Help needed for hijacker with homepage address location of C:\WINDOWS\secure.html

#1 mcam, Sep 5th, 2004
I have never posted to receive help before, but I need help more than ever now. I have some sort of program that is infecting my computer. It has replaced my old wallpaper on my desktop with some cryptic message that portrays itself as a warning. When I get on IExplorer the home page is a blue page that reads a similar warning. The address is as follows: C:\WINDOWS\secure.html. Also there are some links that possibly lead to e-shredder.com at the bottom, though I have not dared to click on them. If anyone can help me with my dilemma, I would appreciate it. Please let me know what information you need and I will gladly provide it. Thank you in advance.
#2 crunchie (Moderator), Sep 5th, 2004
Download & install Spybot S&D from here. Update it before scanning.
After the scan is complete, have Spybot fix everything marked RED.
On the page that first opens when you start Spybot there is an option to immunise; you should do this. In the immunise section there is also a link to download SpywareBlaster. This program will prevent the install of bad ActiveX controls that it has knowledge of. Download that & you can keep it updated by selecting the same link that you use to download it. Reboot.

Download about:buster from http://malwarebytes.biz/AboutBuster.zip and unzip it to your desktop.

Download & install Adaware from here & update it before scanning.
In settings under 'scanning,' have it set to
'scan within archives,'
'scan active processes,'
'scan registry,'
'deepscan registry'
'scan my IE Favourites for banned URL's,'
'scan my host's file.'
In 'tweaks' under 'scanning engine' set it to 'unload recognised processes during scanning.'
Also in 'tweaks' under 'cleaning engine' set it to 'Automatically try to unregister objects prior to deletion' & 'let Windows remove files in use at next reboot.'

Click here for instructions on how to boot into safe mode.

Boot up in safe mode.

Run about:buster, click OK, Start, and OK again to start the scan. Let it scan and fix everything it finds.

Still in safe mode, do a full system scan with Adaware. When the scan is finished select *next* & place a check in the boxes to the left of what is found & click *next* again. Let it delete those entries.

Reboot your computer in normal mode.

Download HijackThis from here & unzip it into its own, permanent folder (not a temporary folder or the desktop (in a folder on the desktop is fine) & not directly on your hard drive).
If you have anything disabled in MsConfig, please re-enable it/them.
Start HJT & with all browser windows closed, press the scan button. When the scan is finished the scan button will change to save. Save the log to a text file, copy the entire contents of the text file & paste it into the body of your post. DO NOT FIX ANYTHING YET. Most of what is there is necessary for the running of your system.
#3 mcam, Sep 5th, 2004
Thanks for the direction. I had downloaded, updated, and tried Spybot prior to posting my original message. It did locate and fix the majority of the spyware located on my computer, but there are 2 problems it could not fix. Problem 1. "DSO Exploit." I clicked on it and attempted to fix it. Spybot notified me that the problem files had been deleted, but when I ran Spybot again, the DSO Exploit was still there. Problem 2. "IE Plugin." Spybot said it was unable to remove this problem and asked if Spybot could run again after I reboot. I marked yes and rebooted, but again Spybot was unable to remove the IE Plugin problem. The IE plugin has one entry and the entry reads as follows: "Executable C:\WINDOWS\winserv.exe". The text of the entry is preceded by a warning sign.
I have downloaded and run hijackthis. Here is the log that it produced:
-----------------------------------------------------------------------------------
Logfile of HijackThis v1.98.2
Scan saved at 10:34:54 AM, on 9/5/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\support.com\bin\tgcmd.exe
C:\Program Files\Winad Client\Winad.exe
C:\WINDOWS\System32\windllsys32.exe
C:\Documents and Settings\Nicolas\Application Data\ttuh.exe
C:\WINDOWS\System32\jaee.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Winad Client\WinClt.exe
C:\WINDOWS\system32\scagent.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Documents and Settings\Nicolas\Local Settings\Temp\Temporary Directory 7 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81C3A} - C:\WINDOWS\EliteBar\EliteBar version 46.dll
O2 - BHO: (no name) - {623BDBE8-51A2-4566-A391-291F48C958DF} - C:\WINDOWS\System32\dncag.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA880F} - C:\WINDOWS\EliteBar\EliteBar version 46.dll
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\Wkfud.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [SysA] C:\windows\system32\winwht32.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [Winad Client] C:\Program Files\Winad Client\Winad.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [windllsys32.exe] C:\WINDOWS\System32\windllsys32.exe
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Nicolas\Application Data\ttuh.exe
O4 - HKCU\..\Run: [Pfwi] C:\WINDOWS\System32\jaee.exe
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_fi...dceabcca450006
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
O18 - Filter: text/html - {EE7A946E-61FA-4979-87B8-A6C462E6FA62} - C:\WINDOWS\httpfilter.dll
O18 - Filter: text/plain - {6A420490-FBAD-42EB-9E57-4DE3F5B131D8} - C:\WINDOWS\System32\dncag.dll
O21 - SSODL: System - {94826AB4-1115-4692-B6EC-26C6F5ECABFE} - C:\WINDOWS\system32\system32.dll

-----------------------------------------------------------------------------------

I have used HijackThis once in the past and I was able to, under very strict guidelines, remove some problematic lines. I don't remember the log in the past being as long as this log, which may point to the stem of some of my current problems.

I appreciate the response and thank you in advance for any future assistance you may provide.
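The R0/R1 and O-section lines in the log above are what the helpers act on. As an added example (not from the thread, and not HijackThis's own logic), the following Python parses such entry lines and flags the patterns visible in this log: IE page values forced to a file on disk such as C:\WINDOWS\secure.html, about:NavigationFailure search values, unnamed BHOs, Run entries launched from the user's Application Data folder, O18 MIME filters and O21 SSODL entries. The sample lines are a constructed subset of the posted log, and the rule names and the heuristics behind them are assumptions of this example.

```python
import re
from typing import Iterator, List, Tuple

# Constructed sample: a subset of the HijackThis log posted in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: (no name) - {623BDBE8-51A2-4566-A391-291F48C958DF} - C:\WINDOWS\System32\dncag.dll
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Nicolas\Application Data\ttuh.exe
O18 - Filter: text/html - {EE7A946E-61FA-4979-87B8-A6C462E6FA62} - C:\WINDOWS\httpfilter.dll
O21 - SSODL: System - {94826AB4-1115-4692-B6EC-26C6F5ECABFE} - C:\WINDOWS\system32\system32.dll
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
LOCAL_FILE_RE = re.compile(r"^[A-Za-z]:\\")  # value is a path on a local drive
Finding = Tuple[str, str, str]  # (section, rule name, detail)

def parse_entries(log: str) -> Iterator[Tuple[str, str]]:
    """Yield (section, body) for each 'Rn - ...' / 'On - ...' entry line."""
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("sec"), m.group("body")

def split_r_entry(body: str) -> Tuple[str, str]:
    """Split an R0/R1 body 'HKCU\\...\\Main,Start Page = X' into ('Start Page', 'X')."""
    key, _, value = body.partition(" = ")
    return key.rsplit(",", 1)[-1], value.strip()

def triage(log: str) -> List[Finding]:
    """Flag entry patterns seen in the thread's log; the rules are this example's own."""
    findings: List[Finding] = []
    for sec, body in parse_entries(log):
        if sec in ("R0", "R1"):
            name, value = split_r_entry(body)
            if LOCAL_FILE_RE.match(value):      # home/search page forced to a file on disk
                findings.append((sec, "local-file-page", f"{name} = {value}"))
            elif value.lower().startswith("about:navigationfailure"):
                findings.append((sec, "search-redirect", f"{name} = {value}"))
        elif sec in ("O2", "O3") and "(no name)" in body:
            findings.append((sec, "unnamed-bho", body))
        elif sec == "O4" and "\\application data\\" in body.lower():
            findings.append((sec, "autorun-from-profile", body))
        elif sec == "O18" and body.startswith("Filter: text/"):
            findings.append((sec, "mime-filter", body))   # hooks every page/text IE renders
        elif sec == "O21":
            findings.append((sec, "ssodl", body))         # loaded by the shell at logon
    return findings
```

Benign entries such as the DellTouch Run line and the Comcast window title pass through untouched, so the output is a shortlist for a human to review, not a verdict.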
#4 deonnanicole, Sep 5th, 2004
If you have all of your Windows updates from Microsoft, ignore the DSO Exploit that Spybot S&D picks up...it's a bug with Spybot. You can set it to ignore it if you want.
#5 mcam, Sep 5th, 2004
Originally Posted by deonnanicole
If you have all of your Windows updates from Microsoft, ignore the DSO Exploit that Spybot S&D picks up...it's a bug with Spybot. You can set it to ignore it if you want.

I do not have all my Windows updates from Microsoft. I attempted to get them, but every time the Windows Update webpage begins to load I get redirected to some generic hijacker homepage.
#6 deonnanicole, Sep 5th, 2004
I had missed so many of my updates that I couldn't get them all to download...if there is some way you can get to the page and order the Security Updates CD, you could do that. And it's very possible once you get the hijack fixed, that you could download them from the website...if that is the case, I would do that as soon as I got everything else fixed. Wish I knew more to tell you that would help.
#7 crunchie (Moderator), Sep 6th, 2004
Unzip HJT into its own permanent folder before doing anything, in order for it to create backups (not a temporary folder or directly on the desktop (in a folder on the desktop is fine) & not directly on your hard drive). Then we can continue. We do not want to lose any back-ups by running HijackThis from a temp folder.

Click My Computer, then C:\
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis". Now you have C:\HJT\ folder. Put your HijackThis.exe there, and double click to run it.

You can also do the following:

Download CWShredder from here & run it. Select the fix button & it will fix everything related to CoolWebSearch that is stored in its database. Close ALL windows, including Internet Explorer, before running CWShredder. Reboot.

To help prevent this from happening again, install the patches for the vulnerabilities that this hijacker exploits by going here for your critical updates.

Reboot after doing this & post another log please.
#8 mcam, Sep 7th, 2004
Thank you. Will try both of those things...
#9 bigleedog, Oct 6th, 2004
Hey Mcam,
You still have a problem getting rid of DSO Exploit? I have just been successful in getting rid of it. If you (or anyone else) are still having difficulties, let me know and I will share.
#10 crunchie (Moderator), Oct 7th, 2004
Originally Posted by bigleedog
Hey Mcam,
You still have a problem getting rid of DSO Exploit? I have just been successful in getting rid of it. If you (or anyone else) are still having difficulties, let me know and I will share.

Can you share anyway?