Jump to content


Photo

thesearchmall.com toolbar


  • This topic is locked This topic is locked
4 replies to this topic

#1 rookie

rookie

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 05 June 2004 - 03:00 PM

I have a problem with an unwanted toolbar that recently appeared in my Internet Explorer 6 (with Windows XP) and it's called "TheSearchMall.com". Whenever I clicked on search in IE, it went to thesearchmall.com link. Also, TheSearchMall.com became my homepage and when browsing in IE certain words such as "spyware" are highlighted and when clicking on them they become hyper text links to searchmall.com.

First I followed the instructions "How to Disable Third-Party Tool Bands and Browser Helper Objects" and removed the toolbar. However, not surprisingly, when I rechecked the "enable third party browser extensions" box and restarted, the toolbar came back, along with the associated problems.

I ran Spyware Nuker which found nothing.

I ran AdAware which only found Alexa.

I ran Norton antivirus software which found nothing.

I ran HiJackThis and found eight lines referencing thesearchmall.com.

I read the FAQ for SWI forums.

I have pasted my HT logfile below. I assume that I should check the boxes in HT and run FixCheck for the eight items mentioning thesearchmall.com and the BHO with windec32.dll, but I don't know if anything else is relevant. I'm wondering what is O16 - DPF: {FE1A240F-B247-4E06-A600-30E28F5AF3A0} (iiittt Class) - file://C:\install.cab. This file appeared recently also.

Any help on eliminating this problem and any other spyware issues apparent from my logfile would be very much appreciated.

Logfile of HijackThis v1.97.7
Scan saved at 1:53:23 PM, on 6/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\System32\TFNF5.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Polaroid\iON PhotoBase\iON Monitor.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Microsoft Encarta\Encarta Reference Library 2004\EDICT.EXE
C:\toshiba\ivp\ism\ivpsvmgr.exe
C:\Program Files\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://thesearchmall.com/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://thesearchmall.com/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://thesearchmall.com/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://thesearchmall.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://thesearchmall.com/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://thesearchmall.com/index.php
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ohb - {18B79968-1A76-4953-9EBB-B651407F8998} - C:\WINDOWS\System32\windec32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: TheSearchMall.com Bar - {6EF3AE25-5A7D-40C2-9B44-9ED0068621C0} - C:\WINDOWS\System32\windec32.dll
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Polaroid iON PhotoBase .lnk = C:\Program Files\Polaroid\iON PhotoBase\iON Monitor.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O9 - Extra button: Researcher (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://www.nuker.com...erInstaller.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {50F65670-1729-11D2-A51F-0020AFE5D502} (ForumChat) - http://objects.compu...hat/RTCChat.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8000.3717476852
O16 - DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB} - http://download.micr...N-US/msorun.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {FE1A240F-B247-4E06-A600-30E28F5AF3A0} (iiittt Class) - file://C:\install.cab

#2 CRUZTAKER

CRUZTAKER

    "...feed your head"

  • Full Member
  • Pip
  • 15 posts

Posted 06 June 2004 - 09:58 AM

You're not alone Rookie, seems as though this one has just recently come out of the wood work since none of the traditional tools will remove it. There are 5 of us posting here now, and many more I know of suffering in my forum loop as well.

This should give the WIZARDS on this site something different and interesting to do. Maybe even a ....dare I say...challange? :lol:
MM.NET OHIO FORUM LEADER

#3 dave38

dave38

    Devout Murphyite!

  • Emeritus
  • PipPipPipPipPip
  • 8,508 posts

Posted 06 June 2004 - 06:06 PM

Have Hijack This fix all of the following by placing a check in the appropriate boxes and hitting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://thesearchmall.com/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://thesearchmall.com/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://thesearchmall.com/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://thesearchmall.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://thesearchmall.com/index.php

O2 - BHO: ohb - {18B79968-1A76-4953-9EBB-B651407F8998} - C:\WINDOWS\System32\windec32.dll

O3 - Toolbar: TheSearchMall.com Bar - {6EF3AE25-5A7D-40C2-9B44-9ED0068621C0} - C:\WINDOWS\System32\windec32.dll

O16 - DPF: {FE1A240F-B247-4E06-A600-30E28F5AF3A0} (iiittt Class) - file://C:\install.cab


Reboot after fixing

Please post a followup Hijack this log, and say if your problems persist.
Be wary of strong drink. It may make you shoot at tax collectors, and miss!
Please support SWI forum

#4 rookie

rookie

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 07 June 2004 - 08:26 AM

Dave38,
I ran HiJackThis and followed your instructions. Everything seems OK now and back to normal. It was good to have confirmation from an expert that this was the right thing to do. I still have two files named C:\install (dated 5/29/2004, one a cabinet file, the other an HTML document) which I believe were related to my problem but were not removed by HiJackThis. (See O16 - DPF: {FE1A240F-B247-4E06-A600-30E28F5AF3A0} (iiittt Class) - file://C:\install.cab). Do you agree that I should manually delete them now?

After fixing with HiJackThis and rebooting, I also updated my AdAware to the latest version and reran that - it found 22 I-Lookup Reg Keys and I had AdAware delete/quarantine them (when I ran AdAware on 6-4-04 it did not find any I-Lookup keys). Not sure what to make of that....

Also there is the option in Internet Options\Advanced\Browser to "Enable third-party browser extensions" - do you recommend keeping that box checked or unchecked? (when unchecked it did at least prevent thesearchmall.com toolbar from functioning)

Here is my last logfile:

Logfile of HijackThis v1.97.7
Scan saved at 6:04:20 AM, on 6/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\System32\TFNF5.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Polaroid\iON PhotoBase\iON Monitor.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Microsoft Encarta\Encarta Reference Library 2004\EDICT.EXE
C:\Program Files\HiJackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Polaroid iON PhotoBase .lnk = C:\Program Files\Polaroid\iON PhotoBase\iON Monitor.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O9 - Extra button: Researcher (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://www.nuker.com...erInstaller.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {50F65670-1729-11D2-A51F-0020AFE5D502} (ForumChat) - http://objects.compu...hat/RTCChat.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8000.3717476852
O16 - DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB} - http://download.micr...N-US/msorun.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab

#5 dave38

dave38

    Devout Murphyite!

  • Emeritus
  • PipPipPipPipPip
  • 8,508 posts

Posted 07 June 2004 - 02:26 PM

Yes, delete both the install files. Usually, Hijack this deletes these, but not always!

The "third party browser extensions" can be left unchecked, unless you find that the sites you visit do not display correctly. Things like the google toolbar would be disabled too.

The log you posted is clean. Happy surfing!

Glad we could help!

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
Be wary of strong drink. It may make you shoot at tax collectors, and miss!
Please support SWI forum




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button