Solved

Changes in IE default pages, etc.. - Detected by SpySweeper.

Posted on 2004-08-29
15
539 Views
Last Modified: 2008-03-06
Hai Experts,

I have 2 Questions:

(1)

With my SpySweeper activated, i get (everytime i restart i get this.)

----------------------------------------------------------------------------------------------------
Internet Explorer Hijack Shield

SysSweeper has detected changes in your IE default pages, such as the search page.

To Restore the new .................  
-----------------------------------------------------------------------------------------------------

(2)

If i enter invalid URL, along with  'Page not found' i get texts like: search on the web ......
If i deactivate some of my application in my SystemStart ( from 'msconfig' command), the problem is solved.

My Quetion is how i can permanently remove these unnecessary applications from my system.

Thanks
0
Comment
Question by:ldbkutty
  • 6
  • 5
  • 2
  • +2
15 Comments
 
LVL 65

Assisted Solution

by:SheharyaarSaahil
SheharyaarSaahil earned 400 total points
ID: 11927741
Hello ldbkutty =)

Download these tools and install them:
========================================================
AdAware ==> http://www.spychecker.com/program/adaware.html
SpyBot  ==> http://www.spychecker.com/program/spybot.html
SpySweeper >> http://www.spychecker.com/program/spysweeper.html
SpywareBlaster >> http://www.spychecker.com/program/spywareblaster.html
CoolWebShredder ==> http://www.spychecker.com/program/coolwebshredder.html
Stinger >> http://vil.nai.com/vil/stinger
========================================================

then Run them one by one in SAFEMODE to delete everything they detect !!!!

After that reboot back in Normal Mode and if u still face the problem, then Download HijackThis v1.98.2, run it, Save the LOG file and Post it here:
http://tools.radiosplace.com/HijackThis.exe
0
 
LVL 32

Author Comment

by:ldbkutty
ID: 11927756
>> then Run them one by one in SAFEMODE to delete everything they detect !!!!
>> After that reboot back in Normal Mode.

Could you please tell me what does SAFEMODE and Normal Mode here?

Thanks.
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 11927771
Normal Mode is that mode in which u are running ur system now, with all devices and background applications and services :)

and Safemode means there will be no additional devices, background services and applications... this mode is basically for troubleshooting windows problems..... and as most of the spywares and viruses run their files in background in normal mode, they can interrupt with the Removal tools and cannot be deleted easily.... so we run those tools in Safemode :)

How to get into safemode >> http://www.computerhope.com/issues/chsafe.htm

Also one more thing,,,,, in ur msconfig>Startup section, untick all applications, and just leave the ones which are for ur Antivirus and Firewall softwares.... :)
0
 
LVL 32

Author Comment

by:ldbkutty
ID: 11927772
oh, yeah Ok...its system safemode and normal mode...

will back soon, thanks again.
0
 
LVL 32

Author Comment

by:ldbkutty
ID: 11927832
Hi,

With Spybot, I removed some spywares and adwares.

but everytime, i scan with Spybot, it shows me 'DSO Exploit'. Even though i removed it, if i scan again, i get the same problem.

Pls tell me how i cna get rid of it.

Thanks.
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 11927836
Now as u have scanned with the above tools... can u post here the LOG from hijakcthis scan :)
and these DSO Exploits are nothing but just a BUG in Spybot..... visit this page for some solutions to this problem.

Spybot keeps finding DSO exploit
http://www.computing.net/windowsxp/wwwboard/forum/104837.html
0
 
LVL 32

Author Comment

by:ldbkutty
ID: 11927932
I am getting the problem still....(i thought a spy toolbar went out if i disabled some things in SystemStart, but its still there) :-(

Please have a look at this:

http://jaggybala.clawz.com/CalendarTool/SpywareProblem.JPG

( A toolbar below 'Google' pop-up blocker and error page which is weird.)
0
Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

 
LVL 32

Author Comment

by:ldbkutty
ID: 11927933
This is my Log File.

Logfile of HijackThis v1.98.2
Scan saved at 02:28:45, on 08/30/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\QuickTime\qttask.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\PROGRA~1\LAUNCH~1\CPLBCL53.EXE
C:\Programme\Webroot\Spy Sweeper\SpySweeper.exe
D:\Backups\Phone-Applications\hotfoon4.exe
C:\Programme\Webroot\Shredder\spshredder.exe
C:\PROGRA~1\EASYPH~1\Apache\apache.exe
C:\PROGRA~1\EASYPH~1\MySql\bin\mysqld.exe
C:\Programme\Norton AntiVirus\navapsvc.exe
C:\Programme\Norton AntiVirus\SAVScan.exe
C:\PROGRA~1\EASYPH~1\Apache\apache.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\PROGRA~1\NORTON~1\navw32.exe
C:\Programme\Internet Explorer\iexplore.exe
c:\progra~1\intern~1\iexplore.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\SmartFTP\SmartFTP.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Dokumente und Einstellungen\jaggy\Desktop\protect-computer\HijackThis.exe
C:\Programme\Messenger\msmsgs.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.ozpteqhxwdglyzw.com/Xb/Kg89Ik0_z_L8LKd0zYlU2DbYQOtVZohCG3GWNpFejqsT_mAZ30feuuBG0zMHQ.html
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NetPumper] "C:\Programme\NetPumper\NetPumperIEProxy.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [mouseElf] C:\PROGRA~1\GENIUS~1\GNETMOUS.EXE
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\CPLBCL53.EXE
O4 - HKLM\..\Run: [OnlineCdrom] C:\PROGRA~1\ATOMDE~1\32third.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Programme\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [HOTFOON2] D:\Backups\Phone-Applications\hotfoon4.exe /h
O4 - HKCU\..\Run: [Spam Shredder] "C:\Programme\Webroot\Shredder\spshredder.exe" -tray
O4 - HKCU\..\RunOnce: [unPopUpWasher] unPopUpWasher.exe rm
O4 - Startup: WinMySQLadmin.lnk = C:\Dokumente und Einstellungen\jaggy\Desktop\mysql4\mysql-4.1.1a-alpha\bin\winmysqladmin.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\programme\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\programme\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\programme\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download with NetPumper - C:\Programme\NetPumper\AddUrl.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\programme\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\programme\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_3us.cab
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/BM2/BM2.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.dotphoto.com/XUpload.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{1805A68D-44FB-49C5-A9E6-1E9EE9AD81AF}: NameServer = 141.44.1.2,141.44.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{EB873E8C-D6D6-4749-8FF7-93D8DD601200}: NameServer = 141.44.1.2,141.44.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{1805A68D-44FB-49C5-A9E6-1E9EE9AD81AF}: NameServer = 141.44.1.2,141.44.1.1


Thanks.
0
 
LVL 65

Accepted Solution

by:
SheharyaarSaahil earned 400 total points
ID: 11927938
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.ozpteqhxwdglyzw.com/Xb/Kg89Ik0_z_L8LKd0zYlU2DbYQOtVZohCG3GWNpFejqsT_mAZ30feuuBG0zMHQ.html
==============================

Close all Explroer windows, then check this line and click on Fix Checked !!!!
restart and now check for the problem ??
0
 
LVL 1

Expert Comment

by:Extortioner15
ID: 11933054
with Hijackthis, delete:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.ozpteqhxwdglyzw.com/Xb/Kg89Ik0_z_L8LKd0zYlU2DbYQOtVZohCG3GWNpFejqsT_mAZ30feuuBG0zMHQ.html

then run CWShredder again, and if that doesnt help, I suggest you use StartpageGuard ( http://www.webattack.com/get/startpageguard.shtml )

Happy (and safe) Surfing
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 11933094
Extortioner15 ..... repeating what an Expert has already suggested is not Allowed :)
0
 
LVL 1

Expert Comment

by:Extortioner15
ID: 11933169
I did not repeat an answer, I suggested you were right and I said if that didnt work, he had to install Startpageguard!
Now lets stay ontopc shall we?
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 11933205
>>  I suggested you were right and I said if that didnt work, he had to install Startpageguard!
well u didn't mention abt me even there..... but never mind,,,, leave it !!!! :)
0
 
LVL 4

Expert Comment

by:EFernandes
ID: 11933526
If you still can't solve the problem, try the SpyBot Search&Destroy. You can find it at http://beam.to/spybotsd
Good luck
0
 
LVL 6

Assisted Solution

by:nomi17
nomi17 earned 100 total points
ID: 11935668
Spybot cleans out the DSO Exploit but there is a registry entry that needs to be modified so that
Spybot will not list it again.  Only follow these instructions if you are comfortable modifying the registry.
It is also recommended to back up your registry before making any changes.
Otherwise you can leave it.  No harm being done.

Click Run -> regedit
Find the following:

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0

On the left pane delete 1004
On the left pane right click to add a New DWord value

Name it 1004
Double click to open this entry and enter a value of 3 (hex base)

Close the Registry.

Now when you run SpyBot it will no longer detect the DSO Exploit.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Malicius website protection from system 32? 15 74
Help with possible virus 16 135
Info tools for social network surveillance 12 109
antivirus on mac 8 73
As more computers now shipped with 64-bit version of Windows, more users are now using this Operating System.  So it's important to be aware how some 32-bit diagnostic tool works on these systems, so we know what to expect when analyzing the logs an…
For those of you actively in the Malware fightling business, we now have available an amazing new tool in the malware wars (first recommended to me by rpggamergirl (http://www.experts-exchange.com/M_3598771.html), the Zone Advisor for the Virus and …
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now