Old January 16th, 2005, 08:19 PM   #1 (permalink)
Junior Member
 
Join Date: Jun 2003
Posts: 7
ACCOONA Super target web browser

My neighbor's PC is "infected" with spyware/adware AND it's been "hijacked" with a search optimizer called Accoona Super target (something like that)... We've run Webroot spyware sweeper, Spy Doctor, scanned through the Symantec website, scanned with the installed Norton's Internet Security... everything I can think of... even ran Reg Cleaner... and still cannot find where to get rid of this program. I have a copy of HijackThis I can install if needed. But other than that... how do I get rid of this thing and the annoying pop-ups? Plz help!
Tractors

tractors is offline   Reply With Quote
Old January 16th, 2005, 09:03 PM     #2 (permalink)
Ultimate Member
 
HeadBand's Avatar
 
Join Date: Dec 2003
Posts: 3,991
Sometimes, the things that tools cannot remove are as simple as going into Add/Remove Programs and uninstalling.

A few programs to try if you haven't already:
Ad-Aware SE
Spybot S&D 1.3
Microsoft's AntiSpyware beta
CW Shredder

Posting the HijackThis log wouldn't hurt either.
__________________
Hey who turned sigs on?

HeadBand is offline   Reply With Quote
Old January 16th, 2005, 09:15 PM     #3 (permalink)
Ultimate Member
 
Xtreeme's Avatar
 
Join Date: Apr 2003
Location: PA. USA
Posts: 3,310
Some browser hijackers aren't as innocent as spyware even. I found a lot that spyware tools wouldn't remove were in fact Trojans. Do a trojan/virus scan.

Xtreeme is offline   Reply With Quote
Old January 16th, 2005, 09:30 PM     #4 (permalink)
Junior Member
 
Join Date: Jun 2003
Posts: 7
ACCOONA bugging us

We've scanned using Norton's Anti-Virus. Shouldn't that look for the Trojan virus? There is nothing showing in the Add-Remove program that will allow an uninstallation. Nothing shows up in Add-Remove Platinum either. I believe Webroot Spy Sweeper is better than Ad-Aware SE or SpyBot... somebody correct me if I'm wrong... I'm going to her home to install and get a log from HijackThis... How does one learn what should/shouldn't be in there? I also have CW Shredder... One more thing... I'm trying to use a program called Real VNC to do some of this stuff from my home (without going to hers) and she can connect to me, but I cannot connect to her. All Norton Internet Sec is turned off, Spy Sweeper is turned off, Spy Doctor is turned off, firewall is off, but I still cannot connect to her... could the two problems be related? Thanks so far... Tractors
tractors is offline   Reply With Quote
Old January 16th, 2005, 10:00 PM     #5 (permalink)
Junior Member
 
Join Date: Jun 2003
Posts: 7
ACCOONA problem with hijackthis log

Below is our hijackthis log. Please help if you can...I won't be able to reply until tomorrow so I'll thank you now.

Logfile of HijackThis v1.98.2
Scan saved at 8:57:12 PM, on 1/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\vwuyrr.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\WINDOWS\SM1BG.EXE
C:\DOCUME~1\HUNTER\LOCALS~1\Temp\bundle.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\HUNTER\My Documents\Ken's Stuff\Highjack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.start.earthlink.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.start.earthlink.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security Professional\UrlLstCk.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb0 4.exe
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvryx32.exe
O4 - HKLM\..\Run: [SAHBundle] C:\DOCUME~1\HUNTER\LOCALS~1\Temp\bundle.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'xfire_lsp.dll' missing
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/mini...ansporter.cab?
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1098571168642
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab32846.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/def...ploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6513741F-3EEC-46F6-8FB7-A0B29ADA9DCB}: NameServer = 166.102.165.11 166.102.165.13
tractors is offline   Reply With Quote
Old January 16th, 2005, 10:28 PM     #6 (permalink)
Member
 
phecky's Avatar
 
Join Date: Jan 2002
Location: Leesburg, Va.
Posts: 182
I just helped a friend check his laptop out. Long story short, I used the Webroot/Spy Sweeper stuff he had already to do some initial scans. 1st scan came up with 4 spyware apps; 2nd scan, 4 more showed up, two of which were on the 1st scan. Having never used this software before, I wasn't exactly impressed with the results, plus the fact it apparently comes with an IE toolbar that's most likely spyware itself. I then attempted to perform some simple tweaking by way of Task Manager and msconfig but found these to be either not accessible (msconfig) or absent of all window tabs (tskmngr)!! Not good! At this point I decided to run the easiest AV program I had available: McAfee Stinger. Again, long story short, I uncovered 4 trojan/virus' and ended up doing a format reinstall to be safe.

Try to get a hold of McAfee Stinger (free download at McAfee) and run it just to see what it finds. It's not very big.
__________________
The World needs to change from revolutionary thinking to evolutionary.

Barton 2500+
1 gig corsair
ATI 9800 Pro
VIA kt600
phecky is offline   Reply With Quote
Old January 16th, 2005, 10:29 PM     #7 (permalink)
Ultimate Member
 
Xtreeme's Avatar
 
Join Date: Apr 2003
Location: PA. USA
Posts: 3,310
Well, I have had my virus scanner miss trojans. They aren't a typical virus. They look like a legit program, hence get through. I use AntiVir and though it's free I feel it's better than McAfee and Norton because it has less resource usage and how good it is at finding and deleting viri. And like I said it even misses some trojans. a2 is what has found them for me. Give it a try, it's free. You have to use your email to get it the pass. They just send it to you in like 5 seconds and they don't spam or anything.

"a-squared (a²) is a complementary product to antivirus software and desktop firewalls on MS Windows computers. Antivirus software specializes in detecting classic viruses. Many available products have weaknesses in detecting other malicious software (Malware) like Trojans, Dialers, Worms and Spyware (Adware). a² fills the gap that malware writers exploit."

http://www.emsisoft.com/en/software/free/

Now the only problem I see in that list is

O10 - Broken Internet access because of LSP provider 'xfire_lsp.dll' missing
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/min...ransporter.cab?


That looks mighty fishy. Like a browser hijacker did it.
Xtreeme is offline   Reply With Quote
Old January 16th, 2005, 10:35 PM     #8 (permalink)
Ultimate Member
 
Xtreeme's Avatar
 
Join Date: Apr 2003
Location: PA. USA
Posts: 3,310
"Again, long story short, I uncovered 4 trojan/virus' and ended up doing a format reinstall to be safe."

What about worms though? They embed themselves in the MBR sometimes. I had a buddy that reformatted and installed 3x before he called me. His keyboard would stop working on a fresh install right as soon as Windows would load. In DOS it would work. So I had him delete the partition in fdisk and make a new one, hence wiping the MBR. This completely fixed it. So if you ever format again, to be on the safe side, wipe the MBR by remaking the partition. Or use Nero and back the system onto a DVD. It actually wipes the MBR for you. Which is why I use Nero now for system backups. Easier to use than Ghost, and it works.
Xtreeme is offline   Reply With Quote
Old January 17th, 2005, 07:27 AM     #9 (permalink)
Junior Member
 
Join Date: Jun 2003
Posts: 7

Here's what we've done so far... since first post... CW Shredder found and eliminated 3 items, deleted the 2 items suggested in the HijackThis log, Spybot found and eliminated 9 items, a-squared found and fixed/cleaned (don't remember number) items... found that clkoptimizer is one of the culprits... another is elitebar. One of them (or both) is running in memory and each time it's rebooted it's found to be there... what do I do now? Reformat is possible but not wanted yet. Even installed SP2 hoping that would help.
tractors....
tractors is offline   Reply With Quote
Old January 17th, 2005, 09:03 AM     #10 (permalink)
Ultimate Member
 
Join Date: Dec 2004
Posts: 1,558
This might be a spyware trace:
C:\WINDOWS\system32\vwuyrr.exe
If you don't know what that file is from, you should rename it 'vwuyrr.exe.org' or something.

This is spyware, rename it 'bundle.exe.org':
C:\DOCUME~1\HUNTER\LOCALS~1\Temp\bundle.exe

These are spyware traces, fix them in HijackThis:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvryx32.exe
O4 - HKLM\..\Run: [SAHBundle] C:\DOCUME~1\HUNTER\LOCALS~1\Temp\bundle.exe

And these, which I believe you already fixed:
O10 - Broken Internet access because of LSP provider 'xfire_lsp.dll' missing
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/min...ransporter.cab?

Run MS AntiVirus Beta. It has a method to scan for browser hijacks and will usually restore the defaults.

Restart the computer and see if you're having the problems anymore.

If you are, open the task manager (Ctrl+Alt+Del) and post the processes here.

If you get any errors when you restart, they are probably from programs trying to start up that you just deleted. Post the errors here if you get any.

[EDIT]
Update, that kalvryx32.exe file, that's a mean little bugger. Don't know how I almost forgot this.

After you restart the computer (in safe-mode):
Delete C:\Windows\System32\kalv???32.exe (there will probably be multiple files like this just different # instead of ???).
Delete the contents of the Temp folder (C:\DOCUME~1\HUNTER\LOCALS~1\Temp)
Delete C:\Windows\System32\error32.dat
download and run the attached reg fix
[/EDIT]
Attached Files
File Type: zip remove_elitebar.zip (261 Bytes, 69 views)

Last edited by large_nostril : January 17th, 2005 at 09:10 AM.
large_nostril is offline   Reply With Quote
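
Added example (not part of the thread and not any poster's code): a small Python triage pass over HijackThis entry lines like those in post #5. It shortlists O1 hosts-file mappings, O4 autoruns that launch from a Temp folder, and O10 LSP errors; the rules and function names are assumptions for illustration, and path rules like these do not catch an entry such as kalvryx32.exe, which post #10 identified by name.

```python
import re

# Constructed sample: entry lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvryx32.exe
O4 - HKLM\..\Run: [SAHBundle] C:\DOCUME~1\HUNTER\LOCALS~1\Temp\bundle.exe
O10 - Broken Internet access because of LSP provider 'xfire_lsp.dll' missing
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")               # "O4 - <body>"
HOSTS = re.compile(r"^Hosts: (\S+) (\S+)$")                  # "Hosts: <ip> <name>"
RUN = re.compile(r"^HK\w+\\\.\.\\Run: \[([^\]]*)\] (.*)$")   # "HKLM\..\Run: [name] cmd"
TEMP_DIR = re.compile(r"\\te?mp\\", re.IGNORECASE)

def parse(log):
    """Yield (section_code, body) per entry line; headers and process paths are skipped."""
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group(1), m.group(2)

def triage(log):
    """Return (code, reason) pairs for entries worth a manual look (hypothetical rules)."""
    findings = []
    for code, body in parse(log):
        hosts, run = HOSTS.match(body), RUN.match(body)
        if code == "O1" and hosts and not hosts.group(1).startswith("127."):
            findings.append((code, f"hosts file maps {hosts.group(2)} to {hosts.group(1)}"))
        elif code == "O4" and run and TEMP_DIR.search(run.group(2)):
            findings.append((code, f"autorun [{run.group(1)}] launches from a Temp folder"))
        elif code == "O10":
            findings.append((code, "Winsock LSP chain reported as broken"))
    return findings

if __name__ == "__main__":
    for code, reason in triage(SAMPLE_LOG):
        print(code, reason)
```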