infected by spyware..search 180

#1 prydie

Posted 07 July 2004 - 01:31 PM

Hi, I think I've been infected by Search 180; after running Spybot it still seems to be there...

I've posted my HijackThis log.

Thanks for any help.
Logfile of HijackThis v1.97.7
Scan saved at 19:24:37, on 07/07/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\WindUpdates\WinUpdt.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\WindUpdates\WinKA.exe
C:\Program Files\WindowsSA\omniscient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\scott pryde\My Documents\downloaded applications\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.sma...earch/?new-hkcu
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blazefind.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homep...rt.cgi?new-hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.sma...earch/?new-hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.blazefind...account_id=3004
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R3 - URLSearchHook: AutoSearch Class - {1E432263-6841-4653-8F02-366A2F77E339} - C:\PROGRA~1\WIACA5~1\WinSB1.DLL
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000221} - C:\Program Files\ClearSearch\CSIE.DLL
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
O2 - BHO: (no name) - {9FB534E3-67CB-4307-AE0A-9E8B5581BE2C} - C:\PROGRA~1\WIACA5~1\WinSB1.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: Zero Popup - {EB23F789-F17F-4bcc-988B-6B70A3A67E9C} - (no file)
O3 - Toolbar: Windows Search Bar - {A1DD937D-71E1-4BB5-BD5D-1B01B9CB1C2F} - C:\PROGRA~1\WIACA5~1\WinSB1.DLL
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WindUpdates] C:\Program Files\WindUpdates\WinUpdt.exe
O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Freeserve - res://C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll/VSearch.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windup...417002f5b97a1db
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0309.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...ol_v1-0-3-9.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...B?38008.3734375
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{566D61DF-2AF0-450A-8FD8-4CFD8E3415DF}: NameServer = 195.92.195.94 195.92.195.95
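As an added example (not from any poster in this thread), a small Python parser that reads HijackThis entries like the log above and flags the ones this thread singles out: anything under the WindUpdates, WindowsSA or ClearSearch folders, and a UserInit value that no longer points at userinit.exe. The sample log lines and the folder list are constructed from this thread.

```python
import re

# Constructed sample: a few lines copied from the HijackThis log posted above.
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.blazefind.com
F2 - REG:system.ini: UserInit=C:\\Windows\\System32\\wsaupdater.exe,
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000221} - C:\\Program Files\\ClearSearch\\CSIE.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\\Program Files\\Norton SystemWorks\\Norton AntiVirus\\NavShExt.dll
O4 - HKLM\\..\\Run: [WindUpdates] C:\\Program Files\\WindUpdates\\WinUpdt.exe
O4 - HKLM\\..\\Run: [Windows SA] C:\\Program Files\\WindowsSA\\omniscient.exe
O4 - HKCU\\..\\Run: [CTFMON.EXE] C:\\WINDOWS\\System32\\ctfmon.exe
"""

# Folder names the thread identifies as the unwanted software (assumed list, not exhaustive).
SUSPECT_FOLDERS = ("windupdates", "windowssa", "clearsearch")

ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")
# First Windows file path in an entry, read up to its .exe/.dll extension (spaces allowed).
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll)", re.IGNORECASE)

def parse_hjt(text):
    """Turn the 'Rx/Fx/Ox - ...' lines of a HijackThis log into records; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header, 'Running processes' list or blank line
        p = PATH_RE.search(m.group("body"))
        entries.append({"kind": m.group("kind"), "body": m.group("body"),
                        "path": p.group(0) if p else None})
    return entries

def reason_to_flag(entry):
    """Return why an entry deserves attention, or None if nothing in the thread points at it."""
    path = (entry["path"] or "").lower()
    folder = next((f for f in SUSPECT_FOLDERS if f in path), None)
    if folder:
        return "path is under the '%s' folder named in the thread" % folder
    # UserInit normally names userinit.exe; anything else is run at every logon.
    if entry["kind"] == "F2" and "userinit=" in entry["body"].lower() \
            and not path.endswith("\\userinit.exe"):
        return "UserInit replaced by a non-standard executable"
    return None

def flag_entries(text):
    """Parse a log and keep only the entries with a reason, attaching that reason."""
    return [{"kind": e["kind"], "path": e["path"] or "", "why": why}
            for e in parse_hjt(text) if (why := reason_to_flag(e))]
```

Running `flag_entries(SAMPLE_LOG)` returns the F2 UserInit line and the three ClearSearch/WindUpdates/WindowsSA entries, and leaves the Norton and ctfmon lines alone.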

#2 jeffgson

Posted 19 July 2004 - 07:35 AM

You are infected. Winupdt.exe is malware. Some other people have reported the problem, and it is resistant to destruction, even in safe mode.

To destroy WindUpdate:

I got the infection, and found a way to get rid of it. Thanks to your info, I didn't have to run through all the steps you did for nothing.

Follow these steps:

1) Call up your task manager and identify the WinKA.exe and WinUpdt.exe processes. Be prepared to terminate them, but don't bother to do it yet.

2) Open the folder WindUpdate containing the three files, WinKA.exe, WinUpdt.exe, and Comm.dll.

3) Rename WinKA.exe and WinUpdt.exe to WinKA.txt and WinUpdt.txt.

4) Using a text editor such as Notepad, open WinKA.exe. Totally corrupt the file by typing random characters throughout it. Just have fun with your keyboard. You can't save the file yet, though, because it's running.

5) Now you can terminate WinKA.exe in the Task Manager. Then click on the Save button in Notepad so that WinKA.txt is corrupted.

6) And now you can delete or erase the file. Follow the same steps to rid yourself of WinUpdt.exe. Then Comm.dll can be erased without any trouble, as can the folder WindUpdate.

Glad to help.

#3 Moon18

Posted 22 July 2004 - 05:48 PM

Hey JeffG. I went into the folder where those 2 programs were, right-clicked on them, hit Rename and typed in WinKA.txt. I then opened it in TextPad and tried to type all throughout it, but it said it was Read Only and wouldn't let me type. Any suggestions on how to get around the Read Only?
Thanks
Moon18

#4 Moon18

Posted 22 July 2004 - 05:59 PM

I think it might have been TextPad. I opened it with Word and am able to type stuff in it.
Moon18

#5 mythreebs

Posted 23 July 2004 - 07:14 PM

My friend had the same malware.

To remove it, go to the folder C:\Program Files\WindUpdates. There's a text file with instructions on how to remove it.

Basically, you use the Add/Remove Software to remove it.

#6 krisinluck

Posted 23 July 2004 - 11:23 PM

Not on my system there isn't! Argh!

#7 yumin

Posted 27 July 2004 - 09:36 AM

Thank you, jeffgson.
I have deleted them. ^^

#8 bharath75

Posted 31 July 2004 - 03:11 AM

Thanks, friends, for the info.

Bharath.

#10 kdot1st

Posted 31 July 2004 - 07:14 PM

Hello,
I have had the same problem with WinKA and WinUpdate, so I thought I would try this solution.
1st, under C:\Program Files\WindUpdates the only thing in that file is the comm.dll.
2nd, I did find WinKA and WinUpdates in my Documents and Settings folder under my user name. Is it OK to rename them from there, or should I try moving them?
3rd, I tried looking for this in my Add/Remove Programs. As I was scrolling down, I found something that I didn't remember adding, Instant Access. I decided to remove that while I was there. I clicked and it opened a browser and DAP and told me to download some cleaner. I did, and it said successfully uninstalled. Now I can't get Add/Remove to scroll down any farther than that Instant Access. Geeeeeeezz, what did I do?
Anyway, if I can remove the WinKA by renaming and corrupting, I will go ahead and do that. Then I may have to reboot.
Thanks in advance.

kdot1st

#11 Bugbatter

Posted 13 August 2004 - 02:37 PM

If you still need help, please start your own thread in the Malware Removal forum and include an updated HijackThis log.

Edited by Bugbatter, 13 August 2004 - 02:38 PM.

Microsoft MVP - Consumer Security

#12 neospec

Posted 13 August 2004 - 02:47 PM

1) Call up your task manager and identify the WinKA.exe and WinUpdt.exe processes. Be prepared to terminate them, but don't bother to do it yet.

2) Open the folder WindUpdate containing the three files, WinKA.exe, WinUpdt.exe, and Comm.dll.

3) Rename WinKA.exe and WinUpdt.exe to WinKA.txt and WinUpdt.txt.

4) Using a text editor such as Notepad, open WinKA.exe. Totally corrupt the file by typing random characters throughout it. Just have fun with your keyboard. You can't save the file yet, though, because it's running.

5) Now you can terminate WinKA.exe in the Task Manager. Then click on the Save button in Notepad so that WinKA.txt is corrupted.

6) And now you can delete or erase the file. Follow the same steps to rid yourself of WinUpdt.exe. Then Comm.dll can be erased without any trouble, as can the folder WindUpdate.

Surely step 3) or 4) is not needed. As soon as the file is terminated, hit the Delete key on the said file.

#13 Bugbatter

Posted 14 August 2004 - 09:34 AM

neospec,
If you are not a staff member here, please do not offer advice.
If you feel that you have enough knowledge to be able to effectively solve problems without causing any damage, or if you would like to have some training and volunteer your time as a staff member, then please register for the Bootcamp on this site.
Microsoft MVP - Consumer Security
