
Search engine pages keep opening in IE...

ultravox

Elite Member
I know this sounds a lot like CoolWebSearch but I have the tools to identify and remove CWS.

I am a fanatic about spyware/virus updates and adware and use at least 3 programs daily to clean. I also browse using Firefox.
Yesterday morning I woke up to find a search engine page opened but minimized in IE. Then another later on, and so on. I can't open the window by clicking on it in the taskbar; I have to right-click on it and choose Maximize. If I just click, nothing happens.
I have used Trend online virus scan, Trojan Remover, MS's new Anti-Spyware program (which is GIANT in disguise), CWS Shredder, SpySubtract, VX2Finder and Ad-Aware, but these damn search window pages still keep popping up... always a different one, and the big reputable names like Lycos, Google, Yahoo. Hardly the sites that would resort to hijackings.

Any ideas WTF this is or how to stop it?

I feel so dirty.....
Sad


Is there any place in Windows where a log or something is kept, a record of what is going on? Maybe I can find out what triggers these windows to pop up.
 
Yeah, your HijackThis log would be very interesting. If HJT won't run, rename hijackthis.exe to something different. There are a couple interesting new exploits on the Norton and McAfee virus lists in the last couple days, and at least one of them makes a point of terminating processes named hijackthis.exe.

With that in mind, go to Symantec's online scan and run that. Since it's ActiveX-driven, you will need to use IE for that, methinks (and will need to be running with an Administrator-class account). If your computer won't go to Symantec's site, then check your C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS file in Notepad and see if it has anything besides 127.0.0.1 localhost in it. If so, remove the excess entries.
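The HOSTS check above, as an added example that is not part of the original thread: a small script that parses a HOSTS file the way Windows reads it, reports every mapping other than the localhost line, and writes a cleaned copy. The sample file is constructed for the example (a hijacker-style file that pins antivirus vendor sites to a dead address, which is exactly why the Symantec site would not load); the real file on XP is %SystemRoot%\system32\drivers\etc\hosts.

```python
"""Check a Windows HOSTS file for entries beyond the expected localhost line.

Added example, not from the thread. A stock XP HOSTS file has one mapping,
127.0.0.1 -> localhost. Extra lines pointing vendor sites at a loopback or
null address are how a hijacker keeps you from reaching online scanners.
"""

# Constructed sample, not taken from the poster's machine.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       securityresponse.symantec.com
127.0.0.1       www.symantec.com   # pinned by the hijacker
0.0.0.0         download.mcafee.com
"""

LOCALHOST_NAMES = {"localhost", "localhost.localdomain"}
LOCALHOST_ADDRS = {"127.0.0.1", "::1"}


def parse_hosts(text):
    """Return (address, [hostnames]) for each non-comment, non-blank line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments, trailing or whole-line
        if not line:
            continue
        parts = line.split()
        entries.append((parts[0], parts[1:]))
    return entries


def is_benign(addr, names):
    """Only the loopback-to-localhost mapping is expected on a clean XP box."""
    return addr in LOCALHOST_ADDRS and set(names) <= LOCALHOST_NAMES


def suspicious_entries(text):
    """Return every mapping that is not the localhost line."""
    return [(addr, names) for addr, names in parse_hosts(text)
            if not is_benign(addr, names)]


def clean_hosts(text):
    """Return the file with comments and blank lines kept and only the
    localhost mapping retained. Write the result back with an admin account;
    the file is read-only on many hijacked machines."""
    kept = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            kept.append(raw)
            continue
        parts = line.split()
        if is_benign(parts[0], parts[1:]):
            kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for addr, names in suspicious_entries(SAMPLE_HOSTS):
        print("suspicious:", addr, " ".join(names))
    print(clean_hosts(SAMPLE_HOSTS))
```

Run it against a copy of the real file rather than the live one, compare the suspicious list with what you actually expect to be there, and only then overwrite. A hijacker that rewrites HOSTS on every reboot will put the lines back, which is itself a useful signal that the running process has not been found yet.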
 
check your C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS file in Notepad and see if it has anything besides 127.0.0.1 localhost in it. If so, remove the excess entries.

I don't have a system32 folder in Windows. Is that possible? I followed the correct path and I only have a system folder.
Would you like to have a look-see at my HJT log?
 
Aha... I tried the Avast trojan scan thing and it said it couldn't scan temp file xxxx in C:\WINDOWS\TEMP. So I went there to have a look-see and lo and behold there are a bunch of APP files with weird gibberish names such as

Ajhzoveil, Bbcdeuw, Bqahsyysw etc., alphabetically listed, and there are 50 in all. When I click on one of them, an IE window to a search engine opens up.

Now... what put them there and is it safe to just delete them?

I also found a file called null which was a log that listed a bunch of files etc. that were deleted, and there was a bunch of IE .ini files... the plot thickens!
 
Originally posted by: ultravox
Aha... I tried the Avast trojan scan thing and it said it couldn't scan temp file xxxx in C:\WINDOWS\TEMP. So I went there to have a look-see and lo and behold there are a bunch of APP files with weird gibberish names such as

Ajhzoveil, Bbcdeuw, Bqahsyysw etc., alphabetically listed, and there are 50 in all. When I click on one of them, an IE window to a search engine opens up.

Now... what put them there and is it safe to just delete them?

I also found a file called null which was a log that listed a bunch of files etc. that were deleted, and there was a bunch of IE .ini files... the plot thickens!

Safe to delete but something will likely put them right back.
 
Originally posted by: ultravox
check your C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS file in Notepad and see if it has anything besides 127.0.0.1 localhost in it. If so, remove the excess entries.

I don't have a system32 folder in Windows. Is that possible? I followed the correct path and I only have a system folder.
Would you like to have a look-see at my HJT log?
I would love to see your HJT log 🙂

BTW, does this mean you were not able to reach Symantec's site, then?

 
So much for safe browsing with FireFox. 😉 Wow, that lasted like what? 3 months? 😛

J/K

These types of programs are crap...if you can, go to microsoft.com and install the AntiSpyware Beta 1 pack. It's an incredible program, free too! It's much better than AdAware, Spybot S&D, and many others. I bet it'll fix whatever issue you're having. It also resets your IE/Internet settings, in case they were hijacked too.

Good luck man! This stuff is TOUGH to remove without reinstalling Windows. Let us know how it goes.

~Travis W.
 
Originally posted by: mechBgon
Originally posted by: ultravox
check your C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS file in Notepad and see if it has anything besides 127.0.0.1 localhost in it. If so, remove the excess entries.

I don't have a system32 folder in Windows. Is that possible? I followed the correct path and I only have a system folder.
Would you like to have a look-see at my HJT log?
I would love to see your HJT log 🙂

BTW, does this mean you were not able to reach Symantec's site, then?


I use Drive Image and I browsed through the last image I made (Jan 10), about 2 days before all this sh*t started. In the image I have a system32 folder, but when I go to C:\Windows there is none there. When scanning using one of the 78 programs I DLed since this started, I see that the app scans system32, so it must be there but hidden or something. Can I use the "restore" feature in Drive Image, or will that effectively remove that folder from the image (which I don't want to do)?
I have not tried the Symantec site since I'm already running NAV Pro 2003... should I anyway?

Here is my HJT log file:

Logfile of HijackThis v1.99.0
Scan saved at 4:59:22 PM, on 01/15/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\Program Files\Exif Launcher\QuickDCF.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
E:\Apps\Drive Image v7-b\Agent\PQV2iSvc.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
E:\Progdvb\ProgDVB\ProgDVB.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\wsw.exe
C:\WINDOWS\wsw.exe
C:\Program Files\Mozilla Firefox\firefox.exe
E:\Hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchforit.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [nbprocrk] nbprocrk.bat
O4 - HKLM\..\Run: [EPSON Stylus C82 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P23 "EPSON Stylus C82 Series" /O5 "LPT1:" /M "Stylus C82"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [systemdll] C:\WINDOWS\systemdll.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/.../msgrchkr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/...neSweeper.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.micros...site.cab?1102137694507
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840.../housecall/xscan53.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/...atsClient.cab31267.cab
O21 - SSODL: KLiteCodecPack_is1 - {53C4A6F8-36D8-C18B-B624-4C96A27E29DE} - C:\Program Files\K-Lite Codec Pack\unins000.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: V2i Protector - PowerQuest Corporation - E:\Apps\Drive Image v7-b\Agent\PQV2iSvc.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZONELABS\vsmon.exe
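A first-pass triage of a log like the one above, as an added example that is not a tool from the thread or from the HijackThis project: it parses the "Running processes", R0/R1 and O4 sections and flags the patterns a responder checks first (an executable sitting directly in the Windows directory rather than in System32 or Program Files, an autorun that is a bare filename or a batch script, a start page the user did not choose, and the same unknown Windows-root executable running more than once). The input is a constructed excerpt of the log posted above plus a few benign lines; the allowlists of known Windows-root files and expected start pages are assumptions for the example, not something HijackThis ships. A hit means "look at this", not "this is malware".

```python
"""Triage heuristics for a HijackThis (HJT) log.

Added example, not a tool from the thread. Flags the lines a responder reads
first; a hit means "go and check this", not "this is malware".
"""
import re

# Constructed input: an excerpt of the log posted in the thread plus benign lines.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\wsw.exe
C:\WINDOWS\wsw.exe
E:\Hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchforit.com
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [nbprocrk] nbprocrk.bat
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [systemdll] C:\WINDOWS\systemdll.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZONELABS\vsmon.exe
"""

# Executables that legitimately sit directly in the Windows directory on XP.
# Assumption for the example; build the real list from a known-clean machine.
KNOWN_WINDIR_FILES = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe"}

# Start pages the user is known to have chosen (assumption: no search portal).
EXPECTED_START_PAGES = {"about:blank", "http://www.google.com/"}

WINDIR_ROOT = re.compile(r"^[A-Z]:\\WINDOWS\\([^\\]+)$", re.IGNORECASE)
O4_LINE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
START_PAGE = re.compile(r"^R[01] - .*Start Page = (?P<url>\S+)")


def exe_from_command(cmd):
    """Return the executable path from an O4 command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ")[0]


def triage(log_text):
    """Return (reason, line) pairs worth a closer look, in log order."""
    findings = []
    process_counts = {}
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False          # blank line ends the process list
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            key = line.lower()
            process_counts[key] = process_counts.get(key, 0) + 1
            m = WINDIR_ROOT.match(line)
            if m and m.group(1).lower() not in KNOWN_WINDIR_FILES and process_counts[key] == 1:
                findings.append(("exe running from Windows root", line))
            continue
        m = START_PAGE.match(line)
        if m and m.group("url") not in EXPECTED_START_PAGES:
            findings.append(("start page changed", line))
            continue
        m = O4_LINE.match(line)
        if m:
            exe = exe_from_command(m.group("cmd"))
            if exe.lower().endswith(".bat"):
                findings.append(("autorun is a batch script", line))
            elif "\\" not in exe:
                findings.append(("autorun with bare filename (resolved via PATH)", line))
            else:
                w = WINDIR_ROOT.match(exe)
                if w and w.group(1).lower() not in KNOWN_WINDIR_FILES:
                    findings.append(("autorun exe in Windows root", line))
    # Two copies of the same unknown Windows-root exe deserve a look too.
    for proc, n in process_counts.items():
        w = WINDIR_ROOT.match(proc)
        if n > 1 and w and w.group(1) not in KNOWN_WINDIR_FILES:
            findings.append(("same Windows-root exe running %d times" % n, proc))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print("%-48s %s" % (reason, line))
```

On the excerpt this flags wsw.exe (running twice from C:\WINDOWS), the searchforit.com start page, the nbprocrk.bat autorun and the HKCU systemdll.exe autorun, and leaves the Symantec, Nero and ZoneAlarm lines alone. Treat the output as a reading order for the log, then confirm each hit by checking the file's vendor, signature and creation date before fixing anything.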

 
Originally posted by: jamesbond007
So much for safe browsing with FireFox. 😉 Wow, that lasted like what? 3 months? 😛

J/K

These types of programs are crap...if you can, go to microsoft.com and install the AntiSpyware Beta 1 pack. It's an incredible program, free too! It's much better than AdAware, Spybot S&D, and many others. I bet it'll fix whatever issue you're having. It also resets your IE/Internet settings, in case they were hijacked too.

Good luck man! This stuff is TOUGH to remove without reinstalling Windows. Let us know how it goes.

~Travis W.

Hm, did you install AntiSpyware yet? It's a really sweet program...should do the trick, hopefully. 😀

GL!
 
Maybe your System32 folder has simply been hidden from view. Try getting there via a command-prompt window, and/or go to Folder Options and ensure that you've enabled viewing hidden files/folders and also protected system files/folders.

Also, if you're as interested in security as all that, why are you using WinXP SP1? 😕
 
I have not tried the symantec site since I'm already running NAVPro 2003..should I anyway?
YES. Norton Antivirus 2003 doesn't have detection for what Symantec calls "Expanded Threats." Time to hang up your antique antivirus software and get something better, bro. Norton and McAfee both have 15-day trialwares of their current-generation stuff, or the free AntiVir is said to be one of the best free ones.

If you want to try one right now, try McAfee VirusScan 9.0 since it's pretty thoroughly pre-configured for you. http://download.mcafee.com/us/eval/evaluate2.asp
 
Originally posted by: mechBgon
Maybe your System32 folder has simply been hidden from view. Try getting there via a command-prompt window, and/or go to Folder Options and ensure that you've enabled viewing hidden files/folders and also protected system files/folders.

Also, if you're as interested in security as all that, why are you using WinXP SP1? 😕


I did a search for it and found it in 2 places: Windows\last good
Windows\last good.tmp

Can I just replace it with the one from Drive Image?

Did you see anything in the HJT log that looks like it shouldn't be there?


I already have the MS (Giant) spyware thingie.
 
Can I get you to try a 15-day trialware of either Norton or McAfee's latest antivirus software, fully update and configure them to use all their options, then disable System Restore, reboot into Safe Mode, and do a scan?

McAfee would need less configuring, if you want something that's not very difficult: McAfee 15-day trialware.

Also use Microsoft Baseline Security Analyzer: MBSA download
 
Well I've thrown everything I could at it, from safe-mode system scans to reapplying an older image I had.
Here's the poop: some "BUG" has started a process that kicks in after every reboot no matter what files I manage to delete and most processes stopped/disabled.

[talking through a hat]

The bug writes a VBR script that executes IE to open with a search engine page. I say VBR script because Avast AV flags something but it gets through anyway. This is when a temp file gets written. This file is called gibberish.tmp but comes out as gibberish.exe in the flag. It cannot be deleted in Windows, and when in safe mode it's not there???

The time I spent dicking around could've been spent formatting and re-installing, which I've decided to do... (sigh).
_________________


I've decided to re-install XP and throw in SP2 as well. I've never done it in XP so I'm not sure how to get to DOS to format C:. I can config the bootup in BIOS to boot off a CD and I understand that the XP CD is bootable... is this correct? How do you get into DOS?
I want to make this as painless as possible, so any tips you people can throw my way will be appreciated.
I have to copy Outlook Express from Application Data to a safe place, as well as Favourites and any other folders on the desktop. Have I forgotten anything vital?
Is there any config file that I could save that would carry over my preferences in Windows appearance? I have mine set up pretty much like Win 98.
 
Originally posted by: mechBgon
Can I get you to try a 15-day trialware of either Norton or McAfee's latest antivirus software, fully update and configure them to use all their options, then disable System Restore, reboot into Safe Mode, and do a scan?

McAfee would need less configuring, if you want something that's not very difficult: McAfee 15-day trialware.

Also use Microsoft Baseline Security Analyzer: MBSA download
Did you try what I suggested here?

If you want to reinstall, that's a great idea too. Start Windows Setup from CD, delete all the existing partitions on the hard drive, then press the F3 key twice to exit Windows Setup and start again. This ensures that you don't have a silly menu offering you two WinXP's to boot from in the end.

I would install SP2 first, then mobo drivers, then video drivers, then your other stuff as desired. If you use a Limited-class user account for browsing and other daily-driver stuff, that is quite a security boost... like wearing your seatbelt, is my usual comparison 😀 Among other things, a process running within the cage of a Limited account cannot fiddle with the Windows directory (hmmm!) or the important-er parts of the Registry (hmmm!), or install software (obviously).

It wouldn't hurt to enable Data Execution Prevention for all programs, like this. If programs have an issue with it, log on with an Administrator-class account and add them as an exception, like my Adobe Update Manager there.

 
If you want to reinstall, that's a great idea too. Start Windows Setup from CD, delete all the existing partitions on the hard drive, then press the F3 key twice to exit Windows Setup and start again. This ensures that you don't have a silly menu offering you two WinXP's to boot from in the end.

Well I jumped the gun and went ahead... I thought the installation would format the partition and do a clean install... no... I now have a choice of 2 Win XPs to choose from: an infected one and another that, although not yet infected, seems to have all the same temp files that I had before (which I've since deleted).

I have 2 HDs... one is partitioned into 3 parts, C: D: E:. I don't want to lose these partitions and the data therein. How do I go about formatting just C: so that Windows installs itself there and I leave everything else intact?


"delete all the existing partitions on the hard drive, then press the F3 key twice to exit Windows Setup and start again."

How do I go about deleting just what's in C:? When I boot off the XP disc it goes to the F8 menu, which offers safe mode, safe mode with DOS prompt, etc.

Luckily I still have this installation to get back online with and get edumacated... 😉
 
Hmm, how about this approach then:

1) start Windows Setup from CD

2) when it shows you the partitions, aim it at the C:\ partition but have it do a full NTFS format, the long way

3) Carry on with Windows Setup as usual

4) Once Windows is set up, if it's still giving you two WindowsXP installs to choose from at bootup, you can edit C:\BOOT.INI (hidden system file, so enable viewing of hidden+system files to see it) to eliminate the phantom one.


If you were to follow my previously-suggested method of exiting WinXP Setup then I fear that your D: partition would become C:, E: would become D:, your optical(s) would be E: and F:, and then your boot partition would end up being G: or something, and that would probably push you over the edge :Q And we can't have that, can we! 😉

Good luck! 🙂
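Step 4 above, as an added example that is not from the thread: once the unwanted copy of Windows is gone, boot.ini still lists it, and the boot menu keeps offering both. The script below parses the [operating systems] section, keeps only the entry whose ARC path you name, points default= at it, and refuses to write a file with no bootable entry at all (the one mistake you cannot recover from without the XP CD's Recovery Console). The sample boot.ini is constructed; its partition numbers are an assumption for the example, so read the real ARC paths from your own boot.ini and pass the one that matches the install you want to keep.

```python
"""Prune a phantom WinXP entry from boot.ini.

Added example, not from the thread. After the accidental second install
landed on another partition, boot.ini lists two WinXP entries. Keep only the
entry whose ARC path points at the install you want and make it the default.
"""

# Constructed boot.ini. The partition numbers are an assumption for the
# example; take the real ones from your own file before editing anything.
SAMPLE_BOOT_INI = """\
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(4)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(4)\\WINDOWS="Microsoft Windows XP Professional" /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Microsoft Windows XP Professional" /fastdetect /noexecute=optin
"""


def boot_entries(text):
    """Return the ARC paths listed under [operating systems]."""
    paths = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line.lower()
        elif section == "[operating systems]" and "=" in line:
            paths.append(line.split("=", 1)[0].strip())
    return paths


def prune_boot_ini(text, keep_arc_path):
    """Drop every [operating systems] entry except keep_arc_path and point
    default= at it. Raises instead of producing a file with no bootable entry."""
    out = []
    section = None
    kept = 0
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line.lower()
            out.append(raw)
            continue
        if section == "[boot loader]" and line.lower().startswith("default="):
            out.append("default=" + keep_arc_path)
            continue
        if section == "[operating systems]" and "=" in line:
            path = line.split("=", 1)[0].strip()
            if path.lower() != keep_arc_path.lower():
                continue                  # the phantom entry: drop it
            kept += 1
        out.append(raw)
    if kept != 1:
        raise ValueError("expected exactly one entry for %s, found %d"
                         % (keep_arc_path, kept))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    keep = r"multi(0)disk(0)rdisk(0)partition(1)\WINDOWS"
    print(prune_boot_ini(SAMPLE_BOOT_INI, keep))
```

boot.ini is marked hidden, system and read-only, so clear those attributes (attrib -r -s -h C:\boot.ini) from an Administrator account before saving, keep a copy of the original, and put the attributes back afterwards. The /noexecute switch on the kept entry is where SP2 records the DEP mode; "optin" is the SP2 default, and turning DEP on for all programs as suggested earlier in this thread changes it to "optout".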
 
2) when it shows you the partitions, aim it at the C:\ partition but have it do a full NTFS format, the long way

It never showed me the partitions the first time... I think... 😉
Should it?

How do you get it to do a full NTFS format?

I think I'll put off the actual doing until tomorrow, but I'll get all the info I need now. God knows I couldn't sleep now anyway... 😉

BTW it installed the other Windows in the F: partition... go figure.

Thanks for all your help Mech... you're one of the good guys.
Now that I think of it, during installation it flashed a "checking drive F" thing for just an instant, then went to checking C:, which is why I thought it was formatting and installing there. This was much easier to do in '98... then again we had to do it more often also... 😉
 
BTW it installed the other windows in the F partition...go figure.
Gaaah! 😛 Any chance you have another HDD you could simply move all your data to, and then move it back when you're done?

http://www.blackviper.com/Arti...e/images/image1_5.html

^ this sort of screen ought to show after you press the F8 key to accept the license agreement yadda yadda all your firstborn are belong to us etc. And that would be where you could choose the C: partition, and then in the next few screens you'd see this one where you could choose how to format it. Really, I think either Quick or Full would do the trick. Things are 😕 now that you have two Windows installations, however.

Personally, I like things very simple, and would want to just back up the important stuff to a different hard drive, or to another computer via the network, and then blow away ALL of the partitions, exit Setup, start it again, create the partitions I want, and off we go. But I know 200GB hard drives don't grow on trees...

Anyway, good luck there, and thanks for the compliment 🙂


EDIT: links fi><0r3d! 😛
 
Late late last night I had an epiphany... I thought that some of those infected files were not visible when I ran Windows, even in safe mode, but if I ran a virus scan on them while I was booted into the second version of Windows on the F: drive it might do the trick. This morning I DLed the McAfee virus scanner and let it go through the C: drive.

It found 4 trojans:
irc\flood.i
irc\flood.b
irc\flood.c
backdoor-AFG

as well as 3-4 dubious programs, like wsw.exe and a few others I can't recall.
I'm scanning the rest of the partitions/drives, then I'll reboot into my original Windows and see if that did the trick. At least I will have tried everything before resorting to a re-install. To fix the problem of the other Windows installation in F:, I'll just copy everything else on that drive into another drive, delete Windows, reformat that drive, then copy everything else back. And fix the boot deal by going into the boot.ini and correcting it as necessary... (if I get some expert instructions, that is. 😉)
I'll keep you posted.
 
Originally posted by: ultravox
Late late last night I had an epiphany... I thought that some of those infected files were not visible when I ran Windows, even in safe mode, but if I ran a virus scan on them while I was booted into the second version of Windows on the F: drive it might do the trick. This morning I DLed the McAfee virus scanner and let it go through the C: drive.

It found 4 trojans:
irc\flood.i
irc\flood.b
irc\flood.c
backdoor-AFG

as well as 3-4 dubious programs, like wsw.exe and a few others I can't recall.
I'm scanning the rest of the partitions/drives, then I'll reboot into my original Windows and see if that did the trick. At least I will have tried everything before resorting to a re-install. To fix the problem of the other Windows installation in F:, I'll just copy everything else on that drive into another drive, delete Windows, reformat that drive, then copy everything else back. And fix the boot deal by going into the boot.ini and correcting it as necessary... (if I get some expert instructions, that is. 😉)
I'll keep you posted.
Interesting! :Q In that sort of "prod the maggots and watch them squirm violently in the meat" kind of way, I mean 😀
 