
Thread: Corrupt Search Results

  1. #1

    Corrupt Search Results

    I used Spybot, Lavasoft, Webroot on my computer to search for spyware, adware.

    I have noticed over the last two days that when I search on Google and Yahoo the first 4-5 results are all porn-type sites, and they are the same sites coming up no matter what I search for or whether I search on Google/Yahoo.

    I even removed IE explorer and installed Firefox and the problem still happens.

    Has anybody experienced this problem? If so, can anyone help?

    thanks

  2. #2
    Senior Member hesperus's Avatar
    Join Date
    Jan 2005
    Posts
    416
    Here is an example of something like what you describe:

    http://www.webpronews.com/insiderrep...leResults.html

    I would suggest a thorough scan in safe mode. Carefully follow the directions in this tutorial:

    http://www.antionline.com/showthread...hreadid=265440

    Good luck, and let us know.
    .

  3. #3
    Hoopy Frood
    Join Date
    Jun 2004
    Posts
    662
    Update all your programs to their latest versions (Spybot has version 1.4 out now and Lavasoft has version 1.06 out now). Boot into Safemode (F8 when your computer is starting up and then choose Safe Mode) and run all your scans from there.

    This prevents (99.9 percent of the time) the malware/spyware/crapware from starting up and interfering with the program scans.

    Download and install HiJackThis (http://www.spywareinfo.com/~merijn/downloads.html). Run a scan and post the scan log here and let us have a look at it.

    - X
    "Personality is only ripe when a man has made the truth his own."

    -- Søren Kierkegaard

  4. #4
    OK, ran HijackThis in Safe Mode and below is the result. Also, any tips on avoiding this kind of browser hijacking software from infecting my computer?



    Logfile of HijackThis v1.99.1
    Scan saved at 19:06:53, on 10/09/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\Documents and Settings\esi\Local Settings\Temp\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://renjo.com/
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [messageshield] C:\Program Files\Messageshield\messageshield.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
    O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Regscan] C:\WINDOWS\System32\regscan.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
    O4 - Startup: AOL 6.0 Tray Icon.lnk = C:\AOL 6.0\aoltray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
    O9 - Extra 'Tools' menuitem: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
    O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
    O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\cool.cab
    O16 - DPF: {33331111-1111-1111-1111-622221193458} - file://c:\ex.cab
    O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O21 - SSODL: sTEtAzr - {C8368FDD-629C-2577-FA5F-BD4AADB14AC0} - C:\WINDOWS\System32\pyxnj.dll
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

  5. #5
    Leftie Linux Lover the_JinX's Avatar
    Join Date
    Nov 2001
    Location
    Beverwijk Netherlands
    Posts
    2,534
    O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
    O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\cool.cab
    O16 - DPF: {33331111-1111-1111-1111-622221193458} - file://c:\ex.cab
    O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
    Just click on the net-nucleus link

    And WTF ?
    O9 - Extra button: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
    O9 - Extra 'Tools' menuitem: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
    ASCII stupid question, get a stupid ANSI.
    When in Russia, pet a PETSCII.

    Get your ass over to SLAYRadio the best station for C64 Remixes !

  6. #6
    Senior Member hesperus's Avatar
    Join Date
    Jan 2005
    Posts
    416
    O9 - Extra button: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk

    O9 - Extra 'Tools' menuitem: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk

    O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
    These jump out right away.

    O21 - SSODL: sTEtAzr - {C8368FDD-629C-2577-FA5F-BD4AADB14AC0} - C:\WINDOWS\System32\pyxnj.dll
    This is fishy, but I am not sure what it is, so take care. It didn't show up on Google.

    O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\cool.cab
    O16 - DPF: {33331111-1111-1111-1111-622221193458} - file://c:\ex.cab
    O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
    Suspicious. A quick search shows the last one is trojan related.

    I would start looking at these.

    Take care when playing with the registry like this. You can do damage. I have just had a quick look at this. The first group I would go ahead with, and I would do away with the "eied_s7.cab". The rest call for some more digging.

    Good luck.

    /beat me Jinx
    .
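
Added example (not part of hesperus's post or the original thread): a short Python triage pass over a few entries copied from the log in post #4, flagging the entry types singled out above for a manual look: O15 Trusted Zone sites, O16 DPF controls whose source is a local file:// CAB, and O21 SSODL DLLs. The function names are illustrative; a match marks an entry for review rather than proving it is malicious, and the O9 entries, which were flagged by name, are not covered.

```python
import re

# Lines copied from the HijackThis log in post #4 of this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKCU\..\Run: [Regscan] C:\WINDOWS\System32\regscan.exe
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O21 - SSODL: sTEtAzr - {C8368FDD-629C-2577-FA5F-BD4AADB14AC0} - C:\WINDOWS\System32\pyxnj.dll
"""

# An entry line is a section code (R0, O4, O16, ...) followed by " - " and the detail.
ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.*)$")

def parse(log_text):
    """Yield (section, detail) per entry line; headers and the process list are skipped."""
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if m:
            yield m.group(1), m.group(2).strip()

def review_reason(section, detail):
    """Return why an entry deserves a manual look, or None if no heuristic applies."""
    if section == "O15":
        return "site added to the Trusted Zone"
    if section == "O16" and re.search(r" - file://", detail, re.I):
        return "ActiveX control (Downloaded Program Files) installed from a local .cab"
    if section == "O21":
        return "ShellServiceObjectDelayLoad DLL loaded by Explorer at startup"
    return None

def triage(log_text):
    """Return [(section, reason, detail)] for entries matching the heuristics above."""
    flagged = []
    for section, detail in parse(log_text):
        reason = review_reason(section, detail)
        if reason:
            flagged.append((section, reason, detail))
    return flagged

if __name__ == "__main__":
    for section, reason, detail in triage(SAMPLE_LOG):
        print(f"{section}: {reason}\n    {detail}")
```
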

  7. #7
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    Logfile of HijackThis v1.99.1
    Scan saved at 19:06:53, on 10/09/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\Documents and Settings\esi\Local Settings\Temp\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://renjo.com/
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [messageshield] C:\Program Files\Messageshield\messageshield.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
    O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Regscan] C:\WINDOWS\System32\regscan.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
    O4 - Startup: AOL 6.0 Tray Icon.lnk = C:\AOL 6.0\aoltray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
    O9 - Extra 'Tools' menuitem: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
    O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
    O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\cool.cab
    O16 - DPF: {33331111-1111-1111-1111-622221193458} - file://c:\ex.cab
    O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O21 - SSODL: sTEtAzr - {C8368FDD-629C-2577-FA5F-BD4AADB14AC0} - C:\WINDOWS\System32\pyxnj.dll

    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    I highlighted what I would remove....

    You can always restore...

    Not sure what that awbeta is???

    Personally...if I don't know what it is...and can't find anything on Google other than other HijackThis logs...I delete.

    You can always restore.

    You may need to do this in safe mode

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  8. #8
    Senior Member
    Join Date
    Jul 2004
    Posts
    469
    Originally posted here by mooret
    O21 - SSODL: sTEtAzr - {C8368FDD-629C-2577-FA5F-BD4AADB14AC0} - C:\WINDOWS\System32\pyxnj.dll
    This really caught my eye. Most of the problems with wrong content stem from bad dlls. This one is what I think is causing those issues.

  9. #9
    Senior Member hesperus's Avatar
    Join Date
    Jan 2005
    Posts
    416
    Also Any tips on avoiding this kind of browser hijacking software from infecting my computer ?
    Switch to Firefox.

    Get a registry protector like RegProt.

    Make antivirus/spyware scanning (in safemode) a regular habit.

    Use a firewall.

    Don't visit shady sites.
    .

  10. #10

    Well, here's one suggestion

    Why don't you run a good pop-up blocker to filter out java scripts when you surf the net? 9 times out of 10 java scripts are the culprit for malware and the other small percent is from ActiveX scripts. So there you go. I use Ad Subtract Pro whenever I surf unknown territory. Changing your browser is a tad extreme in any case because you're still going to get java scripts if they are not filtered, no matter what browser you use.
