Changes in IE default pages, etc.. - Detected by SpySweeper.

Posted on 2004-08-29
Last Modified: 2008-03-06
Hai Experts,

I have 2 Questions:


With my SpySweeper activated, i get (everytime i restart i get this.)

Internet Explorer Hijack Shield

SysSweeper has detected changes in your IE default pages, such as the search page.

To Restore the new .................  


If i enter invalid URL, along with  'Page not found' i get texts like: search on the web ......
If i deactivate some of my application in my SystemStart ( from 'msconfig' command), the problem is solved.

My Quetion is how i can permanently remove these unnecessary applications from my system.

Question by:ldbkutty
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 5
  • 2
  • +2
LVL 65

Assisted Solution

SheharyaarSaahil earned 400 total points
ID: 11927741
Hello ldbkutty =)

Download these tools and install them:
AdAware ==>
SpyBot  ==>
SpySweeper >>
SpywareBlaster >>
CoolWebShredder ==>
Stinger >>

then Run them one by one in SAFEMODE to delete everything they detect !!!!

After that reboot back in Normal Mode and if u still face the problem, then Download HijackThis v1.98.2, run it, Save the LOG file and Post it here:
LVL 32

Author Comment

ID: 11927756
>> then Run them one by one in SAFEMODE to delete everything they detect !!!!
>> After that reboot back in Normal Mode.

Could you please tell me what does SAFEMODE and Normal Mode here?

LVL 65

Expert Comment

ID: 11927771
Normal Mode is that mode in which u are running ur system now, with all devices and background applications and services :)

and Safemode means there will be no additional devices, background services and applications... this mode is basically for troubleshooting windows problems..... and as most of the spywares and viruses run their files in background in normal mode, they can interrupt with the Removal tools and cannot be deleted easily.... so we run those tools in Safemode :)

How to get into safemode >>

Also one more thing,,,,, in ur msconfig>Startup section, untick all applications, and just leave the ones which are for ur Antivirus and Firewall softwares.... :)
Threat Trends for MSPs to Watch

See the findings.
Despite its humble beginnings, phishing has come a long way since those first crudely constructed emails. Today, phishing sites can appear and disappear in the length of a coffee break, and it takes more than a little know-how to keep your clients secure.

LVL 32

Author Comment

ID: 11927772
oh, yeah Ok...its system safemode and normal mode...

will back soon, thanks again.
LVL 32

Author Comment

ID: 11927832

With Spybot, I removed some spywares and adwares.

but everytime, i scan with Spybot, it shows me 'DSO Exploit'. Even though i removed it, if i scan again, i get the same problem.

Pls tell me how i cna get rid of it.

LVL 65

Expert Comment

ID: 11927836
Now as u have scanned with the above tools... can u post here the LOG from hijakcthis scan :)
and these DSO Exploits are nothing but just a BUG in Spybot..... visit this page for some solutions to this problem.

Spybot keeps finding DSO exploit
LVL 32

Author Comment

ID: 11927932
I am getting the problem still....(i thought a spy toolbar went out if i disabled some things in SystemStart, but its still there) :-(

Please have a look at this:

( A toolbar below 'Google' pop-up blocker and error page which is weird.)
LVL 32

Author Comment

ID: 11927933
This is my Log File.

Logfile of HijackThis v1.98.2
Scan saved at 02:28:45, on 08/30/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\Programme\Webroot\Spy Sweeper\SpySweeper.exe
C:\Programme\Norton AntiVirus\navapsvc.exe
C:\Programme\Norton AntiVirus\SAVScan.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Dokumente und Einstellungen\jaggy\Desktop\protect-computer\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NetPumper] "C:\Programme\NetPumper\NetPumperIEProxy.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [mouseElf] C:\PROGRA~1\GENIUS~1\GNETMOUS.EXE
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\CPLBCL53.EXE
O4 - HKLM\..\Run: [OnlineCdrom] C:\PROGRA~1\ATOMDE~1\32third.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Programme\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [HOTFOON2] D:\Backups\Phone-Applications\hotfoon4.exe /h
O4 - HKCU\..\Run: [Spam Shredder] "C:\Programme\Webroot\Shredder\spshredder.exe" -tray
O4 - HKCU\..\RunOnce: [unPopUpWasher] unPopUpWasher.exe rm
O4 - Startup: WinMySQLadmin.lnk = C:\Dokumente und Einstellungen\jaggy\Desktop\mysql4\mysql-4.1.1a-alpha\bin\winmysqladmin.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\programme\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\programme\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\programme\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download with NetPumper - C:\Programme\NetPumper\AddUrl.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\programme\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\programme\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} -
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} -
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{1805A68D-44FB-49C5-A9E6-1E9EE9AD81AF}: NameServer =,
O17 - HKLM\System\CCS\Services\Tcpip\..\{EB873E8C-D6D6-4749-8FF7-93D8DD601200}: NameServer =,
O17 - HKLM\System\CS1\Services\Tcpip\..\{1805A68D-44FB-49C5-A9E6-1E9EE9AD81AF}: NameServer =,

LVL 65

Accepted Solution

SheharyaarSaahil earned 400 total points
ID: 11927938
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

Close all Explroer windows, then check this line and click on Fix Checked !!!!
restart and now check for the problem ??

Expert Comment

ID: 11933054
with Hijackthis, delete:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

then run CWShredder again, and if that doesnt help, I suggest you use StartpageGuard ( )

Happy (and safe) Surfing
LVL 65

Expert Comment

ID: 11933094
Extortioner15 ..... repeating what an Expert has already suggested is not Allowed :)

Expert Comment

ID: 11933169
I did not repeat an answer, I suggested you were right and I said if that didnt work, he had to install Startpageguard!
Now lets stay ontopc shall we?
LVL 65

Expert Comment

ID: 11933205
>>  I suggested you were right and I said if that didnt work, he had to install Startpageguard!
well u didn't mention abt me even there..... but never mind,,,, leave it !!!! :)

Expert Comment

ID: 11933526
If you still can't solve the problem, try the SpyBot Search&Destroy. You can find it at
Good luck

Assisted Solution

nomi17 earned 100 total points
ID: 11935668
Spybot cleans out the DSO Exploit but there is a registry entry that needs to be modified so that
Spybot will not list it again.  Only follow these instructions if you are comfortable modifying the registry.
It is also recommended to back up your registry before making any changes.
Otherwise you can leave it.  No harm being done.

Click Run -> regedit
Find the following:

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0

On the left pane delete 1004
On the left pane right click to add a New DWord value

Name it 1004
Double click to open this entry and enter a value of 3 (hex base)

Close the Registry.

Now when you run SpyBot it will no longer detect the DSO Exploit.

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
How do I get rid of pop ups on my MAC? 9 2,942
EE experience on sites similar to VirusTotal? 4 163
Ransomware and encrypted backups 5 156
SMTP log file for IMSVA 5 72
Some site administrators might be considering how to filter incoming traffic to a site by identifying the domains or networks of the traffic source, in the same way that a spam filter does on an email server, such as blocking all emails sent from th…
HOW TO REMOTELY CLEAN MEROND.O WITH ESET SILENTLY PROBLEM       If you have the fortunate luck to contract the Merond.O virus on your network, it can be quite troublesome to remove as it propagates to network shares on your network. In my case, the …
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

737 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question