hijacked??? help..

problem.

i am redirected to gonnasearch.com, when i use my browser. it keeps changing explorer values back to f.x.
http://www.gonnasearch.com/(iesearch.php?ref=sb)

please help

i tried:

cws-shredder
ad-aware
spywareguard
spywareblaster
spybot S&D



Logfile of HijackThis v1.97.7
Scan saved at 11:00:34 PM, on 1/14/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\Programmer\Sygate\SPF\Smc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Programmer\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\SYSTEM32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
C:\Programmer\Motherboard Monitor 5\MBM5.EXE
C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe
C:\Programmer\Fælles filer\Nokia\Services\ServiceLayer.exe
C:\Programmer\Fælles filer\Nokia\NCLTools\NclTray.exe
C:\WINNT\system32\sstray.exe
C:\WINNT\system32\atiptaxx.exe
C:\Programmer\D-Tools\daemon.exe
C:\WINNT\system32\ctfmon.exe
C:\Programmer\MSN Messenger\MsnMsgr.Exe
C:\Programmer\eMule\emule.exe
C:\Programmer\SpywareGuard\sgmain.exe
C:\Programmer\SpywareGuard\sgbhp.exe
C:\Programmer\Fælles filer\Real\Update_OB\realevent.exe
C:\Documents and Settings\Chris\Skrivebord\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = 0
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.dk/Default.asp?Ath=f
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gonnasearch.com/iesearch.php?ref=sb
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.gonnasearch.com/iesearch.php?ref=sb
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = 0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = 0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.gonnasearch.com/iesearch.php?ref=sb
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gonnasearch.com/iesearch.php?ref=sb
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.msn.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.gonnasearch.com/iesearch.php?ref=sb
R3 - URLSearchHook: AutoSearchObj Class - {A55581DC-2CDB-4089-8878-71A080B22342} - C:\PROGRA~1\INTERN~1\Toolbar\AUTOSE~1.DLL
O2 - BHO: (no name) - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\Programmer\DAP\DAPIEBar.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {150FA160-130D-451F-B863-B655061432BA} - C:\WINNT\system32\mgs_32.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Programmer\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SearchAddon - {799A370D-5993-4887-9DF7-0A4756A77D00} - C:\PROGRA~1\INTERN~1\Toolbar\SEARCH~1.DLL
O2 - BHO: AutoSearch - {A55581DC-2CDB-4089-8878-71A080B22342} - C:\PROGRA~1\INTERN~1\Toolbar\AUTOSE~1.DLL
O2 - BHO: (no name) - {E7AFFF2A-1B57-49C7-BF6B-E5123394C970} - C:\PROGRA~1\INTERN~1\Toolbar\webinfo.dll
O3 - Toolbar: Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\WINNT\Downloaded Program Files\googlenav.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.EXE -off
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [KAZAA] "C:\Programmer\KaZaA Lite\kpp.exe" "C:\Programmer\KaZaA Lite\kazaa.kpp" /SYSTRAY
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MBM 5] "C:\Programmer\Motherboard Monitor 5\MBM5.EXE"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [hpppta] C:\Programmer\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hpppta.exe /ICON
O4 - HKLM\..\Run: [ServiceLayer] C:\Programmer\Fælles filer\Nokia\Services\ServiceLayer.exe
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Programmer\Fælles filer\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programmer\D-Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmer\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: eMule.lnk = C:\Programmer\eMule\emule.exe
O4 - Startup: SpywareGuard.lnk = C:\Programmer\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://C:\WINNT\Downloaded Program Files\googlenav.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\WINNT\Downloaded Program Files\googlenav.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINNT\Downloaded Program Files\googlenav.dll/cmcache.html
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\WINNT\Downloaded Program Files\googlenav.dll/cmsimilar.html
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Programmer\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {53B3ABEA-4445-44D9-A01E-088144CAABD9} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/da/filesharingctrl.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} (Google Activate) - http://toolbar.google.com/data/da/big/1.1.62-big/GoogleNav.cab
O16 - DPF: {71AEE1E3-1B65-41FA-BBD2-565CBD1359D8} (Util Class) - https://udstedelse.certifikat.tdc.dk/csp/authenticode/PrimeInkCSPInstall0703.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {92F02779-6D88-4958-8AD3-83C12D86ADC7} - http://www.gonnasearch.com/tb/install.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37867.4822685185
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O16 - DPF: {D3426292-3750-4D80-9D0F-2816F61A6D15} (SpeedTest Control) - http://81.19.245.211/speedtest/SpeedTest_2.cab
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} - http://www.seagate.com/support/disc/asp/tools/en/bin/npseatools.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{140540FB-F560-4843-96E5-280600EA45E6}: NameServer = 193.162.153.164 194.239.134.83

 

spybot s&d tries to block advertising.com. but still i end up at (http://www.gonnasearch.com/?ref=dns)

it no fun to sit in a cold country without any internet



regards chris, from the colds of denmark

 

Hi Chris Thygesen

Welcome to Wilders.


Please download and run CWShredder at this link,

http://www.merijn.org/files/CWShredder.exe


then post a fresh HJT log.


Thanks


snowbound

 

have tried it, ran it again.

Logfile of HijackThis v1.97.7
Scan saved at 11:53:40 PM, on 1/14/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\Programmer\Sygate\SPF\Smc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Programmer\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\SYSTEM32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
C:\Programmer\Motherboard Monitor 5\MBM5.EXE
C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe
C:\Programmer\Fælles filer\Nokia\Services\ServiceLayer.exe
C:\Programmer\Fælles filer\Nokia\NCLTools\NclTray.exe
C:\WINNT\system32\sstray.exe
C:\WINNT\system32\atiptaxx.exe
C:\Programmer\D-Tools\daemon.exe
C:\WINNT\system32\ctfmon.exe
C:\Programmer\MSN Messenger\MsnMsgr.Exe
C:\Programmer\eMule\emule.exe
C:\Programmer\SpywareGuard\sgmain.exe
C:\Programmer\SpywareGuard\sgbhp.exe
C:\Documents and Settings\Chris\Skrivebord\i spy\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = 0
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.dk/Default.asp?Ath=f
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = 0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = 0
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.msn.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = ,
R3 - URLSearchHook: AutoSearchObj Class - {A55581DC-2CDB-4089-8878-71A080B22342} - C:\PROGRA~1\INTERN~1\Toolbar\AUTOSE~1.DLL
O2 - BHO: (no name) - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\Programmer\DAP\DAPIEBar.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {150FA160-130D-451F-B863-B655061432BA} - C:\WINNT\system32\mgs_32.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Programmer\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SearchAddon - {799A370D-5993-4887-9DF7-0A4756A77D00} - C:\PROGRA~1\INTERN~1\Toolbar\SEARCH~1.DLL
O2 - BHO: AutoSearch - {A55581DC-2CDB-4089-8878-71A080B22342} - C:\PROGRA~1\INTERN~1\Toolbar\AUTOSE~1.DLL
O2 - BHO: (no name) - {E7AFFF2A-1B57-49C7-BF6B-E5123394C970} - C:\PROGRA~1\INTERN~1\Toolbar\webinfo.dll
O3 - Toolbar: Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\WINNT\Downloaded Program Files\googlenav.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.EXE -off
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [KAZAA] "C:\Programmer\KaZaA Lite\kpp.exe" "C:\Programmer\KaZaA Lite\kazaa.kpp" /SYSTRAY
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MBM 5] "C:\Programmer\Motherboard Monitor 5\MBM5.EXE"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [hpppta] C:\Programmer\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hpppta.exe /ICON
O4 - HKLM\..\Run: [ServiceLayer] C:\Programmer\Fælles filer\Nokia\Services\ServiceLayer.exe
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Programmer\Fælles filer\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programmer\D-Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmer\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: eMule.lnk = C:\Programmer\eMule\emule.exe
O4 - Startup: SpywareGuard.lnk = C:\Programmer\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://C:\WINNT\Downloaded Program Files\googlenav.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\WINNT\Downloaded Program Files\googlenav.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINNT\Downloaded Program Files\googlenav.dll/cmcache.html
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\WINNT\Downloaded Program Files\googlenav.dll/cmsimilar.html
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Programmer\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {53B3ABEA-4445-44D9-A01E-088144CAABD9} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/da/filesharingctrl.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} (Google Activate) - http://toolbar.google.com/data/da/big/1.1.62-big/GoogleNav.cab
O16 - DPF: {71AEE1E3-1B65-41FA-BBD2-565CBD1359D8} (Util Class) - https://udstedelse.certifikat.tdc.dk/csp/authenticode/PrimeInkCSPInstall0703.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {92F02779-6D88-4958-8AD3-83C12D86ADC7} - http://www.gonnasearch.com/tb/install.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37867.4822685185
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O16 - DPF: {D3426292-3750-4D80-9D0F-2816F61A6D15} (SpeedTest Control) - http://81.19.245.211/speedtest/SpeedTest_2.cab
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} - http://www.seagate.com/support/disc/asp/tools/en/bin/npseatools.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{140540FB-F560-4843-96E5-280600EA45E6}: NameServer = 193.162.153.164 194.239.134.83


hope it helps

 

It looks like CWShredder took care of

http://www.gonnasearch.com/(iesearch.php?ref=sb)

It is a variant of " coolwebsearch" hijacker.

I'm sorry but i don't have enough experience to help u with the rest of your log.

One of the experts will give recommendations on what else to fix in your HJT log.

Please be patient as most of them live in different time zones.


Thanks


snowbound

 

when a window in ie is closed(even a pop-up i think) it looks like this again..


Logfile of HijackThis v1.97.7
Scan saved at 12:14:51 AM, on 1/15/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\Programmer\Sygate\SPF\Smc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Programmer\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\SYSTEM32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
C:\Programmer\Motherboard Monitor 5\MBM5.EXE
C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe
C:\Programmer\Fælles filer\Nokia\Services\ServiceLayer.exe
C:\Programmer\Fælles filer\Nokia\NCLTools\NclTray.exe
C:\WINNT\system32\sstray.exe
C:\WINNT\system32\atiptaxx.exe
C:\Programmer\D-Tools\daemon.exe
C:\WINNT\system32\ctfmon.exe
C:\Programmer\MSN Messenger\MsnMsgr.Exe
C:\Programmer\eMule\emule.exe
C:\Programmer\SpywareGuard\sgmain.exe
C:\Programmer\SpywareGuard\sgbhp.exe
C:\Programmer\Internet Explorer\IEXPLORE.EXE
C:\Games\Crazy Taxi 3\CT3.exe
C:\Documents and Settings\Chris\Skrivebord\i spy\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gonnasearch.com/iesearch.php?ref=sb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.gonnasearch.com/?ref=sp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.dk/Default.asp?Ath=f
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gonnasearch.com/iesearch.php?ref=sb
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.gonnasearch.com/iesearch.php?ref=sb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gonnasearch.com/iesearch.php?ref=sb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.gonnasearch.com/?ref=sp
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.gonnasearch.com/iesearch.php?ref=sb
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gonnasearch.com/iesearch.php?ref=sb
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.msn.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.gonnasearch.com/iesearch.php?ref=sb
R3 - URLSearchHook: AutoSearchObj Class - {A55581DC-2CDB-4089-8878-71A080B22342} - C:\PROGRA~1\INTERN~1\Toolbar\AUTOSE~1.DLL
O2 - BHO: (no name) - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\Programmer\DAP\DAPIEBar.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {150FA160-130D-451F-B863-B655061432BA} - C:\WINNT\system32\mgs_32.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Programmer\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SearchAddon - {799A370D-5993-4887-9DF7-0A4756A77D00} - C:\PROGRA~1\INTERN~1\Toolbar\SEARCH~1.DLL
O2 - BHO: AutoSearch - {A55581DC-2CDB-4089-8878-71A080B22342} - C:\PROGRA~1\INTERN~1\Toolbar\AUTOSE~1.DLL
O2 - BHO: (no name) - {E7AFFF2A-1B57-49C7-BF6B-E5123394C970} - C:\PROGRA~1\INTERN~1\Toolbar\webinfo.dll
O3 - Toolbar: Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\WINNT\Downloaded Program Files\googlenav.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.EXE -off
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [KAZAA] "C:\Programmer\KaZaA Lite\kpp.exe" "C:\Programmer\KaZaA Lite\kazaa.kpp" /SYSTRAY
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MBM 5] "C:\Programmer\Motherboard Monitor 5\MBM5.EXE"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [hpppta] C:\Programmer\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hpppta.exe /ICON
O4 - HKLM\..\Run: [ServiceLayer] C:\Programmer\Fælles filer\Nokia\Services\ServiceLayer.exe
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Programmer\Fælles filer\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programmer\D-Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmer\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: eMule.lnk = C:\Programmer\eMule\emule.exe
O4 - Startup: SpywareGuard.lnk = C:\Programmer\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://C:\WINNT\Downloaded Program Files\googlenav.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\WINNT\Downloaded Program Files\googlenav.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINNT\Downloaded Program Files\googlenav.dll/cmcache.html
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\WINNT\Downloaded Program Files\googlenav.dll/cmsimilar.html
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Programmer\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {53B3ABEA-4445-44D9-A01E-088144CAABD9} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/da/filesharingctrl.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} (Google Activate) - http://toolbar.google.com/data/da/big/1.1.62-big/GoogleNav.cab
O16 - DPF: {71AEE1E3-1B65-41FA-BBD2-565CBD1359D8} (Util Class) - https://udstedelse.certifikat.tdc.dk/csp/authenticode/PrimeInkCSPInstall0703.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {92F02779-6D88-4958-8AD3-83C12D86ADC7} - http://www.gonnasearch.com/tb/install.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37867.4822685185
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O16 - DPF: {D3426292-3750-4D80-9D0F-2816F61A6D15} (SpeedTest Control) - http://81.19.245.211/speedtest/SpeedTest_2.cab
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} - http://www.seagate.com/support/disc/asp/tools/en/bin/npseatools.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{140540FB-F560-4843-96E5-280600EA45E6}: NameServer = 193.162.153.164 194.239.134.83

 

Sorry for the delay.

I'm a little confused as to why it now appears the Hijack has come back.

I've not run into this before.

It is probably because there are more entries related to this that also need to be fixed.

As i said iam just learning how to read these logs so it is best u wait for the experts to advise u now.

Sorry i couldn't have been more help.




snowbound

 

Hi Chris,

Can you send the following files to me please? :

C:\PROGRA~1\INTERN~1\Toolbar\AUTOSE~1.DLL
C:\PROGRA~1\INTERN~1\Toolbar\SEARCH~1.DLL
C:\PROGRA~1\INTERN~1\Toolbar\webinfo.dll
C:\WINNT\system32\mgs_32.dll

[ unzy @ wilders.org ] thanks!

Cheers,

 

Hi there,

Thanks for the files! I'm affraid more bad CWS news

O16 - DPF: {92F02779-6D88-4958-8AD3-83C12D86ADC7} - http://www.gonnasearch.com/tb/install.cab

This activeX drive-by installs the gonnasearch toolbar onto your system.

Upon execution it launches the following BHO :

C:\WINNT\system32\mgs_32.dll

This is done by an executable called GSTB.exe (which in no doubt means : gonnasearch toolbar)

Once installed in the system32 folder it then tries to launch the actual dll's which are responsable for the toolbar :

C:\PROGRA~1\INTERN~1\Toolbar\AUTOSE~1.DLL
C:\PROGRA~1\INTERN~1\Toolbar\SEARCH~1.DLL
C:\PROGRA~1\INTERN~1\Toolbar\webinfo.dll

Needless to say gonbnasearch.com is a CWS domain

Have only HijackThis running and fix the following :

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gonnasearch.com/iesearch.php?ref=sb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.gonnasearch.com/?ref=sp
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gonnasearch.com/iesearch.php?ref=sb
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.gonnasearch.com/iesearch.php?ref=sb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gonnasearch.com/iesearch.php?ref=sb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.gonnasearch.com/?ref=sp
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.gonnasearch.com/iesearch.php?ref=sb
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gonnasearch.com/iesearch.php?ref=sb
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.gonnasearch.com/iesearch.php?ref=sb

R3 - URLSearchHook: AutoSearchObj Class - {A55581DC-2CDB-4089-8878-71A080B22342} - C:\PROGRA~1\INTERN~1\Toolbar\AUTOSE~1.DLL

O2 - BHO: (no name) - {150FA160-130D-451F-B863-B655061432BA} - C:\WINNT\system32\mgs_32.dll
O2 - BHO: SearchAddon - {799A370D-5993-4887-9DF7-0A4756A77D00} - C:\PROGRA~1\INTERN~1\Toolbar\SEARCH~1.DLL
O2 - BHO: AutoSearch - {A55581DC-2CDB-4089-8878-71A080B22342} - C:\PROGRA~1\INTERN~1\Toolbar\AUTOSE~1.DLL
O2 - BHO: (no name) - {E7AFFF2A-1B57-49C7-BF6B-E5123394C970} - C:\PROGRA~1\INTERN~1\Toolbar\webinfo.dll

O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)

O16 - DPF: {92F02779-6D88-4958-8AD3-83C12D86ADC7} - http://www.gonnasearch.com/tb/install.cab

Restart the PC after doing so and remove :

C:\PROGRA~1\INTERN~1\Toolbar <- this folder

Here is what it looks like :

 

thanks to both of you. it is always nice to find people who can and spend the time to help.

it has removed the problem, and all is well


many thanks chris

 

That's great to hear Chris!

Glad we were able to help and good job cleaning up

Take care

Cheers,