Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 561
  • Last Modified:

Changes in IE default pages, etc.. - Detected by SpySweeper.

Hai Experts,

I have 2 Questions:

(1)

With my SpySweeper activated, i get (everytime i restart i get this.)

----------------------------------------------------------------------------------------------------
Internet Explorer Hijack Shield

SysSweeper has detected changes in your IE default pages, such as the search page.

To Restore the new .................  
-----------------------------------------------------------------------------------------------------

(2)

If i enter invalid URL, along with  'Page not found' i get texts like: search on the web ......
If i deactivate some of my application in my SystemStart ( from 'msconfig' command), the problem is solved.

My Quetion is how i can permanently remove these unnecessary applications from my system.

Thanks
0
ldbkutty
Asked:
ldbkutty
  • 6
  • 5
  • 2
  • +2
3 Solutions
 
SheharyaarSaahilCommented:
Hello ldbkutty =)

Download these tools and install them:
========================================================
AdAware ==> http://www.spychecker.com/program/adaware.html
SpyBot  ==> http://www.spychecker.com/program/spybot.html
SpySweeper >> http://www.spychecker.com/program/spysweeper.html
SpywareBlaster >> http://www.spychecker.com/program/spywareblaster.html
CoolWebShredder ==> http://www.spychecker.com/program/coolwebshredder.html
Stinger >> http://vil.nai.com/vil/stinger
========================================================

then Run them one by one in SAFEMODE to delete everything they detect !!!!

After that reboot back in Normal Mode and if u still face the problem, then Download HijackThis v1.98.2, run it, Save the LOG file and Post it here:
http://tools.radiosplace.com/HijackThis.exe
0
 
ldbkuttyAuthor Commented:
>> then Run them one by one in SAFEMODE to delete everything they detect !!!!
>> After that reboot back in Normal Mode.

Could you please tell me what does SAFEMODE and Normal Mode here?

Thanks.
0
 
SheharyaarSaahilCommented:
Normal Mode is that mode in which u are running ur system now, with all devices and background applications and services :)

and Safemode means there will be no additional devices, background services and applications... this mode is basically for troubleshooting windows problems..... and as most of the spywares and viruses run their files in background in normal mode, they can interrupt with the Removal tools and cannot be deleted easily.... so we run those tools in Safemode :)

How to get into safemode >> http://www.computerhope.com/issues/chsafe.htm

Also one more thing,,,,, in ur msconfig>Startup section, untick all applications, and just leave the ones which are for ur Antivirus and Firewall softwares.... :)
0
Who's Defending Your Organization from Threats?

Protecting against advanced threats requires an IT dream team – a well-oiled machine of people and solutions working together to defend your organization. Download our resource kit today to learn more about the tools you need to build you IT Dream Team!

 
ldbkuttyAuthor Commented:
oh, yeah Ok...its system safemode and normal mode...

will back soon, thanks again.
0
 
ldbkuttyAuthor Commented:
Hi,

With Spybot, I removed some spywares and adwares.

but everytime, i scan with Spybot, it shows me 'DSO Exploit'. Even though i removed it, if i scan again, i get the same problem.

Pls tell me how i cna get rid of it.

Thanks.
0
 
SheharyaarSaahilCommented:
Now as u have scanned with the above tools... can u post here the LOG from hijakcthis scan :)
and these DSO Exploits are nothing but just a BUG in Spybot..... visit this page for some solutions to this problem.

Spybot keeps finding DSO exploit
http://www.computing.net/windowsxp/wwwboard/forum/104837.html
0
 
ldbkuttyAuthor Commented:
I am getting the problem still....(i thought a spy toolbar went out if i disabled some things in SystemStart, but its still there) :-(

Please have a look at this:

http://jaggybala.clawz.com/CalendarTool/SpywareProblem.JPG

( A toolbar below 'Google' pop-up blocker and error page which is weird.)
0
 
ldbkuttyAuthor Commented:
This is my Log File.

Logfile of HijackThis v1.98.2
Scan saved at 02:28:45, on 08/30/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\QuickTime\qttask.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\PROGRA~1\LAUNCH~1\CPLBCL53.EXE
C:\Programme\Webroot\Spy Sweeper\SpySweeper.exe
D:\Backups\Phone-Applications\hotfoon4.exe
C:\Programme\Webroot\Shredder\spshredder.exe
C:\PROGRA~1\EASYPH~1\Apache\apache.exe
C:\PROGRA~1\EASYPH~1\MySql\bin\mysqld.exe
C:\Programme\Norton AntiVirus\navapsvc.exe
C:\Programme\Norton AntiVirus\SAVScan.exe
C:\PROGRA~1\EASYPH~1\Apache\apache.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\PROGRA~1\NORTON~1\navw32.exe
C:\Programme\Internet Explorer\iexplore.exe
c:\progra~1\intern~1\iexplore.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\SmartFTP\SmartFTP.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Dokumente und Einstellungen\jaggy\Desktop\protect-computer\HijackThis.exe
C:\Programme\Messenger\msmsgs.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.ozpteqhxwdglyzw.com/Xb/Kg89Ik0_z_L8LKd0zYlU2DbYQOtVZohCG3GWNpFejqsT_mAZ30feuuBG0zMHQ.html
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NetPumper] "C:\Programme\NetPumper\NetPumperIEProxy.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [mouseElf] C:\PROGRA~1\GENIUS~1\GNETMOUS.EXE
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\CPLBCL53.EXE
O4 - HKLM\..\Run: [OnlineCdrom] C:\PROGRA~1\ATOMDE~1\32third.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Programme\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [HOTFOON2] D:\Backups\Phone-Applications\hotfoon4.exe /h
O4 - HKCU\..\Run: [Spam Shredder] "C:\Programme\Webroot\Shredder\spshredder.exe" -tray
O4 - HKCU\..\RunOnce: [unPopUpWasher] unPopUpWasher.exe rm
O4 - Startup: WinMySQLadmin.lnk = C:\Dokumente und Einstellungen\jaggy\Desktop\mysql4\mysql-4.1.1a-alpha\bin\winmysqladmin.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\programme\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\programme\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\programme\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download with NetPumper - C:\Programme\NetPumper\AddUrl.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\programme\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\programme\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_3us.cab
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/BM2/BM2.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.dotphoto.com/XUpload.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{1805A68D-44FB-49C5-A9E6-1E9EE9AD81AF}: NameServer = 141.44.1.2,141.44.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{EB873E8C-D6D6-4749-8FF7-93D8DD601200}: NameServer = 141.44.1.2,141.44.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{1805A68D-44FB-49C5-A9E6-1E9EE9AD81AF}: NameServer = 141.44.1.2,141.44.1.1


Thanks.
0
 
SheharyaarSaahilCommented:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.ozpteqhxwdglyzw.com/Xb/Kg89Ik0_z_L8LKd0zYlU2DbYQOtVZohCG3GWNpFejqsT_mAZ30feuuBG0zMHQ.html
==============================

Close all Explroer windows, then check this line and click on Fix Checked !!!!
restart and now check for the problem ??
0
 
Extortioner15Commented:
with Hijackthis, delete:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.ozpteqhxwdglyzw.com/Xb/Kg89Ik0_z_L8LKd0zYlU2DbYQOtVZohCG3GWNpFejqsT_mAZ30feuuBG0zMHQ.html

then run CWShredder again, and if that doesnt help, I suggest you use StartpageGuard ( http://www.webattack.com/get/startpageguard.shtml )

Happy (and safe) Surfing
0
 
SheharyaarSaahilCommented:
Extortioner15 ..... repeating what an Expert has already suggested is not Allowed :)
0
 
Extortioner15Commented:
I did not repeat an answer, I suggested you were right and I said if that didnt work, he had to install Startpageguard!
Now lets stay ontopc shall we?
0
 
SheharyaarSaahilCommented:
>>  I suggested you were right and I said if that didnt work, he had to install Startpageguard!
well u didn't mention abt me even there..... but never mind,,,, leave it !!!! :)
0
 
EFernandesCommented:
If you still can't solve the problem, try the SpyBot Search&Destroy. You can find it at http://beam.to/spybotsd
Good luck
0
 
nomi17Commented:
Spybot cleans out the DSO Exploit but there is a registry entry that needs to be modified so that
Spybot will not list it again.  Only follow these instructions if you are comfortable modifying the registry.
It is also recommended to back up your registry before making any changes.
Otherwise you can leave it.  No harm being done.

Click Run -> regedit
Find the following:

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0

On the left pane delete 1004
On the left pane right click to add a New DWord value

Name it 1004
Double click to open this entry and enter a value of 3 (hex base)

Close the Registry.

Now when you run SpyBot it will no longer detect the DSO Exploit.
0

Featured Post

Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

  • 6
  • 5
  • 2
  • +2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now