Jump to content


Photo

A hostile takeover.


  • Please log in to reply
5 replies to this topic

#1 StriderRyan

StriderRyan

    Member

  • New Member
  • Pip
  • 4 posts

Posted 28 June 2004 - 03:59 PM

I seem to be under hostile takeover! Here's what seems to be happening:

When I try to open internet explorer I sometimes get redirected to the msn page, of all things, when previously I've set my start page as blank. If I run spybot and adaware I notice that I've acquired various things that need removing.

A worse kicker is when I try to open up windows media player! Instead of opening at all, four things load up:

Power Scan
IST Bar
Slotchbar
180search Assistant

Media player refuses to open because of it all.
All this started happening after a brief look for bit torrent sites.

I've gone through this website's STEP 2 - Start Cleaning process.
Here's what I've done in attempt to correct it all:

* I've downloaded CWShredder (even tried it from different sources to see if my download was corrupted or something), and there seems to be a problem. It claims that CWS.Smartsearch.2 is interfering with it when I start it up, and it moves to circumvent it. It seemingly succeeds, but once it starts to go through its motions, it crashed halfway and says CWShredder has generated errors and will be closed by WIndows. An error log has been created, it says, but I can't say I know where this log is! The basic 'scan only' function works, and doesn't find anything.

* I ran TrendMicro and found a trojan called Alchem and got rid of that.

* I ran Norton Antivirus and found nothing.

* I ran Spyware and Adaware, and cleared what I could, though things seem to keep coming back once I start up explorer or media player.

* I've installed and updated trojan hunter and removed what I could there.

* I've used hijackthis and regcleaner to get a list of stuff. Here's what hijackthis is telling me, after I've done all of the above:

Logfile of HijackThis v1.97.7
Scan saved at 4:59:14 PM, on 28/06/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\DRIVERS\dcfssvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Labtec\Labtec Mouse Software\2.0\mouse32a.exe
C:\WINNT\system32\ojuwdj.exe
C:\Program Files\ICQ\Icq.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\mozilla.org\Mozilla\mozilla.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINNT\System32\svchost.exe
C:\Documents and Settings\Administrator\Desktop\Spyware Stuff\HijackThis.exe

R3 - URLSearchHook: (no name) - 3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINNT\nem219.dll (file missing)
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [FLMLABTECMOUSE] C:\Program Files\Labtec\Labtec Mouse Software\2.0\mouse32a.exe
O4 - HKLM\..\Run: [acrbxrpscbmi] C:\WINNT\system32\ojuwdj.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKCU\..\RunOnce: [ICQ] C:\Program Files\ICQ\Icq.exe -trayboot
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab28578.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28578.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

Any help would be very much appreciated! Thanks in advance for reading this.

#2 StriderRyan

StriderRyan

    Member

  • New Member
  • Pip
  • 4 posts

Posted 01 July 2004 - 02:39 PM

The searchhook R3 file returns immediately after I fix it with hijackthis.

Logfile of HijackThis v1.97.7
Scan saved at 3:41:20 PM, on 01/07/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\DRIVERS\dcfssvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Labtec\Labtec Mouse Software\2.0\mouse32a.exe
C:\Program Files\ICQ\Icq.exe
C:\Program Files\mozilla.org\Mozilla\mozilla.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINNT\System32\svchost.exe
C:\Documents and Settings\Administrator\Desktop\Spyware Stuff\HijackThis.exe

R3 - URLSearchHook: (no name) - 3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [FLMLABTECMOUSE] C:\Program Files\Labtec\Labtec Mouse Software\2.0\mouse32a.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\RunOnce: [ICQ] C:\Program Files\ICQ\Icq.exe -trayboot
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab28578.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28578.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#3 StriderRyan

StriderRyan

    Member

  • New Member
  • Pip
  • 4 posts

Posted 08 July 2004 - 02:14 AM

BUMP

#4 WinHelp2002

WinHelp2002

    Taking back the Internet

  • Global Moderator
  • PipPipPipPipPip
  • 5,365 posts

Posted 08 July 2004 - 05:58 AM

Hi,
Your log looks clean right now ...

I sometimes get redirected to the msn page, of all things, when previously I've set my start page as blank.

Ad-Aware will do that when it (falsely) detects "About:Blank" as a hijack attempt, it then resets About:Blank to "MSN". See Posted Image here

A worse kicker is when I try to open up windows media player!

Is this still happening?
Posted Image Start > Search (enter) wmplayer.exe
(default location) C:\Program Files\Windows Media Player
Right-click and select: Properties (is it a MS file?)
If not delete it, then reinstall via Posted Image here

The searchhook R3 file returns immediately after I fix it with hijackthis.

Start | Run (type) regedit
Nevigate to the following location:

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

In the right pane highlight the following:

_{CFBFAE00-17A6-11D0-99CB-00C04FD64497}

Right-click and select: Delete, Ok the prompt. Leave Regedit open

(With all browsers closed)
Control Panel | Internet Options | Programs
Click: "Reset web settings" button, click Apply\Ok

Go back to Regedit, click View > Refresh, that entry should now be reset to:

{CFBFAE00-17A6-11D0-99CB-00C04FD64497} | REG_SZ

Edited by WinHelp2002, 08 July 2004 - 06:17 AM.

Mike
Former Microsoft MVP Posted Image 1999-2012
"There's no place like 127.0.0.1"
Posted Image
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file

#5 StriderRyan

StriderRyan

    Member

  • New Member
  • Pip
  • 4 posts

Posted 08 July 2004 - 04:40 PM

It looks like everything's back to normal now! Thanks very very much!
You're my new hero. :)

#6 WinHelp2002

WinHelp2002

    Taking back the Internet

  • Global Moderator
  • PipPipPipPipPip
  • 5,365 posts

Posted 08 July 2004 - 06:54 PM

Hi,
You're welcome ... glad to see you were able to resolve your problem. :wave:
Mike
Former Microsoft MVP Posted Image 1999-2012
"There's no place like 127.0.0.1"
Posted Image
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button