blonde in need of help with DIRECTWEBSEARCH.NET

ShineEyeGal

:banghead:

PLEASE I am so desperate. I have tried EVERY search site on directwebsearch.net to find a way to remove this nasty BUG from my PC. My homepage has been changed to weba.directwebsearch.net, I am getting CASINO pop up ads, and I have alot of PORN in my favourites folder. I downloaded HIJACK this and here is my LOG. I will greatfully share my beer and chips with anyone willing to assist me.

Logfile of HijackThis v1.97.7
Scan saved at 18:28:11, on 05/07/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\SOPHOS SWEEP\ICMON.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\TEMP\ICSUPP95.EXE
D:\MY DOCUMENTS\HIJACKTHIS.EXE
C:\WINDOWS\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =
http://weba.directwebsearch.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://weba.directwebsearch.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http://weba.directwebsearch.net/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://weba.directwebsearch.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
http://weba.directwebsearch.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
http://weba.directwebsearch.net/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL =
http://weba.directwebsearch.net/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://weba.directwebsearch.net/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://weba.directwebsearch.net/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://weba.directwebsearch.net/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.microsoft.com/isapi/redir.dl...ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://weba.directwebsearch.net/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
http://weba.directwebsearch.net/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
http://weba.directwebsearch.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
http://red.clientapps.yahoo.com/customi....yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer,Search =
http://weba.directwebsearch.net/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,Search =
http://weba.directwebsearch.net/search.html
F1 - win.ini: run=.
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM
FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_3_19_0.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} -
C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_3_19_0.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [InterCheckMonitor] "C:\PROGRAM FILES\SOPHOS SWEEP\ICMON.EXE"
-minimised
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Sweep95] C:\Program Files\Sophos SWEEP\ICLOAD95.EXE
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe
-quiet
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat -
http://us.chat1.yimg.com/us.yimg.com/i/...1/chat.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper)
- http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
http://download.macromedia.com/pub/shoc...wflash.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) -
http://us.dl1.yimg.com/download.yahoo.c...040510.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} -
http://download.microsoft.com/download/...mv9VCM.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
http://v4.windowsupdate.microsoft.com/C...3666898148
O16 - DPF: {11010101-1001-1111-1000-110112345678} -
ms-its:mhtml:file://c:\nosuch.mht!http://weba.directwebsearch.net/winsearchie32.chm::/winsearchie32.exe
O16 - DPF: Yahoo! Dominoes -
http://download.games.yahoo.com/games/clients/y/dot7_x.cab
O16 - DPF: ConferenceRoom Java Client -

GHoosdum

Reboot in Safe mode, re-run Hijack This and remove these:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =
http://weba.directwebsearch.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://weba.directwebsearch.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http://weba.directwebsearch.net/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://weba.directwebsearch.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
http://weba.directwebsearch.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
http://weba.directwebsearch.net/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL =
http://weba.directwebsearch.net/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://weba.directwebsearch.net/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://weba.directwebsearch.net/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://weba.directwebsearch.net/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.microsoft.com/isapi/redir.dl...ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://weba.directwebsearch.net/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
http://weba.directwebsearch.net/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
http://weba.directwebsearch.net/search.html

R1 - HKCU\Software\Microsoft\Internet Explorer,Search =
http://weba.directwebsearch.net/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,Search =
http://weba.directwebsearch.net/search.html

Also, please download, run and update, then scan with both AdAware 6.181 and SpyBot S&D 1.3.

primesuspect

Welcome to short-media. Please read this first:

http://www.short-media.com/forum/showthread.php?t=14915

edcentric

Be careful SEG, you don't know what some of these guys will do for beer and chips. (beer and fish and chips for some of them)

Read prime's link, and just take things a step at a time.

Tex

Lady did you ever come to the right place..... Is the beer really cold? We do better work when the beer is REALlY cold. (grin)

Tex

ShineEyeGal

GHOOSDUM - im sending you a case of BOTH right now! Thank you so much. Problem solved!! I did run AD-AWARE, SPY BOT, TROJAN SCAN, and anything else i could think of. For what ever reason this DIRECTWEBSEARCH thingy wouldnt LEAVE my PC. I am naming my first born after you!!! :celebrate

primesuspect

Hahahahaha a baby named "Guy Hoosdum"

Stick around, welcome to short-media. Have you ever thought of using your computer for a good cause?

Dexter

blonde in need of help with DIRECTWEBSEARCH.NET

Hmmm, you apparently are also a blonde with a good sense of how to get the attention of techno-geeks on the internet

Dexter...

GHoosdum

ShineEyeGal wrote:

GHOOSDUM - I am naming my first born after you!!!

I'm glad I helped, but I'm very sure your kid would resent being named GHoosdum.



And prime,

http://www.short-media.com/forum/showthread.php?t=14915

is a great thread! I hadn't seen it yet, but I'll be sure to refer people to it in the future.

Kareta

I'm having the exact same problem as SEG, and, even though I followed exactly what GHoosdum said to do, it keeps coming back. I'm pretty much at a loss, and extremely frustrated. :bawling:

Here's my log:

Logfile of HijackThis v1.97.7
Scan saved at 4:06:08 PM, on 7/7/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\CTsvcCDA.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft Works\WkDetect.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Creative\PlayCenter2\CTNMRUN.EXE
C:\MEDIA\AIM\aim.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Documents and Settings\Elizabeth\Desktop\My Stuff\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://weba.directwebsearch.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://weba.directwebsearch.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://weba.directwebsearch.net/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://weba.directwebsearch.net/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://weba.directwebsearch.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://weba.directwebsearch.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://weba.directwebsearch.net/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://weba.directwebsearch.net/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://weba.directwebsearch.net/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://weba.directwebsearch.net/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://weba.directwebsearch.net/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://weba.directwebsearch.net/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://weba.directwebsearch.net/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://weba.directwebsearch.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://weba.directwebsearch.net/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://weba.directwebsearch.net/search.html
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {D4818B2E-4FBC-4AEA-5DDA-73EF1CCD3EF5} - C:\WINNT\system32\MSGIEA.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [Tray Temperature] C:\DOCUME~1\ELIZAB~1\LOCALS~1\Temp\MiniBug.exe 1
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [winupd] C:\WINNT\system32\winupd.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [NOMAD Detector] "C:\Program Files\Creative\PlayCenter2\CTNMRUN.EXE"
O4 - HKCU\..\Run: [AIM] C:\MEDIA\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Media\Music\La la la\WinZip\WZQKPICK.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Encarta Encyclopedia (HKLM)
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
O9 - Extra button: Define (HKLM)
O9 - Extra 'Tools' menuitem: Define (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/09447e9465f2d4f22001/netzip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37892.5496875
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab

GHoosdum

Did you follow primesuspect's primer as well? If not, it's a really great guide.

Reboot in 'safe mode' and remove these:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://weba.directwebsearch.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://weba.directwebsearch.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://weba.directwebsearch.net/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://weba.directwebsearch.net/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://weba.directwebsearch.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://weba.directwebsearch.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://weba.directwebsearch.net/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://weba.directwebsearch.net/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://weba.directwebsearch.net/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://weba.directwebsearch.net/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://weba.directwebsearch.net/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://weba.directwebsearch.net/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://weba.directwebsearch.net/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://weba.directwebsearch.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://weba.directwebsearch.net/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://weba.directwebsearch.net/search.html

O2 - BHO: (no name) - {D4818B2E-4FBC-4AEA-5DDA-73EF1CCD3EF5} - C:\WINNT\system32\MSGIEA.dll (I couldn't find any reference to this, so it's not normal)

O4 - HKLM\..\Run: [winupd] C:\WINNT\system32\winupd.exe (this might even be a virus, so run a scan too)

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/09447e9...ip/RdxIE601.cab (The only references I see to this are in other people's hijack this logs, so I don't think it's on the up-and-up)

Kareta

Thanks, but I got a little impatient and started another thread yesterday and managed to fix it.

GHoosdum

Great!