help me before I go nuts, please thank you:)

Discussion in 'adware, spyware & hijack cleaning' started by illes, Jan 12, 2004.

Thread Status:
Not open for further replies.
  1. illes

    illes Guest

    I've followed ur steps.
    os - win 2000

    ad-aware log.

    Lavasoft Ad-aware Personal Build 160
    Logfile created on :12. januar 2011 17:24:27
    Created with Ad-aware Personal, free for private use.
    ______________________________________________________

    Ad-aware Settings
    =========================
    Set : Activate in-depth scan (Recommended)
    Set : Safe mode (always request confirmation)
    Set : Scan active processes
    Set : Scan registry
    Set : Deep scan registry


    Listing running processes
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    #:1 [smss.exe]
    FilePath : \SystemRoot\System32\
    ThreadCreationTime : 12.01.2011 16:23:28
    BasePriority : Normal


    #:2 [winlogon.exe]
    FilePath : \??\C:\WINNT\system32\
    ThreadCreationTime : 12.01.2011 16:23:37
    BasePriority : High


    #:3 [services.exe]
    FilePath : C:\WINNT\system32\
    ThreadCreationTime : 12.01.2011 16:23:38
    BasePriority : Normal
    FileSize : 86 KB
    FileVersion : 5.00.2134.1
    ProductVersion : 5.00.2134.1
    Copyright : Copyright (C) Microsoft Corp. 1981-1999
    CompanyName : Microsoft Corporation
    FileDescription : Services and Controller app
    InternalName : services.exe
    OriginalFilename : services.exe
    ProductName : Microsoft(R) Windows (R) 2000 Operating System
    Created on : 07.12.1999 11:00:00
    Last accessed : 11.01.2011 23:00:00
    Last modified : 07.12.1999 11:00:00

    #:4 [lsass.exe]
    FilePath : C:\WINNT\system32\
    ThreadCreationTime : 12.01.2011 16:23:38
    BasePriority : Normal
    FileSize : 32 KB
    FileVersion : 5.00.2184.1
    ProductVersion : 5.00.2184.1
    Copyright : Copyright (C) Microsoft Corp. 1981-1999
    CompanyName : Microsoft Corporation
    FileDescription : LSA Executable and Server DLL (Export Version)
    InternalName : lsasrv.dll and lsass.exe
    OriginalFilename : lsasrv.dll and lsass.exe
    ProductName : Microsoft(R) Windows (R) 2000 Operating System
    Created on : 07.12.1999 11:00:00
    Last accessed : 11.01.2011 23:00:00
    Last modified : 07.12.1999 11:00:00

    #:5 [svchost.exe]
    FilePath : C:\WINNT\system32\
    ThreadCreationTime : 12.01.2011 16:23:40
    BasePriority : Normal
    FileSize : 7 KB
    FileVersion : 5.00.2134.1
    ProductVersion : 5.00.2134.1
    Copyright : Copyright (C) Microsoft Corp. 1981-1999
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    OriginalFilename : svchost.exe
    ProductName : Microsoft(R) Windows (R) 2000 Operating System
    Created on : 07.12.1999 11:00:00
    Last accessed : 11.01.2011 23:00:00
    Last modified : 07.12.1999 11:00:00

    #:6 [winmgmt.exe]
    FilePath : C:\WINNT\System32\WBEM\
    ThreadCreationTime : 12.01.2011 16:23:40
    BasePriority : Normal
    FileSize : 188 KB
    FileVersion : 1.50.1085.0001
    ProductVersion : 1.50.1085.0001
    Copyright : Copyright (C) Microsoft Corp. 1995-1999
    CompanyName : Microsoft Corporation
    FileDescription : Windows Management Instrumentation
    InternalName : WINMGMT
    ProductName : Windows Management Instrumentation
    Created on : 07.12.1999 11:00:00
    Last accessed : 11.01.2011 23:00:00
    Last modified : 07.12.1999 11:00:00

    #:7 [explorer.exe]
    FilePath : C:\WINNT\
    ThreadCreationTime : 12.01.2011 16:24:00
    BasePriority : Normal
    FileSize : 232 KB
    FileVersion : 5.00.2920.0000
    ProductVersion : 5.00.2920.0000
    Copyright : Copyright (C) Microsoft Corp. 1981-1999
    CompanyName : Microsoft Corporation
    FileDescription : Windows Explorer
    InternalName : explorer
    OriginalFilename : EXPLORER.EXE
    ProductName : Microsoft(R) Windows (R) 2000 Operating System
    Created on : 07.12.1999 11:00:00
    Last accessed : 11.01.2011 23:00:00
    Last modified : 07.12.1999 11:00:00

    #:8 [ad-aware.exe]
    FilePath : C:\Program Files\Lavasoft\Ad-aware 6\
    ThreadCreationTime : 12.01.2011 16:24:20
    BasePriority : Normal
    FileSize : 635 KB
    FileVersion : 6.0.1.161
    ProductVersion : 6.0.0.0
    Copyright : Copyright Lavasoft Sweden
    CompanyName : Lavasoft Sweden
    FileDescription : Ad-aware 6 core application
    InternalName : Ad-aware.exe
    OriginalFilename : Ad-aware.exe
    ProductName : Lavasoft Ad-aware Plus
    Created on : 11.01.2011 22:54:32
    Last accessed : 11.01.2011 23:00:00
    Last modified : 04.02.2003 21:36:12

    Memory scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 0


    Started registry scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    Alexa Object recognized!
    Type : RegKey
    Data :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}


    Registry scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 1
    Objects found so far: 1


    Started deep registry scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    Deep registry scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 1


    Deep scanning and examining files (C:)
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    Disk scan result for C:
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 1

    17:24:57 Scan complete

    Summary of this scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    Total scanning time :00:00:29:890
    Objects scanned :24938
    Objects identified :1
    Objects ignored :0
    New objects :1



    hijack this log:

    Logfile of HijackThis v1.97.7
    Scan saved at 19:15:38, on 12.01.2011
    Platform: Windows 2000 (WinNT 5.00.2195)
    MSIE: Unable to get Internet Explorer version!

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
    C:\WINNT\Explorer.exe
    C:\WINNT\System32\NVATray.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\WINNT\loadqm.exe
    C:\Program Files\directx\directx.exe
    C:\WINNT\System32\internat.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Trend Micro\PC-cillin 2002\WebTrap.EXE
    C:\Documents and Settings\illes\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://smartsearch.ws/?q=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://smartsearch.ws/?q=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://smartsearch.ws/?q=
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://smartsearch.ws
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smartsearch.ws
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://smartsearch.ws/?q=
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://smartsearch.ws/?q=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://smartsearch.ws
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://smartsearch.ws/?q=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://smartsearch.ws/?q=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smartsearch.ws
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://smartsearch.ws/?q=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://smartsearch.ws/?q=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://smartsearch.ws/?q=
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://smartsearch.ws/?q=
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://smartsearch.ws/?q=
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NVIDIA nForce APU1 Utilities] NVATray.exe
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
    O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [UserSystem] C:\Program Files\directx\directx.exe
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [UserSystem] C:\Program Files\directx\directx.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O13 - DefaultPrefix: http://smartsearch.ws/?q=
    O13 - WWW Prefix: http://smartsearch.ws/?q=




    is it possible to help me,.
    ad-aware would only run in safety mode.
    but i was quick enough to save a log in hijack this before it got shut down..
     
  2. illes

    illes Guest

    is it possible to mail the soulution?

    can u mail me whatever I'm supposed to do next?
    it's hard to visit this url.
    it get closed down all the time..

    done, and addy removed - Pieter
     
  3. illes

    illes Guest

    my problems are: www.smartsearch.com
    cant get out of the url.
    only if i write the hole thing http:// so on...
    cant get it out of the userdefault url..
    it closes down websites that seems to be a thret..
    msn messanger seems not to be bothered.

    cant do nothin on the web without endin up at www.smartsearch.com..
    i'm so f frustrated..
    pleasse help me..
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,429
    Location:
    Netherlands
    Hi illes,

    I'm going to mail you a copy of my answer and then I will remove your email-address. You've got enough problems without the spammers finding it. ;)

    First bring up taskmanager and kill this process:

    O4 - HKLM\..\Run: [UserSystem] C:\Program Files\directx\directx.exe

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://smartsearch.ws/?q=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://smartsearch.ws/?q=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://smartsearch.ws/?q=
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://smartsearch.ws
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smartsearch.ws
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://smartsearch.ws/?q=
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://smartsearch.ws/?q=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://smartsearch.ws
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://smartsearch.ws/?q=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://smartsearch.ws/?q=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smartsearch.ws
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://smartsearch.ws/?q=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://smartsearch.ws/?q=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://smartsearch.ws/?q=
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://smartsearch.ws/?q=
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://smartsearch.ws/?q=

    O4 - HKLM\..\Run: [UserSystem] C:\Program Files\directx\directx.exe

    O4 - HKCU\..\Run: [UserSystem] C:\Program Files\directx\directx.exe

    O13 - DefaultPrefix: http://smartsearch.ws/?q=
    O13 - WWW Prefix: http://smartsearch.ws/?q=

    Then reboot, preferably into safe mode and delete:
    C:\Program Files\directx\directx.exe

    Also, do me a favor and do a Find/Files for *network.sys

    Let me know if and where it is found.

    Regards,

    Pieter
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.