• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
a_fahmy

PLZZZ help

8 posts in this topic

hi

 

few months ago i discovered that some sites remain in the location bar despite deleting the history , this is problem 1

 

 

a week ago , a virus named trojanbyte attacked my cpu and made the homepage change permanently ( became greatsearch.biz, an adult site) despite my trials to change it.

 

i tried removing the virus using norton anti virus but failed though i did what exactly is written in symantec about removing it.

 

i uninstalled norton and installed avast program which succeded in deleting the virus and other trojan viruses!!! which i didn't know that i got.

 

yet still the home page is the same 'cause the registry keys cannot be changed!!!

 

i thought it could be because of a spyware program so i installed spybot and used it to remove many spyware programs yet still the homepage is the same.

 

i then read about that it could be a malware :coolwebsearch so i used CWSHREDDER but it didn't detect anything , and said my cpu is clean

 

so finally i used hijackthis and here r the two files that u might need to help me

 

 

the file hijack.txt

 

Logfile of HijackThis v1.97.7

Scan saved at 03:17:16 ?, on 28/05/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\System32\P2P Networking\P2P Networking.exe

C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe

C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

C:\PROGRA~1\PROPEL~1\PropelAC.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Documents and Settings\home\Application Data\aaee.exe

C:\WINDOWS\System32\wnscptr.exe

C:\PROGRA~1\Altnet\DOWNLO~1\asm.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\home\My Documents\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/

O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL

O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL

O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL

O4 - HKLM\..\Run: [iMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART

O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe

O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

O4 - HKLM\..\Run: [Propel Accelerator] C:\PROGRA~1\PROPEL~1\PropelAC.exe

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - HKCU\..\Run: [Csso] C:\Documents and Settings\home\Application Data\aaee.exe

O4 - HKCU\..\Run: [WNSI] C:\WINDOWS\System32\wnscptr.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm

O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm

O8 - Extra context menu item: Refresh Pa≥ with Full Quality - C:\Program Files\Propel Accelerator\pac-page.html

O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\Propel Accelerator\pac-image.html

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O9 - Extra button: Related (HKLM)

O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)

O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://cashsearch.biz/legal/x.chm::/load.exe

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/download/0/5...b?1083838197449

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebpr...etup1.0.0.6.cab

O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} - http://www.stop-sign.com/pub/download/stop-sign_cst.cab

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab

O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab

O16 - DPF: {5D8844F9-1CB8-11D2-A0A0-00600859EB9F} (PatchCtl Class) - file://C:\Program Files\EA SPORTS\FIFA 2004\update.1.1\patchx2.cab

O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7790.5139699074

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.companion....ebio5_1_6_0.cab

O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - http://download.paltalk.com/download/0.x/regdload.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{C66DAD27-A471-40BB-A9FB-64F1F74BA0A9}: NameServer = 213.131.65.20 213.131.66.246

 

 

the other file is startuplist.txt

 

StartupList report, 28/05/2004, 03:17:22 ?

StartupList version: 1.52

Started from : C:\Documents and Settings\home\My Documents\HijackThis.EXE

Detected: Windows XP (WinNT 5.01.2600)

Detected: Internet Explorer v6.00 (6.00.2600.0000)

* Using default options

==================================================

 

Running processes:

 

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\System32\P2P Networking\P2P Networking.exe

C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe

C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

C:\PROGRA~1\PROPEL~1\PropelAC.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Documents and Settings\home\Application Data\aaee.exe

C:\WINDOWS\System32\wnscptr.exe

C:\PROGRA~1\Altnet\DOWNLO~1\asm.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\home\My Documents\HijackThis.exe

 

--------------------------------------------------

 

Listing of startup folders:

 

Shell folders Common Startup:

[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]

Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

 

--------------------------------------------------

 

Checking Windows NT UserInit:

 

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]

UserInit = C:\WINDOWS\system32\userinit.exe,

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

 

IMJPMIG8.1 = C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32

MSPY2002 = C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC

PHIME2002ASync = C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC

PHIME2002A = C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName

TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

P2P Networking = C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART

AltnetPointsManager = c:\program files\altnet\points manager\points manager.exe -s

SunJavaUpdateSched = C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe

MyWebSearch Email Plugin = C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

Propel Accelerator = C:\PROGRA~1\PROPEL~1\PropelAC.exe

avast! = C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

ashMaiSv = C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

 

MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background

ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe

Yahoo! Pager = C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

Csso = C:\Documents and Settings\home\Application Data\aaee.exe

WNSI = C:\WINDOWS\System32\wnscptr.exe

 

--------------------------------------------------

 

Load/Run keys from C:\WINDOWS\WIN.INI:

 

load=

run=C:\windows\system32\yahooprogss.exe

 

Load/Run keys from Registry:

 

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*

HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*

HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*

HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*

HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*

HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*

HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*

HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*

HKCU\..\Windows NT\CurrentVersion\Windows: load=

HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*

HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*

HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*

HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

 

--------------------------------------------------

 

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

 

Shell=Explorer.exe C:\windows\system32\yahooprogss.exe

SCRNSAVE.EXE=

drivers=

 

Shell & screensaver key from Registry:

 

Shell=Explorer.exe

SCRNSAVE.EXE=C:\WINDOWS\LIVING~1.SCR

drivers=*Registry value not found*

 

Policies Shell key:

 

HKCU\..\Policies: Shell=*Registry key not found*

HKLM\..\Policies: Shell=*Registry value not found*

 

--------------------------------------------------

 

 

Enumerating Browser Helper Objects:

 

MyWebSearch Search Assistant BHO - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL - {00A6FAF1-072E-44cf-8957-5838F569A31D}

myBar BHO - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC}

(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

mwsBar BHO - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL - {07B18EA1-A523-4961-B6BB-170DE4475CCA}

 

--------------------------------------------------

 

Enumerating Task Scheduler jobs:

 

Symantec NetDetect.job

 

--------------------------------------------------

 

Enumerating Download Program Files:

 

[{11111111-1111-1111-1111-111111111157}]

CODEBASE = ms-its:mhtml:file://c:\nosuch.mht!http://cashsearch.biz/legal/x.chm::/load.exe

 

[shockwave ActiveX Control]

InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll

CODEBASE = http://download.macromedia.com/pub/shockwa...director/sw.cab

 

[MSSecurityAdvisor Class]

InProcServer32 = C:\WINDOWS\System32\mssecadv.dll

CODEBASE = http://download.microsoft.com/download/0/5...b?1083838197449

 

[{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB}]

CODEBASE = http://imgfarm.com/images/nocache/funwebpr...etup1.0.0.6.cab

 

[{2119776A-F1AD-4FCD-9548-F1E1C615350C}]

CODEBASE = http://www.stop-sign.com/pub/download/stop-sign_cst.cab

 

[YInstStarter Class]

InProcServer32 = C:\WINDOWS\Downloaded Program Files\yinsthelper.dll

CODEBASE = http://download.yahoo.com/dl/installs/yinst0309.cab

 

[EARTPatchX Class]

InProcServer32 = C:\WINDOWS\Downloaded Program Files\EARTPX.dll

CODEBASE = http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab

 

[PatchCtl Class]

InProcServer32 = C:\WINDOWS\Downloaded Program Files\patchx.dll

CODEBASE = file://C:\Program Files\EA SPORTS\FIFA 2004\update.1.1\patchx2.cab

 

[MediaTicketsInstaller Control]

InProcServer32 = C:\WINDOWS\DOWNLO~1\MEDIAT~1.OCX

CODEBASE = http://www.mt-download.com/MediaTicketsInstaller.cab

 

[update Class]

InProcServer32 = C:\WINDOWS\System32\iuctl.dll

CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/...7790.5139699074

 

[shockwave Flash Object]

InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx

CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab

 

[{EF99BD32-C1FB-11D2-892F-0090271D4F88}]

CODEBASE = http://us.dl1.yimg.com/download.companion....ebio5_1_6_0.cab

 

[CRegistryDownload Class]

InProcServer32 = C:\WINDOWS\Downloaded Program Files\RegDload.dll

CODEBASE = http://download.paltalk.com/download/0.x/regdload.cab

 

--------------------------------------------------

 

Enumerating ShellServiceObjectDelayLoad items:

 

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll

CDBurn: C:\WINDOWS\system32\SHELL32.dll

WebCheck: C:\WINDOWS\System32\webcheck.dll

SysTray: C:\WINDOWS\System32\stobject.dll

System: C:\WINDOWS\system32\system32.dll

 

--------------------------------------------------

End of report, 8,764 bytes

Report generated in 0.031 seconds

 

Command line options:

/verbose - to add additional info on each section

/complete - to include empty sections and unsuspicious data

/full - to include several rarely-important sections

/force9x - to include Win9x-only startups even if running on WinNT

/forcent - to include WinNT-only startups even if running on Win9x

/forceall - to include all Win9x and WinNT startups, regardless of platform

/history - to list version history only

 

 

would u plzzzzzz help me (concerning both problems)

 

thanks in advance

Share this post


Link to post
Share on other sites

hey

 

no one is helping .?? anyone can tell me if i wrote something wrong or if that is not the suitable forum???

 

anyone say anything

Share this post


Link to post
Share on other sites

should i delete all lines containing greatsearch.biz or what

]

 

plzzzzzzzz someone help me , i am desperate

Share this post


Link to post
Share on other sites

a_fahmy

 

do a search on this forum for a post by ed brubaker entitled greatsearch biz defeated, follow his instructions.

Share this post


Link to post
Share on other sites
Sign in to follow this  
Followers 0