
IE hijacked - Help requested to clean

I have run CWShredder, then Adaware, then Spybot S&D (all updated today and re-run). Cleared many, many items this week. (Removed jsconsole.dll manually tonight before running CWShredder, Adaware, SBS&D, then HJT.)

Whenever IExplorer is started I still get a search bar at bottom of screen and immediately start getting pop-up ads. I have removed the following in "allow pop-up from" from the manage pop-up blocker menus but each time IE is restarted they reappear. They are:
look-today.com, lop.com, www.look-today.com & www.lop.com.
(lop is removed by SBS&D but reappears every time either Windows Explorer or IE is restarted).
search bar properties: search Now! http://look-today.com/passthrough/newpass2.html
search button properties: http://img.lop.com/images/newpass3/_search.gif

Any guidance/help greatly appreciated.

Attached is tonight's HJT log (first one)
Logfile of HijackThis v1.98.2
Scan saved at 11:15:19 PM, on 11/11/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\GWHotKey.exe
C:\WINNT\System32\hpha2mon.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb01.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ORiNOCO\Client Manager\CMLUC.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\progra~1\intern~1\iexplore.exe
C:\Documents and Settings\Harriett Lee Graham\My Documents\downloads\hjt\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.iquicksearch.net/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.pnotufvrcl.com/sI_cao42042ZgkeTSZlXmCtrgBE3rRBXRYqBbeOd4KzfsoCrUXL0_7g7KClumswU.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gatewaybiz.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D47184FC-A251-9B90-3C97-979B602E4012} - C:\DOCUME~1\HARRIE~1\APPLIC~1\RDRLIC~1\Bin 2.exe
O2 - BHO: (no name) - {F2B4283D-BE57-B09E-387F-2DF7D6E2D65E} - C:\DOCUME~1\HARRIE~1\APPLIC~1\RDRLIC~1\sectcoal.exe
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [HPHA2MON] C:\WINNT\System32\hpha2mon.exe
O4 - HKLM\..\Run: [hpfsched] C:\WINNT\hpfsched.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb01.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [FIRST OBJ LINK ERROR] C:\Documents and Settings\All Users\Application Data\drvmfcdfirstobj\link draw.exe
O4 - HKLM\..\Run: [AudioMfcdCakeThat] C:\Documents and Settings\All Users\Application Data\DrawMp3AudioMfcd\tonsmeet.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [download skip] C:\DOCUME~1\HARRIE~1\APPLIC~1\ANTIEX~1\more style deaf.exe
O4 - Global Startup: ORiNOCO Client Manager.lnk = ?
O8 - Extra context menu item: &Search with The Coolbar - res://C:\WINNT\Downloaded Program Files\CONFLICT.1\toolbar2.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binaries/IA/nethv32_EN_XP.cab
O16 - DPF: {92F02779-6D88-4958-8AD3-83C12A16ADC7} - file://C:\WINNT\system32\SearchBar\gngb4ng.exe

Thank you in advance
Chuck (CEG6667)

Comments

  • jared College Station, TX Icrontian
    edited November 2004
    Hmm, not too sure on this one, but you can delete these and see if this helps.


    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.iquicksearch.net/search.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.pnotufvrcl.com/sI_cao420...g7KClumswU.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gatewaybiz.com/
    O2 - BHO: (no name) - {D47184FC-A251-9B90-3C97-979B602E4012} - C:\DOCUME~1\HARRIE~1\APPLIC~1\RDRLIC~1\Bin 2.exe
    O2 - BHO: (no name) - {F2B4283D-BE57-B09E-387F-2DF7D6E2D65E} - C:\DOCUME~1\HARRIE~1\APPLIC~1\RDRLIC~1\sectcoal.exe
    O4 - HKLM\..\Run: [FIRST OBJ LINK ERROR] C:\Documents and Settings\All Users\Application Data\drvmfcdfirstobj\link draw.exe
    O4 - HKCU\..\Run: [download skip] C:\DOCUME~1\HARRIE~1\APPLIC~1\ANTIEX~1\more style deaf.exe
    O4 - Global Startup: ORiNOCO Client Manager.lnk = ?
    O8 - Extra context menu item: &Search with The Coolbar - res://C:\WINNT\Downloaded Program Files\CONFLICT.1\toolbar2.dll/SEARCH.HTML
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
    O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binari...thv32_EN_XP.cab
    O16 - DPF: {92F02779-6D88-4958-8AD3-83C12A16ADC7} - file://C:\WINNT\system32\SearchBar\gngb4ng.exe


    good luck man :cool:
  • edited November 2004
    Removed as suggested.... No luck... open IE to find the same search bar at bottom and pop-up from http://adserv1.gruvmedia.com...... every time I reboot, SBS&D finds c2.lop - user@ayb.lop.com.....so:
    I uninstalled Norton AV, then installed CA EZ Armor AV & FW ... found and cleaned Win32.TrojanDownloader.Swizer.br

    Noticed on boot FW asked about the following net accesses:
    xpsp_sp2_rtm.040803-2158 (Is this XP SP2 autoupdater?)
    alg.exe (What's this??)
    66.220.17.154 (When I go to this site with FireFox it is the "Search the Web" site that has hijacked my IE search)
    213.35.101.4 FTP (?? suspicious ?? FTP access on boot?)

    New HJT log attached
    Logfile of HijackThis v1.98.2
    Scan saved at 9:22:36 PM, on 11/13/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINNT\GWHotKey.exe
    C:\WINNT\System32\hpha2mon.exe
    C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb01.exe
    C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetTray.exe
    C:\PROGRA~1\CA\ETRUST~1\ETRUST~3\ca.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
    C:\WINNT\system32\ZoneLabs\vsmon.exe
    C:\Documents and Settings\Harriett Lee Graham\My Documents\downloads\hjt\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.qxxiyukycalrktsiomvkj.com/sI_cao42042ZgkeTSZlXmCtrgBE3rRBXRYqBbeOd4KzkUJ82GoTelLg7KClumswU.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
    O4 - HKLM\..\Run: [HPHA2MON] C:\WINNT\System32\hpha2mon.exe
    O4 - HKLM\..\Run: [hpfsched] C:\WINNT\hpfsched.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb01.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Anti-Spam\QSP-2.1.212.0\QOELoader.exe"
    O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetTray.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\CA\ETRUST~1\ETRUST~3\ca.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    Help much appreciated.
    Chuck (CEG6667)
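As an added example (not code from this thread or from HijackThis), here is a small Python triage helper for the two logs Chuck posted: it parses the R*/O* entry lines, flags the kinds of entries the replies singled out (a binary living under a profile's Application Data folder, a BHO registered to an .exe, an O16 DPF entry loading a local file, an R1 search setting pointed at an external URL), and diffs the first log against the second to list what the cleanup removed. The flag rules are heuristics of my own, and the embedded logs are a constructed subset of the ones above.

```python
import re
# Constructed subset of the two HijackThis logs posted in this thread (before and after cleanup).
LOG_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.iquicksearch.net/search.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {F2B4283D-BE57-B09E-387F-2DF7D6E2D65E} - C:\DOCUME~1\HARRIE~1\APPLIC~1\RDRLIC~1\sectcoal.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [download skip] C:\DOCUME~1\HARRIE~1\APPLIC~1\ANTIEX~1\more style deaf.exe
O16 - DPF: {92F02779-6D88-4958-8AD3-83C12A16ADC7} - file://C:\WINNT\system32\SearchBar\gngb4ng.exe
"""
LOG_AFTER = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
"""
ENTRY = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")   # header/process lines do not match
PATH = re.compile(r'[A-Za-z]:\\[^"]+?\.(?:exe|dll|cab)\b', re.I)
# A binary dropped under a user profile's (or All Users') Application Data folder.
APPDATA = re.compile(r"(?:DOCUME~1|Documents and Settings)\\[^\\]+\\(?:APPLIC~1|Application Data)\\", re.I)

def parse(log):
    """Return (section, body, path-or-None) for each R*/O* entry line of a HijackThis log."""
    out = []
    for line in log.strip().splitlines():
        m = ENTRY.match(line.strip())
        if m:
            p = PATH.search(m["body"])
            out.append((m["sec"], m["body"], p.group(0) if p else None))
    return out

def reasons(section, body, path):
    """Heuristic review flags (my own rules) modelled on the entries the helpers in this thread picked out."""
    r = []
    if path and APPDATA.search(path):
        r.append("binary under a profile Application Data folder")
    if section == "O2" and path and path.lower().endswith(".exe"):
        r.append("BHO registered to an .exe (BHOs are in-process DLLs)")
    if section == "O16" and body.lower().startswith("dpf:") and "file://" in body.lower():
        r.append("Downloaded Program Files entry loading a local file")
    if section == "R1" and re.search(r"(?:SearchURL|Search Bar) = http", body):
        r.append("search setting pointed at an external URL")
    return r

def triage(log):
    flagged = ((body, reasons(s, body, p)) for s, body, p in parse(log))
    return {body: r for body, r in flagged if r}   # unflagged entries are left out

def removed_between(before, after):
    """Entries present in the first log but absent from the second (what the cleanup took out)."""
    kept = {body for _, body, _ in parse(after)}
    return [body for _, body, _ in parse(before) if body not in kept]
```

Run `triage(LOG_BEFORE)` to see which of the original entries would have been queued for review, and `removed_between(LOG_BEFORE, LOG_AFTER)` to confirm they are the ones that disappeared from the second log.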
  • Crunchie Mandurah. Western Australia. Member
    edited November 2004
    First of all could you click Start>Settings>Control Panel>Add or Remove Programs and uninstall 'Window Search', 'Window Searching', 'Lop.com', 'LOP SEARCH', 'Browser Enhancer', or 'Ultimate Browser Enhancer' if listed. You may be given a code to insert, do so and reboot when done. If not listed there, run this uninstaller:
    http://members.rogers.com/rjmac/new_uninstall.exe

    Scan with hijackthis and tick the boxes next to all the following entries, then close all browser and explorer windows, and hit the "Fix checked" button.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.qxxiyukycalrktsiomvkj.co...g7KClumswU.html

    alg.exe=http://www.liutilities.com/products/wintaskspro/processlibrary/alg/index.html
  • edited November 2004
    ceg6667 wrote:
    Found none of the suspects under Start>Settings>Control Panel>Add or Remove Programs
    so downloaded & ran http://members.rogers.com/rjmac/new_uninstall.exe

    then scanned with HJT and "fixed" R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.qxxiyukycalrktsiomvkj.co...g7KClumswU.html

    rebooted --- opened IE , no look-today search bar or pop-up.... All seems clean, :D
    Thank you all...
    (PS thanks for the info on alg.exe, Also found the ftp was the autoupdater for EZArmor)

    On to the next machine, will be trying to clean ads234 hijack... must get the kid off the games long enough to fix... 12 yr. olds and gaming must attract this stuff like magnets....
    BTW: will be providing & teaching the parents to use Firefox going forward.
    Great Forum, Thanks again :thumbsup:
  • Crunchie Mandurah. Western Australia. Member
    edited November 2004
    You're welcome :).