help me before I go nuts, please thank you:)

Discussion in 'adware, spyware & hijack cleaning' started by illes, Jan 12, 2004.

Thread Status:
Not open for further replies.
  1. illes

    illes Guest

    I've followed your steps.
    os - win 2000

    ad-aware log.

    Lavasoft Ad-aware Personal Build 160
    Logfile created on :12. januar 2011 17:24:27
    Created with Ad-aware Personal, free for private use.
    ______________________________________________________

    Ad-aware Settings
    =========================
    Set : Activate in-depth scan (Recommended)
    Set : Safe mode (always request confirmation)
    Set : Scan active processes
    Set : Scan registry
    Set : Deep scan registry


    Listing running processes
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    #:1 [smss.exe]
    FilePath : \SystemRoot\System32\
    ThreadCreationTime : 12.01.2011 16:23:28
    BasePriority : Normal


    #:2 [winlogon.exe]
    FilePath : \??\C:\WINNT\system32\
    ThreadCreationTime : 12.01.2011 16:23:37
    BasePriority : High


    #:3 [services.exe]
    FilePath : C:\WINNT\system32\
    ThreadCreationTime : 12.01.2011 16:23:38
    BasePriority : Normal
    FileSize : 86 KB
    FileVersion : 5.00.2134.1
    ProductVersion : 5.00.2134.1
    Copyright : Copyright (C) Microsoft Corp. 1981-1999
    CompanyName : Microsoft Corporation
    FileDescription : Services and Controller app
    InternalName : services.exe
    OriginalFilename : services.exe
    ProductName : Microsoft(R) Windows (R) 2000 Operating System
    Created on : 07.12.1999 11:00:00
    Last accessed : 11.01.2011 23:00:00
    Last modified : 07.12.1999 11:00:00

    #:4 [lsass.exe]
    FilePath : C:\WINNT\system32\
    ThreadCreationTime : 12.01.2011 16:23:38
    BasePriority : Normal
    FileSize : 32 KB
    FileVersion : 5.00.2184.1
    ProductVersion : 5.00.2184.1
    Copyright : Copyright (C) Microsoft Corp. 1981-1999
    CompanyName : Microsoft Corporation
    FileDescription : LSA Executable and Server DLL (Export Version)
    InternalName : lsasrv.dll and lsass.exe
    OriginalFilename : lsasrv.dll and lsass.exe
    ProductName : Microsoft(R) Windows (R) 2000 Operating System
    Created on : 07.12.1999 11:00:00
    Last accessed : 11.01.2011 23:00:00
    Last modified : 07.12.1999 11:00:00

    #:5 [svchost.exe]
    FilePath : C:\WINNT\system32\
    ThreadCreationTime : 12.01.2011 16:23:40
    BasePriority : Normal
    FileSize : 7 KB
    FileVersion : 5.00.2134.1
    ProductVersion : 5.00.2134.1
    Copyright : Copyright (C) Microsoft Corp. 1981-1999
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    OriginalFilename : svchost.exe
    ProductName : Microsoft(R) Windows (R) 2000 Operating System
    Created on : 07.12.1999 11:00:00
    Last accessed : 11.01.2011 23:00:00
    Last modified : 07.12.1999 11:00:00

    #:6 [winmgmt.exe]
    FilePath : C:\WINNT\System32\WBEM\
    ThreadCreationTime : 12.01.2011 16:23:40
    BasePriority : Normal
    FileSize : 188 KB
    FileVersion : 1.50.1085.0001
    ProductVersion : 1.50.1085.0001
    Copyright : Copyright (C) Microsoft Corp. 1995-1999
    CompanyName : Microsoft Corporation
    FileDescription : Windows Management Instrumentation
    InternalName : WINMGMT
    ProductName : Windows Management Instrumentation
    Created on : 07.12.1999 11:00:00
    Last accessed : 11.01.2011 23:00:00
    Last modified : 07.12.1999 11:00:00

    #:7 [explorer.exe]
    FilePath : C:\WINNT\
    ThreadCreationTime : 12.01.2011 16:24:00
    BasePriority : Normal
    FileSize : 232 KB
    FileVersion : 5.00.2920.0000
    ProductVersion : 5.00.2920.0000
    Copyright : Copyright (C) Microsoft Corp. 1981-1999
    CompanyName : Microsoft Corporation
    FileDescription : Windows Explorer
    InternalName : explorer
    OriginalFilename : EXPLORER.EXE
    ProductName : Microsoft(R) Windows (R) 2000 Operating System
    Created on : 07.12.1999 11:00:00
    Last accessed : 11.01.2011 23:00:00
    Last modified : 07.12.1999 11:00:00

    #:8 [ad-aware.exe]
    FilePath : C:\Program Files\Lavasoft\Ad-aware 6\
    ThreadCreationTime : 12.01.2011 16:24:20
    BasePriority : Normal
    FileSize : 635 KB
    FileVersion : 6.0.1.161
    ProductVersion : 6.0.0.0
    Copyright : Copyright Lavasoft Sweden
    CompanyName : Lavasoft Sweden
    FileDescription : Ad-aware 6 core application
    InternalName : Ad-aware.exe
    OriginalFilename : Ad-aware.exe
    ProductName : Lavasoft Ad-aware Plus
    Created on : 11.01.2011 22:54:32
    Last accessed : 11.01.2011 23:00:00
    Last modified : 04.02.2003 21:36:12

    Memory scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 0


    Started registry scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    Alexa Object recognized!
    Type : RegKey
    Data :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}


    Registry scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 1
    Objects found so far: 1


    Started deep registry scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    Deep registry scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 1


    Deep scanning and examining files (C:)
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    Disk scan result for C:
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 1

    17:24:57 Scan complete

    Summary of this scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    Total scanning time :00:00:29:890
    Objects scanned :24938
    Objects identified :1
    Objects ignored :0
    New objects :1



    hijack this log:

    Logfile of HijackThis v1.97.7
    Scan saved at 19:15:38, on 12.01.2011
    Platform: Windows 2000 (WinNT 5.00.2195)
    MSIE: Unable to get Internet Explorer version!

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
    C:\WINNT\Explorer.exe
    C:\WINNT\System32\NVATray.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\WINNT\loadqm.exe
    C:\Program Files\directx\directx.exe
    C:\WINNT\System32\internat.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Trend Micro\PC-cillin 2002\WebTrap.EXE
    C:\Documents and Settings\illes\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://smartsearch.ws/?q=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://smartsearch.ws/?q=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://smartsearch.ws/?q=
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://smartsearch.ws
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smartsearch.ws
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://smartsearch.ws/?q=
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://smartsearch.ws/?q=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://smartsearch.ws
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://smartsearch.ws/?q=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://smartsearch.ws/?q=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smartsearch.ws
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://smartsearch.ws/?q=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://smartsearch.ws/?q=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://smartsearch.ws/?q=
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://smartsearch.ws/?q=
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://smartsearch.ws/?q=
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NVIDIA nForce APU1 Utilities] NVATray.exe
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
    O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [UserSystem] C:\Program Files\directx\directx.exe
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [UserSystem] C:\Program Files\directx\directx.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O13 - DefaultPrefix: http://smartsearch.ws/?q=
    O13 - WWW Prefix: http://smartsearch.ws/?q=




    is it possible to help me?
    ad-aware would only run in safety mode.
    but i was quick enough to save a log in hijack this before it got shut down..
     
  2. illes

    illes Guest

    is it possible to mail the solution?

    can u mail me whatever I'm supposed to do next?
    it's hard to visit this url.
    it gets closed down all the time..

    done, and addy removed - Pieter
     
  3. illes

    illes Guest

    my problems are: www.smartsearch.com
    can't get out of the url.
    only if i write the whole thing http:// so on...
    can't get it out of the userdefault url..
    it closes down websites that seem to be a threat..
    msn messenger seems not to be bothered.

    can't do nothing on the web without ending up at www.smartsearch.com..
    i'm so f frustrated..
    please help me..
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined: Apr 27, 2002
    Posts: 13,330
    Location: Netherlands

    Hi illes,

    I'm going to mail you a copy of my answer and then I will remove your email-address. You've got enough problems without the spammers finding it. ;)

    First bring up taskmanager and kill this process:

    O4 - HKLM\..\Run: [UserSystem] C:\Program Files\directx\directx.exe

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://smartsearch.ws/?q=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://smartsearch.ws/?q=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://smartsearch.ws/?q=
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://smartsearch.ws
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smartsearch.ws
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://smartsearch.ws/?q=
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://smartsearch.ws/?q=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://smartsearch.ws
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://smartsearch.ws/?q=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://smartsearch.ws/?q=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smartsearch.ws
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://smartsearch.ws/?q=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://smartsearch.ws/?q=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://smartsearch.ws/?q=
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://smartsearch.ws/?q=
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://smartsearch.ws/?q=

    O4 - HKLM\..\Run: [UserSystem] C:\Program Files\directx\directx.exe

    O4 - HKCU\..\Run: [UserSystem] C:\Program Files\directx\directx.exe

    O13 - DefaultPrefix: http://smartsearch.ws/?q=
    O13 - WWW Prefix: http://smartsearch.ws/?q=

    Then reboot, preferably into safe mode and delete:
    C:\Program Files\directx\directx.exe

    Also, do me a favor and do a Find/Files for *network.sys

    Let me know if and where it is found.

    Regards,

    Pieter
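
The entries selected in the reply above share two patterns that can be pulled out of a HijackThis log mechanically: every R0/R1/O13 browser setting points at one host, and one O4 Run value is registered under both HKLM and HKCU. The following is an added example, not part of the original posts and not HijackThis's own logic; the "same autorun in more than one hive" heuristic and the function names are assumptions made for this illustration, and its output is a list of candidates for an analyst to review.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Subset of the HijackThis log posted in this thread, embedded so the example runs offline.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://smartsearch.ws/?q=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://smartsearch.ws
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [UserSystem] C:\Program Files\directx\directx.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [UserSystem] C:\Program Files\directx\directx.exe
O13 - DefaultPrefix: http://smartsearch.ws/?q=
O13 - WWW Prefix: http://smartsearch.ws/?q=
"""

ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.*)$")
URL_SETTING = re.compile(r"^(.*?)(?: = |: )(https?://\S+)$")
RUN_ENTRY = re.compile(r"^(HK\w+)\\\.\.\\Run: \[(.+?)\] (.+)$")

def parse(log):
    """Yield (section_code, body) for each HijackThis entry line."""
    for line in log.splitlines():
        m = ENTRY.match(line)
        if m:
            yield m.group(1), m.group(2).strip()

def redirect_hosts(log):
    """Count the hosts that R0/R1 (IE pages) and O13 (URL prefixes) point to."""
    hosts = Counter()
    for code, body in parse(log):
        m = URL_SETTING.match(body)
        if code in ("R0", "R1", "O13") and m:
            hosts[urlsplit(m.group(2)).hostname] += 1
    return hosts

def duplicated_autoruns(log):
    """Return {(name, command): hives} for O4 Run values set in more than one hive."""
    seen = defaultdict(set)
    for code, body in parse(log):
        m = RUN_ENTRY.match(body)
        if code == "O4" and m:
            hive, name, command = m.groups()
            seen[(name, command.lower())].add(hive)
    return {key: sorted(hives) for key, hives in seen.items() if len(hives) > 1}

if __name__ == "__main__":
    print(redirect_hosts(SAMPLE_LOG).most_common(), duplicated_autoruns(SAMPLE_LOG))
```

A single unfamiliar host holding every search, start-page and prefix setting, together with an autorun duplicated across hives, is what makes a log like this one stand out from the vendor entries around it.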
     