New to HJT, help please

Discussion in 'adware, spyware & hijack cleaning' started by lazlow, May 2, 2004.

Thread Status:
Not open for further replies.
  1. lazlow

    lazlow Registered Member

    Joined:
    May 2, 2004
    Posts:
    2
    I've scanned with both the latest of Ad-Aware and Spybot S&D. The latest thing Ad-Aware found was a browser hijack called "coolsearch.biz." I'm guessing CWS is the problem...Thanks in advance.

    Logfile of HijackThis v1.97.7
    Scan saved at 4:28:52 PM, on 5/2/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\services\wmplayer.exe
    C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
    C:\Program Files\EarthLink 5.0\ConMgr.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Documents and Settings\Mack\Application Data\ttuh.exe
    C:\Program Files\EarthLink 5.0\FastLane\ARUpld32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Mack\My Documents\Downloads\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\mmnfcda.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\mmnfcda.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.mindspring.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\mmnfcda.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\mmnfcda.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\mmnfcda.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\mmnfcda.dll/sp.html (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.coolsearch.biz/
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    F1 - win.ini: run=C:\WINDOWS\System32\services\wmplayer.exe
    O1 - Hosts: 65.77.83.222 madthumbs.com
    O1 - Hosts: 65.77.83.222 worldsex.com
    O1 - Hosts: 65.77.83.222 teeniefiles.com
    O1 - Hosts: 65.77.83.222 al4a.com
    O1 - Hosts: 65.77.83.222 sublimedirectory.com
    O1 - Hosts: 65.77.83.222 thumbzilla.com
    O1 - Hosts: 65.77.83.222 sexocean.com
    O1 - Hosts: 65.77.83.222 easypic.com
    O1 - Hosts: 65.77.83.222 absolut-series.com
    O1 - Hosts: 65.77.83.222 jpeg4free.com
    O1 - Hosts: 65.77.83.222 thumbnailpost.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
    O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\System32\services\wmplayer.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\System32\services\wmplayer.exe
    O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Mack\Application Data\ttuh.exe
    O4 - HKCU\..\Run: [WNSI] C:\WINDOWS\System32\wnscpsv.exe
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {36C66BBD-E667-4DAD-9682-58050E7C9FDC} (CDKey Class) - http://www.cdkeybonus.com/cdkey/ITCDKey.cab
    O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
    O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.dell.com/us/en/systemprofiler/SysProfLCD.CAB
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37821.5182291667
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D0A2E796-5F8D-4280-8BA9-EEA19B8D3625}: NameServer = 207.217.77.82 207.217.120.83
     
  2. lazlow

    lazlow Registered Member

    Joined:
    May 2, 2004
    Posts:
    2
    Anyone?
     
  3. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Hi lazlow :)

    Welcome to Wilders.

    Just be patient, as one of the experts should be with u shortly.

    It's been a busy day. ;)


    snowbound
     
  4. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,449
    Location:
    North Carolina, USA
    Hi lazlow,

    Welcome to Wilders.

    Before you start, please unzip or move HijackThis to a separate folder of its own. The program will make backups in the folder it's in. These easily get lost in a temporary folder or a folder with other programs.

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\mmnfcda.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\mmnfcda.dll/sp.html (obfuscated)

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\mmnfcda.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\mmnfcda.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\mmnfcda.dll/sp.html (obfuscated)

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\mmnfcda.dll/sp.html (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.coolsearch.biz/
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    F1 - win.ini: run=C:\WINDOWS\System32\services\wmplayer.exe
    O1 - Hosts: 65.77.83.222 madthumbs.com
    O1 - Hosts: 65.77.83.222 worldsex.com
    O1 - Hosts: 65.77.83.222 teeniefiles.com
    O1 - Hosts: 65.77.83.222 al4a.com
    O1 - Hosts: 65.77.83.222 sublimedirectory.com
    O1 - Hosts: 65.77.83.222 thumbzilla.com
    O1 - Hosts: 65.77.83.222 sexocean.com
    O1 - Hosts: 65.77.83.222 easypic.com
    O1 - Hosts: 65.77.83.222 absolut-series.com
    O1 - Hosts: 65.77.83.222 jpeg4free.com
    O1 - Hosts: 65.77.83.222 thumbnailpost.com

    O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)

    O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\System32\services\wmplayer.exe

    O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\System32\services\wmplayer.exe
    O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Mack\Application Data\ttuh.exe
    O4 - HKCU\..\Run: [WNSI] C:\WINDOWS\System32\wnscpsv.exe

    Download CWShredder and run. Be sure ALL other windows are closed and use the Fix button and follow the instructions you will receive.

    There also may be hidden files. See HERE for how to show hidden files.

    Then reboot into safe mode and delete:

    C:\WINDOWS\System32\mmnfcda.dll
    C:\WINDOWS\System32\services\ <-- entire folder
    C:\Documents and Settings\Mack\Application Data\ttuh.exe
    C:\WINDOWS\System32\wnscpsv.exe

    Reboot and then post a fresh HijackThis log.

    Regards,
    Kent
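The judgements Kent applies to the log above, as an added example that is not part of this thread, of HijackThis, or of CWShredder: a small Python script that parses HijackThis log lines and flags the same classes of entry (IE search settings pointing at a res:// page inside a DLL, a setting that references the hijacker domain named in the thread, hooks or BHOs with no backing file, a win.ini run= autostart, hosts-file lines that redirect a domain to a non-loopback address, and autostart executables living in locations Windows does not create), then lists the file paths those flagged entries reference as candidates for the safe-mode deletion list. The sample lines are a subset copied from the posted log; the `HIJACKER_DOMAINS` set, the `SUSPICIOUS_DIRS` list and every function name are assumptions of this example, not anything HijackThis provides.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a subset of lines copied from the HijackThis log posted
# earlier in this thread, plus a few benign entries from the same log so the
# rules have something to leave alone.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\mmnfcda.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.mindspring.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.coolsearch.biz/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F1 - win.ini: run=C:\WINDOWS\System32\services\wmplayer.exe
O1 - Hosts: 65.77.83.222 sublimedirectory.com
O1 - Hosts: 65.77.83.222 easypic.com
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\System32\services\wmplayer.exe
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Mack\Application Data\ttuh.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
"""

# Assumed knowledge a helper carries in their head: the hijacker domain the
# poster's Ad-Aware scan named, and the addresses a hosts line may legitimately
# point at. Both sets are constructed for this example.
HIJACKER_DOMAINS = {"coolsearch.biz"}
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}

# Directories (assumed, for this example) where an autostart binary is a red
# flag: a subfolder of System32 that Windows does not create, and the
# user-writable profile location.
SUSPICIOUS_DIRS = ("\\System32\\services\\", "\\Application Data\\")

# A Windows path up to a binary extension; paths in HJT logs may contain spaces.
WIN_PATH = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll|ocx)\b")


def check_search_hijack(line):
    """R0/R1: IE search or start-page values set by a hijacker."""
    if not line.startswith(("R0", "R1")) or "=" not in line:
        return None
    value = line.split("=", 1)[1].strip()
    if value.startswith("res://"):
        return "IE search setting points at a res:// page embedded in a DLL"
    host = urlparse(value).hostname or ""
    if any(host == d or host.endswith("." + d) for d in HIJACKER_DOMAINS):
        return "IE setting references hijacker domain " + host
    return None


def check_orphan(line):
    """R3/O2: a registered hook or BHO whose backing file is gone."""
    if line.startswith(("R3", "O2")) and line.endswith("(no file)"):
        return "registered component with no backing file (orphaned)"
    return None


def check_win_ini(line):
    """F1: the legacy win.ini run= line is rarely used by legitimate software."""
    if line.startswith("F1") and "run=" in line:
        return "legacy win.ini run= autostart"
    return None


def check_hosts(line):
    """O1: a hosts entry that sends a domain somewhere other than loopback."""
    m = re.match(r"O1 - Hosts:\s+(\S+)\s+(\S+)", line)
    if m and m.group(1) not in LOOPBACK:
        return "hosts file redirects %s to %s" % (m.group(2), m.group(1))
    return None


def check_run_location(line):
    """O4: autostart entry whose executable sits in a suspicious directory."""
    if line.startswith("O4"):
        m = WIN_PATH.search(line)
        if m and any(d.lower() in m.group(0).lower() for d in SUSPICIOUS_DIRS):
            return "autostart executable in an unusual location"
    return None


CHECKS = (check_search_hijack, check_orphan, check_win_ini,
          check_hosts, check_run_location)


def triage(log_text):
    """Return (line, reason) pairs for every log line some rule flags."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for check in CHECKS:
            reason = check(line)
            if reason:
                findings.append((line, reason))
                break  # one reason per line is enough for triage
    return findings


def files_to_review(findings):
    """File paths referenced by flagged entries: the candidates for the
    safe-mode deletion list. Each one still deserves a human look first."""
    paths = set()
    for line, _ in findings:
        m = WIN_PATH.search(line)
        if m:
            paths.add(m.group(0))
    return sorted(paths)


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for line, reason in hits:
        print("[%s] %s" % (reason, line))
    print("\nFiles referenced by flagged entries:")
    for p in files_to_review(hits):
        print("  " + p)
```

Run against the sample it flags nine of the twelve lines and derives three of the four paths Kent lists for deletion (the wnscpsv.exe entry is not in the sample, and a rule that catches it would need an allowlist of known-good Run names, which is exactly the judgement a human helper supplies).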
     