hijacked??? help..

Discussion in 'adware, spyware & hijack cleaning' started by Chris Thygesen, Jan 14, 2004.

Thread Status:
Not open for further replies.
  1. problem.

    I am redirected to gonnasearch.com when I use my browser. It keeps changing Explorer values back to, e.g.:
    http://www.gonnasearch.com/(iesearch.php?ref=sb)

    Please help.

    I tried:

    CWShredder
    Ad-Aware
    SpywareGuard
    SpywareBlaster
    Spybot S&D



    Logfile of HijackThis v1.97.7
    Scan saved at 11:00:34 PM, on 1/14/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\SYSTEM32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\Ati2evxx.exe
    C:\Programmer\Sygate\SPF\Smc.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\Programmer\Symantec\Norton Ghost 2003\GhostStartService.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\snmp.exe
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\SYSTEM32\Ati2evxx.exe
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
    C:\Programmer\Motherboard Monitor 5\MBM5.EXE
    C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe
    C:\Programmer\Fælles filer\Nokia\Services\ServiceLayer.exe
    C:\Programmer\Fælles filer\Nokia\NCLTools\NclTray.exe
    C:\WINNT\system32\sstray.exe
    C:\WINNT\system32\atiptaxx.exe
    C:\Programmer\D-Tools\daemon.exe
    C:\WINNT\system32\ctfmon.exe
    C:\Programmer\MSN Messenger\MsnMsgr.Exe
    C:\Programmer\eMule\emule.exe
    C:\Programmer\SpywareGuard\sgmain.exe
    C:\Programmer\SpywareGuard\sgbhp.exe
    C:\Programmer\Fælles filer\Real\Update_OB\realevent.exe
    C:\Documents and Settings\Chris\Skrivebord\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = 0
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.dk/Default.asp?Ath=f
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gonnasearch.com/iesearch.php?ref=sb
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.gonnasearch.com/iesearch.php?ref=sb
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = 0
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = 0
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.gonnasearch.com/iesearch.php?ref=sb
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gonnasearch.com/iesearch.php?ref=sb
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.msn.dk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.gonnasearch.com/iesearch.php?ref=sb
    R3 - URLSearchHook: AutoSearchObj Class - {A55581DC-2CDB-4089-8878-71A080B22342} - C:\PROGRA~1\INTERN~1\Toolbar\AUTOSE~1.DLL
    O2 - BHO: (no name) - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\Programmer\DAP\DAPIEBar.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {150FA160-130D-451F-B863-B655061432BA} - C:\WINNT\system32\mgs_32.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Programmer\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SearchAddon - {799A370D-5993-4887-9DF7-0A4756A77D00} - C:\PROGRA~1\INTERN~1\Toolbar\SEARCH~1.DLL
    O2 - BHO: AutoSearch - {A55581DC-2CDB-4089-8878-71A080B22342} - C:\PROGRA~1\INTERN~1\Toolbar\AUTOSE~1.DLL
    O2 - BHO: (no name) - {E7AFFF2A-1B57-49C7-BF6B-E5123394C970} - C:\PROGRA~1\INTERN~1\Toolbar\webinfo.dll
    O3 - Toolbar: Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\WINNT\Downloaded Program Files\googlenav.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [anvshell] anvshell.exe
    O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.EXE -off
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [KAZAA] "C:\Programmer\KaZaA Lite\kpp.exe" "C:\Programmer\KaZaA Lite\kazaa.kpp" /SYSTRAY
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [MBM 5] "C:\Programmer\Motherboard Monitor 5\MBM5.EXE"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [hpppta] C:\Programmer\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hpppta.exe /ICON
    O4 - HKLM\..\Run: [ServiceLayer] C:\Programmer\Fælles filer\Nokia\Services\ServiceLayer.exe
    O4 - HKLM\..\Run: [Nokia Tray Application] C:\Programmer\Fælles filer\Nokia\NCLTools\NclTray.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programmer\D-Tools\daemon.exe" -lang 1033
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmer\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Startup: eMule.lnk = C:\Programmer\eMule\emule.exe
    O4 - Startup: SpywareGuard.lnk = C:\Programmer\SpywareGuard\sgmain.exe
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: &Google Search - res://C:\WINNT\Downloaded Program Files\googlenav.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\WINNT\Downloaded Program Files\googlenav.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINNT\Downloaded Program Files\googlenav.dll/cmcache.html
    O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://C:\WINNT\Downloaded Program Files\googlenav.dll/cmsimilar.html
    O9 - Extra button: ICQ Pro (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .spop: C:\Programmer\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {53B3ABEA-4445-44D9-A01E-088144CAABD9} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/da/filesharingctrl.cab
    O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} (Google Activate) - http://toolbar.google.com/data/da/big/1.1.62-big/GoogleNav.cab
    O16 - DPF: {71AEE1E3-1B65-41FA-BBD2-565CBD1359D8} (Util Class) - https://udstedelse.certifikat.tdc.dk/csp/authenticode/PrimeInkCSPInstall0703.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {92F02779-6D88-4958-8AD3-83C12D86ADC7} - http://www.gonnasearch.com/tb/install.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37867.4822685185
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
    O16 - DPF: {D3426292-3750-4D80-9D0F-2816F61A6D15} (SpeedTest Control) - http://81.19.245.211/speedtest/SpeedTest_2.cab
    O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} - http://www.seagate.com/support/disc/asp/tools/en/bin/npseatools.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{140540FB-F560-4843-96E5-280600EA45E6}: NameServer = 193.162.153.164 194.239.134.83
     
  2. Spybot S&D tries to block advertising.com, but I still end up at http://www.gonnasearch.com/?ref=dns

    It is no fun to sit in a cold country without any internet.



    Regards, Chris, from the cold of Denmark
     
  3. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Hi Chris Thygesen :)

    Welcome to Wilders.


    Please download and run CWShredder at this link,

    http://www.merijn.org/files/CWShredder.exe


    Then post a fresh HJT log.


    Thanks


    snowbound
     
  4. Have tried it, ran it again.

    Logfile of HijackThis v1.97.7
    Scan saved at 11:53:40 PM, on 1/14/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\SYSTEM32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\Ati2evxx.exe
    C:\Programmer\Sygate\SPF\Smc.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\Programmer\Symantec\Norton Ghost 2003\GhostStartService.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\snmp.exe
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\SYSTEM32\Ati2evxx.exe
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
    C:\Programmer\Motherboard Monitor 5\MBM5.EXE
    C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe
    C:\Programmer\Fælles filer\Nokia\Services\ServiceLayer.exe
    C:\Programmer\Fælles filer\Nokia\NCLTools\NclTray.exe
    C:\WINNT\system32\sstray.exe
    C:\WINNT\system32\atiptaxx.exe
    C:\Programmer\D-Tools\daemon.exe
    C:\WINNT\system32\ctfmon.exe
    C:\Programmer\MSN Messenger\MsnMsgr.Exe
    C:\Programmer\eMule\emule.exe
    C:\Programmer\SpywareGuard\sgmain.exe
    C:\Programmer\SpywareGuard\sgbhp.exe
    C:\Documents and Settings\Chris\Skrivebord\i spy\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = 0
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.dk/Default.asp?Ath=f
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = 0
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = 0
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.msn.dk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = ,
    R3 - URLSearchHook: AutoSearchObj Class - {A55581DC-2CDB-4089-8878-71A080B22342} - C:\PROGRA~1\INTERN~1\Toolbar\AUTOSE~1.DLL
    O2 - BHO: (no name) - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\Programmer\DAP\DAPIEBar.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {150FA160-130D-451F-B863-B655061432BA} - C:\WINNT\system32\mgs_32.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Programmer\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SearchAddon - {799A370D-5993-4887-9DF7-0A4756A77D00} - C:\PROGRA~1\INTERN~1\Toolbar\SEARCH~1.DLL
    O2 - BHO: AutoSearch - {A55581DC-2CDB-4089-8878-71A080B22342} - C:\PROGRA~1\INTERN~1\Toolbar\AUTOSE~1.DLL
    O2 - BHO: (no name) - {E7AFFF2A-1B57-49C7-BF6B-E5123394C970} - C:\PROGRA~1\INTERN~1\Toolbar\webinfo.dll
    O3 - Toolbar: Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\WINNT\Downloaded Program Files\googlenav.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [anvshell] anvshell.exe
    O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.EXE -off
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [KAZAA] "C:\Programmer\KaZaA Lite\kpp.exe" "C:\Programmer\KaZaA Lite\kazaa.kpp" /SYSTRAY
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [MBM 5] "C:\Programmer\Motherboard Monitor 5\MBM5.EXE"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [hpppta] C:\Programmer\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hpppta.exe /ICON
    O4 - HKLM\..\Run: [ServiceLayer] C:\Programmer\Fælles filer\Nokia\Services\ServiceLayer.exe
    O4 - HKLM\..\Run: [Nokia Tray Application] C:\Programmer\Fælles filer\Nokia\NCLTools\NclTray.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programmer\D-Tools\daemon.exe" -lang 1033
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmer\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Startup: eMule.lnk = C:\Programmer\eMule\emule.exe
    O4 - Startup: SpywareGuard.lnk = C:\Programmer\SpywareGuard\sgmain.exe
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: &Google Search - res://C:\WINNT\Downloaded Program Files\googlenav.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\WINNT\Downloaded Program Files\googlenav.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINNT\Downloaded Program Files\googlenav.dll/cmcache.html
    O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://C:\WINNT\Downloaded Program Files\googlenav.dll/cmsimilar.html
    O9 - Extra button: ICQ Pro (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .spop: C:\Programmer\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {53B3ABEA-4445-44D9-A01E-088144CAABD9} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/da/filesharingctrl.cab
    O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} (Google Activate) - http://toolbar.google.com/data/da/big/1.1.62-big/GoogleNav.cab
    O16 - DPF: {71AEE1E3-1B65-41FA-BBD2-565CBD1359D8} (Util Class) - https://udstedelse.certifikat.tdc.dk/csp/authenticode/PrimeInkCSPInstall0703.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {92F02779-6D88-4958-8AD3-83C12D86ADC7} - http://www.gonnasearch.com/tb/install.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37867.4822685185
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
    O16 - DPF: {D3426292-3750-4D80-9D0F-2816F61A6D15} (SpeedTest Control) - http://81.19.245.211/speedtest/SpeedTest_2.cab
    O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} - http://www.seagate.com/support/disc/asp/tools/en/bin/npseatools.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{140540FB-F560-4843-96E5-280600EA45E6}: NameServer = 193.162.153.164 194.239.134.83


    Hope it helps.
     
  5. snowbound

    It looks like CWShredder took care of

    http://www.gonnasearch.com/(iesearch.php?ref=sb)

    It is a variant of the "CoolWebSearch" hijacker.

    I'm sorry, but I don't have enough experience to help you with the rest of your log.

    One of the experts will give recommendations on what else to fix in your HJT log.

    Please be patient as most of them live in different time zones.


    Thanks :)


    snowbound
     
  6. When a window in IE is closed (even a pop-up, I think) it looks like this again:


    Logfile of HijackThis v1.97.7
    Scan saved at 12:14:51 AM, on 1/15/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\SYSTEM32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\Ati2evxx.exe
    C:\Programmer\Sygate\SPF\Smc.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\Programmer\Symantec\Norton Ghost 2003\GhostStartService.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\snmp.exe
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\SYSTEM32\Ati2evxx.exe
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
    C:\Programmer\Motherboard Monitor 5\MBM5.EXE
    C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe
    C:\Programmer\Fælles filer\Nokia\Services\ServiceLayer.exe
    C:\Programmer\Fælles filer\Nokia\NCLTools\NclTray.exe
    C:\WINNT\system32\sstray.exe
    C:\WINNT\system32\atiptaxx.exe
    C:\Programmer\D-Tools\daemon.exe
    C:\WINNT\system32\ctfmon.exe
    C:\Programmer\MSN Messenger\MsnMsgr.Exe
    C:\Programmer\eMule\emule.exe
    C:\Programmer\SpywareGuard\sgmain.exe
    C:\Programmer\SpywareGuard\sgbhp.exe
    C:\Programmer\Internet Explorer\IEXPLORE.EXE
    C:\Games\Crazy Taxi 3\CT3.exe
    C:\Documents and Settings\Chris\Skrivebord\i spy\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gonnasearch.com/iesearch.php?ref=sb
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.gonnasearch.com/?ref=sp
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.dk/Default.asp?Ath=f
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gonnasearch.com/iesearch.php?ref=sb
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.gonnasearch.com/iesearch.php?ref=sb
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gonnasearch.com/iesearch.php?ref=sb
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.gonnasearch.com/?ref=sp
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.gonnasearch.com/iesearch.php?ref=sb
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gonnasearch.com/iesearch.php?ref=sb
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.msn.dk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.gonnasearch.com/iesearch.php?ref=sb
    R3 - URLSearchHook: AutoSearchObj Class - {A55581DC-2CDB-4089-8878-71A080B22342} - C:\PROGRA~1\INTERN~1\Toolbar\AUTOSE~1.DLL
    O2 - BHO: (no name) - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\Programmer\DAP\DAPIEBar.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {150FA160-130D-451F-B863-B655061432BA} - C:\WINNT\system32\mgs_32.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Programmer\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SearchAddon - {799A370D-5993-4887-9DF7-0A4756A77D00} - C:\PROGRA~1\INTERN~1\Toolbar\SEARCH~1.DLL
    O2 - BHO: AutoSearch - {A55581DC-2CDB-4089-8878-71A080B22342} - C:\PROGRA~1\INTERN~1\Toolbar\AUTOSE~1.DLL
    O2 - BHO: (no name) - {E7AFFF2A-1B57-49C7-BF6B-E5123394C970} - C:\PROGRA~1\INTERN~1\Toolbar\webinfo.dll
    O3 - Toolbar: Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\WINNT\Downloaded Program Files\googlenav.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [anvshell] anvshell.exe
    O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.EXE -off
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [KAZAA] "C:\Programmer\KaZaA Lite\kpp.exe" "C:\Programmer\KaZaA Lite\kazaa.kpp" /SYSTRAY
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [MBM 5] "C:\Programmer\Motherboard Monitor 5\MBM5.EXE"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [hpppta] C:\Programmer\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hpppta.exe /ICON
    O4 - HKLM\..\Run: [ServiceLayer] C:\Programmer\Fælles filer\Nokia\Services\ServiceLayer.exe
    O4 - HKLM\..\Run: [Nokia Tray Application] C:\Programmer\Fælles filer\Nokia\NCLTools\NclTray.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programmer\D-Tools\daemon.exe" -lang 1033
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmer\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Startup: eMule.lnk = C:\Programmer\eMule\emule.exe
    O4 - Startup: SpywareGuard.lnk = C:\Programmer\SpywareGuard\sgmain.exe
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: &Google Search - res://C:\WINNT\Downloaded Program Files\googlenav.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\WINNT\Downloaded Program Files\googlenav.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINNT\Downloaded Program Files\googlenav.dll/cmcache.html
    O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://C:\WINNT\Downloaded Program Files\googlenav.dll/cmsimilar.html
    O9 - Extra button: ICQ Pro (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .spop: C:\Programmer\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {53B3ABEA-4445-44D9-A01E-088144CAABD9} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/da/filesharingctrl.cab
    O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} (Google Activate) - http://toolbar.google.com/data/da/big/1.1.62-big/GoogleNav.cab
    O16 - DPF: {71AEE1E3-1B65-41FA-BBD2-565CBD1359D8} (Util Class) - https://udstedelse.certifikat.tdc.dk/csp/authenticode/PrimeInkCSPInstall0703.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {92F02779-6D88-4958-8AD3-83C12D86ADC7} - http://www.gonnasearch.com/tb/install.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37867.4822685185
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
    O16 - DPF: {D3426292-3750-4D80-9D0F-2816F61A6D15} (SpeedTest Control) - http://81.19.245.211/speedtest/SpeedTest_2.cab
    O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} - http://www.seagate.com/support/disc/asp/tools/en/bin/npseatools.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{140540FB-F560-4843-96E5-280600EA45E6}: NameServer = 193.162.153.164 194.239.134.83
     
  7. snowbound

    Sorry for the delay.

    I'm a little confused as to why it now appears the Hijack has come back.

    I've not run into this before.

    It is probably because there are more entries related to this that also need to be fixed.

    As I said, I am just learning how to read these logs, so it is best you wait for the experts to advise you now.

    Sorry i couldn't have been more help.




    snowbound
     
  8. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Hi Chris,

    Can you send the following files to me please? :

    C:\PROGRA~1\INTERN~1\Toolbar\AUTOSE~1.DLL
    C:\PROGRA~1\INTERN~1\Toolbar\SEARCH~1.DLL
    C:\PROGRA~1\INTERN~1\Toolbar\webinfo.dll
    C:\WINNT\system32\mgs_32.dll

    [ unzy @ wilders.org ] thanks!

    Cheers,
     
  9. Unzy

    Hi there,

    Thanks for the files! I'm afraid more bad CWS news :(

    O16 - DPF: {92F02779-6D88-4958-8AD3-83C12D86ADC7} - http://www.gonnasearch.com/tb/install.cab

    This ActiveX drive-by installs the gonnasearch toolbar onto your system.

    Upon execution it launches the following BHO:

    C:\WINNT\system32\mgs_32.dll

    This is done by an executable called GSTB.exe (which no doubt means: gonnasearch toolbar).

    Once installed in the system32 folder it then tries to launch the actual DLLs which are responsible for the toolbar:

    C:\PROGRA~1\INTERN~1\Toolbar\AUTOSE~1.DLL
    C:\PROGRA~1\INTERN~1\Toolbar\SEARCH~1.DLL
    C:\PROGRA~1\INTERN~1\Toolbar\webinfo.dll

    Needless to say, gonnasearch.com is a CWS domain.

    Have only HijackThis running and fix the following :

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gonnasearch.com/iesearch.php?ref=sb
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.gonnasearch.com/?ref=sp
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gonnasearch.com/iesearch.php?ref=sb
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.gonnasearch.com/iesearch.php?ref=sb
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gonnasearch.com/iesearch.php?ref=sb
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.gonnasearch.com/?ref=sp
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.gonnasearch.com/iesearch.php?ref=sb
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gonnasearch.com/iesearch.php?ref=sb
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.gonnasearch.com/iesearch.php?ref=sb

    R3 - URLSearchHook: AutoSearchObj Class - {A55581DC-2CDB-4089-8878-71A080B22342} - C:\PROGRA~1\INTERN~1\Toolbar\AUTOSE~1.DLL

    O2 - BHO: (no name) - {150FA160-130D-451F-B863-B655061432BA} - C:\WINNT\system32\mgs_32.dll
    O2 - BHO: SearchAddon - {799A370D-5993-4887-9DF7-0A4756A77D00} - C:\PROGRA~1\INTERN~1\Toolbar\SEARCH~1.DLL
    O2 - BHO: AutoSearch - {A55581DC-2CDB-4089-8878-71A080B22342} - C:\PROGRA~1\INTERN~1\Toolbar\AUTOSE~1.DLL
    O2 - BHO: (no name) - {E7AFFF2A-1B57-49C7-BF6B-E5123394C970} - C:\PROGRA~1\INTERN~1\Toolbar\webinfo.dll

    O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)

    O16 - DPF: {92F02779-6D88-4958-8AD3-83C12D86ADC7} - http://www.gonnasearch.com/tb/install.cab

    Restart the PC after doing so and remove :

    C:\PROGRA~1\INTERN~1\Toolbar <- this folder

    Here is what it looks like :
     

    Attached file: GSTB.jpg
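What the three logs in this thread show by hand, as an added example (Python; this is not code from the original thread, from HijackThis or from CWShredder): a small parser for HijackThis log lines that flags entries matching the indicators Unzy identified (the gonnasearch.com domain, mgs_32.dll and the INTERN~1\Toolbar folder) and compares two snapshots, so the relapse Chris reported in post 6 shows up as the URLSearchHook, BHO and DPF entries that the first clean-up left in place. The two sample logs inside are constructed from lines quoted above and trimmed; the indicator list and the removed / remaining / new split are the example's own choices, not anything the posters wrote.

```python
"""Triage helper for HijackThis (v1.97-era) log lines.

Added example: not code from the original thread, from HijackThis or from
CWShredder. It automates two things the thread does by eye:
  1. flag entries that reference indicators tied to this hijack (the
     gonnasearch.com domain plus the BHO and toolbar files Unzy named), and
  2. compare two log snapshots to separate entries a clean-up removed, entries
     it left behind, and entries that came back.
The two sample logs below are constructed from lines quoted in the thread.
"""
import re
from dataclasses import dataclass

# Indicators taken from the thread. Matching is a case-insensitive substring
# test, so both long and 8.3 short paths (PROGRA~1, INTERN~1) are caught.
INDICATORS = (
    "gonnasearch.com",
    r"\mgs_32.dll",
    r"intern~1\toolbar",
)

# Matches "R1 - HKCU\...,Search Bar = http://..." and "O16 - DPF: {CLSID} - ..."
HJT_LINE = re.compile(r"^(?P<kind>R[0-3]|O\d{1,2})\s+-\s+(?P<body>.+)$")


@dataclass(frozen=True)
class Entry:
    kind: str   # "R1", "O2", "O16", ...
    body: str   # everything after "R1 - "


def parse_log(text):
    """Return the R*/O* entries of a HijackThis log, in order, without duplicates."""
    seen, entries = set(), []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            e = Entry(m.group("kind"), m.group("body"))
            if e not in seen:
                seen.add(e)
                entries.append(e)
    return entries


def flag(entries, indicators=INDICATORS):
    """Entries whose body mentions any indicator (case-insensitive)."""
    needles = [i.lower() for i in indicators]
    return [e for e in entries if any(n in e.body.lower() for n in needles)]


def _order(e):
    return (e.kind, e.body)


def compare(before, after, indicators=INDICATORS):
    """Split flagged entries into removed / remaining / new between two logs."""
    b, a = set(flag(before, indicators)), set(flag(after, indicators))
    return {
        "removed": sorted(b - a, key=_order),
        "remaining": sorted(b & a, key=_order),
        "new": sorted(a - b, key=_order),
    }


# Constructed sample: the infected log from post 1, trimmed to relevant lines.
INFECTED = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gonnasearch.com/iesearch.php?ref=sb
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gonnasearch.com/iesearch.php?ref=sb
R3 - URLSearchHook: AutoSearchObj Class - {A55581DC-2CDB-4089-8878-71A080B22342} - C:\PROGRA~1\INTERN~1\Toolbar\AUTOSE~1.DLL
O2 - BHO: (no name) - {150FA160-130D-451F-B863-B655061432BA} - C:\WINNT\system32\mgs_32.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Programmer\SpywareGuard\dlprotect.dll
O16 - DPF: {92F02779-6D88-4958-8AD3-83C12D86ADC7} - http://www.gonnasearch.com/tb/install.cab
"""

# Constructed sample: after CWShredder (post 4). The R-lines are reset, but the
# URLSearchHook, BHO and DPF entries survive, which is why the hijack returns.
AFTER_SHREDDER = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = ,
R3 - URLSearchHook: AutoSearchObj Class - {A55581DC-2CDB-4089-8878-71A080B22342} - C:\PROGRA~1\INTERN~1\Toolbar\AUTOSE~1.DLL
O2 - BHO: (no name) - {150FA160-130D-451F-B863-B655061432BA} - C:\WINNT\system32\mgs_32.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Programmer\SpywareGuard\dlprotect.dll
O16 - DPF: {92F02779-6D88-4958-8AD3-83C12D86ADC7} - http://www.gonnasearch.com/tb/install.cab
"""


def main():
    report = compare(parse_log(INFECTED), parse_log(AFTER_SHREDDER))
    for status, entries in report.items():
        print(f"{status} ({len(entries)}):")
        for e in entries:
            print(f"  {e.kind} - {e.body}")


if __name__ == "__main__":
    main()
```

Run as a script it prints the split; the "remaining" set (R3 URLSearchHook, the mgs_32.dll BHO, the install.cab DPF) is the part of Unzy's fix list that resetting the R0/R1 search values alone did not touch, which fits what the thread shows: the search values came back after CWShredder reset them while the BHO and toolbar DLLs were still loaded.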
  10. Thanks to both of you. It is always nice to find people who can help and who spend the time to do so.

    It has removed the problem, and all is well.


    Many thanks, Chris
     
  11. Unzy

    That's great to hear Chris! :)

    Glad we were able to help, and good job cleaning up.

    Take care

    Cheers,
     