• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
jessa_lee

cashsearch.biz hacked!

7 posts in this topic

Logfile of HijackThis v1.97.7

Scan saved at 5:44:56 PM, on 6/10/2004

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\HJT\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cashsearch.biz/redir.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://cashsearch.biz/redir.php

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://cashsearch.biz/redir.php

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://cashsearch.biz/redir.php

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://cashsearch.biz/redir.php

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://cashsearch.biz/redir.php

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

Edited by jessa_lee

Share this post


Link to post
Share on other sites

First things first - Let's fix the cachesearch Hijack and then we will deal with the others (Yes, there are others) ...

 

Please copy the contents of the quote box to notepad:

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"System"=-

[-HKEY_CLASSES_ROOT\CLSID\{061646A1-DC57-487D-B023-A938198C174E}]

[-HKEY_CLASSES_ROOT\CLSID\{4E8A9E72-8942-40EF-88DF-A559152F6B41}]

[-HKEY_CLASSES_ROOT\CLSID\{6E94CEC3-0C84-4310-AE20-CD4090178388}]

Hit save as and give it the name clear.reg under the filename set file types to all files. Save it to the desktop. After you have completed that, double click the clear.reg file and when asked to merge say "Yes" and reboot.

 

Find this file system32.dll which is probably in either:

  • c:\windows\system32\system32.dll
  • c:\windows\system\system32.dll

... and delete it.

 

Run HijackThis, click on "Scan" and then place a check mark in the following boxes, And click on "Fix Checked":

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cashsearch.biz/redir.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://cashsearch.biz/redir.php

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://cashsearch.biz/redir.php

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://cashsearch.biz/redir.php

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://cashsearch.biz/redir.php

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://cashsearch.biz/redir.php

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

Share this post


Link to post
Share on other sites

Alright. I made all your suggested changes. Is there more for me to do now? This is the new HJT log after those changes. (Thank you for all your help!!!)

 

*********

Logfile of HijackThis v1.97.7

Scan saved at 5:44:56 PM, on 6/10/2004

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\HJT\HijackThis.exe

Edited by jessa_lee

Share this post


Link to post
Share on other sites

Run either of these free online virus scans.

Run HijackThis, click on "Scan" and then place a check mark in the following boxes, And click on "Fix Checked":

O4 - HKLM\..\Run: [Windows Update] C:\WINNT\mstaskss.exe

O4 - HKLM\..\Run: [Microsoft Internet Explorer] C:\WINNT\system32\IEXPLORE.EXE

O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINNT\Downloaded Program Files\bridge.dll",Load

O4 - HKLM\..\Run: [ist service uninstall] C:\WINNT\msstasks.exe /u

O4 - HKCU\..\Run: [windll32.exe] C:\WINNT\system32\windll32.exe

O4 - HKCU\..\Run: [WCPC] C:\WINNT\system32\wintsvcc.exe

 

The following is optional to delete as it is a resource hog:

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

 

Please reboot into safe mode - How do I boot into "Safe" mode?

 

The following FILES, DIRECTORIES and DIRECTORY CONTENTS (But not the directory) need to be deleteed while in safe mode. Make sure your settings allow you to view "Hidden files". Open up any explorer windows and click on "Tools" => "Folder Options" => "View" and be sure to check off "Show Hidden Files and Folders". If the files etc lised are not present - Do not worry, just delete those that you can find. If no path is lited, you may need to search for the file(s) - To search, click on "Start" => "Search" => "For Files and Folders" .> "All Files and Folders" and type in the file name. You can delete it right from the search results window.

  1. DIRECTORY CONTENTS (But not the directory)
    • C:\Windows\Temp\
    • C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <=This will delete all your cached internet content including cookies. This is recommended and strongly suggested.
    • C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
    • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
    • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
    • Empty your "Recycle Bin"

[*]DIRECTORIES

  • Nothing Yet

[*]FILES

  • C:\WINNT\mstaskss.exe
  • C:\WINNT\system32\IEXPLORE.EXE
  • C:\WINNT\Downloaded Program Files\bridge.dll
  • C:\WINNT\msstasks.exe
  • C:\WINNT\system32\windll32.exe
  • C:\WINNT\system32\wintsvcc.exe
  • PURITYSCAN.EXE <= You will have to do a search for this file

Reboot again and log in normally, repost a new HijackThis log into this message for further review.

Share this post


Link to post
Share on other sites

Completed next steps - here's the new log after reboot & running HJT again:

 

Thanks again!

 

***********

 

Logfile of HijackThis v1.97.7

C:\HJT\HijackThis.exe

Edited by jessa_lee

Share this post


Link to post
Share on other sites

Your log is looking clean :)

 

Here are some tips, to reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:

  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.

To protect yourself further:

  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.

I also suggest that you delete any files from "temp", "tmp" folders. In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files" and select the box that says "Delete All Offline Content" and click on "OK" twice. Also, empty the recycle bin by right clicking on it and selecting "Empty Recycle Bin". These steps should be done on a regular basis.

Share this post


Link to post
Share on other sites
Sign in to follow this  
Followers 0