# websearch = crash



## Shaolinwind (Jul 30, 2006)

Ok this is SCREWED up.

If I search in Yahoo, the search comes up, then an error message shows and says that it cannot find the page it had just brought up. I can hit back and click a link fast and the page comes up, but if I don't act fast the error comes up and gives me a "page not found" 404-type error. I reset, I checked for virii, and did a Spybot search, then rebooted again. I am pretty confounded.


----------



## Bob Hubbard (Jul 30, 2006)

I'm thinking a browser hijacker.....what web browser are you using?


----------



## Shaolinwind (Jul 30, 2006)

Bob Hubbard said:

> I'm thinking a browser hijacker.....what web browser are you using?

Internet Explorer


----------



## mantis (Jul 30, 2006)

Shaolinwind said:

> Internet Explorer

go ahead and start using Firefox 1.5. do not install any extensions though.
and then who uses Yahoo man?!
haven't you heard of "Google"? that's the new thing man haaha


----------



## Bob Hubbard (Jul 30, 2006)

Shaolinwind said:

> Internet Explorer

what spyware scanners did you use?

Also, can you try a different browser, Firefox recommended?


----------



## Shaolinwind (Jul 30, 2006)

mantis said:

> go ahead and start using Firefox 1.5. do not install any extensions though.
> and then who uses Yahoo man?!
> haven't you heard of "Google"? that's the new thing man haaha

Hey man, just because you are a 5-hour drive away doesn't mean I don't intend to come and beat you with a bar of soap wrapped in a towel. :whip:


----------



## Bob Hubbard (Jul 30, 2006)

Ah....bar of soap.  I'd been using liquid soap to beat folks....didn't work.

*corrects notes* :wavey:


----------



## OUMoose (Jul 30, 2006)

Opera FTW.


----------



## mantis (Jul 30, 2006)

Bob Hubbard said:

> Ah....bar of soap.  I'd been using liquid soap to beat folks....didn't work.
> 
> *corrects notes* :wavey:

no the liquid still works
you just have to make them drink it!

shaolinwind:
I mean seriously man, who in this world still uses IE and Yahoo! come on man.  oh, btw, there's something called a plane, a car, or a bike if you want to come from nor cal... I assume you haven't heard of those either!


----------



## matt.m (Jul 30, 2006)

I use the full version of Spy Sweeper, I am running IE 7.  Use Ad-Aware SE.  That is good too, and don't forget Norton.

Good luck with everything man.


----------



## Shaolinwind (Jul 30, 2006)

mantis said:

> no the liquid still works
> you just have to make them drink it!
> 
> shaolinwind:
> I mean seriously man, who in this world still uses IE and Yahoo! come on man. oh, btw, there's something called a plane, a car, or a bike if you want to come from nor cal... I assume you haven't heard of those either!

You are only adding to the pain and suffering you will have to endure before I allow you the sweet relief of death, you know that right?


----------



## Shaolinwind (Jul 30, 2006)

Shaolinwind said:

> You are only adding to the pain and suffering you will have to endure before I allow you the sweet relief of death, you know that right?

For the record, mantis and I are good friends.


----------



## Kreth (Jul 31, 2006)

mantis said:

> I mean seriously man, who in this world still uses IE and Yahoo!


Well, I don't use Yahoo, but for many of us that um... browse from work, IE is the only option...


----------



## Grenadier (Jul 31, 2006)

This sounds a lot like the CoolWebSearch scumware.

You may want to get the latest version of HijackThis and run it.

Post your logs here; there are many folks who can help tell you what to safely remove.


----------



## Andrew Green (Jul 31, 2006)

Kreth said:

> Well, I don't use Yahoo, but for many of us that um... browse from work, IE is the only option...



Then what you need to do is beat your IT dept over the head with a stick, which is what they should be doing to anyone they catch infecting their system.... I mean using Explorer


----------



## mantis (Jul 31, 2006)

Kreth said:

> Well, I don't use Yahoo, but for many of us that um... browse from work, IE is the only option...

I could care less about work man. that's alright, who cares about work computers!  however, if you're annoyed by IE at work all it takes is one LUNCH with the IT guy. you don't have to pay for him, only sit with him for like 3 mins at the lunch table.  that's much more than IT people expect.... well unless you work for a big corp then there's no point behind that.


----------



## Kreth (Jul 31, 2006)

mantis said:

> I could care less about work man. that's alright, who cares about work computers! however, if you're annoyed by IE at work all it takes is one LUNCH with the IT guy. you don't have to pay for him, only sit with him for like 3 mins at the lunch table. that's much more than IT people expect.... well unless you work for a big corp then there's no point behind that.


Um... I am an IT guy. However, I work for a large company, and the group that handles applications is in another city about 3 hours away.


----------



## mantis (Jul 31, 2006)

Kreth said:

> Um... I am an IT guy. However, I work for a large company, and the group that handles applications is in another city about 3 hours away.

sounds like your application people are stuck with IT policies, aren't they?
sorry to make IT people sound so anti-social. I work in that field too, no offense


----------



## Kreth (Jul 31, 2006)

mantis said:

> sounds like your application people are stuck with IT policies, aren't they?
> sorry to make IT people sound so anti-social. I work in that field too, no offense


I actually prefer FF, but with asset tracking on the PCs here, I can't even install it, unless I want to run it from a flash drive.


----------



## mantis (Jul 31, 2006)

Kreth said:

> I actually prefer FF, but with asset tracking on the PCs here, I can't even install it, unless I want to run it from a flash drive.

which company do you work for?

shaolinwind -- sorry this thread isn't about you anymore


----------



## Kreth (Jul 31, 2006)

mantis said:

> which company do you work for?


Why, going to give my boss a call?


----------



## OUMoose (Jul 31, 2006)

Kreth said:

> Well, I don't use Yahoo, but for many of us that um... browse from work, IE is the only option...

Does your security policy leave the USB ports enabled?

If not, there's always Portable Firefox, which is totally self-contained on the USB drive.  There's also a Portable Thunderbird, GAIM, FTP, and a bunch of other useful stuff on that site.

For reference, portable Opera is a bit ugly in rendering pages.  Not sure why.  Might have to play with it some more.  :idunno:


----------



## mantis (Jul 31, 2006)

Kreth said:

> Why, going to give my boss a call?

neah
looking for a job


----------



## Shaolinwind (Aug 1, 2006)

Grenadier said:

> Post your logs here; there are many folks who can help tell you what to safely remove.

Okie! Logs posted.

Logfile of HijackThis v1.99.1
Scan saved at 12:08:06 AM, on 8/1/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\WgaTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\AOL\1143672085\ee\AOLSoftware.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Muiltmedia keyboard utility\1.3\KbdAp32A.exe
C:\WINDOWS\System32\19bbc311.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\SEANFE~1\LOCALS~1\Temp\Rar$EX00.813\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5753791b-f607-48ca-814e-91c14d081f9e} - C:\Program Files\IntCodec\isaddon.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [FLMK08KB] C:\Program Files\Muiltmedia keyboard utility\1.3\MMKEYBD.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1143672085\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [rock] rock.exe
O4 - HKLM\..\Run: [19bbc311.exe] C:\WINDOWS\System32\19bbc311.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O4 - HKCU\..\Run: [19bbc311.exe] C:\Documents and Settings\Sean Fergesun\Local Settings\Application Data\19bbc311.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\CLI.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01AD29F7-6768-0B5F-55D9-38640181A173} - http://85.255.115.229/1/gdnUS250.exe
O16 - DPF: {0C8816B7-AE27-4FED-3E37-49997561DD53} - http://85.255.115.229/1/gdnUS250.exe
O16 - DPF: {0F2F4D09-0197-743B-7FC2-7EEA4085E400} - http://85.255.115.229/1/gdnUS250.exe
O16 - DPF: {0F638AA6-6F8B-0F2E-0773-3B9354694B5B} - http://85.255.115.229/1/gdnUS250.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1769F295-749B-7014-E5B4-1B1018527006} - http://85.255.115.229/1/gdnUS250.exe
O16 - DPF: {1B8FC50C-116C-4429-9740-2B4105FEF7E2} - http://85.255.115.229/1/gdnUS250.exe
O16 - DPF: {1DE3DDAF-F2BA-48B0-0B5E-3837101AA9C0} - http://85.255.115.229/1/gdnUS250.exe
O16 - DPF: {27B846AD-E482-218B-EE88-550D5107F184} - http://85.255.115.229/1/gdnUS250.exe
O16 - DPF: {2BF1ADFC-5D5C-17E8-7ABC-4B1D2B1DF9DA} - http://85.255.115.229/1/gdnUS250.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {38AF79FB-0913-1E37-9A67-72D012D100E3} - http://85.255.115.229/1/gdnUS250.exe
O16 - DPF: {3D219E37-DA01-241A-5926-33787ABC1C00} - http://85.255.115.229/1/gdnUS250.exe
O16 - DPF: {3FF7A275-6B5D-2F28-F2D0-7C6759E7BD65} - http://85.255.115.229/1/gdnUS250.exe
O16 - DPF: {412CB625-4686-103B-3BC6-61F543290FE7} - http://85.255.115.229/1/gdnUS250.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
O16 - DPF: {4FCC7557-3004-1390-9D5A-0E3D13ADFE1C} - http://85.255.115.229/1/gdnUS250.exe
O16 - DPF: {527F8ED1-5901-4AAF-6F97-7A1753F7DCE7} - http://85.255.115.229/1/gdnUS250.exe
O16 - DPF: {62F3FAFE-54EA-6470-2FB0-6FB21EB2BB6C} - http://85.255.115.229/1/gdnUS250.exe
O16 - DPF: {BCD5A227-8720-497B-AF5F-4403E94342E3} (CDDM Object) - https://netservices.verizon.net/portal/verizon/passwdchg/activex/DSLControl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{85401DE9-FCE4-4F3C-91D5-490696768B4F}: NameServer = 205.188.146.145
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: bestreak - {874443fe-aa33-4ebf-a6ac-73208787e62d} - C:\WINDOWS\System32\viruxz.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe


----------



## Bob Hubbard (Aug 1, 2006)

ok, this concerns me: gdnUS250.exe

Seems to indicate the presence of either a virus or spyware. (Thing called Downloader, puts in a backdoor)

Don't have the time right now to really dig more.


Install Firefox, go to http://housecall.trendmicro.com/ and use their free scan service. It'll take an hour or 2 to run.

I'll try and do more research later.


----------



## Kreth (Aug 1, 2006)

Bob Hubbard said:

> ok, this concerns me: gdnUS250.exe
> 
> Seems to indicate the presence of either a virus or spyware. (Thing called Downloader, puts in a backdoor)

It's a dialer. Run the scan like Bob suggested. Then run HJT again.

mantis said:

> neah
> looking for a job


I work for NYSEG, a utility in Upstate NY.


----------



## Bob Hubbard (Aug 1, 2006)

These lines concern me, but I couldn't find any info on them.
C:\WINDOWS\System32\19bbc311.exe

O4 - HKCU\..\Run: [19bbc311.exe] C:\Documents and Settings\Sean Fergesun\Local Settings\Application Data\19bbc311.exe

O4 - HKLM\..\Run: [19bbc311.exe] C:\WINDOWS\System32\19bbc311.exe


This one looks to be spyware
O4 - HKLM\..\Run: [rock] rock.exe


----------



## Kreth (Aug 1, 2006)

Bob Hubbard said:

> These lines concern me, but I couldn't find any info on them.


It's probably another dialer, or spyware that uses random characters as the name of the exe.


----------
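The checks the last few replies make by eye, written up as an added Python triage script that is not part of this thread and not part of HijackThis: it scans entries copied from the log posted above and flags the patterns called out here (a random-looking hex executable name, a Run entry with no path, O16 DPF downloads served from a raw IP address, a nameless BHO, and an O21 SSODL entry). The heuristics and the function name triage() are assumptions of this example, not rules from the tool.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "section reason line")

# Entries copied from the HijackThis log posted in this thread (a subset).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5753791b-f607-48ca-814e-91c14d081f9e} - C:\Program Files\IntCodec\isaddon.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [rock] rock.exe
O4 - HKLM\..\Run: [19bbc311.exe] C:\WINDOWS\System32\19bbc311.exe
O4 - HKCU\..\Run: [19bbc311.exe] C:\Documents and Settings\Sean Fergesun\Local Settings\Application Data\19bbc311.exe
O16 - DPF: {01AD29F7-6768-0B5F-55D9-38640181A173} - http://85.255.115.229/1/gdnUS250.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O21 - SSODL: bestreak - {874443fe-aa33-4ebf-a6ac-73208787e62d} - C:\WINDOWS\System32\viruxz.dll
"""

ENTRY = re.compile(r"^(R\d|O\d+) - (.*)$")              # "O4 - <rest>"
IMAGE = re.compile(r'"?([^"]*?\.(?:exe|dll|scr|bat|cmd))', re.I)
RAW_IP_URL = re.compile(r"https?://(?:\d{1,3}\.){3}\d{1,3}(?:[:/]|$)")
HEX_NAME = re.compile(r"^[0-9a-f]{8}\.exe$", re.I)      # e.g. 19bbc311.exe


def triage(log_text):
    """Return Findings for log entries that deserve a closer look (heuristics assumed here)."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # header, process list and blank lines
        section, rest = m.groups()

        def flag(reason):
            findings.append(Finding(section, reason, line))

        if section == "O2" and "(no name)" in rest:
            flag("BHO registered without a name")
        elif section == "O4" and "Run:" in rest:
            _, _, target = rest.partition("] ")   # drop the [value name]
            im = IMAGE.search(target)
            if not im:
                continue
            image = im.group(1)
            name = image.rsplit("\\", 1)[-1]
            if "\\" not in image:
                flag("Run entry is a bare executable name with no path")
            if HEX_NAME.match(name):
                flag("Run entry uses a random-looking hex executable name")
            if "\\Application Data\\" in image or "\\Temp\\" in image:
                flag("Run entry launches from a user-profile data directory")
        elif section == "O16" and RAW_IP_URL.search(rest):
            flag("ActiveX download (DPF) served from a raw IP address")
        elif section == "O21":
            flag("SSODL entry loads a DLL into the shell at logon")
    return findings


if __name__ == "__main__":
    for fnd in triage(SAMPLE_LOG):
        print(f"[{fnd.section}] {fnd.reason}\n    {fnd.line}")
```

The ccApp and go.microsoft.com entries pass through unflagged, which is the point: the script narrows the log to the handful of lines a human then looks up, it does not decide what to remove.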

