0

I have a search bar in the left part of Internet Explorer every time I start new IE after rebooting the system.:evil: I uncheck it from the options menu but when I reboot and start Internet Explorer anew - the damn search bar appears again! How to get rid of it once and for all!!?

Thanks!:evil: :evil:

3
Contributors
10
Replies
11
Views
13 Years
Discussion Span
Last Post by Artemi
0

That domain is associated with the CoolWebSearch malware (and perhaps others).

Please check out the information in the links given in caperjacks' sig: Read the documentation on the recommended removal tools, download them, install them, and run them. Also read through previous posts in our Security forum for more background and helpful information on these types of intrusive programs and ways to remove them.

If you have any questions or problems when/after trying the removal tools, let us know and we'll take it from there.


Since this is a spyware/malware issue, fasten your seatbelts- we're moving this thread to the Security forum in T minus 3 seconds...

:D

0

Thanks!

I have already tried Spybot and while it has eliminated all other annoying things like the pop-up windows (When U Search popup and others) this search bar problem still remains. :mad: :mad: ;)

And the problem with saving html pages on hard disc mentioned elsewhere...:sad:

0

Download 'Hijack This!'. http://www.computercops.biz/downloads-file-328.html
Unzip (extract) it to a folder of its own. Like C:\HJT\hijackthis.exe ,Then Doubleclick HijackThis.exe (in the new folder), and hit "Scan".
When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, then Ctrl-A to Select All, and copy its contents here. for hijackthis,most of what it lists will be harmless or even essential, don't fix anything yet.

0

Thanks! Will try it and tell you about the results:surprised :confused:

0

Ok! Here are the results.


Logfile of HijackThis v1.97.7
Scan saved at 20:21:35, on 01.05.2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\DrWeb for Windows\spidernt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\SahAgent.exe
C:\WINDOWS\TimeSynchronize.exe
C:\Program Files\ClearSearch\Loader.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\dhsvr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\totalcmd\TOTALCMD.EXE
C:\Program Files\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.znext.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.znext.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.znext.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.znext.com/ie/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.eem.hotbox.ru/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.znext.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.znext.com/ie/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.znext.com/ie/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.znext.com/ie/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.znext.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchwww.com/search.cgi?s=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Сылки
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://shell.windows.com/fileassoc/fileassoc.asp?LangID=0419&Ext=pf
R3 - URLSearchHook: (no name) - _{341FB59F-3507-443b-8147-423B4E3B2B15} - (no file)
N1 - Netscape 4: user_pref("browser.startup.homepage", "www.eem.hotbox.ru"); (C:\Program Files\Netscape\Users\default\prefs.js)
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\Program Files\ClearSearch\CSIE.DLL
O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - C:\Program Files\Lycos\Sidesearch\sidesearch1400.dll (file missing)
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - (no file)
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: (no name) - {702AD576-FDDB-4d0f-9811-A43252064684} - C:\Program Files\Common Files\OE\toolbar.dll
O2 - BHO: (no name) - {D48F2E28-68E2-4920-9848-D6E6C7AB3EB7} - C:\Program Files\Common Files\OE\redirector.dll
O2 - BHO: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\WINDOWS\dealhlpr.dll
O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem214.dll (file missing)
O3 - Toolbar: &адио - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Band Class - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\WINDOWS\dealhlpr.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SystemSearch] C:/WINDOWS/REGEDIT.EXE -s C:/WINDOWS/system.reg
O4 - HKLM\..\Run: [System Service] C:\WINDOWS\System32\msrexe.exe
O4 - HKLM\..\Run: [xkfwybj] rundll32 C:\WINDOWS\System32\xkfwybj.dll,Init 1
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
O4 - HKLM\..\Run: [SAHAgent] C:\WINDOWS\System32\SahAgent.exe
O4 - HKLM\..\Run: [TimeSyncApp] C:\WINDOWS\TimeSynchronize.exe
O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\RunOnce: [*xkfwybj] rundll32 C:\WINDOWS\System32\xkfwybj.dll,Init 1
O8 - Extra context menu item: &кпорт в Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Sidesearch (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.bitstream.com/wfplayer/tdserver.cab
O16 - DPF: {086A694F-91FB-4068-B44C-124FB69BF05D} - http://www.searchwww.com/search.cab
O16 - DPF: {11111111-1111-1111-1111-111300000000} - mhtml:C:\\NO_SUCH_MHT.MHT!http://63.215.149.59/go.exe
O16 - DPF: {486E48B5-ABF2-42BB-A327-2679DF3FB822} - http://akamai.downloadv3.com/binaries/IA/ia_XP.cab
O16 - DPF: {92F02779-6D88-4958-8AD3-83C12A86ADC7} - file://C:\WINDOWS\system32\SearchBar\zpprf1sh.exe
O16 - DPF: {92F02779-6D88-4958-8AD3-83C12D86ADC7} - file://C:\WINDOWS\system32\SearchBar\toolbar.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37827.0934606481
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D7B3E460-9968-4191-BD6F-BEED1BC18482} (Loader Class) - http://www.orbitexplorer.com/OELoader.cab
O16 - DPF: {E2F2B9D0-96B9-4B25-B90C-636ECB207D18} - http://www.whenusearch.com/WUInstSEWC.cab
O16 - DPF: {E8EDB60C-951E-4130-93DC-FAF1AD25F8E7} - http://xbs.climaxbucks.com/mt/dialers/fc/UniDist.CAB

0

Hi Artemi,

I'm not as much of an expert on spyware as some of our other members, but these are the problems I see right off the bat:


R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.znext.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.znext.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.znext.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.znext.com/ie/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.eem.hotbox.ru/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.znext.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.znext.com/ie/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.znext.com/ie/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.znext.com/ie/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.znext.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchwww.com/search.cgi?s=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Сылки
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://shell.windows.com/fileassoc/fileassoc.asp?LangID=0419&Ext=pf
R3 - URLSearchHook: (no name) - _{341FB59F-3507-443b-8147-423B4E3B2B15} - (no file)
N1 - Netscape 4: user_pref("browser.startup.homepage", "www.eem.hotbox.ru"); (C:\Program Files\Netscape\Users\default\prefs.js)
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\Program Files\ClearSearch\CSIE.DLL
O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - C:\Program Files\Lycos\Sidesearch\sidesearch1400.dll (file missing)
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - (no file)
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: (no name) - {702AD576-FDDB-4d0f-9811-A43252064684} - C:\Program Files\Common Files\OE\toolbar.dll
O2 - BHO: (no name) - {D48F2E28-68E2-4920-9848-D6E6C7AB3EB7} - C:\Program Files\Common Files\OE\redirector.dll
O2 - BHO: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\WINDOWS\dealhlpr.dll
O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem214.dll (file missing)
O3 - Toolbar: &*адио - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Band Class - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\WINDOWS\dealhlpr.dll
O4 - HKLM\..\Run: [SystemSearch] C:/WINDOWS/REGEDIT.EXE -s C:/WINDOWS/system.reg
O4 - HKLM\..\Run: [System Service] C:\WINDOWS\System32\msrexe.exe
O4 - HKLM\..\Run: [xkfwybj] rundll32 C:\WINDOWS\System32\xkfwybj.dll,Init 1
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
O4 - HKLM\..\RunOnce: [*xkfwybj] rundll32 C:\WINDOWS\System32\xkfwybj.dll,Init 1
O9 - Extra button: Sidesearch (HKLM)
O9 - Extra button: Related (HKLM)
O16 - DPF: {086A694F-91FB-4068-B44C-124FB69BF05D} - http://www.searchwww.com/search.cab
O16 - DPF: {11111111-1111-1111-1111-111300000000} - mhtml:C:\\NO_SUCH_MHT.MHT!http://63.215.149.59/go.exe
O16 - DPF: {486E48B5-ABF2-42BB-A327-2679DF3FB822} - http://akamai.downloadv3.com/binaries/IA/ia_XP.cab
O16 - DPF: {92F02779-6D88-4958-8AD3-83C12A86ADC7} - file://C:\WINDOWS\system32\SearchBar\zpprf1sh.exe
O16 - DPF: {92F02779-6D88-4958-8AD3-83C12D86ADC7} - file://C:\WINDOWS\system32\SearchBar\toolbar.cab
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
O16 - DPF: {D7B3E460-9968-4191-BD6F-BEED1BC18482} (Loader Class) - http://www.orbitexplorer.com/OELoader.cab
O16 - DPF: {E2F2B9D0-96B9-4B25-B90C-636ECB207D18} - http://www.whenusearch.com/WUInstSEWC.cab
O16 - DPF: {E8EDB60C-951E-4130-93DC-FAF1AD25F8E7} - http://xbs.climaxbucks.com/mt/dialers/fc/UniDist.CAB

Check the boxes for the above entries and have HJT fix them.
Once you've fixed the items I listed above, restart your machine, do another HJT scan, and post the new results.

0

first i would run adaware and swshredder to clean up most of it the post a new log and cleanup the rest ..Cwshreddr first !!


Please Download CWShredder from HERE and run the Program in safe mode . Press the "Fix Button" Let it fix all variants. Next, Close the program and all windows and IE windows and run hijackthis and Post a Fresh log.

Reboot to SAFE mode to run swshredder

How to start computer in safe mode

Then adaware

Download the latest version of Ad-Aware at ADAWARE

Download SPYBOT

How to setup ad-Aware and spyBot
http://www.zerosrealm.com/scanning.php

And after that, please do the following:

reboot computer and post a new hijackthis log

0

Here's what left after using the Shredder and Spybot (the Adware doesn't seem to work on my PC - it hangs during the process of scanning)

Logfile of HijackThis v1.97.7
Scan saved at 13:32:24, on 02.05.2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\DrWeb for Windows\spidernt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\TimeSynchronize.exe
C:\Program Files\ClearSearch\Loader.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\totalcmd\TOTALCMD.EXE
C:\Program Files\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.eem.hotbox.ru/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchwww.com/search.cgi?s=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Сылки
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://shell.windows.com/fileassoc/fileassoc.asp?LangID=0419&Ext=pf
R3 - URLSearchHook: (no name) - _{341FB59F-3507-443b-8147-423B4E3B2B15} - (no file)
N1 - Netscape 4: user_pref("browser.startup.homepage", "www.eem.hotbox.ru"); (C:\Program Files\Netscape\Users\default\prefs.js)
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\Program Files\ClearSearch\CSIE.DLL
O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - C:\Program Files\Lycos\Sidesearch\sidesearch1400.dll (file missing)
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - (no file)
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: (no name) - {702AD576-FDDB-4d0f-9811-A43252064684} - C:\Program Files\Common Files\OE\toolbar.dll
O2 - BHO: (no name) - {D48F2E28-68E2-4920-9848-D6E6C7AB3EB7} - C:\Program Files\Common Files\OE\redirector.dll
O2 - BHO: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\WINDOWS\dealhlpr.dll
O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem214.dll (file missing)
O3 - Toolbar: &адио - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Band Class - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\WINDOWS\dealhlpr.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [System Service] C:\WINDOWS\System32\msrexe.exe
O4 - HKLM\..\Run: [xkfwybj] rundll32 C:\WINDOWS\System32\xkfwybj.dll,Init 1
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
O4 - HKLM\..\Run: [SAHAgent] C:\WINDOWS\System32\SahAgent.exe
O4 - HKLM\..\Run: [TimeSyncApp] C:\WINDOWS\TimeSynchronize.exe
O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\RunOnce: [*xkfwybj] rundll32 C:\WINDOWS\System32\xkfwybj.dll,Init 1
O8 - Extra context menu item: &кпорт в Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Sidesearch (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.bitstream.com/wfplayer/tdserver.cab
O16 - DPF: {086A694F-91FB-4068-B44C-124FB69BF05D} - http://www.searchwww.com/search.cab
O16 - DPF: {11111111-1111-1111-1111-111300000000} - mhtml:C:\\NO_SUCH_MHT.MHT!http://63.215.149.59/go.exe
O16 - DPF: {486E48B5-ABF2-42BB-A327-2679DF3FB822} - http://akamai.downloadv3.com/binaries/IA/ia_XP.cab
O16 - DPF: {92F02779-6D88-4958-8AD3-83C12A86ADC7} - file://C:\WINDOWS\system32\SearchBar\zpprf1sh.exe
O16 - DPF: {92F02779-6D88-4958-8AD3-83C12D86ADC7} - file://C:\WINDOWS\system32\SearchBar\toolbar.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37827.0934606481
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D7B3E460-9968-4191-BD6F-BEED1BC18482} (Loader Class) - http://www.orbitexplorer.com/OELoader.cab
O16 - DPF: {E2F2B9D0-96B9-4B25-B90C-636ECB207D18} - http://www.whenusearch.com/WUInstSEWC.cab
O16 - DPF: {E8EDB60C-951E-4130-93DC-FAF1AD25F8E7} - http://xbs.climaxbucks.com/mt/dialers/fc/UniDist.CAB

:eek: :eek: :eek:

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.