Mac daddy 101

0websearch is ruining my life, PLEASE HELP

10 posts in this topic

I have been hijacked....

My browser homepage keeps getting reset to 0websearch; this is a part of the 'Coolwebsearch' family.

I am running Windows XP Professional and it is fully updated.

I have run Ad-Aware, Spybot S&D, TrojanHunter, Webroot Spy Sweeper, HijackThis, Norton AntiVirus and CWShredder. CW found the infection - CWS.Yexe and it keeps finding and removing this every single time I run it.

I am in serious need of an answer on how to remove this bastard for good, as I have tried everything I can think of.

Here is the log file from HijackThis:

 

Logfile of HijackThis v1.97.7

Scan saved at 10:31:08 PM, on 13/07/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\SOUNDMAN.EXE

C:\PROGRA~1\DAP\DAP.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\MSI\Live Update 3\LMonitor.exe

C:\WINDOWS\System32\P2P Networking\P2P Networking.exe

C:\WINDOWS\inetdata\winlogon.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\MSI\Core Center\CoreCenter.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\Program Files\Internet Explorer\iexplore.exe

D:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe

C:\HJT\HijackThis 2.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://iinet.net.au

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://iinet.net.au

R3 - URLSearchHook: (no name) - _{00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)

F1 - win.ini: run=C:\WINDOWS\inetdata\winlogon.exe

O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem219.dll

O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll

O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)

O2 - BHO: (no name) - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe

O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART

O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY

O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"

O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetdata\winlogon.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0

O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inetdata\winlogon.exe

O4 - Global Startup: CoreCenter.lnk = C:\Program Files\MSI\Core Center\CoreCenter.exe

O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm

O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm

O9 - Extra button: SideFind (HKLM)

O9 - Extra button: Run DAP (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)

O15 - Trusted Zone: www.mt-download.com

O15 - Trusted Zone: install.xxxtoolbar.com

O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4...006_regular.cab

O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://D:\content\include\XPPatchInstaller.CAB

O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw/autobios/client/iftwclix.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...AB?38180.364375

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/shock...ash/swflash.cab

 

P.S. I will :love: the person that figures out what to do.

Hello, I fixed my 0websearch.com hijack by going to DOS mode (Win 98 :D ) and removed it by deleting the services.exe located at windows/inetdata. Thus far 0websearch has not popped up in the last 15 minutes (it used to come up every 15 seconds) with my spyblocker.

In your case, try running HijackThis and see if the winlogon.exe is causing the hijack (I suspect this may be it).

I am not very knowledgeable in computers but I was so desperate with this 0websearch crap that I even contemplated running del *.* :grrr:

Good Luck!!! And my thanks to Merijn and HijackThis. Can someone develop a bug to send to the Russians who developed the cool web search??? Remind me to talk to my Filipino programmer who developed the I love you virus.

 

Keep us posted. HIJACKING SHOULD BE ILLEGAL!!!!

Edited by gonzaldp


I have recently gotten rid of this hijack on XP by doing the following:

manually remove the executable. In this case the file was services.exe located in

c:\windows\inetdata\services.exe

To manually delete this file:

1. Click on "Start" then "Run" and enter "CMD" and click OK .. This opens a CMD window.

2. Change directory to above directory

cd\windows\inetdata <enter>

3. Change attributes for this file if necessary

attrib services.exe -h -s <enter> (removes hidden and system characteristics)

4. Delete the file or rename it

del services.exe <enter>

5. Leave CMD window

Exit <enter>

Next you need to remove the registry entries: Be sure and back up Registry before any attempts to alter the registry.

You can run Hijackthis and look for the following entries...Delete these

HKCU\software\Microsoft\Internet Explorer\Main,Start Page_Bak = http://0webserach.com/

HKLM\..\Run: [xp_system] C:\WINDOWS\inetdata\services.exe

HKCU\..\Run: [xp_system] C:\WINDOWS\inetdata\services.exe

 

Please note in your case it is winlogon.exe instead of services.exe. Also note that it is located in the inetdata directory!!! Not system32!!!

gonzaldp had it nailed in his reply, let us know if you were successful.

 

Sure hope this helps you!

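The point made in the replies above, a file named like a Windows system process but sitting in C:\WINDOWS\inetdata instead of system32, can be checked mechanically. The following is an added example, not part of the original posts and not HijackThis code: it scans HijackThis log lines for system binary names that run from an unexpected folder. The `EXPECTED_DIR` allow-list and the function name are assumptions of this example.

```python
import ntpath
import re

# Expected home folder for a few Windows XP system binaries. Short, illustrative
# allow-list (an assumption of this example), not a complete inventory.
SYS32 = r"c:\windows\system32"
EXPECTED_DIR = {name: SYS32 for name in (
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "alg.exe", "ctfmon.exe")}
EXPECTED_DIR["explorer.exe"] = r"c:\windows"

# Lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\inetdata\winlogon.exe
F1 - win.ini: run=C:\WINDOWS\inetdata\winlogon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetdata\winlogon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""

# First drive-letter path ending in .exe on a line (quotes and arguments are left out).
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.exe', re.IGNORECASE)
# HijackThis section code at the start of a line, e.g. "F1 - " or "O4 - ".
SECTION_RE = re.compile(r"\s*([A-Z]\d+) - ")


def find_masquerades(log_text):
    """Return (source, path) pairs where a system file name runs from the wrong folder."""
    hits = []
    for line in log_text.splitlines():
        match = PATH_RE.search(line)
        if not match:
            continue  # no full path on this line (blank, header, bare file name)
        path = match.group(0)
        folder, name = ntpath.split(path.lower())  # Windows paths are case-insensitive
        expected = EXPECTED_DIR.get(name)
        if expected and folder != expected:
            section = SECTION_RE.match(line)
            # Lines without a section code come from the "Running processes" list.
            hits.append((section.group(1) if section else "process", path))
    return hits


if __name__ == "__main__":
    for source, path in find_masquerades(SAMPLE_LOG):
        print(f"{source:8} {path}")
```

8.3 short paths such as C:\PROGRA~1 are compared literally, so a system file name under a short-form path would need expanding before this check is trusted.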

This 0websearch is really giving me a headache. It keeps changing my browser home page. How do I get rid of this? HELP PLEASE.

Please give us more information...Operating system, etc.

Download and run the following free programs. (you can locate these freebies with a Yahoo search)

Ad aware

Spybot Search and Destroy

Hijackthis

Once you have run Ad aware and Spybot, then run Hijackthis and include this listing in your post.

You might also review the above solutions. Good Luck!!!!


Please follow these instructions on using CWShredder. Also, before running it, please check for updates for the latest version.

-reboot after using CWShredder

 

Download the new Ad-Aware SE version, and follow the instructions on how to do a full scan: http://forums.spywareinfo.com/index.php?showtopic=11150

-reboot after using Ad-Aware SE

 

Run a scan of HijackThis and place a check by the following in bold and fix. Remember to close ALL browsers and windows when running HijackThis.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://iinet.net.au

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://iinet.net.au

R3 - URLSearchHook: (no name) - _{00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)

F1 - win.ini: run=C:\WINDOWS\inetdata\winlogon.exe

 

O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem219.dll

O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll

O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)

O2 - BHO: (no name) - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll

 

O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetdata\winlogon.exe

O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inetdata\winlogon.exe

 

O9 - Extra button: SideFind (HKLM)

 

O15 - Trusted Zone: www.mt-download.com

O15 - Trusted Zone: install.xxxtoolbar.com

 

O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4...006_regular.cab

O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -

O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://D:\content\include\XPPatchInstaller.CAB

O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw/autobios/client/iftwclix.

 

*optional fix*

O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll

O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll

O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP

O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm

O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm

O9 - Extra button: Run DAP (HKLM)

You are using DAP, which is not technically malware, but it may include malware and allow it into your system. You can find safer alternatives here: http://www.spywareinfo.com/downloads.php?cat=dlman#dlman To remove it, fix these items with HJT and then remove it in Add/Remove Programs.

 

O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART

O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY

You are using Kazaa. This is not technically malware by itself, but it installs malware in order to run properly and it opens the door for every other nasty program you can think of. I strongly recommend that you remove it. Read this article for alternatives that will provide some of the same function without the garbage: http://www.spywareinfo.com/articles/p2p/ If you opt to remove it, first use Add/Remove Program to remove it and any reference to Altnet and P2P Networking. Go to your control panel, then to add/remove programs...uninstall P2P networking...If/when asked whether you also want to remove Altnet components, say 'Yes'.

P2P Networking is a totally useless Kazaa add-on, and it's been reported to be responsible for serious system slowdowns.

 

 

Reboot into Safe mode instructions here: http://service1.symantec.com/SUPPORT/tsgen...001052409420406

 

Then show all hidden files instructions here: http://service1.symantec.com/SUPPORT/tsgen...002092715262339

 

Now navigate to the following directory and delete all in bold.

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\inetdata

*optional fixes*

C:\PROGRA~1\DAP\

C:\WINDOWS\System32\P2P Networking

C:\Program Files\Kazaa\kazaa.exe

 

Reboot and run a new scan of hijackthis and post the log


About CWShredder. I've tried to update it and it can't. Is there a more recent version downloadable? Mine is 1.44.2

 

Thanks,

 

Aaron


This topic is a little old, but for people who do searches on it, this is how I removed it. Start Windows XP in safe mode (push F8 at the beginning of powerup and choose safe mode). Go into Windows and delete the folder INETDATA. Restart. You will get a message saying that Windows can not find those files. Duh, you deleted them :lol: . I'm not sure how to get Windows to stop looking for the files. It's somewhere in the Registry, and I learned the hard way not to mess with that. As most of us may know, spyware won't stop this doodad yet. Neither will HijackThis. As of 9-10-04 anyways. You could always stay away from cheap pornsites :p . For us who can't, though, you can use this method.