Please Help!! CWS Shredder can't remove 0websearch.



#1 Helltore


Posted 29 July 2004 - 02:56 PM

Hi all,

My home page continues to be reset to 0websearch.com. I have run SpyBot S&D, Ad-Aware, CWS Shredder and HijackThis to no avail. Shredder says it removes it, but 10~15 seconds later BHODemon says it's back. And it is. My home page gets set back to 0websearch.com... I've tried everything I can think of. BHODemon has this to say:

File name {Not found} _Malware 1/00.07.dll, *.**.**.dll, (*=digit) - CoolWebSearch parasite variant

PLEASE HELP!!!

Here is my HijackThis log:

Logfile of HijackThis v1.98.0
Scan saved at 12:51:53 PM, on 7/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\trcboot.exe
C:\Program Files\Personal Communications\PCS_AGNT.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe
C:\WINDOWS\inetdata\winlogon.exe
C:\Program Files\WebSpy Live\Live.exe
C:\WINDOWS\SYSTEM32\etlitr50.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\WINDOWS\etlisrv.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://0websearch.com/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - ReadMe-BHODemon - (no file)
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: WebSpy Reports Browser Helper Object - {C68F45EB-A501-46AB-8165-BC042CD27136} - C:\WINDOWS\System32\WsReportBho.dll
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\navnt\vptray.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetdata\winlogon.exe
O4 - HKCU\..\Run: [Live.exe] "C:\Program Files\WebSpy Live\Live.exe"
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inetdata\winlogon.exe
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Global Startup: Entrust.lnk = C:\WINDOWS\SYSTEM32\etlitr50.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windup...0e1e2729109a237
O17 - HKLM\System\CCS\Services\Tcpip\..\{F003C883-CFAE-4346-B47D-DA1A75FA64E2}: NameServer = 10.128.24.254,10.128.26.254

#2 Helltore


Posted 30 July 2004 - 01:30 PM

Bump, I found the problem and fixed it myself. If anyone else has this problem, look for winlogon.exe in the c:\windows\inetdata directory. If it exists, boot to safe mode, kill this directory, reboot normally and run CWS Shredder and your favorite SpyBot S&D, Ad-Aware etc.

Have fun...
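
Added example (not part of the original posts): the check described in post #2, generalized to flag any core Windows process name that a HijackThis log shows running or autostarting from an unexpected directory. The function name, the list of process names and the C:\WINDOWS install root are assumptions made for this sketch; the sample lines are copied from the log in post #1.

```python
import ntpath
import re

# Expected homes of core Windows images (assumes a C:\WINDOWS install root).
SYSTEM32 = r"c:\windows\system32"
EXPECTED_DIR = {name: SYSTEM32 for name in (
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe", "spoolsv.exe")}
EXPECTED_DIR["explorer.exe"] = r"c:\windows"

# Drive-letter path ending in .exe, whether or not the log quotes it.
EXE_PATH = re.compile(r'[A-Za-z]:\\[^"\n]*?\.exe', re.IGNORECASE)

def find_masquerades(log_text):
    """Return sorted (path, where_seen) pairs for system-named images in the wrong directory."""
    hits = set()
    in_processes = False
    for line in log_text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes and not line:
            in_processes = False  # a blank line ends the process list
        if in_processes:
            source = "running process"
        elif line.startswith("O4 - "):
            source = "O4 autostart"
        else:
            continue
        for path in EXE_PATH.findall(line):
            directory, name = ntpath.split(path.lower())
            expected = EXPECTED_DIR.get(name)
            if expected and directory != expected:
                hits.add((path, source))
    return sorted(hits)

# Constructed sample: a handful of lines taken from the HijackThis log above.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\inetdata\winlogon.exe

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\navnt\vptray.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetdata\winlogon.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inetdata\winlogon.exe"""

if __name__ == "__main__":
    for path, source in find_masquerades(SAMPLE_LOG):
        print(f"{source}: {path}")
```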



