Every time I open Internet Explorer, my homepage gets redirected and a popup bar opens at the bottom of the screen. The bar has the address:
http://searchexe.com/passthrough/popupbaropener.html
I have tried running SpyBot and Ad-Ware, and neither of them is able to erase the problem. I am posting the log from HijackThis and I thank anyone in advance if you can provide any help.
Logfile of HijackThis v1.97.7
Scan saved at 7:22:43 PM, on 2/15/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.exe
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.exe
C:\WINDOWS\SYSTEM\MSTASK.exe
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.exe
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.exe
C:\WINDOWS\EXPLORER.exe
C:\WINDOWS\SYSTEM\RESTORE\STMGR.exe
C:\WINDOWS\TASKMON.exe
C:\WINDOWS\SYSTEM\SYSTRAY.exe
C:\WINDOWS\SYSTEM\ATI2EVXX.exe
C:\WINDOWS\SYSTEM\ATI2CWXX.exe
C:\COMPAQ\CPQINET\CPQINET.exe
C:\WINDOWS\SYSTEM\WMIEXE.exe
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.exe
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.exe
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.exe
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.exe
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.exe
C:\PROGRAM FILES\IPOD\BIN\IPODWATCHER.exe
C:\WINDOWS\SYSTEM\ATIPTAXX.exe
C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.exe
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.exe
C:\PROGRAM FILES\AXISTWO\INFODRIVEFOR.exe
C:\WINDOWS\SYSTEM\DDHELP.exe
C:\WINDOWS\DESKTOP\HIJACKTHIS.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://searchexe.com/passthrough/index.html?http://about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchexe.com/searchbar.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.ce1.attbb.net:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.ce1.attbb.net;<local>
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {0E069F75-5E6D-5B10-8654-A95B616DA1F1} - C:\PROGRAM FILES\HELP CDROM\OPENBODY.DLL (file missing)
O3 - Toolbar: ActiveWindow - {E0D13969-3863-3050-4555-EAD44CB0CD89} - C:\PROGRAM FILES\HELP CDROM\OPENBODY.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ATIPOLAB] ati2evxx.exe
O4 - HKLM\..\Run: [Ati2cwxx] Ati2cwxx.exe
O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [CpqBootPerfDb] C:\Cpqs\Scom\CpqBootPerfDb.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [ZENRC Tray Icon] zentray.exe
O4 - HKLM\..\Run: [iPodWatcher] C:\Program Files\iPod\Bin\iPodWatcher.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [websx] C:\PROGRAM FILES\WEBSX\INT339890.exe -auto
O4 - HKLM\..\Run: [Fordburn] C:\PROGRA~1\AXISTWO\Infodrivefor.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
O4 - HKCU\..\Run: [ares] "C:\PROGRAM FILES\ARES\ARES.exe" -h
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: AIM (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37719.6186689815
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/12178319adcf2e240816/netzip/RdxIE601.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {860D5AAC-D059-4C9F-93D3-3FD6FBB6872F} (AuroraCtrl Class) - http://www.icebergradio.com/aurora/1.0.2.259/client.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt1_x.cab

One possibility is that the Broadjump CFD files on your computer are redirecting you to something.
If you use Yahoo/DSL it automatically loads the Broadjump/CFD during installation. This is spyware and is probably mentioned somewhere in the EULA when you subscribe.
If you contact Yahoo/DSL and ask them to set you up with the Enternet 300 software, which will allow you to use IE, Netscape etc. as your browser instead of your Yahoo browser, they'll show you how. If you already run your DSL this way then get rid of those entries.
C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
I'm not sure if that's the exact reason why you're being redirected but it definitely won't hurt to get rid of it.
Spybot & Adaware don't catch it...

I am definitely not using Yahoo/DSL, in fact I am a student using the university network.
However, I followed your directions and I am still getting the popup. If you have any other ideas, please let me know.
Thanks

I am having exactly the same problem with this stupid searchexe.com homepage hijacker. I have scoured my registry, startup file, win.ini file, and I cannot locate where it is coming from. I have run adaware and am now running Adwatch (a little late!!). I've looked for jse files and hta files, all to no avail. I hope someone can help us figure this out!!!

Include me in the mix. However, I also have a search bar under my address bar called BaitToolDog and it comes up every time I open up IE. I also get another advertisement of some sort at the bottom of my IE browser. The searchexe is driving me crazy. Someone please help us!!!! Thanks

thanks johnb.. i used hijackthis and it got rid of searchexe and BaitToolDog
I LOVE U!!!!!! haha.. jus joking

same here....I even went as far as to go to http://searchexe.com and see if I could find a solution...if you scroll down to the bottom of their page and go to their help page....you can download a toolbar remover...only problem is that it doesn't work and there's no contact information so you can't send them emails...what a bunch of s...I hate them and their damn spyware...if someone can help...please do

hijackthis has done the trick..thanks guys...it's hard to find tho...most of the download sites I went to didn't work..but I finally found a copy..if anyone needs it...I'm putting it on kazaa..my connection is always on..so download away

You guys may want to refer to
http://kephyr.sureshot.xaviermedia.net/spywarescanner/library/searchexe/index.phtml
Instructions on manual removal of searchexe are available.

What is hijackthis? I have had the same friggin' problem and the last 3 nights I have searched for solutions to get rid of searchexe.com but to no avail. I purchased Noadware and Spybegone and they did not do the job. I downloaded Spybot and it got rid of everything except for the 2 inch pop up bar at the bottom of my browser which is searchexe.com. I am so frustrated and have invested about $60.00 to get rid of this but no such luck. All I know is that these guys are from England and I will call them to help me get rid of this stuff but I would like to try other means b4 I invest more $$.

I tried to download hijackthis and the perfectnav search engine won't let me do it even though I have them listed as blocked with Norton Internet Security program. What's really creepy is that it will let me download other programs but it has a directive to hijack when I try to download a program that will eliminate it. I'm not being paranoid, this really seems to be its programming.

I had the problem also with searchexe.com where I couldn't get rid of it. I noticed that the bar popped up on the bottom of my monitor only when I went to my home page. I made a change to my IE home definition by reassigning it to "Use Blank" as my home page. I then launched my home page to "blank" and NO SEARCHEXE.COM BAR WAS INITIATED!!! I went back and reassigned my previous url as my home page. The problem has yet to come back. Apparently, there's a hook into the home address processing "when there's an actual url being processed". By redefining to use no url, the hook was killed. Also, check your file folders on the C: drive and Program Files for suspicious looking folders. When the hook existed, some of the folders couldn't be deleted. After the hook was killed, I was able to delete the folders, some from the file-level out to the parent/grand-parent level. I hope this helps.

I was also irritated by this disgusting tool bar. I tried hijackthis, spybot, ad-aware, but they didn't work. However, restoring the system to some point worked really well if you use XP. Click start up menu's accessory - system tool - restore system (I am using Japanese XP, so I'm not sure these words are correct.) and restore until the day before that toolbar showed up. Good luck!!

You should consider using a different browser than IE. For example, Mozilla and Mozilla Firefox are very good open source browsers and are more secure, coming with built-in pop-up blockers. Chances are spyware that was built to attack IE won't affect these browsers. I am using them and have had no difficulties.
Download them free at:
http://www.mozilla.org

Hi, I just removed this from a customer's computer about 15 minutes ago. Here's how I did it:
In your browser go to "Tools" -> "Internet Options", Delete cookies, Files, and Clear History (just in case). Then go to "Settings". I also cleared out any objects here that I did not recognize. Next, go to the "Security" tab, then under Internet click "Custom Level". Set all of the Scripting and ActiveX controls to PROMPT.
Close the browser, then reopen it. You will receive several popups prompting to run these. Keep clicking NO. Eventually you will get to the home page of SearchExe. Once there, reset your home page to your preference. That should do it.
Cheers,
Dan

Does anybody really know how to get rid of this popup bar? Please help. It appears from all prior messages that this is not an easy thing to remove.

I was able to remove the popup bar quite simply by going into my IE settings (Tools: Internet Options). On that settings page is where your home page is set. You'll notice that while the url of your desired homepage is still displayed there, it is appended onto the end of a passthrough url. Just remove everything in the url line before the questionmark (or re-paste your desired homepage url into the field), and the popup bar should be gone next time you open IE.
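
As an added example (not part of the original post or thread): a short Python triage of HijackThis log lines, using five entries copied from the log in the first post. It flags the passthrough-wrapped home page described above and BHO entries whose file is missing, and lists autostart (O4) entries for manual review; the function and field names are illustrative, and the script does not judge any entry malicious on its own.

```python
import re
from urllib.parse import urlsplit

# Sample input: five lines copied from the HijackThis log in the first post.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://searchexe.com/passthrough/index.html?http://about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchexe.com/searchbar.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.ce1.attbb.net:8000
O2 - BHO: (no name) - {0E069F75-5E6D-5B10-8654-A95B616DA1F1} - C:\PROGRAM FILES\HELP CDROM\OPENBODY.DLL (file missing)
O4 - HKLM\..\Run: [websx] C:\PROGRAM FILES\WEBSX\INT339890.exe -auto
"""

# R lines: registry key, value name, data. O2/O3: CLSID and file path. O4: autostart.
R_LINE = re.compile(r"^(R[0-3]) - (?P<key>.+?),(?P<value>[^,=]+?) = (?P<data>.*)$")
ORPHAN = re.compile(r"^O[23] - .+? - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+) \(file missing\)$")
O4_LINE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")


def wrapped_url(data):
    """Return (wrapper_host, original_url) when data looks like '<url>?<url>'."""
    parts = urlsplit(data)
    if parts.scheme in ("http", "https") and re.match(r"[a-z][a-z0-9+.-]*://", parts.query, re.I):
        return parts.hostname, parts.query
    return None


def triage(log_text):
    """Group log lines into wrapped IE URLs, orphaned BHO/toolbar entries, autostarts."""
    findings = {"wrapped": [], "orphaned": [], "autostart": []}
    for line in map(str.strip, log_text.splitlines()):
        if m := R_LINE.match(line):
            hit = wrapped_url(m["data"])
            if hit:  # the desired page appended after '?' on another host's URL
                findings["wrapped"].append((m["value"], hit[0], hit[1]))
        elif m := ORPHAN.match(line):
            findings["orphaned"].append((m["clsid"], m["path"]))
        elif m := O4_LINE.match(line):
            findings["autostart"].append((f'{m["hive"]}\\{m["key"]}', m["name"], m["cmd"]))
    return findings


if __name__ == "__main__":
    for kind, rows in triage(SAMPLE_LOG).items():
        for row in rows:
            print(kind, *row, sep=" | ")
```
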

Yes, this does remove it. However, the main problem that I know I am having, and probably some other people as well, is that sometimes after you log out and back in, or definitely every time you reboot, it gets put back in there. I've been trying to get this s* out of my box for quite some time, and I'm just glad that my state is passing anti-spyware legislation, so soon I'll have some recourse against this kind of hijacking.

finally.. since this page has already helped me a lot I want to add my contribution.. I was having the same problem with that annoying toolbar.. and everybody complained how the toolbar uninstaller does not work.. well I guess LOP.com finally realized that... and now their new uninstaller finally worked.. I noticed they updated it since it asks you to type in the number you see on the screen... my problem is solved, hope this helps... this is from where I downloaded the uninstaller ..
http://lop.com/new_uninstall.exe
good luck!

i have hijackthis - and a log file now - but i dont know what 2 delete and what 2 keep, so could sum1 give me a hand pls, i would appreciate it, thanx

never mind ppls - i jus deleted the aboutblank search 1's and the searchexe 1 - and its all gone - thanx 4 ur info!
THE NOTORIUS S.I.D

Hi John, nice to meet you!
Check the registry Run and RunOnce branches; any unwanted third-party agents will be located there.
------------------
www.KeyGlobe.com - Ready sale trade board
