Spyware Virus?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Ria725, May 31, 2004.

  1. Ria725

    Ria725 Private E-2

    I'm having a very unusual problem with Internet Explorer. Every time I browse web pages, certain words are converted into links. For instance, every time the word "book" appears in the text of a page, it's blue, underlined, and is actually a link to an Amazon.com page. The same thing happens for the word "discover" but it happens to link to a news site. So far these are the only words that I've caught that have turned into links, but I still have never heard of anything like this happening. Also, all the addresses contained in the "fake links" always have the word "redirect" in them somewhere. I deleted all cookies, temporary files, and the history within Internet Explorer, but nothing happened, and Ad-aware hasn't caught anything that's causing this. I'd really like to get rid of this problem because it causes the pages to load slowly since it takes additional time to "insert" all the "fake links" and makes the pages freeze for several seconds during the loading process. Can anyone help?
     
  2. Adrynalyne

    Adrynalyne Guest

  3. Ria725

    Ria725 Private E-2

    Harry Potter Virus?

    Well, I've found a few more words that automatically convert to links, such as "intel" (which links me to a site for alienware computer hardware) and "Harry Potter" (which links me to Amazon.com). I'm guessing that all of the links have something to do with products that are sold on these specific sites. Amusing as this was at first, it's just getting annoying now since it repeatedly causes IE to freeze up for long periods of time while I attempt to browse. I've run Ad-Aware and Spybot, and still haven't routed out the problem. Please let me know how I can get IE to simply work like normal! Here is my HijackThis Log:

    Logfile of HijackThis v1.97.7
    Scan saved at 12:54:35 PM, on 6/5/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
    O4 - HKLM\..\Run: [Ad-aware] "C:\My Programs\Ad-aware\Ad-aware 6\Ad-aware.exe" +c
    O4 - HKLM\..\Run: [Swapper] C:\Program Files\Revolutionary Stuff\Swapper.NET\Swapper.exe /m
    O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Weather] C:\My Programs\AWS\WeatherBug\Weather.exe 1
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\MYPROG~1\POP-UP~1\POP-UP~1\PSFree.exe"
    O4 - HKCU\..\Run: [CursorXP] C:\My Programs\Cursor XP\CursorXP.exe
    O4 - Startup: Webshots.lnk = C:\My Programs\Webshots\Webshots\Launcher.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Download with &DAP - C:\MYPROG~1\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\MYPROG~1\DAP\dapextie2.htm
    O9 - Extra button: AIM (HKLM)
    O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/021e0f24d1dd34b98c19/netzip/RdxIE601.cab
    O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
    O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  4. Adrynalyne

    Adrynalyne Guest

    Re: Harry Potter Virus?

    Does it look like this? This is server side, not client side. It is not spyware.
     
  5. Adrynalyne

    Adrynalyne Guest

    Re: Harry Potter Virus?

    While you are here, get rid of these:

    O4 - Global Startup: Digital Line Detect.lnk = ?
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
     
  6. Adrynalyne

    Adrynalyne Guest

    I would, although I think they are just extra items on the IE toolbar.

    Ria725, did you edit the Hijack This log?

    We are missing the running processes.
     
  7. Adrynalyne

    Adrynalyne Guest

    Nope, just keep posting away.

    My title is, ah....customized a bit by one of the mods ;)
     
  8. Adrynalyne

    Adrynalyne Guest

    Anger the Gods...er mods. ;)

    It's rarely a title you want it to be :eek:
     
  9. Guilap

    Guilap Private E-2

    I was having the same prob. Compared my log with yours and found out that the culprit was the Download Accelerator Pro. Removed it and now it looks to be fixed.
     
  10. Guilap

    Guilap Private E-2

    Sorry guys, false alarm! :( DAP is not guilty!!

    The problem is in the bhrw.dll file!! (in my case, the bhrw_ie.dll file, which causes the same problem)

    O2 - BHO: (no name) - {40D20724-5D3A-43C8-9FF5-2B6F209DBD27} - C:\WINDOWS\system32\bhrw_ie.dll

    This issue is NOT addressed by Ad-aware or Spybot (I tried both).

    Just check the line which contains bhrw.dll or bhrw_ie.dll in Hijackthis! and click Fix checked. Then go to c:\windows\system32 dir and make sure that this file is deleted!

    The issue is addressed in the following links:

    http://www.d-a-l.com/help/showthread.php?t=10594

    http://www.webuser.co.uk/cgi-bin/fo...r=99900&page=8&view=collapsed&sb=5&o=93&part=

    http://computercops.biz/postt31102.html

    http://castlecops.com/postt28784.html


    In case somebody is looking for this info on the net (google etc), I compiled some keywords which could trigger the hyperlinks in Explorer:

    athlon mortgages hotels discover area51 alienware amazon visa mastercard book cruises vacation advanta flight "discount airfare" "american express" "rental cars" "airline tickets" note "video card"
     
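The thread's fix rests on spotting the O2 (BHO) line in a HijackThis log. The following is an added example, not code from the thread or from HijackThis: it parses the O2 line format shown above and flags entries that match what the posters describe (an unnamed BHO, or the bhrw.dll / bhrw_ie.dll file name). The sample log is constructed from the thread; the second BHO line, with its all-zero CLSID and helper.dll path, is a made-up benign entry for contrast.

```python
"""Triage Browser Helper Object (O2) lines in a HijackThis-style log."""
import re
from dataclasses import dataclass

# O2 line format as it appears in the thread:
#   O2 - BHO: <name> - {CLSID} - <dll path>
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$"
)

# DLL file names the thread identifies as the link-injecting BHO.
KNOWN_BAD_DLLS = {"bhrw.dll", "bhrw_ie.dll"}


@dataclass
class BhoEntry:
    name: str
    clsid: str
    path: str
    reasons: list  # why the entry was flagged; empty means nothing matched


def parse_bho_entries(log_text: str) -> list:
    """Return every O2 (BHO) entry in the log, each with its triage reasons."""
    entries = []
    for line in log_text.splitlines():
        m = O2_RE.match(line.strip())
        if not m:
            continue  # not an O2 line (O4 Run entries etc. are ignored here)
        name, clsid, path = m.group("name"), m.group("clsid"), m.group("path")
        dll = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        reasons = []
        # "(no name)" is only a hint: some legitimate BHOs also lack a name.
        if name.strip().lower() == "(no name)":
            reasons.append("unnamed BHO")
        if dll in KNOWN_BAD_DLLS:
            reasons.append(f"known link-injecting DLL {dll}")
        entries.append(BhoEntry(name, clsid, path, reasons))
    return entries


def suspicious_bhos(log_text: str) -> list:
    """Only the BHO entries that have at least one triage reason."""
    return [e for e in parse_bho_entries(log_text) if e.reasons]


# Constructed sample: the real O2 line from the thread plus a benign placeholder.
SAMPLE_LOG = """\
Logfile of HijackThis v1.97.7
O2 - BHO: (no name) - {40D20724-5D3A-43C8-9FF5-2B6F209DBD27} - C:\\WINDOWS\\system32\\bhrw_ie.dll
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000000} - C:\\Program Files\\Example\\helper.dll
O4 - HKLM\\..\\Run: [IgfxTray] C:\\WINDOWS\\System32\\igfxtray.exe
"""
```

Running `suspicious_bhos(SAMPLE_LOG)` returns only the bhrw_ie.dll entry, flagged for both reasons.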
