Zidane´s thread

Javacool, many thanks for your super programs - MRU Blaster, Spyware Blaster and Spyware Guard - I am using this "program combo" and it is great

ONe question - it is great that SG has the Browser Hijack protection, but the protection EXCLUDES homepage - why?

Couldnt you add the "homepage hijack protection" to the newest release of SG? I will be forced to use Spybot SD because I want my homepage to be protected, but thanks to Spyware Blaster most of spyware gets blocked before installation, so I will use SD just for homepage protection... could you add this feature to SG please? Or some of your programs already has it?

I have problem with homepage hijacking - Ad-aware finds and deletes the registry entries that change my homepage to www.searchv.com, but there has to be some other registry entry, that does the homepage change after every restart, I cannot find it so I will be forced to use SD for homepage protection... could you add this feature to SG for us, please?

I like your super programs, keep up the good work

 

Re:Browser Hijack Blaster Question

Hi Zidane,

Could you post your HijackThis log
Download, Unzip and run HijackThis. Then click Scan > Save log, save the log as a .txt file and copy & paste its content into your next post.
Don´t fix anything yet. Most of what it finds is harmless.
We´ll get Searchv sorted out. There are some new variants that have not been added to AdAware´s definitions (yet).

Regards,

Pieter

 

Re:Browser Hijack Blaster Question

Maybe I should run Hijack This before Ad-aware cleans the problem - I will run it after the next restart of the comp,if the browser hijacking appears an d will see what you will find from the log

The current log is:

Logfile of HijackThis v1.97.3
Scan saved at 0:25:55, on 19.10.2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Mouse Tachometer\Mouse Tachometer.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe
C:\Program Files\Overnet\Overnet.exe
C:\Program Files\ICQ\ICQ.exe
C:\Program Files\Čisticí programy\MRU-Blaster\scheduler.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\abc.ABC-TQ1ZTLPRERD\Local Settings\Temp\Dočasný adresář 1 pro hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = cache.clnet.cz:3128
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - Default URLSearchHook is missing
O1 - Hosts: 209.66.114.130 sitefinder.verisign.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: IE Privacy Keeper - Last IE Window Detector - {1201333E-BAD9-481C-BCF5-6904498CF85B} - C:\Program Files\UnH Solutions\IE Privacy Keeper\IEPKbho.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Mouse Tachometer] C:\Program Files\Mouse Tachometer\Mouse Tachometer.exe --hide
O4 - HKLM\..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe"
O4 - HKLM\..\Run: [SpyBlocker] C:\Program Files\SpyBlocker Software\spyblocker.exe
O4 - HKLM\..\Run: [Overnet] C:\Program Files\Overnet\Overnet.exe -t
O4 - HKLM\..\Run: [sys] regedit /s C:\WINDOWS\sys.reg
O4 - HKCU\..\Run: [CashFiesta] C:\Documents and Settings\abc\Plocha\Cashfiesta.exe
O4 - HKCU\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\ICQ.exe -minimize
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKLM\..\RunOnce: [MRUBlaster] C:\Program Files\Čisticí programy\MRU-Blaster\indexcleaner.exe -CC
O4 - Startup: MRU-Blaster Scheduler.lnk = ?
O4 - Startup: MRU-Blaster Silent Clean.lnk = ?
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Avaya Wireless Client Manager.lnk = C:\Program Files\Avaya_Wireless\Client Manager\CmAVA.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O10 - Broken Internet access because of LSP provider 'imon.dll' missing
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetupml.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37862.5471875
O16 - DPF: {C1C2AC28-5E4B-4228-B7A0-05E986FFCE14} (TIBSLoader Class) - http://www.movie-browser.com/tl4000.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{1182CC65-E9A5-4454-AA49-4C171F562834}: NameServer = 213.180.32.2,213.180.32.11
O17 - HKLM\System\CS1\Services\Tcpip\..\{1182CC65-E9A5-4454-AA49-4C171F562834}: NameServer = 213.180.32.2,213.180.32.11
O17 - HKLM\System\CS2\Services\Tcpip\..\{1182CC65-E9A5-4454-AA49-4C171F562834}: NameServer = 213.180.32.2,213.180.32.11

Can you say, if there are some interesting things?

 

After-restart log

Logfile of HijackThis v1.97.3
Scan saved at 0:45:26, on 19.10.2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Mouse Tachometer\Mouse Tachometer.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe
C:\Program Files\Overnet\Overnet.exe
C:\Program Files\ICQ\ICQ.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Avaya_Wireless\Client Manager\CmAVA.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\Čisticí programy\MRU-Blaster\scheduler.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Documents and Settings\abc.ABC-TQ1ZTLPRERD\Local Settings\Temp\Dočasný adresář 1 pro hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchv.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchv.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchv.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = cache.clnet.cz:3128
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - Default URLSearchHook is missing
O1 - Hosts: 209.66.114.130 sitefinder.verisign.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: IE Privacy Keeper - Last IE Window Detector - {1201333E-BAD9-481C-BCF5-6904498CF85B} - C:\Program Files\UnH Solutions\IE Privacy Keeper\IEPKbho.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Mouse Tachometer] C:\Program Files\Mouse Tachometer\Mouse Tachometer.exe --hide
O4 - HKLM\..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe"
O4 - HKLM\..\Run: [SpyBlocker] C:\Program Files\SpyBlocker Software\spyblocker.exe
O4 - HKLM\..\Run: [Overnet] C:\Program Files\Overnet\Overnet.exe -t
O4 - HKLM\..\Run: [sys] regedit /s C:\WINDOWS\sys.reg
O4 - HKCU\..\Run: [CashFiesta] C:\Documents and Settings\abc\Plocha\Cashfiesta.exe
O4 - HKCU\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\ICQ.exe -minimize
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKLM\..\RunOnce: [MRUBlaster] C:\Program Files\Čisticí programy\MRU-Blaster\indexcleaner.exe -CC
O4 - Startup: MRU-Blaster Scheduler.lnk = ?
O4 - Startup: MRU-Blaster Silent Clean.lnk = ?
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Avaya Wireless Client Manager.lnk = C:\Program Files\Avaya_Wireless\Client Manager\CmAVA.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O10 - Broken Internet access because of LSP provider 'imon.dll' missing
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetupml.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37862.5471875
O16 - DPF: {C1C2AC28-5E4B-4228-B7A0-05E986FFCE14} (TIBSLoader Class) - http://www.movie-browser.com/tl4000.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{1182CC65-E9A5-4454-AA49-4C171F562834}: NameServer = 213.180.32.2,213.180.32.11
O17 - HKLM\System\CS1\Services\Tcpip\..\{1182CC65-E9A5-4454-AA49-4C171F562834}: NameServer = 213.180.32.2,213.180.32.11
O17 - HKLM\System\CS2\Services\Tcpip\..\{1182CC65-E9A5-4454-AA49-4C171F562834}: NameServer = 213.180.32.2,213.180.32.11


Btw. I underestimated my newly installed Spyware Guard - in the SG is a notice that the Hijack Protection EXCLUDES homepage - but in reality it INCLUDES the homepage - when there was an attempt to change the homepage by the hijacker, SG caught it and warned me and gave me the choice "keep the old value" or letting be the new value

So despite of SG saying that the protection doesnt protect the homepage the homepage IS protected - SG catches the hijack as "changing IE settings"

Excellent, I didnt know about that Javacool software RULEZ *thumbs up* But the hijacker still remains somewhere in my system, the hijack was only stopped, but it didnt destroy the hijacker himself... I believe that somebody will find the bastard and help me (and others who might have the problem) destroy him

 

Re:Browser Hijack Blaster Question

Hi Zidane,

Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchv.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchv.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchv.com/

R3 - Default URLSearchHook is missing
O1 - Hosts: 209.66.114.130 sitefinder.verisign.com

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)

O4 - HKLM\..\Run: [Overnet] C:\Program Files\Overnet\Overnet.exe -t
O4 - HKLM\..\Run: [sys] regedit /s C:\WINDOWS\sys.reg

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O16 - DPF: {C1C2AC28-5E4B-4228-B7A0-05E986FFCE14} (TIBSLoader Class) - http://www.movie-browser.com/tl4000.dll

Then reboot and delete:
C:\WINDOWS\sys.reg

I´m not sure what this is:
O4 - HKCU\..\Run: [CashFiesta] C:\Documents and Settings\abc\Plocha\Cashfiesta.exe
Everything I could find about it was either in Arabic, Chinese or somethig else I couldn´t read.

Regards,

Pieter

 

Re:Browser Hijack Blaster Question

Understood, I have only one question - do you really think I should delete the "overnet.exe" entry? I know about that, I installed that - that is one of P2P programs - and with that program I am able to download stuff from www.sharereactor.com - do you think that Overnet causes the hijacking? I have it for a quite long time and the hijacks did not started at the time I DL´ed Overnet, but some time after...

But if you know better and safer P2P program for DLing from sharereactor and other "eDonkey links" , I will be pleased

 

Re:Browser Hijack Blaster Question

Hi Zidane,

First off. I never advised you to remove Overnet. It just has no bussiness starting up at boot IMO, so I advised to remove the Startup-entry for it.
If you open sys.reg in Notepad, you will be able to see who did the hijacking.

As to which P2P programs are spyware-free or not:
http://www.spywareinfoforum.com/articles/p2p/

Regards,

Pieter

 

All is OK

Many thanks ))

One OFF TOPIC QUESTION, if I may... it has nothing to do with spyware, but it is bugging me for some time ago...

I am not able to install Nero Burning ROM - the CD burning software, the installer keeps telling me that there is an older version in my computer, but there is NOT and WAS NOT any NERO AFAIK - maybe previous owner of the comp had Nero there and uninstalled it incorrectly - do you know WHERE can be some "tracks " of Nero left and what I have to delete to clean my comp of those Nero tracks and so I will be able to install Nero? I tried to clean the registries from anything related to Ahead Software - the Nero author, but it seems that there is something still there :-(((

 

Re:Browser Hijack Blaster Question

Hi Zidane,

It seems they have a special tool to resolve this issue.
Follow instructions here: http://www.nero.com/en/631927293720980.html#2

I will split the last part of this thread off and move it to another forum, so the OT will go unnoticed.

Regards,

Pieter