I've got BlazeFind.SearchEnhancer.ISTbar PLEASE HELP!!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by hoc, Jul 15, 2004.

  1. hoc

    hoc Private E-2

    So, I've been working for two days on this problem and everything I try doesn't seem to be able to get rid of this "spyware", "hacker" or whatever it is. I've used SpyBot Search and Destroy & TZ Spyware & Adware Removal. Both tell me that the problem is this

    BlazeFind.SearchEnhancer.ISTbar

    I attempted to fix the problem and while it says that it's fixed, it's still there. Pop Ups, my home page has been changed to Blazefind and there are some funky "Search" Bars at the top of my browser.
    I am running Windows 2000 on an HP e-pc computer. I have also run HijackThis and my log is below. Can anyone PLEASE help me get rid of this? I'm not a total computer idiot, but I'm not a "Majorgeek", so I may need a little more explanation.
    Thanks so much for anyone's help.
    Josh

    Logfile of HijackThis v1.98.0
    Scan saved at 1:44:21 PM, on 7/15/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINNT\System32\P2P Networking\P2P Networking.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\WindUpdates\WinUpdt.exe
    C:\WINNT\system32\oayrwug.exe
    C:\Program Files\WindUpdates\WinKA.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Documents and Settings\Administrator\Desktop\hijackthis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
    R3 - URLSearchHook: AutoSearch Class - {1E432263-6841-4653-8F02-366A2F77E339} - C:\PROGRA~1\WINDOW~4\WinSB.DLL
    O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINNT\nem219.dll
    O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINNT\mxTarget.dll
    O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINNT\systb.dll (file missing)
    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: E.HH - {9E992732-295F-4987-8BE3-16FAC1639198} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERV~1\IEService.dll
    O2 - BHO: EventHandler Class - {9FB534E3-67CB-4307-AE0A-9E8B5581BE2C} - C:\PROGRA~1\WINDOW~4\WinSB.DLL
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Windows Search Bar - {A1DD937D-71E1-4BB5-BD5D-1B01B9CB1C2F} - C:\PROGRA~1\WINDOW~4\WinSB.DLL
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [P2P Networking] C:\WINNT\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [WindUpdates] C:\Program Files\WindUpdates\WinUpdt.exe
    O4 - HKLM\..\Run: [zzvxus] C:\WINNT\system32\oayrwug.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKCU\..\Run: [\IEService.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERV~1\IEService.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...05f72cb55925:0db69b72ff39cfe5e585d7b34e81015d
     
  2. Hawk

    Hawk Private E-2

  3. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    WHAT? Lot of weird posts by you man. You need to do the normal routine. Did you check for uninstallers, run Ad-Aware, CWShredder? Did you do it from safe mode?

     
  4. hoc

    hoc Private E-2

    I couldn't find any uninstalls and I ran Ad-aware, spybot and CWShredder. Nothing seems to get rid of this.

    I'm going to try the above deletions and see what happens.

    Any other knowledge or help would be greatly appreciated.

    thanks
    Josh
     
  5. hoc

    hoc Private E-2

    Hawk: I didn't see the two HKEY entries to remove. I don't have anything that says isearch.

    Major Attitude: what exactly should I do from safe mode and how do I get into safe mode?

    This is really starting to bother me. I keep getting pop up ads and my home page is constantly being reset to Blazefind.com

    If anyone else has this problem, please help me get rid of it.

    thanks
    Josh
     
  6. Hawk

    Hawk Private E-2

    Isearch is also named as "BlazeFind.SearchEnhancer.ISTbar" by Spybot S&D and "istbar" by Ad-aware, or "SmartSearch". I believe this is installed by a security flaw in Java or (some people have reported) by a download prompted by Windows Media Player.

    Hawk :)
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I think there is more wrong here than what you mentioned.

    Before continuing, make sure you have enabled viewing of hidden files and folders in Windows Explorer: http://www.xtra.co.nz/help/0,,4155-1916458,00.html

    First, before fixing everything, I need you to answer some questions:
    1) Do you use the P2P Networking stuff?
    My opinion is it should be removed (use Add/Remove programs to uninstall) but the decision is up to you.
    2) Do you have any idea what this WindUpdates stuff is?
    Did you install it?
    I don't like the looks of it and think that should be uninstalled too unless you can tell me what it really is and that it is valid site.
    Check Add/Remove programs for an uninstall. If it does not have one, it is probably malware.

    3) I think I may see a trace of the peper trojan (the oayrwug.exe). Please run this: http://www.memorywatcher.com/uninst.exe

    4) Now click Start, and then click Run. (The Run dialog box appears.)
    Type, or copy and paste, the following text:

    regsvr32 /u C:\WINNT\systb.dll

    then click OK. If a dialog box confirming this action appears, click OK.

    5) Now click Start, and then click Run. (The Run dialog box appears.)
    Type, or copy and paste, the following text:

    regsvr32 /u C:\WINNT\nem219.dll

    then click OK. If a dialog box confirming this action appears, click OK.

    6) Now click Start, and then click Run. (The Run dialog box appears.)
    Type, or copy and paste, the following text:

    regsvr32 /u C:\WINNT\mxTarget.dll

    then click OK. If a dialog box confirming this action appears, click OK.

    7) Now make sure you have Ad-aware installed and UPDATED.
    Get it here: http://www.majorgeeks.com/download506.html
    Install it and click the Check for Updates Now button.

    8) Download and install the VX2 Cleaner Plugin for Ad-aware: http://www.majorgeeks.com/download4283.html
    Read the info on that link on how to install and run the plugin. Run the VX2 cleaner plugin!
    9) Go here and read how to perform a full scan with Ad-aware: http://www.lavahelp.com/howto/fullscan/index.html
    Perform the full scan with Ad-aware and clean what it finds.

    10) Shutdown all Internet Explorer sessions, run HijackThis and have it fix:
    O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINNT\nem219.dll
    O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINNT\mxTarget.dll
    O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINNT\systb.dll (file missing)

    11) Reboot in safe mode: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406

    12) Repeat the VX2 cleaner and Ad-aware full scan procedure.

    13) Delete these files (if found):
    C:\WINNT\systb.dll
    C:\WINNT\nem219.dll
    C:\WINNT\mxTarget.dll

    14) After this post a new HijackThis log.

    There is more to do but let's start with the above. Don't forget to answer the questions.
     
  8. hoc

    hoc Private E-2

    CHASLANG:

    THANK YOU SO MUCH!!!

    IT SEEMS TO BE BACK TO NORMAL, WITH MY SAME OLD HOMEPAGE AND NO POP UP ADS!!!

    You folks are absolutely amazing!
    Thank you so much for the help.

    Josh

    p.s. I don't use the P2P stuff and I did remove it.
    The Windupdates, when I went to remove them, a box came up saying that it is needed for some of the free software that I may have on my machine. Without it, they may not work. One of the programs I have is Photoshop 7.0, which is a necessity for my business; so I decided not to remove it and see what happens. It doesn't seem to be affecting my machine any longer.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Post another HijackThis log. There was more stuff that was wrong in your log. Like the Win Searchbar hijack (winsb.dll and mybar.dll).

    I don't think WindUpdates has anything to do with legitimate software like Photoshop. I think it is referring to other malware crap. In addition Photoshop is not free software. They are most likely referring to the toolbars they forced on you.
     
  10. hoc

    hoc Private E-2

    Chaslang:
    here is my latest log. Let me know if there is anything else I should get rid of:
    thanks again,
    Josh


    Logfile of HijackThis v1.98.0
    Scan saved at 7:20:21 PM, on 7/19/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\WindUpdates\WinUpdt.exe
    C:\Program Files\WindUpdates\WinKA.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\INTERN~1\iexplore.exe
    C:\Program Files\Web_Rebates\WebRebates1.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Web_Rebates\WebRebates0.exe
    C:\Adobe\Acrobat 4.0\Reader\AcroRd32.exe
    C:\Documents and Settings\Administrator\Desktop\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.auctionhelper.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: E.HH - {9E992732-295F-4987-8BE3-16FAC1639198} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERV~1\IEService.dll
    O2 - BHO: EventHandler Class - {9FB534E3-67CB-4307-AE0A-9E8B5581BE2C} - C:\PROGRA~1\WINDOW~4\WinSB.DLL
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [WindUpdates] C:\Program Files\WindUpdates\WinUpdt.exe
    O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
    O4 - HKLM\..\RunOnce: [djtopr1150.exe] "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\djtopr1150.exe"
    O4 - HKCU\..\Run: [\IEService.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERV~1\IEService.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What is this stuff with rebates? Do you use it?
    O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
    O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm

    And do you have any idea what the next item is? It does not look good to me.
    O4 - HKLM\..\RunOnce: [djtopr1150.exe] "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\djtopr1150.exe"

    And I still don't like WindUpdates.

    If you are not having any problems though, we can just leave all this alone.
    I also see mixed opinions on the web for WinSB.dll. Some say remove it, some say it is fine and is part of the IEService stuff I also see in your log. Do you know what those (IEservice and WinSB.dll) are from? Look at the paths to the files maybe that will help you figure it out.
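As an added example (not part of this thread, and not a HijackThis or MajorGeeks tool), the Python script below does mechanically what the helpers above are doing by eye: it parses HijackThis-style entries, flags the ones that match a few heuristics (a registration whose file is missing, a DLL dropped in the Windows directory root instead of a product folder, anything running from Temp or via RunOnce, a Run value whose name and executable both look random, and search or ActiveX entries pointing at hosts outside an allowlist), and diffs the two logs posted above so that what was removed and what is new between them is explicit. The sample input is a constructed excerpt of lines copied from those two logs; the TRUSTED_HOSTS allowlist and the heuristics are this example's own assumptions, not a published rule set, and a flag means "look closer", not "malware".

```python
"""Added example: triage a HijackThis-style log with simple heuristics and
diff a before/after pair. Not a HijackThis feature; the heuristics and the
host allowlist are this example's own assumptions."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: a handful of lines copied from the two logs in the thread.
LOG_BEFORE = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINNT\nem219.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINNT\systb.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [zzvxus] C:\WINNT\system32\oayrwug.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...
"""
LOG_AFTER = r"""
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\RunOnce: [djtopr1150.exe] "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\djtopr1150.exe"
"""

# Assumed allowlist: hosts that R0/R1/R3 search settings and O16 ActiveX downloads may point at.
TRUSTED_HOSTS = ("microsoft.com", "msn.com", "windowsupdate.com")

ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")
PATH_RE = re.compile(r'"?([A-Za-z]:\\.*?\.(?:exe|dll|htm|lnk))"?', re.I)
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})/", re.I)
LABEL_RE = re.compile(r"\[([^\]]+)\]")
RANDOM_NAME_RE = re.compile(r"[a-z]{5,10}")   # crude "looks generated" test, an assumption


@dataclass
class Entry:
    code: str              # HijackThis section: R1, O2, O4, O16, ...
    body: str              # everything after "Oxx - "
    path: Optional[str]    # file path with quotes and command-line switches stripped
    missing: bool          # HijackThis reported "(file missing)"
    label: Optional[str]   # Run/RunOnce value name for O4 entries


def parse_log(text: str) -> list[Entry]:
    """Keep only the 'Oxx - ...' / 'Rx - ...' entries; skip headers and the process list."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        code, body = m.groups()
        path = PATH_RE.search(body)
        label = LABEL_RE.search(body) if code == "O4" else None
        entries.append(Entry(code, body, path.group(1) if path else None,
                             "(file missing)" in body, label.group(1) if label else None))
    return entries


def trusted(host: str) -> bool:
    """Exact or subdomain match only, so 'notmicrosoft.com' and 'windupdates.com' do not pass."""
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in TRUSTED_HOSTS)


def flag(e: Entry) -> list[str]:
    """Heuristic reasons an entry deserves a closer look (empty list means none fired)."""
    reasons = []
    p = (e.path or "").lower()
    stem = p.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if e.missing:
        reasons.append("registration points at a file that no longer exists")
    if re.fullmatch(r"c:\\win(?:nt|dows)\\[^\\]+\.dll", p):
        reasons.append("DLL dropped directly in the Windows directory, not in a product folder")
    if "\\temp\\" in p:
        reasons.append("runs from a Temp directory")
    if e.code == "O4" and "runonce" in e.body.lower():
        reasons.append("RunOnce value: Windows deletes it before running it, so it fires once and leaves no trace")
    if e.label and RANDOM_NAME_RE.fullmatch(e.label) and RANDOM_NAME_RE.fullmatch(stem):
        reasons.append("random-looking Run value name and executable name")
    if e.code in ("R0", "R1", "R3", "O16"):
        host = HOST_RE.search(e.body)
        if host and not trusted(host.group(1)):
            reasons.append(f"points at non-allowlisted host {host.group(1)}")
    return reasons


def triage(text: str) -> dict[str, list[str]]:
    """Map each flagged log line (as HijackThis prints it) to its reasons."""
    return {f"{e.code} - {e.body}": r for e in parse_log(text) if (r := flag(e))}


def diff_logs(before: str, after: str) -> tuple[list[str], list[str]]:
    """Entries gone since the first log (cleanup worked) and entries new in the second."""
    old = {e.body.lower(): e.body for e in parse_log(before)}
    new = {e.body.lower(): e.body for e in parse_log(after)}
    removed = [v for k, v in old.items() if k not in new]
    added = [v for k, v in new.items() if k not in old]
    return removed, added


if __name__ == "__main__":
    for log_name, log in (("first log", LOG_BEFORE), ("second log", LOG_AFTER)):
        print(f"== {log_name}: entries worth a second look ==")
        for line, reasons in triage(log).items():
            print(line)
            for r in reasons:
                print("   !", r)
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("== removed since first log ==", *removed, sep="\n")
    print("== new since first log ==", *added, sep="\n")
```

On the sample, the first log yields five flagged entries (the drsnsrch search bar, nem219.dll, the orphaned systb.dll registration, the zzvxus/oayrwug.exe pair and the windupdates.com ActiveX download) while the Norton and avast! entries stay quiet; the second log yields only the RunOnce entry in Temp, and the diff shows WebRebates and djtopr1150.exe as new arrivals rather than leftovers. The host check deliberately matches whole domains and subdomains only, because a plain substring test would let a lookalike such as windupdates.com ride on the reputation of windowsupdate.com.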
     
  12. hoc

    hoc Private E-2

    I don't use the web rebate stuff and I do see it. I actually tried to remove it once before, but that was before I got rid of the Blazefind stuff. Is the best way to remove that stuff to restart my PC in Safe Mode, then run HijackThis and delete it from there? Is it ok to just close the browser that I have open now, run HijackThis and remove it from there?

    The other lines you are asking about don't mean much to me. I'm guessing I can get rid of them as well.

    thanks
    Josh
     
  13. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

    just my 02 on this
    WindUpdates and WebRebates are just malicious crap that needs to be deleted, find the folders in program files and rename them to something totally different, then open up your task manager and end the processes
    WinKA.exe
    WinUpdt.exe
    WebRebates1.exe
    WebRebates0.exe
    then you can delete those folders
    as for that IEservice stuff im not 100% sure but they look dodgy to me?

    I would also recommend running something like this to clean out your temp files etc.
    http://www.majorgeeks.com/download4191.html
    and it's a nice free handy app to keep and run on a regular basis ;)
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Good to have a second opinion General. I have not liked that stuff from the very beginning.
     
  15. hoc

    hoc Private E-2

    General and Chaslang:

    I found the folder in Program Files, however I am unable to change the name of Windupdates...it says the folder is in use. I tried to end the processes from my task manager and then change the folder name, but that didn't work either. It doesn't seem like I'm able to remove them and keep them away. I'm not sure that it's doing much harm (that I know of), as my system seems to be running well, but if it's something I need to get out, I'm having difficulty doing so. I even tried running HijackThis and getting rid of it through there, but when I rescan, they show up again.

    If it's not a problem, I'll leave it...but if it's definitely something that needs to be removed, I am going to need additional help in doing so.

    thanks again for all of your work....it is greatly appreciated. I may post another thread when I get home from home computer to try to clean that one out as well.
    J
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Look in Control Panel/AddRemove Programs for an uninstall program.
     
