IE Hijacked, tried everything... what to do?



#1 patrickdz


Posted 26 June 2004 - 09:54 AM

Hi Everyone,

Here's another person with little computer knowledge in need of help on removing the coolwebsearch hijack-spyware-thing. No idea how I got it in the first place but I'll describe here what I've done to clean the infection.

I use a probably terribly old computer, AMD Pentium 2 at 300 MHz. Since I'm a student I have no money for any improvement on that side... I have a LAN connection through my University. Last night for some reason (I suspect a mis-click in a spam message on hotmail) all this weird stuff started happening. After using Ad-Aware (fully up to date reference file) three times I understood that this was something bigger. I use Norman Virus Control (registered and fully up to date version). I use Windows 98, but IE version 6. The symptoms are as follows:

- IE startpage set to coolsearch.biz
- IE jumps to that same page at the weirdest of times (like when I tried starting my topic)
- A link named "XXX" keeps popping up on my desktop
- out of nothing my computer starts IE to the web page casinopalazzo.com
- even with the LAN disconnected the computer starts using my backup dial-in connection without warning
- Norman Virus Control has alerted me about various incoming Trojans about 3 times (one of them I wrote down: W32/DLoader.AH) and quarantined them

there is probably more damage done than I can see or have noticed.

Here's what I've done so far:
- 3 times Ad-Aware led to a total of over 300 objects needing removal (probably because the trojan keeps popping up after being removed).
- at startup, the whole thing starts again
- Norman Virus Control reported no other Trojans except the ones it quarantined at arrival
- A full system virusscan reports nothing
- I downloaded CWShredder. It removed CWS.Yexe. I noticed that the Yexe version has different symptoms reported than I have which puzzles me.
- After removing it, it just pops up again after 10 minutes. So every ten minutes I can run CWShredder again and it will remove it again and so on and so on
- After the first run of CWShredder I decided to run all available security patches for my IE that were available from Microsoft. According to CWShredder that should cover the hole... well, the whole thing came back again
- Then I decided to remove the MS Java thing (sorry, don't remember the name) that isn't supported anymore and should also protect against reinfection... that also didn't work...

So what next?
I hope someone here can help me get rid of this nasty thing! Many many thanks in advance!

I will post the HJT log in the next post!

Patrick from The Netherlands

#2 patrickdz


Posted 26 June 2004 - 09:55 AM

Logfile of HijackThis v1.97.7
Scan saved at 16:26:54, on 26-6-2004
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NORMAN\NVC\BIN\ZANDA.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\NORMAN\NVC\BIN\CCLAW.EXE
C:\PROGRAM FILES\NORMAN\NVC\BIN\NVCSCHED.EXE
C:\PROGRAM FILES\NORMAN\NVC\BIN\NJEEVES.EXE
C:\PROGRAM FILES\NORMAN\NVC\BIN\NIP.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\NORMAN\NVC\BIN\ZLH.EXE
C:\PROGRAM FILES\SITECOM\C2SLOAD.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\NORMAN\NVC\BIN\NYMSE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\SITECOM\IFR_SHARE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\Twunk_16.exe
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SERVICES\DALE.EXE
C:\PROGRAM FILES\NORMAN\NVC\BIN\NVCOD.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchbar.linksummary.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.coolsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.linksummary.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.hetnet.nl:8080
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.coolsearch.biz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://searchbar.linksummary.com/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F1 - win.ini: run=C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\NEM219.DLL (file missing)
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CFGWIZ31] C:\WINDOWS\SYSTEM\CFGWIZ31.EXE
O4 - HKLM\..\Run: [MOBSYNB] C:\WINDOWS\SYSTEM\MOBSYNB.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
O4 - HKLM\..\Run: [Norman ZANDA] C:\PROGRAM FILES\NORMAN\NVC\BIN\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [Click2Share] C:\Program Files\Sitecom\C2SLoad.exe
O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Norman ZANDA] C:\PROGRAM FILES\NORMAN\NVC\BIN\ZANDA.EXE /LOAD
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [WNST] C:\WINDOWS\SYSTEM\wnsapicc.exe
O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
O4 - Startup: Office Opstarten.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Office Snelzoeken.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .bat: C:\PROGRA~1\Intern~1\PLUGINS\npqtplugin2.dll
O12 - Plugin for .pif: C:\PROGRA~1\Intern~1\PLUGINS\npqtplugin2.dll
O12 - Plugin for .exe: C:\PROGRA~1\Intern~1\PLUGINS\npqtplugin.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {1A4DA620-6217-11CF-BE62-0080C72EDD2D} (MarqueeCtl Object) - file://D:\scripts\vbscript\marquee.ocx
O16 - DPF: {59CCB4A0-727D-11CF-AC36-00AA00A47DD2} (Timer Object) - file://D:\scripts\vbscript\ietimer.ocx
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = Leidenuniv.nl
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 132.229.8.6,132.229.22.2

#3 Metallica


Posted 29 June 2004 - 06:16 AM

Hi Patrick,

First download and run:
http://securityrespo...moval.tool.html

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchbar.linksummary.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.coolsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.linksummary.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.coolsearch.biz/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://searchbar.linksummary.com/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F1 - win.ini: run=C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE

O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\NEM219.DLL (file missing)
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)

O4 - HKLM\..\Run: [CFGWIZ31] C:\WINDOWS\SYSTEM\CFGWIZ31.EXE
O4 - HKLM\..\Run: [MOBSYNB] C:\WINDOWS\SYSTEM\MOBSYNB.EXE

O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE

O4 - HKCU\..\Run: [WNST] C:\WINDOWS\SYSTEM\wnsapicc.exe
O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE

Download and run: CWShredder
Use the Fix button and follow the instructions you will receive.

Then reboot into safe mode and delete:
C:\WINDOWS\SYSTEM\wnsapicc.exe
C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE

Also see if you have files called:
jsconsole.dll
notepad.COM

Let me know if and where you found them.

Regards,

Pieter

MVP Windows Security 2003-2015

Remove and prevent spyware
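The two "Fix checked" lists Pieter gives (this post and his next one) follow a recognisable pattern: start and search URLs rewritten to an unknown host, a URLSearchHook and BHOs whose file is gone, and autostart entries pointing into an odd directory or registered under both HKLM and HKCU. The script below is an added example, not code from the thread or from HijackThis, that applies those same heuristics to lines copied from Patrick's first log; EXPECTED_HOSTS and ODD_DIRS are illustrative assumptions.

```python
"""Heuristic triage of a HijackThis log (added example; not the thread's or HijackThis's code).

Parses the R0/R1/R3/F1/O2/O4 line formats seen in the logs above and flags entries on the
grounds the helper used. EXPECTED_HOSTS and ODD_DIRS are assumptions for illustration.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample: lines copied from the first log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.coolsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.linksummary.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F1 - win.ini: run=C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\NEM219.DLL (file missing)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
O4 - HKCU\..\Run: [WNST] C:\WINDOWS\SYSTEM\wnsapicc.exe
O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
"""

# IE values that hijackers rewrite (the R0/R1 value names that appear in the thread).
HIJACK_KEYS = {"Start Page", "Start Page_bak", "SearchURL", "Default_Search_URL", "SearchAssistant"}
# Hosts the owner would expect in those values (assumed; really whatever the user configured).
EXPECTED_HOSTS = {"www.google.com", "www.leidenuniv.nl"}
# Directories Windows 98 itself never populates with autostart executables (assumption).
ODD_DIRS = ("\\SYSTEM\\SERVICES\\",)

ENTRY_RE = re.compile(r"^(R[0-3]|F[01]|O\d+) - (.*)$")
R_RE = re.compile(r"^HK(?:LM|CU)\\.*?,(\w[\w ]*?) = (.*)$")
O4_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\(Run\w*): \[(.*?)\] (.*)$")


def triage(log_text):
    """Return [(raw_line, reason)] for every entry that deserves a second look."""
    findings = []
    hives_by_target = defaultdict(set)   # normalised O4 target -> {"HKLM", "HKCU"}
    o4_lines = []
    for raw in log_text.strip().splitlines():
        m = ENTRY_RE.match(raw)
        if not m:
            continue                     # header, process list or blank line
        kind, body = m.groups()
        if kind in ("R0", "R1"):
            r = R_RE.match(body)
            if r and r.group(1) in HIJACK_KEYS:
                host = urlparse(r.group(2)).hostname or ""
                if host not in EXPECTED_HOSTS:
                    findings.append((raw, f"{r.group(1)} redirected to {host}"))
        elif kind in ("R3", "O2"):
            if "(no file)" in body or "(file missing)" in body:
                findings.append((raw, f"{kind} entry whose file is missing"))
        elif kind == "F1":
            findings.append((raw, "win.ini run= autostart (legacy, rarely legitimate)"))
        elif kind == "O4":
            o = O4_RE.match(body)
            if not o:
                continue                 # Startup-folder .lnk entries use another format
            hive, _key, _name, target = o.groups()
            norm = target.strip('"').upper()
            hives_by_target[norm].add(hive)
            o4_lines.append((raw, norm))
            if any(d in norm for d in ODD_DIRS):
                findings.append((raw, "autostart from a directory Windows does not use"))
    # Second pass: one executable registered under both hives survives if only one entry is fixed.
    for raw, norm in o4_lines:
        if hives_by_target[norm] >= {"HKLM", "HKCU"}:
            findings.append((raw, "same target autostarted from both HKLM and HKCU"))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason:55} {line}")
```

The heuristics miss wnsapicc.exe, which Pieter recognised by name, so a triage like this narrows the list for a reviewer rather than replacing one.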


#4 patrickdz


Posted 29 June 2004 - 01:45 PM

Hi Pieter,

Dank je wel or many thanks for posting this... here's what happened since the last time I posted:
I needed internet for my study and while using it my computer had a sort of nervous breakdown and started to load god knows what from the net. It ended up in having to reset the thing, after which it was trying to install hardware that I don't even have (don't remember what it was, a PCI "..." board connection or something...). Ad-Aware removed another load of stuff (over a hundred objects...). Since then I didn't dare to switch my computer on or anything... But here are the results of your instructions:

The w32magistr removal tool yielded nothing (so no infection there).

I couldn't find a few of the items in the new HJT scan which were:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.coolsearch.biz/
and
O4 - HKCU\..\Run: [WNST] C:\WINDOWS\SYSTEM\wnsapicc.exe

Then I ran CWShredder. I couldn't use the updater in the program for some reason but my version is the one from last weekend. At startup CWShredder gave a message stating that my computer is infected with the CWS.Smartsearch.2 trojan that had tried to close CWShredder. The scan though was totally negative. CWShredder found no version of CWS on my computer. After the scan I tried to find the newest version through the internet but IE wouldn't work anymore.

I rebooted in safe mode as instructed. I could not find the file c:\windows\system\wnsapicc.exe but I did find c:\windows\system\services\msxmidi.exe. In that same folder I found losve.exe, which had the same icon as the XXX link on my desktop; I removed that file. Also I found a file named dale.exe which I believe was one of the trojans picked up by Norman Virus Control, so I deleted that as well.

I could not find the files called jsconsole.exe or notepad.COM.

I rebooted back in normal mode to write this... Also I downloaded the latest version of CWShredder (if it was changed since last weekend) which led to the same results and still that infection with CWS.Smartsearch.2.

I have the feeling that this doesn't mean I'm rid of the problems... Any ideas what to do now... the whole thing is getting on my nerves...

I will post my new HJT log in the next post!

Many thanks and greetings!
Patrick

#5 patrickdz


Posted 29 June 2004 - 01:49 PM

Logfile of HijackThis v1.97.7
Scan saved at 20:52:29, on 29-6-2004
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NORMAN\NVC\BIN\ZANDA.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\NORMAN\NVC\BIN\ZLH.EXE
C:\PROGRAM FILES\SITECOM\C2SLOAD.EXE
C:\PROGRAM FILES\INTERNET OPTIMIZER\OPTIMIZE.EXE
C:\WINDOWS\MSBB.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\NDRV.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\SITECOM\IFR_SHARE.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\Twunk_16.exe
C:\PROGRAM FILES\NORMAN\NVC\BIN\CCLAW.EXE
C:\PROGRAM FILES\NORMAN\NVC\BIN\NVCSCHED.EXE
C:\PROGRAM FILES\NORMAN\NVC\BIN\NYMSE.EXE
C:\PROGRAM FILES\NORMAN\NVC\BIN\NJEEVES.EXE
C:\PROGRAM FILES\NORMAN\NVC\BIN\NIP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.hetnet.nl:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {1B7D753B-1981-4bd2-91F3-6D055EE113A0} - C:\WINDOWS\SYSTEM\NDRV.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
O4 - HKLM\..\Run: [Norman ZANDA] C:\PROGRAM FILES\NORMAN\NVC\BIN\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [Click2Share] C:\Program Files\Sitecom\C2SLoad.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [msbb] c:\windows\msbb.exe
O4 - HKLM\..\Run: [ibqh] C:\WINDOWS\ibqh.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Taakcontrole] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Norman ZANDA] C:\PROGRAM FILES\NORMAN\NVC\BIN\ZANDA.EXE /LOAD
O4 - HKLM\..\RunServices: [AVSynMgr] C:\Program Files\McAfee\VirusScan TC\AVSYNMGR.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [NDrv] C:\WINDOWS\SYSTEM\NDrv.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Office Opstarten.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Office Snelzoeken.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O12 - Plugin for .bat: C:\PROGRA~1\Intern~1\PLUGINS\npqtplugin2.dll
O12 - Plugin for .pif: C:\PROGRA~1\Intern~1\PLUGINS\npqtplugin2.dll
O12 - Plugin for .exe: C:\PROGRA~1\Intern~1\PLUGINS\npqtplugin.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {1A4DA620-6217-11CF-BE62-0080C72EDD2D} (MarqueeCtl Object) - file://D:\scripts\vbscript\marquee.ocx
O16 - DPF: {59CCB4A0-727D-11CF-AC36-00AA00A47DD2} (Timer Object) - file://D:\scripts\vbscript\ietimer.ocx
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = Leidenuniv.nl
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 132.229.8.6,132.229.22.2

#6 Metallica


Posted 29 June 2004 - 01:58 PM

Hi Patrick,

Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

O2 - BHO: (no name) - {1B7D753B-1981-4bd2-91F3-6D055EE113A0} - C:\WINDOWS\SYSTEM\NDRV.DLL

O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [msbb] c:\windows\msbb.exe
O4 - HKLM\..\Run: [ibqh] C:\WINDOWS\ibqh.exe

O4 - HKCU\..\Run: [NDrv] C:\WINDOWS\SYSTEM\NDrv.exe

Then reboot into safe mode and delete:
C:\Program Files\Internet Optimizer <= entire folder
c:\windows\msbb.exe
C:\WINDOWS\ibqh.exe
C:\WINDOWS\SYSTEM\NDrv.exe

Regards,

Pieter



#7 patrickdz


Posted 30 June 2004 - 03:55 AM

Hi Pieter,

Many thanks again for the quick reply!!! :)
I followed all the steps you mentioned in your last post. I could find all the files/folders you mentioned and deleted them. I noticed that msbb.exe and ibqh.exe were hidden files...
Before removing all this IE wouldn't run properly on certain pages and closed all the time. Now it runs properly, although my entire computer seems a bit slower than usual (but that could be my impatience ;) ).

I ran CWShredder again to see if the message about CWS.Smartsearch.2 being present would come again, and although it took unusually long to start up CWShredder, the message didn't appear this time.

Do you think this means we've gotten rid of the problem? I'll post the current HJT log underneath...

Best regards,
Patrick


Logfile of HijackThis v1.97.7
Scan saved at 10:50:23, on 30-6-2004
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NORMAN\NVC\BIN\ZANDA.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\NORMAN\NVC\BIN\CCLAW.EXE
C:\PROGRAM FILES\NORMAN\NVC\BIN\NVCSCHED.EXE
C:\PROGRAM FILES\NORMAN\NVC\BIN\NJEEVES.EXE
C:\PROGRAM FILES\NORMAN\NVC\BIN\NIP.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\NORMAN\NVC\BIN\ZLH.EXE
C:\PROGRAM FILES\SITECOM\C2SLOAD.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\NORMAN\NVC\BIN\NYMSE.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\PROGRAM FILES\SITECOM\IFR_SHARE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\Twunk_16.exe
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.hetnet.nl:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
O4 - HKLM\..\Run: [Norman ZANDA] C:\PROGRAM FILES\NORMAN\NVC\BIN\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [Click2Share] C:\Program Files\Sitecom\C2SLoad.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Taakcontrole] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Norman ZANDA] C:\PROGRAM FILES\NORMAN\NVC\BIN\ZANDA.EXE /LOAD
O4 - HKLM\..\RunServices: [AVSynMgr] C:\Program Files\McAfee\VirusScan TC\AVSYNMGR.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Office Opstarten.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Office Snelzoeken.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O12 - Plugin for .bat: C:\PROGRA~1\Intern~1\PLUGINS\npqtplugin2.dll
O12 - Plugin for .pif: C:\PROGRA~1\Intern~1\PLUGINS\npqtplugin2.dll
O12 - Plugin for .exe: C:\PROGRA~1\Intern~1\PLUGINS\npqtplugin.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {1A4DA620-6217-11CF-BE62-0080C72EDD2D} (MarqueeCtl Object) - file://D:\scripts\vbscript\marquee.ocx
O16 - DPF: {59CCB4A0-727D-11CF-AC36-00AA00A47DD2} (Timer Object) - file://D:\scripts\vbscript\ietimer.ocx
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = Leidenuniv.nl
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 132.229.8.6,132.229.22.2

#8 Metallica


Posted 30 June 2004 - 04:25 AM

Hi Patrick,

Looks like you have it under control now.

To speed things up a bit Fix or uncheck in msconfig:
O4 - Startup: Office Opstarten.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Office Snelzoeken.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

For a Dutch version of my spywaresite: http://home.planet.n...wareinfonl.html

Regards,

Pieter



#9 patrickdz


Posted 30 June 2004 - 11:12 AM

Hi Pieter,

WOW, that sounds great!

Everything seems to be working ok now... phew, I thought that I'd have to sweep the entire system...

Thanks a million for helping me out!!!!!

I will certainly have a look at your anti spyware page to prevent another infection of course!

Again, thanks a lot!

Greetings!
Patrick
