
Can't get rid of directwebsearch!!

Discussion in 'Security and Privacy' started by Maco88, 2004/07/11.

  1. 2004/07/11
    Maco88

    Maco88 Inactive Thread Starter

    Joined:
    2002/12/11
    Messages:
    99
    Likes Received:
    0
    Can't get rid of this!!

    This site is trying to set itself as my homepage.. but Spy Sweeper always warns me beforehand.. I get the following message:

    Spy Sweeper has detected that your home page has been changed

    Click YES to set your protected home page to
    http://woar.directwebsearch.net/index.php

    Click NO to change your home page back to
    http://ninemsn.com.au


    I tried deleting History, ran Spy Sweeper and got rid of any Spyware, but this pest keeps coming up..

    Anyone able to help me delete this from my system???

    Many Thanks
     
  2. 2004/07/11
    Steve R Jones

    Steve R Jones SuperGeek Staff

    Joined:
    2001/12/30
    Messages:
    12,315
    Likes Received:
    252
    Might try Ad-aware and/or SpyBot to help remove the little sucker.
     


  4. 2004/07/11
    Maco88

    Maco88 Inactive Thread Starter

    Joined:
    2002/12/11
    Messages:
    99
    Likes Received:
    0
    I would have thought Spy Sweeper would have done this as well. I just have a feeling it's something more...
     
  5. 2004/07/11
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    I would say to first follow up on Steve's suggestion and when done, reboot and post a HijackThis log.
     
  6. 2004/07/14
    Maco88

    Maco88 Inactive Thread Starter

    Joined:
    2002/12/11
    Messages:
    99
    Likes Received:
    0
    Thanks guys, I'll look into it and post back results
     
  7. 2004/08/29
    Maco88

    Maco88 Inactive Thread Starter

    Joined:
    2002/12/11
    Messages:
    99
    Likes Received:
    0
    Finally got around to running HijackThis and this is the log it produced. From what I can see, if I get rid of all the "woar.directwebsearch" entries I should be okay?
    Can anyone else see anything suspicious in the log?

    Much appreciated.

    Logfile of HijackThis v1.98.2
    Scan saved at 8:41:16 AM, on 8/30/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\spoolsv.exe
    E:\XP&98S~1\AVG6\avgserv.exe
    D:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
    D:\WINDOWS\System32\nvsvc32.exe
    D:\WINDOWS\System32\svchost.exe
    D:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
    D:\WINDOWS\Explorer.EXE
    D:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
    E:\XP & 98 Shared Programs\AVG6\avgcc32.exe
    D:\WINDOWS\system32\dla\tfswctrl.exe
    D:\Program Files\TaskPlus\taskplus0.exe
    E:\XP & 98 Shared Programs\Ashampoo Uninstaller\UIWatcher.exe
    D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    D:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    D:\WINDOWS\System32\devldr32.exe
    D:\Program Files\RecordNow MAX\MyCDPro.exe
    D:\Program Files\RecordNow MAX\Wizard\MyCD.exe
    E:\#Software - New\System Security\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://woar.directwebsearch.net/search.php
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://woar.directwebsearch.net/search.php
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://woar.directwebsearch.net/search.php
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://woar.directwebsearch.net/search.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://woar.directwebsearch.net/search.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://woar.directwebsearch.net/search.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://woar.directwebsearch.net/search.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ninemsn.com.au
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://woar.directwebsearch.net/search.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://woar.directwebsearch.net/search.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://woar.directwebsearch.net/search.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ninemsn.com.au
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://woar.directwebsearch.net/search.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://woar.directwebsearch.net/search.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://woar.directwebsearch.net/search.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://woar.directwebsearch.net/search.php
    O1 - Hosts: 69.31.79.189 auto.search.msn.com
    O1 - Hosts: 69.31.79.189 auto.search.msn.com
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - e:\xp & 98 shared programs\acrobat 5\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: PopUpCop - {DB43E4E6-FF8A-4018-8C8E-F68587A44A73} - E:\XP&98S~1\POPUPCOP\PopUpCop.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [AVG_CC] E:\XP & 98 Shared Programs\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\Run: [dla] D:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [TaskPlus] D:\Program Files\TaskPlus\taskplus0.exe
    O4 - HKLM\..\Run: [StorageGuard] "D:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [VOBRegCheck] D:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [winupd] D:\WINDOWS\System32\winupd.exe
    O4 - HKCU\..\Run: [UIWatcher] E:\XP & 98 Shared Programs\Ashampoo Uninstaller\UIWatcher.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] D:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
    O4 - HKCU\..\Run: [SpySweeper] D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: taskplus0.exe.lnk = D:\Program Files\TaskPlus\taskplus0.exe
    O8 - Extra context menu item: Download with GetRight - E:\XP & 98 Shared Programs\GetRight\GRdownload.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Open Image in New Window - res://E:\XP & 98 Shared Programs\PopUpCop\popupcop.dll/imagenew
    O8 - Extra context menu item: Open with GetRight Browser - E:\XP & 98 Shared Programs\GetRight\GRbrowse.htm
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE (file missing)
    O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: ConferenceRoom Java Client - http://nsw-chat.bigpond.com/java/cr.cab
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://c:\nosuch.mht!http://69.50.173.252/bonus.chm::/winpromo.exe
    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
     
  8. 2004/08/29
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Fix all R0, and R1, except for:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ninemsn.com.au
    I assume this is your IE home page.

    O1 - Hosts: 69.31.79.189 auto.search.msn.com
    O1 - Hosts: 69.31.79.189 auto.search.msn.com
    Fix both. "auto.search.msn.com" doesn't match the numeric address to the left of it.

    O4 - HKLM\..\Run: [TaskPlus] D:\Program Files\TaskPlus\taskplus0.exe
    O4 - Global Startup: taskplus0.exe.lnk = D:\Program Files\TaskPlus\taskplus0.exe
    Task and calendar management software available as freeware or as a "Professional" version for sharing over a LAN. Not needed at startup.

    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
    Initializes the clock and memory settings on nVidia based graphics cards. Enable only if you overclock your card.

    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    Associated with the newer versions of nVidia graphics card drivers. Allows you to immensely improve desktop layouts by setting preferences and optimizations. However, this isn't necessary for the operation of your system.

    O4 - HKLM\..\Run: [winupd] D:\WINDOWS\System32\winupd.exe
    This is a part of Beagle virus. More HERE

    O4 - HKCU\..\Run: [UIWatcher] E:\XP & 98 Shared Programs\Ashampoo Uninstaller\UIWatcher.exe
    Ashampoo Uninstaller Suite - installation watcher. Not needed at startup. Available via Start -> Programs

    O4 - HKCU\..\Run: [Yahoo! Pager] D:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
    Not needed at startup. Available via Start -> Programs

    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    Adjusts monitor colours across all programs, including Photoshop. It is needed by some graphics professionals who want their monitor calibrated. Most home users will not need it.

    O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
    Resource hog that launches common MS Office components. It isn't required anyway.

    O8 - Extra context menu item: Download with GetRight - E:\XP & 98 Shared Programs\GetRight\GRdownload.htm
    O8 - Extra context menu item: Open with GetRight Browser - E:\XP & 98 Shared Programs\GetRight\GRbrowse.htm
    Unregistered version of GetRight installs Aureate spyware; registered version adds Aureate registry keys every time it is started. Either way, get rid of it. Uninstall.

    O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://c:\nosuch.mht!http://69.50.173.252/bonus.chm::/winpromo.exe
    Fix it.
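    Added example, not code from the thread, from HijackThis or from any of the posters: a small Python triage script that applies the same reasoning broni used on the log above to the entry lines themselves. The sample lines are copied from the posted log; the allowlist (only the ninemsn.com.au home page) and the watchlist (only winupd.exe, which broni identifies as Beagle) are assumptions made for this example. Each check encodes one of the observations made in the thread: an IE start/search URL on an unexpected host (R0/R1), a hosts-file line sending a name somewhere other than loopback (O1), an autostart launching a watchlisted binary (O4), and an ActiveX download pulled through a non-web protocol handler or from a bare IP address (O16).

```python
"""Triage of HijackThis-style log entries (added example; not HijackThis code)."""
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Entry lines copied from the log posted earlier in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://woar.directwebsearch.net/search.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ninemsn.com.au
O1 - Hosts: 69.31.79.189 auto.search.msn.com
O4 - HKLM\..\Run: [winupd] D:\WINDOWS\System32\winupd.exe
O4 - HKLM\..\Run: [AVG_CC] E:\XP & 98 Shared Programs\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [StorageGuard] "D:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://c:\nosuch.mht!http://69.50.173.252/bonus.chm::/winpromo.exe
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
"""

# Assumptions for this example: IE settings should only point at the home page
# named in the thread, and the only watchlisted binary is the one broni called Beagle.
ALLOWED_HOSTS = {"ninemsn.com.au"}
WATCHLIST_EXES = {"winupd.exe"}

ENTRY = re.compile(r"^(?P<type>[RO]\d+) - (?P<body>.+)$")
# First executable path in a Run command, quoted or not, before any switches.
EXE_PATH = re.compile(r'^"?(?P<path>.*?\.(?:exe|dll|com|scr|bat|cmd))"?', re.IGNORECASE)
WEB_HOST = re.compile(r"https?://([^/\s:!]+)", re.IGNORECASE)

@dataclass(frozen=True)
class Finding:
    entry_type: str
    reason: str
    line: str

def parse_entries(log_text):
    """Yield (type, body, line) for each HijackThis entry line; headers are skipped."""
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if m:
            yield m.group("type"), m.group("body"), raw.strip()

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def check_r(etype, body, line):
    """R0/R1: IE start or search URL whose host is not on the allowlist."""
    _, _, value = body.partition(" = ")
    host = (urlparse(value.strip()).hostname or "").lower()
    if host and host not in ALLOWED_HOSTS:
        return Finding(etype, f"IE start/search setting points at {host}", line)
    return None

def check_o1(etype, body, line):
    """O1: hosts-file override that sends a name somewhere other than loopback."""
    parts = body.split()
    if len(parts) >= 3 and parts[0] == "Hosts:" and is_ip_literal(parts[1]):
        if not ipaddress.ip_address(parts[1]).is_loopback:
            return Finding(etype, f"hosts file redirects {parts[2]} to {parts[1]}", line)
    return None

def check_o4(etype, body, line):
    """O4: autostart whose launched binary is on the watchlist."""
    cmd = body.split("] ", 1)[-1]
    m = EXE_PATH.match(cmd)
    if m:
        exe = m.group("path").replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if exe in WATCHLIST_EXES:
            return Finding(etype, f"autostart launches watchlisted binary {exe}", line)
    return None

def check_o16(etype, body, line):
    """O16: ActiveX download using a non-web protocol handler or a bare IP host."""
    url = body.rsplit(" - ", 1)[-1].strip()
    scheme = url.split(":", 1)[0].lower()
    if scheme not in ("http", "https"):
        return Finding(etype, f"ActiveX download uses the {scheme}: protocol handler", line)
    if any(is_ip_literal(h) for h in WEB_HOST.findall(url)):
        return Finding(etype, "ActiveX download served from a bare IP address", line)
    return None

CHECKS = {"R0": check_r, "R1": check_r, "O1": check_o1, "O4": check_o4, "O16": check_o16}

def triage(log_text):
    """Run every applicable check and return the findings in log order."""
    findings = []
    for etype, body, line in parse_entries(log_text):
        check = CHECKS.get(etype)
        result = check(etype, body, line) if check else None
        if result:
            findings.append(result)
    return findings
```

    Calling `triage(SAMPLE_LOG)` returns four findings, one each for the R1 search hijack, the O1 hosts override, the winupd.exe autostart and the ms-its: download; the ninemsn.com.au start page, the AVG and StorageGuard autostarts and the Yahoo! Chat applet pass. The O4 check is deliberately a watchlist rather than a heuristic: a Run entry under System32 is not suspicious on its own, which is why the thread had to identify winupd.exe by name.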
     
  9. 2004/08/29
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    I see broni posted while I was preparing a reply, so much of this is a repeat of his recommendations.

    Download CWShredder from here. Save it to the desktop.

    Open Ad-aware and check for updates.

    Scan again with HijackThis and place a check next to the following entries. Close ALL other windows and click fix.

    All R1's and R0's
    O1 - Hosts: 69.31.79.189 auto.search.msn.com
    O1 - Hosts: 69.31.79.189 auto.search.msn.com
    O4 - HKLM\..\Run: [winupd] D:\WINDOWS\System32\winupd.exe
    O4 - HKCU\..\Run: [UIWatcher] E:\XP & 98 Shared Programs\Ashampoo Uninstaller\UIWatcher.exe
    O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://c:\nosuch.mht!http://69.50.173.252/bonus.chm::/winpromo.exe


    Right click My Computer and choose properties. On system restore tab, check the box to turn off. OK out.

    Go to start>run and type msconfig, hit enter. On the boot.ini tab, check the box next to /safeboot and OK. Yes to restart. This will restart your computer in safe mode. Log on to the Administrator account.

    Now in safe mode, you will need to show hidden files and folders, as well as system files.

    Open CWShredder and click fix.

    Open D:\WINDOWS\System32 and delete the file winupd.exe.

    Do a search for and delete the following files if present. Agent Ransack is a search tool far superior to XP's that will speed up the search.

    WINUPD.EXE (a copy of itself)
    WINUPD.EXEOPEN (a copy of itself)
    WINUPD.EXEOPENOPEN (a copy of itself compressed in ZIP or RAR)
    WINUPD.EXEOPENOPENOPEN (a picture file that shows the password of the .ZIP or .RAR file)


    Go to start>run and type regedit, then hit enter. Expand HKEY_CURRENT_USER and delete the key winupd.

    Open D:\Temp if present, select all and delete.
    Open D:\Windows\Temp, select all and delete.
    Open D:\Documents and settings\username\Local Settings\temp, select all and delete. Do this for all usernames.
    Open D:\Windows\Prefetch, select all and delete.

    Run Ad-aware in full scan mode. Delete all it finds.

    Open My Computer, right click Local disk D: and choose properties, then disk cleanup. Check all boxes except compress old files and OK.
    Uncheck the /safeboot box in msconfig and ok to reboot.

    Back in Windows, you can re-enable system restore. Then visit Windows Update. Accept all critical updates.
    Reboot and go back to Windows Update until there are no more criticals offered.
    Run another HijackThis scan and post the log.
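    Added example, not code from the thread or from any of the posters: a Python script for the "search for and delete the following files" step above. It walks a directory tree, reports every file whose name matches winupd.exe or one of the OPEN-suffixed copies listed in the procedure, and labels each hit by its leading bytes, since the thread says the suffixed copies are really an executable, a ZIP/RAR archive and a picture despite their names. It reports and deletes nothing; the fixture it builds is a constructed temporary tree with decoy bytes, not real malware, and the magic-byte table is this example's own.

```python
"""Report Beagle-style winupd.exe drops under a directory tree (added example)."""
import os
import re
import tempfile
from pathlib import Path

# File names listed in the thread: winupd.exe and its OPEN-suffixed copies.
DROP_NAME = re.compile(r"^winupd\.exe(?:open){0,3}$", re.IGNORECASE)

# Leading bytes used to say what a suffixed copy really contains; the thread says
# the double-OPEN copy is a ZIP/RAR and the triple-OPEN copy is a picture.
MAGIC = [(b"MZ", "PE executable"), (b"PK\x03\x04", "ZIP archive"), (b"Rar!", "RAR archive"),
         (b"\x89PNG", "PNG image"), (b"\xff\xd8", "JPEG image"), (b"GIF8", "GIF image")]

def classify(path):
    """Label a file by its magic bytes, ignoring the (possibly misleading) name."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    for magic, label in MAGIC:
        if head.startswith(magic):
            return label
    return "unknown"

def find_drops(root):
    """Walk root and list every file matching the drop-name pattern. Reports only; deletes nothing."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if DROP_NAME.match(name):
                full = os.path.join(dirpath, name)
                hits.append((full, os.path.getsize(full), classify(full)))
    return sorted(hits)

def summarize(root):
    """Map each hit's lower-cased file name to what its content looks like."""
    return {os.path.basename(p).lower(): kind for p, _size, kind in find_drops(root)}

def build_fixture():
    """Constructed directory tree standing in for D:\\ with decoy files (not real malware)."""
    root = tempfile.mkdtemp(prefix="beagle_demo_")
    sys32 = Path(root, "WINDOWS", "System32")
    sys32.mkdir(parents=True)
    (sys32 / "winupd.exe").write_bytes(b"MZ" + b"\0" * 30)
    temp = Path(root, "Documents and Settings", "user", "Local Settings", "Temp")
    temp.mkdir(parents=True)
    (temp / "WINUPD.EXEOPEN").write_bytes(b"MZ" + b"\0" * 30)
    (temp / "WINUPD.EXEOPENOPEN").write_bytes(b"PK\x03\x04" + b"\0" * 20)
    (temp / "WINUPD.EXEOPENOPENOPEN").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\0" * 16)
    (temp / "notes.txt").write_bytes(b"benign")               # must not be reported
    (temp / "winupd.exe.bak").write_bytes(b"MZ" + b"\0" * 8)  # suffix not in the list, not reported
    return root

if __name__ == "__main__":
    for path, size, kind in find_drops(build_fixture()):
        print(f"{size:6d}  {kind:14s}  {path}")
```

    Run against the fixture it reports exactly the four names from the procedure with their real content types; run against a real drive root it would do the same walk, which is the point of reviewing hits before deleting anything.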
     
  10. 2004/08/29
    Maco88

    Maco88 Inactive Thread Starter

    Joined:
    2002/12/11
    Messages:
    99
    Likes Received:
    0
    Thank you Guys.. I will go through it as per your recommendations and see how I go.

    Cheers
     
  11. 2004/08/29
    Maco88

    Maco88 Inactive Thread Starter

    Joined:
    2002/12/11
    Messages:
    99
    Likes Received:
    0
    Broni,

    All the "O4" above you mentioned, do I manually fix those or fix them through "HijackThis "??

    Thanks
     
  12. 2004/08/29
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    All O4 entries are startup programs, so in most cases you go Start>Run, type: MSCONFIG, go to the "Startup" tab, and uncheck them. They will still be on your computer, but they won't start when your computer starts.
    Except in two instances:
    - when it's said "uninstall", then uninstall
    - that Beagle virus entry has to be fixed by an AV program, or check the link I provided for manual removal.
     
  13. 2004/08/29
    Maco88

    Maco88 Inactive Thread Starter

    Joined:
    2002/12/11
    Messages:
    99
    Likes Received:
    0
    Thanks for clearing that up.
     