Explorer Reloads on Startup (?), Hijacking of Searches

Hey Guys,

A couple weeks back, I got a drive by that tossed UnspyPC on my computer, and also seems to have inserted the IE window popups and fake system message popups for Winfixer as well. These popups could circumvent popup stoppers. I uninstalled UnspyPC and was able to rid myself of those bothersome popups after doing a little research. However, I suspect this infection or another has left some artifacts of note behind.

Just to start, let me say that Spybot S&D, Ad-Aware SE Personal, AVG Free, and Webroot Spysweeper all seem to agree that my system is clean, yet some odd behavior persists. I have also handled all the suspicious entries all of them found, and removed anything that seems remotely "not right" with Hijack This (I am a tech, so no, I didn't just go willy-nilly fixing items, no worries there). They keep all showing clean with no new entries or reappearing removed items now. I am also unable to pin down anything odd in my processes running or using Startup List.

When I boot the machine, my desktop and background appear, but then the screen will flick to black for a moment, and return to normal. This happens as much as 2-3 times before the system finishes. I suspect this is indicative of Explorer.exe being altered and forced to reload to accomodate something. Also, on the final instance, I can see the outline trace of a window of some kind appear for just a split second, not even long enough for the screen to fill in the window and let me see anything about it. It occupies maybe the top quarter of the screen.

In addition, website links and searches get hijacked. Es[ecially if the links have to do with spyware removal and the like, it will redirect me to other, probably bogus software sites. For instance, attempts to search for and then go to the homepage for Spybot S&D will be redirected to any number of bogus tools, such as Stopzilla, to name one that I recall off the top of my head. Other types of links are also hijacked and redirected to "relevant" (sorta) Google search results.

Anyone got any tips/info/ideas? I really want to kill this garbage once and for all. Some work with Spyware Blaster and Hosts file editing has killed the redirects, but I still hear IE trying to click through several pages fairly often, apparantly with these attempts failing due to the Host file edits. It's annoying, and I hate running a dirty system, when I normally am able to keep it tidy and clean.

 

OK, ran through the instructions as given.

-CCleaner ran and I had it remove what it found.
-MS Malicious Software Removal - Found nothing.
-Ad-Aware SE - Found nothing
-Spybot S&D - Found nothing.
-MS AntiSpyware - Found nothing.
-CWShredder - Found and removed cws.svchost32 and cws.smartsearch
-Kill2Me - Found nothing.
-BitDefender - Found and removed/healed some items. Everything it found was in my old Sent Mail folders as near as I could see.
-Panda - Says it found things, but I can't see what or post the log, because in safe mode, the window it opened was too small to see the right hand side of the readout where it gave this info, and I had no ability to scroll over or enlarge the window.

Since BitDefender found some Swen traces, I also ran a quick instance of Symantec's FixSwen tool to be sure it wasn't actively working. No problems found there, either.

I still have the issue at startup with apparant reloading of Explorer (seems to have settled into doing it twice every time), and the window-flicker. I've attached the BitDefender log, and HJT log.

I've also uploaded a short (15sec) MPG video of my computer as it loads up, so that you can see exactly what I do. It's not big, but serves well enough to show the issue. You can see the screen flick to black at about 5 seconds, then it returns and flicks immediately back to black at about 6-7 seconds, then you can make out the window tracing at 9-10 seconds or so for just a brief moment. The files is 320x240 and about 1.5MB in size. You may need to doublesize it to be able to see the window-trace depending on your resolution. That MPG is at http://www.capturedprey.com/images/startup.mpg

 

I may have overlooked that the HJT version has been updated since I got the one I had on hand, but I certainly did follow everything exactly as your instructions directed, other than getting ahold of the new version.

Here is the new logfile for the current version of HJT.

 

Did the whole Uninstallation of Unspy and the Wareout remover bit when I first found the fixes to remove that bothersome Winfixer crud. But did it again to be sure.

Unspy has not reappaeared in the Add/Remove programs dialogue. Here's the report for Wareout.

Just for reference, immediately upon Wareout completing, the same double-flicker of the screen and the phantom window
trace appeared.

 

Alright, backed up DMDES to a safely removed memory stick, and delete the original from safe mode. Also did a Registry search. Found two references to it. Both were in HKLM\software\webroot\spysweeper\startup\id24, and I deleted both keys after exporting them to the same memory stick to be safe.

I've attached the Ewido log. I had it take care of the little it found (1 item IIRC).

I've also attached a Kapersky log and a fresh HJT log. Kapersky didn't find any Explorer infections, but did find the same (apparantly latent) infection attempts in my old mail storage folders (unfortunately, I havn't got the option of deleting these without dire need to do so, I have a fair bit of necessary stuff in those folders, and it would be insanely arduous to manually find and destroy all the individual messages from the two programs that found things in them). I did go in and destroy the four folders on my external drive that Kapersky indicated contained Trojans and such in the program zip files, and shooed them out of my recycle bin.

The good news is, I only saw the screen "skip" once this reboot. The split-second window still appeared.

 

**PS**

Normally I'd have assumed DMDES was a Spy Sweeper file, but the fact that googling it comes up with zilch for results, would instead indicate it was a randomly generated file.

**EDIT** Scratch that, just did it one more time to see if Wareout would find any odd files again, and I got the double-flicker again. Grah.

Also, yes, Spysweeper is a paid version, but I intend to "return" it, so to speak. Although it found a lot during it's free trial that got me to buy it, it didn't actually solve it, and I suspect the same issues would have been found/foxed by a couple of these other tools we've used here anyhow.

 

I am aware that Warez is not a particularly friendly product. But it is most definately not the source of this issue. The program was downloaded on my old PC quite some time ago, and proved ineffective anyway. For that reason, as well as it;s known shaky reputation, it was never used again, and never installed in this computer at all. It existed only as an unopened, untouched file on my external mass storage drive where my massive archive of installer files goes. So no worries there. At any rate, all four of those folders and the unopened Zips inside them are destroyed now.

I take it, then, that you are suggesting I keep Spysweeper and see if I change my mind.

 

Understood. Personally, I am opposed to paying for something unless it does a remarkably better job than free tools I can find with a little effort searching.

That aside, apparantly it looks fairly clean. Any more thoughts, or should I remove my Host files protections and pray? Because beyond that, I'm about *this* close to reloading the system from scratch to eliminate the issues for sure.

 

I have used IE Spyad. SpywareBlaster has also been put to use. I also found a tool that was recommended by other sites, during my earlier general search for help removing the Browser Hijacker problem. Among the solutions and help ideas was a file which could be simply run, and would add a whole mess of problematic sites to the Hosts file, preventing them from ever loading by simply redirecting them to the system at the "dead" IP addy.

 

Here's the info from the Host file on it's origins.

# This MVPS HOSTS file is a free download from: #
# http://www.mvps.org/winhelp2002/ #

 

Well, I removed the Hosts file alterations (actually, just renamed them and tossed in a new Hosts file with just Localhost as normal). Seems, for now at least, as if the redirector got busted by something we did. I suppose I can live with the screen flickings if that;s the worst I have left.

Shall I keep Broweser Hijack Blaster, or is that one generally not worth the effort?

 

No, what I meant was that the Hosts file was redirecting anything on the list of sites installed into it by what I showed you previously to the Localhost address that is always in the host file by default. That's what the MVPS Hosts file does, effectively.

 

Err, no, sorry. What I meant is that it looks, for now at least, as if the browser hijacker got busted by something we did here. I am now able to do a Google on, to usemy old example, Spybot, and not be redirected.

 

Think "busted" like the reference used when you get busted by the cops. Hence, since I'm not being redirected when I try and do things that used to trigger the hijacker to redirect me, it seems that the Hijacker got "busted" by some part of what you had me run through.

I still have the odd flicker at startup, but I suppose if that's the worst of it, I can handle that.