Internet Explorer Search Assistant Hijack

  • Thread starter Alexander Thomas Byron

Alexander Thomas Byron

I use TeaTimer that came with Spybot: Search & Destroy and have
discovered that my Internet Explorer Search Assistant is being changed
at regular intervals to a different internet address every time. My
homepage, however, does not change. The following is my HijackThis
log:

Logfile of HijackThis v1.97.7
Scan saved at 9:31:59 PM, on 8/21/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Norton Internet Security\ccPxySvc.exe
D:\Program Files\Executive Software\DiskeeperLite\DKService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\InterVideo\FastTVSync\FastTVSync.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
D:\Program Files\Envy24\EnMixCPL.exe
D:\Program Files\FarStone\GameDrive\GDTask.exe
C:\WINDOWS\System32\taskswitch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Messenger Plus! 3\MsgPlus.exe
D:\Program Files\ATI Multimedia\main\ATIDtct.EXE
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
C:\WINDOWS\System32\ctfmon.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\InterVideo\WinDVD4PR\SchSvr.exe
C:\Program Files\Messenger\msmsgs.exe
D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
D:\Program Files\SECRETMAKER\secretmaker.exe
C:\WINDOWS\System32\wpabaln.exe
D:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\regedit.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe
E:\Downloads\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.sbwecfkutjrqojrcklrmms.c...lLv1RkvAslICH5/F6jORHM2KOpRtBjY4oVbnYSI0.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://windowsupdate.microsoft.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A491D208-B353-490F-B81A-A8A3DC97042D} - C:\WINDOWS\System32\smiehlp.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {F4B342B0-BC67-96E8-9597-24DBA32F926D} - C:\PROGRA~1\blehmath\City Third.exe
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [FastTVSync] "C:\Program Files\Common Files\InterVideo\FastTVSync\FastTVSync.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [EnvyHFCPL] D:\Program Files\Envy24\EnMixCPL.exe
O4 - HKLM\..\Run: [GameDrive] "D:\Program Files\FarStone\GameDrive\GDTask.exe" /AutoRestore
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MessengerPlus3] "D:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [Bolt boob] C:\PROGRA~1\Obj window setup\Nurb Loud Atom.exe
O4 - HKLM\..\Run: [shim live trust hide] C:\DOCUME~1\ALLUSE~1\Application Data\Spam Hold Shim Live\Memo ford.exe
O4 - HKCU\..\Run: [ATI DeviceDetect] D:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [AIM] D:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] D:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MessengerPlus3] "D:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: InterVideo Scheduler server.lnk = C:\Program Files\InterVideo\WinDVD4PR\SchSvr.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: SECRETMAKER.lnk = D:\Program Files\SECRETMAKER\secretmaker.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: ATI TV (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://K:\Resources\IntraLaunch.CAB
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

I also have two iexplore.exe programs running in my processes list in
the Task Manager that I cannot kill without them regenerating.

These are 12 of the internet addresses that my Search Assistant gets
changed to:

http://www.bxjiqseohbnnvmgew.com/CH...flLv1RkvAslICH5/F6jNgp12ziQGC5TY4oVbnYSI0.cgi
http://www.cctgicusimgim.com/CHSv/8v6QJydcZpOIc3g8J1flLv1RkvAslICH5/F6jMkUsRlWUsM_zY4oVbnYSI0.html
http://www.yxcqjjylsbylvaqdpgzwk.uk...lLv1RkvAslICH5/F6jMxVve2hjQmszY4oVbnYSI0.html
http://www.sbwecfkutjrqojrcklrmms.c...lLv1RkvAslICH5/F6jORHM2KOpRtBjY4oVbnYSI0.html
http://www.vagiwwpdvhjh.net/CHSv/8v6QJydcZpOIc3g8J1flLv1RkvAslICH5/F6jO_0TbNzT7qZTY4oVbnYSI0.php
http://www.uyzsgcswmcdwqgrdysprship...lLv1RkvAslICH5/F6jNfcFyex8HBCTY4oVbnYSI0.html
http://www.fnfklvioimohmoh.com/CHSv/8v6QJydcZpOIc3g8J1flLv1RkvAslICH5/F6jNXwEtFOUu3CTY4oVbnYSI0.cgi
http://www.dgkzxpagkedoa.net/CHSv/8v6QJydcZpOIc3g8J1flLv1RkvAslICH5/F6jPqOg0M9/KVpDY4oVbnYSI0.html
http://www.yaksqrkjbndamfzlslwjfan....lLv1RkvAslICH5/F6jN6JixplTZNwDY4oVbnYSI0.html
http://awkzuivabidhpdqgpvkqlkl.org/...lLv1RkvAslICH5/F6jNrrfifuLVDgjY4oVbnYSI0.html
http://www.fnqmqgwhpqrlyr.net/CHSv/8v6QJydcZpOIc3g8J1flLv1RkvAslICH5/F6jNp4g7UgAbGwDY4oVbnYSI0.html
http://www.zhxqpcesjfzkzdhrj.net/CH...lLv1RkvAslICH5/F6jNxG4ypk8NLIzY4oVbnYSI0.html

Here is my system information:

Microsoft Windows XP, Professional, Version 2002, Service Pack 1
Intel Pentium 4 2.40GHz
1.00 GB of RAM

What can I do?
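As an added defender's example (not code from the thread, the poster, or HijackThis), the following Python script parses lines in HijackThis log format and flags the three patterns visible in the log above: an R0/R1 URL whose host is not an expected Microsoft host, an O2 Browser Helper Object registered to a file that is not a DLL, and an O4 Run entry whose unquoted command path contains spaces. The sample lines are copied from the log in the post (with one Search Assistant address taken from the poster's list of twelve); the allow-list of expected hosts is an assumption for the example.

```python
import re
from urllib.parse import urlparse

# Hosts an unmodified IE Search Assistant / Windows Update setting is expected
# to point at. This allow-list is an assumption for the example, not a value
# taken from the thread; extend it for your environment.
EXPECTED_HOSTS = ("microsoft.com", "msn.com")

# Sample input, constructed for this example from lines in the log above
# (wrapped lines rejoined; the R0 address is one of the twelve the poster lists).
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.cctgicusimgim.com/CHSv/8v6QJydcZpOIc3g8J1flLv1RkvAslICH5/F6jMkUsRlWUsM_zY4oVbnYSI0.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://windowsupdate.microsoft.com/
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {F4B342B0-BC67-96E8-9597-24DBA32F926D} - C:\PROGRA~1\blehmath\City Third.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Bolt boob] C:\PROGRA~1\Obj window setup\Nurb Loud Atom.exe
"""

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")


def host_allowed(host, allowed=EXPECTED_HOSTS):
    """True if host is one of the allowed domains or a subdomain of one."""
    host = host.lower()
    return any(host == a or host.endswith("." + a) for a in allowed)


def check_r(body):
    """R0/R1: registry values holding URLs (start page, search assistant, ...)."""
    key, sep, value = body.partition("=")
    value = value.strip()
    if not sep or not value.lower().startswith("http"):
        return None
    host = urlparse(value).hostname or ""
    if host_allowed(host):
        return None
    setting = key.strip().rsplit(",", 1)[-1]
    return "%s points at unexpected host %s" % (setting, host)


def check_o2(body):
    """O2: Browser Helper Objects. A BHO is an in-process COM DLL, so a
    registration that names an .exe is worth a look."""
    path = body.split(" - ")[-1].strip()
    if path.lower().endswith(".dll"):
        return None
    return "BHO registered to a non-DLL file: %s" % path


def check_o4(body):
    """O4: Run keys. Flag unquoted command paths containing spaces for review
    (both the poster's odd entries and some legitimate software do this)."""
    m = re.search(r"\]\s*(.*)$", body)          # text after "[name]"
    if not m:
        return None                             # e.g. Global Startup .lnk lines
    cmd = m.group(1).strip()
    if cmd.startswith('"'):
        return None
    idx = cmd.lower().find(".exe")
    path = cmd if idx < 0 else cmd[: idx + 4]
    if " " in path:
        return "unquoted executable path containing spaces: %s" % path
    return None


CHECKS = {"R0": check_r, "R1": check_r, "O2": check_o2, "O4": check_o4}


def scan(log_text):
    """Return a list of findings: {'code', 'reason', 'line'} per flagged entry."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        check = CHECKS.get(m.group("code"))
        reason = check(m.group("body")) if check else None
        if reason:
            findings.append({"code": m.group("code"), "reason": reason, "line": line})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print("%s: %s" % (f["code"], f["reason"]))
```

The R0 check uses an allow-list rather than a block-list on purpose: the twelve addresses the poster lists are random letter strings that change on every rewrite, so matching known-bad hosts would never keep up, while "is this the host I expect?" catches every variant. The O4 check is a review aid, not a verdict: run over the full log above it would also flag the unquoted ATI DeviceDetect entry, which is legitimate software that simply omitted the quotes.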
 

PA Bear

We don't encourage folks to post HijackThis logs here, Alexander. Instead,
please post your files to http://forums.spywareinfo.com/ or
http://forum.aumha.org/viewforum.php?f=30 or another appropriate forum for
expert analysis.

Help with Hijackware
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/Darnit.htm

CoolWebSearch Chronicles
http://www.spywareinfo.com/~merijn/cwschronicles.html

Run these tools in the following order with nothing else running in
background:

1. CWShredder (fix all found)

2. Ad-Aware (fix all found)

3. Spybot (RTFM but generally fix everything in red)

Important: You *must* seek updates for Ad-Aware, Spybot, etc., before each
and every use, even "right out of the box". But even they can't catch
everything, 24/7. When all else fails, HijackThis
(http://www.spywareinfo.com/~merijn/files/HijackThis.exe) is the preferred
tool to use. It will help you to both identify and remove any
hijackware/spyware. **Post your files to http://forums.spywareinfo.com/ or
http://forum.aumha.org/viewforum.php?f=30 for expert analysis, not here.**

[Alternate download pages for many of the above tools may be found at
http://aumha.org/a/parasite.htm.]

Also:

1. Download and run Stinger (http://vil.nai.com/vil/stinger/); then...

2. Update your virus definitions, enable Show Hidden Files
(http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339)
and then run a full system scan in Safe Mode
(http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406)
with nothing else running in background. Note the files identified and
removed then find the corresponding page for the file at your AV maker's
online support pages (e.g.,
http://securityresponse.symantec.com/avcenter/venc/data/adware.winfavorites.html)
and follow all Removal steps.

WinXP Only (WinME similar): If this scan finds anything, create a new
Restore Point then Disk Cleanup > More options > Delete all but the most
recent Restore Point.

3. Check in at Windows Update.

So How Did I Get Infected Anyway?
http://boards.cexx.org/viewtopic.php?t=957

--
~Robear Dyer (PA Bear)
MS MVP-Windows (IE/OE), AH-VSOP

Are You Ready for WinXP SP2?
http://support.microsoft.com/default.aspx?pr=windowsxpsp2

What You Should Know About Spyware
http://www.microsoft.com/athome/security/spyware/devioussoftware.mspx

AumHa Forums
http://forum.aumha.org
