Spyware Search Bar

John

Hi,
Several months ago a search bar called 'bolt up grey'
appeared in my Internet Explorer. However, I got rid of it
using spyware programs. However, it has come back again,
and I have run Spyware Blaster, Ad-Aware 6, Bazooka and
Spybot, but none of them have detected it.

The search bar is not in My Program Files either. I have
searched all files and folders on my computer and still
no sign of it. Any help?

Thanks.
 
war17

Some website has hijacked your Search.

1. Use the following scanners to find and remove the website.

SpyBot S&D searches your hard disk for so-called spy- or adbots;
http://security.kolla.de/
or
Adaware
http://www.lavasoftusa.com/software/adaware/
or
CoolWebShredder
http://www.spychecker.com/program/coolwebshredder.html

2. Some porn websites redirect links to their websites using your HOSTS
file. Do a search for the HOSTS (without extension) file and remove the
entry.

3. If still no joy, download HijackThis from the Spywareinfo download page:

http://www.spywareinfo.com/program/hijackthis.html

Run the program and you will find many entries. Most are OK. Post the log. I
will find the problem for you.

4. For future preventive maintenance, turn off ActiveX in the Security tab.
 
John

Here is the HijackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 17:43:15, on 06/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\mHotkey.exe
C:\Program Files\Messenger Plus! 2\MsgPlus1.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Common files\updater\wupdater.exe
C:\PROGRA~1\SEEKAD~1\default view.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\SysAI\SysAI.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\John Telfer\My Documents\My
Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Search Bar =
http://searchweb2.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Search Page =
http://searchweb2.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start
Page = http://searchweb2.com/passthrough/index.html?
http://www.google.com/
R1 - HKCU\Software\Microsoft\Internet
Explorer\Search,SearchAssistant =
http://searchweb2.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet
Explorer\Main,Search Bar =
http://searchweb2.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet
Explorer\Main,Search Page =
http://searchweb2.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet
Explorer\Main,Default_Page_URL =
http://www.btopenworld.com
R1 - HKLM\Software\Microsoft\Internet
Explorer\Main,Default_Search_URL =
http://uk.red.clientapps.yahoo.com/customize/btyahoo/defau
lts/su/*http://uk.search.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet
Explorer\Search,SearchAssistant =
http://searchweb2.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Window Title = Microsoft Internet Explorer
provided by BTopenworld
R1 - HKCU\Software\Microsoft\Internet Connection
Wizard,Shellnext = http://www.btopenworld.com/
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-
6BB168A70310} - (no file)
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-
DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-
DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-
786FA05C83AB} - C:\Program Files\SysAI\AproposPlugin.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-
7695ECA05670} - C:\Program Files\Yahoo!
\common\ycomp5_2_3_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-
784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0
\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-
0B5F309A0E64} - C:\Program Files\Microsoft
Money\System\mnyside.dll
O2 - BHO: (no name) - {5F5A1060-48D7-251A-AD8D-
37481A05D0B6} - C:\PROGRA~1\MEDIAL~1\FOUR TONS.dll
O2 - BHO: (no name) - {71ED4FBA-4024-4bbe-91DC-
9704C93F453E} - (no file)
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-
00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-
CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-
FADC6B084872} - C:\Program Files\Norton
AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-
209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-
00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Bolt up grey - {1275B163-EFAF-5997-1743-
3CC5FC56F7F1} - C:\PROGRA~1\MEDIAL~1\FOUR TONS.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-
BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program
Files\Messenger Plus! 2\MsgPlus1.exe"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1
\navapw32.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32
\NeroCheck.exe
O4 - HKLM\..\Run: [updater] C:\Program Files\Common
files\updater\wupdater.exe
O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe
O4 - HKLM\..\Run: [defy4] C:\PROGRA~1\SEEKAD~1\default
view.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px]
C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program
Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program
Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program
Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1
\Symantec\LIVEUP~1\SNDMon.EXE
O4 - Global Startup: BigFix.lnk = C:\Program
Files\BigFix\BigFix.exe
O8 - Extra context menu item: &Download with &DAP -
C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search -
res://C:\Program
Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links -
res://C:\Program
Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page -
res://C:\Program
Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP -
C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Si&milar Pages -
res://C:\Program
Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English -
res://C:\Program
Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: BT Yahoo! Sidebar (HKLM)
O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar (HKLM)
O9 - Extra button: Run DAP (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Money Viewer (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet
Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF:
START_PAGE_URL=http://www.btopenworld.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C}
(Checkers Class) -
http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} -
http://www.uproar.com/applets/activex/shizmoo/flipside_web
18.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000}
(Shockwave ActiveX Control) -
http://download.macromedia.com/pub/shockwave/cabs/director
/sw.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -
http://ak.imgfarm.com/images/nocache/funwebproducts/ei/Smi
leyCentralInitialSetup1.0.0.8.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276}
(yucsetreg Class) - C:\Program Files\Yahoo!
\common\yucconfig.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB}
(YInstStarter Class) - C:\Program Files\Yahoo!
\common\yinsthelper.dll
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A}
(Microsoft.WinRep) -
https://webresponse.one.microsoft.com/oas/ActiveX/winrep.c
ab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE
Class) - http://software-
dl.real.com/08cfa404b360bb691216/netzip/RdxIE601.cab
O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} (Matrix
Class) - http://acceso.masminutos.com/aplicacion.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D}
(MessengerStatsClient Class) -
http://messenger.zone.msn.com/binary/MessengerStatsClient.
cab
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg
Class) -
http://www2.flingstone.com/cab/2000XP/new/bridge.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000}
(YahooYMailTo Class) -
http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999}
(YAddBook Class) -
http://download.yahoo.com/dl/installs/yab_af.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} -
http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000}
(Shockwave Flash Object) -
http://download.macromedia.com/pub/shockwave/cabs/flash/sw
flash.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3}
(webhelper Class) -
http://register.btinternet.com/templates/btwebcontrol023.c
ab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AA944F28-B474-
4681-A389-396F76E21465}: NameServer = 213.120.62.99
213.120.62.102
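
Added example, not part of the thread and not HijackThis code: the log above was wrapped mid-entry when it was posted, so this triage sketch first rejoins the entries and then lists everything that loads the same file as the 'Bolt up grey' toolbar, plus entries marked "(no file)". The function names and the rejoin heuristic are assumptions; the sample is an excerpt of the posted log.

```python
import re

ENTRY = re.compile(r"^(R[0-3]|F[0-3]|O\d{1,2}) - (.*)$")

# Excerpt of the log posted above, kept with its mid-entry line wraps.
LOG = r"""R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Search Bar =
http://searchweb2.com/searchbar.html
O2 - BHO: (no name) - {5F5A1060-48D7-251A-AD8D-
37481A05D0B6} - C:\PROGRA~1\MEDIAL~1\FOUR TONS.dll
O2 - BHO: (no name) - {71ED4FBA-4024-4bbe-91DC-
9704C93F453E} - (no file)
O3 - Toolbar: Bolt up grey - {1275B163-EFAF-5997-1743-
3CC5FC56F7F1} - C:\PROGRA~1\MEDIAL~1\FOUR TONS.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-
BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32
\NeroCheck.exe
"""

def unwrap(text):
    """Rejoin entries that a mail/news client wrapped across lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ENTRY.match(line) or not entries:
            entries.append(line)
            continue
        prev = entries[-1]
        # Heuristic (assumption): a GUID or path split mid-token is glued
        # back directly; any other wrap happened at a space.
        mid_token = (prev.endswith("-") and not prev.endswith(" -")) or line.startswith("\\")
        entries[-1] = prev + ("" if mid_token else " ") + line
    return [ENTRY.match(e).groups() for e in entries if ENTRY.match(e)]

def same_file_as_toolbar(entries, toolbar_name):
    """Return every entry that loads the file registered for the named O3 toolbar."""
    target = None
    for code, body in entries:
        if code == "O3" and body.lower().startswith("toolbar: " + toolbar_name.lower() + " - "):
            target = body.rsplit(" - ", 1)[1].lower()
    if target is None:
        return []
    return [(c, b) for c, b in entries if b.lower().endswith(target)]

def orphans(entries):
    """Entries whose registry key survives but whose file is gone."""
    return [(c, b) for c, b in entries if b.endswith("(no file)")]
```

On this excerpt the toolbar's DLL is registered twice, as an O3 toolbar and as an O2 BHO, which is the kind of second registration worth checking when a removed toolbar comes back.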
 
John

The toolbar is no longer appearing, as I deleted the
searchbar2 file that was found when I scanned using
HijackThis, but thanks for your time, mate.
 
