Hijacked (duh) Help me please


5 replies to this topic

#1 turrin

Member (New Member, 3 posts)

Posted 04 June 2004 - 10:25 AM

I've been infected by Coolwebsearch. Spybot doesn't take care of it, so I downloaded CWShredder - that didn't do it either. Yesterday I worked up the balls to go into the registry and delete the changes that Spybot said had been made, as well as running Norton 2004 and having it delete any files it said were at risk. That worked until today... it's back.

The startup page is changed to solongas.com/hp.htm?id=9

Preemptive thanks to anyone who can help me,



PS - yes I've read the FAQ

Edited by turrin, 04 June 2004 - 10:33 AM.


#2 Wiskonst

Advanced Member (Helper, 152 posts)

Posted 05 June 2004 - 07:04 AM

Turrin

Did you click the Fix-button in CWShredder?

Please post a Hijack This log here.

Also download Find All and unzip it to a permanent folder. Run Find_All.cmd by double-clicking on it. It will output a text file. Post that here.
_______
Wiskonst

#3 turrin

Member (New Member, 3 posts)

Posted 05 June 2004 - 03:02 PM

I did try the fix feature on Spybot.

I am listing my HijackThis in this post and placing Find All in the next to make it easier to read.

Logfile of HijackThis v1.97.7
Scan saved at 3:02:05 PM, on 6/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Documents and Settings\Owner\Desktop\Tom\Anti-spyware\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://solongas.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://solongas.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://solongas.com/sp.htm?id=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://solongas.com/hp.htm?id=9
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://my.yahoo.com"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\jgn3vi23.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\jgn3vi23.slt\prefs.js)
O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - C:\WINDOWS\System32\wrk9seulw1xxnp.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPGamesActiveMenu] C:\Program Files\WildTangent\ActiveMenu\HP\Games\ActiveMenu.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [jopa] C:\WINDOWS\System32\sysstartup.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [jopa] C:\WINDOWS\System32\sysstartup.exe
O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: winlogin.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

#4 Wiskonst

Advanced Member (Helper, 152 posts)

Posted 05 June 2004 - 04:02 PM

Turrin

Could you please redownload CWShredder and unzip it to a permanent folder.
Run it in Windows Safe Mode (reboot, at the beginning of Windows startup hit F8 and choose 'Start in Safe Mode'). Have no other programs running; in CWShredder click the Fix-button and let it finish.

CWShredder was updated especially for the variant of Coolwebsearch you have.

Back in normal mode run Hijack This and fix the following lines if they are still there:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://solongas.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://solongas.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://solongas.com/sp.htm?id=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://solongas.com/hp.htm?id=9
O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - C:\WINDOWS\System32\wrk9seulw1xxnp.dll
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [jopa] C:\WINDOWS\System32\sysstartup.exe <-- 2x

Do this by closing all browser windows, placing a checkmark in front of the above items and clicking the Fix-button. Reboot and post a fresh log here again (same topic).

Delete the following file if you find it:
C:\WINDOWS\System32\wrk9seulw1xxnp.dll

You may still post the result of Find_All.cmd; be careful to copy and paste the full text (your HJT log was possibly not complete, so select all of the text with Ctrl-A).
_______
Wiskonst
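As an added example (not from this thread, HijackThis or CWShredder), a small Python triage of the HJT log format posted above, applying the same checks Wiskonst did by hand: IE start/search URLs on a known hijack host, an unnamed BHO, and a Run value registered under both HKLM and HKCU (his "2x"). The hijack-host list and the duplicate-Run-value rule are assumptions drawn from the entries flagged in this thread; the sample log is a constructed subset of the posted one.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a subset of the HijackThis log lines posted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://solongas.com/sp.htm?id=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://solongas.com/hp.htm?id=9
O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - C:\WINDOWS\System32\wrk9seulw1xxnp.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [jopa] C:\WINDOWS\System32\sysstartup.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [jopa] C:\WINDOWS\System32\sysstartup.exe
"""

# HJT entry lines look like "R1 - ...", "O4 - ..."; header and process list have no such prefix.
ENTRY_RE = re.compile(r"^(?P<sec>[RNFO]\d+) - (?P<body>.+)$")
# O4 body: "HKLM\..\Run: [valuename] command"
RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] ")

def parse_hjt(text):
    """Return (section, body) pairs for the numbered HJT entries in a log."""
    return [(m.group("sec"), m.group("body"))
            for m in map(ENTRY_RE.match, (l.strip() for l in text.splitlines())) if m]

def triage(entries, hijack_hosts):
    """Flag entries for HJT's Fix button with a reason, mirroring the helper's manual review.
    hijack_hosts: lowercase hostnames known to belong to the hijacker (assumed input)."""
    findings, run_values = [], {}
    for sec, body in entries:
        if sec in ("R0", "R1"):
            host = urlparse(body.split(" = ", 1)[-1]).hostname or ""
            if host.lower() in hijack_hosts:
                findings.append((sec, body, f"IE setting points at hijack host {host}"))
        elif sec == "O2" and body.startswith("BHO: (no name)"):
            findings.append((sec, body, "unnamed BHO, review the DLL it loads"))
        elif sec == "O4" and (m := RUN_RE.match(body)):
            run_values.setdefault(m.group(2), []).append((m.group(1), body))
    for name, hits in run_values.items():
        if len({hive for hive, _ in hits}) > 1:  # same value name in both hives
            findings += [("O4", body, f"Run value [{name}] present in both HKLM and HKCU")
                         for _, body in hits]
    return findings

if __name__ == "__main__":
    for sec, body, why in triage(parse_hjt(SAMPLE_LOG), {"solongas.com"}):
        print(f"{sec}: {why}\n    {body}")
```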

#5 turrin

Member (New Member, 3 posts)

Posted 05 June 2004 - 04:27 PM

That seems to have done it.... I guess all I had to do (essentially) was wait a couple of days for the new CWShredder to come out. (haha) Thank you very much for your help. I am changing my homepage on IE and am going to open it a few times to make sure.

Once again, thank you

#6 Wiskonst

Advanced Member (Helper, 152 posts)

Posted 05 June 2004 - 05:18 PM

Turrin

OK, glad we could help.

Also delete the file C:\WINDOWS\System32\sysstartup.exe if you find it.

Clean out the temporary folders:
- C:\Windows\Temp
- C:\Windows\Downloaded Program Files
- C:\Documents and Settings\<name>\Local Settings\Temp

As a general prevention measure we recommend SpywareGuard and SpywareBlaster (both free), and a good firewall (Kerio Personal Firewall is free).
_______
Wiskonst

Donate to Merijn Org (Merijn is the writer of Hijack This and CWShredder)
