Spyware Warrior Help with Spyware, Hijacking & Other Internet Nuisances
winnick Newbie
Joined: 14 Sep 2004 Last Visit: 31 May 2005 Posts: 3
|
Posted: Tue Sep 14, 2004 6:18 pm Post subject: How about HijackThis and Browser Hijack Recover(BHR) |
|
|
...
Last edited by winnick on Tue May 31, 2005 1:08 am; edited 1 time in total |
 |
suzi Site Admin

Joined: 27 Jul 2003 Last Visit: 18 May 2013 Posts: 10271 Location: sunny California
|
Posted: Tue Sep 14, 2004 9:34 pm Post subject: |
|
|
Hi winnick and welcome to the forum.
I haven't heard of this application before. Have you used it or are you affiliated with it in some way?
Interestingly enough, someone registered as a member here just before you did:
http://www.spywarewarrior.com/profile.php?mode=viewprofile&u=3247 user name mazheen
with a link to the site for Browser Hijack Recover(BHR) as their homepage.
Is that just coincidence or do you know that person?
Suzi
_________________
Former Microsoft MVP 2005-2009, Consumer Security
Please do not PM or Email me for personal support. Post in the Forums instead and we will all learn.
 |
winnick Newbie
Joined: 14 Sep 2004 Last Visit: 31 May 2005 Posts: 3
|
Posted: Tue Sep 14, 2004 10:13 pm Post subject: |
|
|
...
Last edited by winnick on Tue May 31, 2005 1:08 am; edited 1 time in total |
 |
suzi Site Admin

Joined: 27 Jul 2003 Last Visit: 18 May 2013 Posts: 10271 Location: sunny California
|
Posted: Tue Sep 14, 2004 10:16 pm Post subject: |
|
|
I decided to try this program out since it said it has a trial version. I downloaded and installed it, but it wouldn't run. Immediately it said I had 0 days left on the trial and my only option was to register it.
Has anyone else had this problem?
_________________
Former Microsoft MVP 2005-2009, Consumer Security
Please do not PM or Email me for personal support. Post in the Forums instead and we will all learn.
 |
Nick Site Admin

Joined: 27 Feb 2004 Last Visit: 28 Aug 2012 Posts: 3913 Location: California
|
Posted: Tue Sep 14, 2004 11:10 pm Post subject: |
|
|
I tried it out and it is basically HijackThis with a few extras. The way it presents its findings is in a different order than HijackThis, but like HijackThis, it shows both good and bad items. Therefore you can screw up your computer if you fix everything it lists. Some of the extras it offers that HijackThis doesn't include deleting temp files and/or disabling regedit. All of these features are available in other free tools. Not worth spending money on. It is similar to Adware Away, but lacks many of the extra features that Adware Away has that HijackThis doesn't.
You will still have to decide what is good and what is bad. The program does not do it for you.
_________________
Nick's Security Ticker
 |
Nick Site Admin

Joined: 27 Feb 2004 Last Visit: 28 Aug 2012 Posts: 3913 Location: California
|
Posted: Wed Sep 15, 2004 12:42 am Post subject: |
|
|
Here are the codes it uses for its "logs". Very similar to HijackThis.
| Quote: |
The different sections of hijacking possibilities have been separated into these groups:
R - Registry, StartPage/SearchPage changes
R0 - Changed registry value
R1 - Created registry value
R2 - Created registry key
R3 - Created extra registry value where only one should be
F - IniFiles, autoloading entries
F0 - Changed inifile value
F1 - Created inifile value
F2 - Changed inifile value, mapped to Registry
F3 - Created inifile value, mapped to Registry
N - Netscape/Mozilla StartPage/SearchPage changes
N1 - Change in prefs.js of Netscape 4.x
N2 - Change in prefs.js of Netscape 6
N3 - Change in prefs.js of Netscape 7
N4 - Change in prefs.js of Mozilla
O - Other, several sections which represent:
O1 - Hijack of auto.search.msn.com with Hosts file
O2 - Enumeration of existing MSIE BHO's
O3 - Enumeration of existing MSIE toolbars
O4 - Enumeration of suspicious autoloading Registry entries
O5 - Blocking of loading Internet Options in Control Panel
O6 - Disabling of 'Internet Options' Main tab with Policies
O7 - Disabling of Regedit with Policies
O8 - Extra MSIE context menu items
O9 - Extra 'Tools' menuitems and buttons
O10 - Breaking of Internet access by New.Net or WebHancer
O11 - Extra options in MSIE 'Advanced' settings tab
O12 - MSIE plugins for file extensions or MIME types
O13 - Hijack of default URL prefixes
O14 - Changing of IERESET.INF
O15 - Trusted Zone Autoadd
O16 - Download Program Files item
O17 - Domain hijack
O18 - Enumeration of existing protocols and filters
O19 - User stylesheet hijack
O20 - AppInit_DLLs autorun Registry value
O21 - ShellServiceObjectDelayLoad (SSODL) autorun Registry key
O22 - SharedTaskScheduler autorun Registry key
|
_________________ Nick's Security Ticker
 |
winnick Newbie
Joined: 14 Sep 2004 Last Visit: 31 May 2005 Posts: 3
|
Posted: Wed Sep 15, 2004 1:01 am Post subject: |
|
|
| Nick wrote: |
Here are the codes it uses for its "logs". Very similar to HijackThis.
| Quote: |
The different sections of hijacking possibilities have been separated into these groups:
R - Registry, StartPage/SearchPage changes
R0 - Changed registry value
R1 - Created registry value
R2 - Created registry key
R3 - Created extra registry value where only one should be
F - IniFiles, autoloading entries
F0 - Changed inifile value
F1 - Created inifile value
F2 - Changed inifile value, mapped to Registry
F3 - Created inifile value, mapped to Registry
N - Netscape/Mozilla StartPage/SearchPage changes
N1 - Change in prefs.js of Netscape 4.x
N2 - Change in prefs.js of Netscape 6
N3 - Change in prefs.js of Netscape 7
N4 - Change in prefs.js of Mozilla
O - Other, several sections which represent:
O1 - Hijack of auto.search.msn.com with Hosts file
O2 - Enumeration of existing MSIE BHO's
O3 - Enumeration of existing MSIE toolbars
O4 - Enumeration of suspicious autoloading Registry entries
O5 - Blocking of loading Internet Options in Control Panel
O6 - Disabling of 'Internet Options' Main tab with Policies
O7 - Disabling of Regedit with Policies
O8 - Extra MSIE context menu items
O9 - Extra 'Tools' menuitems and buttons
O10 - Breaking of Internet access by New.Net or WebHancer
O11 - Extra options in MSIE 'Advanced' settings tab
O12 - MSIE plugins for file extensions or MIME types
O13 - Hijack of default URL prefixes
O14 - Changing of IERESET.INF
O15 - Trusted Zone Autoadd
O16 - Download Program Files item
O17 - Domain hijack
O18 - Enumeration of existing protocols and filters
O19 - User stylesheet hijack
O20 - AppInit_DLLs autorun Registry value
O21 - ShellServiceObjectDelayLoad (SSODL) autorun Registry key
O22 - SharedTaskScheduler autorun Registry key
|
|
Really??
That is to say, if I have some questions, I can post the log to the HijackThis logs forum? Others can understand it?
 |
blender Site Admin

Joined: 19 Jan 2004 Last Visit: 03 Mar 2011 Posts: 10886 Location: Ontario
|
Posted: Sun Sep 19, 2004 10:28 am Post subject: |
|
|
Hi
I downloaded the program from download.com (file date Sept 16/04)
Is this the same version you have, Suzi?
Got it to run....and these are the results:
Logfile of Browser Hijack Recover(BHR) v1.0
http://www.wamasoft.com/hijack/
Log created on 9/19/2004 1:40:05 PM
Microsoft Windows XP Professional Service Pack 1 (Build 2600) <--I like this part (shows home/pro)
Does not show IE version/service packs
[Process Manager] - [Process]
SystemRoot\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Belkin Bulldog\upsd.exe
vsmon.exe <--notice it does not show where this is running from? (I know its fine...part of zone alarm)
C:\WINDOWS\System32\EXSHOW95.EXE
C:\WINDOWS\System32\EXSHOW.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
zlclient.exe <--same comment as above
C:\documents and settings\Blender\desktop\tools\regprot\regprot.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\SpywareGuard\sgmain.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\SpywareBlaster\spywareblaster.exe
C:\Program Files\Browser Hijack Recover\bhr.exe
[IE Options]
[IE Options] - [Normal]
R0 - HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.richardthelionhearted.com/~merijn/
R0 - HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R0 - HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main,Window Title = Blender's Internet Explorer
R0 - HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main,BackBitmap = <-- ?
[IE Options] - [IE Menu]
O6 - HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions, NoBrowserSaveAs = 0
O6 - HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions, NoFileNew = 0
O6 - HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions, NoBrowserClose = 0
O6 - HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions, NoFileOpen = 0
O6 - HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions, NoTheaterMode = 0
O6 - HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions, NoViewSource = 0
O6 - HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions, NoBandCustomize = 0
O6 - HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions, NoToolbarCustomize = 0
O6 - HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions, NoFavorites = 0
O6 - HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions, NoAddingChannels = 0
O6 - HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions, NoBrowserOptions = 0
O6 - HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions, NoBrowserContextMenu = 0
O6 - HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions, NoOpeninNewWnd = 0
O6 - HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions, NoSplash = 0
O6 - HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions, NoJITSetup = 0
[IE Options] - [Internet Opions]
O6 - HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel, GeneralTab = 0
O6 - HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel, HomePage = 0
O6 - HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel, Cache = 0
O6 - HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel, History = 0
O6 - HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel, Colors = 0
O6 - HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel, links = 0
O6 - HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel, Fonts = 0
O6 - HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel, Languages = 0
O6 - HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel, Accessibility = 0
O6 - HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel, SecurityTab = 0
O6 - HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel, ContentTab = 0
O6 - HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel, Ratings = 0
O6 - HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel, Certificates = 0
O6 - HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel, FormSuggest = 0
O6 - HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel, FormSuggest Passwords = 0
O6 - HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel, Profiles = 0
O6 - HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel, ConnectionsTab = 0
O6 - HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel, DialupAutodetect = 0
O6 - HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel, EnableAutoProxyResultCache = 0
O6 - HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel, Connection Settings = 0
O6 - HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel, Connwiz Admin Lock = 0
O6 - HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel, Proxy = 0
[IE Options] - [IE Search Hooks]
[IE Add-Ons] - [Toolbars]
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
[IE Add-Ons] - [Explorer Bars]
O9 - Extra "View" Explorer Bars: Search Band - {30D02401-6A81-11D0-8274-00C04FD5AE38} - C:\WINDOWS\System32\browseui.dll
O9 - Extra "View" Explorer Bars: Media Band - {32683183-48a0-441b-a342-7c2a440a9478} - C:\WINDOWS\System32\browseui.dll
[IE Add-Ons] - [Context Menu]
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
[IE Add-Ons] - [BHOs]
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: No Name - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
[IE Add-Ons] - [Tools Menu]
O9 - Extra "Tool" Menu Item: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (null) <--interesting duplicate "bug" as with HJT
[IE Add-Ons] - [Tools Button]
O9 - Extra "Tool" Menu Item: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (null) <--ditto
[System Options]
[AutoLoad]
04 - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run MsnMsgr = "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
04 - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run EXSHOW95.EXE = EXSHOW95.EXE
04 - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run VSOCheckTask = "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
04 - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run VirusScan Online = "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
04 - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run MCAgentExe = c:\PROGRA~1\mcafee.com\agent\mcagent.exe
04 - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run MCUpdateExe = C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
04 - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run Zone Labs Client = C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe <--load location shows here
04 - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run RegProt = c:\documents and settings\Blender\desktop\tools\regprot\regprot.exe /start
04 - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run CleanUp = C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
O4 - C:\Documents and Settings\Blender\Start Menu\Programs\Startup\desktop.ini =
O4 - C:\Documents and Settings\Blender\Start Menu\Programs\Startup\SpywareGuard.lnk = C:\PROGRA~1\SPYWAR~2\sgmain.exe
I won't show the entire HJT log, just the additional items HJT shows compared to Browser Hijack Recover:
Running processes:
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4360/mcfscan.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab
O20 - AppInit_DLLs:
As you can see I have several 016s (all ok)...none show up in the BHR log. Is this because of a whitelist built into the program?
Those 016s sometimes are the only clue what the victim is infected with.
Will be interesting to test on my "infection box"
I gather no update capability is available unless the program is purchased?
_________________
Never give up!
Former Microsoft MVP Windows-Security 2005-2009
If we have helped you please consider a donation Thank You
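
The by-eye comparison in the post above can be scripted. This is an added example, not part of any post in the thread and not code from either tool: it parses the section-coded lines of two logs, normalises the `04` (digit zero) prefix that the pasted BHR log uses on its registry Run entries to `O4`, and reports which section codes one log has that the other lacks. The sample logs, paths, CLSIDs and URLs are constructed placeholders.

```python
import re
from collections import Counter

# Section-coded entry: "O16 - ...", "R0 - ...", plus the "04 - ..." form
# (digit zero) seen on registry Run entries in the BHR log pasted above.
ENTRY = re.compile(r"^([RFNO0])(\d{1,2}) - (.*)$")

def parse(log_text):
    """Return [(code, detail)] for section-coded lines; headers, process
    paths and other lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        line = line.split("<--")[0].strip()   # drop "<--" reviewer notes
        m = ENTRY.match(line)
        if not m:
            continue
        prefix, num, detail = m.groups()
        if prefix == "0":                     # normalise "04" to "O4"
            prefix = "O"
        entries.append((prefix + num, detail.strip()))
    return entries

def sections_missing(reference_log, other_log):
    """Section codes that have entries in reference_log but none in
    other_log, mapped to the number of reference entries."""
    ref = Counter(code for code, _ in parse(reference_log))
    seen = {code for code, _ in parse(other_log)}
    return {code: n for code, n in ref.items() if code not in seen}

# Constructed sample logs (placeholder paths, CLSIDs and URLs).
BHR_SAMPLE = r"""
Logfile of Browser Hijack Recover(BHR) v1.0
[IE Add-Ons] - [BHOs]
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Example\helper.dll
[AutoLoad]
04 - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run Example = C:\Example\app.exe <--constructed
O4 - C:\Example\Startup\example.lnk = C:\Example\app.exe
"""
HJT_SAMPLE = r"""
Running processes:
C:\Example\app.exe
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Example\helper.dll
O4 - HKLM\..\Run: [Example] C:\Example\app.exe
O12 - Plugin for .ex: C:\Example\plugin.dll
O16 - DPF: {00000000-0000-0000-0000-000000000002} (Example Class) - http://example.invalid/a.cab
O16 - DPF: {00000000-0000-0000-0000-000000000003} (Example Class 2) - http://example.invalid/b.cab
"""

if __name__ == "__main__":
    # Sections the HijackThis-style log reports that the BHR-style log lacks.
    print(sections_missing(HJT_SAMPLE, BHR_SAMPLE))
```

A section code absent from one tool's log only says that tool did not list it; as with the logs themselves, the entries still have to be judged by a person.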