heartston

Blocked CoolWebSearch Smart Killer

2 posts in this topic

Hi!! I have been hacked, hijacked, and have multiple viruses and trojans, and someone is monitoring my computer since June 27th. I think someone has dropped a packet of a nasty cocktail of stuff. Today I think I lost Outlook Express, my only email that was still working.

 

I have a book on watercoloring, which I do have a hard copy of, and my family's only genealogy of over 3000 people...neither are backed up, this computer came with no floppy nor CDwriter. And they are too big to just put on a floppy. I am desperate....

 

I have found, and I think, eliminated Mimail, NewLove, Keylogger, and DSSAGENT, but it is hiding things so I cannot be sure. The BACK DOOR was labeled LoadPowerProfile.

 

It is now blocking any web sites that can help me. It is now also adding letters and things to the end of some of these programs. I have run Spybot S&D, Adaware, SpySweeper, AluriaSpyware Eliminator as asked.

Along with Spy Nuker, which had a keylogger trojan, Registry Mechanic, NoAdware, Spyhunter, FireLite, Spyware Doctor, System Mechanic is now corrupted, About Buster, The Cleaner, fixsasser but it would not work, Panda Active Scan, Panda Active Scanner said nothing BUT is now blocked, regclean, SpywareBlaster...I have made the corrections with system restore on, THEN redid them with it off.

 

 

All the big scanners, McAfee, Norton, Panda, find nothing. AntiVir Personal Edition 6 is finding things, and I believe eliminating, maybe.

 

 

All scanners work, but only some of the removals work. CWShredder says I have CWS.Smartsearch.2. These are the ones that keep coming back in CWShredder:

 

No Host

C:\WINDOWS\win.in 664 bytes

C:\WINDOWS\system.ini 2181bytes

System.ini Shell=Explorer.exe

 

I have fixed them and they return, I have manually deleted them and they return.

I have removed the Heuristic Trojan Download by a flux, but all the Archive and Archive Temp are gone or hidden now. I have found 3 Heuristic Trojan Downloaders now. And something IS reloading them...

 

It began with a Help/Support, Control Panel and System Restore going all white.

And it disabled the buttons on the Yahoo Mail, Hotmail will not open at all.

It is automatically updating, corrupting my Search and Find, browser now brings up only white screens or nothing, printer is off line, Favorites are blocked. I have deleted all Yahoo, and any other non-necessary program. Some will not delete.

 

In the Registry I now have a ton of white icons with blue letters reading OH NO...and many have obvious instructions for doing things not nice.

 

Hidden Microsoft Program which I can see has vbs files when it is scanned, Application File is hidden and there is an application -AUMagic which keeps trying to send stuff out onto the internet.

 

I was, I think, still able to get into MyComputer thru a toolbar icon, and the other unhidden things thru browsers in search and run.

 

I am accessing the internet today thru my History. When I do get into a blocked web site it is thru another website sometimes. But all AntiVirus sites are blocked.

 

Here is my HijackThis from this morning.....

 

Logfile of HijackThis v1.97.7

Scan saved at 12:07:53 PM, on 7/26/2004

Platform: Windows ME (Win9x 4.90.3000)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\SSDPSRV.EXE

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\LTSMMSG.EXE

C:\WINDOWS\LOADQM.EXE

C:\SCANJET\PRECISIONSCANLT\HPPWRSAV.EXE

C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE

C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE

C:\PROGRAM FILES\THE CLEANER\TCA.EXE

C:\PROGRAM FILES\THE CLEANER\TCM.EXE

C:\PROGRAM FILES\REGISTRY MECHANIC\REGMECH.EXE

C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE

C:\WINDOWS\SYSTEM\HIDSERV.EXE

C:\PROGRAM FILES\SPYWARE DOCTOR\SPYDOCTOR.EXE

C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\PROGRAM FILES\ALURIA SOFTWARE\ASE\ASE SCHEDULER.EXE

C:\PROGRAM FILES\BHODEMON 2\BHODEMON.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\WINDOWS\EXPLORER.EXE

C:\PROGRAM FILES\HIJACK THIS\HIJACKTHIS.EXE

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/ext/gw/home.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.IowaTelecom.net

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: (no name) - {00000000-0007-5041-4354-0020e48020af} - C:\Program Files\12Ghosts\12popup.dll

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [OEMRUNONCE] c:\windows\options\cabs\oemrun.exe

O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKLM\..\Run: [hppwrsav] C:\SCANJET\PrecisionScanLT\hppwrsav.exe

O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s

O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE /min

O4 - HKLM\..\Run: [scanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe

O4 - HKLM\..\Run: [tcactive] C:\PROGRAM FILES\THE CLEANER\tca.exe

O4 - HKLM\..\Run: [tcmonitor] C:\PROGRAM FILES\THE CLEANER\tcm.exe

O4 - HKLM\..\Run: [RegistryMechanic] C:\PROGRAM FILES\REGISTRY MECHANIC\REGMECH.exe /S

O4 - HKLM\..\RunServices: [sSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe

O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [scriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg

O4 - HKCU\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0

O4 - HKCU\..\Run: [spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SPYDOCTOR.EXE" /Q

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [NoAdware] "C:\PROGRAM FILES\NOADWARE\NOADWARE.EXE" /s

O4 - Startup: ASE Scheduler.lnk = C:\Program Files\Aluria Software\ASE\ASE Scheduler.exe

O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe

O8 - Extra context menu item: &NeoTrace It! - C:\Program Files\NeoTracePro\NTXcontext.htm

O12 - Plugin for .hpb: C:\PROGRA~1\INTERN~1\PLUGINS\nphpipb.dll

O14 - IERESET.INF: START_PAGE_URL=http://gateway.yahoo.com

O16 - DPF: Dialpad US Java Applet - http://dialpad.com/applet/src/vscp.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...37925.673287037

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.rav.ro/scan/ravonline.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} -

O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = iowatelecom.net

O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = iowatelecom.net

O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 216.248.64.20,216.248.64.21

 

I had a 21, with a AUHook on the last one and it is not here now...

 

Thank you so much, I am sorry I am so inexperienced in all this, but I am willing to follow instructions to do things. Thanks again.

Heartston


Do everything in safe mode if possible. I find bitdefender.com is good for FINDING viruses, it just doesn't remove them very well, but you can manually go hunt 'em down and destroy them; antivirus.com seems to be good at removing things.

 

Might want to try installing AVG if your current antivirus has been corrupted. Install it in safe mode; it won't work properly, but after rebooting and then going back into safe mode it should work.

 

Noticed you have WINME, not sure if that has safe mode w/ networking. Still shouldn't pose a problem, just do online virus scans in normal bootup.
