Zidane´s thread

Discussion in 'other software & services' started by Zidane, Oct 18, 2003.

Thread Status:
Not open for further replies.
  1. Zidane

    Zidane Registered Member

    Joined:
    Jul 12, 2003
    Posts:
    63
    Location:
    Czech Republic, Europe, World, Space
    Javacool, many thanks for your super programs - MRU Blaster, Spyware Blaster and Spyware Guard - I am using this "program combo" and it is great :)

    ONe question - it is great that SG has the Browser Hijack protection, but the protection EXCLUDES homepage :( - why?

    Couldnt you add the "homepage hijack protection" to the newest release of SG? I will be forced to use Spybot SD because I want my homepage to be protected, but thanks to Spyware Blaster most of spyware gets blocked before installation, so I will use SD just for homepage protection... could you add this feature to SG please? Or some of your programs already has it? :)

    I have problem with homepage hijacking - Ad-aware finds and deletes the registry entries that change my homepage to www.searchv.com, but there has to be some other registry entry, that does the homepage change after every restart, I cannot find it :( so I will be forced to use SD for homepage protection... could you add this feature to SG for us, please? :)

    I like your super programs, keep up the good work :)
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Re:Browser Hijack Blaster Question

    Hi Zidane,

    Could you post your HijackThis log
    Download, Unzip and run HijackThis. Then click Scan > Save log, save the log as a .txt file and copy & paste its content into your next post.
    Don´t fix anything yet. Most of what it finds is harmless.
    We´ll get Searchv sorted out. There are some new variants that have not been added to AdAware´s definitions (yet).

    Regards,

    Pieter
     
  3. Zidane

    Zidane Registered Member

    Joined:
    Jul 12, 2003
    Posts:
    63
    Location:
    Czech Republic, Europe, World, Space
    Re:Browser Hijack Blaster Question

    Maybe I should run Hijack This before Ad-aware cleans the problem - I will run it after the next restart of the comp,if the browser hijacking appears an d will see what you will find from the log :)

    The current log is:

    Logfile of HijackThis v1.97.3
    Scan saved at 0:25:55, on 19.10.2003
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Mouse Tachometer\Mouse Tachometer.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe
    C:\Program Files\Overnet\Overnet.exe
    C:\Program Files\ICQ\ICQ.exe
    C:\Program Files\Čisticí programy\MRU-Blaster\scheduler.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\abc.ABC-TQ1ZTLPRERD\Local Settings\Temp\Dočasný adresář 1 pro hijackthis.zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = cache.clnet.cz:3128
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
    R3 - Default URLSearchHook is missing
    O1 - Hosts: 209.66.114.130 sitefinder.verisign.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: IE Privacy Keeper - Last IE Window Detector - {1201333E-BAD9-481C-BCF5-6904498CF85B} - C:\Program Files\UnH Solutions\IE Privacy Keeper\IEPKbho.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
    O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [Mouse Tachometer] C:\Program Files\Mouse Tachometer\Mouse Tachometer.exe --hide
    O4 - HKLM\..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
    O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
    O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe"
    O4 - HKLM\..\Run: [SpyBlocker] C:\Program Files\SpyBlocker Software\spyblocker.exe
    O4 - HKLM\..\Run: [Overnet] C:\Program Files\Overnet\Overnet.exe -t
    O4 - HKLM\..\Run: [sys] regedit /s C:\WINDOWS\sys.reg
    O4 - HKCU\..\Run: [CashFiesta] C:\Documents and Settings\abc\Plocha\Cashfiesta.exe
    O4 - HKCU\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\ICQ.exe -minimize
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKLM\..\RunOnce: [MRUBlaster] C:\Program Files\Čisticí programy\MRU-Blaster\indexcleaner.exe -CC
    O4 - Startup: MRU-Blaster Scheduler.lnk = ?
    O4 - Startup: MRU-Blaster Silent Clean.lnk = ?
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Avaya Wireless Client Manager.lnk = C:\Program Files\Avaya_Wireless\Client Manager\CmAVA.exe
    O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
    O9 - Extra button: ICQ (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O10 - Broken Internet access because of LSP provider 'imon.dll' missing
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetupml.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37862.5471875
    O16 - DPF: {C1C2AC28-5E4B-4228-B7A0-05E986FFCE14} (TIBSLoader Class) - http://www.movie-browser.com/tl4000.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1182CC65-E9A5-4454-AA49-4C171F562834}: NameServer = 213.180.32.2,213.180.32.11
    O17 - HKLM\System\CS1\Services\Tcpip\..\{1182CC65-E9A5-4454-AA49-4C171F562834}: NameServer = 213.180.32.2,213.180.32.11
    O17 - HKLM\System\CS2\Services\Tcpip\..\{1182CC65-E9A5-4454-AA49-4C171F562834}: NameServer = 213.180.32.2,213.180.32.11

    Can you say, if there are some interesting things? :)
     
  4. Zidane

    Zidane Registered Member

    Joined:
    Jul 12, 2003
    Posts:
    63
    Location:
    Czech Republic, Europe, World, Space
    After-restart log

    Logfile of HijackThis v1.97.3
    Scan saved at 0:45:26, on 19.10.2003
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Mouse Tachometer\Mouse Tachometer.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe
    C:\Program Files\Overnet\Overnet.exe
    C:\Program Files\ICQ\ICQ.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Avaya_Wireless\Client Manager\CmAVA.exe
    C:\Program Files\GetRight\getright.exe
    C:\Program Files\GetRight\getright.exe
    C:\Program Files\Čisticí programy\MRU-Blaster\scheduler.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Documents and Settings\abc.ABC-TQ1ZTLPRERD\Local Settings\Temp\Dočasný adresář 1 pro hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchv.com/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchv.com/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchv.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = cache.clnet.cz:3128
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
    R3 - Default URLSearchHook is missing
    O1 - Hosts: 209.66.114.130 sitefinder.verisign.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: IE Privacy Keeper - Last IE Window Detector - {1201333E-BAD9-481C-BCF5-6904498CF85B} - C:\Program Files\UnH Solutions\IE Privacy Keeper\IEPKbho.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
    O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [Mouse Tachometer] C:\Program Files\Mouse Tachometer\Mouse Tachometer.exe --hide
    O4 - HKLM\..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
    O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
    O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe"
    O4 - HKLM\..\Run: [SpyBlocker] C:\Program Files\SpyBlocker Software\spyblocker.exe
    O4 - HKLM\..\Run: [Overnet] C:\Program Files\Overnet\Overnet.exe -t
    O4 - HKLM\..\Run: [sys] regedit /s C:\WINDOWS\sys.reg
    O4 - HKCU\..\Run: [CashFiesta] C:\Documents and Settings\abc\Plocha\Cashfiesta.exe
    O4 - HKCU\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\ICQ.exe -minimize
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKLM\..\RunOnce: [MRUBlaster] C:\Program Files\Čisticí programy\MRU-Blaster\indexcleaner.exe -CC
    O4 - Startup: MRU-Blaster Scheduler.lnk = ?
    O4 - Startup: MRU-Blaster Silent Clean.lnk = ?
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Avaya Wireless Client Manager.lnk = C:\Program Files\Avaya_Wireless\Client Manager\CmAVA.exe
    O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
    O9 - Extra button: ICQ (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O10 - Broken Internet access because of LSP provider 'imon.dll' missing
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetupml.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37862.5471875
    O16 - DPF: {C1C2AC28-5E4B-4228-B7A0-05E986FFCE14} (TIBSLoader Class) - http://www.movie-browser.com/tl4000.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1182CC65-E9A5-4454-AA49-4C171F562834}: NameServer = 213.180.32.2,213.180.32.11
    O17 - HKLM\System\CS1\Services\Tcpip\..\{1182CC65-E9A5-4454-AA49-4C171F562834}: NameServer = 213.180.32.2,213.180.32.11
    O17 - HKLM\System\CS2\Services\Tcpip\..\{1182CC65-E9A5-4454-AA49-4C171F562834}: NameServer = 213.180.32.2,213.180.32.11


    Btw. I underestimated my newly installed Spyware Guard - in the SG is a notice that the Hijack Protection EXCLUDES homepage - but in reality it INCLUDES the homepage - when there was an attempt to change the homepage by the hijacker, SG caught it and warned me :) and gave me the choice "keep the old value" or letting be the new value :)

    So despite of SG saying that the protection doesnt protect the homepage the homepage IS protected - SG catches the hijack as "changing IE settings" :)

    Excellent, I didnt know about that :) Javacool software RULEZ *thumbs up* :) But the hijacker still remains somewhere in my system, the hijack was only stopped, but it didnt destroy the hijacker himself... I believe that somebody will find the bastard and help me (and others who might have the problem) destroy him :)
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Re:Browser Hijack Blaster Question

    Hi Zidane,

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchv.com/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchv.com/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchv.com/

    R3 - Default URLSearchHook is missing
    O1 - Hosts: 209.66.114.130 sitefinder.verisign.com

    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)

    O4 - HKLM\..\Run: [Overnet] C:\Program Files\Overnet\Overnet.exe -t
    O4 - HKLM\..\Run: [sys] regedit /s C:\WINDOWS\sys.reg

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    O16 - DPF: {C1C2AC28-5E4B-4228-B7A0-05E986FFCE14} (TIBSLoader Class) - http://www.movie-browser.com/tl4000.dll

    Then reboot and delete:
    C:\WINDOWS\sys.reg

    I´m not sure what this is:
    O4 - HKCU\..\Run: [CashFiesta] C:\Documents and Settings\abc\Plocha\Cashfiesta.exe
    Everything I could find about it was either in Arabic, Chinese or somethig else I couldn´t read.

    Regards,

    Pieter
     
  6. Zidane

    Zidane Registered Member

    Joined:
    Jul 12, 2003
    Posts:
    63
    Location:
    Czech Republic, Europe, World, Space
    Re:Browser Hijack Blaster Question

    Understood, I have only one question - do you really think I should delete the "overnet.exe" entry? I know about that, I installed that - that is one of P2P programs - and with that program I am able to download stuff from www.sharereactor.com - do you think that Overnet causes the hijacking? I have it for a quite long time and the hijacks did not started at the time I DL´ed Overnet, but some time after...

    But if you know better and safer P2P program for DLing from sharereactor and other "eDonkey links" , I will be pleased :)
     
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Re:Browser Hijack Blaster Question

    Hi Zidane,

    First off. I never advised you to remove Overnet. It just has no bussiness starting up at boot IMO, so I advised to remove the Startup-entry for it.
    If you open sys.reg in Notepad, you will be able to see who did the hijacking. ;)

    As to which P2P programs are spyware-free or not:
    http://www.spywareinfoforum.com/articles/p2p/

    Regards,

    Pieter
     
  8. Zidane

    Zidane Registered Member

    Joined:
    Jul 12, 2003
    Posts:
    63
    Location:
    Czech Republic, Europe, World, Space
    All is OK :)

    Many thanks :)))

    One OFF TOPIC QUESTION, if I may... it has nothing to do with spyware, but it is bugging me for some time ago...

    I am not able to install Nero Burning ROM - the CD burning software, the installer keeps telling me that there is an older version in my computer, but there is NOT and WAS NOT any NERO AFAIK - maybe previous owner of the comp had Nero there and uninstalled it incorrectly - do you know WHERE can be some "tracks " of Nero left and what I have to delete to clean my comp of those Nero tracks and so I will be able to install Nero? :) I tried to clean the registries from anything related to Ahead Software - the Nero author, but it seems that there is something still there :-(((
     
  9. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Re:Browser Hijack Blaster Question

    Hi Zidane,

    It seems they have a special tool to resolve this issue.
    Follow instructions here: http://www.nero.com/en/631927293720980.html#2

    I will split the last part of this thread off and move it to another forum, so the OT will go unnoticed. ;)

    Regards,

    Pieter
     
Loading...
Thread Status:
Not open for further replies.