Cannot remove "SearchTheWeb" Toolbar 4

[MakeItSo]

Hi guys,

I don't even know why or how it happened, but somehow a SearchTheWeb browser extension has had the courtesy to "install" itself on my machine - and now I can't get rid of it...
I have searched the installed software list, ran Spybot S&D, AdAware 6, Hijack This, BHODemon 2 and StopZilla...

Only Hijack This seemed able to remove the pesty toolbar - for two or three IE starts, or so...
However, the toolbar keeps coming back!

I have ensured, that all browser windows and Outlook are closed and I manually killed two iexplore processes before scanning and deleting with Hijack this.
I also manually deleted all related entries in Registry...

Then, Hijack This did not find any more suspicious entries.
And yet, the toolbar came back after a while.

The machine affected is the one I use at work and is thus behind a firewall. Using Win2k Pro SP 4, IE 6 SP1; automatically updated, with latest hotfixes...

Have you encountered similar things?
I consider this a severe security hole and it really enerves and alarms me!

I would really appreciate your input on this - of any kind.

Thanks in advance!

Cheerio,
MakeItSo

 

[carrr]

Are you running XP?
If so, did you disable sytem restore before removing the entries in HJT?



Tired of waiting for an answer? Try asking better questions. See: faq222-2244

 

[carrr]

Also, do you find any suspect entries in your Add/Remove Programs windows?
If so, take them out.

You could also post a HJT log here for review.

Tired of waiting for an answer? Try asking better questions. See: faq222-2244

 

[MakeItSo]

Hi Carr,

Actually I did - but I searched once more and found something insuspicious (to me) but obviously responsible: my favorite screensaver, which I installed a couple of weeks ago!

I removed it, restarted and ... no more "search assistant"!
Although the toolbar just popped back in , I now know its source (BHODemon just told me, since the toolbar was missing its screensaver...)

For all those also affected: it was the "Water illusion" screensaver, simulating waterfalls and rainforests. Beautiful - but obviously also a security hole...

Thanks a lot for your input, greatly appreciated!

Cheers,
Andy

[blue]The last voice we will hear before the world explodes will be that of an expert saying:
"This is technically impossible!" - Sir Peter Ustinov[/blue]
HP:

http://andygalambos.de

 

[MakeItSo]

Hmpff - issue only temporarily resolved.
Screensaver deinstalled, AdAwared, Hijack Thissed, restarted....The toolbar is back....

What is this? This thing is as pertinacious as a worm...

P.S. Carr: Not running XP, but Win2k SP4

Oh...P.P.S: Of course, McAfee hasn't found anything of interest at all...

Here goes my HJT log (lines in red keep coming back):

Logfile of HijackThis v1.98.2
Scan saved at 14:22:16, on 06.09.2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\nslsvice.exe
C:\Programme\STOPzilla!\szntsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\svchost.exe
C:\Programme\Network Associates\Common Framework\FrameworkService.exe
C:\Programme\Network Associates\VirusScan\Mcshield.exe
C:\Programme\Network Associates\VirusScan\VsTskMgr.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\tcpsvcs.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\Explorer.EXE
C:\Programme\STOPzilla!\Stopzilla.exe
C:\Programme\Network Associates\Common Framework\UpdaterUI.exe
C:\PROGRA~1\MSOFFI~3\OFFICE11\OUTLOOK.EXE
C:\totalcmd\TOTALCMD.EXE
C:\Programme\Internet Explorer\iexplore.exe
c:\progra~1\intern~1\iexplore.exe
C:\Programme\Internet Explorer\IEXPLORE.EXE
C:\Dokumente und Einstellungen\agalambo.EUROPE.000\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [URL unfurl="true"]http://i-net:99[/URL]
[red]R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = [URL unfurl="true"]http://www.vopwdtkucnaruzmsdglsbweof.net/AvGJhJMMI5KerdhjWZ_xwWljKak/ewHltiK2s0LKiW30LHqFpREu07dc8GSrPpWQ.html[/URL][/red]
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\WINNT\system32\SZIEBHO.dll
O4 - HKLM\..\Run: [STOPzilla] "C:\Programme\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
[red]O4 - HKLM\..\Run: [ChicFlaw] C:\PROGRA~1\HELPME~1\more play logo.exe[/red]
O4 - Startup: BHODemon 2.0.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O15 - Trusted Zone: [URL unfurl="true"]http://*.tek-tips.com[/URL]
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - [URL unfurl="true"]http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab[/URL]

[blue]The last voice we will hear before the world explodes will be that of an expert saying:
"This is technically impossible!" - Sir Peter Ustinov[/blue]
HP:

http://andygalambos.de

 

[diogenes10]

I think the things you've highlighted in red are a new variant of lop.

You can try rebooting into safe mode and then allowing hjt to fix the lines you have marked and then delete the
more play logo.exe file.

Also did you set this?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

-------------------------------------
It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?

 

[MakeItSo]

Rebooted in safe mode, applied HJT scan/fix incl. O6 line, AdAwared
Manually deleted temporary IE files, cookies (incl. lob-tracking cookie)
Searched registry for resident entries
Searched Registry "run" (+ run once + ...)entries
Searched other partitions
Rebooted

Toolbar gone for roughly half an hour, re-appeared...
At least I was able to block traffic to/from lob site with the help of an extra firewall (paranoid settings)

This is more than spam or just enerving - this is definitely and certainly illegal, malicious and also leaves a bad impression on M$... (P.S: my private laptop (XP Pro)is equipped with firewall and Mozilla Firefox - not the slightest hint of any comparable security hole ;-)
Regular AdAware scans don't give suspicious results either...

It's giving me the creeps...

Andy

 

[diogenes10]

Andy,
I don't know how these tools work so I may not be asking good questions here, but:

bhodemon and toolbar cop both get recommended on toolbar problems.

When the thing comes back, do either of those give you any additional clues about a possible source?

carrr uses process explorer from sysinternals to look at process relationships, I think I've seen a post where he said he had one problem where he had to have it going just right away when the system fired up because the problem processes were able to hide themselves very quickly.

http://www.neuber.com/taskmanager/index.html

Here is another process reviewer that I've seen some people post indicating it helped them solve their problems.

I'm sorry I can't come up with something really specific to help you get rid of this thing.


-------------------------------------
It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?

 

[MakeItSo]

Diogenes,

first of all: thanks for standing by!
second: already using bhodemon - to no avail...
third: that task manager looks really promising!
It detected the suspicious exe in the background and I was able to move it to a quarantine folder. I hope that it will be gone with restart (can't check immediately...)

Will paste any progress (or backstrokes) here... ;-)

 

[diogenes10]

I was doing a little reading elsewhere and found two comments about this:
1) If there are multiple user accounts, it will infect them all.

2) There is an uninstaller here.

http://lop.com/new_uninstall.exe

(and this could take us straight into the discussions about using uninstalls from the foistware providers sites - just passing on info here.)

-------------------------------------
It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?

 

[CableInstaller]

MakeItSo

there is a batchfile written by one of the Spyware experts @ SWI called pv.zip

http://tools.zerosrealm.com/pv.zip

I would download and unzip..run the "runme.bat" and select the #2 option to list Iexplore dll files.
Post that log here.

 

[MakeItSo]

Hi everyone,

status so far: Toolbar not visible anymore since yesterday - but not completely removed, just suppressed by System Task Manager and firewall.
I have run the log and removed things like iexplore.exe, comctl32.dll for better readability, as well as size info (Full log has 20k...):

   Module information for  'iexplore.exe'
  MODULE         PATH
GDI32.DLL     C:\WINNT\system32\GDI32.DLL      5.00.2195.6898   GDI Client DLL
SHLWAPI.dll   C:\WINNT\system32\SHLWAPI.dll    6.00.2800.1552   Shell Light-weight Utility Library
ADVAPI32.dll  C:\WINNT\system32\ADVAPI32.dll   5.00.2195.6876   Erweitertes Windows 32 Base-API
RPCRT4.DLL    C:\WINNT\system32\RPCRT4.DLL     5.00.2195.6904   Remote Procedure Call Runtime
SHDOCVW.dll   C:\WINNT\system32\SHDOCVW.dll    6.00.2800.1400   Bibliothek für Shell-Dokumente und -Steuerelemente
CLBCATQ.DLL   C:\WINNT\system32\CLBCATQ.DLL    2000.2.3511.0   
OLEAUT32.dll  C:\WINNT\system32\OLEAUT32.dll   2.40.4522       
sensapi.dll   C:\WINNT\system32\sensapi.dll    5.00.2195.6627   SENS Connectivity API DLL
Secur32.dll   C:\WINNT\system32\Secur32.dll    5.00.2195.6695   Security Support Provider Interface
NTDSAPI.dll   C:\WINNT\system32\NTDSAPI.dll    5.00.2195.6666   NT5DS
DNSAPI.DLL    C:\WINNT\system32\DNSAPI.DLL     5.00.2195.6824   DNS Client API DLL
NETRAP.dll    C:\WINNT\system32\NETRAP.dll     5.00.2134.1      Net Remote Admin Protocol DLL
SAMLIB.dll    C:\WINNT\system32\SAMLIB.dll     5.00.2195.6897   SAM Library DLL
rnr20.dll     C:\WINNT\System32\rnr20.dll      5.00.2195.6603   Windows Socket2 NameSpace DLL
iphlpapi.dll  C:\WINNT\system32\iphlpapi.dll   5.00.2195.6602   IP-Hilfs-API
ICMP.DLL      C:\WINNT\system32\ICMP.DLL       5.00.2134.1      ICMP DLL
winrnr.dll    C:\WINNT\System32\winrnr.dll     5.00.2160.1      LDAP RnR Provider DLL
rasadhlp.dll  C:\WINNT\system32\rasadhlp.dll   5.00.2168.1      Remote Access AutoDial Helper
mshtml.dll    C:\WINNT\system32\mshtml.dll     6.00.2800.1458   Microsoft (R) HTML Viewer
msimtf.dll    C:\WINNT\system32\msimtf.dll     1.00.2409.7 built by: Lab06_N Active IMM Server DLL
MSCTF.dll     C:\WINNT\system32\MSCTF.dll      1.00.2409.7 built by: Lab06_N MSUIM Server DLL
MSLS31.DLL    C:\WINNT\system32\MSLS31.DLL     3.10.337.0       Microsoft Line Services library file
IMM32.DLL     C:\WINNT\system32\IMM32.DLL      5.00.2195.6655   Windows 2000 IMM32 API Client DLL
docprop2.dll  C:\WINNT\system32\docprop2.dll   5.00.2178.1      DocProp2
WINMM.DLL     C:\WINNT\system32\WINMM.DLL      5.00.2161.1      MCI API-DLL

Do you see anything suspicious? e.g. msimtf and msctf? both start with ms, but don't seem to be M$...

 

[CableInstaller]

msimtf and msctf are for MS Office installations.

the log must have been bigger than that??

Most times the dll file will only be hooked with iexplore.exe or explorer.exe. you get an eye for spotting crap files after awhile.
If you do a quick once over on a full log, at first glance, look for any dll file that has a blank for description, no info is usually a giveaway that it is something you dont need.(although not always, as in this log the blank files are both legit).
Have you used regedit before?
if you look under these keys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinTrust\TrustProviders
and
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers
the keys under "Trust Providers" if you look in the data, will sometimes reveal what software it belongs to.
These are the keys that store info about the security box that appears for downloaded programs and the box that is checked "Always trust xxx" & wont display that message anymore...meaning if you hit a website that offers the plugin, Websearch,comet cursor, etc..it just installs auto because it is in your trusted list.

Really would need to see the whole log, for both IE and Explorer...
another thing you can try is this utility DLLCompare

http://download.broadbandmedic.com/DllCompare.exe

it was not meant for this type of Hijack but can sometimes reveal problem files if any are listed in the bottom half of the window.(run on defaults)

 

[MakeItSo]

SOLVED!!!
Everyone here: Thanks a bunch!
To carr, since first step was to uninstall the screensaver.
To diogenes: The uninstaller did an excellent job! (Also got pointed to it by jwbirdsong on SWI forums
To CableInstaller Thanks for the hint to SWI. Great experts there.

Finally got it all removed by following the steps provided by jwbirdsong

Now that was some sweating for a lousy toolbar, wasn't it?
- lol

[blue]The last voice we will hear before the world explodes will be that of an expert saying:
"This is technically impossible!" - Sir Peter Ustinov[/blue]
HP:

http://andygalambos.de

 

[diogenes10]

Thanks for posting back.

So with this it's apparently necessary to run the uninstaller and clear assorted temporary files as well as do the hjt log fixes.

-------------------------------------
It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?

 

[MakeItSo]

Yes - depends: I didn't even have to do the HJT fixes after running the uninstaller - it did a clean job! ;-)
But the temp files: Yes, by all means clean 'em all

Wipe all temp files for all user profiles (i.e. the contents of C:\Winnt\Temp, of Docs and Settings\..\Temp, and of Docs and Settings\..\Temporary Internet Files.

Plus: Empty the recycle bin...

Don't give lop a chance...

 

[VBmim]

Thanks a lot diogenes10! the uninstall solved a very nagging problem.
Thanks!!

 

[Pagat]

MakeItSo,

i have an opposite problem! one of my customer want ''Search the Web'' back - he deleted it by mistake. and of course, he has no recall how or from where this ''Search the Web'' came. here is the url how it's like:

http://img82.exs.cx/img82/576/searchtheweb8tw.jpg

could you help me to put back this trouble maker tool?
TIA

 

[MakeItSo]

Hi Pagat,

I'm not going to try the download links, since I know how fast I got that crap. ;-)

Anyway: you should pretty quickly end up with the desired toolbar, if you hit

http://www.smileycentral.com/

Looks like you can easily get the desired WebSearch BHO from
there...


Good luck!
Andy


[blue]An eye for an eye only ends up making the whole world blind. - "Mahatma" Mohandas K. Gandhi[/blue]