Explorer and IE Hijacked

ste_w

Hi all

I'm having problem after problem recently lol

OK, my browser, when I click Search, has changed from the regular XP Search, and also something called Mysearch Bar shows a toolbar at the top of IE; although I have disabled it from view, it is still there.

I have run Lavasoft Ad-Aware (latest updates etc.), found a few things and got rid of them. I've run HijackThis 1.9 and deleted known entries, and I've run Aranea Spywizard, but all ain't getting rid of the problem of the Explorer Search. I have attached some pics; pls help and list all software, free or purchase, which will help. Thanx

Ste_W
 

Attachments

  • Search.JPG
  • Searcher.JPG
  • Search The Web.JPG
Open 'Add/Remove Programs' in the Control Panel. Select the 'My Search Bar' (MySearch variant), 'MyWay Speed Bar' (MyWay) or 'My Web Search Bar' (MyWeb) entry and click 'Remove'. For the MyWeb variant, be sure to also remove 'Fun Web Products Easy Installer'.

You can then reset your home page (Internet Options->General->Start Page) if it has been changed, and search settings (Internet Options->Programs->Reset web settings).
 
Try Spybot Search and Destroy. Other than that I don't know. I think it's def spyware. Maybe just new and needs some defs.

Do what EP said lol, he beat me to it.
 
I don't have any of these listed:

'My Search Bar' (MySearch variant), 'MyWay Speed Bar' (MyWay) or 'My Web Search Bar' (MyWeb)
 
OK, so far I have run

Adaware 6 181 Pro
SpyBot
Noadaware
Spyware Doctor
Hijack This
Aranea Spywizard

But still I don't get my normal Search back, and Spybot keeps telling me that Search Assistant is changing something from (for example) fgkjhgkdhgskhk to qwqqljlnmnjk; they really are random letters?
I've used Norton SystemWorks to clean up temp files and I use the Wiping Wizard to delete 2 of the contents in a folder called Upload Coal Live; one file remains in it and cannot be removed, called "Itch Program". Another folder called Xerox, containing the folder "nwwia", cannot be normally deleted. I have no Xerox products installed though, and also have never installed anything like Upload Coal Live. The companies that do this crap should be destroyed lol. It's really annoying!
 
I think you may need to post up your HiJackthis! log - when you say you ran it you did not say if you had it fix anything. Could also try running in Safe Mode when you do all of this to make sure it's effective and running CWShredder too I guess cannot do any harm.
 
OK, using HijackThis I have created 2 logs, the 1st being the Startup List and the 2nd being the HijackThis log of what it detects. The 3rd upload is just a JPEG version of the HijackThis log if it's easier to look at...

Thanx
 

Attachments

  • startuplist.txt
  • Hijack this.JPG
Just been in Safe Mode and got rid of some suspicious-sounding Reg entries using HijackThis; other than that I deleted those 2 folders successfully and stopped the ITCH program startup.

First thing I did was log into the Admin user name, which is only visible when in Safe Mode, and I clicked "Search" on My Computer and the default search look for XP appeared. I then logged into my account, which still has admin rights, and did the same; however, the search didn't show the default search look!?

What's going on?
 
I'm wondering now if this problem is partly caused because you are running from your D: drive and that is giving any problems for SpyBot or Adaware... seems unlikely though, because %sysroot% should find things anyway.

In your log entry:-
[{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection D:\WINDOWS\INF\mswmp.inf,PerUserStub

and

[{4b218e3e-bc98-4770-93d3-2731b9329278}] *
StubPath = %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf

looked suspicious to me - why not fix those and post back?
 
Since doing what I said I did before in Safe Mode, I can't find the stuff you said looked suspicious?

Here's a pic of what the program finds now, anything look strange?
 

Attachments

  • HJ.JPG
Mainframeguy, both of the entries you say to take out are part of Windows XP.
The first one, mswmp.inf, is Windows Media Player and the second one, MarketplaceLinkInstall, is Windows Marketplace Link.
Neither are spyware as both come with XP.
 
Did you shut down system restore (if running) before starting on your removal process?
 
No, but either way System Restore files do not conflict with current Reg files; only if I do a restore will all the crap come back.
 
Here are my entries in registry for search:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"SearchAssistant"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
"CustomizeSearch"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
 
You have a lop.com infection. Lop.com is bundled with MessengerPlus.

So first uninstall MessengerPlus in Add/Remove programs. If you really think you need it you can reinstall it later, but don't install the "sponsor" this time. There is an option during install.

Also if present uninstall

Window Search
Win Tools

If it isn't there run these two uninstallers:

http://lop.com/new_uninstall.exe
http://lop.com/toolbar_uninstall.exe

Update HijackThis to the latest version 1.98.2

With all other windows closed let HijackThis fix these entries if still present (Where is your HijackThis log anyway? Not so convenient to copy and paste from a .jpg):
all R0 entries
O4 - HKLM\..\Run: [MessengerPlus3]..
O4 - HKLM\..\Run: [gplclose] D:\PROGR~1\UPLOAD~1\Itch program.exe (in case you don't know exactly what that is)
O4 - HKCU\..\Run: [MessengerPlus3]..

Delete the folders:
D:\Program Files\MessengerPlus!
D:\Program Files\Upload~1 (= folder beginning with upload)
There usually is still another folder to delete in \Documents and Settings\All Users\Application Data\ - likely you already fixed the entry indicating the name.

Clear your temp and temporary internet files.

Reboot.
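
Added example (not part of the original posts and not HijackThis's own code): reading HijackThis logs as text, which is why a pasted log is easier to work with than a JPEG, and comparing a log taken under the account where Search looks normal with one taken under the affected account, as described earlier in the thread. The line shapes, the sample logs and the `example.invalid` / `Example*` entries are assumptions constructed for illustration; the baseline host is taken from the default Search values quoted above.

```python
import re
from urllib.parse import urlparse

# Assumed HijackThis line shapes: "R1 - HKCU\...\Main,Search Bar = url"
# and "O4 - HKLM\..\Run: [name] command". Both patterns capture 5 fields.
REG_VALUE = re.compile(r"^(R[01]) - (HKLM|HKCU)\\(.+?),([^=]+?) = ?(.*)$")
RUN_ITEM = re.compile(r"^(O4) - (HKLM|HKCU)\\\.\.\\(\w+): \[(.+?)\] (.*)$")
# Host of the default SearchAssistant/CustomizeSearch URLs quoted in the thread.
BASELINE_HOST = "ie.search.msn.com"

# Constructed sample logs (not the poster's): one per Windows account.
CLEAN_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
"""
AFFECTED_LOG = CLEAN_LOG + r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.example.invalid/bar.htm
O4 - HKCU\..\Run: [ExampleAgent] C:\Example\agent.exe
"""

def parse_log(text):
    """Return (section, hive, key, name, data) tuples for R0/R1 and O4 lines."""
    entries = []
    for line in text.splitlines():
        m = REG_VALUE.match(line.strip()) or RUN_ITEM.match(line.strip())
        if m:
            entries.append(tuple(g.strip() for g in m.groups()))
    return entries

def only_in_affected(clean_log, affected_log):
    """Entries in the affected account's log that the clean log lacks."""
    clean = set(parse_log(clean_log))
    return [e for e in parse_log(affected_log) if e not in clean]

def search_overrides(entries, baseline_host=BASELINE_HOST):
    """R0/R1 values named like search settings whose host is not the baseline."""
    hits = []
    for section, hive, key, name, data in entries:
        if section.startswith("R") and "search" in name.lower():
            if urlparse(data).hostname != baseline_host:
                hits.append((hive, name, data))
    return hits

if __name__ == "__main__":
    for entry in only_in_affected(CLEAN_LOG, AFFECTED_LOG):
        print("only in affected account:", entry)
    for hit in search_overrides(parse_log(AFFECTED_LOG)):
        print("search value off baseline:", hit)
```

Entries that appear only in the affected account's log are per-user (HKCU) settings, the ones to review first when one account behaves normally and another does not.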
 
That log is clean.

What is the exact problem now? Still that "search the web" site in IE?
 
