Thebestse.com spyware/browser hijack :: Removal instructions

 
 
Monger
 
Reply Sat 27 Mar, 2004 03:23 am
First off, you should install, update, then run both Spybot S&D and Ad-Aware. Currently, neither program will remove this particular hijacker (though in time that might change), but they will be able to remove many other adware & spyware problems you might also have.

Here are removal steps that should work in most cases for people who have their home page & search pages hijacked by thebestse.com (at least until new variants come along, at which time this may need to be updated).

Do the following:

  • Reboot your computer into Safe Mode (Tell me how)
  • Go to your startup folder (Start\Programs\Startup) & delete sytem32.exe & sytem32exe.pf
  • Go to your system folder ("c:\windows\system" or "c:\winnt\system") & delete systeminit.exe
  • Go to your Windows folder ("c:\windows\" or "c:\winnt\") & delete sstyle.css
  • Search through the registry for "thebestse", "systeminit.exe" & "sstyle.css", & delete all occurrences of them. (Tell me how)
Make sure to back up your registry before messing around with it!

Also, you may need to turn on viewing of hidden files in Windows in order to find some of those (Tell me how). However, in some cases every file mentioned isn't present (e.g. some variants don't include sytem32.exe).

Next, delete all lines in your "hosts" file which include the IP address 69.93.33.155 (which points to thebestse.com).

On Windows 95/98/ME the hosts file is located in the "c:\windows" directory and on Windows NT4/2000/XP/2003 in the "c:\winnt\system32\drivers\etc" directory. (A sample hosts file is supplied with Windows named "hosts.sam", located in the same directory.)

Here is a discussion about the hosts file.


Some other baddies that've been common so far with people who've had this problem (though they might not be directly related to thebestse) have been:

  • c:\systemsearch.hta
  • fonts.hta (In the "c:\windows\fonts" or "c:\winnt\fonts\" folder)
  • msoffice.hta (In the "c:\windows\fonts" or "c:\winnt\fonts\" folder)
If you have them on your system, delete those files as well, & delete all occurrences of them in the registry.

Those last 2, in particular, are common CoolWebSearch hooks (which can be removed by CWShredder), but in at least one recent case here they might have been what was re-spawning thebestse.com's hijacks (which may in fact just be a new variant of CWS).
Type: Discussion • Score: 0 • Views: 59,469 • Replies: 39
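The hosts-file step above (dropping every line that maps a hostname to 69.93.33.155) and the file names listed in the removal steps can be checked mechanically. The following Python is an added example, not code from the original post; it audits hosts-file text for entries pointing at the address the post names, returns the cleaned text, and flags the file names the post says to delete. Note that it matches the hijacker's misspelled "sytem32.exe", not the legitimate "system32" folder. The sample hosts content is constructed for the example.

```python
"""Hosts-file audit for the thebestse.com hijack (added example, not the post's own code)."""

HIJACK_IP = "69.93.33.155"  # from the post: the address that points to thebestse.com

# File names the post says to delete; the hijacker's "sytem32" is deliberately
# misspelled and must not be confused with the legitimate system32 folder.
HIJACK_FILES = {"sytem32.exe", "sytem32exe.pf", "systeminit.exe", "sstyle.css"}

# Constructed sample of a hijacked hosts file, with legitimate entries mixed in,
# tab separators, leading whitespace and a trailing comment.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
69.93.33.155    msn.com search.msn.com www.msn.com
69.93.33.155\twww.google.com   # added by hijacker
69.93.33.155    google.com
192.168.1.10    fileserver.lan
    69.93.33.155    yahoo.com www.yahoo.com
"""


def parse_hosts_line(line):
    """Return (ip, [hostnames], comment) for an entry line, or None for blank/comment lines."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    body, _, comment = stripped.partition("#")
    fields = body.split()
    if len(fields) < 2:
        return None
    return fields[0], fields[1:], comment.strip()


def audit_hosts(text, bad_ip=HIJACK_IP):
    """Split hosts text into (cleaned_text, hijacked_entries).

    Entries whose address is bad_ip are removed from the cleaned text and
    returned as (ip, hostnames) tuples so the user can see what was redirected.
    """
    clean, hijacked = [], []
    for line in text.splitlines():
        parsed = parse_hosts_line(line)
        if parsed and parsed[0] == bad_ip:
            hijacked.append((parsed[0], parsed[1]))
            continue
        clean.append(line)
    return "\n".join(clean) + "\n", hijacked


def hijacked_hostnames(text, bad_ip=HIJACK_IP):
    """Sorted list of every hostname the hosts text redirects to bad_ip."""
    _, entries = audit_hosts(text, bad_ip)
    return sorted({host for _, hosts in entries for host in hosts})


def suspect_files(names):
    """Return the names (case-insensitively) matching the files the post says to delete."""
    return sorted(name for name in names if name.lower() in HIJACK_FILES)


if __name__ == "__main__":
    cleaned, entries = audit_hosts(SAMPLE_HOSTS)
    for ip, hosts in entries:
        print("hijacked:", ip, "->", " ".join(hosts))
    print("--- cleaned hosts file ---")
    print(cleaned, end="")
    print("suspect files:", suspect_files(["SYTEM32.EXE", "system32.dll", "Sstyle.css", "notepad.exe"]))
```

To use it on a real machine, read the hosts file from the path the post gives for your Windows version, pass its contents to `audit_hosts`, review the hijacked entries, and only then write the cleaned text back (keeping a copy of the original).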

 
Monger
 
  1  
Reply Sat 27 Mar, 2004 04:15 am
Fix thebestse.com browser hijack using HijackThis
Alternatively, to fix it using HijackThis...

If you're not comfortable with modifying your registry or your hosts file, you can download HijackThis, run it, and in the list it generates check off entries very similar to the following then click 'Fix checked':

O4 - HKLM\..\Run: [system32.dll] C:\WINDOWS\system\systeminit.exe
O4 - Global Startup: sytem32.exe
O4 - Global Startup: sytem32exe.pf
O19 - User stylesheet: C:\WINDOWS\sstyle.css
O19 - User stylesheet: C:\WINDOWS\sstyle.css (HKLM)


Plus all lines which include "thebestse". E.g.:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thebestse.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.thebestse.com/search.shtml
...and so on.

Plus any line which starts with: O1 - Hosts: 69.93.33.155

Often the following are present:
O1 - Hosts: 69.93.33.155 msn.com
O1 - Hosts: 69.93.33.155 search.msn.com
O1 - Hosts: 69.93.33.155 www.msn.com
O1 - Hosts: 69.93.33.155 www.google.com
O1 - Hosts: 69.93.33.155 google.com
O1 - Hosts: 69.93.33.155 altavista.com
O1 - Hosts: 69.93.33.155 www.altavista.com
O1 - Hosts: 69.93.33.155 yahoo.com
O1 - Hosts: 69.93.33.155 www.yahoo.com


Next, reboot & delete the files mentioned in the previous post (sytem32.exe, sytem32exe.pf, systeminit.exe, sstyle.css).
0 Replies
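The HijackThis entries listed above follow a fixed pattern (section code, " - ", body), so the post's three selection rules can be turned into a small triage script. The Python below is an added example, not code from the original post or from the HijackThis project; it flags any line mentioning "thebestse", any O1 hosts entry whose address is 69.93.33.155, and any O4/O19 entry naming one of the hijacker's files, and ignores everything else. The sample log is constructed from the lines quoted in this thread plus benign entries for contrast.

```python
"""Triage of HijackThis log lines for the thebestse.com hijack (added example, not the post's code)."""
import re

HIJACK_IP = "69.93.33.155"
HIJACK_DOMAIN = "thebestse"
HIJACK_FILES = ("sytem32.exe", "sytem32exe.pf", "systeminit.exe", "sstyle.css")

# Constructed sample log: hijack entries quoted in the thread plus benign lines.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thebestse.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.thebestse.com/search.shtml
O1 - Hosts: 69.93.33.155 www.google.com
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM\..\Run: [system32.dll] C:\WINDOWS\system\systeminit.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - Global Startup: sytem32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O19 - User stylesheet: C:\WINDOWS\sstyle.css (HKLM)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
"""

# HijackThis lines look like "O4 - <body>" or "R0 - <body>".
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")


def classify(line):
    """Return the reason a line should be fixed, or None if it does not match the post's rules."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    section, body = match.group("section"), match.group("body")
    lowered = body.lower()
    # Rule 1: any line that mentions thebestse (R0/R1 start page, search bar, ...).
    if HIJACK_DOMAIN in lowered:
        return "references " + HIJACK_DOMAIN
    # Rule 2: O1 hosts entries redirected to the hijack address.
    fields = body.split()
    if section == "O1" and len(fields) >= 2 and fields[0] == "Hosts:" and fields[1] == HIJACK_IP:
        return "hosts entry redirected to " + HIJACK_IP
    # Rule 3: O4 autoruns and O19 user stylesheets naming the hijacker's files.
    if section in ("O4", "O19"):
        for name in HIJACK_FILES:
            if name in lowered:
                return "launches or loads " + name
    return None


def triage(log_text):
    """Map each flagged log line (stripped) to its reason; benign lines are left out."""
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        reason = classify(line)
        if reason:
            flagged[line.strip()] = reason
    return flagged


def flagged_sections(log_text):
    """Sorted section codes that contain at least one flagged line."""
    return sorted({line.split(" - ", 1)[0] for line in triage(log_text)})


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG).items():
        print(f"[{reason}] {entry}")
```

Only the flagged lines correspond to what the post says to tick before clicking 'Fix checked'; a line like the Acrobat BHO or the NeroCheck autorun is left alone because nothing in the post's criteria matches it.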
 
Monger
 
  1  
Reply Sat 27 Mar, 2004 04:20 am
For fixing problems with other spyware, adware, etc., see here: 'Spyware, Browser Hijacks, or other Yuckware? Check here 1st'
0 Replies
 
fcsun69
 
  1  
Reply Sat 27 Mar, 2004 06:02 pm
Another variant I found...

seems I had an extra file associated with this:

sytem32exe.pf a prefetch file?

if you don't get rid of this one it'll restore everything when you reboot.

searching all files folders for sytem32 should yield this if it's there
0 Replies
 
Monger
 
  1  
Reply Sat 27 Mar, 2004 09:32 pm
Thanks, fcsun69!
Was it also in your Startup folder? I went ahead & added it to the instructions above, with the assumption that that's where you found it.
0 Replies
 
largrasr
 
  1  
Reply Tue 30 Mar, 2004 11:58 am
suggest you add "pay close attention to the spelling of SYTEM" not SYSTEM. i missed it the first time and my search did not turn up the "bad" file.
largrasr
0 Replies
 
Monger
 
  1  
Reply Tue 30 Mar, 2004 12:06 pm
OK I'll add it right here: See largrasr's post above. Wink
0 Replies
 
AlvinC
 
  1  
Reply Sun 4 Apr, 2004 10:53 pm
Thebestse.com spyware/browser hijack :: Removal instructions
Wish I found your forum sooner because it took me a while to stumble through on my own the few steps you listed in getting rid of that hijacker. Didn't find bestse.com but rather "www.motor-search.info". In addition, I found it inserted the hijacker in mplayer2.exe but the SFP log reported the invalid version was detected, put the bogus mplayer2.exe in Windows\System\sfp\archive, and restored the legitimate mplayer2.exe.

It also added a few links to IE Favorites - Viagara, sex, etc.

Although the Windows Media Player icon was still on desktop, the wmplayer.exe was gone - I'm guessing that's a tie-in to the bogus mplayer2.exe. However I just reran the Media Player setup and everything was fine.

I moved "systeminit.exe", the bogus "mplayer2.exe" and "sstyle.css" to another folder.
0 Replies
 
pueo
 
  1  
Reply Sun 4 Apr, 2004 11:44 pm
bookmarking.
0 Replies
 
cb
 
  1  
Reply Tue 6 Apr, 2004 04:33 pm
Can anyone help me with coolshader.com. Don't know how to get rid of it. Thanks
0 Replies
 
timberlandko
 
  1  
Reply Tue 6 Apr, 2004 06:22 pm
coolshader is a new variant of thebestse, which itself is a variant of coolwebsearch ... the removal instructions above should work, with the addition of find-and-delete-if-found "coolshader*". First, though, you might want to download and run CWShredder, I see it has been updated in the last day or so (it updates frequently ... current version is 1.55). It won't hurt, and it could help. It's usually most effective to run hijack killers from safe mode, BTW.
0 Replies
 
Jim McCullough
 
  1  
Reply Tue 6 Apr, 2004 11:00 pm
One Variant of "thebestse"... "your-search&qu
Hello All, and thanks for helping me get rid of the Subject variant.

FYI: the variant that hit my Windows XP Pro
Included: systeminit.exe, sstyle.css, and www.your-search.com.
Excluded: sytem32.exe, sytem32exe.pf, www.thebestse.com, and no "hosts" reference to 69.93.33.155.
note: I also found sstyle.css in the C:\ directory.

I initially used a demo program "Security Task Manager" (STM) to determine systeminit.exe was the culprit. STM showed that the systeminit.exe file contained text to generate three Desktop shortcut icons names ("Sex-Drugs?", "Viagara?", and "????whatever")

Then I Googled to this forum.

Again, Thanks a Million! Very Happy
Jim
0 Replies
 
Monger
 
  1  
Reply Wed 7 Apr, 2004 10:48 am
No problem. Smile

And thanks for the info, Jim.
0 Replies
 
Judy Scherer
 
  1  
Reply Fri 9 Apr, 2004 07:21 pm
coolshader help please!
Hi,
I think my computer is infected with coolshader. I don't know anything about fixing it but I did read the messages above and I used HijackThis. This is what my scan results show. Can you please tell me which files are the ones I need to fix?

thanks
Judy
======================

Logfile of HijackThis v1.97.7
Scan saved at 9:12:06 PM, on 4/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\system32\cba\pds.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\SSC\NSCTOP.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ams_ii\hndlrsvc.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\ams_ii\iao.exe
C:\WINDOWS\system32\cba\xfr.exe
C:\WINDOWS\sxchost.exe
C:\Program Files\WildTangent\Apps\GameChannel.exe
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\wt\updater\wcmdmgr.exe
C:\WINDOWS\system32\config\services.exe
C:\WINDOWS\dlm.exe
C:\WINDOWS\dl.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.EXE
C:\Documents and Settings\Ken\Desktop\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O4 - HKLM\..\Run: [Upgrade Service] C:\WINDOWS\sxchost.exe
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [WindowsMGM] C:\WINDOWS\winmgm32.exe
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Services Process] C:\WINDOWS\system32\config\services.exe
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Dial33] C:\WINDOWS\dlm.exe
O4 - HKLM\..\Run: [Dial32] C:\WINDOWS\dl.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Photo Express Calendar Checker SE.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/games/clients/y/ht1_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt1_x.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.140/code/PWActiveXImgCtl.CAB
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
0 Replies
 
Jace22
 
  1  
Reply Sat 10 Apr, 2004 01:08 am
HELP
How do you protect your computer from getting all these spyware/browser?? Is there any program that I can get to protect my computer from all of that??
0 Replies
 
Monger
 
  1  
Reply Sat 10 Apr, 2004 02:06 am
Re: HELP
Jace22 wrote:
How do you protect your computer from getting all these spyware/browser?? Is there any program that I can get to protect my computer from all of that??

See here: How did I get infected in the first place?
0 Replies
 
Monger
 
  1  
Reply Sat 10 Apr, 2004 02:17 am
Re: coolshader help please!
Judy Scherer,
Please do not use this topic to post HijackThis logs. For those who would like help with examining log files, start a new topic in the Computers forum (do not post on the end of someone else's as that can be confusing). The subject line for your topic should be as descriptive as possible (preferably mentioning particular files or websites involved with the problem), & logs should always be accompanied by plain English as to what problems you are actually experiencing. Please also make sure to describe what, if any, steps you've already taken to try to solve it on your own.

Before asking for help on these boards, please make sure you've taken the following steps:

- Run the latest version of CWShredder
- Install, update then run both Spybot S&D & Ad-Aware
- Update your virus definition files, then run a virus scan of your system. (If you don't have a virus scanner installed, at the least run the latest version of Stinger, which will remove some common baddies.)

Ensuring that all these instructions are followed makes things easier for everyone, & will mean that you're more likely to receive help when you need it. Thanks! Smile

(More detailed steps you can take on your own can be found here: Spyware, Browser Hijacks, or other Yuckware? Check here 1st)


__________

Spybot
SpywareBlaster
Ad-Aware
CWShredder
HijackThis
Housecall online A/V scan
Stinger
0 Replies
 
Jace22
 
  1  
Reply Sat 10 Apr, 2004 02:32 pm
well I got that thing "coolshader" and at first I really didn't know where it came from until I came to this forum and it helped a lot. So now I'm just wondering how can I protect my computer from those kind of browsers?
0 Replies
 
timberlandko
 
  1  
Reply Sat 10 Apr, 2004 03:00 pm
This Microsoft Knowledgebase Article will offer some pertinent tips. In short, keep your Operating System and browser fully updated, use a real-time-scan-enabled antivirus, also kept fully updated, and use one or more of the popular, often free, antispyware applications, likewise fully updated. Some sort of adblocking/popup-blocking software is a good idea, too, and there are a variety of free ones out there. A good, properly configured firewall is another excellent idea, and there are both paid and free ones aplenty. Now, with your shields up, pay attention when you surf; be sure you're not accepting a download instead of closing a popup. Be very cautious of anything that promises to speed up your browsing, improve your downloading, enhance your searching, do cute things with your cursor, earn you instant riches, or dazzle you with spectacular screensavers, for instance. ICQ, IRC, and P2P filesharing are significant entry points for yuckware. Be cautious with email; never open an attachment from anyone you don't know, and if an unrequested or unexpected attachment arrives apparently from someone you do know, save it and scan it with your antivirus before opening it ... in fact, scanning all attachments before opening, and all discs other than brand new, sealed, shrinkwrapped commercial disks before running, is a good idea. Be particularly cautious of any email that requests you to "Reconfirm your log in ID" or anything of that sort. If you just use your head while running around in computerland, you'll find yourself far less likely to have occasion to bang your head in frustration on your desktop.

Be careful out there; there are all sorts of critters just looking for an opportunity to bite the unwary and unwise. Security and privacy are your responsibility. See to them, or suffer the consequences.
0 Replies
 
Jace22
 
  1  
Reply Sat 10 Apr, 2004 09:17 pm
Thank you "TIMBERLANDKO"
0 Replies
 