New hijack? It wasn't found by CWShredder

Discussion in 'adware, spyware & hijack cleaning' started by marC16, May 29, 2004.

Thread Status:
Not open for further replies.
  1. marC16

    marC16 Registered Member

    Joined:
    May 29, 2004
    Posts:
    3
    Hi all!
    First I have to say that my English isn't that good, because I'm not from England or any other English-speaking country :rolleyes:

    OK, I've got a very big problem. There is a program which sets the IE start page to "CoolWebSearch,com" (or something like that) the whole time. So I looked for a solution on different boards! They all talked about "CWShredder" and "HijackThis". So I downloaded these programs and used them.

    CWShredder DIDN'T FIND any infected file. Yeah... And HijackThis... I'll post the log.
    I can add that I fixed the R0 lines with that IP from CWS. But it comes back... Please help me! Sorry for my English again...

    Hijack Log:

    Logfile of HijackThis v1.97.7
    Scan saved at 13:43:55, on 29.05.2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
    C:\programme\powerstrip\pstrip.exe
    C:\Programme\Microsoft Hardware\Mouse\point32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Programme\Winamp\winamp.exe
    C:\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/index.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/index.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/index.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/index.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/index.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/index.php
    O4 - HKLM\..\Run: [PowerStrip] c:\programme\powerstrip\pstrip.exe
    O4 - HKLM\..\Run: [Firewall] C:\\Programme\\Gemeinsame Dateien\\Symantec Shared\\ccApp.exe
    O4 - HKCU\..\Run: [Maus] C:\\Programme\\Microsoft Hardware\\Mouse\\point32.exe
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.de/scan/Msie/bitdefender.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8135.4625115741
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8D4C586A-7093-49ED-A4EF-EB8F9E3A80E1}: NameServer = 195.50.140.250 145.253.2.203

    I already fixed the R0 lines, but it doesn't work. Maybe I'm doing it the wrong way.

    Greets, Marc... Hope I didn't forget something.

    P.S. Ad-Aware and Spybot I already used... They found something and removed it. But it comes back... :'(
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi marC16,

    To stand a fighting chance you will have to update Windows and IE.

    In HijackThis click Config > Misc Tools > Generate StartUplist
    This will produce a text file. Please post the content.

    Regards,

    Pieter
     
  3. marC16

    marC16 Registered Member

    Joined:
    May 29, 2004
    Posts:
    3
    My Windows is already updated. But I have to add, my "Hosts" file is full of unknown pages (CWS pages, I'm sure). But if I delete them, they also come back. :(

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
    C:\Programme\Norton Internet Security\NISUM.EXE
    C:\WINDOWS\Explorer.EXE
    C:\programme\powerstrip\pstrip.exe
    C:\Programme\Norton AntiVirus\NAVAPSVC.EXE
    C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Programme\Microsoft Hardware\Mouse\point32.exe
    C:\Programme\Norton Internet Security\ccPxySvc.exe
    C:\Programme\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Programme\Internet Explorer\IEXPLORE.EXE
    C:\Programme\Winamp\winamp.exe
    C:\Dokumente und Einstellungen\marcEL\Desktop\HijackThis.exe

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    PowerStrip = c:\programme\powerstrip\pstrip.exe
    Firewall = C:\\Programme\\Gemeinsame Dateien\\Symantec Shared\\ccApp.exe
    MSConfig = C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    NVIEW = rundll32.exe nview.dll,nViewLoadHook
    Maus = C:\\Programme\\Microsoft Hardware\\Mouse\\point32.exe

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=*Registry value not found*
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry key not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------


    Enumerating Task Scheduler jobs:

    Norton AntiVirus - Meinen Computer prüfen.job
    Symantec NetDetect.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [AvxScanOnline Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\BITDEF~1.OCX
    CODEBASE = http://www.bitdefender.de/scan/Msie/bitdefender.cab

    [ActiveScan Installer Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
    CODEBASE = http://www.pandasoftware.com/activescan/as5/asinst.cab

    [Update Class]
    InProcServer32 = C:\WINDOWS\System32\iuctl.dll
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38135.4625115741

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
    CDBurn: C:\WINDOWS\system32\SHELL32.dll
    WebCheck: C:\WINDOWS\System32\webcheck.dll
    SysTray: C:\WINDOWS\System32\stobject.dll
    System: C:\WINDOWS\system32\system32.dll

    --------------------------------------------------

    Does it help you? :)
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Who am I to argue about your Windows version?
    But HijackThis says you have not even installed SP1 for either XP or IE6.

    Download this file and save it as cws18.reg
    Doubleclick the file and confirm you want to merge it with the registry.

    Then reboot and delete.
    System: C:\WINDOWS\system32\system32.dll

    That will also enable you to permanently reorganize your hosts file.

    Regards,

    Pieter
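The two artefacts this thread turns on are visible in the logs marC16 posted: the R0/R1 start-page keys pointing at a bare IP address (plus an O17 NameServer entry worth a look), and a ShellServiceObjectDelayLoad entry ("System: C:\WINDOWS\system32\system32.dll") that is not one of the shell objects a stock Windows XP install loads, which is why Pieter asks for the StartupList and then has it deleted. The script below is an added example, not code from this forum, from HijackThis or from CWShredder; it scans HijackThis and StartupList text for exactly those indicators. The sample lines are constructed from the log lines posted above, and the SSODL baseline (PostBootReminder, CDBurn, WebCheck, SysTray) is my assumption about a clean XP box, not something the thread states.

```python
"""Flag CoolWebSearch-style hijack indicators in HijackThis / StartupList output.

Added example for this thread; not HijackThis, CWShredder or forum code.
Sample text is constructed from the log posted in the thread; the SSODL
baseline is an assumption about a default Windows XP installation.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample: R0/R1/O4/O17 lines copied from the posted HijackThis log.
HIJACKTHIS_SAMPLE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/index.php
O4 - HKLM\..\Run: [PowerStrip] c:\programme\powerstrip\pstrip.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{8D4C586A-7093-49ED-A4EF-EB8F9E3A80E1}: NameServer = 195.50.140.250 145.253.2.203
"""

# Constructed sample: the ShellServiceObjectDelayLoad section of the posted StartupList.
STARTUPLIST_SAMPLE = r"""
Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll
System: C:\WINDOWS\system32\system32.dll

--------------------------------------------------
"""

# ASSUMPTION: SSODL entries expected on a clean Windows XP machine (name -> DLL filename).
SSODL_BASELINE = {
    "postbootreminder": "shell32.dll",
    "cdburn": "shell32.dll",
    "webcheck": "webcheck.dll",
    "systray": "stobject.dll",
}

# "R0 - <registry key>,<value name> = <url>"  (key may contain spaces, hence .+?)
R_LINE = re.compile(r"^(R[01]) - (.+?),(.+?) = (.+)$")
# "O17 - <tcpip interface key>: NameServer = <addresses>"
O17_LINE = re.compile(r"^O17 - (\S+): NameServer = (.+)$")


def host_is_bare_ip(url):
    """True when the URL's host is a literal IP address rather than a hostname."""
    host = urlparse(url).hostname
    if host is None:
        return False
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def scan_hijackthis(text):
    """Return (kind, detail) findings: R0/R1 pages on a bare IP and every O17 entry."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        m = R_LINE.match(line)
        if m:
            kind, key, value, url = m.groups()
            if host_is_bare_ip(url):
                findings.append((kind, f"{key},{value} -> bare IP {urlparse(url).hostname}"))
            continue
        m = O17_LINE.match(line)
        if m:
            # Any O17 line is reported: a changed resolver decides where every hostname goes.
            findings.append(("O17", f"NameServer = {m.group(2)}"))
    return findings


def scan_ssodl(text):
    """Return (name, path) for SSODL entries whose name or DLL is not in the baseline."""
    findings = []
    in_section = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Enumerating ShellServiceObjectDelayLoad"):
            in_section = True
            continue
        if in_section and line.startswith("-----"):
            break  # end of the SSODL section
        if in_section and ": " in line:
            name, path = line.split(": ", 1)
            dll = path.rsplit("\\", 1)[-1].lower()
            if SSODL_BASELINE.get(name.lower()) != dll:
                findings.append((name, path))
    return findings


if __name__ == "__main__":
    for finding in scan_hijackthis(HIJACKTHIS_SAMPLE) + scan_ssodl(STARTUPLIST_SAMPLE):
        print(finding)
```

Run against the constructed samples it reports the three IP-based start-page keys, the O17 resolver entry, and the single SSODL entry outside the baseline (System -> system32.dll); the O4 PowerStrip line is left alone. The O17 check is deliberately noisy: a NameServer value is only a problem if it is not the resolver the user or ISP configured, so a human still has to look at it.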
     
  5. marC16

    marC16 Registered Member

    Joined:
    May 29, 2004
    Posts:
    3
    Now it works... Gott segne dich! (German: "God bless you!") :)

    But can you tell me why I could easily delete the system32.dll? Isn't this an important file? Which tasks did it have...

    And I really wonder why the antivirus programs don't detect hijacks :(

    Hope my system is secured now.

    Greets Marc, thanks again to Pieter :cool:

    P.S. What did the reg file do? :D
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands