Solved

0websearch.com hijack

Posted on 2004-08-27
3
3,200 Views
Last Modified: 2010-04-11
My start page has been hijacked by 0websearch.com, which is another Cool Web Search variant.  I've tried using:
AdAware
Spybot
CWSshredder
But 0websearch keeps coming back.  It's also slowing my internet access down to a standstill.
Here's my HijackThis log:
Logfile of HijackThis v1.98.0
Scan saved at 10:09:27 AM, on 08/27/2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\inetdata\services.exe
C:\Documents and Settings\Matt A\Application Data\tnbt.exe
C:\WINDOWS\System32\gwbg.exe
C:\WINDOWS\System32\dllcache\IExplore.exe
C:\Program Files\Winad Client\Winad.exe
C:\Program Files\Winad Client\WinClt.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\temp\msbb.exe
C:\Program Files\Internet Optimizer\actalert.exe
C:\WINDOWS\System32\ckfgdti.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\taskmgr.exe
C:\WINDOWS\System32\rasmxs.exe
C:\Documents and Settings\Matt A\My Documents\Mike\HijackThis.exe
C:\Program Files\Web_Rebates\WebRebates0.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = ,
R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = ,
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = res://C:\WINDOWS\system32\shdocpe.dll/asst.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.0websearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = res://C:\WINDOWS\system32\shdocpe.dll/asst.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\shdocpe.dll/asst.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\WINDOWS\system32\shdocpe.dll/asst.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\shdocpe.dll/asst.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\WINDOWS\system32\shdocpe.dll/asst.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem219.dll
O2 - BHO: twaintecObj Class - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {16F13950-E111-09C2-8752-62550DA17332} - C:\WINDOWS\System32\zrjwy.dll
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem301.dll
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll
O2 - BHO: Url Catcher - {CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1} - C:\WINDOWS\System32\apuc.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\Program Files\ISTbar\istbar.dll
O4 - HKLM\..\Run: [intdctrr] C:\WINDOWS\System32\idctup20.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iexplore.exe] C:\WINDOWS\winlogon.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetdata\services.exe
O4 - HKLM\..\Run: [Winad Client] C:\Program Files\Winad Client\Winad.exe
O4 - HKLM\..\Run: [msbb] c:\temp\msbb.exe
O4 - HKLM\..\Run: [snwhgh] C:\WINDOWS\snwhgh.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [lctncrnu] C:\WINDOWS\System32\ckfgdti.exe
O4 - HKLM\..\RunOnce: [djtopr1150.exe] "C:\DOCUME~1\MATTA~1\LOCALS~1\Temp\djtopr1150.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [window.exe] C:\WINDOWS\System32\window.exe
O4 - HKCU\..\Run: [rasmxs] C:\WINDOWS\System32\rasmxs.exe
O4 - HKCU\..\Run: [Eedh] C:\Documents and Settings\Matt A\Application Data\tnbt.exe
O4 - HKCU\..\Run: [Rektaso] C:\WINDOWS\System32\gwbg.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inetdata\services.exe
O4 - Startup: Download Plus.lnk = C:\Documents And Settings\Matt A\Application Data\DownloadPlus.exe
O4 - Global Startup: MiniEYE-MiniREAD Launch.lnk = C:\Program Files\Infinite Mind LC\eyeQ\ARLaunch.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O15 - Trusted Zone: www.mt-download.com
O15 - Trusted Zone: install.xxxtoolbar.com
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=1410034e63421c6276e37e8bf5645952a3eebe92994e27fb038ef9aab2dbb5f64b3c03d8bbaecff2c425caf87b9b80472aee6c343a4777936cdd3c9f8fc88041:13f5dbdd0db4740d5e4c040db7735484
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{A6ABE48A-7713-4175-BB29-ECA56A702AD8}: NameServer = 65.32.1.73,65.32.2.146
O17 - HKLM\System\CS1\Services\Tcpip\..\{A6ABE48A-7713-4175-BB29-ECA56A702AD8}: NameServer = 65.32.1.73,65.32.2.146
O17 - HKLM\System\CS2\Services\Tcpip\..\{A6ABE48A-7713-4175-BB29-ECA56A702AD8}: NameServer = 65.32.1.73,65.32.2.146

HELP! I can't get anything done with this things slowing me down.  Help ASAP!
0
Comment
Question by:themikecooke
  • 2
3 Comments
 
LVL 65

Accepted Solution

by:
SheharyaarSaahil earned 500 total points
ID: 11914053
Hello themikecooke =)

Ok so First Download these tools and install them:
========================================================
AdAware ==> http://www.spychecker.com/program/adaware.html
SpyBot  ==> http://www.spychecker.com/program/spybot.html
SpySweeper >> http://www.spychecker.com/program/spysweeper.html
SpywareBlaster >> http://www.spychecker.com/program/spywareblaster.html
CoolWebShredder ==> http://www.spychecker.com/program/coolwebshredder.html
About:Buster ==> http://www.downloads.subratam.org/AboutBuster.zip
Stinger >> http://vil.nai.com/vil/stinger
========================================================
then TURN OFF ur system Restore and Fix the Following etnries !!!!

========================================================
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = ,
R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = ,
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = res://C:\WINDOWS\system32\shdocpe.dll/asst.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.0websearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = res://C:\WINDOWS\system32\shdocpe.dll/asst.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\shdocpe.dll/asst.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\WINDOWS\system32\shdocpe.dll/asst.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\shdocpe.dll/asst.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\WINDOWS\system32\shdocpe.dll/asst.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem219.dll
O2 - BHO: twaintecObj Class - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {16F13950-E111-09C2-8752-62550DA17332} - C:\WINDOWS\System32\zrjwy.dll
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem301.dll
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll
O2 - BHO: Url Catcher - {CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1} - C:\WINDOWS\System32\apuc.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\Program Files\ISTbar\istbar.dll
O4 - HKLM\..\Run: [intdctrr] C:\WINDOWS\System32\idctup20.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iexplore.exe] C:\WINDOWS\winlogon.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetdata\services.exe
O4 - HKLM\..\Run: [Winad Client] C:\Program Files\Winad Client\Winad.exe
O4 - HKLM\..\Run: [msbb] c:\temp\msbb.exe
O4 - HKLM\..\Run: [snwhgh] C:\WINDOWS\snwhgh.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [lctncrnu] C:\WINDOWS\System32\ckfgdti.exe
O4 - HKLM\..\RunOnce: [djtopr1150.exe] "C:\DOCUME~1\MATTA~1\LOCALS~1\Temp\djtopr1150.exe"
O4 - HKCU\..\Run: [window.exe] C:\WINDOWS\System32\window.exe
O4 - HKCU\..\Run: [rasmxs] C:\WINDOWS\System32\rasmxs.exe
O4 - HKCU\..\Run: [Eedh] C:\Documents and Settings\Matt A\Application Data\tnbt.exe
O4 - HKCU\..\Run: [Rektaso] C:\WINDOWS\System32\gwbg.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inetdata\services.exe
O15 - Trusted Zone: install.xxxtoolbar.com
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=1410034e63421c6276e37e8bf5645952a3eebe92994e27fb038ef9aab2dbb5f64b3c03d8bbaecff2c42
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab
======================================================================

Then Disable ur Messenger Service if its running >> http://www.itc.virginia.edu/desktop/docs/messagepopup/
After that Follow these Instructions:

1. Restart ur machine
2. Boot into safemode and Login as Administrator
3. Run the AntiVirus tool(Stinger) and delete all viruses it found
4. Run the Above Spyware Removal tools and delete everything they detect
5. Then goto My Computer>Tools>Folder Options>View and turn on the feature of Show Hidden Files
6. Goto C:\Documents and Settings\ur usernmae\Local Settings\Temp and delete all files present here
7. Goto C:\Documents and Settings\ur usernmae\Local Settings\Temporary Internet Files, and delete the folder of ContentIE
8. Goto C:\Documents and Settings\ur usernmae\Cookies, and delete all cookies present here.
9. Reboot back in Normal Mode and check if problems are gone
10. If YES then Great, otherwise run the Hijakcthis scan, and post the LOG file here again.

!! GOOD LUCK !!
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 11914067
and for more info. on gettinmd rid of that res:// hijakcer, u can follow the instruction here also >> http://www.pchell.com/support/onlythebest.shtml
0
 
LVL 1

Expert Comment

by:ekummel
ID: 11919303
Do this:
Go to this directory:
C:\WINNT\Downloaded Program Files (or if you're XP, then it's: C:\Windows\Downloaded Program Files)
You will see a bunch of files. Look under the column called "Status". Look at the ones that say "Installed"
Now, right click on one and select "Properties". Under the "General" Tab, look at the line that says "Codebase". This is usually a URL. This URL will most likely be the website that is giving you the problem. It will say something like "http://www.0websearch.com"
Keep on right-clicking and checking the properties of all these files until you find the one that looks suspicious (you can narrow the choices down by looking at the creation data column and finding only those that coorespond to the timeframe when this started)
Once you find the one you're looking for, right click on the file and select "remove"

This should solve your problem.
Ed
web/gadget guru
0

Featured Post

Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

With healthcare moving into the digital age with things like Healthcare.gov, the digitization of patient records and video conferencing with patients, data has a much greater chance of being exposed than ever before.
As technology users and professionals, we’re always learning. Our universal interest in advancing our knowledge of the trade is unmatched by most industries. It’s a curiosity that makes sense, given the climate of change. Within that, there lies a…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

776 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question