#1
05-13-2012, 11:01 PM
computerdoctor
Join Date: Apr 2012
Posts: 26
Intrusive Search Box Keeps Popping Up

My dad is running Windows 7 and had a strange thing start happening a couple of months ago. Whether he's in Outlook, PowerPoint, or IE, a large bluish box pops up titled "Search" and then says something like "To begin search, type in the box." I thought it was some adware/malware but I have scanned his computer with Malwarebytes, Eset, Vipre, and Webroot, oh and avast! Those scans have found infections, but NOTHING makes this go away. It only happens when he left-clicks the mouse (though only intermittently). He's about to go crazy and take me there with him.
#2
05-13-2012, 11:27 PM
Xander
Join Date: Oct 2008
Location: Niagara region, Ontario
Posts: 6,796

Why would you assume it's a virus? Have you looked at the software that's running in the background? It would seem fairly obvious based on how and when it's appearing.

Edit: Not trying to sound elitist or super-critical but there've been a lot of people here lately that start threads with "I spent 4 hours scanning for viruses" on symptoms that would normally not be virus-related. So, if something happens with a mouse click, look for mouse-related software...not a virus. Occam's Razor and all that.
__________________
Xander St Catharines Computer Repairs

New here? Watch this and read this. Remember, it's not our problem, it's yours so ask your questions well.
e.g. Make/Model#, Win version/SP#, BSOD 0x#. Consider posting Event Viewer logs, Autoruns exports or something.
More info means better answers and less snark.

Don't be parasitic and only pose your own questions. Help others.
Never trust a "tech" with a hotmail address.


D7 question/idea/etc? Bring it to the D7 Forums.

Last edited by Xander; 05-14-2012 at 04:18 AM.
#3
05-14-2012, 12:21 AM
Mr.Mike
Join Date: Aug 2009
Location: California Central Coast
Posts: 1,130

Quote:
Originally Posted by Xander
Why would you assume it's a virus? Have you looked at the software that's running in the background? It would seem fairly obvious based on how and when it's appearing.
^^Exactly this. Also, check your running services and perhaps run Process Explorer to see if there really is something malicious going on.
#4
05-14-2012, 08:30 PM
coastcomputer
Join Date: Sep 2009
Posts: 44

Is it embedded into the application, similar to a toolbar? Is it a popup?

When you search thru the box, what's it do? What's it search? Where do you wind up?

What's the behavior of using the search box?
#5
05-14-2012, 09:15 PM
computerdoctor
Join Date: Apr 2012
Posts: 26
Search Behavior

I looked at the apps, processes, and services running when the search box is up. It does not appear that there is anything running that should not be.

As far as behavior, it acts like a normal search. It searches files and emails. I searched for "blonde" which is in some of his emails and I'm going to insert it now. The issue is the popping up on top of everything else randomly, or at least it appears to be random.
#6
05-14-2012, 09:27 PM
Xander
Join Date: Oct 2008
Location: Niagara region, Ontario
Posts: 6,796

Could you run something like OTL or HijackThis and post what it logs? It still sounds like a perfectly legitimate (albeit unwelcome) piece of software.
#7
05-14-2012, 10:29 PM
computerdoctor
Join Date: Apr 2012
Posts: 26

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 4:59:25 PM, on 5/14/2012
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v8.00 (8.00.7601.17514)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Program Files\Webroot\WRSA.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://awesomestart.com/battleroyale/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 255.255.255.255 broadcasthost
O1 - Hosts: ::1 localhost
O1 - Hosts: fe80::1%lo0 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Babylon toolbar helper - {2EECD738-5844-4a99-B4B6-146BF802613B} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~2\Office14\URLREDIR.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: NetAssistantBHO - {E38FA08E-F56A-4169-ABF5-5C71E3C153A1} - C:\Program Files\Freeze.com\NetAssistant\NetAssistant.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [TrueImageMonitor.exe] "C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [AdobeCS5.5ServiceManager] "C:\Program Files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [WRSVC] "C:\Program Files\Webroot\WRSA.exe" -ul
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SBAMTray] "C:\Program Files\GFI Software\VIPRE\SBAMTray.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe" /MINIMIZED
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Open using &Advanced JPEG Compressor - C:\Program Files\Advanced JPEG Compressor\ajcieex.htm
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MICROS~2\Office14\ONBttnIE.dll/105
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://clicksoftware.webex.com/clie...x/ieatgpc1.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: Acronis Nonstop Backup service (afcdpsrv) - Acronis - C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Adobe SwitchBoard (SwitchBoard) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O23 - Service: WRSVC - Webroot - C:\Program Files\Webroot\WRSA.exe

--
End of file - 8096 bytes
Reply With Quote
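Added example (not part of any poster's reply and not HijackThis's own code): a small Python triage of the log format posted above. It sorts entries into things to review by hand: registry entries marked `(no file)`, IE page settings that point off microsoft.com, and the `Run` autostart names that are the candidates for the Autoruns process of elimination suggested later in the thread. The sample lines are copied from the log above; the `triage` function and its bucket names are assumptions of this example.

```python
import re
from urllib.parse import urlparse

# Excerpt of the HijackThis log posted in the thread (lines copied verbatim).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://awesomestart.com/battleroyale/
O2 - BHO: Babylon toolbar helper - {2EECD738-5844-4a99-B4B6-146BF802613B} - (no file)
O3 - Toolbar: (no name) - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - (no file)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe" /MINIMIZED
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")              # "O2 - <body>"
RUN = re.compile(r"^(HK\w+)\\\.\.\\Run: \[([^\]]+)\] (.*)$")  # O4 Run-key body


def triage(log_text):
    """Sort HijackThis entries into review buckets; a bucket is not a verdict."""
    out = {"orphaned": [], "ie_pages": [], "autostart": []}
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header lines, running-process list, blanks
        code, body = m.groups()
        if body.endswith("(no file)"):
            # Registry entry whose DLL is gone: leftover of a partial uninstall.
            out["orphaned"].append((code, body.split(" - ")[0]))
        elif code in ("R0", "R1") and " = " in body:
            key, url = body.rsplit(" = ", 1)
            host = urlparse(url).hostname or ""
            is_ms = host == "microsoft.com" or host.endswith(".microsoft.com")
            if host and not is_ms:
                out["ie_pages"].append((key.split(",")[-1], host))
        elif code == "O4":
            r = RUN.match(body)
            if r:  # (hive, value name) identifies the item in Autoruns
                out["autostart"].append((r.group(1), r.group(2)))
    return out


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_LOG).items():
        print(bucket, items)
```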
#8
05-14-2012, 11:01 PM
numnutz
Join Date: Nov 2009
Posts: 539

Are you using a proxy server? Can you post a screenshot of the search box? Have you checked installed programs for something that would do this?
#9
05-14-2012, 11:16 PM
Xander
Join Date: Oct 2008
Location: Niagara region, Ontario
Posts: 6,796

Without pointing fingers at any of the software that I might suspect, have you tried a simple process of elimination?

Using Autoruns, turn off all non-MS software and reboot. The search box should not pop up. Then, bit by bit, start turning on one or two programs at a time. Lather, rinse, repeat.
#10
05-14-2012, 11:43 PM
Paul Rodgers
Join Date: Oct 2010
Posts: 2,031

I don't see anything out of the ordinary with the log you posted.

Is that the only symptom?

Can you post a screenshot of the installed programs in add/remove programs?
All times are GMT.