I have never posted to receive help before, but I need help more than ever now. I have some sort of program that is infecting my computer. It has replaced my old wallpaper on my desktop with some cryptic message that portrays itself as a warning. When I get on IExplorer the home page is a blue page that reads a similar warning. the address is as follows: C:\WINDOWS\secure.html. Also there are some links that possibly lead to e-shredder.com at the bottom though I have not dared to click on them. If anyone can help me with my dilemna, I would appreciate it. Please let me know what information you need and i will gladly provide it. Thank you in advance.
mcam 0 Newbie Poster
crunchie 990 Most Valuable Poster Team Colleague Featured Poster
Download & instal Spybot S&D from here. Update it before scanning.
After the scan is complete, have spybot fix everything marked RED.
On the page that first opens when you start Spybot there is an option to immunise, you should do this. In the immunise section there is also a link to download Spywareblaster. This program will prevent the install of bad activex controls that it has knowledge of. Download that & you can keep it updated by selecting the same link that you use to download it. Reboot
Download About:buster from http://malwarebytes.biz/AboutBuster.zip and unzip it to your desktop.
Download & instal Adaware from here
& update it before scanning.
In settings under 'scanning,' have it set to
'scan within archives,'
'scan active processes,'
'scan registry,'
'deepscan registry'
'scan my IE Favourites for banned URL's,'
'scan my host's file.'
In 'tweaks' under 'scanning engine' set it to 'unload recognised processes during scanning.'
Also in 'tweaks' under 'cleaning engine' set it to 'Automatically try to unregister objects prior to deletion' & 'let Windows remove files in use at next reboot.'
Click here for instructions on how to boot into safe mode.
Boot up in safe mode.
Run About:buster, click OK, Start, and OK again to start the scan. Let it scan and fix everything it finds.
Still in safe mode, do a full system scan with Adaware. When the scan is finished select *next* & place a check in the boxes to the left of what is found & click *next* again. Let it delete those entries.
Reboot your computer in normal mode.
Download HijackThis from here & unzip it into it's own, permanent folder, (Not a temporary folder or the desktop (in a folder on the desktop is fine) & not directly on your hard drive).
If you have anything disabled in MsConfig, please re-enable it/them.
Start HJT & with all browser windows closed, press the scan button. When the scan is finished the scan button will change to save. Save the log to a text file, copy the entire contents of the text file & paste it into the body of your post. DO NOT FIX ANYTHING YET. Most of what is there is necessary for the running of your system.
DuncanIdaho commented: Definitely THE expert here +1
mcam 0 Newbie Poster
Thanks for the direction. I had downloaded, updated, and tried Spybot prior to posting my original message. It did locate and fix the majority of the spyware located on my computer, but there are 2 problems it could not fix. Problem 1. "DSO Exploit." I clicked on it and attempted to fix it. Spybot notified me that the problem files had been deleted, but when I ran spybot again, the DSO Exploit was still there. Problem 2. "IE Plugin" Spybot said it was unable to remove this problem and asked if Spybot could run again after I reboot. I marked yes and rebooted, but again Spybot was unable to remove the IE Plugin problem. The IE plugin has one entry and the entry reads as follows: "Executable C:\WINDOWS\winserv.exe" The text of the entry is preceded by a warning sign.
I have downloaded and run hijackthis. Here is the log that it produced:
-----------------------------------------------------------------------------------
Logfile of HijackThis v1.98.2
Scan saved at 10:34:54 AM, on 9/5/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\support.com\bin\tgcmd.exe
C:\Program Files\Winad Client\Winad.exe
C:\WINDOWS\System32\windllsys32.exe
C:\Documents and Settings\Nicolas\Application Data\ttuh.exe
C:\WINDOWS\System32\jaee.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Winad Client\WinClt.exe
C:\WINDOWS\system32\scagent.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Documents and Settings\Nicolas\Local Settings\Temp\Temporary Directory 7 for hijackthis.zip\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81C3A} - C:\WINDOWS\EliteBar\EliteBar version 46.dll
O2 - BHO: (no name) - {623BDBE8-51A2-4566-A391-291F48C958DF} - C:\WINDOWS\System32\dncag.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA880F} - C:\WINDOWS\EliteBar\EliteBar version 46.dll
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\Wkfud.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [SysA] C:\windows\system32\winwht32.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [Winad Client] C:\Program Files\Winad Client\Winad.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [windllsys32.exe] C:\WINDOWS\System32\windllsys32.exe
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Nicolas\Application Data\ttuh.exe
O4 - HKCU\..\Run: [Pfwi] C:\WINDOWS\System32\jaee.exe
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=714b9e99bb1ec51fadc828f5983e23109b906c2b320d9f1b39ed54699be7e97f4caf42694383070009646062296ff92e68cfba8c:eb8a1fb09d00c5943edceabcca450006
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O18 - Filter: text/html - {EE7A946E-61FA-4979-87B8-A6C462E6FA62} - C:\WINDOWS\httpfilter.dll
O18 - Filter: text/plain - {6A420490-FBAD-42EB-9E57-4DE3F5B131D8} - C:\WINDOWS\System32\dncag.dll
O21 - SSODL: System - {94826AB4-1115-4692-B6EC-26C6F5ECABFE} - C:\WINDOWS\system32\system32.dll
-----------------------------------------------------------------------------------
I have used hijackthis once in the past and i was able to, under very strict guidelines, remove some problematic lines. I don't remember the log in the past being as long as this log, which may point to the stem of some of my current problems.
I appreciate the response and thank you in advance for any future assistance you may provide.
deonnanicole 5 Posting Whiz in Training
If you have all of your windows updates from Microsoft, ignore the DSO Exploit that Spybot S&D picks up...its a bug with Spybot. You can set it to ignore it if you want.
mcam 0 Newbie Poster
If you have all of your windows updates from Microsoft, ignore the DSO Exploit that Spybot S&D picks up...its a bug with Spybot. You can set it to ignore it if you want.
I do not have all my windows updates from microsoft. I attempted to get them but everytime the windowsupdate webpage begins to load I get redirected to some generic highjacker homepage.
deonnanicole 5 Posting Whiz in Training
I had missed so many of my updates that I couldn't get them all to download...if there is some way you can get to the page and order the Security Updates CD, you could do that. And it's very possible once you get the hijack fixed, that you could download them from the website...if that is the case, I would do that as soon as I got everything else fixed. Wish I knew more to tell you that would help. :)
crunchie 990 Most Valuable Poster Team Colleague Featured Poster
Unzip HJT into it's own permanent folder before doing anything in order for it to create backups. (Not a temporary folder or directly on the desktop (in a folder on the desktop is fine) & not directly on your hard drive). Then we can continue :). We do not want to lose any back-ups by running hijackthis from a temp folder.
Click My Computer, then C:\
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis". Now you have C:\HJT\ folder. Put your HijackThis.exe there, and double click to run it.
You can also do the following:
Download CWShredder from here & run it. Select the fix button & it will fix everything related to CoolWebSearch that is stored in it's database. Close ALL windows, including Iinternet Explorer, before running CWShredder. Reboot.
To help prevent this from happening again, install the patches for the vulnerabilities that this hijacker exploits by going here for your critical updates.
Reboot after doing this & post another log please.
mcam 0 Newbie Poster
Thank you. Will try both of those things...
bigleedog 0 Newbie Poster
Hey Mcam,
You still have a problem getting rid of DSO Exploit? I have just been successful in getting rid of it. If you (or anyone else) is still having difficulties let me know I will share.
crunchie 990 Most Valuable Poster Team Colleague Featured Poster
Hey Mcam,
You still have a problem getting rid of DSO Exploit? I have just been successful in getting rid of it. If you (or anyone else) is still having difficulties let me know I will share.
Can you share anyway? :)
bigleedog 0 Newbie Poster
No problem. First of all, this worked for me and I'm using windows xp. I am using (among many more lol) spybot: search and destroy. When you use this program it will say that you have DSO Exploit on your computer. Go ahead and tell the program to fix, and after the green check marks come up, click on the plus icon on the left of the "DSO Exploit". This will bring about a drop down list that describes the path and all that jazz. Now this is what I did...write down the paths of all the items listed. After that, run regedit.exe, and locate the items one by one and right click on them and delete them. **** This did not mess with my computer, but not sure about all ****
Try running search and destroy again and hopefully will come up without dso exploit. Then restart your computer just to make sure and check again. This is the procedure that worked for me and have not seen it since. -Bigleedog
bigleedog 0 Newbie Poster
Please let me know if this helps anyone. :)
crunchie 990 Most Valuable Poster Team Colleague Featured Poster
Would not personally advise anyone to start dabbling with their registry. My preferred method is to ensure that all Windows updates are installed & if the DSO exploit warning persists, set Spybot to ignore it.
Thanks for your solution anyway bigleedog.
bigleedog 0 Newbie Poster
No problem. You know more than me. :) Good luck to all!
You wouldn't say that if you knew LOL. :).
Be a part of the DaniWeb community
We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.