Zidane´s thread

Discussion in 'other software & services' started by Zidane, Oct 18, 2003.

Thread Status:
Not open for further replies.
  1. Zidane

    Zidane Registered Member

    Joined:
    Jul 12, 2003
    Posts:
    63
    Location:
    Czech Republic, Europe, World, Space
    Javacool, many thanks for your super programs - MRU Blaster, Spyware Blaster and Spyware Guard - I am using this "program combo" and it is great :)

    ONe question - it is great that SG has the Browser Hijack protection, but the protection EXCLUDES homepage :( - why?

    Couldnt you add the "homepage hijack protection" to the newest release of SG? I will be forced to use Spybot SD because I want my homepage to be protected, but thanks to Spyware Blaster most of spyware gets blocked before installation, so I will use SD just for homepage protection... could you add this feature to SG please? Or some of your programs already has it? :)

    I have problem with homepage hijacking - Ad-aware finds and deletes the registry entries that change my homepage to www.searchv.com, but there has to be some other registry entry, that does the homepage change after every restart, I cannot find it :( so I will be forced to use SD for homepage protection... could you add this feature to SG for us, please? :)

    I like your super programs, keep up the good work :)
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,435
    Location:
    Netherlands
    Re:Browser Hijack Blaster Question

    Hi Zidane,

    Could you post your HijackThis log
    Download, Unzip and run HijackThis. Then click Scan > Save log, save the log as a .txt file and copy & paste its content into your next post.
    Don´t fix anything yet. Most of what it finds is harmless.
    We´ll get Searchv sorted out. There are some new variants that have not been added to AdAware´s definitions (yet).

    Regards,

    Pieter
     
  3. Zidane

    Zidane Registered Member

    Joined:
    Jul 12, 2003
    Posts:
    63
    Location:
    Czech Republic, Europe, World, Space
    Re:Browser Hijack Blaster Question

    Maybe I should run Hijack This before Ad-aware cleans the problem - I will run it after the next restart of the comp,if the browser hijacking appears an d will see what you will find from the log :)

    The current log is:

    Logfile of HijackThis v1.97.3
    Scan saved at 0:25:55, on 19.10.2003
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Mouse Tachometer\Mouse Tachometer.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe
    C:\Program Files\Overnet\Overnet.exe
    C:\Program Files\ICQ\ICQ.exe
    C:\Program Files\Čisticí programy\MRU-Blaster\scheduler.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\abc.ABC-TQ1ZTLPRERD\Local Settings\Temp\Dočasný adresář 1 pro hijackthis.zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = cache.clnet.cz:3128
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
    R3 - Default URLSearchHook is missing
    O1 - Hosts: 209.66.114.130 sitefinder.verisign.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: IE Privacy Keeper - Last IE Window Detector - {1201333E-BAD9-481C-BCF5-6904498CF85B} - C:\Program Files\UnH Solutions\IE Privacy Keeper\IEPKbho.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
    O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [Mouse Tachometer] C:\Program Files\Mouse Tachometer\Mouse Tachometer.exe --hide
    O4 - HKLM\..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
    O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
    O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe"
    O4 - HKLM\..\Run: [SpyBlocker] C:\Program Files\SpyBlocker Software\spyblocker.exe
    O4 - HKLM\..\Run: [Overnet] C:\Program Files\Overnet\Overnet.exe -t
    O4 - HKLM\..\Run: [sys] regedit /s C:\WINDOWS\sys.reg
    O4 - HKCU\..\Run: [CashFiesta] C:\Documents and Settings\abc\Plocha\Cashfiesta.exe
    O4 - HKCU\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\ICQ.exe -minimize
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKLM\..\RunOnce: [MRUBlaster] C:\Program Files\Čisticí programy\MRU-Blaster\indexcleaner.exe -CC
    O4 - Startup: MRU-Blaster Scheduler.lnk = ?
    O4 - Startup: MRU-Blaster Silent Clean.lnk = ?
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Avaya Wireless Client Manager.lnk = C:\Program Files\Avaya_Wireless\Client Manager\CmAVA.exe
    O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
    O9 - Extra button: ICQ (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O10 - Broken Internet access because of LSP provider 'imon.dll' missing
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetupml.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37862.5471875
    O16 - DPF: {C1C2AC28-5E4B-4228-B7A0-05E986FFCE14} (TIBSLoader Class) - http://www.movie-browser.com/tl4000.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1182CC65-E9A5-4454-AA49-4C171F562834}: NameServer = 213.180.32.2,213.180.32.11
    O17 - HKLM\System\CS1\Services\Tcpip\..\{1182CC65-E9A5-4454-AA49-4C171F562834}: NameServer = 213.180.32.2,213.180.32.11
    O17 - HKLM\System\CS2\Services\Tcpip\..\{1182CC65-E9A5-4454-AA49-4C171F562834}: NameServer = 213.180.32.2,213.180.32.11

    Can you say, if there are some interesting things? :)
     
  4. Zidane

    Zidane Registered Member

    Joined:
    Jul 12, 2003
    Posts:
    63
    Location:
    Czech Republic, Europe, World, Space
    After-restart log

    Logfile of HijackThis v1.97.3
    Scan saved at 0:45:26, on 19.10.2003
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Mouse Tachometer\Mouse Tachometer.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe
    C:\Program Files\Overnet\Overnet.exe
    C:\Program Files\ICQ\ICQ.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Avaya_Wireless\Client Manager\CmAVA.exe
    C:\Program Files\GetRight\getright.exe
    C:\Program Files\GetRight\getright.exe
    C:\Program Files\Čisticí programy\MRU-Blaster\scheduler.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Documents and Settings\abc.ABC-TQ1ZTLPRERD\Local Settings\Temp\Dočasný adresář 1 pro hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchv.com/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchv.com/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchv.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = cache.clnet.cz:3128
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
    R3 - Default URLSearchHook is missing
    O1 - Hosts: 209.66.114.130 sitefinder.verisign.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: IE Privacy Keeper - Last IE Window Detector - {1201333E-BAD9-481C-BCF5-6904498CF85B} - C:\Program Files\UnH Solutions\IE Privacy Keeper\IEPKbho.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
    O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [Mouse Tachometer] C:\Program Files\Mouse Tachometer\Mouse Tachometer.exe --hide
    O4 - HKLM\..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
    O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
    O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe"
    O4 - HKLM\..\Run: [SpyBlocker] C:\Program Files\SpyBlocker Software\spyblocker.exe
    O4 - HKLM\..\Run: [Overnet] C:\Program Files\Overnet\Overnet.exe -t
    O4 - HKLM\..\Run: [sys] regedit /s C:\WINDOWS\sys.reg
    O4 - HKCU\..\Run: [CashFiesta] C:\Documents and Settings\abc\Plocha\Cashfiesta.exe
    O4 - HKCU\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\ICQ.exe -minimize
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKLM\..\RunOnce: [MRUBlaster] C:\Program Files\Čisticí programy\MRU-Blaster\indexcleaner.exe -CC
    O4 - Startup: MRU-Blaster Scheduler.lnk = ?
    O4 - Startup: MRU-Blaster Silent Clean.lnk = ?
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Avaya Wireless Client Manager.lnk = C:\Program Files\Avaya_Wireless\Client Manager\CmAVA.exe
    O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
    O9 - Extra button: ICQ (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O10 - Broken Internet access because of LSP provider 'imon.dll' missing
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetupml.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37862.5471875
    O16 - DPF: {C1C2AC28-5E4B-4228-B7A0-05E986FFCE14} (TIBSLoader Class) - http://www.movie-browser.com/tl4000.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1182CC65-E9A5-4454-AA49-4C171F562834}: NameServer = 213.180.32.2,213.180.32.11
    O17 - HKLM\System\CS1\Services\Tcpip\..\{1182CC65-E9A5-4454-AA49-4C171F562834}: NameServer = 213.180.32.2,213.180.32.11
    O17 - HKLM\System\CS2\Services\Tcpip\..\{1182CC65-E9A5-4454-AA49-4C171F562834}: NameServer = 213.180.32.2,213.180.32.11


    Btw. I underestimated my newly installed Spyware Guard - in the SG is a notice that the Hijack Protection EXCLUDES homepage - but in reality it INCLUDES the homepage - when there was an attempt to change the homepage by the hijacker, SG caught it and warned me :) and gave me the choice "keep the old value" or letting be the new value :)

    So despite of SG saying that the protection doesnt protect the homepage the homepage IS protected - SG catches the hijack as "changing IE settings" :)

    Excellent, I didnt know about that :) Javacool software RULEZ *thumbs up* :) But the hijacker still remains somewhere in my system, the hijack was only stopped, but it didnt destroy the hijacker himself... I believe that somebody will find the bastard and help me (and others who might have the problem) destroy him :)
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,435
    Location:
    Netherlands
    Re:Browser Hijack Blaster Question

    Hi Zidane,

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchv.com/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchv.com/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchv.com/

    R3 - Default URLSearchHook is missing
    O1 - Hosts: 209.66.114.130 sitefinder.verisign.com

    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)

    O4 - HKLM\..\Run: [Overnet] C:\Program Files\Overnet\Overnet.exe -t
    O4 - HKLM\..\Run: [sys] regedit /s C:\WINDOWS\sys.reg

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    O16 - DPF: {C1C2AC28-5E4B-4228-B7A0-05E986FFCE14} (TIBSLoader Class) - http://www.movie-browser.com/tl4000.dll

    Then reboot and delete:
    C:\WINDOWS\sys.reg

    I´m not sure what this is:
    O4 - HKCU\..\Run: [CashFiesta] C:\Documents and Settings\abc\Plocha\Cashfiesta.exe
    Everything I could find about it was either in Arabic, Chinese or somethig else I couldn´t read.

    Regards,

    Pieter
     
  6. Zidane

    Zidane Registered Member

    Joined:
    Jul 12, 2003
    Posts:
    63
    Location:
    Czech Republic, Europe, World, Space
    Re:Browser Hijack Blaster Question

    Understood, I have only one question - do you really think I should delete the "overnet.exe" entry? I know about that, I installed that - that is one of P2P programs - and with that program I am able to download stuff from www.sharereactor.com - do you think that Overnet causes the hijacking? I have it for a quite long time and the hijacks did not started at the time I DL´ed Overnet, but some time after...

    But if you know better and safer P2P program for DLing from sharereactor and other "eDonkey links" , I will be pleased :)
     
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,435
    Location:
    Netherlands
    Re:Browser Hijack Blaster Question

    Hi Zidane,

    First off. I never advised you to remove Overnet. It just has no bussiness starting up at boot IMO, so I advised to remove the Startup-entry for it.
    If you open sys.reg in Notepad, you will be able to see who did the hijacking. ;)

    As to which P2P programs are spyware-free or not:
    http://www.spywareinfoforum.com/articles/p2p/

    Regards,

    Pieter
     
  8. Zidane

    Zidane Registered Member

    Joined:
    Jul 12, 2003
    Posts:
    63
    Location:
    Czech Republic, Europe, World, Space
    All is OK :)

    Many thanks :)))

    One OFF TOPIC QUESTION, if I may... it has nothing to do with spyware, but it is bugging me for some time ago...

    I am not able to install Nero Burning ROM - the CD burning software, the installer keeps telling me that there is an older version in my computer, but there is NOT and WAS NOT any NERO AFAIK - maybe previous owner of the comp had Nero there and uninstalled it incorrectly - do you know WHERE can be some "tracks " of Nero left and what I have to delete to clean my comp of those Nero tracks and so I will be able to install Nero? :) I tried to clean the registries from anything related to Ahead Software - the Nero author, but it seems that there is something still there :-(((
     
  9. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,435
    Location:
    Netherlands
    Re:Browser Hijack Blaster Question

    Hi Zidane,

    It seems they have a special tool to resolve this issue.
    Follow instructions here: http://www.nero.com/en/631927293720980.html#2

    I will split the last part of this thread off and move it to another forum, so the OT will go unnoticed. ;)

    Regards,

    Pieter
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.