IE Bullshit

Pablo Sanchez · Post by **Pablo Sanchez** » 2003-06-03 10:04am

Right, apparently I accidentally downloaded something that has messed up my IE. That is, when I right click on any part of a website, I get the usual options, plus quick-links to sites that I don't intend to visit. How would I go about getting rid of them?

Durandal · Post by **Durandal** » 2003-06-03 03:10pm

Pablo Sanchez wrote:Right, apparently I accidentally downloaded something that has messed up my IE. That is, when I right click on any part of a website, I get the usual options, plus quick-links to sites that I don't intend to visit. How would I go about getting rid of them?

Look for anything suspicious in Add/Remove Programs.

Brother-Captain Gaius · Post by **Brother-Captain Gaius** » 2003-06-03 05:52pm

Run Adaware or a similar program as well... the spammers have been getting bolder as of late

Pablo Sanchez · Post by **Pablo Sanchez** » 2003-06-03 07:28pm

I did both and came up empty. It's rather annoying having random pornographic quicklinks under my right click, and I can't for the life of me think of how they could have gotten there.

phongn · Post by **phongn** » 2003-06-03 08:01pm

You could attempt a system restore if you really need to.

Datana · Post by **Datana** » 2003-06-03 11:06pm

Do you know what plugin is installed? If you do, you might be able to go through and simply delete all references to it in the Registry. A similiar program infested a coworker's machine in lab, but it was easy to trace because it misinstalled itself and provided an error message pointing to the appropriate file (BMEB.DLL) every time someone right-clicked instead of giving links.

Is there a way to get to an "about" screen for the plugin? Also, do the pr0n links appear as DHTML overlays, or as part of the right click menu? There isn't enough information to really nail it down at this point, so some more details would help.

EDIT: Something else to look for: many adware programs install a file into C:\Windows\Downloaded Program Files. Take a look there for anything suspicious.

phongn · Post by **phongn** » 2003-06-03 11:12pm

IE does not have a listing of ActiveX controls, plugins or other libraries, unfortunately.

Datana · Post by **Datana** » 2003-06-03 11:46pm

phongn wrote:IE does not have a listing of ActiveX controls, plugins or other libraries, unfortunately.

IE 5 and 6 show ActiveX controls as extra items in C:\Windows\Downloaded Program Files (apart from other plugins stored there by Microsoft); you can't delete them from there, but you can trace them back to their OCX files, at least, and kill the Registry entries for those then delete the OCX itself. Standard Netscape-style plugins, however, aren't shown in this directory, nor are special library files like DLLs.

Einhander Sn0m4n · Post by **Einhander Sn0m4n** » 2003-06-04 01:31am

HijackThis

Please DL and run HT, then post the log (the 'Scan' button will change to a 'Save Log' button. hit that, and save. Notepad will come up with the log. PLEASE POST THE LOG. I can generally spot and kill very nearly any infection with HT.

Then download and instal Spybot SD and SpywareBlaster.

Pablo Sanchez · Post by **Pablo Sanchez** » 2003-06-04 09:55am

Einhander Sn0m4n wrote:Please DL and run HT, then post the log (the 'Scan' button will change to a 'Save Log' button. hit that, and save. Notepad will come up with the log. PLEASE POST THE LOG. I can generally spot and kill very nearly any infection with HT.

I spotted and fixed them. They were fairly obvious with that nice little program. Thanks!

Then download and instal Spybot SD and SpywareBlaster.

The problem was probably that I was looking at internet porn and not paying attention to what I was doing (there's only enough blood in the body to run one thing at a time, no?).

Einhander Sn0m4n · Post by **Einhander Sn0m4n** » 2003-06-04 06:24pm

Pablo Sanchez wrote:
Einhander Sn0m4n wrote:Please DL and run HT, then post the log (the 'Scan' button will change to a 'Save Log' button. hit that, and save. Notepad will come up with the log. PLEASE POST THE LOG. I can generally spot and kill very nearly any infection with HT.
I spotted and fixed them. They were fairly obvious with that nice little program. Thanks!

Then download and instal Spybot SD and SpywareBlaster.
The problem was probably that I was looking at internet porn and not paying attention to what I was doing (there's only enough blood in the body to run one thing at a time, no?).

LMAO!!!!

Can you still post the log? Generally these things like to invite their buddies into your comp too...

MKSheppard · Post by **MKSheppard** » 2003-06-04 07:23pm

Don't fucking use IE, other than vital sites you NEED to visit. Use Opera. No way in hell can opera be fucked over

Pablo Sanchez · Post by **Pablo Sanchez** » 2003-06-04 08:12pm

Einhander Sn0m4n wrote:LMAO!!!!

Can you still post the log? Generally these things like to invite their buddies into your comp too...

I had my brother look at it. It's cool.

Einhander Sn0m4n · Post by **Einhander Sn0m4n** » 2003-06-04 08:32pm

Pablo Sanchez wrote:
Einhander Sn0m4n wrote:LMAO!!!!

Can you still post the log? Generally these things like to invite their buddies into your comp too...
I had my brother look at it. It's cool.

Ah ok.

Durandal · Post by **Durandal** » 2003-06-06 12:16pm

MKSheppard wrote:Don't fucking use IE, other than vital sites you NEED to visit. Use Opera. No way in hell can opera be fucked over

Opera is adware shit. Use Firebird.

Crown · Post by **Crown** » 2003-06-06 01:29pm

I had the same problem as Pablo, Einy could you have a look at the following log;

Code: Select all

Logfile of HijackThis v1.94.0
Scan saved at 3:25:20 AM, on 6/7/2003
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://I18079.wabu.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.stardestroyer.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=http://I18079.wabu.com/searchbar.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer=proxy.rmit.edu.au:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\System32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=%SystemRoot%\system32\blank.htm
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.stardestroyer.net/"); (C:\Documents and Settings\Stefanos Plitas\Application Data\Mozilla\Profiles\default\uor084cl.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Stefanos Plitas\Application Data\Mozilla\Profiles\default\uor084cl.slt\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {7e6c7227-c555-4f46-b07b-6203136ec0bc} - C:\DOCUME~1\STEFAN~1\APPLIC~1\cdrbroaiethk.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {69550BE2-9A78-11D2-BA91-00600827878D} - (no file)
O3 - Toolbar: pwmoaadsiyb - {f3cbb343-7082-441a-afd2-7f651548420b} - C:\DOCUME~1\STEFAN~1\APPLIC~1\cdrbroaiethk.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [rb32 lptt01] "C:\Program Files\rb32\rb32.exe"
O4 - HKLM\..\Run: [viethdr] C:\DOCUME~1\STEFAN~1\APPLIC~1\aplcrdve.exe -QuieT
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape 6\Netscp.exe" -turbo
O4 - HKCU\..\Run: [AutoUpdater] C:\WINDOWS\System32\aupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://81.216.10.59/cult.cab
O16 - DPF: {69FD62B1-0216-4C31-8D55-840ED86B7C8F} (HbInstObj Class) - http://installs.hotbar.com/installs/hotbar/programs/hotbar.cab
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/bin/cortvrml.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0B4C1699-5CB0-4109-9005-8890EB5F6E13}: Domain = s1318.wabu.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{41228E8A-38B9-4545-BC20-A3D31C89B65E}: Domain = s1318.wabu.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{58DAD2AE-5030-4ECD-BDAD-7867B6E74D4A}: Domain = s1318.wabu.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{0B4C1699-5CB0-4109-9005-8890EB5F6E13}: Domain = s1318.wabu.com

Anything with the 'wabu' website I want to get rid of, as well as the 'pwmoaadsiyb' toolbar.

Now for the toolbar I assume I just go to the appropriated directory and delete the file, but what about the 'wabu' website that keeps resetting its self as my homepage? Mind you they both appeared together so one would hope that deleting the toolbar would solve the other issue. If that's what I am meant to do that is (delete the toolbar).

Help me Einy!

Xon · Post by **Xon** » 2003-06-06 03:14pm

[RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe

Realplayer?!?

Your using that spyware POS?

Unless there is a good reason for you to use that, ditch realplayer.

Einhander Sn0m4n · Post by **Einhander Sn0m4n** » 2003-06-06 04:45pm

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://I18079.wabu.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=http://I18079.wabu.com/searchbar.html
O2 - BHO: (no name) - {7e6c7227-c555-4f46-b07b-6203136ec0bc} - C:\DOCUME~1\STEFAN~1\APPLIC~1\cdrbroaiethk.dll
O3 - Toolbar: (no name) - {69550BE2-9A78-11D2-BA91-00600827878D} - (no file)
O3 - Toolbar: pwmoaadsiyb - {f3cbb343-7082-441a-afd2-7f651548420b} - C:\DOCUME~1\STEFAN~1\APPLIC~1\cdrbroaiethk.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [rb32 lptt01] "C:\Program Files\rb32\rb32.exe"
O4 - HKLM\..\Run: [viethdr] C:\DOCUME~1\STEFAN~1\APPLIC~1\aplcrdve.exe -QuieT
O4 - HKCU\..\Run: [AutoUpdater] C:\WINDOWS\System32\aupdate.exe
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - ht tp://81.216.10.59/cult.cab
]O16 - DPF: {69FD62B1-0216-4C31-8D55-840ED86B7C8F} (HbInstObj Class) - ht tp://installs.hotbar.com/installs/hotbar/programs/hotbar.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0B4C1699-5CB0-4109-9005-8890EB5F6E13}: Domain = s1318.wabu.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{41228E8A-38B9-4545-BC20-A3D31C89B65E}: Domain = s1318.wabu.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{58DAD2AE-5030-4ECD-BDAD-7867B6E74D4A}: Domain = s1318.wabu.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{0B4C1699-5CB0-4109-9005-8890EB5F6E13}: Domain = s1318.wabu.com

J00 H4v3 t3h LOP.COM infection!
You also have RabidBlaster (rb32.exe porn-dialer downloader: watch your phone bills and REFUSE TO PAY anything that says 'adult', 'video', etc... or if it's from a company called Alyon)
Kill the Hotbar thing too. That's known spyware.

Check and remove all that I posted, then reboot.

Red is LOP, Blue is Real, Green is RapidBlaster, Yellow is ISTBar/Aupdate, and orange is Hotbar.

EDIT: Two sites to help you read up on the shitware (I'm assuming) you just pasted.
http://www.doxdesk.com/parasite/
www.spywareinfo.com

Einhander Sn0m4n · Post by **Einhander Sn0m4n** » 2003-06-06 04:50pm

BTW to prevent this bullshit from ever happening again, get SpybotSD and SpywareBlaster (www.spywareinfo.com)

And stay the hell away from Messenger Plus! (www.spywareinfo.com)

Crown · Post by **Crown** » 2003-06-07 12:22am

_-~{HUGS}~-_

Spybot did it!

Thanks Einy!

Einhander Sn0m4n · Post by **Einhander Sn0m4n** » 2003-06-07 01:35am

Ya welkum! Any time you need anything spyware-related, post a HijackThis log and I'll see about it

Crown · Post by **Crown** » 2003-06-07 01:38am

The thing that pissed me off is that I ran Adaware and Registry Mechaninc and nadda. But spybot took care of that!

StarDestroyer.Net BBS

IE Bullshit

IE Bullshit

Re: IE Bullshit

HELP ME EINY!!!!

Re: HELP ME EINY!!!!