
0websearch is ruining my life, PLEASE HELP


9 replies to this topic

#1 Mac daddy 101


Posted 14 July 2004 - 10:08 AM

I have been hijacked....

My browser homepage keeps getting reset to 0websearch; this is a part of the 'Coolwebsearch' family.

I am running Windows XP Professional and it is fully updated.

I have run Ad-Aware, Spybot S&D, TrojanHunter, Webroot Spy Sweeper, HijackThis, Norton AntiVirus and CWShredder. CW found the infection - CWS.Yexe and it keeps finding and removing this every single time I run it.

I am in serious need of an answer on how to remove this bastard for good, as I have tried everything I can think of.

Here is the log file from HijackThis

Logfile of HijackThis v1.97.7
Scan saved at 10:31:08 PM, on 13/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\DAP\DAP.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MSI\Live Update 3\LMonitor.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\WINDOWS\inetdata\winlogon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSI\Core Center\CoreCenter.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
C:\HJT\HijackThis 2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://iinet.net.au
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://iinet.net.au
R3 - URLSearchHook: (no name) - _{00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
F1 - win.ini: run=C:\WINDOWS\inetdata\winlogon.exe
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem219.dll
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: (no name) - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetdata\winlogon.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inetdata\winlogon.exe
O4 - Global Startup: CoreCenter.lnk = C:\Program Files\MSI\Core Center\CoreCenter.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: SideFind (HKLM)
O9 - Extra button: Run DAP (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O15 - Trusted Zone: www.mt-download.com
O15 - Trusted Zone: install.xxxtoolbar.com
O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} (Installer Class) - http://www.xxxtoolba...006_regular.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://D:\content\include\XPPatchInstaller.CAB
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw...nt/iftwclix.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...AB?38180.364375
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab

P.S. I will :love: the person that figures out what to do.

#2 Mac daddy 101


Posted 15 July 2004 - 12:34 PM

Anyone??

#3 Mac daddy 101


Posted 18 July 2004 - 03:16 AM

Can someone PLEASE HELP ME or at least try!

#4 gonzaldp


Posted 27 July 2004 - 02:37 AM

Hello, I fixed my 0websearch.com hijack by going to DOS mode (Win 98 :D ) and removed it by deleting the services.exe located at windows/inetdata. Thus far 0websearch has not popped up in the last 15 minutes (used to come up every 15 seconds) with my spyblocker.

In your case, try running HijackThis and see if the winlogon.exe is causing the hijack (I suspect this may be it).

I am not very knowledgeable about computers but I was so desperate with this 0websearch crap that I even contemplated running del *.* :grrr:

Good Luck!!! And my thanks to Merijn and HijackThis. Can someone develop a bug to send to the Russians who developed the Cool Web Search??? Remind me to talk to my Filipino programmer who developed the I Love You virus.

Keep us posted. HIJACKING SHOULD BE ILLEGAL!!!!

Edited by gonzaldp, 27 July 2004 - 02:38 AM.


#5 Arky71950


Posted 30 July 2004 - 07:27 PM

I have recently gotten rid of this hijack on XP by doing the following:
manually remove the executable. In this case the file was services.exe located in
c:\windows\inetdata\services.exe
To manually delete this file:
1. Click on "Start" then "Run" and enter "CMD" and click OK .. This opens a CMD window.
2. Change directory to above directory
cd\windows\inetdata <enter>
3. Change attributes for this file if necessary
attrib services.exe -h -s <enter> (removes hidden and system characteristics)
4. Delete the file or rename it
del services.exe <enter>
5. Leave CMD window
Exit <enter>
Next you need to remove the registry entries: Be sure and back up Registry before any attempts to alter the registry.
You can run Hijackthis and look for the following entries...Delete these
HKCU\software\Microsoft\Internet Explorer\Main,Start Page_Bak = http://0webserach.com/
HKLM\..\Run: [xp_system] C:\WINDOWS\inetdata\services.exe
HKCU\..\Run: [xp_system] C:\WINDOWS\inetdata\services.exe

Please note in your case it is winlogon.exe instead of services.exe. Also note that it is located in the inetdata directory!!! Not system32!!!
gonzaldp had it nailed in his reply, let us know if you were successful.

Sure hope this helps you!
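
The check both replies above rely on (a core Windows process name that runs from, or is auto-started from, a folder other than system32), as an added example that is not part of the original posts. The list of core process names and the function name `find_masquerades` are assumptions of this example; the sample lines are copied from the HijackThis log in the first post.

```python
import re
from pathlib import PureWindowsPath

# Assumption of this example: core Windows XP processes that should only
# ever run from C:\WINDOWS\system32 (PureWindowsPath compares without case).
SYSTEM_DIR = PureWindowsPath(r"C:\WINDOWS\system32")
CORE_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
              "lsass.exe", "svchost.exe", "spoolsv.exe"}

# First drive-letter path ending in .exe on a line; tolerates spaces in
# folder names and trailing arguments such as /AUTOSTART.
EXE_PATH = re.compile(r'[A-Za-z]:\\[^"\n]*?\.exe', re.IGNORECASE)
SECTION = re.compile(r'([A-Z]\d+) - ')

def find_masquerades(log_text):
    """Return (line_no, section, path) for core names outside system32.

    section is the HijackThis code (F1, O4, ...) or "process" for a bare
    path from the "Running processes" list.
    """
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        match = EXE_PATH.search(line)
        if not match:
            continue
        path = PureWindowsPath(match.group(0))
        if path.name.lower() in CORE_NAMES and path.parent != SYSTEM_DIR:
            code = SECTION.match(line)
            hits.append((line_no, code.group(1) if code else "process", str(path)))
    return hits

# Lines copied from the log in the first post (excerpt).
SAMPLE_LOG = r"""C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\inetdata\winlogon.exe
F1 - win.ini: run=C:\WINDOWS\inetdata\winlogon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetdata\winlogon.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe"""

if __name__ == "__main__":
    for line_no, section, path in find_masquerades(SAMPLE_LOG):
        print(f"line {line_no} [{section}]: {path}")
```

A hit in the process list together with an F1 or O4 hit for the same path means the file is both running and set to start again at logon, so the file and its startup entries have to be removed together.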

#6 omj623


Posted 14 August 2004 - 10:10 PM

This 0websearch is really giving me a headache. It keeps changing my browser home page. How do I get rid of this? HELP PLEASE.

#7 Arky71950


Posted 15 August 2004 - 08:57 AM

Please give us more information...Operating system, etc.
Download and run the following free programs. (you can locate these freebies with a Yahoo search)
Ad aware
Spybot Search and Destroy
Hijackthis
Once you have run Ad aware and Spybot, then run Hijackthis and include this listing in your post.
You might also review the above solutions. Good Luck!!!!

#8 DawsonV5


  • Retired Staff - Helper

Posted 15 August 2004 - 08:07 PM

Please follow these instructions on using CWShredder; also, before running it, please check for updates for the latest version.
-reboot after using CWShredder

Download the new Ad-Aware SE version, and follow the instructions on how to do a full scan: http://forums.spywar...showtopic=11150
-reboot after using Ad-Aware SE

Run a scan of HijackThis and place a check by the following in bold and fix. Remember to close ALL browsers and windows when running HijackThis.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://iinet.net.au
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://iinet.net.au
R3 - URLSearchHook: (no name) - _{00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
F1 - win.ini: run=C:\WINDOWS\inetdata\winlogon.exe

O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem219.dll
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: (no name) - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll

O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetdata\winlogon.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inetdata\winlogon.exe

O9 - Extra button: SideFind (HKLM)

O15 - Trusted Zone: www.mt-download.com
O15 - Trusted Zone: install.xxxtoolbar.com

O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} (Installer Class) - http://www.xxxtoolba...006_regular.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://D:\content\include\XPPatchInstaller.CAB
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw...client/iftwclix.


*optional fix*
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: Run DAP (HKLM)

You are using DAP which is not technically malware, but it may include malware and allow it into your system. You can find safer alternatives here: http://www.spywarein...cat=dlman#dlman To remove it, fix these items with HJT and then remove it in Add/Remove Programs

O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY

You are using Kazaa. This is not technically malware by itself, but it installs malware in order to run properly and it opens the door for every other nasty program you can think of. I strongly recommend that you remove it. Read this article for alternatives that will provide some of the same function without the garbage: http://www.spywarein...m/articles/p2p/ If you opt to remove it, first use Add/Remove Program to remove it and any reference to Altnet and P2P Networking. Go to your control panel, then to add/remove programs...uninstall P2P networking...If/when asked whether you also want to remove Altnet components, say 'Yes'.
P2P Networking is a totally useless Kazaa add-on, and it's been reported to be responsible for serious system slowdowns.


Reboot into Safe mode instructions here: http://service1.syma...001052409420406

Then show all hidden files instructions here: http://service1.syma...002092715262339

Now navigate to the following directory and delete all in bold.
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\inetdata
*optional fixes*
C:\PROGRA~1\DAP\
C:\WINDOWS\System32\P2P Networking
C:\Program Files\Kazaa\kazaa.exe

Reboot and run a new scan of hijackthis and post the log

#9 Achess


Posted 18 August 2004 - 12:59 PM

About CWShredder. I've tried to update it and it can't. Is there a more recent version downloadable? Mine is 1.44.2

Thanks,

Aaron

#10 AnonBoy


Posted 10 September 2004 - 07:19 PM

This topic is a little old, but for people who do searches on it, this is how I removed it. Start Windows XP in safe mode (push F8 at the beginning of powerup and choose safe mode). Go into Windows and delete the folder INETDATA. Restart. You will get a message saying that Windows cannot find those files. Duh, you deleted them :lol: . I'm not sure how to get Windows to stop looking for the files. It's somewhere in the Registry, and I learned the hard way not to mess with that. As most of us may know, spyware won't stop this doodad yet. Neither will HijackThis. As of 9-10-04 anyways. You could always stay away from cheap porn sites :p . For us who can't, though, you can use this method.



