Address and Links toolbars never disappear (W2K)



AlexDumo
10-15-2002, 06:25 AM
Hi

I've got the following problem with my IE 6 SP1 and Win 2000
Seems an ad-software has finally found how to install itself on my system
One day after rebooting my PC, I've had the "Links" and "Address" toolbars
which have appeared in my task bar, and links I didn't know were rotating in
the "Links" toolbar.
I've found I had a new program running on startup, so I've removed it, and
removed the key in the registry. Indeed it has stopped the rotation of the
links, but the "Links" and "Address" toolbars were still appearing after
reboot. Since then I haven't found how to remove them. I've used Lavasoft
Ad-Aware and tried other "pest" finder tools, even checked a bit the
registry,
but nothing has worked. I'm obliged to unselect them any time I start my PC,
which is quite annoying.
One workaround I've found is to disable the Explorer Shell Extension with
TweakUI, but then I also lose my "Quick Launch" toolbar, which is not what
I would like.

Any idea ?

Thanks a lot

Alexandre Dumortier

TonyKlein
10-15-2002, 12:09 PM
Hi Alex,

Would you please go to http://www.spywareinfo.com/downloads.html, and download both Hijack This (in the "Detection and Removal" section), and Startuplist (in "Startup Program Management")

Run both, and post the results here.

AlexDumo
10-16-2002, 02:29 AM
Sure, here are the results:

Hijack This Log
-----------------
Logfile of HijackThis v1.61.0
Scan saved at 11:16:43, on 16/10/2002
Platform: Windows NT 5.00.2195

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://maple/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title=Microsoft Internet Explorer
O2 - BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
O2 - BHO: {4A2AACF3-ADF6-11D5-98A9-00E018981B9E}
O2 - BHO: {8786386E-4B22-11D6-9C60-E5DA06D87378}
O2 - BHO: NAV Helper, {BDF3E430-B101-42AD-A544-FADC6B084872}
O3 - Toolbar: &Radio
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O9 - Extra button: Real.com
O9 - Extra button: Yahoo! Messenger
O9 - Extra 'Tools' menuitem: Yahoo! Messenger
O10 - Hijacked Internet access by New.Net
O11 - Options group: [JAVA_SUN] Java (Sun)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

Startuplist
------------

StartupList report, 16/10/2002, 11:15:26
StartupList version: 1.34.0
Started from : C:\DOCUME~1\adu\LOCALS~1\Temp\StartupList.EXE
Detected: Windows 2000 SP3 (WinNT 5.00.2195)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\CTSvcCDA.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\System32\internat.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\adu\LOCALS~1\Temp\StartupList.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Synchronization Manager = mobsync.exe /logon
EM_EXEC = C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
Tweak UI = RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
ccApp = C:\Program Files\Common Files\Symantec Shared\ccApp.exe
ccRegVfy = C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
Advanced Tools Check = C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

internat.exe = internat.exe

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = "C:\winnt\System32\shmgrate.exe" OCInstallUserConfigIE

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = "C:\winnt\System32\shmgrate.exe" OCInstallUserConfigOE

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{6A5110B5-E14B-4268-A065-EF89FF33C325}] *
StubPath = regsvr32.exe /s /n /i:"S 2 true 3 true 4 true 5 true 6 true 7 true" initpki.dll

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\System32\ie4uinit.exe

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = %SystemRoot%\System32\updcrl.exe -e -u %SystemRoot%\System32\verisignpub1.crl

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINNT\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINNT\Explorer\Explorer.exe: not present
C:\WINNT\System\Explorer.exe: not present
C:\WINNT\System32\Explorer.exe: not present
C:\WINNT\Command\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: *Registry key not found*
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\NewDotNet\newdotnet4_50.dll - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E}
(no name) - C:\WINNT\System32\BandObjs1,0,0,1.dll (file missing) - {8786386E-4B22-11D6-9C60-E5DA06D87378}
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

--------------------------------------------------

Enumerating Task Scheduler jobs:

At1.job
Norton AntiVirus - Scan my computer.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[{15589FA1-C456-11CE-BF01-00AA0055595A}]
CODEBASE = file://C:\Temp\BrowserDisc\IE6\Dutch\ie6setup.exe

[AcDcToday Control]
InProcServer32 = C:\WINNT\DOWNLO~1\ACDCTO~1.OCX
CODEBASE = file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx

[NOXLATE-BANR]
InProcServer32 = C:\WINNT\DOWNLO~1\InstBanr.ocx
CODEBASE = file://C:\Program Files\AutoCAD 2002\InstBanr.ocx

[InstaFred]
InProcServer32 = C:\WINNT\DOWNLO~1\InstFred.ocx
CODEBASE = file://C:\Program Files\AutoCAD 2002\InstFred.ocx

[{CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA}]

[Shockwave Flash Object]
InProcServer32 = C:\WINNT\System32\macromed\flash\Flash.ocx
CODEBASE = http://active.macromedia.com/flash4/cabs/swflash.cab

[AcPreview Control]
InProcServer32 = C:\WINNT\DOWNLO~1\ACPREV~1.OCX
CODEBASE = file://C:\Program Files\AutoCAD 2002\AcPreview.ocx

--------------------------------------------------
End of report, 6.421 bytes
Report generated in 0,271 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

Alex

TonyKlein
10-16-2002, 02:45 AM
Let me get this straight:

Are the Links and Address toolbars that keep reappearing the regular Internet Explorer toolbars, or are they third party additions?

Nothing in startup, but there are two IE Browser Helper Objects that need to be removed.

Download BHODemon: http://www.definitivesolutions.com/bhodemon.htm

Shut down IE, launch the program, and locate the following BHOs: BandObjs1,0,0,1.dll and newdotnet4_50.dll.

Highlight each one, click 'details', and in "Select Status" click disabled

Click OK, and close the program

Relaunch IE, tell us whether there's any difference.

But please do describe these toolbars in more detail.
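
As an added illustration (not part of the original posts and not code from HijackThis or StartupList), the Python sketch below cross-references the O2 lines of the HijackThis log with StartupList's Browser Helper Object section, both copied from the logs posted above, and flags BHOs that are unnamed, point to a missing DLL, or have no DLL resolved at all. The regular expressions and the three triage rules are assumptions made for this example; a flag is a prompt to investigate, not a verdict.

```python
import re

# Lines copied from the HijackThis and StartupList logs posted in this thread.
HIJACKTHIS_O2 = """\
O2 - BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
O2 - BHO: {4A2AACF3-ADF6-11D5-98A9-00E018981B9E}
O2 - BHO: {8786386E-4B22-11D6-9C60-E5DA06D87378}
O2 - BHO: NAV Helper, {BDF3E430-B101-42AD-A544-FADC6B084872}
"""
STARTUPLIST_BHO = r"""
(no name) - C:\Program Files\NewDotNet\newdotnet4_50.dll - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E}
(no name) - C:\WINNT\System32\BandObjs1,0,0,1.dll (file missing) - {8786386E-4B22-11D6-9C60-E5DA06D87378}
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}
"""

# Assumed line formats, inferred only from the sample lines above.
CLSID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
O2_RE = re.compile(rf"^O2 - BHO: (?:(?P<name>.+), )?(?P<clsid>{CLSID})\s*$")
SL_RE = re.compile(
    rf"^(?P<name>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))? - (?P<clsid>{CLSID})\s*$")

def triage(o2_text, sl_text):
    """Return {clsid: [reasons]} for BHOs that deserve a closer look."""
    resolved = {}
    for line in sl_text.splitlines():
        m = SL_RE.match(line.strip())
        if m:
            resolved[m["clsid"].upper()] = m
    findings = {}
    for line in o2_text.splitlines():
        m = O2_RE.match(line.strip())
        if not m:
            continue
        clsid, reasons = m["clsid"].upper(), []
        sl = resolved.get(clsid)
        if sl is None:
            # Registered as a BHO, but StartupList printed no DLL for it.
            reasons.append("no DLL resolved by StartupList")
        else:
            if sl["name"] == "(no name)":
                reasons.append("unnamed: " + sl["path"])
            if sl["missing"]:
                reasons.append("DLL missing on disk")
        if reasons:
            findings[clsid] = reasons
    return findings

if __name__ == "__main__":
    for clsid, reasons in triage(HIJACKTHIS_O2, STARTUPLIST_BHO).items():
        print(clsid, "->", "; ".join(reasons))
```

On the posted logs this flags the two DLLs named in the reply above, plus {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}, which HijackThis lists but StartupList's BHO section does not.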

AlexDumo
10-17-2002, 01:31 AM
Yes, these are the regular Internet Explorer toolbars
Only a third-party software has changed their default attributes apparently
I can remove them (and I remove them) from the taskbar using the right button of the mouse,
then Toolbars->Links and Toolbars->Address
But the problem is that I have to do that every time I log in to Win2k....
After writing to you yesterday, I've tried BHODemon and deactivated BandObjs1,0,0,1.dll (which points
to C:\WINNT\System32\BandObjs1,0,0,1.dll, and this file doesn't exist).

It hasn't changed anything

This morning I've disabled newdotnet4_50.dll (C:\Program Files\NewDotNet\newdotnet4_50.dll
Readme.txt:
The New.net Client Application provides accessibility to the
New.net extensions sold at http://www.new.net. The
software installs at the OS (Operating System) level so that
all DNS functions for a New.net extension will work properly.
New.net registers domain names under extensions such as:

.AGENT
.INC
.LOVE
.SHOP
.SPORT

A full list of extensions offered by New.net is located at
http://www.new.net.
)
in addition to BandObjs1,0,0,1.dll which stayed disabled.

After rebooting, they still appear.....
And nothing has changed in IE
I really think that's something in the registry, but where ?

Alex

AlexDumo
10-17-2002, 03:28 AM
I've got some new info regarding the problem

When I log in with another account on my computer, the toolbars also appear, so it seems it is a general setting

And another small thing I've noticed only today. When I log in, the toolbars appear so I right-click on the taskbar and go to the "Toolbars" section
The possibilities there are:
Address (selected)
Links (not selected)
Desktop (not selected)
Quick Launch (selected)
Links (selected)

Notice the two "Links" occurrences
When I deselect the last one, then it disappears from the "Toolbars" section, and I have:
Address (selected)
Links (not selected)
Desktop (not selected)
Quick Launch (selected)

Alex

TonyKlein
10-17-2002, 09:06 AM
Hi Alex,

I know about NewDotNet. It should go

See http://www.cexx.org/newnet.htm

About the toolbars, here's a workaround to hide them permanently.

Close all Internet Explorer windows.

Open your Registry, and drill down to HKEY_CLASSES_ROOT\CLSID\{01E04581-4EEE-11d0-BFE9-00AA005B4383} (Your address bar)

Edit the CLSID by inserting a minus sign in front of it, so that it looks like so:
-{01E04581-4EEE-11d0-BFE9-00AA005B4383}

Do the same to {0E5CBF21-D15F-11D0-8301-00AA005B4383} in HKEY_CLASSES_ROOT\CLSID. That's your Links bar.

Close Regedit, and launch IE.

Your two toolbars should be gone.


Cheers, Tony

AlexDumo
10-21-2002, 12:20 AM
Hi

I've made the modifications in the registry, and indeed the toolbars do not appear again in my Windows 2000 taskbar, but of course (as you have said) they do not appear also in my Internet Explorer, which is quite annoying as well (I need at least the Address bar to type the URL's in IE).
I think my only chance will be to re-install everything on my machine and start from the beginning.

Alex