PLEASE HELP WITH IE6 (Possible Trojan?)

[allenkc]

I am running Windows XP with Internet Explorer 6 and when I visit a search engine such as Google or Yahoo I get a "frame"(for lack of a better term) that opens up with in my window of Internet Explorer. This "frame" is not something that I have open and it appears the only way I can stop it is by going to my internet options and turning off "third party extensions"(I don't want to do this). The frame only opens when I do a search on a search engine. When I left click(I cannot right click on anything in the new frame)on a link in this frame 9 times out of 10 it sends me to a sight within "about.com". If I click on a link within the actual search engine results the frame will go away. I think that this is either spyware or a Trojan of some type and if it is a Trojan it could get worse before it gets better. I have run 4 spyware programs and a Trojan scanner to see if they can find something and they haven't found anything. You can not uninstall Internet Explorer 6 in windows xp and you can't run a repair on it either.

I have included a jpg of what my internet explorer looks like on yahoo and if you noticed you will see that this "frame" adapts to the "skin" of the search engine.

Please help ME I don't know what to do.
Thanks for your Time!!

 

[Del]

Check out this thread from Rog. If you download and run lurkhere and post it back, we can see if you have anything that doesn't belong.

http://forums.techguy.org/showthread.php?s=&threadid=116897&highlight=lurkhere

 

[allenkc]

Del,

Thanks for your help in advanced. I hope the info below is what you are looking for.

Allenkc


StartupList report, 2/6/2003, 12:06:51 PM
StartupList version: 1.51
Started from : C:\Documents and Settings\Owner\Local Settings\Temp\StartupList.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ps2.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Free Surfer\fs20.exe
C:\WINDOWS\System32\taskswitch.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\TrojanHunter 3.0\THGuard.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\6jkb.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Owner\Local Settings\Temp\StartupList.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Recguard = C:\WINDOWS\SMINST\RECGUARD.EXE
PS2 = C:\WINDOWS\system32\ps2.exe
IgfxTray = C:\WINDOWS\System32\igfxtray.exe
hpsysdrv = c:\windows\system\hpsysdrv.exe
HPDJ Taskbar Utility = C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
HotKeysCmds = C:\WINDOWS\System32\hkcmd.exe
freesurfer = C:\Program Files\Free Surfer\fs20.exe
CoolSwitch = C:\WINDOWS\System32\taskswitch.exe
SAUpdate = C:\Program Files\Insight\BBClient\Programs\SAUpdate.exe
zBrowser Launcher = C:\Program Files\Logitech\iTouch\iTouch.exe
EM_EXEC = C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
ATIPTA = C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ccRegVfy = "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
Microsoft Network Control = C:\WINDOWS\msdrvx.exe
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
SAClient = C:\Program Files\Insight\BBClient\Programs\RegCon.exe /admincheck
SpyCop ScanCheck = C:\Program Files\Common Files\Microsoft Shared\MAIN.EXE /LASTSCAN
THGuard = "C:\Program Files\TrojanHunter 3.0\THGuard.exe"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

LDM = \Program\BackWeb-8876480.exe

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\WINDOWS\System32\SbSrch_V2.dll - {4C4871FD-30F6-4430-8834-BC75D58F1529}
(no name) - C:\WINDOWS\System32\BHO2.dll - {53E10C2C-43B2-4657-BA29-AAE179E7D35C}
NAV Helper - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Norton AntiVirus - Scan my computer.job
Norton SystemWorks One Button Checkup.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\SYSTEM32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

[Symantec AntiVirus scanner]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\avsniff.dll
CODEBASE = http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab

[BHO.clsUrlSearch]
InProcServer32 = C:\WINDOWS\System32\BHO2.dll
CODEBASE = http://www.adsrvr.com/auth/IE_InstllC.exe

[RdxIE Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\RdxIE.dll
CODEBASE = http://207.188.7.150/07287d5f4f34eefa4301/netzip/RdxIE6.cab

[{6CB5E471-C305-11D3-99A8-000086395495}]
CODEBASE = http://toolbar.google.com/data/en/deleon/1.1.54-deleon/GoogleNav.cab

[{8EDAD21C-3584-4E66-A8AB-EB0E5584767D}]
CODEBASE = http://toolbar.google.com/data/GoogleActivate.cab

[Update Class]
InProcServer32 = C:\WINDOWS\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37651.5908912037

[Symantec RuFSI Registry Information Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\rufsi.dll
CODEBASE = http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------
End of report, 6,604 bytes
Report generated in 0.094 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

 

[kwill152001]

there is a new update for Internet Explorer 6
try downloading it at www.microsoft.com and see if that makes a difference

 

[allenkc]

Thanks Kwill for the information but I figured out what the problem was by myself. It seems that something was downloaded onto my computer without me knowing it. I used a program called Hijacker 1.91 to show me what "third party plugins" were installed in IE6. Under the catagory of "Enumerating Browser Helper Objects" there was one called "BHO2.dll" that I didn't recognize. I deleted it and haven't had the problem since.

Thanks again for replying to my message. We little guys need to stick together.

 

[TonyKlein]

This one is a very recent browser hijacker as well, and you need to get rid of that too:

(no name) - C:\WINDOWS\System32\SbSrch_V2.dll - {4C4871FD-30F6-4430-8834-BC75D58F1529}

Have a look here :

http://www.net-integration.net/cgi-...?s=3e4611f743a9ffff;act=ST;f=32;t=1377;hl=new

 

[allenkc]

Hey Tony thanks for the reply. I had originally deleted that file but after running IE with it in the folder I didn't get the annoying window. But after reading the above thread, I have deleted it altogether. That thing was nasty and I hope no one else gets it. Really bugged the crap out of me.

Thanks again for your reply. This message board is cool.

 

[allenkc]

OH and Tony one more thing....do you have any idea how I might have gotten this? Was it a popup that was accidently clicked on or could it have been spyware that installed on my computer for a shareware program or something?

Thanks for your time.

 

[TonyKlein]

I'm not sure how you may have gotten this one.

It may have been a so called "drive by" ActiveX download, if your security settings are too lax.

 

[allenkc]

I do believe that my security settings were set below MED. I have changed that since all the problems started happening. Hopefully I won't have to deal with that again. WORD OF WARNING...SET YOUR SECURITY SETTINGS IN IE TO AT LEAST MED. TRUST ME YOU DON'T WANT THIS ANNOYING CRAP!

 

[brindle]

bump

 

[mokru]

If you want a copy of this email me. Also, an excellent program is BHO cop when combined with Ad-aware 6 or Spybot S&D. It allows you to turn off BHOs which apparently are somehow different than plug-ins. This dll is resistant. S&D removed the original version that did the same thing but this V2 is so new that none of the spyware removal programs catch it yet.