Spurious URLs being inserted into IE "Back" list

  • Thread starter Frank D. Nicodem, Jr.

Frank D. Nicodem, Jr.

I've been having a problem lately with spurious URLs being added to my
"Back" list, as I browse from page to page. I may be viewing page "A", but
when I click on a link to page "B", and then look at my "Back" list (by
clicking the down-arrow to the right of the "Back" button), I can see one,
two, three or more URLs that have been placed *in between* where I currently
am, and the original page "A".

In virtually every case, these spurious URLs point to either atdmt.com or
doubleclick.net -- or some variant of those domains. The result is that
when I try to use the "Back" button to return to the page I was reading
(page "A", in my example), I have to cycle through one or more intermediate
pages, before I can get back there. (And sometimes, even cycling back
through these spurious URLs will cause *other* URLs to be inserted into the
list. At this point, the only way I can return to where I want to go is to
use the drop-down "Back" list, and skip over the intermediate URLs. This,
however, is more tedious, and completely invalidates the use of the "Back"
button itself.)

I am *extremely* careful about viruses, trojans, spyware, adware, and other
malware on my system. If anything, I am *overly* cautious about running
virus checkers, spyware detection and removal tools, and other system
security and maintenance applications. I am running Windows XP Home
Edition, SP2, with all security turned on. Along with a *highly* customized
HOSTS file (listing literally thousands of domain names to ignore), the good
news is that I don't *see* these intermediate sites. However, it's still a
pain to try and use my IE browser. And above all, I don't know where they
are coming from.

My first concern is to find out if there is ANYTHING on my own system -- any
trojan or spyware or anything else -- that could be inserting these spurious
URLs; or is it a feature of the Web sites I am visiting? (It does seem to
be more predominant at some sites than at others. My default portal, for
example, is probably the worst of the worst cases. I have a Dell Inspiron
9200, and my default home page is the dellnet.msn.com page.) Could *that*
be causing problems? And why does it happen in *some* other places... but
not others???

Of course, the key question is: What can I do to stop this kind of
activity?? How do I get IE to completely ignore references to these URLs --
or to requests to have them inserted into the "Back" list -- and keep that
list clean enough to be able to successfully use the "Back" button again???
 

Jim Byrd

Hi Frank - "I am extremely careful about viruses, trojans, spyware, adware,
and other
malware on my system."

That may be true, but you also have a malware problem. :) See my Blog,
link in Signature below, for some basic removal steps and preventive
measures that you can take.
 

Frank D. Nicodem, Jr.

Jim Byrd said:
Hi Frank - "I am extremely careful about viruses, trojans, spyware,
adware,
and other
malware on my system."

That may be true, but you also have a malware problem. :) See my Blog,
link in Signature below, for some basic removal steps and preventive
measures that you can take.

Thanks for the pointer. I'm going through it now -- although there's a LOT
to read. Perhaps you can help me "zone in" a little more quickly on where I
can focus my attention, if I give you a little more detail about what I mean
by being "extremely careful".

I run the Trend Micro PC-Cillin Security Suite -- not because I dislike
Norton or McAfee, but because it's consistently rated as the best and most
secure available. (I also have the Windows XP firewall enabled -- for
whatever that's worth.) My security settings are fairly high -- higher than
"default", but not set to the max (simply because that basically disables
many things I want/need to do). I run a HOSTS Manager utility that
constantly monitors my HOSTS file -- and that file is already about 300KB,
listing virtually every domain known to be a "problem".

I run Spybot Search & Destroy, along with its TeaTimer application, not only
to find/fix malware, but also to monitor my Registry (and prevent
unanticipated changes). I also run Ad-Aware regularly. However, once
again, since I know that even these two only catch about 30% of the
"baddies" (based on several independent studies), I really rely more on
Sunbelt CounterSpy (and, alternately, Microsoft Anti-Spyware, which is
basically the same program -- using the Giant anti-spyware engine). And I
also use SpywareBlaster to "set my defenses" regularly, so to speak.

All of the above utilities are monitored regularly for updates (and I mean
"regularly" -- in the case of my Trend Micro suite, it updates every 3
hours). You could probably say that I'm paranoid about the security of my
system. But I know the dangers, and try to avoid them as much as possible.

For a time, I was even running Zone Alarm Pro (which I rate quite highly),
but it became too much -- I was getting conflicts between the "security"
apps that were too much to live with, and I let Zone Alarm go. I also
periodically run one or more of the online scanners -- although I know
they're not quite as robust. I've also tried PestPatrol, and a few other
similar utilities.

So, given the above... where do I look first? Can I "focus in" a bit on
what I should be looking for?

Oh, and one final question: if it really *is* some malware on MY system,
why does the problem (i.e., the insertion of "malware" URLs into my
browser's "Back" list) only seem to occur when I'm navigating some Web
sites, and not others?

Thanks in advance for any hints.
 

Gary Smith

Frank D. Nicodem said:
I run the Trend Micro PC-Cillin Security Suite -- not because I dislike
Norton or McAfee, but because it's consistently rated as the best and most
secure available. (I also have the Windows XP firewall enabled -- for
whatever that's worth.) My security settings are fairly high -- higher than
"default", but not set to the max (simply because that basically disables
many things I want/need to do). I run a HOSTS Manager utility that
constantly monitors my HOSTS file -- and that file is already about 300KB,
listing virtually every domain known to be a "problem".

Does it happen when you go to http://www.jsifaq.com/reghack.htm, click on
"Recent tips", and then click the Back button? Is ad.doubleclick.net in
your HOSTS file? I seem to recall seeing similar symptoms under those
conditions.
 

Jim Byrd

Hi Frank -

1. Install all Critical updates from Windows Update.
Download and run Sysclean and Stinger as described in the Blog using a
Clean Boot.
Run AdAware and SpyBot UPDATED as described in the Blog using a Clean
Boot.

2. Install any of the preventive measures mentioned at the end of that
Blog - IESpyAd, SpywareGuard, SpywareBlaster et al - that you don't already
have installed. You might want to consider the cookie approach I outlined
in the Blog, but as a minimum set up your cookies to block Third Party
cookies.

3. Also, you don't appear from your report to have adequate HOSTS file
protection. From Blocking Unwanted Parasites with a Hosts File,
http://www.mvps.org/winhelp2002/hosts.htm :

"Locking the HOSTS File

There are many of these hijackers that add their own entries to your HOSTS
file. This is commonly known as redirects. To add a level of protection you
might want to consider making your HOSTS file "read only". You can download
a small batch file to accomplish this:

lockhost.bat http://www.mvps.org/winhelp2002/lockhost.bat
unlockhost.bat http://www.mvps.org/winhelp2002/unlockhost.bat (XP\2K)

LockHostsME.bat http://www.mvps.org/winhelp2002/LockHostsME.bat
UnlockHostME.bat http://www.mvps.org/winhelp2002/UnlockHostME.bat (98\ME)

To use: place the appropriate files in your Windows folder, create a
shortcut to each."


Even better locking than just "Read Only" can be achieved using the locking
function in ZoneAlarm.


4. Then start here:

Download HijackThis, free, here:

http://209.133.47.200/~merijn/files/HijackThis.exe (Always download a new
fresh copy of HijackThis [and CWShredder also] - It's UPDATED frequently.)

You may also get it here if that link is blocked:
http://www.majorgeeks.com/downloadget.php?id=3155&file=3&evp=3304750663b552982a8baee6434cfc13

or here: http://www.bleepingcomputer.com/files/spyware/hijackthis.zip

or here: http://thespykiller.co.uk/files/HJTsetup.exe

There's a good "How-to-Use" tutorial here:
http://computercops.biz/HijackThis.html

In Windows Explorer, click on Tools|Folder Options|View and check "Show
hidden files and folders" and uncheck "Hide protected operating system
files". (You may want to restore these when you're all finished with
HijackThis.)

Place HijackThis.exe or unzip HijackThis.zip into its own dedicated folder
at the root level such as C:\HijackThis (NOT in a Temp folder or on your
Desktop), reboot to Safe mode or a Clean Boot, start HT (have ONLY HT
running - IE MUST be
closed) then press Scan. Click on SaveLog when it's finished which will
create hijackthis.log. Now click the Config button, then Misc Tools and
click on Generate StartupList.log which will create Startuplist.txt.

Then go to one of the following forums:

Spyware and Hijackware Removal Support, here:
http://216.180.233.162/~swicom/forums/

or Net-Integration here:
http://www.net-integration.net/cgi-...86d536d57b5f65b6e40c55365e;act=ST;f=27;t=6949

or Tom Coyote here: http://forums.tomcoyote.org/index.php?act=idx

or Jim Eshelman's site here: http://forum.aumha.org/

or Bleepingcomputer here: http://www.bleepingcomputer.com/


Register if necessary, then sign in and READ THE DIRECTIONS at the beginning
of the particular site's HijackThis forum, then copy and paste both files
into a message asking for assistance. Someone will answer with detailed
instructions for the removal of your parasite(s). Be sure you include at
the beginning of your post "What problem(s) you're trying to solve" and
"What steps you've already taken."
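Jim's point 3 is about two different HOSTS-file risks: coverage (are the ad domains actually sunk?) and tampering (has something added a redirect?). The script below is an added example for this thread, not code from the posters, from the MVPS HOSTS project or from any HOSTS manager utility. It parses a HOSTS file, reports which of a list of ad domains are sunk to a blackhole address, flags any name that is mapped to a real address (the hijacker pattern the quoted blog text warns about), and lists duplicate lines. SAMPLE_HOSTS is a constructed excerpt: the bank redirect and the duplicate line are invented to exercise the checks, and AD_DOMAINS is an assumption taken from the domains named in the thread.

```python
"""Audit a Windows HOSTS file: ad-network coverage, hijacker-style redirects,
and duplicate lines.

Added example for this thread; not code from the posters, from the MVPS HOSTS
project or from any HOSTS manager utility. SAMPLE_HOSTS is constructed (the
bank redirect and the duplicate line are invented to exercise the checks) and
AD_DOMAINS is an assumption based on the domains named in the thread.
"""
import ipaddress
from typing import Dict, List, Tuple

# Addresses that only sink a name. 127.0.0.1 is the classic choice; 0.0.0.0 is
# the alternative many blocking lists use because nothing ever listens there.
BLACKHOLE = {"0.0.0.0", "127.0.0.1", "::1", "::"}

AD_DOMAINS = ["doubleclick.net", "atdmt.com", "ads.x10.com"]  # assumption

SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         ad.doubleclick.net
0.0.0.0         ad.doubleclick.net          # duplicate line
0.0.0.0         m.doubleclick.net  ad.doubleclick.net.example
127.0.0.1       view.atdmt.com
127.0.0.1       ads.x10.com
203.0.113.7     www.example-bank.com        # not a sink address: a redirect
::1             localhost
"""

Entry = Tuple[int, str, str]  # (line number, address, hostname)


def parse_hosts(text: str) -> List[Entry]:
    """One tuple per hostname; comments and malformed lines are skipped."""
    entries: List[Entry] = []
    for no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # a stricter audit would report the malformed line
        for name in fields[1:]:
            entries.append((no, fields[0], name.lower()))
    return entries


def coverage(entries: List[Entry], domains: List[str]) -> Dict[str, List[str]]:
    """For each domain, the sunk hostnames that are that domain or a subdomain.
    The suffix check is on a label boundary, so 'x.doubleclick.net.example'
    does not count as covered."""
    result: Dict[str, List[str]] = {}
    for d in domains:
        d = d.lower()
        result[d] = sorted({n for _, ip, n in entries
                            if ip in BLACKHOLE and (n == d or n.endswith("." + d))})
    return result


def redirects(entries: List[Entry]) -> List[Entry]:
    """Names mapped to a real address: the pattern a hijacker uses to send a
    legitimate site somewhere else. Everything sunk to a blackhole is ignored."""
    return [e for e in entries if e[1] not in BLACKHOLE]


def duplicates(entries: List[Entry]) -> List[Tuple[str, str, int, int]]:
    """(name, address, first line, repeated line) for identical mappings.
    The IPv4 and IPv6 localhost lines are different mappings, not duplicates."""
    first: Dict[Tuple[str, str], int] = {}
    dups = []
    for no, ip, name in entries:
        key = (ip, name)
        if key in first:
            dups.append((name, ip, first[key], no))
        else:
            first[key] = no
    return dups


def audit(text: str, domains: List[str] = AD_DOMAINS) -> Dict[str, object]:
    entries = parse_hosts(text)
    return {"entries": len(entries), "coverage": coverage(entries, domains),
            "redirects": redirects(entries), "duplicates": duplicates(entries)}


if __name__ == "__main__":
    # On a Windows box, read %SystemRoot%\System32\drivers\etc\hosts instead.
    for k, v in audit(SAMPLE_HOSTS).items():
        print(f"{k}: {v}")
```

A read-only attribute (the lockhost.bat approach) stops casual overwrites, but a process running with administrative rights can clear the attribute and rewrite the file, so an audit like this is a useful second check after any cleanup. Treat anything in the redirects list as a question to answer, not automatically as malware: a few vendors legitimately pin their own update hosts in HOSTS.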
 

Frank D. Nicodem, Jr.

Gary Smith said:
Does it happen when you go to http://www.jsifaq.com/reghack.htm, click on
"Recent tips", and then click the Back button? Is ad.doubleclick.net in
your HOSTS file? I seem to recall seeing similar symptoms under those
conditions.

Yes, in fact it does. In that simple circumstance, I went to the URL you
mentioned, clicked on "Recent tips", and immediately my "Back" queue had a
URL inserted into it named:

ad.doubleclick.net/ad/msft.spon

Here's a related question: Is it possible that MY "security" software -- in
attempting to intercept and eliminate some of these malware URLs -- is
actually *causing* them to go into the "Back" queue?
 

Frank D. Nicodem, Jr.

First of all, Jim, thanks for your patience, and your detailed reply. I'm
in the process of going through it now, and thought I'd respond with some
comments and (where appropriate) the results of my actions.
1. Install all Critical updates from Windows Update.

Good suggestion always. And I should have mentioned that I am extremely
careful about things like this. I have my system set to automatically
gather and install all updates, yet I still manually check periodically.
(Like I said, I'm paranoid!) So I'm pretty confident that my system is "up
to patch" at virtually any point in time. (In addition to the standard
Windows application to check for updates, my Trend Micro Security Suite does
the same thing -- checks for Windows Updates for me.)
Download and run Sysclean

Of course, since I use the Trend Micro Security Suite 2005, I am
implementing that on a regular basis. What *did* help was the comment on
the Trend Micro Web site (where Sysclean is available for non-Trend Micro
users) that I should change my automatic and manual scans to *not* use the
"Recommended" processing, but always specify "Clean" first and "Quarantine"
second. I did change my settings to match that. (I had purposely left them
set to "Recommended", because I do have some things that sometimes "appear"
to a malware removal tool as "malware", when in reality they are not, and
it's a pain to have to "unquarantine" them all the time. But I'll try going
with the more aggressive settings and see what happens.) In any case, doing
a Manual Scan of my entire system found nothing.
and Stinger as described in the Blog using a
Clean Boot.

Didn't have Stinger, but I did pick up a copy, and have run it across my
entire system. (I ran into the file re-naming problem you mention, but I
picked up s-t-i-n-g-e-r.exe. Glad to see that McAfee is keeping one step
ahead of Sober!) Stinger found nothing.
Run AdAware and SpyBot UPDATED as described in the Blog using a Clean
Boot.

As I mentioned, I already have the latest updates of both of those
applications, and run them regularly. As a side note to others reading this
thread, though, I have found that neither of those is very aggressive, in
terms of catching everything. I particularly use SpyBot for the TeaTimer
application (i.e., protecting my Registry and other system settings). But I
typically count on my other spyware applications to do the harder work
(e.g., PestPatrol, Webroot SpySweeper, but mostly Sunbelt CounterSpy -- the
spyware tool with the highest ranking in several different independent
studies).
2. Install any of the preventive measures mentioned at the end of that
Blog - IESpyAd, SpywareGuard, SpywareBlaster et al - that you don't
already
have installed. You might want to consider the cookie approach I outlined
in the Blog, but as a minimum set up your cookies to block Third Party
cookies.

The aforementioned CounterSpy does quite a nice job on cookies. It not only
catches the "standard" ones (e.g., new.new, com.com, etc.), but many other
lesser-known ones, as well.
3. Also, you don't appear from your report to have adequate HOSTS file
protection. From Blocking Unwanted Parasites with a Hosts File,
http://www.mvps.org/winhelp2002/hosts.htm :

Not sure exactly what you mean here. I do run SpywareBlaster, to enable
protection on most of the "known" malware domains. And I run several HOSTS
manager programs that constantly update the HOSTS file.
There are many of these hijackers that add their own entries to your HOSTS
file. This is commonly know as redirects. To add a level of protection you
might want to consider making your HOSTS file "read only".

I always keep the HOSTS file locked. And to give you an idea of how
"all-encompassing" this file is, my current HOSTS file is almost 7200 lines
long!!! And both of the domains that are showing up in my browser "Back"
queue (doubleclick.net and atdmt.com) have multiple entries, to catch all of
the "versions" of their domain names. (I should add that this DOES appear
to be working. What I didn't mention in my original problem description is
that when these spurious URLs *do* get added into my browser's "Back" queue,
they never get seen. In other words, when I *do* click on the "Back"
button, "nothing happens". Except that the top URL gets "popped" off of the
queue. So if I click the "Back" button again, I go back to where I should
have the first time. And if there were *three* spurious URLs inserted, the
first three times I click the "Back" button, "nothing happens"; but then the
next time I click it, I get back to where I thought I should have.

So that seems to indicate to me that the HOSTS file *is* intercepting those
domain names, and redirecting them to 127.0.0.1 (my local system) correctly
(i.e., "ignoring" them). But my question is regarding how to KEEP THEM OUT
of the queue, not how to NOT process them.
========================================================================
OK, so up to this point, I think I'm pretty much "up to date" on everything
you've mentioned so far. So let's continue...
4. Then start here:

Download HijackThis, free, here:

http://209.133.47.200/~merijn/files/HijackThis.exe (Always download a new
fresh copy of HijackThis [and CWShredder also] - It's UPDATED frequently.)

I forgot to mention -- among all of the other things I listed that I do for
the sake of my system's security -- that I also have CWShredder, and
HiJackThis. However, I typically only use those as a "last resort". Well,
not the CWShredder -- I *have* found good uses for that in the past. But of
course the thing about HijackThis is that it doesn't really help *my
system*, but simply gives me tons and tons of information that "might" be of
some help, if I can find the proper place to post it.
Then go to one of the following forums:

Thanks for the list of forums -- that should be helpful. OK, so this may
have become my "last resort". I guess if there's nothing else to do, and
nowhere else to look, I suppose that I should go the "HijackThis" route.
Thanks for all of the pointers, and the links to the HijackThis forums.
I'll try that, and see where it gets me.

Thanks again for your help.
 

Jim Byrd

Hi Frank - That may well apply. Add IESpyAd as I previously recommended,
and if that doesn't fix it, then manually add any listed ad sites from the
dropdown to the Restricted Zone as Martin has advised on Frank's page.
 

Frank D. Nicodem, Jr.

Jim Byrd said:
Download HijackThis, free, here:
You may also get it here if that link is blocked:
http://www.majorgeeks.com/downloadget.php?id=3155&file=3&evp=3304750663b552982a8baee6434cfc13

Thanks for the additional comments, BTW. I'll look at IESpyAd; it's about
the only one I *haven't* run.

In any case, I did run a current copy of HijackThis, and I was actually
surprised at how "clean" my system really is. Before posting it on any of
the HijackThis forums, I thought I'd pass it by here, just for any
additional comments. Let me know if you see anything "suspect"; right now,
I don't.
-----------------------------------------------------
Frank Nicodem
(e-mail address removed)



Logfile of HijackThis v1.99.1
Scan saved at 11:03:48 AM, on 5/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\HijackThis 1.99.0001.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://bfc.myway.com/search/de_srchlft.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page =
http://www.dell.com
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no
file)
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} -
F:\Applications\Graphics\SnagIt 7\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
E:\Program Files\Adobe Acrobat 7\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
F:\APPLIC~1\Security\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} -
C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} -
F:\Utilities\Program Files\RoboForm\RoboForm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} -
c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} -
F:\UTILIT~1\PROGRA~1\STARDO~1\SDIEInt.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program
files\google\googletoolbar1.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} -
F:\Utilities\Program Files\RoboForm\RoboForm.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} -
F:\Applications\Graphics\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [CoolSwitch] F:\Utilities\System\Windows XP Power
Toys\taskswitch.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program
Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [pccguide.exe] "F:\Utilities\Program Files\Trend
Micro\pccguide.exe"
O4 - HKLM\..\Run: [sunasDTServ] F:\Utilities\Program
Files\CounterSpy\sunasDTServ.exe
O4 - HKLM\..\Run: [sunasServ] F:\Utilities\Program
Files\CounterSpy\sunasServ.exe
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} -
file://F:\Utilities\Program Files\RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms -
{320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://F:\Utilities\Program
Files\RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} -
file://F:\Utilities\Program Files\RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms -
{320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://F:\Utilities\Program
Files\RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} -
file://F:\Utilities\Program Files\RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar -
{724d43aa-0d85-11d4-9908-00400523e39a} - file://F:\Utilities\Program
Files\RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -
E:\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe
O12 - Plugin for .rx: C:\Program Files\Internet
Explorer\Plugins\npwrqxrx.dll
O12 - Plugin for .rxc: C:\Program Files\Internet
Explorer\Plugins\npwrqxrx.dll
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13}
(PPSDKActiveXScanner.MainScreen) -
http://ppupdates.ca.com/downloads/scanner/axscanner.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) -
http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O20 - Winlogon Notify: IntelWireless - C:\Program
Files\Intel\Wireless\Bin\LgNotify.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. -
C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: C-DillaCdaC11BA - Macrovision -
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: EvtEng - Intel Corporation - C:\Program
Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. -
F:\Applications\Music\iPod\Updater\bin\iPodService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend
Micro Incorporated. - F:\UTILIT~1\PROGRA~1\TRENDM~1\PcCtlCom.exe
O23 - Service: PDEngine - Raxco Software, Inc. - F:\Utilities\Program
Files\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. -
F:\Utilities\Program Files\PerfectDisk\PDSched.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program
Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel
Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware -
F:\Utilities\Program Files\SiSoftware Sandra Professional
2005\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware -
F:\Utilities\Program Files\SiSoftware Sandra Professional
2005\RpcSandraSrv.exe
O23 - Service: ScsiAccess - Unknown owner -
F:\Applications\Multimedia\ProShowGold\ScsiAccess.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro
Incorporated. - F:\UTILIT~1\PROGRA~1\TRENDM~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. -
F:\UTILIT~1\PROGRA~1\TRENDM~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. -
F:\UTILIT~1\PROGRA~1\TRENDM~1\tmproxy.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program
Files\Intel\Wireless\Bin\WLKeeper.exe
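Frank asks whether anything in the log above looks suspect. The script below is an added example for this thread; it is not part of HijackThis and not code from the posters. It does the first pass a reviewer does by eye: parse each R*/O* entry, then flag the orphaned "(no file)" registrations, start/search pages that point somewhere other than an allow-list of hosts, autorun entries launched from temp or profile directories, and services with no publisher. SAMPLE_LOG is a constructed excerpt modelled on the posted log, except the "[updater]" O4 line, which is invented to exercise the path check and is not in the posted log. The heuristics and TRUSTED_PAGE_HOSTS are assumptions about what deserves a second look, not a malware verdict.

```python
"""Triage a HijackThis log: parse each entry and flag the ones a reviewer
reads first.

Added example for this thread; not part of HijackThis and not code from the
posters. SAMPLE_LOG is a constructed excerpt modelled on the posted log; the
"[updater]" O4 line is invented for the demo. The heuristics and the
TRUSTED_PAGE_HOSTS list are assumptions, not a malware verdict.
"""
import re
from typing import Dict, List, Tuple
from urllib.parse import urlparse

SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [updater] C:\WINDOWS\Temp\svch0st.exe
O23 - Service: ScsiAccess - Unknown owner - F:\Applications\Multimedia\ProShowGold\ScsiAccess.exe
"""

ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
SUSPECT_DIRS = ("\\temp\\", "\\documents and settings\\", "\\recycler\\")
TRUSTED_PAGE_HOSTS = {"www.google.com", "www.msn.com", "www.dell.com"}  # assumption

Flag = Tuple[str, str, str]  # (section, reason, entry text)


def parse_log(text: str) -> List[Dict[str, str]]:
    """Keep only R*/O* entries, dropping the header and the process list."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append({"section": m.group(1), "body": m.group(2)})
    return entries


def triage(entries: List[Dict[str, str]]) -> List[Flag]:
    flags: List[Flag] = []
    for e in entries:
        sec, body = e["section"], e["body"]
        low = body.lower()
        if low.endswith("(no file)"):
            # CLSID still registered but the DLL is gone: a leftover of an
            # uninstall or a removal tool. Harmless, but clean it up so it
            # stops showing in every log.
            flags.append((sec, "orphaned registration, no file on disk", body))
        elif sec in ("R0", "R1") and "=" in body:
            host = urlparse(body.split("=", 1)[1].strip()).hostname or ""
            if host and host not in TRUSTED_PAGE_HOSTS:
                flags.append((sec, f"start/search page points at {host}", body))
        elif sec == "O4" and any(d in low for d in SUSPECT_DIRS):
            flags.append((sec, "autorun from a temp or profile directory", body))
        elif sec == "O23" and "unknown owner" in low:
            flags.append((sec, "service with no publisher name", body))
    return flags


if __name__ == "__main__":
    for sec, reason, body in triage(parse_log(SAMPLE_LOG)):
        print(f"{sec:4} {reason}\n     {body}")
```

Every flag is a prompt to look up the CLSID, the file hash or the publisher, not a removal instruction; the allow-list of page hosts in particular has to be edited for the machine in question (an OEM portal such as dell4me.com will be flagged until it is added).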
 

Jim Byrd

Hi Frank - Did you deliberately and intentionally install "MyWay"? In the
circles I move in, it's considered spyware - normally co-installed with
KaZaa as a BHO - "Speedbar" - but you can get it some other ways. Some
people do intentionally install it as part of the MyWay portal. It's
certainly co-opted your Search functionality.

--
Regards, Jim Byrd, MS-MVP
My Blog Defending Your Machine here:
http://defendingyourmachine.blogspot.com/

Frank D. Nicodem said:
Jim Byrd said:
Download HijackThis, free, here:
You may also get it here if that link is blocked:
http://www.majorgeeks.com/downloadget.php?id=3155&file=3&evp=3304750663b552982a8baee6434cfc13

Thanks for the additional comments, BTW. I'll look at IESpyAd; it's
about the only one I *haven't* run.

In any case, I did run a current copy of HijackThis, and I was
actually surprised at how "clean" my system really is. Before
posting it on any of the HijackThis forums, I thought I'd pass it by
here, just for any additional comments. Let me know if you see
anything "suspect"; right now, I don't.
-----------------------------------------------------
Frank Nicodem
(e-mail address removed)

 

Gary Smith

Yes, in fact it does. In that simple circumstance, I went to the URL you
mentioned, clicked on "Recent tips", and immediately my "Back" queue had a
URL inserted into it named:
ad.doubleclick.net/ad/msft.spon

That's exactly what used to happen to me when I had doubleclick in my
HOSTS file to block it. The effect was so annoying that I subsequently
removed all blocking entries from my HOSTS file except for ads.x10.com, a
site so annoying that I never want to hear about it again.

I now have doubleclick.net in the restricted sites zone, where it's
forbidden to store cookies, and I just ignore the ads.

Further note: Having read a later response, I put ad.doubleclick.net
back into my HOSTS file and tried the JSI site again. This time the ads
were blocked, but the function of the back button was not disrupted the
way it had been formerly. This may be the solution for you.

Doing this experiment reminded me of the other reason I removed blocking
entries from my hosts file -- they slow things down. Whenever a
request is redirected to 127.0.0.1, IE waits for a response until the
timeout period expires. Of course, there won't be a response, and the
delay itself can sometimes be as annoying as the ads.
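Both Jim (add the listed ad sites to the Restricted zone, as IESpyAd does) and Gary (doubleclick.net lives in his Restricted Sites zone) point at the same mechanism. IE keeps zone assignments per user under the ZoneMap\Domains registry key, so the manual "Tools > Internet Options > Security" clicks can be replaced by a .reg file. The generator below is an added example for this thread, not code from the posters, from IESpyAd or from Microsoft; the host list is an assumption based on the domains named in the thread, and country-code second-level domains such as example.co.uk are not handled.

```python
"""Generate a .reg file that places ad hosts in Internet Explorer's
Restricted Sites zone.

Added example for this thread, not code from the posters, from IESpyAd or
from Microsoft. The registry layout is IE's ZoneMap\\Domains scheme; the host
list is an assumption based on the domains named in the thread. Country-code
second-level domains (example.co.uk) are not handled.
"""
from typing import Dict, Iterable

ZONE_RESTRICTED = 4   # 0 local machine, 1 intranet, 2 trusted, 3 internet, 4 restricted
DOMAINS_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
               r"\Internet Settings\ZoneMap\Domains")


def zone_key(host: str) -> str:
    """Registry key for a host.
    doubleclick.net     -> ...\\Domains\\doubleclick.net      (all subdomains)
    ad.doubleclick.net  -> ...\\Domains\\doubleclick.net\\ad  (that host only)
    """
    labels = host.lower().strip(".").split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError(f"not a usable hostname: {host!r}")
    domain = ".".join(labels[-2:])
    sub = ".".join(labels[:-2])
    return DOMAINS_KEY + "\\" + domain + ("\\" + sub if sub else "")


def zone_entries(hosts: Iterable[str], zone: int = ZONE_RESTRICTED) -> Dict[str, int]:
    """{registry key: zone id}. A host-specific key is dropped when its whole
    domain is listed too, because the domain key already covers every subdomain."""
    names = {h.lower().strip(".") for h in hosts}
    whole = {n for n in names if n.count(".") == 1}
    entries: Dict[str, int] = {}
    for n in sorted(names):
        if n.count(".") > 1 and ".".join(n.split(".")[-2:]) in whole:
            continue
        entries[zone_key(n)] = zone
    return entries


def render_reg(entries: Dict[str, int]) -> str:
    """Text of a .reg file for regedit. The "*" value applies to every URL
    scheme; use "http" or "https" as the value name to restrict one scheme."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, zone in entries.items():
        lines += [f"[{key}]", f'"*"=dword:{zone:08x}', ""]
    return "\r\n".join(lines)


if __name__ == "__main__":
    hosts = ["doubleclick.net", "ad.doubleclick.net", "view.atdmt.com", "ads.x10.com"]
    print(render_reg(zone_entries(hosts)), end="")
```

Save the output with a .reg extension and double-click it (or run `regedit /s file.reg`) on the account that uses IE; the key is under HKCU, so each user needs their own import. Unlike a HOSTS entry this does not stop the request: the ad still loads, but the Restricted zone's defaults deny it scripting, ActiveX and persistent cookies, which is the trade-off Gary describes.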
 
