Browser hijacked by searchcentrix.com

Status
Not open for further replies.
Aug 6, 2003
83
US
I have tried just about EVERY spyware remover to get rid of this pest. I find instances of it in the registry. I delete them and after a restart, it still shows up.
It's not that much of a problem, but if I screw up typing a URL in the address bar, it defaults to that searchcentrix.com page.

I have tried everything, many ad-ware removals proggys, several spybot removals programs, checked the startup config, etc. I've performed updates to the spybot and ad-ware proggys as recommended.

A search for "searchcentrix.com" on Google yields only two results, with no suggestions beyond what I have tried.

The URL below is where it takes me, any clues within there (DO NOT GO TO THAT URL), I would assume you will be hit with it as well if you do.

Help??

P.S.

Dear searchcentrix.com people,

You suck.



 
Also, if you're using W2K or higher disable system restore before you scan or clean everything. After everything is clean reboot and then re-enable system restore.

Cheers.
 
A wild shot, but have you tried something like startup.exe from... Mike Lin I believe. ? It digs into all of the places Windows hides auto start programs. It won't deal with things within IE, however many hijackers use other auto-start programs to re-install themselves if removed. I install it on every PC I work on. It's freeware ( or more correctly the version I use is: he went to shareware or more half a year ago, but his old version works on XP: not sure about server 2003 ): happy to send you a copy if you would like it.

Paul
 
bristolxyz

Please do what sydspirit suggests, and post your hijackthis log and I'm sure we will be able to solve your problem.

Please Download hijackthis from


Unzip, doubleclick HijackThis.exe, and hit "Scan".

After the scan has finished the "scan" button will turn into a "save log" button

save the log file and paste it here

Do not delete anything yet, as most things hijackthis finds are harmless and needed.

steam
 
OT and parenthetical aside to steamwiz:

Have you looked at the FROGGYJ issue: thread608-669691
Curious.
 
I see the entry at R1

(R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
But I have removed it several times. I have system restore turned off (did that previous to doing any of this). Anyone see anything that might be loading it back into my machine? Most of what I see is recognizable.

Regards

________________________________________________

Logfile of HijackThis v1.97.7
Scan saved at 10:09:56 AM, on 11/29/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\spoolsv.exe
C:\Windows\system32\crypserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Windows\System32\svchost.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\atiptaxx.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Windows\System32\ctfmon.exe
C:\Program Files\NoFlash\NoFlash.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Junk\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by some asshole
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-DFF7-EC6BF4D5FA7D} - C:\Windows\gsim.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\Windows\System32\msdxm.ocx
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [BCWipeTM Startup] "C:\Program Files\Jetico\BCWipe\BCWipeTM.exe" startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\Windows\System32\ctfmon.exe
O4 - HKCU\..\Run: [No! Flash] C:\Program Files\NoFlash\NoFlash.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Linked Ima&ges - C:\Program Files\IEimage\IEimage.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ATI TV (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Wallpaper (HKLM)
O9 - Extra 'Tools' menuitem: &Toolbar Wallpaper (HKLM)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) -
O16 - DPF: {0D3983A9-4E29-4F33-8313-DA22B29D3F87} (QuickBooks Online Edition Utilities Class v6) -
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{B2374CC7-A78D-4FB4-8455-27E88F141DCC}: NameServer = 24.95.227.34,24.95.227.35
 
This'll be the one.....but it's new, so before fixing it, would you please copy the .dll and send it to me at :-

cactus445@hotmail.com

Then do this

Close all browser windows - run hijackthis and tick to fix :-

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-DFF7-EC6BF4D5FA7D} - C:\Windows\gsim.dll

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
unless you locked it with spybot


O17 - HKLM\System\CCS\Services\Tcpip\..\{B2374CC7-A78D-4FB4-8455-27E88F141DCC}: NameServer = 24.95.227.34,24.95.227.35
if it isn't your ISP

steam
 
You're talking about the dll here:??

O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-DFF7-EC6BF4D5FA7D} - C:\Windows\gsim.dll
 
THAT DID IT! It appears it was that pesky dll. Here's the log after;;;;

Logfile of HijackThis v1.97.7
Scan saved at 10:13:12 AM, on 11/30/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\spoolsv.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\crypserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\atiptaxx.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Windows\System32\ctfmon.exe
C:\Program Files\NoFlash\NoFlash.exe
C:\Junk\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by some asshole
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\Windows\System32\msdxm.ocx
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [BCWipeTM Startup] "C:\Program Files\Jetico\BCWipe\BCWipeTM.exe" startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\Windows\System32\ctfmon.exe
O4 - HKCU\..\Run: [No! Flash] C:\Program Files\NoFlash\NoFlash.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Linked Ima&ges - C:\Program Files\IEimage\IEimage.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ATI TV (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Wallpaper (HKLM)
O9 - Extra 'Tools' menuitem: &Toolbar Wallpaper (HKLM)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) -
O16 - DPF: {0D3983A9-4E29-4F33-8313-DA22B29D3F87} (QuickBooks Online Edition Utilities Class v6) -
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} -
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{B2374CC7-A78D-4FB4-8455-27E88F141DCC}: NameServer = 24.95.227.34,24.95.227.35
 
bristolxyz

Yes that's the one.........Thanks for the file

{4E7BD74F-2B8D-469E-DFF7-EC6BF4D5FA7D}: gsim.dll -

Confirmed as :-

Searchcentric.com/Mygeek.com hijacker

By the way, your log is now clean

steam
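
The triage done by eye on the log in this thread, written out as an added example (not part of the original posts and not HijackThis's own code): it parses log entries and lists IE search settings (R0/R1) and BHOs (O2) whose DLL sits directly in the Windows directory. The function names and both heuristics are assumptions for illustration; a listed entry is a candidate to look up, not a verdict.

```python
import re
from ntpath import dirname, normcase  # Windows path rules on any host OS

# Constructed sample: a few entries copied from the first log in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-DFF7-EC6BF4D5FA7D} - C:\Windows\gsim.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
"""

ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")
BHO = re.compile(r"^BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")


def parse_log(text):
    """Return (code, body) pairs for every 'Xn - ...' entry line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def review_candidates(text, windows_dir=r"C:\Windows"):
    """List entries worth a manual lookup (assumed heuristics, not a verdict)."""
    flagged = []
    for code, body in parse_log(text):
        if code in ("R0", "R1"):
            # Only the value name left of '=' is checked, never the URL itself.
            if re.search("search", body.split("=")[0], re.I):
                flagged.append((code, body, "IE search setting"))
        elif code == "O2":
            m = BHO.match(body)
            # A BHO DLL dropped straight into the Windows directory, rather
            # than under a vendor folder, is the pattern gsim.dll shows here.
            if m and normcase(dirname(m.group(3))) == normcase(windows_dir):
                flagged.append((code, body, "BHO DLL directly in Windows dir"))
    return flagged


if __name__ == "__main__":
    for code, body, reason in review_candidates(SAMPLE_LOG):
        print(f"{reason}: {code} - {body}")
```

Both BHOs in the sample show "(no name)", so the missing name alone does not separate gsim.dll from Spybot's SDHelper.dll; the DLL location does.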
 
What is it with the dll... do these advertisers plant that crap on your computer somehow and use it to re-load their stuff?
Other than looking thru the log or registry for suspect stuff, how would I know that that is a bad dll? Is there a way to tell other than NOT recognizing it as a good one..?
 
Just another note:

Thanks to everyone here for all the help.
I found a ton of information regarding BHO's, startup proggies, dll's etc. I read a rather long paper in the developers forum regarding BHO's and things like that.
As these things become more popular and companies use these tactics to infect us with their unwanted advertising, sometimes it's hard to keep up.
Do these people know how annoying it is? LOL.. What kind of executive would make that kind of damaging decision to use those tactics. It's bad business as far as I'm concerned.

Once again.. everyone, thanks for the education! :)

Regards
 