Hi there!!!
I've managed to pick up the extremely annoying Netsearchsoft homepage hijacker from somewhere.....serves me right for no keeping up to date with my version of spyware blaster! :(
Here's my hijackthis log which is full of nasty stuff and I'd really appreciate your help analysing this....Thanks!!!
Logfile of HijackThis v1.97.7
Scan saved at 20:47:14, on 19/04/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\D-Tools\daemon.exe
C:\PROGRA~1\Inside Ping\Funk Eggs.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Window Active\winactive.exe
C:\WINDOWS\explorer.exe
E:\Utilities\Anti Spyware\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://netsearchsoft.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://netsearchsoft.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = netsearchsoft.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://netsearchsoft.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://netsearchsoft.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://netsearchsoft.com/searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://netsearchsoft.com/searchbar.html
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {E9565628-67EB-5A60-2936-8D3F74A983B7} - C:\PROGRA~1\STOREN~1\Book user.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: PopUpCop - {DB43E4E6-FF8A-4018-8C8E-F68587A44A73} - C:\PROGRA~1\PopUpCop\PopUpCop.dll
O3 - Toolbar: 01 ante audio - {7C09EB3F-AA2E-B76C-9183-21192BBAAB27} - C:\PROGRA~1\STOREN~1\Book user.dll
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [chinnoun] C:\PROGRA~1\Inside Ping\Funk Eggs.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [winactive] C:\Program Files\Window Active\winactive.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: Open Image in New Window - res://C:\PROGRA~1\PopUpCop\popupcop.dll/imagenew
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...38053.519537037
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9B239C73-CAFB-4236-B6AE-C79ABC9063D0}: NameServer = 192.168.0.1,10.0.0.1
Full Version: Arrrgggghhh - Netsearchsoft Browser Hijack
Before we do anything, please move HiJackThis to a permanent folder. I suggest 'c:\program files\hijackthis\' but any folder other than the Desktop or a temporary folder is fine. This will allow us to use backups to restore entries if necessary
Check the following items in HijackThis.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://netsearchsoft.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://netsearchsoft.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = netsearchsoft.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://netsearchsoft.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://netsearchsoft.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://netsearchsoft.com/searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://netsearchsoft.com/searchbar.html
O2 - BHO: (no name) - {E9565628-67EB-5A60-2936-8D3F74A983B7} - C:\PROGRA~1\STOREN~1\Book user.dll
O3 - Toolbar: 01 ante audio - {7C09EB3F-AA2E-B76C-9183-21192BBAAB27} - C:\PROGRA~1\STOREN~1\Book user.dll
O4 - HKLM\..\Run: [chinnoun] C:\PROGRA~1\Inside Ping\Funk Eggs.exe
O4 - HKLM\..\Run: [winactive] C:\Program Files\Window Active\winactive.exe
Close all windows except HijackThis and click Fix checked:
Reboot in Safe Mode* and delete the following: (you may need to show hidden files**)
C:\PROGRA~1\Inside Ping\Funk Eggs.exe
C:\Program Files\Window Active\winactive.exe
*How to Boot into Safe mode: http://service1.symantec.com/SUPPORT/tsgen...001052409420406
**Show hidden files/folders as per the instructions here http://www.tacktech.com/display.cfm?ttid=190
Also, uncheck the boxes for hiding known file extensions and hiding protected operating system files. We want to see it all. When we finish here, it would be a good idea to rehide the protected operating system files but leave the rest to be shown.
Reboot. (not necessary, but recommended)
Post another HiJackThis log in this thread for review.
Check the following items in HijackThis.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://netsearchsoft.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://netsearchsoft.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = netsearchsoft.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://netsearchsoft.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://netsearchsoft.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://netsearchsoft.com/searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://netsearchsoft.com/searchbar.html
O2 - BHO: (no name) - {E9565628-67EB-5A60-2936-8D3F74A983B7} - C:\PROGRA~1\STOREN~1\Book user.dll
O3 - Toolbar: 01 ante audio - {7C09EB3F-AA2E-B76C-9183-21192BBAAB27} - C:\PROGRA~1\STOREN~1\Book user.dll
O4 - HKLM\..\Run: [chinnoun] C:\PROGRA~1\Inside Ping\Funk Eggs.exe
O4 - HKLM\..\Run: [winactive] C:\Program Files\Window Active\winactive.exe
Close all windows except HijackThis and click Fix checked:
Reboot in Safe Mode* and delete the following: (you may need to show hidden files**)
C:\PROGRA~1\Inside Ping\Funk Eggs.exe
C:\Program Files\Window Active\winactive.exe
*How to Boot into Safe mode: http://service1.symantec.com/SUPPORT/tsgen...001052409420406
**Show hidden files/folders as per the instructions here http://www.tacktech.com/display.cfm?ttid=190
Also, uncheck the boxes for hiding known file extensions and hiding protected operating system files. We want to see it all. When we finish here, it would be a good idea to rehide the protected operating system files but leave the rest to be shown.
Reboot. (not necessary, but recommended)
Post another HiJackThis log in this thread for review.
That seems to have done the trick!!! 
How does the log look now....any more nasty surprises lurking in there??
Logfile of HijackThis v1.97.7
Scan saved at 20:20:57, on 20/04/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
E:\Utilities\Anti Spyware\HijackThis\HijackThis.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: PopUpCop - {DB43E4E6-FF8A-4018-8C8E-F68587A44A73} - C:\PROGRA~1\PopUpCop\PopUpCop.dll
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: Open Image in New Window - res://C:\PROGRA~1\PopUpCop\popupcop.dll/imagenew
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...38053.519537037
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9B239C73-CAFB-4236-B6AE-C79ABC9063D0}: NameServer = 192.168.0.1,10.0.0.1
How does the log look now....any more nasty surprises lurking in there??
Logfile of HijackThis v1.97.7
Scan saved at 20:20:57, on 20/04/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
E:\Utilities\Anti Spyware\HijackThis\HijackThis.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: PopUpCop - {DB43E4E6-FF8A-4018-8C8E-F68587A44A73} - C:\PROGRA~1\PopUpCop\PopUpCop.dll
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: Open Image in New Window - res://C:\PROGRA~1\PopUpCop\popupcop.dll/imagenew
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...38053.519537037
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9B239C73-CAFB-4236-B6AE-C79ABC9063D0}: NameServer = 192.168.0.1,10.0.0.1
Great news, your system is clean at last.
To reduce the potential for spyware infection in the future, I strongly recommend installing SpywareBlaster and SpyWareGuard and IE/Spyad.
SpywareBlaster and SpywareGuard are by JavaCool and both are free programs. SpywareBlaster will prevent spyware from being installed and consumes no system resources. SpywareGuard offers realtime protection from spyware installation attempts.
More info and download is available at:
SpywareBlaster: http://www.javacoolsoftware.com/spywareblaster.html
SpywareGuard: http://www.wilderssecurity.net/spywareguard.html
IE/Spyad places over 4000 websites and domains in the IE Restricted list which will several impair attempts to infect your system. It is free.
More info and download is available at:
IE/Spyad:
http://www.staff.uiuc.edu/~ehowes/resource.htm
Good luck, and thanks for coming to Gladiator Security Forums.
NOTE: This thread is now closed. Should you need it reopened, please PM a mod.
Everyone else having a similar issue, please launch a new topic for yourselves.
To reduce the potential for spyware infection in the future, I strongly recommend installing SpywareBlaster and SpyWareGuard and IE/Spyad.
SpywareBlaster and SpywareGuard are by JavaCool and both are free programs. SpywareBlaster will prevent spyware from being installed and consumes no system resources. SpywareGuard offers realtime protection from spyware installation attempts.
More info and download is available at:
SpywareBlaster: http://www.javacoolsoftware.com/spywareblaster.html
SpywareGuard: http://www.wilderssecurity.net/spywareguard.html
IE/Spyad places over 4000 websites and domains in the IE Restricted list which will several impair attempts to infect your system. It is free.
More info and download is available at:
IE/Spyad:
http://www.staff.uiuc.edu/~ehowes/resource.htm
Good luck, and thanks for coming to Gladiator Security Forums.
NOTE: This thread is now closed. Should you need it reopened, please PM a mod.
Everyone else having a similar issue, please launch a new topic for yourselves.
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.