-
September 14th, 2005, 11:03 PM
#1
Member
Corrupt Search Results
I Used Spybot, Lavasoft ,webroot on my computer to search for Spyware, Adware.
I have noticed over the last two days that when i search on Google and Yahoo the first 4-5 results are all porn type sites , and they are the same sites coming up no matter what i search for or whether i search on Google/yahoo.
I even removed IE explorer and installed Firefox and the problem still happens.
Has anybody experience this problems ? if so can anyone help .
thanks
-
September 14th, 2005, 11:32 PM
#2
Here is an example of something like what you describe :
http://www.webpronews.com/insiderrep...leResults.html
I would suggest a thorough scan in safe mode. Carefully follow the directions in this tutorial :
http://www.antionline.com/showthread...hreadid=265440
Good luck, and let us know.
-
September 14th, 2005, 11:35 PM
#3
Update all your programs to their latest versions (Spybot has version 1.4 out now and Lavasoft has version 1.06 out now). Boot into Safemode (F8 when your computer is starting up and then choose Safe Mode) and run all your scans from there.
This prevents (99.9 percent of the time) the malware/spyware/crapware from starting up and interfering with the program scans.
Download and install HiJackThis (http://www.spywareinfo.com/~merijn/downloads.html). Run a scan and post the scan log here and let us have a look at it.
- X
"Personality is only ripe when a man has made the truth his own."
-- Søren Kierkegaard
-
September 16th, 2005, 07:37 PM
#4
Member
Ok , Ran Hijackthis in Safemode and below is the result. Also Any tips on avoiding this kind of browser hijacking software from infecting my computer ?
Logfile of HijackThis v1.99.1
Scan saved at 19:06:53, on 10/09/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\esi\Local Settings\Temp\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://renjo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [messageshield] C:\Program Files\Messageshield\messageshield.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Regscan] C:\WINDOWS\System32\regscan.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - Startup: AOL 6.0 Tray Icon.lnk = C:\AOL 6.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\cool.cab
O16 - DPF: {33331111-1111-1111-1111-622221193458} - file://c:\ex.cab
O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O21 - SSODL: sTEtAzr - {C8368FDD-629C-2577-FA5F-BD4AADB14AC0} - C:\WINDOWS\System32\pyxnj.dll
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
-
September 16th, 2005, 08:01 PM
#5
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\cool.cab
O16 - DPF: {33331111-1111-1111-1111-622221193458} - file://c:\ex.cab
O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
Just click on the net-nucleus link
And WTF ?
O9 - Extra button: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
ASCII stupid question, get a stupid ANSI.
When in Russia, pet a PETSCII.
Get your ass over to SLAYRadio the best station for C64 Remixes !
-
September 16th, 2005, 08:05 PM
#6
O9 - Extra button: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
These jump out right away.
O21 - SSODL: sTEtAzr - {C8368FDD-629C-2577-FA5F-BD4AADB14AC0} - C:\WINDOWS\System32\pyxnj.dll
This is fishy, but I am not sure what it is, so take care. It didn't show up on google.
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\cool.cab
O16 - DPF: {33331111-1111-1111-1111-622221193458} - file://c:\ex.cab
O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
Suspicious. A quick search shows the last one is trojan related.
I would start looking at these.
Take care when playing with the registry like this. You can do damage. I have just had a quick look at this. The first group I would go ahead with, and I would do away with the "eied_s7.cab". The rest call for some more digging.
Good luck.
/beat me Jinx
-
September 16th, 2005, 08:05 PM
#7
Logfile of HijackThis v1.99.1
Scan saved at 19:06:53, on 10/09/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\esi\Local Settings\Temp\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://renjo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [messageshield] C:\Program Files\Messageshield\messageshield.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Regscan] C:\WINDOWS\System32\regscan.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - Startup: AOL 6.0 Tray Icon.lnk = C:\AOL 6.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\cool.cab
O16 - DPF: {33331111-1111-1111-1111-622221193458} - file://c:\ex.cab
O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O21 - SSODL: sTEtAzr - {C8368FDD-629C-2577-FA5F-BD4AADB14AC0} - C:\WINDOWS\System32\pyxnj.dll
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
I highlighed what I would remove....
You can always restore...
Not sure what that awbeta is???
Personally...if I dont know what it is...and cant find anything on goole other then other hijackthis logs...I delete.
You can always restore.
You may need to do this in safe mode
MLF
How people treat you is their karma- how you react is yours-Wayne Dyer
-
September 16th, 2005, 08:10 PM
#8
Originally posted here by mooret
O21 - SSODL: sTEtAzr - {C8368FDD-629C-2577-FA5F-BD4AADB14AC0} - C:\WINDOWS\System32\pyxnj.dll
This really caught my eye. Most of the problems with wrong content stem from bad dlls. This one is what I think is causing those issues.
-
September 16th, 2005, 08:21 PM
#9
Also Any tips on avoiding this kind of browser hijacking software from infecting my computer ?
Switch to Firefox.
Get a registry protector like RegProt.
Make antivirus/spyware scanning (in safemode) a regular habit.
Use a firewall.
Don't visit shady sites.
-
September 18th, 2005, 08:21 AM
#10
well here's one suggestion
why don't u run a good pop up blocker to filter out java scripts when u surf the net ? 9 times outta 10 java scripts are the culprit for malware and the other small percent is from active x scripts. so there ya go. i use ad subtract pro whenever i surf unknown territory. changing ur browser is a tad extreme in any case because ur still gonna get java scripts if they r not filtered no matter what browser u use.
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|