Blocked CoolWebSearch Smart Killer



#1 heartston


Posted 26 July 2004 - 01:14 PM

Hi!! I have been hacked and hijacked, have multiple viruses and trojans, and someone has been monitoring my computer since June 27th. I think someone has dropped a packet of a nasty cocktail of stuff. Today I think I lost Outlook Express, my only email that was still working.

I have a book on watercoloring, which I do have a hard copy of, and my family's only genealogy of over 3000 people... neither is backed up; this computer came with no floppy nor CD writer, and they are too big to just put on a floppy. I am desperate....

I have found, and I think eliminated, Mimail, NewLove, Keylogger, and DSSAGENT, but it is hiding things so I cannot be sure. The BACK DOOR was labeled LoadPowerProfile.

It is now blocking any web sites that can help me. It is now also adding letters and things to the end of some of these programs. I have run Spybot S&D, Ad-Aware, SpySweeper and Aluria Spyware Eliminator as asked, along with Spy Nuker (which had a keylogger trojan), Registry Mechanic, NoAdware, SpyHunter, FireLite, Spyware Doctor, System Mechanic (now corrupted), About:Buster, The Cleaner, fixsasser (but it would not work), Panda ActiveScan (said nothing BUT is now blocked), regclean, SpywareBlaster... I have made the corrections with System Restore on, THEN redid them with it off.

All the big scanners, McAfee, Norton, Panda, find nothing; AntiVir Personal Edition 6 is finding things, and I believe eliminating them, maybe.

All scanners work, but only some of the removals work. CWShredder says I have CWS.Smartsearch.2. These are the ones that keep coming back in CWShredder:

No Host
C:\WINDOWS\win.in 664 bytes
C:\WINDOWS\system.ini 2181bytes
System.ini Shell=Explorer.exe

I have fixed them and they return; I have manually deleted them and they return.
I have removed the Heuristic Trojan Downloader by a flux, but all the Archive and Archive Temp are gone or hidden now. I have found 3 Heuristic Trojan Downloaders now, and something is reloading them...

It began with Help/Support, Control Panel and System Restore going all white.
And it disabled the buttons on Yahoo Mail; Hotmail will not open at all.
It is automatically updating, corrupting my Search and Find; the browser now brings up only white screens or nothing, the printer is offline, Favorites are blocked. I have deleted all Yahoo and any other non-necessary programs. Some will not delete.

In the Registry I now have a ton of white icons with blue letters reading OH NO... and many have obvious instructions for doing things that are not nice.

There is a hidden Microsoft Program which I can see has vbs files when it is scanned; Application File is hidden, and there is an application, AUMagic, which keeps trying to send stuff out onto the internet.

I was, I think, still able to get into My Computer through a toolbar icon, and the other unhidden things through browsers in Search and Run.

I am accessing the internet today through my History. When I do get into a blocked web site, it is sometimes through another website. But all AntiVirus sites are blocked.

Here is my HijackThis log from this morning...

Logfile of HijackThis v1.97.7
Scan saved at 12:07:53 PM, on 7/26/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LTSMMSG.EXE
C:\WINDOWS\LOADQM.EXE
C:\SCANJET\PRECISIONSCANLT\HPPWRSAV.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE
C:\PROGRAM FILES\THE CLEANER\TCA.EXE
C:\PROGRAM FILES\THE CLEANER\TCM.EXE
C:\PROGRAM FILES\REGISTRY MECHANIC\REGMECH.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\PROGRAM FILES\SPYWARE DOCTOR\SPYDOCTOR.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ALURIA SOFTWARE\ASE\ASE SCHEDULER.EXE
C:\PROGRAM FILES\BHODEMON 2\BHODEMON.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\HIJACK THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/ext/gw/home.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.IowaTelecom.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {00000000-0007-5041-4354-0020e48020af} - C:\Program Files\12Ghosts\12popup.dll
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [OEMRUNONCE] c:\windows\options\cabs\oemrun.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [hppwrsav] C:\SCANJET\PrecisionScanLT\hppwrsav.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE /min
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
O4 - HKLM\..\Run: [tcactive] C:\PROGRAM FILES\THE CLEANER\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\PROGRAM FILES\THE CLEANER\tcm.exe
O4 - HKLM\..\Run: [RegistryMechanic] C:\PROGRAM FILES\REGISTRY MECHANIC\REGMECH.exe /S
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0
O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SPYDOCTOR.EXE" /Q
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [NoAdware] "C:\PROGRAM FILES\NOADWARE\NOADWARE.EXE" /s
O4 - Startup: ASE Scheduler.lnk = C:\Program Files\Aluria Software\ASE\ASE Scheduler.exe
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O8 - Extra context menu item: &NeoTrace It! - C:\Program Files\NeoTracePro\NTXcontext.htm
O12 - Plugin for .hpb: C:\PROGRA~1\INTERN~1\PLUGINS\nphpipb.dll
O14 - IERESET.INF: START_PAGE_URL=http://gateway.yahoo.com
O16 - DPF: Dialpad US Java Applet - http://dialpad.com/applet/src/vscp.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...37925.673287037
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.rav.ro/scan/ravonline.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} -
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = iowatelecom.net
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = iowatelecom.net
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 216.248.64.20,216.248.64.21

I had a 21, with an AUHook on the last one, and it is not here now...

Thank you so much. I am sorry I am so inexperienced in all this, but I am willing to follow instructions to do things. Thanks again,
Heartston
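A defender-side triage helper for logs in the HijackThis v1.97 format quoted above, added here as an example and not part of the post or of HijackThis itself. The sample log is a constructed excerpt modelled on the one above, and the stock Win9x/ME autostart baseline is an assumption a reviewer would replace with their own; entries whose URLs the forum software shortened with "..." are flagged as unverifiable rather than judged.

```python
import re
from collections import defaultdict

# Constructed excerpt in the HijackThis v1.97 log format quoted in the post.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [NoAdware] "C:\PROGRAM FILES\NOADWARE\NOADWARE.EXE" /s
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
"""

# Assumed baseline of stock Win9x/ME autostart names; anything else gets a human look.
BASELINE_O4 = {"TaskMonitor", "SystemTray", "ScanRegistry", "LoadPowerProfile",
               "SchedulingAgent", "SSDPSRV", "*StateMgr", "PCHealth", "Hidserv"}

LINE_RE = re.compile(r"^(R[0-3]|O\d{1,2}|F[0-3]) - (.*)$")
O4_RE = re.compile(r"^(.+?): \[([^\]]+)\] (.*)$")   # key: [name] command

def parse_hjt(text):
    """Group HijackThis entries by section code (R0, O4, O16, ...)."""
    sections = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            sections[m.group(1)].append(m.group(2))
    return sections

def triage(sections):
    """Return (code, reason, detail) tuples a reviewer should look at first."""
    findings = []
    for entry in sections.get("O4", []):
        m = O4_RE.match(entry)
        if m and m.group(2) not in BASELINE_O4:
            findings.append(("O4", "autostart not in baseline", m.group(2)))
    for entry in sections.get("O16", []):
        if not entry.rpartition(" -")[2].strip():   # ActiveX control, no origin recorded
            findings.append(("O16", "ActiveX control with no source URL", entry))
    for code, entries in sections.items():
        for entry in entries:
            if "..." in entry:   # forum software shortened the URL; ask for the full log
                findings.append((code, "URL truncated in log, cannot verify", entry))
    return findings

if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_LOG)):
        print(*f, sep=" | ")
```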

#2 Komodo


Posted 26 July 2004 - 01:22 PM

Do everything in safe mode if possible. I find bitdefender.com is good for FINDING viruses, it just doesn't remove them very well, but you can manually go hunt them down and destroy them; antivirus.com seems to be good at removing things.

Might want to try installing AVG if your current antivirus has been corrupted. Install it in safe mode; it won't work properly, but after rebooting and then going back into safe mode it should work.

Noticed you have WinME, not sure if that has safe mode w/ networking; still shouldn't pose a problem, just do online virus scans in normal bootup.