Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Infected With Inqwire Search

  • This topic is locked This topic is locked
5 replies to this topic

#1 nonplus


  • Members
  • 3 posts
  • Local time:06:18 AM

Posted 14 November 2005 - 04:08 PM

Hi there,

I've recently been infected with Inqwire Search popups. 95% of the time, I use Firefox to browse, but Inqwire popups pop up in IE, often when I'm not even browsing the web. It happens a lot more when I first boot the computer, then stops until the next time I reboot. I've run Ad-Aware, Spybot, Norton, TrendMicro, and a few others, and none of them can find the problem. Here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 4:05:03 PM, on 11/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
E:\Program Files\Daemon\daemon.exe
E:\Program Files\Microsoft Hardware\Mouse\point32.exe
E:\Program Files\Common Files\Symantec Shared\ccApp.exe
E:\Program Files\Azureus\Azureus.exe
E:\Program Files\Trillian\trillian.exe
E:\Program Files\Java\jre1.5.0_04\bin\javaw.exe
E:\Program Files\SAV\DefWatch.exe
E:\Program Files\SAV\Rtvscan.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - E:\Program Files\GetRight\xx2gr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\Spybot\SDHelper.dll
O4 - HKLM\..\Run: [DAEMON Tools-1033] "E:\Program Files\Daemon\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [HotKeysCmds] E:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [ccApp] "E:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] E:\PROGRA~1\SAV\VPTray.exe
O4 - HKCU\..\Run: [AWMON] "E:\PROGRA~1\AD-AWA~1.06\Ad-Watch.exe"
O4 - Startup: Azureus.lnk = E:\Program Files\Azureus\Azureus.exe
O4 - Startup: Trillian.lnk = E:\Program Files\Trillian\trillian.exe
O8 - Extra context menu item: Download with GetRight - E:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - E:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1120623225671
O16 - DPF: {70647AB5-18FD-4142-82B0-5852478DD0D4} (Keynote Connector Launcher) - http://xms.keynote.com/applications/connec...torLauncher.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: igfxcui - E:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - E:\WINDOWS\system32\NavLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - E:\Program Files\SAV\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel PDS - LANDesk Software Ltd. - E:\WINDOWS\system32\CBA\pds.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - E:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - E:\Program Files\SAV\Rtvscan.exe

Thanks for any help you can give me.

BC AdBot (Login to Remove)


#2 JG427


  • Members
  • 241 posts
  • Local time:06:18 AM

Posted 18 November 2005 - 06:21 PM

Hi, nonplus.

As you might have guessed, hijackthis does not show any infection.
I suspect that internet explorer is allowing the popups.

Let's try the following steps:

Install a hosts file to block many bad sites and advertisers, including inqwire related sites and links.
Blocking Unwanted Parasites with a Hosts File
Once the hosts file is downloaded, place it in the folder at C:\WINDOWS\SYSTEM32\DRIVERS\ETC.

Download and install IE-Spyad.
IE-SPYAD is a Registry file (IE-ADS.REG) that adds a long list of sites and domains associated with known advertisers, marketers, and crapware pushers to the Restricted sites zone of Internet Explorer.

Download CCleaner and run the installer.
CCleaner is a utility that will remove unused and temporary files from your system.
Before running ccleaner, uncheck cookies on the windows and applications tabs, if you have cookies you do not want to remove.
Click the run cleaner button, allow it to run, then exit.

If you would like to turn the hosts file off and back on or to back it up, download the Hoster from here.
Create a new folder for hoster and unzip into the folder.
Start hoster and you should see your hosts file listed on the left.
Click the " backup hosts file" button
To turn off the hosts file, click the restore hosts button or remove all blocked items button.
To turn it back on, click "restore backup hosts file"

Try going to www.inqwire.com with your hosts file on.
You should get page cannot be displayed and see a red icon in the lower right corner that says restricted sites ( from the IE-SPYAD list)

Did this stop your Inqwire Search popups?
Posted Image

#3 nonplus

  • Topic Starter

  • Members
  • 3 posts
  • Local time:06:18 AM

Posted 22 November 2005 - 12:35 PM

Thanks JG427.

It's been about 4 days and no popups so far (but then again they weren't a daily occurrence).

Anyway, things look pretty good so far.

Feel free to close this thread, and if I have this problem again, I can simply start a new thread listing all of the steps I've taken.

Thank you.

#4 JG427


  • Members
  • 241 posts
  • Local time:06:18 AM

Posted 22 November 2005 - 04:48 PM

That's good news so far!

If you wouldn't mind, maybe you can reply again with an update in a few days.
I would like to verify that these steps solved the problem.

From what I have read, the problem is that a javascript from a third party advertiser is allowed to run when you visit some web pages.
IE-SPYAD kicks many of those sites into the restricted zone which does not allow active scripting.
Any sites in the hosts file will not be allowed to load at all, which includes ad links within the web page you visit.

You will need to update both programs when updates are available.
Updates are announced in the software forum at SpywareInfo.

The author of IE-SPYAD has more tips to secure internet explorer at his site.
Protecting Your Privacy & Security
Check under browser configuration.
Posted Image

#5 nonplus

  • Topic Starter

  • Members
  • 3 posts
  • Local time:06:18 AM

Posted 30 November 2005 - 10:42 PM

8 days later, and still no problems.

I suspect that a program that was running (Quotetracker), which had ads cycle on it, may have had an ad that allowed javascript or something to run and start opening popups. Seems to be fine now with the changes.

Thank you.

Edited by nonplus, 30 November 2005 - 10:43 PM.

#6 JG427


  • Members
  • 241 posts
  • Local time:06:18 AM

Posted 30 November 2005 - 11:09 PM

Glad we could help. :thumbsup:

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread.
This applies only to the original topic starter. Everyone else please begin a New Topic.
Posted Image

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users