Superwebsearch

Hello,
I just joined tonight. And have followed all the steps posted at http://forums.majorgeeks.com/showthread.php?t=35407
I had to use IE6 yesterday (and today at Bitdefender-it couldn’t finish scanning because IE6 shutdown) and seem to have superwebsearch on my computer. Ad-Aware SE and Spybot didn't find anything. But when I ran Hijack This yesterday, it found:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.superwebsearch.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.superwebsearch.com/ie/

I had it clean the two entries. When I ran Spysweeper it found: Ezula iLookup, version 2.0 Adware: WildMedia, version 1. I had it clean everything. When I rebooted Spyware Blaster popped up with this:

BROWSER HIJACK ALERT - BROWSER PAGE CHANGED
On 13:05:22 10/06/2004 a browser page change was detected.
Registry Location: HKCU\Software\Microsoft\Internet Explorer\Main\
Value Name: Search Bar
Old Value: <none>
New Value: http://www.superwebsearch.com/ie/
User Action Taken: RESTORE OLD VALUE

I don't know how to clean this up. In all the searching I've done, there isn't one file relating to any of the spyware found on my machine. So, my question is why is superwebsearch still trying to change my home page? I've also run CWShredder and mini removal coolwebsearch smartkiller, nothing has been found. This is the latest HJT log:
I question this entry C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS What is it? I haven't downloaded anything from Lanovation.

Logfile of HijackThis v1.97.7
Scan saved at 5:42:22 PM, on 10/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


Thank you,
Sharon

LOG DELETED BY chaslang: please follow forum rules on HJT posting and get the current HJT version.

 

I apologize for posting the HJT log before being asked.
Sharon

 

Hi Sharon,

Your HijackThis is out of date. Download an up-to-date version and EXTRACT it from the ZIP file to its own, safe folder - C:\Program Files\HijackThis
Logs should be saved as .txt files and posted as attachments via the "Attachment Manager" tool.

Did you look in Add or Remove Programs for suspicious looking entries?
Were you in Safe Mode with System Restore off when you ran through the tutorial?

Take a look in your Downloaded Program Files folder or run a search of your computer for the following and remove them if found:
i-lookup.com
globalwebsearch.com
superwebsearch.com
traffichog.com
searchbus.com
globaltoolbar.com

More info:
http://www.doxdesk.com/parasite/ILookup.html

Regarding C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS, I can't find anything good about it. I think it has something to do with remote access to your computer. Gateway, maybe? I believe it may be legitimate – Chaslang, our resident genius, will know better than I.

Sorry I couldn't be of more assistance. Let us know if you find ILookup or anything like it.

Hang in there

PP

 

That must have been what got stuck in my tiny brain! I knew I had seen it before!

PP

 

PP & Chaslang,
Thank you for the help. Attached is the new log of HJT. Yes, I ran everything in safte mode I searched for the files you listed and nothing was found. Nothing was found in Add or Remove Programs. Followed everything at http://www.doxdesk.com/parasite/ILookup.html and everything came up negative. I didn't download any PRISMXL.SYS stufff. I'm thinking it has to be something that gets loaded into this computer with one of the gateway disks. I reformatted this computer two weeks ago. This is the information found when I clicked on properties for PRISMXL:
size: 64.0 KB (65,536 bytes)
Created: Wednesday, September 08, 2004, 3:52:06 PM
Modified: Wednesday, September 08, 2004, 3:52:06 PM
If it helps, this is some of what can be viewed when I open the file:
TLOSS error
SING error
DOMAIN error
R6028
- unable to initialize heap
R6027
- not enough space for lowio initialization
R6026
- not enough space for stdio initialization
R6025
- pure virtual function call
R6024
- not enough space for _onexit/atexit table
R6019
- unable to open console device
R6018
- unexpected heap error
R6017
- unexpected multithread lock error
R6016
- not enough space for thread data

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
R6009
- not enough space for environment
R6008
- not enough space for arguments
R6002
- floating point not loaded
Microsoft Visual C++ Runtime Library

Runtime Error!
Yesterday after I ran HSremove, spywareGuard popped up with the message my search page was being changed to the HSremove page.
Today the same problem except it was being changed to google. Spy Sweeper gave me the same message. About:Buster didn't find anything. I'm at a loss. There's obviously something hiding in this computer.
Sharon

 

PRISMXL is part of the Lanovation PRISM software. It's ok so far as I can tell.


Download this application. (requires free registration) http://www.majorgeeks.com/download172.html
a-squared (a²) Personal Edition 1.1


Reboot your machine into safe mode. Find this file on your PC and remove it

E:\content\include\XPPatchInstaller.CAB

Then run the A-squared program I asked you to download.
While still in safe mode, make a new HJT log.

Then reboot to normal mode and get ANOTHER HJT log and post them BOTH so we can compare.

 

Kodo,
I did everything as you said. I could not manually find E:\content\include\XPPatchInstaller.CAB so I had HJT fix it. Ran a-2, it didn't find anything. When I rebooted, Spyware Guard gave another warning that my search page was being reset to www.superwebsearch.com
Sharon

 

Chaslang,
I stated in my first post "I had to use IE6 yesterday (and today at Bitdefender-it couldn’t finish scanning because IE6 shutdown)" I don't know why it isn't showing, AvxScan Online is installed on my computer. I am running Sun Java. My settings were already set as suggested http://forums.majorgeeks.com/showthread.php?t=35407 , they have been since I got this computer. Until you mentioned Antispy Pro, I didn't realize it was on my computer. No, I did not download it. I'll certainly be looking for it and removing it. I am running Trend Micro Internet Security.
Sharon

 

Chaslang,
I should have clarified, I was at Bitdefender in normal mode. I have cable internet and cannot connect in safe mode. I'm baffled as to why Trend didn't show up. I run it every other day. I just came from Bitdefender, it completed the scan and didn't find anything. IE6 had an error and shut down the first time at Bitdefender. I will post the results of your suggestions in the morning.
I do appreciate the help.
Thank you,
Sharon

 

Chaslang,
Attached is the HJT log. SypwareGuard and Spysweeper warned of the homepage being changed from www.superwebsearch to www.majorgeeks.
I'm sorry, I thought the scans were the same. I'll go right now.
Sharon

 

Chaslang,
My computer seems to be getting slower and superwebsearch wanted to change the pages again. Could something be hiding in registry or maybe changing the name of the files? What ever it is, it doesn't want to give up. I really hope I'm not going to have to reformat this computer to get rid of this stuff.
I did perform the online scans. Trend says my computer is clean. This is what RAV said:
C:\Program Files\Common Files\Webroot Shared\Internet.dll - Backdoor:Win32/Ferat.1_0 -> Suspicious
C:\Program Files\WinRAR\Default.SFX - PWS:Win32/Banker -> Infected
How could Bitdefender and Trend find my computer clean and RAV found something?
Sharon

 

Chaslang,
There wasn't a version tab when I clicked on properties.
Type of file: Application Extension
Opens with: Unknown application

Location: C:\Program Files\Common Files\Webroot Shared
Size: 31.0 KB (31,744 bytes)
Size on disk: 32.0 KB (32,768 bytes)

Created: Thursday, September 09, 2004, 7:22:33 AM

Modifies: Monday, May 17, 2004, 5:05:18 AM

Accessed: Today, October 09, 2004, 3:39:36 PM

Symantec Online Scan results:
78579 files scanned, 0 file(s) infected on your disk drives.


No viruses were detected in memory.


I'm running Spy Sweeper Program Version 3.0.0 (Build 113) Using Spyware Definitions 403
and Window Washer 5.5 (Build 5.5.1.19)

Oh my gosh, you won't believe what's in this registry, it's not good! Here's and example:

HKEY_USERS\S-1-5-21-789336058-492894223-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\startsurfing.com
HKEY_USERS\S-1-5-21-789336058-492894223-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\steamycock.com
HKEY_USERS\S-1-5-21-789336058-492894223-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\sterva.com
this stuff starts at 008i.com-zyban-zocor-levitra.com.
There's too much to list. How in the world did this garbage get in here? I've never heard of any these sites. I'm going to start searching about them.

Registar Lite found for superwebsearch HKEY_USERS\S1-5-21-789336058-492894223-7253455...
There are two entries for it.
It didn't find anything for www.abroadsoftware.com.
regsvr32 /u Ineb.dll -The specified module could not be found

regsvr32 /u GWS.dll -The specified module could not be found

regsvr32 /u Chgrgs.dll -The specified module could not be found

regsvr32 /u abeb.dll -The specified module could not be found

regsvr32 /u bmeb.dll -The specified module could not be found

regsvr32 /u sbus.dll -The specified module could not be found

regsvr32 /u drbr.dll -The specified module could not be found

attrib -s -r -h Ineb.dll File not found - Ineb.dll
del Ineb.dll Could Not Find C:\WINDOWS\system32\Ineb.dll

attrib -s -r -h GWS.dll File not found - GWS.dll
del GWS.dll Could Not Find C:\WINDOWS\system32\GWS.dll

attrib -s -r -h Chgrgs.dll File not found - Chgrgs.dll
del Chgrgs.dll Could Not Find C:\WINDOWS\system32\Chgrgs.dll

attrib -s -r -h abeb.dll File not found - abeb.dll
del abeb.dll Could Not Find C:\WINDOWS\system32\abeb.dll

attrib -s -r -h bmeb.dll File not found - bmeb.dll
del bmeb.dll Could Not Find C:\WINDOWS\system32\bmeb.dll

attrib -s -r -h sbus.dll File not found - sbus.dll
del sbus.dll Could Not Find C:\WINDOWS\system32\sbus.dll

attrib -s -r -h drbr.dll File not found - drbr.dll
del drbr.dll Could Not Find C:\WINDOWS\system32\drbr.dll

Sharon

 

Chaslang,
The entries for superwebsearch are also in Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\. Yes, I'm still getting warnings about superwebsearch.
Sharon

 

Changlang,
I ran Spybot again in safemode and it came up with this:
CoolWWWSearch: IE Search page (Registry change, nothing done)
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page=http://www.google.com
and this is what's in the registry:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\
http://www.superwebsearch.com/ie/
Before I had Spybot restore it, the registry had an entry:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page=http://www.coolwwwsearch.com$
When I had Spybot repair it I wasn't able to connect to the internet. So, I had to have it restored.
Sharon

 

I apologize about notepad, I was reading your directions and forgot to close it. Did as you said. Rebooted to normal mode, Spysweeper and SpywareGuard
warned of the pages being changed to www.superwebsearch.com again. Registar Lite didn't find anything other than Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
I went to Panda online scan last night, it came back clean.
Sharon

 

I did all of this in safemode. They were not running. I ran HJT in safemode also.

 

I owe you an apology, I'm sorry! After I disabled the software I should have rebooted into safe mode again.

I disabled everything (I hope). Did as you said. When I rebooted into normal mode and turned everything on, I still got the same warnings. Could there possibly be something that's in the bios?

There were two copies of superwebsearch in Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\

Sharon

 

No, I'm the only account on this machine. Yes, I've searched the registry and can't find anything. With everything I've read all over the net, and all the files superwebsearch is supposed to leave, I can't find any of them on this computer, not from any varient. What baffles me is, all the times I've run everything in safe mode, spybot didn't find anything until today. One thing I did notice the last time I booted back to normal mode, something flashed quickly in the background as windows booted to the desktop. What if I set up another account as administrator and try to clean everything again? Would that make a difference? I don't want to have to reformat again. I'd have to backup a lot of stuff, and that leaves the possibility of backing up this bug.
Sharon

 

Yes.

 

Chaslang,
I rebooted my computer into safemode, this time logging on as administrator. Went through all the directions you have given me. Got all the same results. The only difference is when I ran Registrar Lite it didn't find superwebsearch, not even in Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
I'm attaching a HJT log from safe mode and normal mode.
Sharon

 

SpywareGuard and Spy Sweeper warned the search pages were being changed to http://www.superwebsearch.com/ie/

 

Both IE6 and Mozilla Firefox kept their homepages to www.majorgeeks.com.
After installing Spy Sweeper and rebooting, I didn't get any warnings. I'm only posting one HJT log because they were identical. One thing I noticed last night, every setting of Trend firewall had been reset to disable. That wasn't the way it was set up. If my modem is disconnected when booting up, the computer boots quite fast like it did before this mess with it connected. If it's connected it takes close to three minutes to boot. This makes me think there is something in the background trying to take over.
Sharon

 

No, it isn't related to: http://kb.trendmicro.com/solutions/...olutionID=18278
My computer was pretty fast until this mess.
The log was before I re-installed Spy Sweeper. I will attach a new one. I re-enabled my firewall settings last night. It has shown activity from Internet Assigned Numbers Authority, Asia Pacific Network Information Centre, UUNET Technologies, Inc., ThePlanet.com Internet Services, Inc., and Earthlink, Inc.
I'm on cable. I'll also attach the results of the commands. Why isn't Spy Sweeper giving me any warnings now that I don't have SpywareGuard or Spyware Blaster installed? Is it possible the spyware is finally gone? I don't want to get my hopes up!
Sharon

 

Installed SpywareBlaster, no problems. HJT log is identical to the one posted.

 

Re-installed SpywareGuard. Rebooted twice without warnings. HJT log looks fine.

 

Yes, that's right. It seems to be getting a little better. One other problem that's happened since all this (or it's a coincidence) my scanner will not work. I've un-installed and installed at least four times. It's the same error, scanner dll not found.

Sharon

 

With all your hours of help, the spyware problem is hopefully solved. Thank you very much!

Yes, I did reboot for both. I can't find the DLL on the installation disk. It was on the pc. The scanner probably died. Plustek hasn't put out drivers for the model I have and most likely won't. I'm probably going to buy an Epson scanner.
Sharon

 

Did as you said, got the scanner working. It sounded like it was grinding glass. I think it bit the dust!
Thank you,
Sharon