hijacked browser

Discussion in 'Computer Support' started by tired techie, Jun 2, 2004.

  1. tired techie

    tired techie Guest

    HELP! I have been trying to reclaim my machine for days. I can not get
    rid of websearch.com, which appears to take over my browser. Any
    proven suggestions are welcomed.

    Thanks.

    Logfile of HijackThis v1.97.7
    Scan saved at 7:20:18 AM, on 6/2/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\CISCOS~1\VPNCLI~1\cvpnd.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\PROGRA~1\Marimba\CASTAN~1\Tuner.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\WINDOWS\System32\GEARSEC.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Linksys\Wireless-G Notebook Adapter with
    SpeedBooster\NICServ.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Timbuktu Pro\tb2launch.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Common files\WinTools\WToolsS.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Timbuktu Pro\tb2pro.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\RightFAX\FaxCtrl.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\Program Files\Timbuktu Pro\tb2logon.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Home\Program Files\Programs\Roxio Easy CD Creator
    5\DirectCD\DirectCD.exe
    C:\Home\Program Files\Programs\iTunes\iTunesHelper.exe
    C:\Program Files\Common files\WinTools\WToolsA.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Home\Program Files\Programs\Spy Sweeper\SpySweeper.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Home\Program Files\Dell TrueMobile 1150\Client Manager\CmDEL.exe
    C:\Program Files\Common files\WinTools\WSup.exe
    C:\Program Files\Linksys\Wireless-G Notebook Adapter with
    SpeedBooster\OdHost.exe
    C:\Program Files\Linksys\Wireless-G Notebook Adapter with
    SpeedBooster\WPC54Cfg.exe
    C:\Program Files\Timbuktu Pro\TNOTIFY.EXE
    C:\Home\Program Files\Programs\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
    http://www.websearch.com/ie.aspx?tb_id=50032
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch
    =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant
    = http://www.websearch.com/ie.aspx?tb_id=50032
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant =
    http://www.websearch.com/ie.aspx?tb_id=50032
    R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183}
    - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
    O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} -
    C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
    Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common
    files\WinTools\WToolsA.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [SpySweeper] C:\Home\Program Files\Programs\Spy
    Sweeper\SpySweeper.exe /0
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX
    Control) - http://active.macromedia.com/director/cabs/sw.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} -
    http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
    http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37875.1648611111
     
    tired techie, Jun 2, 2004
    #1
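The log above is the kind of evidence the rest of the thread works from: the same CLSID shows up as both an R3 URLSearchHook and an O2 BHO, and every hijacked search value points at websearch.com. As an added example (not part of the original thread, and not a HijackThis feature), this Python script unwraps a wrapped HijackThis log, flags entries matching a list of indicators, and reports any CLSID that is registered under more than one section code. The indicator list and the excerpt of the log are constructed from the post above.

```python
import re

# Excerpt of the HijackThis v1.97.7 log from the post above, kept wrapped
# exactly as it appears on the page (constructed test input).
SAMPLE_LOG = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://www.websearch.com/ie.aspx?tb_id=50032
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch
=
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183}
- C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} -
C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common
files\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
"""

# Indicators taken from the thread: the hijack domain, the WinTools path
# component and the CLSID shared by the URLSearchHook and the BHO.
INDICATORS = ("websearch.com", "WinTools", "{87766247-311C-43B4-8499-3D5FEC94A183}")

ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")      # "R1 - ...", "O4 - ..."
CLSID_RE = re.compile(r"\{[0-9A-F-]{36}\}", re.I)   # {8-4-4-4-12}

def parse_hjt(text):
    """Return [(section_code, body)] with wrapped continuation lines re-joined."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append([m.group(1), m.group(2).strip()])
        elif entries and line.strip():
            # No section code: this is the tail of the previous wrapped entry.
            entries[-1][1] += " " + line.strip()
    return [(code, body) for code, body in entries]

def flag_entries(entries, indicators=INDICATORS):
    """Entries whose body contains any indicator (case-insensitive)."""
    hits = []
    for code, body in entries:
        matched = [i for i in indicators if i.lower() in body.lower()]
        if matched:
            hits.append((code, body, matched))
    return hits

def shared_clsids(entries):
    """CLSIDs registered under more than one section code (e.g. R3 and O2)."""
    seen = {}
    for code, body in entries:
        for clsid in CLSID_RE.findall(body):
            seen.setdefault(clsid.upper(), set()).add(code)
    return {c: codes for c, codes in seen.items() if len(codes) > 1}
```

Run it against the full log to get the list of entries worth fixing in HijackThis; a CLSID that appears under both R3 and O2 is the toolbar-plus-BHO pairing that keeps re-hijacking the search settings after a single key is deleted.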

  2. Brian

    Brian Guest

    Go into the registry (Start >> Run, type "regedit"), do a search for websearch and
    delete all keys found (this includes redoing the search process until
    nothing else is found).

    Brian
     
    Brian, Jun 2, 2004
    #2

  3. Brian

    Brian Guest

    Oh, from what I can see the key you need to delete is at
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main,Search Bar.
    Delete the entry in there. Still do the search though, because you never know
    what other crap they have hidden. Also search your hard drive for
    anything containing websearch and delete it.
     
    Brian, Jun 2, 2004
    #3
  4. Scott Freeman

    Adaware will remove all this...
     
    Scott Freeman, Jun 2, 2004
    #4
  5. Keith

    Keith Guest

    Your temporary solution is ad-aware. A permanent solution would be
    mozilla.org or opera.com web browsers. Using IE is like having sex
    with HIV positive male prostitutes. One day or another you will
    get infected no matter what you do.
     
    Keith, Jun 2, 2004
    #5
  6. Andy

    Andy Guest

    I do not think Ad Aware will remove it. Last week I got the same crap, called
    TheBikeBait. The only solution to get rid of that was "System Restore". If you
    did not know about TheBikeBait, it came with MSN 3 Plus. When you install
    MSN 3 Plus you need to check: I accept or I refuse. If you click I accept it
    means that you accept to install MSN Plus with a sponsored program. That
    program is TheBikeBait, which makes you a slave to watch anything on the
    internet that "they" want, not what you want.
     
    Andy, Jun 2, 2004
    #6
  7. °Mike°

    °Mike° Guest

    SpySweeper is a pile of crap that gives false
    positives. I would remove it and install
    SpyBot Search & Destroy and Ad-Aware,
    if I were you.

    Terminate the above processes.

    Have HijackThis fix the above.

    Have HijackThis fix the above

    Have HijackThis fix the above

    Have HijackThis fix the above

    Have HijackThis fix the above

    Have HijackThis fix the above.

    See my comment above about SpySweeper.
     
    °Mike°, Jun 2, 2004
    #7
  8. °Mike°

    °Mike° Guest

    Why do you insist on giving this BAD advice? This is
    precisely the kind of advice that Bullis gives. It should
    be ignored totally.
     
    °Mike°, Jun 2, 2004
    #8
  9. °Mike°

    °Mike° Guest

    On Wed, 2 Jun 2004 13:44:42 +0200, in
    <>
    Brian scrawled:

    You're a bloody menace!
     
    °Mike°, Jun 2, 2004
    #9
  10. ProfGene

    ProfGene Guest

    Download Opera with Java and use it instead of IE. Hijackers don't seem to
    bother with Opera and it is a good fast browser.
     
    ProfGene, Jun 2, 2004
    #10
  11. tired techie

    tired techie Guest

    I have not yet tried going with Opera.

    However, I have tried SpyBot S&D, Adaware and SpySweeper but am losing
    the battle.

    The WinTools crap cannot be deleted by anything I have tried.
    Something is locking it down or re-installing it every time.

    I am considering a reinstall of XP but am hoping someone can save me
    from that.

    Any proven suggestions?
     
    tired techie, Jun 3, 2004
    #11
  12. °Mike°

    °Mike° Guest

    On 2 Jun 2004 19:12:56 -0700, in
    <>
    tired techie scrawled:

    Have you read my response to you? Click here:
    <
     
    °Mike°, Jun 3, 2004
    #12
  13. tired techie

    tired techie Guest

    Mike,

    I read your response. I had already tried everything you suggested. I
    even re-ran all the programs. As I mentioned in my followup posting, I
    am unable to delete the WinTools program you said I should delete -
    something is locking it down.

    I need stronger medicine.

    Thanks.
     
    tired techie, Jun 3, 2004
    #13
  14. °Mike°

    °Mike° Guest

    Go through my recommendations again, thoroughly.
    Re-run HijackThis and re-post the NEW log file here.
     
    °Mike°, Jun 3, 2004
    #14
  15. tired techie

    tired techie Guest

    Victory, I think.

    In Control Panel > Add/Remove Programs I removed every game the kids
    had installed. Then, and only then, was I able to delete the WinTools
    program. WinTools even asks negative questions on the uninstall
    confirmation boxes, so that if you just hit OK, it is not removed.

    However, I was still getting browser windows popping up by themselves.
    Ad-aware could see the devil, but still couldn't remove it. It turns
    out that VX2.BetterInternet is really nasty to remove. Thanks to a
    thread at tek-tips.com
    (http://www.tek-tips.com/gviewthread.cfm/lev2/3/lev3/21/pid/760/qid/666236)
    I was able to download the Better Internet uninstaller
    (http://www.look2me.com/cgi-bin/UnInstaller) and fortunately it worked
    for me.

    My computer appears cured. Thanks to all for your useful suggestions
    and encouragement.

    Please pass on my discoveries to other fellows in need of strong
    medicine.

    - a very Tired Techie
     
    tired techie, Jun 4, 2004
    #15
  16. °Mike°

    °Mike° Guest

    On 4 Jun 2004 04:01:38 -0700, in
    <>
    tired techie scrawled:

    ANOTHER ActiveX control that you have to agree to a EULA
    for, THEN enter a serial into it, from a known scumware site,
    and that is tagged as NOT SAFE!

    No, thank you.
     
    °Mike°, Jun 5, 2004
    #16
  17. tired techie

    tired techie Guest

    Have I made my problems worse? Is there some doom looming for me?

    What alternatives exist? Is it too late?
     
    tired techie, Jun 6, 2004
    #17
  18. °Mike°

    °Mike° Guest

    I have no idea, but ask yourself these questions, bearing
    in mind that the very site you used this uninstaller from
    is a *known scumware site*, and was the very site that
    put the crap on your system in the first place:

    1. Why on earth would you have to agree to
    a EULA for an ActiveX uninstaller -- this is NOT
    some new 3D game, or expensive application
    that YOU have installed?

    2. Why on earth would you have to enter a
    serial number into an ActiveX uninstaller, BEFORE
    you can use it?

    3. Why does my system, on 'Default' settings, tell
    me that the ActiveX is unsafe, and that my security
    settings will not allow it?

    SOMETHING smells not right.
    Yes, use the method that I first gave. I don't
    believe there is any scumware that can't be
    removed by the combination of SpyBot S&D,
    CWShredder and HijackThis, no matter what
    you say.
     
    °Mike°, Jun 6, 2004
    #18
  19. David Johnson

    > However, I was still getting browser windows popping up by themselves.

    I have the same problem. After reading this I also resorted to using
    the 'uninstaller' apparently made by the spyware maker himself. After
    running it, the multi-named, almost-undeletable dll is still there but the
    pop-ups have been turned off, for now, according to the grace and
    good will of the spyware writer. Tried McAfee, SpyBot, SpySweeper,
    CWShredder (perhaps not updated), and Ad-aware, and none removed the
    dll, which renamed itself with every attempt. Someone else said he fixed it
    by erasing the offending dll using another PC on the network. I'll
    try that later. See
    http://groups.google.com/groups?selm=&output=gplain
     
    David Johnson, Jun 6, 2004
    #19
  20. David Johnson

    Correction: after running their own uninstaller, the offending dll
    allowed itself and its registry keys to be deleted by Ad-aware.
    Ad-aware and other products did not help me except to identify the
    problem. An alternative approach might have been this: since the
    dll may have been designed to respawn itself during logoff, I might
    have removed its corresponding registry keys, then performed a HARD
    power off (so the reg key wouldn't have a chance to be recreated), in
    order to guarantee the problem would not be there on the next boot-up. Not
    exactly professional.
     
    David Johnson, Jun 6, 2004
    #20