Search bar in internet explorer

Name: drr
Date: October 2, 2003 at 00:30:48 Pacific
OS: XP prof.
CPU/Ram: 500/256
Comment:

There is a search bar installed as one of my explorer bars which I can't remove. It appears on the bars list without a name and does not appear on the remove programs list in control panel. Please advise.



Response Number 1
Name: Tom41
Date: October 2, 2003 at 01:17:45 Pacific
Reply:

Install, update and run Spybot-S&D. Have Spybot fix all red entries it lists.

Spybot


0

Response Number 2
Name: drr
Date: October 2, 2003 at 02:25:29 Pacific
Reply:

I tried but it couldn't find updates - advise.
The search bar I am trying to remove is a startium search bar.


0

Response Number 3
Name: Hooner
Date: October 2, 2003 at 02:53:17 Pacific
Reply:

If Spybot won't work, try Ad-aware instead. Again, update it before you run a scan of your registry and drives, and REMOVE everything it finds.


0

Response Number 4
Name: drr
Date: October 2, 2003 at 04:33:22 Pacific
Reply:

Both didn't do the job.
Any ideas?


0

Response Number 5
Name: hack_ace
Date: October 2, 2003 at 07:38:29 Pacific
Reply:

You were hijacked. This happened to me about a month ago and neither Spybot nor Ad-Aware had the fix yet, so I was on my own. I eventually located the offending files, fixed my problem, and sent the files to Ad-Aware and Spybot developers. (The site that got me had only been up a week when I was hit.)

Scan the entire hard drive for files with a *.REG extension. There is more than likely a script running that imports registry entries into your computer every few seconds. Go to the following in the registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\RUN

Check the entries there. This is where the SYS TRAY items and other background programs are started. Check the path statements for the items listed. If there is something weird that you don't recognize, check the files indicated.

Also, since you don't know the name of the bar that is hitting you, try configuring this bar or having it go home. If you come up with SOME name of some sort, use the ADVANCED search to look for files containing that text string.

In the case of the Spyware that got me it was quite hard to remove the bar. Each time I deleted it, the thing came back. It also hijacked my home page. I did a search of all files containing the text string of the URL of the home page. This is how I found out it was importing a registry entry as I found a buried *.REG file. To make matters worse, an executable was also installed that was part of the RUN as indicated in the above reg key. This executable would constantly (about once a second) and silently import the reg file.


0


Response Number 6
Name: aworhol
Date: October 2, 2003 at 09:33:45 Pacific
Reply:


Go to http://www.tomcoyote.org/hjt/ and download 'HijackThis'. It "examines certain key areas of the Registry and Hard Drive and lists their contents. These are areas which are used by both legitimate programmers and hijackers." Then post the log it makes here so we can see what file and reg values you have running on your system.



0

Response Number 7
Name: Mochi
Date: October 2, 2003 at 22:39:58 Pacific
Reply:

Hi. I was able to get rid of the suferbar (which hijacked my computer), but I was wondering if anyone could check out my log to see if there are any other problems?

Logfile of HijackThis v1.97.2
Scan saved at 10:34:57 PM, on 10/2/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Semagic\LiveJournal.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinAce\WinAce.exe
C:\Documents and Settings\mat\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://shippou.net:2095/horde/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: Win32 Classes -
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/03a70ebb12be5607d205/netzip/RdxIE601.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37864.6372337963
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{F5026091-1E5D-4364-97CB-25DF6746EC92}: NameServer = 206.13.29.12,206.13.30.12
O17 - HKLM\System\CS1\Services\VxD\MSCTP: Domain = mydomain.com
O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 69.57.146.14,69.57.147.175
O17 - HKLM\System\CS2\Services\VxD\MSCTP: Domain = mydomain.com
O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 69.57.146.14,69.57.147.175
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.57.146.14,69.57.147.175

Also, since I'm here, I was wondering if anyone has had the problem in which you cannot log into any search engine? I can't log into the major search engines such as google, lycos, etc. And if I could load the main page of that engine up, it wouldn't be able to search (the usual "cannot find server" will pop up).

I was able to load the main page of yahoo up and when I type in "mochi" it'll try to search and it'll say "cannot find server" and here's the html:

http://www.yahoo.com/r/sx/*-http://search.yahoo.com/search?p=mochi&ei=UTF-8&fr=fp-top

Any help?


0

Response Number 8
Name: sean
Date: October 4, 2003 at 15:17:14 Pacific
Reply:

I can't log into any search engines either. WHAT IS GOING ON!!!



0

Response Number 9
Name: lavejiga
Date: October 6, 2003 at 07:44:16 Pacific
Reply:

I am also having problems with the search bar in internet explorer. What do I need to get rid of to fix the problem?

Logfile of HijackThis v1.97.2
Scan saved at 4:31:00 PM, on 10/6/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Apoint\Apoint.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\System32\atievxx.exe
C:\WINDOWS\TPPALDR.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\AStart.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\ToPicks\Bin\Idhost.exe
C:\DOCUME~1\Daniel\LOCALS~1\Temp\g181511.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MSN Messenger\MsnMsgr.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Adobe\Acrobat 6.0\Reader\AcroRd32.exe
C:\Documents and Settings\Daniel\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://sww.stusta.mhn.de/proxy.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8 - (no file)
O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-AB2D-8D32436313D - (no file)
O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-AB2D-8D32436313D9} - C:\WINDOWS\oo4.dll
O2 - BHO: (no name) - {0352960F-47BE-11D5-AB93-00D0B760B4 - (no file)
O2 - BHO: (no name) - {0352960F-47BE-11D5-AB93-00D0B760B4EB} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0 - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - C:\WINDOWS\System32\stlbdist.DLL
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E7 - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E77 - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - C:\WINDOWS\System32\stlbdist.DLL
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AStart] C:\WINDOWS\system32\AStart
O4 - HKLM\..\Run: [PGStub.exe] C:\DOCUME~1\Daniel\LOCALS~1\Temp\g181511.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [oo4] RunDLL32.exe C:\WINDOWS\oo4.dll,DllRun
O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINDOWS\System32\stlbdist.DLL,DllRunMain
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.exe" /background
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/05755f8f01dc2ead9720/netzip/RdxIE601_de.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37871.8020601852
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} - http://lw9fd.law9.hotmail.msn.com/activex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{13175146-E6D0-4CAF-82BE-5AD9F4E2CDA0}: NameServer = 216.127.92.38
O17 - HKLM\System\CCS\Services\Tcpip\..\{491BEFBF-9DDE-4C9F-BC37-3EE7A1013C4E}: NameServer = 216.127.92.38
O17 - HKLM\System\CCS\Services\Tcpip\..\{EBB15AF9-5AC1-4BB2-944B-C0645BA60588}: NameServer = 10.150.127.2
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = stusta.swh.mhn.de
O17 - HKLM\System\CS1\Services\Tcpip\..\{13175146-E6D0-4CAF-82BE-5AD9F4E2CDA0}: NameServer = 216.127.92.38
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = stusta.swh.mhn.de
O17 - HKLM\System\CS2\Services\Tcpip\..\{13175146-E6D0-4CAF-82BE-5AD9F4E2CDA0}: NameServer = 216.127.92.38
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = stusta.swh.mhn.de



0

Response Number 10
Name: adastra23
Date: October 7, 2003 at 17:23:28 Pacific
Reply:

I came across this forum doing searches about the qhosts trojan. The trojan changes your DNS numbers from what they should be (assigned by your ISP) to these: 69.57.146.14 and 69.57.147.175 - I noticed these in your log.
The DNS numbers belong to a Houston TX based ISP called everyone's internet and were used in conjunction with this attack. As I understand it, these DNS #s have been taken offline. The descriptions I have found about Qhosts also mention that it affects your ability to load major search engines. As I understand it, MS released an IE patch on October 3rd. Hope this helps, I wouldn't be able to stand it with no Google.


0
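
Added example, not part of the original thread or of HijackThis: a small triage pass over HijackThis log text that applies the two checks discussed above, the Run-key path inspection from Response 5 and the DNS server match from Response 10. The sample lines are copied from the two logs posted in this thread; the function name, the finding labels, and the Temp-directory and rundll32 heuristics are assumptions chosen for illustration, and a finding means "review this entry", not "malicious".

```python
import re

# DNS servers that Response 10 associates with the Qhosts trojan (from the thread).
QHOSTS_DNS = {"69.57.146.14", "69.57.147.175"}

# Lines copied from the two HijackThis logs posted above (mixed for the demo).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PGStub.exe] C:\DOCUME~1\Daniel\LOCALS~1\Temp\g181511.exe
O4 - HKLM\..\Run: [oo4] RunDLL32.exe C:\WINDOWS\oo4.dll,DllRun
O17 - HKLM\System\CCS\Services\Tcpip\..\{F5026091-1E5D-4364-97CB-25DF6746EC92}: NameServer = 206.13.29.12,206.13.30.12
O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 69.57.146.14,69.57.147.175
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = mydomain.com
"""

ENTRY = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<detail>.+)$")
RUN = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
DNS = re.compile(r"^(?P<key>.+): NameServer = (?P<servers>.+)$")


def triage(log_text, bad_dns=QHOSTS_DNS):
    """Return (reason, detail) pairs for log entries that deserve a manual look."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header, process list, or blank line
        code, detail = m["code"], m["detail"]
        if code == "O4" and (run := RUN.match(detail)):
            cmd = run["cmd"].lower()
            if "\\temp\\" in cmd:  # autostart pointing into a Temp directory
                findings.append(("run-from-temp", run["name"]))
            elif cmd.startswith("rundll32"):  # DLL started at logon; inspect the DLL
                findings.append(("run-via-rundll32", run["name"]))
        elif code == "O17" and (dns := DNS.match(detail)):
            servers = {s.strip() for s in dns["servers"].split(",")}
            hits = sorted(servers & bad_dns)
            if hits:
                findings.append(("qhosts-dns", dns["key"] + " -> " + ",".join(hits)))
    return findings


if __name__ == "__main__":
    for reason, detail in triage(SAMPLE_LOG):
        print(f"{reason:18} {detail}")
```

Pass a different `bad_dns` set to match other resolver addresses; entries flagged by the Run-key heuristics still need the file on disk checked by hand, as Response 5 describes.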


Post Locked

This post is quite old and has been locked from receiving new replies. Please create a new posting instead.

