Find your solution!

Dekker · 13-Apr-2003, 12:05 PM #1

Hello

I have recently accidentally downloaded a program called mysearch and I can't uninstall it. It has added a new tool bar to my browser and keeps opening pop-ups as well as saving unwanted web pages to my desk top.

When I go to add/remove files it tells that I'm unable to uninstall because there is no uninstall exe.
I've tried deleting the files but I’m left with one called 'S4BAR.DLL' that won't be deleted. Is there any way that I can remedy this?

Many thanks

Gordon7000 · 13-Apr-2003, 12:14 PM #2

Hi Dekker,

Yes, this is a known parasite. Please download and install Spybot Search and Destroy.

http://security.kolla.de/index.php?l...&page=download

Before using the programme, UPDATE it from the Internet. Then, disconnect from the Internet, close your browser and run Spybot (Check for Problems). Tick everything highlighted in red and DELETE these entries with Spybot. After this, REBOOT your PC.

After this, download, unzip and run Hijack This

http://www.tomcoyote.org/hjt/

Most of the entries in the log are harmless, so don't fix anything yet. Just SCAN your computer. When the scan is completed, press the SAVE LOG button to save the log to Notepad. Then copy the entire log from Notepad and post it on this forum. Someone will then let you know what to do next.

Regards, Gordon

Dekker · 13-Apr-2003, 01:31 PM #3

Hi Gordon

Thanks for taking the time to reply, the spybot search and destroy was extremely helpful.

I haven’t been able to get on the tomcoyote site yet but when I can I shall carry out your second instruction.

Best wishes

Dekker

TonyKlein · 13-Apr-2003, 01:32 PM #4

You can download Hijack This at the following sites as well:

http://www.spywareinfo.com/downloads.php#det

http://www.lurkhere.com/~nicefiles/index.html

Dekker · 13-Apr-2003, 02:08 PM #5

Thanks Tony

Logfile of HijackThis v1.93.0
Scan saved at 19:05:10, on 13/04/03
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Natural Language Navigation - {60E78CAC-E9A7-4302-B9EE-8582EDE22FBF} - C:\WINNT\System\BHO001.DLL
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINNT\System32\nzdd.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Antivirus\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [WINSTA~1.EXE] C:\WINNT\System\WINSTA~1.EXE -b
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RealDownload.lnk = C:\Program Files\Real\RealDownload\RealDownload.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.co...veX/winrep.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productu...ntent/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...467.6698611111
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805/...ditControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab

TonyKlein · 13-Apr-2003, 02:12 PM #6

Are you sure you updated SpyBot before having it scan your drive?

It should have removed some more stuff.

In Hijack This, check the following items, then CLOSE all browser windows, and press "fix checked".

You need to reboot after doing that.

O2 - BHO: Natural Language Navigation - {60E78CAC-E9A7-4302-B9EE-8582EDE22FBF} - C:\WINNT\System\BHO001.DLL

O4 - HKLM\..\Run: [WINSTA~1.EXE] C:\WINNT\System\WINSTA~1.EXE -b

O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) -

Cheers,

rayandtam02 · 28-Jun-2003, 10:07 AM #7

Logfile of HijackThis v1.95.0
Scan saved at 10:01:08 AM, on 6/28/2003
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Yahoo!\Messenger\bpk.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\Network ICE\BlackICE\blackice.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.couldnotfind.com/search_page.html?&account_id=129192
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.couldnotfind.com/search_page.html?&account_id=129192
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.couldnotfind.com/search_page.html?&account_id=129192
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride=localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINNT\System32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak=http://www.yahoo.com/
O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PK IE Plugin - {1E1B2879-88FF-11D3-8D96-D7ACAC95951A} - C:\PROGRA~1\Yahoo!\MESSEN~1\bpkwb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: My &Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINNT\p_981116.exe /Q:A
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [RegShave] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RDLL] RunDll16.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\RunServices: [RDLL] RunDll16.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\Network ICE\BlackICE\blackice.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O16 - DPF: ConferenceRoom Java Client - http://mail.igl.net:8000/java/cr.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com.../c381/chat.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/game.../y/mjst3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/game...s/y/potc_x.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/17d0d121b519e81...p/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {78960E0E-0B0C-11D4-8997-00104BD12D94} (AV Class) - http://www.pcpitstop.com/antivirus/PCPAV.CAB
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...7748.829224537
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/Sha.../bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab

TonyKlein · 28-Jun-2003, 10:30 AM #8

Hi,

Check and have Hijack This fix the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.couldnotfind.com/search_page.html?&account_id=129192
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.couldnotfind.com/search_page.html?&account_id=129192
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.couldnotfind.com/search_page.html?&account_id=129192

O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - (no file)

O3 - Toolbar: My &Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)

O4 - HKLM\..\Run: [RDLL] RunDll16.exe
O4 - HKLM\..\RunServices: [RDLL] RunDll16.exe

O16 - DPF: Yahoo! Chat -
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) -
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/17d0d121b519e8...ip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/Sh...n/bin/cabsa.cab

Now restart your computer, and find and delete the RunDll16.exe file, if you still have it.

Cheers,

TonyKlein · 04:29 AM

Also, you have a browser plugin I've never seen before, and I'd like to have a closer look at it.

Would you mind terribly sending me a copy of the bpkwb.dll file in your Program Files\Yahoo!\Messenger folder for analysis, please?

I'll keep you updated on the nature of the file, and whether it is in fact legitimate.

It has almost the same Class ID as the Stealth Keylogger, and one of the Commonname foistware browser plugins, so I'think it may need to be investigated.

TIA!

TonyKlein · 28-Jun-2003, 10:40 AM **#10**

Hmm, here's a Portuguese language thread which indeed mentions this file in relation to the Antispy Keylogger:
http://216.239.39.100/search?q=cache...hl=en&ie=UTF-8

reedygal · 06-Jul-2003, 03:37 PM **#11**

Here is my Hijack this log file... Can you help?

Logfile of HijackThis v1.95.0
Scan saved at 3:31:35 PM, on 7/6/2003
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Norton Speed Disk\nopdb.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\MsgSys.EXE
C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\BQTray.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE
C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Nikon\NkView5\NkvMon.exe
C:\Program Files\Philips\LightFrame\LightFrame.exe
C:\Program Files\Norton Utilities\SYSDOC32.EXE
C:\Program Files\Webshots\WebshotsTray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://broadband.zoomtown.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride=http://localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINNT\System32\blank.htm
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [BurnQuick Queue] C:\WINNT\BQTray.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo 820 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE /P29 "EPSON Stylus Photo 820 Series" /O6 "USB002" /M "Stylus Photo 820"
O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Common Files\Zing\ZingSpooler.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE 1
O4 - Startup: LightFrame.lnk = C:\Program Files\Philips\LightFrame\LightFrame.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView5\NkvMon.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: WeatherBug (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {28F00B0F-DC4E-11D3-ABEC-005004A44EEB} (Register Class) - http://content.hiwirenetworks.net/in....30/Hiwire.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/116842f97924b09...zip/RdxIE6.cab
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestation.com/common/c...on=4,3,2,20802
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...567.4949189815
O16 - DPF: {AA14C86B-DA22-4811-8186-BB496A299C5F} (Be Here TotalView Player ActiveX Control, Version 3.0) - http://www.premiereinteractive.com/b...oViewer3_0.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security2.norton.com/SSC/Shar.../bin/cabsa.cab
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/Te...loads/outc.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://rrc.esecurecare.net/rnt/rnl/java/RntX.cab
O16 - DPF: {FEC3E5A3-50F7-4B0C-97D8-01CF69DFBFC7} (Measurement Service Client) - http://ccon.madonion.com/global/msc.cab

TonyKlein · 06-Jul-2003, 03:41 PM **#12**

Hi!

In Hijack This, check ALL of the following items. Doublecheck so as to be sure not to miss a single one.
Next, close all browser Windows, and have HT fix all checked.

O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL

O16 - DPF: {28F00B0F-DC4E-11D3-ABEC-005004A44EEB} (Register Class) - http://content.hiwirenetworks.net/i...5.30/Hiwire.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/116842f97924b0...tzip/RdxIE6.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security2.norton.com/SSC/Sha...c/bin/cabsa.cab

Now restart your computer, and download Spybot - Search & Destroy

After installing, first press Online, and search for, put a check mark at, and install all updates.

Next, close all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove all it finds.

Cheers,

dieselbreton · 07-Jul-2003, 03:42 AM **#13**

Hey Im very worried! I just bought my new computer and I realize that a bar downloaded by itself in my internet explorer.....the name of this bar is mysearch. I already tried to erase it but it doesnt have an uninstall program! what do I have to do???? Is this a virus?? will it erase something from my computer?? Please help me!

Please contact me,

Thank you

Armando Bretón

armand_boy@yahoo.com

dieselbreton · 07-Jul-2003, 04:12 AM **#14**

Its me.....Armando again....my scan gave me these files please tell me if I have to erase anything from here......

Ad-Flow: Tracking cookie or cookie of tracking site (Archivo, nothing done)
C:\Documents and Settings\Armando\Cookies\armando@ad-flow[2].txt

BFast: Tracking cookie or cookie of tracking site (Archivo, nothing done)
C:\Documents and Settings\Armando\Cookies\armando@bfast[1].txt

DSO Exploit: Data source object exploit (Cambio en el Registro, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004=W=3

DSO Exploit: Data source object exploit (Cambio en el Registro, nothing done)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004=W=3

DSO Exploit: Data source object exploit (Cambio en el Registro, nothing done)
HKEY_USERS\S-1-5-21-2952981389-2299825339-2237029002-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004=W=3

DSO Exploit: Data source object exploit (Cambio en el Registro, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004=W=3

DSO Exploit: Data source object exploit (Cambio en el Registro, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004=W=3

FastClick: Tracking cookie or cookie of tracking site (Archivo, nothing done)
C:\Documents and Settings\Armando\Cookies\armando@fastclick[2].txt

Gator: Global settings (Clave del Registro, nothing done)
HKEY_LOCAL_MACHINE\Software\Gator.com

Hacker.ag: Log file (Archivo, nothing done)
C:\WINDOWS\coder.log

Hacker.ag: Settings (Archivo, nothing done)
C:\WINDOWS\coder.ini

Windows Media Player: Client ID (Cambio en el Registro, nothing done)
HKEY_USERS\S-1-5-21-2952981389-2299825339-2237029002-1005\Software\Microsoft\MediaPlayer\Player\Settings\Client ID=

--- Spybot-S&D version: 1.2 ---
2003-06-24 Includes\Cookies.sbi
2003-07-04 Includes\Dialer.sbi
2003-07-03 Includes\Hijackers.sbi
2003-06-24 Includes\Keyloggers.sbi
2003-07-02 Includes\Malware.sbi
2003-03-16 Includes\plugin-ignore.ini
2003-06-24 Includes\Security.sbi
2003-07-02 Includes\Spybots.sbi
2003-03-16 Includes\Temporary.sbi
2003-07-05 Includes\Tracks.uti
2003-06-24 Includes\Trojans.sbi

dieselbreton · 07-Jul-2003, 04:16 AM **#15**

Logfile of HijackThis v1.95.0
Scan saved at 03:16:35 a.m., on 07/07/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Archivos de programa\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\Archivos de programa\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\LTSMMSG.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Archivos de programa\Trend Micro\PC-cillin 2002\pccguide.exe
C:\Archivos de programa\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Archivos de programa\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Archivos de programa\Sony\VAIO Action Setup\VAServ.exe
C:\Archivos de programa\Sony Handheld\HOTSYNC.EXE
C:\WINDOWS\system32\notepad.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\ARCHIV~1\WINZIP\winzip32.exe
C:\Documents and Settings\Armando\Configuración local\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://www.sony-latin.com/registration/vaio
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\System32\blank.htm
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Archivos de programa\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\adobe\acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Archivos de programa\MyWay\myBar\1.bin\MYBAR.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [VAIOSURVEY] C:\Archivos de programa\Sony\VAIO Survey\LASurvey.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Archivos de programa\Archivos comunes\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [pccguide.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [CleanupProgram] C:\Sonysys\cleanup.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: HotSync Manager.lnk = C:\Archivos de programa\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Archivos de programa\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony-latin.com/registration/vaio
O16 - DPF: {00000000-CDDC-0704-0B53-2C8830E9FAEC} (IELoaderCtl Class) - http://install.global-netcom.de/ieloader.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {280168BC-76BF-4CD0-B835-3D686EFA8DDC} - http://www.browserwise.com/search1/i...ninstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...795.5547222222
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab

Tag Cloud
adware audio bios blue screen boot bsod computer crash dell desktop drivers email error excel firefox freeze google hard drive hardware hijackthis install internet itunes laptop linux malware network no sound outlook problem reboot recovery router screen slow sound speakers spyware startup trojan usb video virus vista webcam windows windows 7 windows vista windows xp wireless

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)