
OMFG This bar is doing my head in

  • 15-12-2004 3:29pm
    #1
    Registered Users, Registered Users 2 Posts: 1,059 ✭✭✭


    WTF?? this **** are getting better and better at installing crap onto your pc that you can't get rid of.

    Man I make it my mission to get rid of all the spyware and other crap that self-installs itself onto my pc. And I tend to be good at it but this, this was incredible. One min everything was fine, the next it has stuff on my desktop, favorites and that bloody bar was there and I could not get rid of it. Neither Adware nor my firewall detected it and I can't seem to find its source.

    Does anyone know what it is? and how to remove it??


Comments

  • Registered Users, Registered Users 2 Posts: 17,727 ✭✭✭✭Sherifu


    It's a new one to me.
    Update your spyware definition files and sweep again.


  • Registered Users, Registered Users 2 Posts: 1,059 ✭✭✭Dara Robinson


    Been there, done that and ... well, no T-shirts yet


  • Closed Accounts Posts: 3,733 ✭✭✭Blub2k4


    Anything strange under the registry run key?


  • Registered Users, Registered Users 2 Posts: 17,727 ✭✭✭✭Sherifu


    It's running in your processes.
    Find it there and kill it.
    Then edit run key or run msconfig and stop it from starting.


  • Registered Users, Registered Users 2 Posts: 4,698 ✭✭✭garthv


    Go to Start > Run > type "msconfig" and then go down to the Startup tab.
    There should be a list of all programs that start up with your PC there. Look for all the .exe files that you don't recognise (post up a few here if you're not too sure) and unclick them. This will stop the bar booting up with your system. And in future, lay off the pr0n my friend :p


  • Registered Users, Registered Users 2 Posts: 2,098 ✭✭✭aaf


    Try HijackThis. Should hopefully do the trick. I think that adware could be called MySearchBar but I'm not 100% sure. You should probably post your HijackThis log up here so as we can help.


  • Registered Users, Registered Users 2 Posts: 1,059 ✭✭✭Dara Robinson


    FordChin C:\Docume~1\Dara\Applic~1\DrawEggs\FordChin.exe
    Iso Okay C:\Docume~1\All Users\Applic~1\mess junk enc hole\Iso Okay.exe
    slam C:\temp\slam.exe (that's gone already)
    WinCtlAd C:\Program Files\Windows Control Aid\WinCtlAd.exe (also no longer there)


  • Registered Users, Registered Users 2 Posts: 1,059 ✭✭✭Dara Robinson


    aaf wrote:
    Try HijackThis. Should hopefully do the trick. I think that adware could be called MySearchBar but I'm not 100% sure. You should probably post your HijackThis log up here so as we can help.

    Will do, brb


  • Registered Users, Registered Users 2 Posts: 17,727 ✭✭✭✭Sherifu


    They all look suspicious


  • Registered Users, Registered Users 2 Posts: 1,059 ✭✭✭Dara Robinson


    Logfile of HijackThis v1.99.0
    Scan saved at 15:57:19, on 15/12/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Messenger Plus! 3\MsgPlus.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    c:\progra~1\intern~1\iexplore.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
    C:\DOCUME~1\Dara\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.roienhoyhhe.org/2jWtQEG4eacvPIMnoa5zJ8EBYlLqlPlEZnO5wML2uVb4RBjmsz9VZ0x0FoSbZgU9.htm
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: (no name) - {BC22DDDE-F17B-1396-B0D3-58D88A15CB83} - C:\DOCUME~1\Dara\APPLIC~1\SHIMLO~1\lite that.exe
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security Professional\UrlLstCk.exe
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
    O4 - HKCU\..\Run: [Ball slow] C:\DOCUME~1\Dara\APPLIC~1\DrawEggs\FordChin.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_03\bin\npjpi141_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_03\bin\npjpi141_03.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/GamesUnlimited/ie/bridge-c18.cab
    O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.spywarestormer.com/files2/Install.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1102774993170
    O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
    O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\AdvTools\NPROTECT.EXE
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


  • Closed Accounts Posts: 1,315 ✭✭✭Occidental


    Start-> Control Panel-> Add/Remove Programs
    and see if there is anything unusual there. Many of the newer browser hijackers will happily uninstall from here.


  • Registered Users, Registered Users 2 Posts: 1,059 ✭✭✭Dara Robinson


    Occidental wrote:
    Start-> Control Panel-> Add/Remove Programs
    and see if there is anything unusual there. Many of the newer browser hijackers will happily uninstall from here.

    Nothing unaccounted for. There was some stuff before but it's gone since yesterday


  • Registered Users, Registered Users 2 Posts: 4,698 ✭✭✭garthv


    aye them msconfig run files all look dodgy, so unclick and restart and see what happens


  • Registered Users, Registered Users 2 Posts: 1,059 ✭✭✭Dara Robinson


    wtf? how can u say that all my run files look dodgy?? what about the Symantec ones?? the ones that my firewall and anti-virus needs to run???


  • Closed Accounts Posts: 1,315 ✭✭✭Occidental


    Dara

    It's a LOP search bar.

    Look for a "Windows Search" program under Add/Remove and uninstall it


    If it's not listed in Add/Remove, run both these uninstallers:
    http://lop.com/new_uninstall.exe
    http://lop.com/toolbar_uninstall.exe


    Pat


  • Moderators, Arts Moderators Posts: 35,739 Mod ✭✭✭✭pickarooney


    They meant all these ones, surely:
    FordChin C:\Docume~1\Dara\Applic~1\DrawEggs\FordChin.exe
    Iso Okay C:\Docume~1\All Users\Applic~1\mess junk enc hole\Iso Okay.exe
    slam C:\temp\slam.exe (that's gone already)
    WinCtlAd C:\Program Files\Windows Control Aid\WinCtlAd.exe (also no longer there)


  • Registered Users, Registered Users 2 Posts: 919 ✭✭✭jbkenn


    You need to replace Ad-Aware 6 with Ad-Aware SE Personal
    Get Spybot Search and Destroy 1.3

    Use Firefox instead of IE

    kbkenn


  • Registered Users, Registered Users 2 Posts: 2,098 ✭✭✭aaf


    I would say you can safely get rid of:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.roienhoyhhe.org/2jWtQEG4...0x0FoSbZgU9.htm

    O2 - BHO: (no name) - {BC22DDDE-F17B-1396-B0D3-58D88A15CB83} - C:\DOCUME~1\Dara\APPLIC~1\SHIMLO~1\lite that.exe

    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"

    O4 - HKCU\..\Run: [Ball slow] C:\DOCUME~1\Dara\APPLIC~1\DrawEggs\FordChin.exe

    Not sure about the messenger one. I don't use messenger and make a point to delete it from fresh install of any OS. Here's how:
    1. Open a command prompt by clicking Start/Run, then typing "command" and clicking OK.
    2. Uninstall MSN Messenger by typing "rundll32 advpack.dll,LaunchINFSection %systemRoot%\INF\msmsgs.inf,BLC.Remove"
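
The manual review of the HijackThis log done in this thread can be roughed out in code. This is an added example, not part of any post and not HijackThis's own logic: the function name `triage` and its three heuristics (a file under Application Data or a temp folder, a BHO that is an .exe, a BHO with no class name) are assumptions chosen to match the entries singled out above, and the sample lines are copied from the log posted earlier.

```python
import re

# Lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {BC22DDDE-F17B-1396-B0D3-58D88A15CB83} - C:\DOCUME~1\Dara\APPLIC~1\SHIMLO~1\lite that.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Ball slow] C:\DOCUME~1\Dara\APPLIC~1\DrawEggs\FordChin.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_03\bin\npjpi141_03.dll
"""

# "O2 - ...", "O4 - ...", "R1 - ...": section code, then the entry body.
ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.*)$")
# First drive-letter path ending in .exe or .dll (may contain spaces).
PATH = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:exe|dll))', re.IGNORECASE)
# Application Data and temp folders, in long and 8.3 short-name form.
APPDATA_OR_TEMP = re.compile(
    r"\\(applic~1|application data|locals~1|temp)\\", re.IGNORECASE)


def triage(log_text):
    """Return [(section, path, reasons)] for entries that match a heuristic."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # header lines and the running-process list
        section, rest = m.groups()
        pm = PATH.search(rest)
        if not pm:
            continue  # e.g. R1 entries, which hold a URL rather than a file
        path = pm.group(1)
        reasons = []
        if APPDATA_OR_TEMP.search(path):
            reasons.append("runs from an Application Data or temp folder")
        if section == "O2" and path.lower().endswith(".exe"):
            reasons.append("BHO registered as .exe, not .dll")
        if section == "O2" and "(no name)" in rest:
            reasons.append("BHO has no class name")
        if reasons:
            findings.append((section, path, reasons))
    return findings


if __name__ == "__main__":
    for section, path, reasons in triage(SAMPLE_LOG):
        print(section, path, "->", "; ".join(reasons))
```

A hit is a prompt to look at the file, not a verdict: the Java `(no name)` button in O9 is left alone, and legitimate software sometimes installs under the user profile too.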


  • Registered Users, Registered Users 2 Posts: 1,059 ✭✭✭Dara Robinson


    Occidental and aaf. Not sure which one of your 2 solutions worked but thanks to both of you (and everyone that tried to help, don't feel left out ;))

    Everything seems to have gone.

    God I hate spyware


  • Registered Users, Registered Users 2 Posts: 2,098 ✭✭✭aaf


    No problem. Glad to be of service :D


  • Closed Accounts Posts: 141 ✭✭Invader Zim


    Spyware doesn't just get there by accident.

    In the vast majority of cases the user of the PC has to agree to install it when prompted by a website.

    In the very occasional use of an IE exploit to install spyware the user is still an idiot for using IE.

    Get Firefox/Mozilla/Kmelon/whatever, get Sygate Personal Firewall/Zonealarm.
    I haven't had a spyware infection in years and all I do is surf the net.

