Explorer and IE Hijacked

Discussion in 'Windows Desktop Systems' started by ste_w, Aug 25, 2004.

  1. ste_w

    ste_w Moderator

    Messages:
    756
    Location:
    UK
    Hi all

    I'm having problem after problem recently lol

    OK, my browser when I click search has changed from the regular XP Search, and also something called Mysearch Bar shows a toolbar at the top of IE. Although I have disabled it from view, it is still there.

    I have run Lavasoft Adaware with the latest updates etc., found a few things and got rid of them. I've run HijackThis 1.9 and deleted known entries, and I've run Aranea Spywizard, but none of it is getting rid of the problem of the Explorer search. I have attached some pics. Please help and list all software, free or purchased, which will help. Thanks

    Ste_W
     


  2. Electronic Punk

    Electronic Punk Administrator Staff Member Political User Folding Team

    Messages:
    18,590
    Location:
    Copenhagen, Denmark
    Open 'Add/Remove Programs' in the Control Panel. Select the 'My Search Bar' (MySearch variant), 'MyWay Speed Bar' (MyWay) or 'My Web Search Bar' (MyWeb) entry and click 'Remove'. For the MyWeb variant, be sure to also remove 'Fun Web Products Easy Installer'.

    You can then reset your home page (Internet Options->General->Start Page) if it has been changed, and search settings (Internet Options->Programs->Reset web settings).
     
  3. VenomXt

    VenomXt Blame me for the RAZR's Folding Team

    Messages:
    3,453
    Location:
    Houston, Texas
    Try Spybot Search & Destroy. Other than that I don't know. I think it's def spyware. Maybe just new and needs some defs.

    Do what EP said lol, he beat me to it.
     
  4. ste_w

    ste_w Moderator

    Messages:
    756
    Location:
    UK
    I don't have any of these listed

    'My Search Bar' (MySearch variant), 'MyWay Speed Bar' (MyWay) or 'My Web Search Bar' (MyWeb)
     
  5. ste_w

    ste_w Moderator

    Messages:
    756
    Location:
    UK
    OK, so far I have run

    Adaware 6 181 Pro
    SpyBot
    Noadaware
    Spyware Doctor
    Hijack This
    Aranea Spywizard

    But still I don't get my normal search back, and Spybot keeps telling me that Search Assistant is changing something from (for example) fgkjhgkdhgskhk to qwqqljlnmnjk. They really are random letters?
    I've used Norton SystemWorks to clean up temp files, and I used the Wiping Wizard to delete 2 of the contents in a folder called Upload Coal Live. One file remains in it and cannot be removed, called "Itch Program". Another folder called Xerox, containing the folder "nwwia", cannot be deleted normally. I have no Xerox products installed though, and have also never installed anything like Upload Coal Live. The companies that do this crap should be destroyed lol. It's really annoying!
     
  6. Mainframeguy

    Mainframeguy Debiant by way of Ubuntu Folding Team

    Messages:
    3,763
    Location:
    London, UK
    I think you may need to post up your HijackThis log - when you say you ran it you did not say if you had it fix anything. You could also try running in Safe Mode when you do all of this to make sure it's effective, and running CWShredder too, I guess, cannot do any harm.
     
  7. ste_w

    ste_w Moderator

    Messages:
    756
    Location:
    UK
    OK, using HijackThis I have created 2 logs, the 1st being the Startup List and the 2nd being the HijackThis log of what it detects. The 3rd upload is just a JPEG version of the HijackThis log, if it's easier to look at...

    Thanks
     


  8. ste_w

    ste_w Moderator

    Messages:
    756
    Location:
    UK
    Just been in Safe Mode and got rid of some suspicious-sounding Reg entries using HijackThis. Other than that I deleted those 2 folders successfully and stopped the ITCH program startup.

    First thing I did was log into the Admin user name, which is only visible when in Safe Mode, and I clicked "search" on My Computer and the default search look for XP appeared. I then logged into my account, which still has admin rights, and did the same, however the search didn't show the default search look!?

    What's going on?
     
  9. Mainframeguy

    Mainframeguy Debiant by way of Ubuntu Folding Team

    Messages:
    3,763
    Location:
    London, UK
    I'm wondering now if this problem is partly caused because you are running from your D: drive and that is giving any problems for SpyBot or Adaware... seems unlikely though, because %sysroot% should find things anyway.

    In your log entry:-
    and

    looked suspicious to me - why not fix those and post back?
     
  10. ste_w

    ste_w Moderator

    Messages:
    756
    Location:
    UK
    Since doing what I said I did before in Safe Mode, I can't find the stuff you said looked suspicious?

    Here's a pic of what the program finds now, anything look strange?
     

    Attached Files:

    • HJ.JPG (File size: 112.3 KB)
  11. American Zombie

    American Zombie Moderator Staff Member Political User

    Messages:
    2,931
    Location:
    Seattle
    Mainframeguy, both of the entries you say to take out are part of Windows XP.
    The first one, mswmp.inf, is Windows Media Player and the second one, MarketplaceLinkInstall, is Windows Marketplace Link.
    Neither is spyware, as both come with XP.
     
  12. ste_w

    ste_w Moderator

    Messages:
    756
    Location:
    UK
    lol I didn't delete them but they aren't being shown now?
     
  13. American Zombie

    American Zombie Moderator Staff Member Political User

    Messages:
    2,931
    Location:
    Seattle
    Did you shut down system restore (if running) before starting on your removal process?
     
  14. ste_w

    ste_w Moderator

    Messages:
    756
    Location:
    UK
    No, but either way System Restore files do not conflict with current Reg files, only if I do a restore will all the crap come back.
     
  15. American Zombie

    American Zombie Moderator Staff Member Political User

    Messages:
    2,931
    Location:
    Seattle
    Here are my entries in registry for search:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
    "SearchAssistant"="http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm"
    "CustomizeSearch"="http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm"
     
  16. yoyo

    yoyo _________________

    Messages:
    1,557
    You have a lop.com infection. Lop.com is bundled with MessengerPlus.

    So first uninstall MessengerPlus in Add/Remove programs. If you really think you need it you can reinstall it later, but don't install the "sponsor" this time. There is an option during install.

    Also, if present, uninstall

    Window Search
    Win Tools

    If it isn't there run these two uninstallers:

    http://lop.com/new_uninstall.exe
    http://lop.com/toolbar_uninstall.exe

    Update HijackThis to the latest version 1.98.2

    With all other windows closed let HijackThis fix these entries if still present (Where is your HijackThis log anyway? Not so convenient to copy and paste from a .jpg):
    all R0 entries
    O4 - HKLM\..\Run: [MessengerPlus3]..
    O4 - HKLM\..\Run: [gplclose] D:\PROGR~1\UPLOAD~1\Itch program.exe (in case you don't know exactly what that is)
    O4 - HKCU\..\Run: [MessengerPlus3]..

    Delete the folders:
    D:\Program Files\MessengerPlus!
    D:\Program Files\Upload~1 (=folder beginning with upload)
    There usually is still another folder to delete in \Documents and Settings\All Users\Application Data\ - likely you already fixed the entry indicating the name.

    Clear your temp and temporary internet files.

    Reboot.
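
Added example, not part of yoyo's post or of HijackThis itself: a small Python triage of HijackThis-style log lines that flags SearchAssistant/CustomizeSearch values differing from the stock values posted earlier in the thread, plus the Run entries named above, and reports the hive so a per-user (HKCU) change stands out from a machine-wide (HKLM) one. The sample log is constructed, `example.invalid` is a placeholder, and comparing HKCU values against the HKLM stock values is an assumption.

```python
import re

# Stock values as posted in the thread for HKLM\...\Internet Explorer\Search.
STOCK = {
    "SearchAssistant": "http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm",
    "CustomizeSearch": "http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm",
}
# Run-value names the thread asks to have fixed.
WATCHED_RUN = {"MessengerPlus3", "gplclose"}

# "R0 - HKLM\<key>,<value name> = <data>" and "O4 - HKLM\..\Run: [name] command"
R_LINE = re.compile(r"^(R[0-3]) - (HKLM|HKCU)\\(.+?),(.+?) = ?(.*)$")
O4_LINE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(.+?)\] ?(.*)$")

def triage(log_text):
    """Return (hive, item, reason) tuples for lines that need review."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = R_LINE.match(line)
        if m:
            _, hive, _key, name, value = m.groups()
            # Assumption: per-user values are judged against the HKLM stock values.
            if name in STOCK and value.strip() != STOCK[name]:
                findings.append((hive, name, "differs from stock value"))
            continue
        m = O4_LINE.match(line)
        if m:
            hive, name, _cmd = m.groups()
            if name in WATCHED_RUN:
                findings.append((hive, name, "autostart named in thread"))
    return findings

# Constructed sample log (not the poster's log); example.invalid is a placeholder.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://example.invalid/fgkjhgkdhgskhk
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
O4 - HKLM\..\Run: [gplclose] D:\PROGR~1\UPLOAD~1\Itch program.exe
O4 - HKCU\..\Run: [MessengerPlus3] (command elided)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

if __name__ == "__main__":
    for hive, item, reason in triage(SAMPLE_LOG):
        print(f"{hive:4} {item:16} {reason}")
```

A finding under HKCU only, with HKLM still at the stock value, matches the symptom reported earlier where one account shows the default search and another does not.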
     
  17. ste_w

    ste_w Moderator

    Messages:
    756
    Location:
    UK
    Done that, but the search thing stays the same?
     
  18. yoyo

    yoyo _________________

    Messages:
    1,557
  19. ste_w

    ste_w Moderator

    Messages:
    756
    Location:
    UK
    Here you go
     


  20. yoyo

    yoyo _________________

    Messages:
    1,557
    That log is clean.

    What is the exact problem now? Still that "search the web" site in IE?