patrickdz

IE Hijacked, tried everything... what to do?

9 posts in this topic

Hi Everyone,

 

Here's another person with little computer knowledge in need of help on removing the coolwebsearch hijack-spyware-thing. No idea how I got it in the first place but I'll describe here what I've done to clean the infection.

 

I use a probably terribly old computer, AMD Pentium 2 at 300 MHz. Since I'm a student I have no money for any improvement on that side... I have a LAN connection through my University. Last night for some reason (I suspect a mis-click in a spam message on hotmail) all this weird stuff started happening. After using Ad-Aware (fully up to date reference file) three times I understood that this was something bigger. I use Norman Virus Control (registered and fully up to date version). I use Windows 98, but IE version 6. The symptoms are as follows:

 

- IE startpage set to coolsearch.biz

- IE jumps to that same page at the weirdest of times (like when I tried starting my topic)

- A link named "XXX" keeps popping up on my desktop

- out of nothing my computer starts IE to the web page casinopalazzo.com

- even with the LAN disconnected the computer starts using my backup dial-in connection without warning

- Norman Virus Control has alerted me about various incoming Trojans about 3 times (one of them I wrote down: W32/DLoader.AH) and quarantined them

 

there is probably more damage done than I can see or have noticed.

 

Here's what I've done so far:

- 3 times Ad-Aware led to a total of over 300 objects needed removal (probably because the trojan keeps popping up after being removed).

- at startup, the whole thing starts again

- Norman Virus Control reported no other Trojans except the ones it quarantined at arrival

- A full system virusscan reports nothing

- I downloaded CWShredder. It removed CWS.Yexe. I noticed that the Yexe version has different symptoms reported than I have which puzzles me.

- After removing it, it just pops up again after 10 minutes. So every ten minutes I can run CWShredder again and it will remove it again and so on and so on

- After the first run of CWShredder I decided to run all available security patches for my IE that were available from microsoft. According to CWShredder that should cover the hole... well, the whole thing came back again

- Then I decided to remove the MS Java thing (sorry, don't remember the name) that isn't supported anymore and should also cover op from reinfection... that also didn't work...

 

So what next?

I hope someone here can help me get rid of this nasty thing! Many many thanks in advance!

 

I will post the HJT log in the next post!

 

Patrick from The Netherlands


Logfile of HijackThis v1.97.7

Scan saved at 16:26:54, on 26-6-2004

Platform: Windows 98 SE (Win9x 4.10.2222A)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\PROGRAM FILES\NORMAN\NVC\BIN\ZANDA.EXE

C:\WINDOWS\EXPLORER.EXE

C:\PROGRAM FILES\NORMAN\NVC\BIN\CCLAW.EXE

C:\PROGRAM FILES\NORMAN\NVC\BIN\NVCSCHED.EXE

C:\PROGRAM FILES\NORMAN\NVC\BIN\NJEEVES.EXE

C:\PROGRAM FILES\NORMAN\NVC\BIN\NIP.EXE

C:\WINDOWS\SYSTEM\RPCSS.EXE

C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\LOADQM.EXE

C:\WINDOWS\SYSTEM\QTTASK.EXE

C:\PROGRAM FILES\NORMAN\NVC\BIN\ZLH.EXE

C:\PROGRAM FILES\SITECOM\C2SLOAD.EXE

C:\WINDOWS\RunDLL.exe

C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE

C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE

C:\WINDOWS\SYSTEM\TAPISRV.EXE

C:\PROGRAM FILES\NORMAN\NVC\BIN\NYMSE.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\PROGRAM FILES\SITECOM\IFR_SHARE.EXE

C:\WINDOWS\SYSTEM\SPOOL32.EXE

C:\WINDOWS\Twunk_16.exe

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\WINDOWS\SYSTEM\SERVICES\DALE.EXE

C:\PROGRAM FILES\NORMAN\NVC\BIN\NVCOD.EXE

C:\WINDOWS\SYSTEM\PSTORES.EXE

C:\WINDOWS\SYSTEM\RNAAPP.EXE

C:\HJT\HIJACKTHIS.EXE

 

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchbar.linksummary.com/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.coolsearch.biz/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.linksummary.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.hetnet.nl:8080

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.coolsearch.biz/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://searchbar.linksummary.com/

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

F1 - win.ini: run=C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\NEM219.DLL (file missing)

O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [scanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [CFGWIZ31] C:\WINDOWS\SYSTEM\CFGWIZ31.EXE

O4 - HKLM\..\Run: [MOBSYNB] C:\WINDOWS\SYSTEM\MOBSYNB.EXE

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE

O4 - HKLM\..\Run: [Norman ZANDA] C:\PROGRAM FILES\NORMAN\NVC\BIN\ZLH.EXE /LOAD /SPLASH

O4 - HKLM\..\Run: [Click2Share] C:\Program Files\Sitecom\C2SLoad.exe

O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [Norman ZANDA] C:\PROGRAM FILES\NORMAN\NVC\BIN\ZANDA.EXE /LOAD

O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY

O4 - HKCU\..\Run: [WNST] C:\WINDOWS\SYSTEM\wnsapicc.exe

O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE

O4 - Startup: Office Opstarten.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE

O4 - Startup: Microsoft Office Snelzoeken.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html

O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html

O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html

O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html

O9 - Extra button: Related (HKLM)

O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

O12 - Plugin for .bat: C:\PROGRA~1\Intern~1\PLUGINS\npqtplugin2.dll

O12 - Plugin for .pif: C:\PROGRA~1\Intern~1\PLUGINS\npqtplugin2.dll

O12 - Plugin for .exe: C:\PROGRA~1\Intern~1\PLUGINS\npqtplugin.dll

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {1A4DA620-6217-11CF-BE62-0080C72EDD2D} (MarqueeCtl Object) - file://D:\scripts\vbscript\marquee.ocx

O16 - DPF: {59CCB4A0-727D-11CF-AC36-00AA00A47DD2} (Timer Object) - file://D:\scripts\vbscript\ietimer.ocx

O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = Leidenuniv.nl

O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 132.229.8.6,132.229.22.2


Hi Patrick,

 

First download and run:

http://securityresponse.symantec.com/avcen...moval.tool.html

 

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

 

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchbar.linksummary.com/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.coolsearch.biz/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.linksummary.com/

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.coolsearch.biz/

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://searchbar.linksummary.com/

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

F1 - win.ini: run=C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE

 

O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\NEM219.DLL (file missing)

O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)

 

O4 - HKLM\..\Run: [CFGWIZ31] C:\WINDOWS\SYSTEM\CFGWIZ31.EXE

O4 - HKLM\..\Run: [MOBSYNB] C:\WINDOWS\SYSTEM\MOBSYNB.EXE

 

O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE

 

O4 - HKCU\..\Run: [WNST] C:\WINDOWS\SYSTEM\wnsapicc.exe

O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE

 

Download and run: CWShredder

Use the Fix button and follow the instructions you will receive.

 

Then reboot into safe mode and delete:

C:\WINDOWS\SYSTEM\wnsapicc.exe

C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE

 

Also see if you have files called:

jsconsole.dll

notepad.COM

 

Let me know if and where you found them.

 

Regards,

 

Pieter

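The triage Pieter does by eye above (spotting start/search pages pointing at an unexpected host, BHOs with no DLL behind them, and one executable registered under several autorun locations such as win.ini and both the HKLM and HKCU Run keys) can be automated as a first pass over a HijackThis log. The script below is an added example; it is not code from this thread, from HijackThis or from its author. The TRUSTED_HOSTS allowlist is an assumption for the demonstration, and the sample log is a constructed subset of the lines in Patrick's first log.

```python
"""First-pass triage of HijackThis-style log lines (added example, not from the thread)."""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Hosts the user is expected to have as start/search page: an assumption for this example.
TRUSTED_HOSTS = {"www.google.com", "www.msn.com"}

# Constructed sample: a subset of the lines from the first log posted in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchbar.linksummary.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.coolsearch.biz/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.hetnet.nl:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
F1 - win.ini: run=C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\NEM219.DLL (file missing)
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
O4 - HKCU\..\Run: [WNST] C:\WINDOWS\SYSTEM\wnsapicc.exe
O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
"""

# "R1 - <body>", "O4 - <body>", "F1 - <body>" ...
LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
# O4 body: "<registry location>: [<entry name>] <command line>"
AUTORUN_RE = re.compile(r"^(?P<location>.+?): \[(?P<name>[^\]]*)\] (?P<command>.+)$")
# F1 body: "win.ini: run=<command line>"
WININI_RE = re.compile(r"^win\.ini: run=(?P<command>.+)$")


def parse_line(line):
    """Split a log line into (section code, body); None for headers and process lists."""
    m = LINE_RE.match(line.strip())
    return (m.group("section"), m.group("body")) if m else None


def check_browser_settings(section, body):
    """Flag R0/R1 URL values whose host is not on the allowlist."""
    if section not in ("R0", "R1"):
        return None
    key, sep, value = body.partition(" = ")
    value = value.strip()
    if not sep or not value.lower().startswith(("http://", "https://")):
        return None  # ProxyServer, LinksFolderName etc. are not URLs
    host = (urlparse(value).hostname or "").lower()
    if host not in TRUSTED_HOSTS:
        return f"browser setting {key.rsplit(',', 1)[-1]} points at untrusted host {host}"
    return None


def check_bho(section, body):
    """Flag Browser Helper Objects whose registered DLL is not on disk."""
    if section == "O2" and ("(no file)" in body.lower() or "(file missing)" in body.lower()):
        return "BHO registered but its DLL is not on disk"
    return None


def autorun_target(section, body):
    """Return (autorun location, normalised executable) for O4 and F1 entries, else None."""
    if section == "O4":
        m = AUTORUN_RE.match(body)
        if m:
            exe = m.group("command").strip().strip('"').split(" /")[0].lower()
            return m.group("location"), exe
    elif section == "F1":
        m = WININI_RE.match(body)
        if m:
            return "win.ini run=", m.group("command").strip().lower()
    return None


def triage(log_text):
    """Return a list of (log line, reason) findings for a whole log."""
    findings = []
    launched_from = defaultdict(list)  # executable -> [(line, location), ...]
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        section, body = parsed
        for check in (check_browser_settings, check_bho):
            reason = check(section, body)
            if reason:
                findings.append((line, reason))
        target = autorun_target(section, body)
        if target:
            launched_from[target[1]].append((line, target[0]))
    # The same executable registered in several autorun locations is worth a second look.
    for exe, entries in launched_from.items():
        if len(entries) > 1:
            locations = ", ".join(loc for _, loc in entries)
            for line, _ in entries:
                findings.append((line, f"{exe} is launched from {len(entries)} autorun locations ({locations})"))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

On the sample the script reports the two hijacked search/start entries, the two BHOs with no file behind them, and the three entries that all launch MSXMIDI.EXE, which matches the lines Pieter asked Patrick to fix. The allowlist approach is deliberate: a helper cannot know every malicious host, but a user normally knows the one or two sites they chose as start page.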

Hi Pieter,

 

Dank je wel or many thanks for posting this... here's what happened since the last time I posted:

I needed internet for my study and while using it my computer had a sort of nervous breakdown and started to load god knows what from the net. It ended up with me having to reset the thing, after which it was trying to install hardware that I don't even have (don't remember what it was, a PCI "..." board connection or something...). Ad-Aware removed another load of stuff (over a hundred objects...). Since then I didn't dare to switch my computer on or anything... But here are the results of your instructions:

 

The w32magistr removal tool yielded nothing (so no infection there).

 

I couldn't find a few of the items in the new HJT scan which were:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.coolsearch.biz/

and

O4 - HKCU\..\Run: [WNST] C:\WINDOWS\SYSTEM\wnsapicc.exe

 

Then I ran CWShredder. I couldn't use the updater in the program for some reason, but my version is the one from last weekend. At startup CWS gave a message stating that my computer is infected with the CWS.Smartsearch.2 trojan, which had tried to close CWShredder. The scan though was totally negative: CWShredder found no version of CWS on my computer. After the scan I tried to find the newest version through the internet, but IE wouldn't work anymore.

 

I rebooted in safe mode as instructed. I could not find the file c:\windows\system\wnsapicc.exe, but I did find c:\windows\system\services\msxmidi.exe. In that same folder I found losve.exe, which had the same icon as the xxx-link on my desktop; I removed that file. Also I found a file named dale.exe, which I believe was one of the trojans picked up by Norman Virus Control, so I deleted that as well.

 

I could not find the files called jsconsole.exe or notepad.COM.

 

I rebooted back in normal mode to write this... Also I downloaded the latest version of CWShredder (if it was changed since last weekend) which led to the same results and still that infection with CWS.Smartsearch.2.

 

I have the feeling that this doesn't mean I'm rid of the problems... Any ideas what to do now... the whole thing is getting on my nerves...

 

I will post my new HJT log in the next post!

 

Many thanks and greetings!

Patrick


Logfile of HijackThis v1.97.7

Scan saved at 20:52:29, on 29-6-2004

Platform: Windows 98 SE (Win9x 4.10.2222A)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\PROGRAM FILES\NORMAN\NVC\BIN\ZANDA.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\SYSTEM\RPCSS.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\LOADQM.EXE

C:\WINDOWS\SYSTEM\QTTASK.EXE

C:\PROGRAM FILES\NORMAN\NVC\BIN\ZLH.EXE

C:\PROGRAM FILES\SITECOM\C2SLOAD.EXE

C:\PROGRAM FILES\INTERNET OPTIMIZER\OPTIMIZE.EXE

C:\WINDOWS\MSBB.EXE

C:\WINDOWS\TASKMON.EXE

C:\PROGRAM FILES\REALPLAYER\REALPLAY.EXE

C:\WINDOWS\RunDLL.exe

C:\WINDOWS\SYSTEM\NDRV.EXE

C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE

C:\PROGRAM FILES\SITECOM\IFR_SHARE.EXE

C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\WINDOWS\SYSTEM\SPOOL32.EXE

C:\WINDOWS\SYSTEM\TAPISRV.EXE

C:\WINDOWS\Twunk_16.exe

C:\PROGRAM FILES\NORMAN\NVC\BIN\CCLAW.EXE

C:\PROGRAM FILES\NORMAN\NVC\BIN\NVCSCHED.EXE

C:\PROGRAM FILES\NORMAN\NVC\BIN\NYMSE.EXE

C:\PROGRAM FILES\NORMAN\NVC\BIN\NJEEVES.EXE

C:\PROGRAM FILES\NORMAN\NVC\BIN\NIP.EXE

C:\WINDOWS\SYSTEM\PSTORES.EXE

C:\HJT\HIJACKTHIS.EXE

 

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.hetnet.nl:8080

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: (no name) - {1B7D753B-1981-4bd2-91F3-6D055EE113A0} - C:\WINDOWS\SYSTEM\NDRV.DLL

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [scanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE

O4 - HKLM\..\Run: [Norman ZANDA] C:\PROGRAM FILES\NORMAN\NVC\BIN\ZLH.EXE /LOAD /SPLASH

O4 - HKLM\..\Run: [Click2Share] C:\Program Files\Sitecom\C2SLoad.exe

O4 - HKLM\..\Run: [internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"

O4 - HKLM\..\Run: [msbb] c:\windows\msbb.exe

O4 - HKLM\..\Run: [ibqh] C:\WINDOWS\ibqh.exe

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [Taakcontrole] C:\WINDOWS\taskmon.exe

O4 - HKLM\..\Run: [RealTray] C:\Program Files\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [Norman ZANDA] C:\PROGRAM FILES\NORMAN\NVC\BIN\ZANDA.EXE /LOAD

O4 - HKLM\..\RunServices: [AVSynMgr] C:\Program Files\McAfee\VirusScan TC\AVSYNMGR.EXE

O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY

O4 - HKCU\..\Run: [NDrv] C:\WINDOWS\SYSTEM\NDrv.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Startup: Office Opstarten.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE

O4 - Startup: Microsoft Office Snelzoeken.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html

O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html

O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html

O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html

O12 - Plugin for .bat: C:\PROGRA~1\Intern~1\PLUGINS\npqtplugin2.dll

O12 - Plugin for .pif: C:\PROGRA~1\Intern~1\PLUGINS\npqtplugin2.dll

O12 - Plugin for .exe: C:\PROGRA~1\Intern~1\PLUGINS\npqtplugin.dll

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {1A4DA620-6217-11CF-BE62-0080C72EDD2D} (MarqueeCtl Object) - file://D:\scripts\vbscript\marquee.ocx

O16 - DPF: {59CCB4A0-727D-11CF-AC36-00AA00A47DD2} (Timer Object) - file://D:\scripts\vbscript\ietimer.ocx

O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = Leidenuniv.nl

O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 132.229.8.6,132.229.22.2


Hi Patrick,

 

Check the following items in HijackThis.

Close all windows except HijackThis and click Fix checked:

 

O2 - BHO: (no name) - {1B7D753B-1981-4bd2-91F3-6D055EE113A0} - C:\WINDOWS\SYSTEM\NDRV.DLL

 

O4 - HKLM\..\Run: [internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"

O4 - HKLM\..\Run: [msbb] c:\windows\msbb.exe

O4 - HKLM\..\Run: [ibqh] C:\WINDOWS\ibqh.exe

 

O4 - HKCU\..\Run: [NDrv] C:\WINDOWS\SYSTEM\NDrv.exe

 

Then reboot into safe mode and delete:

C:\Program Files\Internet Optimizer <= entire folder

c:\windows\msbb.exe

C:\WINDOWS\ibqh.exe

C:\WINDOWS\SYSTEM\NDrv.exe

 

Regards,

 

Pieter


Hi Pieter,

 

Many thanks again for the quick reply!!!

I followed all the steps you mentioned in your last post. I could find all the files/folders you mentioned and deleted them. I noticed that msbb.exe and ibqh.exe were hidden files...

Before removing all this, IE wouldn't run properly on certain pages and closed all the time. Now it runs properly, although my entire computer seems a bit slower than usual (but that could be my impatience).

 

I ran CWShredder again to see if the message about CWS.Smartsearch.2 being present would come again, and although CWShredder took unusually long to start up, the message didn't appear now.

 

Do you think this means that we've gotten rid of the problem? I'll post the current HJT log underneath...

 

Best regards,

Patrick

 

 

Logfile of HijackThis v1.97.7

Scan saved at 10:50:23, on 30-6-2004

Platform: Windows 98 SE (Win9x 4.10.2222A)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\PROGRAM FILES\NORMAN\NVC\BIN\ZANDA.EXE

C:\WINDOWS\EXPLORER.EXE

C:\PROGRAM FILES\NORMAN\NVC\BIN\CCLAW.EXE

C:\PROGRAM FILES\NORMAN\NVC\BIN\NVCSCHED.EXE

C:\PROGRAM FILES\NORMAN\NVC\BIN\NJEEVES.EXE

C:\PROGRAM FILES\NORMAN\NVC\BIN\NIP.EXE

C:\WINDOWS\SYSTEM\RPCSS.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\LOADQM.EXE

C:\WINDOWS\SYSTEM\QTTASK.EXE

C:\PROGRAM FILES\NORMAN\NVC\BIN\ZLH.EXE

C:\PROGRAM FILES\SITECOM\C2SLOAD.EXE

C:\WINDOWS\TASKMON.EXE

C:\PROGRAM FILES\REALPLAYER\REALPLAY.EXE

C:\WINDOWS\RunDLL.exe

C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE

C:\PROGRAM FILES\NORMAN\NVC\BIN\NYMSE.EXE

C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE

C:\PROGRAM FILES\SITECOM\IFR_SHARE.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\WINDOWS\SYSTEM\SPOOL32.EXE

C:\WINDOWS\SYSTEM\TAPISRV.EXE

C:\WINDOWS\Twunk_16.exe

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\WINDOWS\SYSTEM\PSTORES.EXE

C:\HJT\HIJACKTHIS.EXE

 

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.hetnet.nl:8080

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [scanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE

O4 - HKLM\..\Run: [Norman ZANDA] C:\PROGRAM FILES\NORMAN\NVC\BIN\ZLH.EXE /LOAD /SPLASH

O4 - HKLM\..\Run: [Click2Share] C:\Program Files\Sitecom\C2SLoad.exe

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [Taakcontrole] C:\WINDOWS\taskmon.exe

O4 - HKLM\..\Run: [RealTray] C:\Program Files\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [Norman ZANDA] C:\PROGRAM FILES\NORMAN\NVC\BIN\ZANDA.EXE /LOAD

O4 - HKLM\..\RunServices: [AVSynMgr] C:\Program Files\McAfee\VirusScan TC\AVSYNMGR.EXE

O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Startup: Office Opstarten.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE

O4 - Startup: Microsoft Office Snelzoeken.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html

O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html

O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html

O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html

O12 - Plugin for .bat: C:\PROGRA~1\Intern~1\PLUGINS\npqtplugin2.dll

O12 - Plugin for .pif: C:\PROGRA~1\Intern~1\PLUGINS\npqtplugin2.dll

O12 - Plugin for .exe: C:\PROGRA~1\Intern~1\PLUGINS\npqtplugin.dll

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {1A4DA620-6217-11CF-BE62-0080C72EDD2D} (MarqueeCtl Object) - file://D:\scripts\vbscript\marquee.ocx

O16 - DPF: {59CCB4A0-727D-11CF-AC36-00AA00A47DD2} (Timer Object) - file://D:\scripts\vbscript\ietimer.ocx

O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = Leidenuniv.nl

O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 132.229.8.6,132.229.22.2


Hi Patrick,

 

Looks like you have it under control now.

 

To speed things up a bit, Fix or uncheck in msconfig:

O4 - Startup: Office Opstarten.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE

O4 - Startup: Microsoft Office Snelzoeken.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

 

For a Dutch version of my spyware site: http://home.planet.nl/~kleyn080/Spywareinfonl.html

 

Regards,

 

Pieter


Hi Pieter,

 

WOW, that sounds great!

 

Everything seems to be working OK now... phew, I thought that I'd have to sweep the entire system...

 

Thanks a million for helping me out!!!!!

 

I will certainly have a look at your anti-spyware page to prevent another infection, of course!

 

Again, thanks a lot!

 

Greetings!

Patrick
