Solved

Changes in IE default pages, etc.. - Detected by SpySweeper.

Posted on 2004-08-29
15
535 Views
Last Modified: 2008-03-06
Hai Experts,

I have 2 Questions:

(1)

With my SpySweeper activated, i get (everytime i restart i get this.)

----------------------------------------------------------------------------------------------------
Internet Explorer Hijack Shield

SysSweeper has detected changes in your IE default pages, such as the search page.

To Restore the new .................  
-----------------------------------------------------------------------------------------------------

(2)

If i enter invalid URL, along with  'Page not found' i get texts like: search on the web ......
If i deactivate some of my application in my SystemStart ( from 'msconfig' command), the problem is solved.

My Quetion is how i can permanently remove these unnecessary applications from my system.

Thanks
0
Comment
Question by:ldbkutty
  • 6
  • 5
  • 2
  • +2
15 Comments
 
LVL 65

Assisted Solution

by:SheharyaarSaahil
SheharyaarSaahil earned 400 total points
Comment Utility
Hello ldbkutty =)

Download these tools and install them:
========================================================
AdAware ==> http://www.spychecker.com/program/adaware.html
SpyBot  ==> http://www.spychecker.com/program/spybot.html
SpySweeper >> http://www.spychecker.com/program/spysweeper.html
SpywareBlaster >> http://www.spychecker.com/program/spywareblaster.html
CoolWebShredder ==> http://www.spychecker.com/program/coolwebshredder.html
Stinger >> http://vil.nai.com/vil/stinger
========================================================

then Run them one by one in SAFEMODE to delete everything they detect !!!!

After that reboot back in Normal Mode and if u still face the problem, then Download HijackThis v1.98.2, run it, Save the LOG file and Post it here:
http://tools.radiosplace.com/HijackThis.exe
0
 
LVL 32

Author Comment

by:ldbkutty
Comment Utility
>> then Run them one by one in SAFEMODE to delete everything they detect !!!!
>> After that reboot back in Normal Mode.

Could you please tell me what does SAFEMODE and Normal Mode here?

Thanks.
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
Comment Utility
Normal Mode is that mode in which u are running ur system now, with all devices and background applications and services :)

and Safemode means there will be no additional devices, background services and applications... this mode is basically for troubleshooting windows problems..... and as most of the spywares and viruses run their files in background in normal mode, they can interrupt with the Removal tools and cannot be deleted easily.... so we run those tools in Safemode :)

How to get into safemode >> http://www.computerhope.com/issues/chsafe.htm

Also one more thing,,,,, in ur msconfig>Startup section, untick all applications, and just leave the ones which are for ur Antivirus and Firewall softwares.... :)
0
 
LVL 32

Author Comment

by:ldbkutty
Comment Utility
oh, yeah Ok...its system safemode and normal mode...

will back soon, thanks again.
0
 
LVL 32

Author Comment

by:ldbkutty
Comment Utility
Hi,

With Spybot, I removed some spywares and adwares.

but everytime, i scan with Spybot, it shows me 'DSO Exploit'. Even though i removed it, if i scan again, i get the same problem.

Pls tell me how i cna get rid of it.

Thanks.
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
Comment Utility
Now as u have scanned with the above tools... can u post here the LOG from hijakcthis scan :)
and these DSO Exploits are nothing but just a BUG in Spybot..... visit this page for some solutions to this problem.

Spybot keeps finding DSO exploit
http://www.computing.net/windowsxp/wwwboard/forum/104837.html
0
 
LVL 32

Author Comment

by:ldbkutty
Comment Utility
I am getting the problem still....(i thought a spy toolbar went out if i disabled some things in SystemStart, but its still there) :-(

Please have a look at this:

http://jaggybala.clawz.com/CalendarTool/SpywareProblem.JPG

( A toolbar below 'Google' pop-up blocker and error page which is weird.)
0
Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

 
LVL 32

Author Comment

by:ldbkutty
Comment Utility
This is my Log File.

Logfile of HijackThis v1.98.2
Scan saved at 02:28:45, on 08/30/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\QuickTime\qttask.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\PROGRA~1\LAUNCH~1\CPLBCL53.EXE
C:\Programme\Webroot\Spy Sweeper\SpySweeper.exe
D:\Backups\Phone-Applications\hotfoon4.exe
C:\Programme\Webroot\Shredder\spshredder.exe
C:\PROGRA~1\EASYPH~1\Apache\apache.exe
C:\PROGRA~1\EASYPH~1\MySql\bin\mysqld.exe
C:\Programme\Norton AntiVirus\navapsvc.exe
C:\Programme\Norton AntiVirus\SAVScan.exe
C:\PROGRA~1\EASYPH~1\Apache\apache.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\PROGRA~1\NORTON~1\navw32.exe
C:\Programme\Internet Explorer\iexplore.exe
c:\progra~1\intern~1\iexplore.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\SmartFTP\SmartFTP.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Dokumente und Einstellungen\jaggy\Desktop\protect-computer\HijackThis.exe
C:\Programme\Messenger\msmsgs.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.ozpteqhxwdglyzw.com/Xb/Kg89Ik0_z_L8LKd0zYlU2DbYQOtVZohCG3GWNpFejqsT_mAZ30feuuBG0zMHQ.html
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NetPumper] "C:\Programme\NetPumper\NetPumperIEProxy.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [mouseElf] C:\PROGRA~1\GENIUS~1\GNETMOUS.EXE
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\CPLBCL53.EXE
O4 - HKLM\..\Run: [OnlineCdrom] C:\PROGRA~1\ATOMDE~1\32third.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Programme\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [HOTFOON2] D:\Backups\Phone-Applications\hotfoon4.exe /h
O4 - HKCU\..\Run: [Spam Shredder] "C:\Programme\Webroot\Shredder\spshredder.exe" -tray
O4 - HKCU\..\RunOnce: [unPopUpWasher] unPopUpWasher.exe rm
O4 - Startup: WinMySQLadmin.lnk = C:\Dokumente und Einstellungen\jaggy\Desktop\mysql4\mysql-4.1.1a-alpha\bin\winmysqladmin.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\programme\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\programme\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\programme\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download with NetPumper - C:\Programme\NetPumper\AddUrl.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\programme\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\programme\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_3us.cab
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/BM2/BM2.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.dotphoto.com/XUpload.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{1805A68D-44FB-49C5-A9E6-1E9EE9AD81AF}: NameServer = 141.44.1.2,141.44.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{EB873E8C-D6D6-4749-8FF7-93D8DD601200}: NameServer = 141.44.1.2,141.44.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{1805A68D-44FB-49C5-A9E6-1E9EE9AD81AF}: NameServer = 141.44.1.2,141.44.1.1


Thanks.
0
 
LVL 65

Accepted Solution

by:
SheharyaarSaahil earned 400 total points
Comment Utility
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.ozpteqhxwdglyzw.com/Xb/Kg89Ik0_z_L8LKd0zYlU2DbYQOtVZohCG3GWNpFejqsT_mAZ30feuuBG0zMHQ.html
==============================

Close all Explroer windows, then check this line and click on Fix Checked !!!!
restart and now check for the problem ??
0
 
LVL 1

Expert Comment

by:Extortioner15
Comment Utility
with Hijackthis, delete:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.ozpteqhxwdglyzw.com/Xb/Kg89Ik0_z_L8LKd0zYlU2DbYQOtVZohCG3GWNpFejqsT_mAZ30feuuBG0zMHQ.html

then run CWShredder again, and if that doesnt help, I suggest you use StartpageGuard ( http://www.webattack.com/get/startpageguard.shtml )

Happy (and safe) Surfing
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
Comment Utility
Extortioner15 ..... repeating what an Expert has already suggested is not Allowed :)
0
 
LVL 1

Expert Comment

by:Extortioner15
Comment Utility
I did not repeat an answer, I suggested you were right and I said if that didnt work, he had to install Startpageguard!
Now lets stay ontopc shall we?
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
Comment Utility
>>  I suggested you were right and I said if that didnt work, he had to install Startpageguard!
well u didn't mention abt me even there..... but never mind,,,, leave it !!!! :)
0
 
LVL 4

Expert Comment

by:EFernandes
Comment Utility
If you still can't solve the problem, try the SpyBot Search&Destroy. You can find it at http://beam.to/spybotsd
Good luck
0
 
LVL 6

Assisted Solution

by:nomi17
nomi17 earned 100 total points
Comment Utility
Spybot cleans out the DSO Exploit but there is a registry entry that needs to be modified so that
Spybot will not list it again.  Only follow these instructions if you are comfortable modifying the registry.
It is also recommended to back up your registry before making any changes.
Otherwise you can leave it.  No harm being done.

Click Run -> regedit
Find the following:

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0

On the left pane delete 1004
On the left pane right click to add a New DWord value

Name it 1004
Double click to open this entry and enter a value of 3 (hex base)

Close the Registry.

Now when you run SpyBot it will no longer detect the DSO Exploit.
0

Featured Post

What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

Join & Write a Comment

Some site administrators might be considering how to filter incoming traffic to a site by identifying the domains or networks of the traffic source, in the same way that a spam filter does on an email server, such as blocking all emails sent from th…
PREFACE The purpose of this guide is to provide information to successfully install the MS SQL client tools for the Symantec Endpoint Protection Manager (SEPM) to function properly when installed on Windows 2008. AUDIENCE Information Technology…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Polish reports in Access so they look terrific. Take yourself to another level. Equations, Back Color, Alternate Back Color. Write easy VBA Code. Tighten space to use less pages. Launch report from a menu, considering criteria only when it is filled…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now