Mischel Internet Security Forum > Malware > Adware, Browser Hijackers and other Malware
Topic: Getting rid of Spyware: SearchWeb (Read 8572 times)
The Leecher (Newbie)
Getting rid of Spyware: SearchWeb
« on: Nov 28th, 2004, 4:26pm »

"SearchWeb" continues to haunt my MSIE v6.0-SP1 on Windows XP (HE) SP2. I've used: AdAware SE Personal Edition, SpyBot S&D v1.3, CWShredder and Spyware Blaster (all software is updated to current versions). Although these spyware removers eventually remove "SearchWeb," the bloody piece of malware returns as a "SideView" vertical display similar to the display I would select if "Favorites" is selected from the IE Toolbar. I believe an extra Toolbar below my Address Bar is also added by the dreaded "SearchWeb." What can I do to remove it, permanently?
Jimbo
Aaron (Administrator)
Re: Getting rid of Spyware: SearchWeb
« Reply #1 on: Nov 28th, 2004, 5:42pm »

Let's start with a HijackThis log, and we'll go from there.  You can download it from:
 
http://www.spywareinfo.com/~merijn/files/hijackthis.zip
 
Thanks,
 
Aaron
Aaron Hulett | Trojan Analyst | Mischel Internet Security
The Leecher (Newbie)
Re: Getting rid of Spyware: SearchWeb
« Reply #2 on: Nov 29th, 2004, 12:34pm »

I shall attempt running "HiJackThis" today, Monday, Nov. 29th.
'Will post my results as soon as possible. I'm helping a friend out with this problem and I won't be performing "HiJackThis" on my personal computer. I am posting this message and the original problematic "SearchWeb" to the forum from my own computer and not my friend's. He's the one in trouble.
Jimbo
Aaron (Administrator)
Re: Getting rid of Spyware: SearchWeb
« Reply #3 on: Nov 29th, 2004, 1:39pm »

Ok that's fine.  What we'll do is look for suspicious files and then have you email those in for analysis.  Once we review them, we can add definitions to TrojanHunter that you can use to clean this off your system.
 
Thanks,
 
Aaron
Aaron Hulett | Trojan Analyst | Mischel Internet Security
The Leecher (Newbie)
Re: Getting rid of Spyware: SearchWeb
« Reply #4 on: Nov 29th, 2004, 2:36pm »

Shall I email you the "HiJackThis" results to your email address, which I do not have, or should I attempt to post these results on this forum? This has to be done from a different computer (my friend's infected one).
Jimbo
Aaron (Administrator)
Re: Getting rid of Spyware: SearchWeb
« Reply #5 on: Nov 29th, 2004, 3:16pm »

If possible, post them here.  You can login to the forums with your account from their system (it's not limited to just the computer you used to sign up).
 
Aaron
Aaron Hulett | Trojan Analyst | Mischel Internet Security
The Leecher (Newbie)
Re: Getting rid of Spyware: SearchWeb
« Reply #6 on: Nov 29th, 2004, 7:02pm »

Okay: Here's HiJackThis' results ...
 
Logfile of HijackThis v1.98.2
Scan saved at 3:48:01 PM, on 11/29/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
 
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\STOPzilla!\szntsvc.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\STOPzilla!\Stopzilla.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\wanmpsvc.exe
C:\WINNT\explorer.exe
C:\HiJackThis Folder\hijackthis_198\HijackThis.exe
 
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://www.puh.ru/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://www.puh.ru/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\WINNT\System32\SZIEBHO.dll
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
 
Jimbo
The Leecher (Newbie)
Re: Getting rid of Spyware: SearchWeb
« Reply #7 on: Nov 29th, 2004, 7:05pm »

I'm at my friend's computer posting this message. Hopefully, Aaron, you're there to give me a relatively quick answer.
 
Thanks
Jimbo
Aaron (Administrator)
Re: Getting rid of Spyware: SearchWeb
« Reply #8 on: Nov 30th, 2004, 7:58pm »

Sorry, wasn't around yesterday.  But I don't see anything that's "staring me in the face" about that log.  I'm not at home right now, so I don't have my notes handy, but I wonder if a home/searchpage reset would take care of it.  When I get home I'll find those and post my thoughts.
 
You mention a "toolbar" also in this.  Could you possibly email a screenshot of this toolbar to aaron@misec.net so that I can see what you're referring to?
 
Thanks,
 
Aaron
Aaron Hulett | Trojan Analyst | Mischel Internet Security
Randy_Bell (Global Moderator)
Re: Getting rid of Spyware: SearchWeb
« Reply #9 on: Nov 30th, 2004, 8:55pm »

Leecher, I plugged your HJT log into this auto-analyzer and here are its findings:
 
Help2Go Detective
This is BETA Software. Use at your own risk.
 
Suspicious entries have been found in your log. They might be spyware/malware. We advise that you follow all of the directions on this page, and then re-run HijackThis. If you are still seeing this "Suspicious" section, you should go to the Spyware Help section of our site and post your log in a new topic so that our experts can analyze it personally.
 
 
-------------------------------------------------------------
Suggestions  
 
The following are not necessarily spyware/malware, but we suggest you place a check mark next to the following entries, as these programs may be taking up system resources.
 
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
(Description: NVidia graphics card system tray application for tweaking. Not necessary. Removing this entry will free up a small amount of system resources.)
 
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
(Description: Used with internal modems on Gateway and vprMatrix PCs. This is the "GTW modem messaging applet" and is not required for the modem to work correctly. Removing this entry will free up some system resources. )
 
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
(Description: A small program that reminds you to register your Creative Labs product (i.e. sound card, video card). Unnecessary. Removing this will free up a small amount of system resources.)
 
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
(Description: RealPlayer system tray application. Not necessary. Removing this entry will free up a small amount of system resources.)
-------------------------------------------------------------
 
1) Press the "Fix checked" button. Then close HijackThis.

 
2) Then reboot your computer.
 
3) Delete the file C:\WINDOWS\UpdReg.EXE
 
4) Empty your recycle bin.
 
5) Run Windows Update and install all critical updates.
 
6) Make sure your anti-virus program is up to date with the latest patches. If you do not have an anti-virus program, download and install AVG Personal Edition Anti-Virus, which is free.
 
7) Reboot one last time. Your PC should now be free from spyware!
We suggest that you run HijackThis again, just to make sure that none of the entries that you removed suddenly reappeared. If they haven't, print out our HijackThis log and put it somewhere safe. You can refer to it later if your PC starts acting up.
« Last Edit: Nov 30th, 2004, 9:00pm by Randy_Bell »
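The triage that Help2Go Detective does on a HijackThis log can be reproduced in a few lines. This is an added example, not part of the thread and not Help2Go's tool: it parses the R0/R1 (start page and search URL) entries, flags any whose host is not on a hypothetical allowlist, and counts entries per section code. The sample log is constructed from a handful of the entries posted above.

```python
import re
from urllib.parse import urlparse

# Constructed sample in HijackThis v1.98 log format, modelled on the entries
# posted earlier in this thread (a handful of lines, not the whole log).
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://www.puh.ru/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://www.puh.ru/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
"""

# Hypothetical allowlist: hosts this machine's owner deliberately uses for
# the start page and search settings (Yahoo, the SBC DSL portal, IE/MSN defaults).
TRUSTED_HOSTS = {"www.yahoo.com", "search.yahoo.com", "yahoo.sbc.com",
                 "www.microsoft.com", "search.msn.com", "ie.search.msn.com"}

# R0/R1 lines have the shape "<type> - <registry key>,<value name> = <url>"
URL_ENTRY = re.compile(r"^(R[01]) - (.+?),(.+?) = (\S+)$")

def parse_url_entries(log_text):
    """Return (type, key, value_name, url) tuples for every R0/R1 line."""
    entries = []
    for line in log_text.splitlines():
        m = URL_ENTRY.match(line.strip())
        if m:
            entries.append(m.groups())
    return entries

def flag_hijacked(log_text, trusted=TRUSTED_HOSTS):
    """Return (key,value_name, host) for each start/search URL whose host is
    not on the allowlist; these are the entries to review first."""
    flagged = []
    for _type, key, name, url in parse_url_entries(log_text):
        host = (urlparse(url).hostname or "").lower()
        if host not in trusted:
            flagged.append((f"{key},{name}", host))
    return flagged

def count_by_type(log_text):
    """Count lines per HijackThis section code (R0, R1, O2, O4, ...)."""
    counts = {}
    for line in log_text.splitlines():
        m = re.match(r"^([RO]\d+) - ", line.strip())
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts
```

On the sample above the two HKLM search entries pointing at www.puh.ru are the only ones flagged, which matches what a reviewer would single out by eye in the posted log.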
Aaron (Administrator)
Re: Getting rid of Spyware: SearchWeb
« Reply #10 on: Nov 30th, 2004, 10:54pm »

OK let's try this.
 
Right-click on the desktop, choose New, then Text File. When naming it, call it reset.reg. (The key being, the file extension is .reg, and not .txt.)
 
Then, tell it yes when it warns you about changing the file extension.
 
Then, right-click the file, and choose Edit. (This should open it in notepad.)
 
Paste the information inside the box here into notepad.
 
Code:
REGEDIT4
 
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Do404Search"=hex:01,00,00,00
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Search Bar"="http://search.msn.com/spbasic.htm"
"Use Custom Search URL"=dword:00000000
 
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""
 
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl]
""="http://home.microsoft.com/access/autosearch.asp?p=%s"
"provider"=""
" "="+"
"&"="%26"
"+"="%2B"
"#"="%23"
"?"="%3F"
"="="%3D"
 
[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main]
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Search Bar"="http://search.msn.com/spbasic.htm"
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search]
"SearchAssistant"="http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm"
"CustomizeSearch"="http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm"
"Default_Search_URL"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Search_URL"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
 
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL]
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL]
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
@="http://"
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes]
"ftp"="ftp://"
"gopher"="gopher://"
"home"="http://"
"mosaic"="http://"
"www"="http://"

Then exit notepad, and tell it yes to save the changes. Then double-click the reset.reg file, and tell it yes when it asks to import the settings into the registry.
 
This will reset your search capabilities (they'll go back to MSN) and hopefully take care of this.
 
You're still welcome to send a screenshot also before doing anything if you'd like.
 
Aaron
Aaron Hulett | Trojan Analyst | Mischel Internet Security
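A .reg file that has been pasted through a forum tends to pick up wrapped lines and lost quotes, and regedit may refuse to import it. Added example, not part of Aaron's post: a small REGEDIT4 linter, run over a constructed fragment that carries exactly those two defects (an unquoted string value and a key header split across two lines), so the file can be checked before it is imported.

```python
import re

# Constructed sample in REGEDIT4 format with the two defects that forum
# line-wrapping introduces into a pasted .reg file: an unquoted string value
# (line 9) and a key header split across two lines (lines 11-12).
SAMPLE_REG = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Use Custom Search URL"=dword:00000000
"Do404Search"=hex:01,00,00,00

[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main]
"Search Bar"=http://search.msn.com/spbasic.htm

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\Defaul tPre
fix]
@="http://"

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL]
"""

# [HKEY_...\sub\key] or [-HKEY_...] (delete key); no ']' inside a key path.
KEY_LINE = re.compile(r"^\[-?HKEY_[A-Z_]+(\\[^\\\]]+)*\]$")
# "name"=... or @=... with a quoted string, dword:, hex: or "-" (delete value).
VALUE_LINE = re.compile(
    r'^(@|"[^"]*")='
    r'("(?:[^"\\]|\\.)*"|dword:[0-9A-Fa-f]{8}|hex(?:\(\d+\))?:[0-9A-Fa-f]{2}(?:,[0-9A-Fa-f]{2})*|-)$')

def lint_reg(text):
    """Return (line_number, message) for each line regedit would not accept.
    An empty list means the file is syntactically safe to import."""
    problems = []
    lines = text.splitlines()
    if not lines or lines[0].strip() != "REGEDIT4":
        problems.append((1, "first line must be REGEDIT4"))
    for no, raw in enumerate(lines[1:], start=2):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank lines and comments are fine
        if line.startswith("["):
            if not KEY_LINE.match(line):
                problems.append((no, "malformed key header (wrapped line or missing ']')"))
        elif not VALUE_LINE.match(line):
            problems.append((no, "unrecognised line (string values need quotes; "
                                 "check for a wrapped previous line)"))
    return problems
```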
The Leecher (Newbie)
Re: Getting rid of Spyware: SearchWeb
« Reply #11 on: Dec 3rd, 2004, 1:36pm »

Aaron,
 
As soon as I get back to my friend's infected PC's location, I'll take a "Screen Shot" of his actual homepage website's appearance and email it to you. His homepage is: "Yahoo!" I don't know what you mean by the mention of: "They'll go back to MSN" in your last posted statement. As of this posting date, 12/03/04, and after checking with my friend, it appears that his homepage "SearchWeb" infection has disappeared. I haven't a clue as to what may have cleared the original problem ... With one exception, I ran an updated Ad-Aware and SpyBot S&D on Nov. 29th prior to leaving the infected PC's home site. Maybe the extra Spyware found (which I can't recall) by these programs could have cleared up "SearchWeb" and gave "HiJackThis' Log" (the log I copy-pasted to this forum) a clear slate.  
 
I noticed, in your recommended "reset.reg" notepad edited file, the line:  
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\Defaul  tPre fix] @="http://"  
 
appears to have a "typo" error: \Defaul tPre fix ... Is this true?
Jimbo
The Leecher (Newbie)
Re: Getting rid of Spyware: SearchWeb
« Reply #12 on: Dec 3rd, 2004, 1:53pm »

Randy_Bell,
 
What program did you use to auto-analyze my "HJT Log?" Is it purchase-able, freeware, or shareware?
Jimbo
claire (Stole All the Forum Stars)
Re: Getting rid of Spyware: SearchWeb
« Reply #13 on: Dec 3rd, 2004, 3:17pm »

Hi TheLeecher,
 
Here's the progie you're looking for.
 
Caution it's a Beta
 
http://www.help2go.com/modules.php?name=HJTDetective
 
Claire
The Leecher (Newbie)
Re: Getting rid of Spyware: SearchWeb
« Reply #14 on: Dec 10th, 2004, 4:08pm »

All of a sudden, as of today, "MySearchWeb" seems to have disappeared after I ran another update of: SpyBot S&D, AdAware and CWShredder. There is still a remaining "Flashing-Dark-Screen" in the background which comes up immediately after accessing MSIE v6.0-SP1 via DSL. The "Dark-Flashing-Screen" disappears almost immediately prior to a normal "Homepage" screen. I'm still going to follow the instructions given or previously suggested by Aaron. I'd like to keep this posting open until I'm clear of all doubts with regard to the original problems. I shall not be returning to my friend's PC until next week, December 14th.
Jimbo