# ssearch.biz removal??



## StealthXterm (Jul 25, 2004)

Hello,
I'm Craig and this is my first post in this wonderfull forum.

I have a big problem and need help, fast.

My clients are having troubles with Internet Explorer. When they open Internet Explorer, they get redirected to http://ssearch.biz/?wmid=1001, they can't use "Open in New Window" and links that open new windows also doesn't work.

I've used CWShredder, Spybot - Search & Destroy, Webroot - Spy Sweeper and they didn't help.

Here's the HijackThis log, thanks in advance

Cheers

Craig

---------------------
Logfile of HijackThis v1.98.0
Scan saved at 8:14:04 PM, on 7/25/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP3 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\wuauclt.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\winnt\downloaded program files\googletoolbar_en_2.0.95-deleon.dll (file missing)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\downloaded program files\googletoolbar_en_2.0.95-deleon.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [TpHotkey] C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [\IEService.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERV~1\IEService.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\winnt\downloaded program files\GoogleToolbar_en_2.0.95-deleon.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward &Links - res://c:\winnt\downloaded program files\GoogleToolbar_en_2.0.95-deleon.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\winnt\downloaded program files\GoogleToolbar_en_2.0.95-deleon.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\winnt\downloaded program files\GoogleToolbar_en_2.0.95-deleon.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://c:\winnt\downloaded program files\GoogleToolbar_en_2.0.95-deleon.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.co.uk
O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potd_x.cab
O16 - DPF: {10000030-1000-0000-1000-000000000000} - ms-its:mhtml:file://c:\\MAIN.MHT!http://hq-dialer.com/dial.chm?wmid=1001::/x.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi_0727.dll
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_3us.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://supportcenter.vzavenue.com/downloads/files/VZAPreQual.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1F5A7B42-D3C9-48E5-983E-9C81F56FC300}: NameServer = 80.225.252.58 80.225.252.50


----------



## StealthXterm (Jul 25, 2004)

Does anyone know?


----------



## StealthXterm (Jul 25, 2004)

Can anyone help? This is imporant, I need this realy bad


----------



## StealthXterm (Jul 25, 2004)

I see that there were some views, maybe no one can understand me?


----------



## StealthXterm (Jul 25, 2004)

bump


----------



## StealthXterm (Jul 25, 2004)

Just 5 minutes ago, I started to also get an error and Norton keeps notifying me with a virus. This happens when I open Internet Explorer. Please help

P.S. Error is:

Internet Explorer cannot open the Internet site 
ms-its:mhtml:file://c:\209.8.161.54:80\dexGB897.exe.mht!http://209.8.161.54:80/iex/2.chm::/1.htm.

The specified protocol is unknown.


----------



## Flrman1 (Jul 26, 2002)

Run Hijack This again and put a check by these. Close *ALL* windows except HijackThis and click "Fix checked"

*O4 - HKCU\..\Run: [\IEService.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERV~1\IEService.exe

O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab

O16 - DPF: {10000030-1000-0000-1000-000000000000} - ms-its:mhtml:file://c:\\MAIN.MHT!http://hq-dialer.com/dial.chm?wmid=1001::/x.exe*

Restart to safe mode and delete:

The C:\Documents and Settings\All Users\Application Data\*IEservice* folder

How to start your computer in safe mode


----------



## StealthXterm (Jul 25, 2004)

Thanks for the advice, but I keep getting redirected to the web, and the same error keeps showing. I did EVERYTHING you said. Here's the current HijackThis log:

Logfile of HijackThis v1.98.0
Scan saved at 8:10:37 PM, on 7/26/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP3 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\wuauclt.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [TpHotkey] C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\winnt\downloaded program files\GoogleToolbar_en_2.0.95-deleon.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward &Links - res://c:\winnt\downloaded program files\GoogleToolbar_en_2.0.95-deleon.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\winnt\downloaded program files\GoogleToolbar_en_2.0.95-deleon.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\winnt\downloaded program files\GoogleToolbar_en_2.0.95-deleon.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://c:\winnt\downloaded program files\GoogleToolbar_en_2.0.95-deleon.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.co.uk
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi_0727.dll
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_3us.cab


----------



## Flrman1 (Jul 26, 2002)

I don't see anything in your log.

Click here to download CWShredder. Close all browser windows,UnZip the file, click on the cwshredder.exe then click *"Fix" (Not "Scan only")* and let it do it's thing.

When it is finished *restart your computer*.

Go here and download Adaware 6 Build 181

Install the program and launch it.

First in the main window look in the bottom right corner and click on *Check for updates now* and download the latest referencefiles.

Make sure the following settings are made and on -------*ON=GREEN*

From main window :Click *Start* then *Activate in-depth scan (recommended)*

Click *Use custom scanning options* then click *Customize* and have these options selected: Under *Drives and Folders* put a check by *Scan within archives* and below that under *Memory and Registry* put a check by *all* the options there.

Now click on the *Tweak* button in that same window. Under *Scanning engine* select *Unload recognized processes during scanning* and under *Cleaning Engine* select *Let windows remove files in use at next reboot*

Click *proceed* to save your settings.

Now to scan just click the *Next* button.

When the scan is finished mark everything for removal and get rid of it.(Right-click the window and choose *select all* from the drop down menu and click *Next*)

*Restart your computer*.

Come back here and post another Hijack This log and we'll get rid of what's left.


----------



## StealthXterm (Jul 25, 2004)

Should the "Activate in-depth scan (recommended)" be on or off?


----------



## Flrman1 (Jul 26, 2002)

It should be On


----------



## StealthXterm (Jul 25, 2004)

OK, checked, fixed and all that. Just 1 problem.. Didn't help  here's the log:

Logfile of HijackThis v1.98.0
Scan saved at 9:28:30 PM, on 7/26/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP3 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\ThinkPad\Utilities\tponscr.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [TpHotkey] C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\winnt\downloaded program files\GoogleToolbar_en_2.0.95-deleon.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward &Links - res://c:\winnt\downloaded program files\GoogleToolbar_en_2.0.95-deleon.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\winnt\downloaded program files\GoogleToolbar_en_2.0.95-deleon.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\winnt\downloaded program files\GoogleToolbar_en_2.0.95-deleon.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://c:\winnt\downloaded program files\GoogleToolbar_en_2.0.95-deleon.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.co.uk
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi_0727.dll
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_3us.cab


----------



## Flrman1 (Jul 26, 2002)

Didn't help what? There is no sign of any redirection in the log. It shows the start pages as http://www.yahoo.com.

Did you run Adaware?


----------



## StealthXterm (Jul 25, 2004)

Yes I did, but it didn't work. I posted that log before i opened Internet Explorer, so I guess the trojan works when Internet Explorer is opened. Here's the log after it was opened:

Logfile of HijackThis v1.98.0
Scan saved at 9:51:36 PM, on 7/26/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP3 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\ThinkPad\Utilities\tponscr.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [TpHotkey] C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\winnt\downloaded program files\GoogleToolbar_en_2.0.95-deleon.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward &Links - res://c:\winnt\downloaded program files\GoogleToolbar_en_2.0.95-deleon.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\winnt\downloaded program files\GoogleToolbar_en_2.0.95-deleon.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\winnt\downloaded program files\GoogleToolbar_en_2.0.95-deleon.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://c:\winnt\downloaded program files\GoogleToolbar_en_2.0.95-deleon.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.co.uk
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi_0727.dll
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_3us.cab


----------



## Flrman1 (Jul 26, 2002)

Well there is still nothing showing in the log. Please explain exactly what is happening in as much detail as possible so I can get an idea of what to look for.

Download this zip.

http://tools.zerosrealm.com/pv.zip

unzip it to the desktop.

Be sure to have at least 1 internet explorer window open.

Double click on the *runme.bat*

This will open a command window. In the command window enter the digit *1* by hitting the 1 key on your keyboard and then hit the Enter key.

Notepad will open with a log in it. Please copy and paste the log into this thread.


----------



## StealthXterm (Jul 25, 2004)

When I open Internet Explorer, I get redirected to the http://search.biz... website, but my homepage is set to yahoo.com. When I get redireceted, I get an error posted above and Norton claims that there's a trojan found and deleted. I can't use Internet Explorers back and forward commands, when I do a OPEN IN NEW WINDOW I get redireceted to the search.biz website.

Here's the log:

Module information for 'Explorer.EXE'
MODULE BASE SIZE PATH
Explorer.EXE 400000 253952 C:\WINNT\Explorer.EXE 5.00.3502.5321 Windows Explorer
ntdll.dll 77f80000 512000 C:\WINNT\system32\ntdll.dll 5.00.2195.6899 NT Layer DLL
ADVAPI32.DLL 7c2d0000 401408 C:\WINNT\system32\ADVAPI32.DLL 5.00.2195.6876 Advanced Windows 32 Base API
KERNEL32.DLL 7c570000 753664 C:\WINNT\system32\KERNEL32.DLL 5.00.2195.6897 Windows NT BASE API Client DLL
RPCRT4.DLL 77d30000 462848 C:\WINNT\system32\RPCRT4.DLL 5.00.2195.6904 Remote Procedure Call Runtime
GDI32.DLL 77f40000 253952 C:\WINNT\system32\GDI32.DLL 5.00.2195.6898 GDI Client DLL
USER32.DLL 77e10000 413696 C:\WINNT\system32\USER32.DLL 5.00.2195.6897 Windows 2000 USER API Client DLL
SHLWAPI.DLL 63180000 294912 C:\WINNT\system32\SHLWAPI.DLL 5.00.3521.1800 Shell Light-weight Utility Library
COMCTL32.DLL 77b50000 561152 C:\WINNT\system32\COMCTL32.DLL 5.81 Common Controls Library
IMM32.DLL 75e60000 106496 C:\WINNT\system32\IMM32.DLL 5.00.2195.4314 Windows 2000 IMM32 API Client DLL
shim.dll 732e0000 151552 C:\WINNT\system32\shim.dll 5.00.2195.5308 Shim Engine DLL
AcLayers.DLL 23000000 352256 C:\WINNT\AppPatch\AcLayers.DLL 5.00.2195.5308 Windows 2000 Shim Accessory DLL
SHELL32.dll 782f0000 2375680 C:\WINNT\system32\SHELL32.dll 5.00.3502.6144 Windows Shell Common Dll
OLE32.DLL 77a50000 978944 C:\WINNT\system32\OLE32.DLL 5.00.2195.6906 Microsoft OLE for Windows
CLBCATQ.DLL 775a0000 589824 C:\WINNT\system32\CLBCATQ.DLL 2000.2.3511.0 
OLEAUT32.dll 779b0000 634880 C:\WINNT\system32\OLEAUT32.dll 2.40.4518 
MSVCRT.dll 78000000 286720 C:\WINNT\system32\MSVCRT.dll 6.10.9359.0 Microsoft (R) C Runtime Library
cscui.dll 77840000 249856 C:\WINNT\system32\cscui.dll 5.00.2195.4104 Client Side Caching UI
CSCDLL.DLL 770c0000 143360 C:\WINNT\system32\CSCDLL.DLL 5.00.2195.5434 Offline Network Agent
SHDOCVW.DLL 71500000 1118208 C:\WINNT\system32\SHDOCVW.DLL 5.00.3526.800 Shell Doc Object and Control Library
browseui.dll e50000 806912 C:\WINNT\System32\browseui.dll 5.00.3525.2300 Shell Browser UI Library
USERENV.DLL 7c0f0000 397312 C:\WINNT\system32\USERENV.DLL 5.00.2195.6794 Userenv
mydocs.dll 76df0000 69632 C:\WINNT\system32\mydocs.dll 5.00.3315.4065 My Documents Folder UI
ntshrui.dll 76fa0000 61440 C:\WINNT\system32\ntshrui.dll 5.00.2134.1 Shell extensions for sharing
ATL.DLL 773e0000 86016 C:\WINNT\system32\ATL.DLL 3.00.9435 ATL Module for Windows NT (Unicode)
NETAPI32.DLL 75170000 323584 C:\WINNT\system32\NETAPI32.DLL 5.00.2195.6897 Net Win32 API DLL
SECUR32.DLL 77be0000 61440 C:\WINNT\system32\SECUR32.DLL 5.00.2195.4587 Security Support Provider Interface
NETRAP.DLL 751c0000 24576 C:\WINNT\system32\NETRAP.DLL 5.00.2134.1 Net Remote Admin Protocol DLL
SAMLIB.DLL 75150000 61440 C:\WINNT\system32\SAMLIB.DLL 5.00.2195.6897 SAM Library DLL
WS2_32.DLL 75030000 77824 C:\WINNT\system32\WS2_32.DLL 5.00.2195.4874 Windows Socket 2.0 32-Bit DLL
WS2HELP.DLL 75020000 32768 C:\WINNT\system32\WS2HELP.DLL 5.00.2134.1 Windows Socket 2.0 Helper for Windows NT
WLDAP32.DLL 77950000 163840 C:\WINNT\system32\WLDAP32.DLL 5.00.2195.5944 Win32 LDAP API DLL
DNSAPI.DLL 77980000 147456 C:\WINNT\system32\DNSAPI.DLL 5.00.2195.6824 DNS Client API DLL
WSOCK32.DLL 75050000 32768 C:\WINNT\system32\WSOCK32.DLL 5.00.2195.4874 Windows Socket 32-Bit DLL
MPR.DLL 76620000 65536 C:\WINNT\system32\MPR.DLL 5.00.2195.6824 Multiple Provider Router DLL
NETSHELL.dll 76f20000 479232 C:\WINNT\system32\NETSHELL.dll 5.00.2195.5431 Network Connections Shell
ntlanman.dll 75160000 49152 C:\WINNT\System32\ntlanman.dll 5.00.2195.5428 Microsoft® Lan Manager
NETUI0.DLL 75210000 86016 C:\WINNT\System32\NETUI0.DLL 5.00.2195.4874 NT LM UI Common Code - GUI Classes
NETUI1.DLL 751d0000 229376 C:\WINNT\System32\NETUI1.DLL 5.00.2134.1 NT LM UI Common Code - Networking classes
MSI.DLL 770f0000 2084864 C:\WINNT\system32\MSI.DLL 2.0.2600.2 Windows Installer
webcheck.dll 76680000 266240 C:\WINNT\System32\webcheck.dll 5.00.3315.3727 Web Site Monitor
stobject.dll 766d0000 98304 C:\WINNT\system32\stobject.dll 5.00.2195.4455 Systray shell service object
BATMETER.DLL 76740000 32768 C:\WINNT\system32\BATMETER.DLL 5.00.3502.5305 Battery Meter Helper DLL
SETUPAPI.DLL 77880000 577536 C:\WINNT\system32\SETUPAPI.DLL 5.00.2195.5400 Windows Setup API
POWRPROF.DLL 766f0000 28672 C:\WINNT\system32\POWRPROF.DLL 5.00.3502.5305 Power Profile Helper DLL
WINMM.DLL 77570000 196608 C:\WINNT\system32\WINMM.DLL 5.00.2161.1 MCI API DLL
behknqtw.dll 10000000 192512 c:\winnt\system32\behknqtw.dll 
WININET.dll 63000000 462848 C:\WINNT\system32\WININET.dll 5.00.3526.800 Internet Extensions for Win32
wdmaud.drv 77560000 36864 C:\WINNT\system32\wdmaud.drv 5.00.2195.3649 WDM Audio driver mapper
msacm32.drv 77400000 32768 C:\WINNT\system32\msacm32.drv 5.00.2134.1 Microsoft Sound Mapper
MSACM32.dll 77410000 77824 C:\WINNT\system32\MSACM32.dll 5.00.2134.1 Microsoft ACM Audio Filter
LINKINFO.DLL 76710000 36864 C:\WINNT\system32\LINKINFO.DLL 5.00.2134.1 Windows Volume Tracking
es.dll 76290000 249856 C:\WINNT\System32\es.dll 2000.2.3511.0 
TxfAux.Dll 6de80000 409600 C:\WINNT\System32\TxfAux.Dll 2000.2.3511.0 Support routines for TXF
RASAPI32.DLL 774e0000 204800 C:\WINNT\system32\RASAPI32.DLL 5.00.2195.5438 Remote Access API
RASMAN.DLL 774c0000 69632 C:\WINNT\system32\RASMAN.DLL 5.00.2195.6738 Remote Access Connection Manager
TAPI32.DLL 77530000 139264 C:\WINNT\system32\TAPI32.DLL 5.00.2182.1 Microsoft® Windows(TM) Telephony API Client DLL
RTUTILS.DLL 77830000 57344 C:\WINNT\system32\RTUTILS.DLL 5.00.2168.1 Routing Utilities
sensapi.dll 75ab0000 20480 C:\WINNT\system32\sensapi.dll 5.00.2163.1 SENS Connectivity API DLL
RASDLG.dll 75870000 536576 C:\WINNT\system32\RASDLG.dll 5.00.2195.5438 Remote Access Common Dialog API
MPRAPI.dll 77320000 94208 C:\WINNT\system32\MPRAPI.dll 5.00.2181.1 Windows NT MP Router Administration DLL
ACTIVEDS.DLL 773b0000 188416 C:\WINNT\system32\ACTIVEDS.DLL 5.00.2195.5312 ADs Router Layer DLL
ADSLDPC.DLL 77380000 139264 C:\WINNT\system32\ADSLDPC.DLL 5.00.2195.5781 ADs LDAP Provider C DLL
rsabase.dll 7ca00000 139264 C:\WINNT\system32\rsabase.dll 5.00.2195.3839 Microsoft Base Cryptographic Provider (Export Version)
CRYPT32.dll 7c740000 552960 C:\WINNT\system32\CRYPT32.dll 5.131.2195.6824 Crypto API32
MSASN1.DLL 77430000 65536 C:\WINNT\system32\MSASN1.DLL 5.00.2195.6905 ASN.1 Runtime APIs
rnr20.dll 782c0000 49152 C:\WINNT\System32\rnr20.dll 5.00.2195.4874 Windows Socket2 NameSpace DLL
iphlpapi.dll 77340000 77824 C:\WINNT\system32\iphlpapi.dll 5.00.2195.2 IP Helper API
ICMP.DLL 77520000 20480 C:\WINNT\system32\ICMP.DLL 5.00.2134.1 ICMP DLL
DHCPCSVC.DLL 77360000 102400 C:\WINNT\system32\DHCPCSVC.DLL 5.00.2195.4874 DHCP Client Service
winrnr.dll 777e0000 32768 C:\WINNT\System32\winrnr.dll 5.00.2160.1 LDAP RnR Provider DLL
rasadhlp.dll 777f0000 20480 C:\WINNT\system32\rasadhlp.dll 5.00.2168.1 Remote Access AutoDial Helper
msafd.dll 74fd0000 118784 C:\WINNT\system32\msafd.dll 5.00.2195.4874 Microsoft Windows Sockets 2.0 Service Provider
wshtcpip.dll 75010000 28672 C:\WINNT\System32\wshtcpip.dll 5.00.2195.4874 Windows Sockets Helper DLL
shdoclc.dll 76d90000 339968 C:\WINNT\system32\shdoclc.dll 5.00.3502.5039 Shell Doc Object and Control Library
WZSHLSTB.DLL 16200000 24576 C:\PROGRA~1\WINZIP\WZSHLSTB.DLL 4.1 (32-bit) WinZip Shell Extension DLL
VERSION.dll 77820000 28672 C:\WINNT\system32\VERSION.dll 5.00.2134.1 Version Checking and File Installation Libraries
LZ32.DLL 759b0000 24576 C:\WINNT\system32\LZ32.DLL 5.00.2134.1 LZ Expand/Compress API DLL
ymmapi.dll 64000000 188416 C:\PROGRA~1\YAHOO!\COMMON\ymmapi.dll 2004, 6, 13, 1 YMMAPI Module
MSONSEXT.DLL 379b0000 573440 C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL 
NavShExt.dll 1f00000 98304 C:\Program Files\Norton AntiVirus\NavShExt.dll 10.00.3 Norton AntiVirusNAVShellExt Module
MSVCP70.dll 1f20000 487424 C:\WINNT\system32\MSVCP70.dll 7.00.9466.0 Microsoft® C++ Runtime Library
MSVCR70.dll 7c000000 344064 C:\WINNT\system32\MSVCR70.dll 7.00.9466.0 Microsoft® C Runtime Library
browselc.dll 76ee0000 45056 C:\WINNT\System32\browselc.dll 5.00.3502.4373 Shell Browser UI Library
docprop2.dll 71f00000 315392 C:\WINNT\System32\docprop2.dll 5.00.2178.1 DocProp2
MSVFW32.DLL 6a8f0000 131072 C:\WINNT\System32\MSVFW32.DLL 5.00.2134.1 Microsoft Video for Windows DLL
AVIFIL32.DLL 74870000 90112 C:\WINNT\System32\AVIFIL32.DLL 5.00.2134.1 Microsoft AVI File support library
faxshell.dll 70020000 20480 C:\WINNT\system32\faxshell.dll 5.00.2134.1 Fax Tiff Data Column Provider
ycomp5_3_12_0.dll 68000000 315392 C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll 2004, 1, 7, 1 Yahoo! Companion 5.3 for Internet Explorer
AcroIEHelper.ocx 2860000 32768 C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx 1, 0, 0, 1 AcroIEHelper Module
urlmon.dll 1a400000 458752 C:\WINNT\System32\urlmon.dll 5.00.3525.2300 OLE32 Extensions for Win32
mlang.dll 75d50000 532480 C:\WINNT\system32\mlang.dll 5.00.3315.3727 Multi Language Support DLL
mshtml.dll 63580000 2306048 C:\WINNT\System32\mshtml.dll 5.00.3526.800 Microsoft (R) HTML Viewer
MSLS31.DLL 75ac0000 163840 C:\WINNT\system32\MSLS31.DLL 3.10.337.0 Microsoft Line Services library file
webvw.dll 658f0000 1130496 C:\WINNT\System32\webvw.dll 5.00.2920.0000 Shell WebView Content & Control Library
imgutil.dll 6e490000 40960 C:\WINNT\system32\imgutil.dll 5.00.3502.5390 IE plugin image decoder support DLL
USP10.DLL 66650000 344064 C:\WINNT\system32\USP10.DLL 1.0325.2195.4506 Uniscribe Unicode script processor
msadp32.acm 75d40000 24576 C:\WINNT\system32\msadp32.acm 5.00.2134.1 Microsoft ADPCM CODEC for MSACM


----------



## StealthXterm (Jul 25, 2004)

I solved the problem 

There's a program called "AdwareAway" wich could be found at AdwareAway.com. The program has many Hijack, Trojan removers. The program helped me and Im free of ssearch.biz 

Sorry for the trouble you went through flrman1, and a big thanks for helping me.

Cheers to all


----------



## Flrman1 (Jul 26, 2002)

You're Welcome and I hope you are right about this program removing it. I do find it hard to believe that AdwareAway found and removed this when all the other programs that you have used didn't. I'm not very familiar with AdwareAway, but I have heard of it.

This file did show up in the pv log:

c:\winnt\system32\behknqtw.dll 

That is a known CWS hijack file. Will you see if that file is still there please?


----------



## StealthXterm (Jul 25, 2004)

Its still there... But I don't get ssearch.biz anymore, the back and forward in Internet Explorer works, and open in new window also works. There's an option on AdwareAway to delete certain objects, such as ssearch.biz, about:blank, coolsearch and so on.

I guess the other programs are not aware of this Hijack and they don't search for it. Here's a screenshoot, just out of curiosity


----------



## Flrman1 (Jul 26, 2002)

Go ahead and delete the c:\winnt\system32\behknqtw.dll file.

I will have to see what I can find out about AdwareAway. Did you buy it or is this a trial version?


----------



## StealthXterm (Jul 25, 2004)

It's a Trial version. Too bad you can use the Trial version for just 5 days.. If I get more trojan/virus/hijack atacks, I will buy it. For now, there is no point.

Anyway, I deleted the .dll file. Hope it works


----------



## Fernand ARN (Aug 11, 2004)

As far as the "ssearch.biz" re-direct is concerned I coincidentally found the following partial solution: I had the "Kill2me" program on my PC (downloaded from merijn.org if I rememeber correctly. Every time I open my PC (part of a network) my browser, selected on google, is automatically redrected to the nefarious "ssearch.biz". It appears that if I run the "kill2me" before browsing I can thwart the re-direct for as long as my pc is running. I can hop in an out of the web as often as I want. If I close or switch off my PC, I have to run "kill2me" again after switching on my PC later on.
It goes as follows: switch on PC, run "kill2me": it actually says there is no infection but I run the program anyway. Then it replies something like : if infection was present, it is removed. This ends the re-direct problem for as long as my PC is running.
I hope this at least partially solves your problem. Do not ask me why it works...


----------

