Jump to content


PLEASE HELP! Trojan Hijacked Computer ($15 REWARD)

  • Please log in to reply
1 reply to this topic

#1 rickslate



  • New Member
  • Pip
  • 4 posts

Posted 27 June 2004 - 08:30 AM

$15.00 (through Amazon or PayPal) to the first person who offers a solution that works. I really need my computer to work this week.


I have a trojan on my system that I can't remove (I think it's cws.smartsearch.2)…

Here's as much as I can offer on what's happening: It automatically closes CWShredder. I can't even open Norton. It shuts down the Spybot installation process. It has been changing the IE6 home page to random sites. A number of sites now just display "Free Search Online" (http://hhrkss.outhost.info/) - the URL is hidden. And Internet Explorer automatically shuts down when I go to sites that offer downloads of spyware removal programs and online help forums. When I actually get off a download of these programs, it will fail at 99% with the error: "Cannot read from source file or disk."

I successfully got a few programs by emailing them to myself from another computer and then running them through "Run…" in the Start menu because the trojan makes these programs invisible through Windows. I successfully ran Ad-Aware 6, Spy Sweeper, and CoolWWWSearch.SmartKiller. None of the programs removed the trojan so I still can't open CWShredder or Norton and it's still playing tricks with IE6.

SmartKiller gave me this message: "CoolWWWSearch.SmartKiller (v1/v2) has not been found on your system." CWShredder offers the message: "You have a varient of Coolwebsearch trojan (CWS.Smartsearch.2) that has attempted to close CWShredder… CWShredder is still functioning fine…" It successfully changed the program title but it keeps shutting down. To keep the program open, I have to keep clicking through the OK boxes as fast as I can (otherwise it closes) but when the program gets to its multi-stage scan, it shuts down.

If this helps at all, here's my startup log...

StartupList report, 06/26/2004, 1:08:46 PM
StartupList version: 1.52
Started from : C:\Documents and Settings\gottli1_rick\Desktop\StartupList.EXE
Detected: Windows 2000 SP3 (WinNT 5.00.2195)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options

Running processes:

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\Microsoft Office\OFFICE11\ONENOTE.EXE
C:\Program Files\Google\ggviewer67-23.exe
C:\Documents and Settings\gottli1_rick\Desktop\StartupList.exe


Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\gottli1_rick\Start Menu\Programs\Startup]
PowerReg Scheduler V3.exe

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE


Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,


Autorun entries from Registry:

TrackPointSrv = tp4serv.exe
ATIModeChange = Ati2mdxx.exe
AtiPTA = atiptaxx.exe
Synchronization Manager = mobsync.exe /logon
PRPCMonitor = PRPCUI.exe
TP4EX = tp4ex.exe
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ccRegVfy = "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
SymTray - Norton SystemWorks = C:\Program Files\Common Files\Symantec Shared\SymTray.exe SetReg
POINTER = C:\Program Files\Microsoft Hardware\Mouse\point32.exe
HPDJ Taskbar Utility = C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
QD FastAndSafe =
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
Network Service = C:\WINNT\svhost.exe -sr -0


Autorun entries from Registry:

SymTray - Norton SystemWorks = C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe


Autorun entries from Registry:

ctfmon.exe = ctfmon.exe
SightSpeed = "C:\Program Files\SightSpeed\SightSpeed.exe -minimized"
SpySweeper = C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0


Shell & screensaver key from C:\WINNT\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*


Enumerating Browser Helper Objects:

NAV Helper - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll - {rickslate: EDITED OUT FOR SECURITY}


Enumerating Task Scheduler jobs:

Norton AntiVirus - Scan my computer.job
Norton SystemWorks One Button Checkup.job
Symantec NetDetect.job


Enumerating Download Program Files:

[QuickTime Object]
InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com...ex/qtplugin.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINNT\system32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macr...director/sw.cab

CODEBASE = http://download.ebay.../US/install.cab

CODEBASE = http://a1540.g.akama...meInstaller.exe

[MSN Money Charting]
InProcServer32 = C:\WINNT\Downloaded Program Files\inv13.ocx
CODEBASE = http://fdl.msn.com/p...13/invinstl.exe


CODEBASE = http://toolbar.googl...g/GoogleNav.cab

CODEBASE = http://toolbar.googl...gleActivate.cab

[Update Class]
InProcServer32 = C:\WINNT\System32\iuctl.dll
CODEBASE = http://v4.windowsupd...7752.8500694444

CODEBASE = http://windowsupdate...en/actsetup.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINNT\system32\macromed\flash\Flash.ocx
CODEBASE = http://fpdownload.ma...ash/swflash.cab


Enumerating ShellServiceObjectDelayLoad items:

Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
WebCheck: C:\WINNT\System32\webcheck.dll
SysTray: stobject.dll

End of report, 7,779 bytes
Report generated in 4.637 seconds

Command line options:
  /verbose  - to add additional info on each section
  /complete - to include empty sections and unsuspicious data
  /full    - to include several rarely-important sections
  /force9x  - to include Win9x-only startups even if running on WinNT
  /forcent  - to include WinNT-only startups even if running on Win9x
  /forceall - to include all Win9x and WinNT startups, regardless of platform
  /history  - to list version history only

Any suggestions? Please help me.


#2 cnm


    Mother Lion of SWI

  • Administrators
  • PipPipPipPipPip
  • 25,317 posts

Posted 27 June 2004 - 09:59 AM

Please post a HijackThis log (that's a StartupList).

Download 'Hijack This!'. http://www.spywarein.../HijackThis.exe
Save it in a convenient permanent folder such as C:\HJT\, double click HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log, Ctrl-A to Select All, and copy its contents here. Most of what it lists will be harmless or even essential, don't fix anything yet.

We do not work for or accept money for our help, but a donation to the forum is very welcome.
Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of

Support SpywareInfo Forum - click the button
PayPal - The safer, easier way to pay online!