Log-file / CSW.smartsearch.2 variant

Discussion in 'adware, spyware & hijack cleaning' started by mavic, Mar 28, 2004.

Thread Status:
Not open for further replies.
  1. mavic

    mavic Registered Member

    Joined:
    Mar 28, 2004
    Posts:
    9
    Hi,

    I'm having problems with Explorer/Windows.
    I can use Task Manager's 'Run', but I cannot open Explorer, nor start programs from the toolbar or the icons.
    My CPU is always high, and I see only my wallpaper.

    I've deleted secure.html, securea.html and reg32, but it didn't help.

    Another question: I have Sherlok1.exe in my c:\windows\.
    Does anyone know what that is and whether it is a trojan?
    May I delete it?

    Ad-aware, SpyBot and Swat-It haven't found a thing.
    CWShredder closes after a while and mentions that it is a CWS.smartsearch.2 variant.

    My HJT log file is:

    Logfile of HijackThis v1.97.7
    Scan saved at 1:03:51, on 29/03/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\snmp.exe
    C:\Program Files\Network Associates\VirusScan\VsStat.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINDOWS\System32\GSICON.EXE
    C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
    C:\WINDOWS\System32\dslagent.exe
    C:\Program Files\Creative\ShareDLL\CtNotify.exe
    C:\Program Files\Creative\SBLive\Program\CTAvTray.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Winamp\Winampa.exe
    C:\Program Files\Messenger Plus! 2\MsgPlus.exe
    C:\KMaestro\Key_e.EXE
    C:\Program Files\Yahoo!\Messenger\ypager.exe
    C:\Program Files\Netscape\Netscape\Netscp.exe
    C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
    C:\Program Files\Creative\ShareDLL\MediaDet.Exe
    C:\Program Files\Network Associates\VirusScan\Webscanx.exe
    C:\Program Files\Network Associates\VirusScan\Avconsol.exe
    C:\WINDOWS\System\update.exe
    C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\System32\taskmgr.exe
    C:\WINDOWS\system32\cmd.exe
    C:\temp\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;http://localhost
    R3 - URLSearchHook: (no name) - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - (no file)
    N1 - Netscape 4: user_pref("browser.startup.homepage", "www.standaard.be"); (C:\Program Files\Netscape\Users\v_m\prefs.js)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [KeyMaestro] C:\KMaestro\KMaestro.exe
    O4 - HKLM\..\Run: [Register MediaRing Talk] C:\Program Files\MediaRing Talk\register.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
    O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
    O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
    O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    O4 - HKLM\..\Run: [CTAvTray] C:\Program Files\Creative\SBLive\Program\CTAvTray.EXE
    O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
    O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
    O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
    O4 - HKCU\..\Run: [System Update] C:\WINDOWS\System\update.exe
    O4 - HKLM\..\RunOnce: [CTAVTray] C:\Program Files\Creative\SBLive\Program\CTAvStub.EXE EAX.AVI
    O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: login.html
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Yahoo! Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20011217/qtinstall.info.apple.com/qt505/us/win/QuickTimeInstaller.exe
    O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://rds-srv-01.med.kuleuven.ac.be/msrdp.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37231.1019560185
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi_0410.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    Could you please help me?
    This is not working at all.

    thx

    Mavic
     
  2. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,449
    Location:
    North Carolina, USA
    Hi mavic,

    Welcome to Wilders.

    Before you start, please unzip or move HijackThis to a separate folder. The program will make backups in the folder it's in. These easily get lost in a temporary folder or a folder with other programs.

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;http://localhost
    R3 - URLSearchHook: (no name) - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - (no file)

    O4 - HKCU\..\Run: [System Update] C:\WINDOWS\System\update.exe

    Download CWShredder and run it. Be sure ALL other windows are closed, use the Fix button and follow the instructions you will receive.

    Then reboot in Safe Mode and delete the following:

    C:\WINDOWS\System\update.exe

    Reboot and then post a fresh HijackThis log.

    Regards,
    Kent
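An added example (not from the thread, and not part of HijackThis itself) that applies the same triage Kent did above to lines in the HijackThis log format: it parses the R/O entries and flags the orphaned URLSearchHook, the malformed ProxyOverride, an O4 autostart running from the legacy C:\WINDOWS\System folder (not System32), and a non-shortcut Startup item for manual review. The sample lines, the list of suspect directories and the flag reasons are assumptions made for this example.

```python
import re

# Constructed sample in HijackThis v1.97 log format, modelled on the entries
# quoted in the thread (a subset, not the full log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;http://localhost
R3 - URLSearchHook: (no name) - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKCU\..\Run: [System Update] C:\WINDOWS\System\update.exe
O4 - Global Startup: login.html
"""

# "O4 - <body>": section code, " - ", rest of the line.
ENTRY_RE = re.compile(r"^(?P<sect>[A-Z]\d{1,2}) - (?P<body>.+)$")
# Registry Run/RunOnce entries: HKLM\..\Run: [Name] command line
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# First executable in a command line, quoted or not (unquoted paths may contain spaces).
EXE_RE = re.compile(r'^"?(?P<exe>[^"]*?\.(?:exe|com|scr|bat|pif))', re.IGNORECASE)

# Assumption for this audit: directories a legitimate installer rarely uses for an
# autostart. The legacy 16-bit C:\WINDOWS\System folder is where the thread's
# update.exe lived; System32 deliberately does not match this prefix.
SUSPECT_DIRS = ("c:\\windows\\system\\", "c:\\windows\\temp\\", "c:\\temp\\")


def parse_entries(log_text):
    """Yield (section, body) for each R/N/O line; header and process list are skipped."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("sect"), m.group("body")


def audit(log_text):
    """Return (section, reason, body) findings a reviewer would look at first."""
    findings = []
    for sect, body in parse_entries(log_text):
        if sect == "R3" and "(no file)" in body:
            findings.append((sect, "orphaned URLSearchHook (CLSID with no file)", body))
        elif sect == "R1" and "ProxyOverride" in body and "http://" in body:
            findings.append((sect, "ProxyOverride should hold host patterns, not URLs", body))
        elif sect == "O4":
            run = RUN_RE.match(body)
            if run:
                exe = EXE_RE.match(run.group("cmd"))
                path = exe.group("exe").lower() if exe else ""
                if path.startswith(SUSPECT_DIRS):
                    findings.append((sect, "autostart from an unusual directory", body))
            elif body.startswith("Global Startup:") and not body.lower().endswith((".lnk", ".exe")):
                findings.append((sect, "non-shortcut Startup item; confirm it is yours", body))
    return findings


if __name__ == "__main__":
    for sect, reason, body in audit(SAMPLE_LOG):
        print(f"{sect}: {reason}\n    {body}")
```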
     
  3. mavic

    mavic Registered Member

    Joined:
    Mar 28, 2004
    Posts:
    9
    This is my HJT log.

    Sherlok1 has been deleted from c:\windows.

    What else could it be: devldr32.exe?
    Or RUNDLL32.EXE NvQTwk,NvCplDaemon?
    GSicon.exe?

    What's the difference between System32 and system32?


    Logfile of HijackThis v1.97.7
    Scan saved at 8:12:15, on 31/03/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\snmp.exe
    C:\Program Files\Network Associates\VirusScan\VsStat.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINDOWS\System32\GSICON.EXE
    C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
    C:\WINDOWS\System32\dslagent.exe
    C:\Program Files\Creative\ShareDLL\CtNotify.exe
    C:\Program Files\Creative\SBLive\Program\CTAvTray.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\KMaestro\Key_e.EXE
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Winamp\Winampa.exe
    C:\Program Files\Messenger Plus! 2\MsgPlus.exe
    C:\Program Files\Creative\ShareDLL\MediaDet.Exe
    C:\Program Files\Yahoo!\Messenger\ypager.exe
    C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
    C:\Program Files\Netscape\Netscape\Netscp.exe
    C:\Program Files\Network Associates\VirusScan\Webscanx.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Network Associates\VirusScan\Avconsol.exe
    C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
    C:\Program Files\HiJack This\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ludit.be/
    N1 - Netscape 4: user_pref("browser.startup.homepage", "www.standaard.be"); (C:\Program Files\Netscape\Users\v_m\prefs.js)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O4 - HKLM\..\Run: [KeyMaestro] C:\KMaestro\KMaestro.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
    O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
    O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
    O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    O4 - HKLM\..\Run: [CTAvTray] C:\Program Files\Creative\SBLive\Program\CTAvTray.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
    O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
    O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
    O4 - HKLM\..\RunOnce: [CTAVTray] C:\Program Files\Creative\SBLive\Program\CTAvStub.EXE EAX.AVI
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: login.html
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Yahoo! Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20011217/qtinstall.info.apple.com/qt505/us/win/QuickTimeInstaller.exe
    O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://rds-srv-01.med.kuleuven.ac.be/msrdp.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37231.1019560185
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi_0410.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  4. mavic

    mavic Registered Member

    Joined:
    Mar 28, 2004
    Posts:
    9
    Maybe a clean log!

    However, I'm still having problems with Windows XP.
    I can't see my desktop, can't open icons when they appear for a minute, can't open IE, can't open Explorer. I can only open programs with Task Manager's "Run".

    Start \ tools I cannot use...

    Maybe something other than a trojan/spyware?

    mavic
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi Mavic,

    Can you try and start explorer.exe through TaskManager?
    Full path should be C:\WINDOWS\Explorer.EXE
    Let us know if it works or if you get an error. If so, which one?

    Regards,

    Pieter
     
  6. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    What is this one here?
    O4 - Global Startup: login.html

    I would try this:

    Run HijackThis, tick the entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press Fix checked.

    O4 - Global Startup: login.html

    Reboot & see if you have access then.
     
  7. mavic

    mavic Registered Member

    Joined:
    Mar 28, 2004
    Posts:
    9
    Hi! Thanks for the replies...

    First of all: I've started explorer.exe through Task Manager, but when it starts, suddenly I only see my wallpaper again and it is closed.

    Second: login.html is a file that creates an automatic login when I start my PC. Self-written.

    McAfee, last updated, run in Safe Mode hasn't found a thing.

    CWShredder reported a CWS.smartsearch.2 variant in the beginning, and then it closes.
    I deleted reg32, secure.html and securea.html in regedit, and also
    Sherlok1.exe and newload.exe in Windows.
    Nothing helped.

    When I downloaded the SuperDAT extra.dat against Netspree, it gave a good response for 5 minutes, but then it was misery again.
    Although I checked for Netspree in regedit, I didn't find the additions...

    Suggestions?
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi mavic,

    Start regedit.exe and under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    change:
    Shell = Explorer.exe
    to:
    Shell = progman.exe

    Then reboot and let us know how that goes.

    Regards,

    Pieter
     
  9. mavic

    mavic Registered Member

    Joined:
    Mar 28, 2004
    Posts:
    9
    Also when I'm running Windows XP Home Edition?

    Or only changing it in currentversion/windows/?

    Mavic
     
  10. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    No, just the NT key should do.

    Regards,

    Pieter
     
  11. mavic

    mavic Registered Member

    Joined:
    Mar 28, 2004
    Posts:
    9
    This worked!

    I could open Iexplore and explorer without any problems!!

    In the beginning I see only my wallpaper and the program:
    program maker.

    I don't see icons and the startbar.

    What does that say? And next step?

    Mavic
     
  12. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    That probably means your explorer.exe is damaged, infected or AWOL.

    Can you do a Find Files for explorer.exe?
    Give us a version number and file size for each one.

    Regards,

    Pieter
     
  13. mavic

    mavic Registered Member

    Joined:
    Mar 28, 2004
    Posts:
    9
    Hi pieter,

    I found 3 explorer.exe files (checked yesterday via the MS-DOS path).
    2 were the same (c:\windows\ and c:\windows\...\i386\) [done by a comparison of the two files in MS-DOS, 1,000,000 bytes].

    Another one was c:\windows\$ServicePackUninstall$\: a different date and size.

    That is what I can remember of my search yesterday evening.

    So, do you suggest a format of C: and a new installation, or the recovery DVD?
    Or only rebooting with Windows XP in the CD-ROM drive and doing an update (risk of not getting rid of the infected file)?

    Or is it still possible to repair it (having a copy of a new, uninfected explorer.exe file)?

    I'm at the end of my knowledge to solve the problem....

    thx

    Mavic
     
  14. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    If you have a normal XP CD I would try this first:

    Start > Run > type or copy&paste sfc /scannow > OK

    Windows will start checking all the system files and replace any outdated, corrupted or missing ones.

    Keep us posted,

    Pieter
     
  15. mavic

    mavic Registered Member

    Joined:
    Mar 28, 2004
    Posts:
    9
    hi pieter,

    Thanks for the advice!

    Unfortunately I'm in the office...

    I will test it tonight. I have the Windows XP Pro CDs.
    So I put it in the CD-ROM while the PC is still on (no rebooting?), and via Task Manager\Run: sfc/scannow. Will it look at the CD-ROM then, or do I have to type the drive letter before it?

    Can I contact you in 6 hours? Are you still online?

    Mavic
     
  16. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi mavic,

    Just insert the CD when the sfc command prompts you for it.
    No need to insert it earlier.

    I will try to be here in 6 hours. ;)
    The space between "sfc" and "/scannow" is important.

    Regards,

    Pieter
     
  17. mavic

    mavic Registered Member

    Joined:
    Mar 28, 2004
    Posts:
    9
    hi Pieter,

    It found no corrupted files...

    So, I've done a reboot with my Symantec Ghost Recovery DVD. Great tool, by the way...

    So, a clean system now, but some work to get all the new updates and the programs I used to run...

    thx for the help

    mavic
     