
PLEASE HELP WITH IE6 (Possible Trojan?)

Discussion in 'Web & Email' started by allenkc, Feb 6, 2003.

Thread Status:
Not open for further replies.
  1. allenkc

    allenkc Thread Starter

    Joined:
    Feb 6, 2003
    Messages:
    203
    I am running Windows XP with Internet Explorer 6 and when I visit a search engine such as Google or Yahoo I get a "frame" (for lack of a better term) that opens up within my window of Internet Explorer. This "frame" is not something that I have open and it appears the only way I can stop it is by going to my internet options and turning off "third party extensions" (I don't want to do this). The frame only opens when I do a search on a search engine. When I left click (I cannot right click on anything in the new frame) on a link in this frame 9 times out of 10 it sends me to a site within "about.com". If I click on a link within the actual search engine results the frame will go away. I think that this is either spyware or a Trojan of some type and if it is a Trojan it could get worse before it gets better. I have run 4 spyware programs and a Trojan scanner to see if they can find something and they haven't found anything. You cannot uninstall Internet Explorer 6 in Windows XP and you can't run a repair on it either.

    I have included a jpg of what my internet explorer looks like on yahoo and if you noticed you will see that this "frame" adapts to the "skin" of the search engine.

    Please help ME I don't know what to do.
    Thanks for your Time!!
     

    Attached Files:

  2. Del

    Del

    Joined:
    Aug 31, 2001
    Messages:
    3,452
  3. allenkc

    allenkc Thread Starter

    Joined:
    Feb 6, 2003
    Messages:
    203
    Del,

    Thanks for your help in advance. I hope the info below is what you are looking for.

    Allenkc


    StartupList report, 2/6/2003, 12:06:51 PM
    StartupList version: 1.51
    Started from : C:\Documents and Settings\Owner\Local Settings\Temp\StartupList.EXE
    Detected: Windows XP SP1 (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\ps2.exe
    C:\windows\system\hpsysdrv.exe
    C:\Program Files\Free Surfer\fs20.exe
    C:\WINDOWS\System32\taskswitch.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\TrojanHunter 3.0\THGuard.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    C:\WINDOWS\System32\PackethSvc.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
    C:\DOCUME~1\Owner\LOCALS~1\Temp\6jkb.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\Documents and Settings\Owner\Local Settings\Temp\StartupList.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    Recguard = C:\WINDOWS\SMINST\RECGUARD.EXE
    PS2 = C:\WINDOWS\system32\ps2.exe
    IgfxTray = C:\WINDOWS\System32\igfxtray.exe
    hpsysdrv = c:\windows\system\hpsysdrv.exe
    HPDJ Taskbar Utility = C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    HotKeysCmds = C:\WINDOWS\System32\hkcmd.exe
    freesurfer = C:\Program Files\Free Surfer\fs20.exe
    CoolSwitch = C:\WINDOWS\System32\taskswitch.exe
    SAUpdate = C:\Program Files\Insight\BBClient\Programs\SAUpdate.exe
    zBrowser Launcher = C:\Program Files\Logitech\iTouch\iTouch.exe
    EM_EXEC = C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    ATIPTA = C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    ccRegVfy = "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    Microsoft Network Control = C:\WINDOWS\msdrvx.exe
    QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
    SAClient = C:\Program Files\Insight\BBClient\Programs\RegCon.exe /admincheck
    SpyCop ScanCheck = C:\Program Files\Common Files\Microsoft Shared\MAIN.EXE /LASTSCAN
    THGuard = "C:\Program Files\TrojanHunter 3.0\THGuard.exe"

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    LDM = \Program\BackWeb-8876480.exe

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    (no name) - C:\WINDOWS\System32\SbSrch_V2.dll - {4C4871FD-30F6-4430-8834-BC75D58F1529}
    (no name) - C:\WINDOWS\System32\BHO2.dll - {53E10C2C-43B2-4657-BA29-AAE179E7D35C}
    NAV Helper - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Norton AntiVirus - Scan my computer.job
    Norton SystemWorks One Button Checkup.job
    Symantec NetDetect.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [Shockwave ActiveX Control]
    InProcServer32 = C:\WINDOWS\SYSTEM32\Macromed\Director\SwDir.dll
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

    [Symantec AntiVirus scanner]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\avsniff.dll
    CODEBASE = http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab

    [BHO.clsUrlSearch]
    InProcServer32 = C:\WINDOWS\System32\BHO2.dll
    CODEBASE = http://www.adsrvr.com/auth/IE_InstllC.exe

    [RdxIE Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\RdxIE.dll
    CODEBASE = http://207.188.7.150/07287d5f4f34eefa4301/netzip/RdxIE6.cab

    [{6CB5E471-C305-11D3-99A8-000086395495}]
    CODEBASE = http://toolbar.google.com/data/en/deleon/1.1.54-deleon/GoogleNav.cab

    [{8EDAD21C-3584-4E66-A8AB-EB0E5584767D}]
    CODEBASE = http://toolbar.google.com/data/GoogleActivate.cab

    [Update Class]
    InProcServer32 = C:\WINDOWS\System32\iuctl.dll
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37651.5908912037

    [Symantec RuFSI Registry Information Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\rufsi.dll
    CODEBASE = http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    --------------------------------------------------
    End of report, 6,604 bytes
    Report generated in 0.094 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     
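The way this thread was resolved, by correlating the "Enumerating Browser Helper Objects" section of the StartupList report with the "Enumerating Download Program Files" section, can be automated. The script below is an added example and is not from the thread or from StartupList; it parses a constructed excerpt of the report above and flags any ActiveX-installed DLL whose CODEBASE host is outside an assumed allowlist of publishers, noting when that same DLL is also loaded into IE as a BHO.

```python
import re
from urllib.parse import urlparse

# Constructed sample: BHO and Download Program Files sections copied from the StartupList report above.
SAMPLE_REPORT = r"""
Enumerating Browser Helper Objects:
(no name) - C:\WINDOWS\System32\BHO2.dll - {53E10C2C-43B2-4657-BA29-AAE179E7D35C}
NAV Helper - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}
Enumerating Download Program Files:
[BHO.clsUrlSearch]
InProcServer32 = C:\WINDOWS\System32\BHO2.dll
CODEBASE = http://www.adsrvr.com/auth/IE_InstllC.exe
[RdxIE Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\RdxIE.dll
CODEBASE = http://207.188.7.150/07287d5f4f34eefa4301/netzip/RdxIE6.cab
[Update Class]
InProcServer32 = C:\WINDOWS\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB
"""

# Assumed allowlist of publishers the machine's owner trusts (an assumption of this example).
TRUSTED_HOSTS = ("microsoft.com", "macromedia.com", "symantec.com", "google.com")
# "name - dll path - {CLSID}" rows of the BHO section (report lines are expected unindented).
BHO_RE = re.compile(r"^(.+?) - (.+?) - \{[0-9A-Fa-f-]+\}$", re.M)
# "[name]" blocks of the Download Program Files section that name a DLL and where it came from.
DPF_RE = re.compile(r"^\[(.+)\]\nInProcServer32 = (.+)\nCODEBASE = (.+)$", re.M)

def is_trusted(host):
    return any(host == h or host.endswith("." + h) for h in TRUSTED_HOSTS)

def audit_report(text):
    """Map each DLL downloaded from an untrusted CODEBASE to the reasons it looks suspicious."""
    bho_names = {path.lower(): name for name, path in BHO_RE.findall(text)}
    findings = {}
    for name, path, codebase in DPF_RE.findall(text):
        host = urlparse(codebase).hostname or ""
        if is_trusted(host):
            continue  # e.g. the Windows Update control fetched from windowsupdate.microsoft.com
        reasons = ["codebase host not in allowlist: " + host]
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            reasons.append("codebase served from a bare IP address")
        if codebase.lower().endswith(".exe"):
            reasons.append("codebase is an .exe installer rather than a .cab")
        if path.lower() in bho_names:
            reasons.append("same DLL is loaded into IE as BHO %r via class %s" % (bho_names[path.lower()], name))
        findings[path] = reasons
    return findings
```

Run against the constructed excerpt, `audit_report(SAMPLE_REPORT)` flags BHO2.dll (untrusted host, .exe installer, loaded as a BHO) and RdxIE.dll (bare-IP codebase) while leaving the Windows Update control alone.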
  4. kwill152001

    kwill152001

    Joined:
    Feb 7, 2003
    Messages:
    6
    there is a new update for Internet Explorer 6
    try downloading it at www.microsoft.com and see if that makes a difference
     
  5. allenkc

    allenkc Thread Starter

    Joined:
    Feb 6, 2003
    Messages:
    203
    Thanks Kwill for the information but I figured out what the problem was by myself. It seems that something was downloaded onto my computer without me knowing it. I used a program called Hijacker 1.91 to show me what "third party plugins" were installed in IE6. Under the category of "Enumerating Browser Helper Objects" there was one called "BHO2.dll" that I didn't recognize. I deleted it and haven't had the problem since.

    Thanks again for replying to my message. We little guys need to stick together.
     
  6. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
  7. allenkc

    allenkc Thread Starter

    Joined:
    Feb 6, 2003
    Messages:
    203
    Hey Tony thanks for the reply. I had originally deleted that file but after running IE with it in the folder I didn't get the annoying window. But after reading the above thread, I have deleted it altogether. That thing was nasty and I hope no one else gets it. Really bugged the crap out of me.

    Thanks again for your reply. This message board is cool.
     
  8. allenkc

    allenkc Thread Starter

    Joined:
    Feb 6, 2003
    Messages:
    203
    OH and Tony one more thing....do you have any idea how I might have gotten this? Was it a popup that was accidentally clicked on or could it have been spyware that installed on my computer for a shareware program or something?

    Thanks for your time.
     
  9. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    I'm not sure how you may have gotten this one.

    It may have been a so-called "drive by" ActiveX download, if your security settings are too lax.
     
  10. allenkc

    allenkc Thread Starter

    Joined:
    Feb 6, 2003
    Messages:
    203
    I do believe that my security settings were set below MED. I have changed that since all the problems started happening. Hopefully I won't have to deal with that again. WORD OF WARNING...SET YOUR SECURITY SETTINGS IN IE TO AT LEAST MED. TRUST ME YOU DON'T WANT THIS ANNOYING CRAP!
     
  11. brindle

    brindle

    Joined:
    Jun 14, 2002
    Messages:
    3,520
  12. mokru

    mokru

    Joined:
    Feb 9, 2003
    Messages:
    1
    If you want a copy of this email me. Also, an excellent program is BHO cop when combined with Ad-aware 6 or Spybot S&D. It allows you to turn off BHOs which apparently are somehow different than plug-ins. This dll is resistant. S&D removed the original version that did the same thing but this V2 is so new that none of the spyware removal programs catch it yet.
     
Short URL to this thread: https://techguy.org/117345