xtc

Help! ShopNav problem. Log Included.

8 posts in this topic

Looks like I have the ShopNav parasite.

 

I have SpywareGuard and it's telling me that my Homepage has been changed to http://websearch.drsnsrch.com/sidesearch.cgi?id=

 

To try to get rid of this, I have used miniremoval coolwebsearch smartkiller, CWShredder, Spybot, Adaware and I always have SpywareGuard and SpywareBlaster on for protection.

 

My last hope is that someone can tell me what to do with my HijackThis log. So here it is. Thank you!

 

 

Logfile of HijackThis v1.97.7

Scan saved at 11:33:33 PM, on 6/14/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Total Recorder\TotRecSched.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Norton Anti-Virus 2004\Norton AntiVirus 2004 Pro\navapsvc.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Norton Anti-Virus 2004\Norton AntiVirus 2004 Pro\SAVScan.exe

C:\Program Files\Adobe\Acrobat 6.0\Distillr\AcroTray.exe

C:\Program Files\Adware & Spyware Removal Programs\Spyware Guard\SpywareGuard\sgmain.exe

C:\Program Files\Adware & Spyware Removal Programs\Spyware Guard\SpywareGuard\sgbhp.exe

C:\Program Files\Sonique\sqstart.exe

C:\Program Files\Adware & Spyware Removal Programs\Ads Gone\AdsGone\adsgone.exe

C:\Program Files\Adware & Spyware Removal Programs\Hijack This application\HijackThis.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tigerdirect.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=

O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll

O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\Adware & Spyware Removal Programs\Spyware Guard\SpywareGuard\dlprotect.dll

O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Anti-Virus 2004\Norton AntiVirus 2004 Pro\NavShExt.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Anti-Virus 2004\Norton AntiVirus 2004 Pro\NavShExt.dll

O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [Tech-In-A-Box] C:\techbox\techbox.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe

O4 - HKLM\..\Run: [TotalRecorderScheduler] C:\Program Files\Total Recorder\TotRecSched.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

O4 - HKLM\..\RunOnce: [spyBotSnD] "C:\Program Files\Adware & Spyware Removal Programs\Spybot\Spybot - Search & Destroy\SpybotSD.exe" /autocheck

O4 - Startup: SpywareGuard.lnk = C:\Program Files\Adware & Spyware Removal Programs\Spyware Guard\SpywareGuard\sgmain.exe

O4 - Global Startup: AdsGone 2004.lnk = C:\Program Files\Adware & Spyware Removal Programs\Ads Gone\AdsGone\adsgone.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Add to Restricted Zone (HKLM)

O9 - Extra 'Tools' menuitem: Add to R&estricted Zone (HKLM)

O9 - Extra button: Add to Trusted Zone (HKLM)

O9 - Extra 'Tools' menuitem: Add to Tr&usted Zone (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O15 - Trusted Zone: http://www.99x.com

O15 - Trusted Zone: http://www.ah-me.com

O15 - Trusted Zone: http://www.allposters.com

O15 - Trusted Zone: http://www.amazon.com

O15 - Trusted Zone: www.howardstern.com

O15 - Trusted Zone: http://click.linksynergy.com

O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200...taller.exe

O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/sh...wflash.cab


Hi,

First thing to do is ...

 

Reconfigure Windows Explorer to show Hidden Files:

Open the Windows Explorer Folder Options - View [tab]:

 

Scroll down to the "Files and Folders" section.

Select: "Display the contents of system folders".

 

Scroll down to the "Hidden Files and Folders" section.

Select: "Show hidden files and folders", Ok the prompt

Uncheck: "Hide file extensions for known file types"

Uncheck: "Hide protected operating system files" Ok the Prompt, click Apply

 

Click the "Apply to all Folders" button. Close Windows Explorer.

 

Next:

 

Close all open windows except for HijackThis, then place a check in each of the following:

Then click "Fix checked".

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=

O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll

O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll

O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

 

Did you add these to the "Trusted Zone"? If not remove these also ...

 

O15 - Trusted Zone: http://www.99x.com

O15 - Trusted Zone: http://www.ah-me.com

O15 - Trusted Zone: http://www.allposters.com

O15 - Trusted Zone: http://www.amazon.com

O15 - Trusted Zone: www.howardstern.com

O15 - Trusted Zone: http://click.linksynergy.com

 

Then reboot, on restart, restart in Safe Mode (see "How To" below)

 

Start | Run (type) "%temp%" (no quotes)

Completely delete the entire contents of that "temp" folder.

 

Open Windows Explorer locate and delete the following:

 

C:\WINDOWS\twaintec.dll <--this file

C:\WINDOWS\twaintec.ini <--this file

C:\WINDOWS\systb.dll <--this file

 

Restart normally and then ...

 

Reconfigure Ad-Aware for Full Scan:

Please update the reference file following the instructions here:

http://www.lavahelp.com/howto/updref/index.html

 

Launch the program, and click on the Gear at the top of the start screen.

 

Click the "Scanning" button.

Under Drives & Folders, select "Scan within Archives".

Click "Click here to select Drives + folders" and select your installed hard drives.

 

Under Memory & Registry, select all options.

Click the "Advanced" button.

Under "Log-file detail", select all options.

Click the "Tweaks" button.

 

Under "Scanning Engine", select the following:

"Include additional Ad-aware settings in logfile" and

"Unload recognized processes during scanning."

Under "Cleaning Engine", select the following:

"Let Windows remove files in use after reboot."

Click on 'Proceed' to save these Preferences.

Please make sure that you activate IN-DEPTH scanning before you proceed.

 

After the above, reboot, rescan with HijackThis and post a fresh log ...


Thank you very much. OK, I did everything you said, and yes, those sites are ones that I personally put in the trusted zone.

 

The only thing I couldn't do was delete C:\WINDOWS\systb.dll which you mentioned. This file was not in my Windows folder, but C:\WINDOWS\systb.exe was. Should I delete that instead? Please let me know. Other than that I did everything you said and here is my new log.

 

 

 

Logfile of HijackThis v1.97.7

Scan saved at 7:11:36 AM, on 6/16/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\Explorer.EXE

C:\techbox\techbox.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Total Recorder\TotRecSched.exe

C:\Program Files\Adware & Spyware Removal Programs\Ads Gone\AdsGone\adsgone.exe

C:\Program Files\Adware & Spyware Removal Programs\Spyware Guard\SpywareGuard\sgmain.exe

C:\Program Files\Adware & Spyware Removal Programs\Spyware Guard\SpywareGuard\sgbhp.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Norton Anti-Virus 2004\Norton AntiVirus 2004 Pro\navapsvc.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Norton Anti-Virus 2004\Norton AntiVirus 2004 Pro\SAVScan.exe

C:\Program Files\Adware & Spyware Removal Programs\Hijack This application\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tigerdirect.com/

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\Adware & Spyware Removal Programs\Spyware Guard\SpywareGuard\dlprotect.dll

O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Anti-Virus 2004\Norton AntiVirus 2004 Pro\NavShExt.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Anti-Virus 2004\Norton AntiVirus 2004 Pro\NavShExt.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [Tech-In-A-Box] C:\techbox\techbox.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe

O4 - HKLM\..\Run: [TotalRecorderScheduler] C:\Program Files\Total Recorder\TotRecSched.exe

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - Startup: SpywareGuard.lnk = C:\Program Files\Adware & Spyware Removal Programs\Spyware Guard\SpywareGuard\sgmain.exe

O4 - Global Startup: AdsGone 2004.lnk = C:\Program Files\Adware & Spyware Removal Programs\Ads Gone\AdsGone\adsgone.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Add to Restricted Zone (HKLM)

O9 - Extra 'Tools' menuitem: Add to R&estricted Zone (HKLM)

O9 - Extra button: Add to Trusted Zone (HKLM)

O9 - Extra 'Tools' menuitem: Add to Tr&usted Zone (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O15 - Trusted Zone: http://www.99x.com

O15 - Trusted Zone: http://www.ah-me.com

O15 - Trusted Zone: http://www.allposters.com

O15 - Trusted Zone: http://www.amazon.com

O15 - Trusted Zone: www.howardstern.com

O15 - Trusted Zone: http://click.linksynergy.com

O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200404...meInstaller.exe

O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab


Hi,

Your log looks clean now ... good job!

 

However I see you have one or more items disabled via Msconfig. If this was one of the items you were troubleshooting you need to place a check in that item and reboot. Note: HijackThis can not "see" disabled items. If this is not the case then ignore.

 

Should I delete that instead?

Yes ...

 

Last Step:

 

"Flush System Restore" (see "How To" below)

Basically turn off System Restore, reboot, run a full (updated) NAV scan, reboot and turn System Restore back on and create a new Restore Point.

 

How to configure Norton AntiVirus to scan all files

 

I would suggest adding some "Defense" to your system ...

See section: How To: Prevent this from happening again?

http://www.mvps.org/winhelp2002/unwanted.htm :wave:
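Added example (not part of the original posts, and not HijackThis's own code): a Python check of the before/after comparison made in this thread. It confirms that the entries checked for fixing are gone from the follow-up scan, lists entries that are new, and flags the MSConfig `/auto` Run entry that signals disabled startup items. The log text is a shortened excerpt of the two logs above, and the function names are illustrative.

```python
import re

# HijackThis entry lines start with a section code (R0, R1, O2, O15, ...) then " - ".
ENTRY_RE = re.compile(r"^([RNFO]\d{1,2}) - (.+)$")

def parse_entries(log_text):
    """Return the set of (code, detail) entries; headers and process paths are skipped."""
    entries = set()
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.add((m.group(1), m.group(2).strip()))
    return entries

def still_present(fix_list, after_log):
    """Entries that were checked for fixing but survive in the follow-up scan."""
    return sorted(parse_entries(fix_list) & parse_entries(after_log))

def new_entries(before_log, after_log):
    """Entries that appear only in the follow-up scan and deserve a second look."""
    return sorted(parse_entries(after_log) - parse_entries(before_log))

def msconfig_selective_startup(log_text):
    """True if a Run entry launches MSConfig.exe /auto (startup items are disabled)."""
    return any(code == "O4" and "msconfig.exe /auto" in detail.lower()
               for code, detail in parse_entries(log_text))

# Excerpts copied from the two logs in this thread (shortened, not the full scans).
FIX_LIST = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
"""
KEPT = r"""
Running processes:
C:\WINDOWS\Explorer.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
O4 - HKLM\..\Run: [Tech-In-A-Box] C:\techbox\techbox.exe
"""
BEFORE = FIX_LIST + KEPT
AFTER = KEPT + r"""
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
"""

if __name__ == "__main__":
    print("not removed:", still_present(FIX_LIST, AFTER))
    print("new since first scan:", new_entries(BEFORE, AFTER))
    print("startup items disabled via MSConfig:", msconfig_selective_startup(AFTER))
```

An empty "not removed" list only shows that the registry entries are gone; entries disabled through MSConfig do not appear in the scan at all, which is why the flag is reported separately.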


Thanks for all this. I really appreciate it. Just one question. You told me to do this earlier:

 

Scroll down to the "Hidden Files and Folders" section.

Select: "Show hidden files and folders", Ok the prompt

Uncheck: "Hide file extensions for known file types"

Uncheck: "Hide protected operating system files" Ok the Prompt, click Apply

Click the "Apply to all Folders" button. Close Windows Explorer.

 

Can I bring it back to the way it was before? All those hidden files that are visible now are really annoying. Please let me know. Thanks.


Hi,

Can I bring it back to the way it was before?

Yes, just reverse the procedure ...... :wave:
