themikecooke
asked on
0websearch.com hijack
My start page has been hijacked by 0websearch.com, which is another Cool Web Search variant. I've tried using:
AdAware
Spybot
CWSshredder
But 0websearch keeps coming back. It's also slowing my internet access down to a standstill.
Here's my HijackThis log:
Logfile of HijackThis v1.98.0
Scan saved at 10:09:27 AM, on 08/27/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\inetdata\services.exe
C:\Documents and Settings\Matt A\Application Data\tnbt.exe
C:\WINDOWS\System32\gwbg.exe
C:\WINDOWS\System32\dllcache\IExplore.exe
C:\Program Files\Winad Client\Winad.exe
C:\Program Files\Winad Client\WinClt.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\temp\msbb.exe
C:\Program Files\Internet Optimizer\actalert.exe
C:\WINDOWS\System32\ckfgdti.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\taskmgr.exe
C:\WINDOWS\System32\rasmxs.exe
C:\Documents and Settings\Matt A\My Documents\Mike\HijackThis.exe
C:\Program Files\Web_Rebates\WebRebates0.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = ,
R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = ,
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = res://C:\WINDOWS\system32\shdocpe.dll/asst.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.0websearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = res://C:\WINDOWS\system32\shdocpe.dll/asst.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\shdocpe.dll/asst.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\WINDOWS\system32\shdocpe.dll/asst.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\shdocpe.dll/asst.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\WINDOWS\system32\shdocpe.dll/asst.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem219.dll
O2 - BHO: twaintecObj Class - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {16F13950-E111-09C2-8752-62550DA17332} - C:\WINDOWS\System32\zrjwy.dll
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem301.dll
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll
O2 - BHO: Url Catcher - {CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1} - C:\WINDOWS\System32\apuc.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\Program Files\ISTbar\istbar.dll
O4 - HKLM\..\Run: [intdctrr] C:\WINDOWS\System32\idctup20.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iexplore.exe] C:\WINDOWS\winlogon.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetdata\services.exe
O4 - HKLM\..\Run: [Winad Client] C:\Program Files\Winad Client\Winad.exe
O4 - HKLM\..\Run: [msbb] c:\temp\msbb.exe
O4 - HKLM\..\Run: [snwhgh] C:\WINDOWS\snwhgh.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [lctncrnu] C:\WINDOWS\System32\ckfgdti.exe
O4 - HKLM\..\RunOnce: [djtopr1150.exe] "C:\DOCUME~1\MATTA~1\LOCALS~1\Temp\djtopr1150.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [window.exe] C:\WINDOWS\System32\window.exe
O4 - HKCU\..\Run: [rasmxs] C:\WINDOWS\System32\rasmxs.exe
O4 - HKCU\..\Run: [Eedh] C:\Documents and Settings\Matt A\Application Data\tnbt.exe
O4 - HKCU\..\Run: [Rektaso] C:\WINDOWS\System32\gwbg.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inetdata\services.exe
O4 - Startup: Download Plus.lnk = C:\Documents And Settings\Matt A\Application Data\DownloadPlus.exe
O4 - Global Startup: MiniEYE-MiniREAD Launch.lnk = C:\Program Files\Infinite Mind LC\eyeQ\ARLaunch.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O15 - Trusted Zone: www.mt-download.com
O15 - Trusted Zone: install.xxxtoolbar.com
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=1410034e63421c6276e37e8bf5645952a3eebe92994e27fb038ef9aab2dbb5f64b3c03d8bbaecff2c425caf87b9b80472aee6c343a4777936cdd3c9f8fc88041:13f5dbdd0db4740d5e4c040db7735484
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{A6ABE48A-7713-4175-BB29-ECA56A702AD8}: NameServer = 65.32.1.73,65.32.2.146
O17 - HKLM\System\CS1\Services\Tcpip\..\{A6ABE48A-7713-4175-BB29-ECA56A702AD8}: NameServer = 65.32.1.73,65.32.2.146
O17 - HKLM\System\CS2\Services\Tcpip\..\{A6ABE48A-7713-4175-BB29-ECA56A702AD8}: NameServer = 65.32.1.73,65.32.2.146
HELP! I can't get anything done with these things slowing me down. Help ASAP!
And for more info on getting rid of that res:// hijacker, you can follow the instructions here also >> http://www.pchell.com/support/onlythebest.shtml
Do this:
Go to this directory:
C:\WINNT\Downloaded Program Files (or if you're XP, then it's: C:\Windows\Downloaded Program Files)
You will see a bunch of files. Look under the column called "Status". Look at the ones that say "Installed".
Now, right click on one and select "Properties". Under the "General" tab, look at the line that says "Codebase". This is usually a URL. This URL will most likely be the website that is giving you the problem. It will say something like "http://www.0websearch.com".
Keep on right-clicking and checking the properties of all these files until you find the one that looks suspicious (you can narrow the choices down by looking at the creation date column and finding only those that correspond to the timeframe when this started).
Once you find the one you're looking for, right click on the file and select "Remove".
This should solve your problem.
Ed
web/gadget guru
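The Codebase check described in the answer above can also be run against the HijackThis log itself, because each "O16 - DPF" line records the codebase URL of one Downloaded Program Files entry. The following Python is an added example, not part of the original thread; the function names and the two-label domain comparison are assumptions made for illustration.

```python
import re
from urllib.parse import urlparse

# Lines copied from the HijackThis log in the question (spaces introduced by
# page extraction removed; the long query string on the first O16 line shortened).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.0websearch.com/
O15 - Trusted Zone: www.mt-download.com
O15 - Trusted Zone: install.xxxtoolbar.com
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=...
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
"""

DPF_RE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]{36}\})(?: \((.*?)\))? - (\S+)$")
ZONE_RE = re.compile(r"^O15 - Trusted Zone: (\S+)$")
START_RE = re.compile(r"^R[01] - .*\\Main,Start Page = (\S+)$")

def base_domain(host):
    """Last two DNS labels (assumption: ignores suffixes such as co.uk)."""
    return ".".join(host.lower().split(".")[-2:])

def host_of(value):
    """Host of a URL, or of a bare host name as written on O15 lines."""
    return urlparse(value if "://" in value else "//" + value).hostname or ""

def triage_dpf(log_text):
    """Return one dict per O16 entry with its codebase host and any other
    place in the same log (trusted zone, start page) sharing its domain."""
    seen = {}       # base domain -> where else in the log it appears
    entries = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        if m := ZONE_RE.match(line):
            seen.setdefault(base_domain(host_of(m[1])), []).append("trusted zone")
        elif m := START_RE.match(line):
            seen.setdefault(base_domain(host_of(m[1])), []).append("start page")
        elif m := DPF_RE.match(line):
            entries.append({"clsid": m[1], "name": m[2] or "", "host": host_of(m[3])})
    # Correlate after the full pass so line order in the log does not matter.
    for entry in entries:
        entry["also_seen_as"] = seen.get(base_domain(entry["host"]), [])
    return entries

if __name__ == "__main__":
    for entry in triage_dpf(SAMPLE_LOG):
        print(entry["clsid"], entry["host"], entry["also_seen_as"] or "-")
```

On the lines taken from this log, no O16 codebase shares a domain with the hijacked start page; the only overlap is the xxxtoolbar.com entry, which matches a Trusted Zone site.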