WebSearch toolbar can't be removed! HELP PLEASE!


#1
safecite
Hello there!

I got serious spyware trouble and I'll cut right to the chase.

I'm apparently infected with the WebSearch toolbar from Websearch.com and can't seem to "shake it"!

I got a desktop computer and a newer laptop computer and usually use mainly the desktop to go online and have done so very few times with the laptop. However, on BOTH computers, I found to have the WebSearch toolbar and now I practically can't get internet access to work due to this s..t!

What is worse is, that I have protected myself in the best possible way and I NEVER compromise on protection. I usually install nothing or won't go online before I have protection enabled on every possible problem that is out there today.

Both of my PCs run Windows 2000, FAT 32.

My protection includes: AVG Antivirus 7.0; Zone Alarm Firewall (newest version); Spywareblaster, Pest Patrol and Spybot Search and Destroy with tea-timer enabled.

So far I never had serious problems, until 2-3 weeks ago when the first problems with the internet started. It seemed to be unstable in the beginning and then got worse and worse and at the moment it doesn't work 90% of the time at all and usually only briefly and very badly for the rest of the time which has been like that for the last 6-7 days. That goes for both computers though I didn't really use the laptop for internet access.

Despite all of the above mentioned protection and my ACTIVELY SCANNING Pest Patrol, I find that WebSearch has installed itself on BOTH of my computers. My firewall, AVG Antivirus etc. is ALWAYS updated and defined as well as enabled!

While I briefly had a connection to the internet I downloaded two trials of spyware scanners that claimed to be able to do the job on the "very resistant" WebSearch toolbar which were Webroot Spy Sweeper and Spyware Doctor. After install (updates were only partially possible due to the netproblem!) it seems that WebSearch only fights more against being removed properly by denying me even more often access to the internet and usually blocking it at all and even though Pest Patrol is set to scan at reboot and finds and gives the possibility to "delete" WebSearch toolbar it CONSTANTLY re-installs itself again and again, no matter how many times I seem to remove, delete and scan for it with all the scanners I got time after time when I reboot.

Usually WebSearch is found here by Pest Patrol:

HK_local_computer --> Software --> Microsoft --> Internet Explorer --> ActiveX Compatibility --> and then the key itself.

Besides that, it usually disables in Spybot Search and Destroy after reboot 1 item (which is probably the protection against it!) and besides that - not always but many times - 1 item of protection in Spywareblaster that then both can be enabled again but get on reboot once again disabled.

Now, after I have tried to scan with two scanners that claimed to be able to do the job but still seem like if they couldn't, I am still unable to get on the net which I desperately need in order to be able to work in my profession!

Furthermore, I tried to check with HijackThis but couldn't after an analysis on the net nor to MY best knowledge find anything that looked somehow suspicious. I'm not a specialist, but this is only my opinion so far.

The last thing that might be of interest is that I besides the message in Pest Patrol that I can "delete" and get confirmation of the same got yesterday a pop-up message on my desktop computer that "Pest Patrol might not be optimal installed for your needs on your system" or something like that and "ask your system administrator or someone with administrator rights for help on this topic". But I(!) am the system administrator on my computers and I HAVE all the rights, so this message seems like yet another mystical attempt to confuse me or it's just WebSearch that seems to have corrupted something in Pest Patrol. I don't remember the exact text but it is close to what I just mentioned above. This message just showed up on the desktop computer and hasn't shown on the laptop.

As a last resort I downloaded and installed "Adware.WebSearch remover" from Symantec's site but it just stated each time after a scan that it isn't able to find the hijacker on the system, which apparently isn't correct.

I have to add that there ISN'T any toolbar showing up in Internet Explorer, which I ONLY use for Windows 2000 updates. To go on the internet I ONLY use Opera and/or Firefox 1.0!

I'm really at the end of my knowledge and I can really only see WebSearch as the real problem to all this trouble but besides that I'd also like to know HOW on earth it could penetrate my protection that I so far thought was pretty secure as this is obviously not holding back all of the troubles out there and that of course worries me now a lot!

I also got to say, that I used Bearshare to download some files and hereafter moved them around between the two computers I gotta admit. So, maybe it has been "sleeping" in some of those files but what I don't understand is WHY I can't seem to "shake it"???

If there is anybody out there who has some good ideas I'd be incredibly happy to hear from you as soon as possible as it really is - I think - only about this one hijacker which though seems to be untouchable and invincible to me so far.

The only way out I know is a format of both computers which I at this point am not a big fan of as I got files I'd like to keep. And even though I should format one of the two computers and after that move some of the "secure" files back again from the other one after which I'd also format that one, I still have no idea if this crap gets with them back again onto the first formatted computer??!

Is it possible??? Can this hijacker re-install on a "clean" pc if I did it this way?

I'd be most grateful for ANY help on this problem!

I say thanks already now for your kind help!

Greetings

safecite

#2
Metallica
Yes. A hijacker can hide so deep in your system that it can (re-)infect you days later.

Post your HijackThis log if you still require help.

You may also find this read about ADS interesting:
http://www.bleepingc...eams-tut25.html

Regards,

#3
safecite

> Yes. A hijacker can hide so deep in your system that it can (re-)infect you days later.
>
> Post your HijackThis log if you still require help.
>
> You may also find this read about ADS interesting:
> http://www.bleepingc...eams-tut25.html
>
> Regards,


Hello Metallica!

And thanks for your reply. Well, I didn't get any answer in a long time and since I was desperate for help had to ask somewhere else. It all worked out fine for my desktop and laptop and now I can access the internet again on both as well as spyware is being scanned away as far as possible.

I also got my hijackthis log from the desktop analysed and that one should be okay by now. But I still haven't done the last thing with the hijackthis log yet in regards to my laptop.

However, I think that I should better do that and so, I'd like to ask if you would take a look at that if I post it here and tell me about the possible bad stuff.

Please, let me know.

Thanks already now for your reply. :tazz:

Greetings

safecite

#4
Metallica
Sure. Post the log and I'll have a look.

Regards,

#5
safecite

> Sure. Post the log and I'll have a look.
>
> Regards,


Hello Pieter!

Thanks for wanting to take a look.

Here is my hijackthis log for the laptop.

I scanned on several pages and think it ought to be okay as far as it is humanly possible, but you are the expert so I'll let you decide that.

I hope, that you are able to help me out. ;)

Thanks for taking a look and kind regards.

safecite :tazz:

PS: By the way, thanks also for the link to ADS. That was VERY interesting and good to know (well, it could be bad as well if things go wrong that is.) ;)


Logfile of HijackThis v1.99.1
Scan saved at 19:40:05, on 16-05-2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\Tablet.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\PowerKey.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\CtrlVol.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\WINNT\LTSMMSG.exe
C:\WINNT\system32\PRPCUI.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\CMTech\SMC Music Box MP3 Player\CmdUpdate.exe
C:\Program Files\Wsr\WinsysRsr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Wacom\TabUserW.exe
C:\Documents and Settings\Administrator\Desktop\1\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.passpor...ilogin.srf?id=2
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LaunchAp] C:\Program Files\Launch Manager\LaunchAp.exe
O4 - HKLM\..\Run: [PowerKey] "C:\Program Files\Launch Manager\PowerKey.exe"
O4 - HKLM\..\Run: [HotkeyApp] C:\Program Files\Launch Manager\HotkeyApp.exe
O4 - HKLM\..\Run: [MMKey] C:\Program Files\Launch Manager\MMKey.exe
O4 - HKLM\..\Run: [CtrlVol] C:\Program Files\Launch Manager\CtrlVol.exe
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [CmdUpdate] C:\Program Files\CMTech\SMC Music Box MP3 Player\CmdUpdate.exe
O4 - HKLM\..\Run: [WinsysRsr] C:\Program Files\Wsr\WinsysRsr.exe
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...413/mcfscan.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINNT\system32\Tablet.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe

#6
Metallica
The only thing I don't recognize is this one.
O4 - HKLM\..\Run: [WinsysRsr] C:\Program Files\Wsr\WinsysRsr.exe

Any ideas what that is for?

Regards,
  • 0
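
The review in post #6 comes down to walking the autostart lines of the log and asking about any that are not recognized. As an added example (not part of the thread and not HijackThis's own code), the Python below parses the O4 and O23 lines and flags those missing from a reviewer-supplied allow-list; `KNOWN` and the function names are assumptions, and the sample lines are copied from the log posted above.

```python
import re
from typing import NamedTuple

class Entry(NamedTuple):
    code: str    # HijackThis section code: "O4" (autostart) or "O23" (service)
    name: str    # Run value name, startup shortcut or service name
    target: str  # command line or image path

# Sample lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WinsysRsr] C:\Program Files\Wsr\WinsysRsr.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
"""

# Assumption: names the reviewer already recognizes, each pinned to the folder
# it should load from, so a reused name in another folder is still flagged.
KNOWN = {
    "AVG7_CC": r"C:\PROGRA~1\Grisoft",
    "SpybotSD TeaTimer": r"C:\Program Files\Spybot - Search & Destroy",
    "TabUserW.lnk": r"C:\Program Files\Wacom",
    "Adobe LM Service": r"C:\Program Files\Common Files\Adobe Systems Shared",
}

RUN = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\\S+: \[(?P<name>[^\]]+)\] (?P<target>.+)$")
STARTUP = re.compile(r"^O4 - (?:Global )?Startup: (?P<name>.+?) = (?P<target>.+)$")
SERVICE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<target>[A-Za-z]:\\.+)$")

def parse(log):
    """Return (entries, unknown_owner) for the O4 and O23 lines of a log."""
    entries, unknown_owner = [], []
    for line in map(str.strip, log.splitlines()):
        m = RUN.match(line) or STARTUP.match(line) or SERVICE.match(line)
        if not m:
            continue  # other sections (R0, O2, O9, O16, ...) are not handled here
        entry = Entry(line.split(" - ", 1)[0], m["name"], m["target"])
        entries.append(entry)
        if m.groupdict().get("owner") == "Unknown owner":
            unknown_owner.append(entry)  # service file carries no company name
    return entries, unknown_owner

def unrecognized(entries, known=KNOWN):
    """Entries whose name is not allow-listed or whose path is outside its folder."""
    def ok(e):
        folder = known.get(e.name)
        return folder is not None and e.target.lower().startswith(folder.lower())
    return [e for e in entries if not ok(e)]
```
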

#7
safecite

> The only thing I don't recognize is this one.
> O4 - HKLM\..\Run: [WinsysRsr] C:\Program Files\Wsr\WinsysRsr.exe
>
> Any ideas what that is for?
>
> Regards,



Yep, that one is harmless. It's for my Mp3-player, the software that I use to transfer the files or well..., part of that one. ;)

Looks like all is okay then.

Thanks for wanting to take a look at the log. :tazz:

Greetings

safecite ;)

#8
Metallica
My pleasure. :tazz:

Please have a look at my site for some tips on how to remove and prevent spyware.

Regards,