Cannnot Run Search Engines From User Account

[DCO]

Please help solve apparent hijack problem. From my XP user account,
IE6 runs fine. But from other accounts, when I try to run search
engine (MSN, Google, Altavista), nothing happens. (Actually, the
search appears to hang the page.) I can load the engine's page
(either by URL or by IP address), but I get no search results.

I have already tried numerous solutions. I have cleared the cache and
temp files. I have reduced security settings. I have reset Web
Settings. I have run AV checks. I have had ComputerCops check my
HijackThis Log. I have replaced the Hosts file. I have even used
registry to transfer my IE settings to one of the other accounts (I
restored system when that did not solve the problem). None of these
things has had any impact on the problem.

Because the symptoms sound similar to qhost trojan, I ran a scan just
for that: it's not the problem.

I hope one of the knowledgable people here can suggest another
solution?

Thank you,
David

 

[Mike Burgess]

DCO,
You have to run Ad-Aware or SpyBot on *each* account.
Then run HijackThis for each account and go from there ...

Dealing with Unwanted Malware, Parasites, Toolbars and Search Engines
http://mvps.org/winhelp2002/unwanted.htm
____________________________________________________________
Mike Burgess [MVP Windows Shell\User] http://www.mvps.org/winhelp2002/
Blocking Spyware, Adware, Parasites, Hijackers, Trojans, with a HOSTS file
http://www.mvps.org/winhelp2002/hosts.htm [updated 03-02-04]
Please post replies to this Newsgroup, email address is invalid

 

[DCO]

Good suggestion, Mike, and thanks for the input, but I'd already done
that. Didn't think to mention it in original post. I also posted
HijackThis logs from each account at ComputerCops, so the experts
there could compare.

Other thoughts?

David

Those logs, BTW, are:

HijackThis log of affected account:

Logfile of HijackThis v1.97.7
Scan saved at 6:55:40 AM, on 3/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\wfxsnt40.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
E:\MS Office\OFFICE11\ONENOTEM.EXE
E:\Mavis Beacon\MiniMavis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\MalWare Tools\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
E:\WINDOWS\System32\blank.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} -
c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} -
C:\PROGRA~1\STARDO~1\SDIEInt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -
c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program
Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [hpinstantsupport] "E:\Program
Files\Hewlett-Packard\hpis\bin\matcliwrapper.exe" "E:\Program
Files\Hewlett-Packard\hpis\" -boot
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HPDJ Taskbar Utility]
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
/STARTUP
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common
Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD
Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD
Creator 6\AudioCentral\RxMon.exe"
O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe"
/background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common
Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Free WebSite Tools.lnk = ?
O4 - Global Startup: Microsoft Office Fast Start.lnk = E:\MS
Office\Office\FASTBOOT.EXE
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk =
E:\MS Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: MiniMavis.lnk = E:\Mavis Beacon\MiniMavis.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk =
E:\Quicken\bagent.exe
O9 - Extra button: ATI TV (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Add to FireViewer Conduit (HKLM)
O9 - Extra 'Tools' menuitem: Add to FireViewer Conduit (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: symsupportutil -
https://www-secure.symantec.com/techsupp/activedata/symsupportutil.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) -
http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {058025FC-4416-436B-ACFD-03E6224C901C} (FileInfo Class) -
http://diagnostics.support.hp.com/motivedocs/ces/aw/ipgaxctrl.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX
Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class)
- http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) -
http://simcity.ea.com/update/EARTPX.cab
O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class)
- http://content.ancestry.com/asfiles/files/install/MFImgVwr.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} -
http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller
Class) - http://h30155.www3.hp.com/ediags/gs/install/guidedsolutions.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37859.3754282407
O16 - DPF: {A42889C5-62E1-419A-90C2-C9E958D69990} (Genline Family
Finder Component) - http://www.genline.com/GFFControl.cab
O16 - DPF: {BC18E6DF-BE57-4580-93E8-F228F9A133AA}
(MaxisSimCity4LotTeleX Control) -
http://simcity.ea.com/exchange/lots/teleport/MaxisSimCity4LotTeleX.cab
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD}
(MaxisSimCity4PatcherX Control) -
http://simcity.ea.com/updater//MaxisSimCity4PatcherX.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash
Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D3D83E08-54D1-4E9D-8EAF-9F979D139294}
(MaxisSimCityScapeTeleX Control) -
http://simcity.ea.com/scape/teleport/MaxisSimCityScapeTeleX.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj
Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?312


MY user account, which works fine:

Logfile of HijackThis v1.97.7
Scan saved at 7:29:09 AM, on 3/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\wfxsnt40.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
E:\Mavis Beacon\MiniMavis.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
E:\Rainlendar\Rainlendar.exe
F:\Sysmetrix\SysMetrix.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Outlook Express\msimn.exe
E:\Handspring\HOTSYNC.EXE
E:\MalWare Tools\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://members.efn.org/~dolsson/ourfamily.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program
Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} -
c:\program
files\google\googletoolbar1.dll
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} -
C:\PROGRA~1\STARDO~1\SDIEInt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -
c:\program
files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program
Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [hpinstantsupport] "E:\Program
Files\Hewlett-Packard\hpis\bin\matcliwrapper.exe" "E:\Program
Files\Hewlett-Packard\hpis\" -boot
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HPDJ Taskbar Utility]
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
/STARTUP
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common
Files\Roxio
Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD
Creator
6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD
Creator 6\AudioCentral\RxMon.exe"
O4 - HKCU\..\Run: [STYLEXP] C:\Program
Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: HotSync Manager.lnk = E:\Handspring\HOTSYNC.EXE
O4 - Startup: Memorex Autorun.lnk = D:\autorun.exe
O4 - Startup: Rainlendar.lnk = E:\Rainlendar\Rainlendar.exe
O4 - Startup: SysMetrix.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common
Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Free WebSite Tools.lnk = ?
O4 - Global Startup: Microsoft Office Fast Start.lnk = E:\MS
Office\Office\FASTBOOT.EXE
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk =
E:\MS
Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: MiniMavis.lnk = E:\Mavis Beacon\MiniMavis.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk =
E:\Quicken\bagent.exe
O8 - Extra context menu item: &Google Search - res://c:\program
files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program
files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page -
res://c:\program
files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download with Star Downloader -
C:\Program
Files\Star Downloader\sdie.htm
O8 - Extra context menu item: Si&milar Pages - res://c:\program
files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English -
res://c:\program
files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Translate Page -
res://e:\windows\GoogleToolbar_en_2.0.95-big.dll/cmtrans.html
O9 - Extra button: ATI TV (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Add to FireViewer Conduit (HKLM)
O9 - Extra 'Tools' menuitem: Add to FireViewer Conduit (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: symsupportutil -
https://www-secure.symantec.com/techsupp/activedata/symsupportutil.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) -
http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {058025FC-4416-436B-ACFD-03E6224C901C} (FileInfo Class) -
http://diagnostics.support.hp.com/motivedocs/ces/aw/ipgaxctrl.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX
Control) -
http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class)
-
http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) -
http://simcity.ea.com/update/EARTPX.cab
O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class)
-
http://content.ancestry.com/asfiles/files/install/MFImgVwr.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} -
http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller
Class) - http://h30155.www3.hp.com/ediags/gs/install/guidedsolutions.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37859.3754282407
O16 - DPF: {A42889C5-62E1-419A-90C2-C9E958D69990} (Genline Family
Finder
Component) - http://www.genline.com/GFFControl.cab
O16 - DPF: {BC18E6DF-BE57-4580-93E8-F228F9A133AA}
(MaxisSimCity4LotTeleX
Control) -
http://simcity.ea.com/exchange/lots/teleport/MaxisSimCity4LotTeleX.cab
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD}
(MaxisSimCity4PatcherX
Control) - http://simcity.ea.com/updater//MaxisSimCity4PatcherX.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash
Object) -
http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D3D83E08-54D1-4E9D-8EAF-9F979D139294}
(MaxisSimCityScapeTeleX
Control) - http://simcity.ea.com/scape/teleport/MaxisSimCityScapeTeleX.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj
Class) -
http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?312