One messed up 'puter (merged)

Discussion in 'adware, spyware & hijack cleaning' started by meikko, Jun 11, 2004.

Thread Status:
Not open for further replies.
  1. meikko

    meikko Registered Member

    Joined:
    Jun 11, 2004
    Posts:
    6
    One messed up 'puter

    I have run Ad-Aware, which keeps finding the same things over and over again. I've also run F-Prot, thinking there's something more malicious going on. Now, every time I attempt to run HijackThis, the program closes on its own. Same thing with Spybot. I can't even reinstall these programs, because the web browser closes every time I attempt to go to their sites.

    I also keep getting a new browser window with casinoplaz... something or other...

    Any suggestions on what I might do to get a HijackThis log o_O

    Thanks in advance for your assistance
    -Anne
     
  2. meikko

    meikko Registered Member

    Joined:
    Jun 11, 2004
    Posts:
    6
    messed up part two

    I managed to get HijackThis running. I had to end several processes that I did not recognize.

    Windows in IE keep opening to *****.outhost.info, where ***** could be any string of letters. Then it's redirected to Casino Palazzo...

    Attached is my log, and the list of processes currently running at startup.

    Cheers for your assistance...
    -Anne

    Processes:
    Explorer, F-Sched, Loadqm, Rundll32, Lxsupmon, Printray, Systray, Motmon, Bttnserv, Rundll32, F-Stopw, Svchost, Msnmsgr, Stms, Browserblast, Ebrr.


    Hijack This Log:
    Logfile of HijackThis v1.97.2
    Scan saved at 12:27:58 PM, on 6/11/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\COMPAQ\CPQINET\CPQINET.EXE
    C:\COMPAQ\INTERNET\ISDBDC.EXE
    C:\WINDOWS\CPQDIAG\CPQDFWAG.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\LEXBCES.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nnzyfs.outhost.info/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nnzyfs.outhost.info/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://nnzyfs.outhost.info/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nnzyfs.outhost.info/sp.php
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://nnzyfs.outhost.info/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nnzyfs.outhost.info/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nnzyfs.outhost.info/sp.php
    R3 - Default URLSearchHook is missing
    F1 - win.ini: run=C:\WINDOWS\SYSTEM\SERVICES\WMPLAYER.EXE
    O1 - Hosts: 213.159.118.228 collections.inhost.info
    O1 - Hosts: 213.159.118.228 collections.inhost2.info
    O1 - Hosts: 213.159.118.228 1-se.com
    O1 - Hosts: 213.159.118.228 58q.com
    O1 - Hosts: 213.159.118.228 aifind.cc
    O1 - Hosts: 213.159.118.228 aifind.info
    O1 - Hosts: 213.159.118.228 allneedsearch.com
    O1 - Hosts: 213.159.118.228 approvedlinks.com
    O1 - Hosts: 213.159.118.228 auto.ie.searchforge.com
    O1 - Hosts: 213.159.118.228 awebfind.biz
    O1 - Hosts: 213.159.118.228 best.royalsearch.net
    O1 - Hosts: 213.159.118.228 cracks.am
    O1 - Hosts: 213.159.118.228 default-homepage-network.com
    O1 - Hosts: 213.159.118.228 find.microgirls.com
    O1 - Hosts: 213.159.118.228 find4u.net
    O1 - Hosts: 213.159.118.228 freshvideogals.com
    O1 - Hosts: 213.159.118.228 i-lookup.com
    O1 - Hosts: 213.159.118.228 ie-search.com
    O1 - Hosts: 213.159.118.228 in.webcounter.cc
    O1 - Hosts: 213.159.118.228 itseasy.us
    O1 - Hosts: 213.159.118.228 just.find-itnow.com
    O1 - Hosts: 213.159.118.228 link.startmake.com
    O1 - Hosts: 213.159.118.228 mysearchnow.com
    O1 - Hosts: 213.159.118.228 nativehardcore.com
    O1 - Hosts: 213.159.118.228 qwertysearch123.biz
    O1 - Hosts: 213.159.118.228 search.ieplugin.com
    O1 - Hosts: 213.159.118.228 search.psn.cn
    O1 - Hosts: 213.159.118.228 searchbar.findthewebsiteyouneed.com
    O1 - Hosts: 213.159.118.228 searchcentrix.com
    O1 - Hosts: 213.159.118.228 searchmyrequest.com
    O1 - Hosts: 213.159.118.228 super-spider.com
    O1 - Hosts: 213.159.118.228 t.rack.cc
    O1 - Hosts: 213.159.118.228 teen-biz.com
    O1 - Hosts: 213.159.118.228 teenhqpics.com
    O1 - Hosts: 213.159.118.228 tits.hardcore4ever.net
    O1 - Hosts: 213.159.118.228 webcoolsearch.com
    O1 - Hosts: 213.159.118.228 wmmse.com
    O1 - Hosts: 213.159.118.228 www.008i.com
    O1 - Hosts: 213.159.118.228 www.2fastsearch.net
    O1 - Hosts: 213.159.118.228 www.8095.com
    O1 - Hosts: 213.159.118.228 www.alfa-search.com
    O1 - Hosts: 213.159.118.228 www.boredlife.com
    O1 - Hosts: 213.159.118.228 www.couldnotfind.com
    O1 - Hosts: 213.159.118.228 www.cracks.am
    O1 - Hosts: 213.159.118.228 www.daum.net
    O1 - Hosts: 213.159.118.228 www.dreamwiz.com
    O1 - Hosts: 213.159.118.228 www.find-itnow.com
    O1 - Hosts: 213.159.118.228 www.find-itnow.com
    O1 - Hosts: 213.159.118.228 www.find4u.net
    O1 - Hosts: 213.159.118.228 www.firstbookmark.com
    O1 - Hosts: 213.159.118.228 www.gajai.com
    O1 - Hosts: 213.159.118.228 www.hand-book.com
    O1 - Hosts: 213.159.118.228 www.hao123.com
    O1 - Hosts: 213.159.118.228 www.hotsearchbox.com
    O1 - Hosts: 213.159.118.228 www.hotwebsearch.com
    O1 - Hosts: 213.159.118.228 www.hugesearch.net
    O1 - Hosts: 213.159.118.228 www.iquicksearch.com
    O1 - Hosts: 213.159.118.228 www.lookfor.cc
    O1 - Hosts: 213.159.118.228 www.maxxxhosters.com
    O1 - Hosts: 213.159.118.228 www.naver.com
    O1 - Hosts: 213.159.118.228 www.nkvd.us
    O1 - Hosts: 213.159.118.228 www.nova****.com
    O1 - Hosts: 213.159.118.228 www.ohcorea.com
    O1 - Hosts: 213.159.118.228 www.omega-search.com
    O1 - Hosts: 213.159.118.228 www.onet.pl
    O1 - Hosts: 213.159.118.228 www.power-search.info
    O1 - Hosts: 213.159.118.228 www.rightfinder.net
    O1 - Hosts: 213.159.118.228 www.search-1.net
    O1 - Hosts: 213.159.118.228 www.search-and-go.com
    O1 - Hosts: 213.159.118.228 www.search-dot.com
    O1 - Hosts: 213.159.118.228 www.search-space.com
    O1 - Hosts: 213.159.118.228 www.searchforge.com
    O1 - Hosts: 213.159.118.228 www.searching-the-net.com
    O1 - Hosts: 213.159.118.228 www.searchv.com
    O1 - Hosts: 213.159.118.228 www.searchxl.com
    O1 - Hosts: 213.159.118.228 www.seznam.cz
    O1 - Hosts: 213.159.118.228 www.slotch.com
    O1 - Hosts: 213.159.118.228 www.spidersearch.com
    O1 - Hosts: 213.159.118.228 www.startium.com
    O1 - Hosts: 213.159.118.228 www.therealsearch.com
    O1 - Hosts: 213.159.118.228 www.ttjj.com
    O1 - Hosts: 213.159.118.228 www.viewpornkey.com
    O1 - Hosts: 213.159.118.228 www.wazzupnet.com
    O1 - Hosts: 213.159.118.228 www.websearch.com
    O1 - Hosts: 213.159.118.228 www.windowws.cc
    O1 - Hosts: 213.159.118.228 www.xgmm.com
    O1 - Hosts: 213.159.118.228 xwebsearch.biz
    O1 - Hosts: 213.159.118.228 yourbookmarks.ws
    O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - (no file)
    O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\MotiveAssistant\motmon.exe
    O4 - HKLM\..\Run: [LexStart] Lexstart.exe
    O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
    O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\SYSTEM\LXSUPMON.EXE RUN
    O4 - HKLM\..\Run: [TaskMonitor] C:\windows\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\windows\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [mmsys] C:\RECOVER.EXE
    O4 - HKLM\..\Run: [Network Service] C:\WINDOWS\SVCHOST.EXE -sr -1
    O4 - HKLM\..\Run: [jopa] C:\WINDOWS\SYSTEM\SYSSTARTUP.EXE
    O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\WMPLAYER.EXE
    O4 - HKLM\..\Run: [koxis] C:\WINDOWS\zbmufydf.exe
    O4 - HKLM\..\Run: [F-STOPW.EXE] "C:\Program Files\FSI\F-Prot\F-STOPW.EXE"
    O4 - HKLM\..\Run: [FRISK FP-Scheduler] C:\Program Files\FSI\F-Prot\F-Sched.exe
    O4 - HKLM\..\RunServices: [CPQInet Runtime Service] c:\compaq\CPQInet\CpqInet.exe
    O4 - HKLM\..\RunServices: [isdbdc] c:\compaq\internet\isdbdc.exe
    O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINDOWS\cpqdiag\CpqDfwAg.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [cnet] "C:\Program Files\Kontiki\bin\kontiki.exe" -s cnet -q
    O4 - HKCU\..\Run: [Network Service] C:\WINDOWS\SVCHOST.EXE -sr -1
    O4 - HKCU\..\Run: [User Stylesheet] C:\WINDOWS\system\jsvrog.015
    O4 - HKCU\..\Run: [Use My Stylesheet] 
    O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
    O4 - HKCU\..\RunServices: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\RunServices: [cnet] "C:\Program Files\Kontiki\bin\kontiki.exe" -s cnet -q
    O4 - HKCU\..\RunServices: [Network Service] C:\WINDOWS\SVCHOST.EXE -sr -1
    O4 - HKCU\..\RunServices: [User Stylesheet] C:\WINDOWS\system\jsvrog.015
    O4 - HKCU\..\RunServices: [Use My Stylesheet] 
    O4 - HKCU\..\RunServices: [uninstal] regsvr32 /u /s image.dll
    O4 - Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
    O4 - Startup: BrowseBlast Web Accelerator.lnk = C:\Program Files\BrowseBlast Web Accelerator\browseblast.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Get It With Kontiki - res://C:\PROGRAM FILES\KONTIKI\BIN\BH309190.DLL/201
    O10 - Unknown file in Winsock LSP: c:\program files\browseblast web accelerator\sliplsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\browseblast web accelerator\sliplsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\browseblast web accelerator\sliplsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\browseblast web accelerator\sliplsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\browseblast web accelerator\sliplsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\browseblast web accelerator\sliplsp.dll
    O15 - Trusted Zone: *.greg-search.com
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  3. subratam

    subratam Registered Member

    Joined:
    Nov 14, 2003
    Posts:
    1,310
    Location:
    Issaquah, WA
    Re: One messed up 'puter

    Hello meikko,

    Please follow the instructions given here and do as said. It will be easy for us to help you if we get the hijackthis log.

    Regards
     
  4. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi meikko, I've merged your two threads together. Subratam's reply was to your first post, but the time differences in posts make it come after your post with the HijackThis log in it.

    Please keep to one thread (this one) until your problem is fixed. :)

    Thank you,

    snap
     
  5. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Run HijackThis, tick these entries listed below and ONLY these entries, double-check to make sure, then make sure all browser & email windows are closed and press "Fix checked".

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nnzyfs.outhost.info/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nnzyfs.outhost.info/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://nnzyfs.outhost.info/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nnzyfs.outhost.info/sp.php
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://nnzyfs.outhost.info/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nnzyfs.outhost.info/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nnzyfs.outhost.info/sp.php
    R3 - Default URLSearchHook is missing
    F1 - win.ini: run=C:\WINDOWS\SYSTEM\SERVICES\WMPLAYER.EXE
    O1 - Hosts: 213.159.118.228 collections.inhost.info
    O1 - Hosts: 213.159.118.228 collections.inhost2.info
    O1 - Hosts: 213.159.118.228 1-se.com
    O1 - Hosts: 213.159.118.228 58q.com
    O1 - Hosts: 213.159.118.228 aifind.cc
    O1 - Hosts: 213.159.118.228 aifind.info
    O1 - Hosts: 213.159.118.228 allneedsearch.com
    O1 - Hosts: 213.159.118.228 approvedlinks.com
    O1 - Hosts: 213.159.118.228 auto.ie.searchforge.com
    O1 - Hosts: 213.159.118.228 awebfind.biz
    O1 - Hosts: 213.159.118.228 best.royalsearch.net
    O1 - Hosts: 213.159.118.228 cracks.am
    O1 - Hosts: 213.159.118.228 default-homepage-network.com
    O1 - Hosts: 213.159.118.228 find.microgirls.com
    O1 - Hosts: 213.159.118.228 find4u.net
    O1 - Hosts: 213.159.118.228 freshvideogals.com
    O1 - Hosts: 213.159.118.228 i-lookup.com
    O1 - Hosts: 213.159.118.228 ie-search.com
    O1 - Hosts: 213.159.118.228 in.webcounter.cc
    O1 - Hosts: 213.159.118.228 itseasy.us
    O1 - Hosts: 213.159.118.228 just.find-itnow.com
    O1 - Hosts: 213.159.118.228 link.startmake.com
    O1 - Hosts: 213.159.118.228 mysearchnow.com
    O1 - Hosts: 213.159.118.228 nativehardcore.com
    O1 - Hosts: 213.159.118.228 qwertysearch123.biz
    O1 - Hosts: 213.159.118.228 search.ieplugin.com
    O1 - Hosts: 213.159.118.228 search.psn.cn
    O1 - Hosts: 213.159.118.228 searchbar.findthewebsiteyouneed.com
    O1 - Hosts: 213.159.118.228 searchcentrix.com
    O1 - Hosts: 213.159.118.228 searchmyrequest.com
    O1 - Hosts: 213.159.118.228 super-spider.com
    O1 - Hosts: 213.159.118.228 t.rack.cc
    O1 - Hosts: 213.159.118.228 teen-biz.com
    O1 - Hosts: 213.159.118.228 teenhqpics.com
    O1 - Hosts: 213.159.118.228 tits.hardcore4ever.net
    O1 - Hosts: 213.159.118.228 webcoolsearch.com
    O1 - Hosts: 213.159.118.228 wmmse.com
    O1 - Hosts: 213.159.118.228 www.008i.com
    O1 - Hosts: 213.159.118.228 www.2fastsearch.net
    O1 - Hosts: 213.159.118.228 www.8095.com
    O1 - Hosts: 213.159.118.228 www.alfa-search.com
    O1 - Hosts: 213.159.118.228 www.boredlife.com
    O1 - Hosts: 213.159.118.228 www.couldnotfind.com
    O1 - Hosts: 213.159.118.228 www.cracks.am
    O1 - Hosts: 213.159.118.228 www.daum.net
    O1 - Hosts: 213.159.118.228 www.dreamwiz.com
    O1 - Hosts: 213.159.118.228 www.find-itnow.com
    O1 - Hosts: 213.159.118.228 www.find-itnow.com
    O1 - Hosts: 213.159.118.228 www.find4u.net
    O1 - Hosts: 213.159.118.228 www.firstbookmark.com
    O1 - Hosts: 213.159.118.228 www.gajai.com
    O1 - Hosts: 213.159.118.228 www.hand-book.com
    O1 - Hosts: 213.159.118.228 www.hao123.com
    O1 - Hosts: 213.159.118.228 www.hotsearchbox.com
    O1 - Hosts: 213.159.118.228 www.hotwebsearch.com
    O1 - Hosts: 213.159.118.228 www.hugesearch.net
    O1 - Hosts: 213.159.118.228 www.iquicksearch.com
    O1 - Hosts: 213.159.118.228 www.lookfor.cc
    O1 - Hosts: 213.159.118.228 www.maxxxhosters.com
    O1 - Hosts: 213.159.118.228 www.naver.com
    O1 - Hosts: 213.159.118.228 www.nkvd.us
    O1 - Hosts: 213.159.118.228 www.nova****.com
    O1 - Hosts: 213.159.118.228 www.ohcorea.com
    O1 - Hosts: 213.159.118.228 www.omega-search.com
    O1 - Hosts: 213.159.118.228 www.onet.pl
    O1 - Hosts: 213.159.118.228 www.power-search.info
    O1 - Hosts: 213.159.118.228 www.rightfinder.net
    O1 - Hosts: 213.159.118.228 www.search-1.net
    O1 - Hosts: 213.159.118.228 www.search-and-go.com
    O1 - Hosts: 213.159.118.228 www.search-dot.com
    O1 - Hosts: 213.159.118.228 www.search-space.com
    O1 - Hosts: 213.159.118.228 www.searchforge.com
    O1 - Hosts: 213.159.118.228 www.searching-the-net.com
    O1 - Hosts: 213.159.118.228 www.searchv.com
    O1 - Hosts: 213.159.118.228 www.searchxl.com
    O1 - Hosts: 213.159.118.228 www.seznam.cz
    O1 - Hosts: 213.159.118.228 www.slotch.com
    O1 - Hosts: 213.159.118.228 www.spidersearch.com
    O1 - Hosts: 213.159.118.228 www.startium.com
    O1 - Hosts: 213.159.118.228 www.therealsearch.com
    O1 - Hosts: 213.159.118.228 www.ttjj.com
    O1 - Hosts: 213.159.118.228 www.viewpornkey.com
    O1 - Hosts: 213.159.118.228 www.wazzupnet.com
    O1 - Hosts: 213.159.118.228 www.websearch.com
    O1 - Hosts: 213.159.118.228 www.windowws.cc
    O1 - Hosts: 213.159.118.228 www.xgmm.com
    O1 - Hosts: 213.159.118.228 xwebsearch.biz
    O1 - Hosts: 213.159.118.228 yourbookmarks.ws
    O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - (no file)
    O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL

    O4 - HKLM\..\Run: [mmsys] C:\RECOVER.EXE
    O4 - HKLM\..\Run: [Network Service] C:\WINDOWS\SVCHOST.EXE -sr -1
    O4 - HKLM\..\Run: [jopa] C:\WINDOWS\SYSTEM\SYSSTARTUP.EXE
    O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\WMPLAYER.EXE
    O4 - HKLM\..\Run: [koxis] C:\WINDOWS\zbmufydf.exe
    O4 - HKCU\..\Run: [cnet] "C:\Program Files\Kontiki\bin\kontiki.exe" -s cnet -q
    O4 - HKCU\..\Run: [Network Service] C:\WINDOWS\SVCHOST.EXE -sr -1
    O4 - HKCU\..\Run: [User Stylesheet] C:\WINDOWS\system\jsvrog.015
    O4 - HKCU\..\Run: [Use My Stylesheet] 
    O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
    O4 - HKCU\..\RunServices: [cnet] "C:\Program Files\Kontiki\bin\kontiki.exe" -s cnet -q
    O4 - HKCU\..\RunServices: [Network Service] C:\WINDOWS\SVCHOST.EXE -sr -1
    O4 - HKCU\..\RunServices: [User Stylesheet] C:\WINDOWS\system\jsvrog.015
    O4 - HKCU\..\RunServices: [Use My Stylesheet] 
    O4 - HKCU\..\RunServices: [uninstal] regsvr32 /u /s image.dll

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    O15 - Trusted Zone: *.greg-search.com


    Reboot into safe mode by following instructions here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
    Then, as some of the files or folders you need to delete may be hidden, do this:
    Open Windows Explorer & go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "Hide extensions for known file types". Now click "Apply to all folders".
    Click "Apply", then "OK".

    Delete these files
    C:\WINDOWS\SVCHOST.EXE -sr -1
    C:\WINDOWS\SYSTEM\SYSSTARTUP.EXE
    C:\WINDOWS\SYSTEM\SERVICES\WMPLAYER.EXE
    C:\WINDOWS\zbmufydf.exe
    C:\WINDOWS\system\jsvrog.015


    and select EVERYTHING in C:\windows\temp except temporary internet files, cookies and history folders and delete all that as well

    1) Open Control Panel
    2) Click on Internet Options
    3) On the General Tab, in the middle of the screen, click on Delete Files
    4) You may also want to check the box "Delete all offline content"
    5) Click on OK and wait for the hourglass icon to stop after it deletes the temporary internet files
    6) You can now click on Delete Cookies and click OK to delete cookies that websites have placed on your hard drive

    then
    Reboot normally &


    Download and unzip or install these programs/applications if you haven't already got them. If you have them, then make sure they are updated and configured as described

    Download CWShredder from http://www.thespykiller.co.uk, then run it.
    Close all browser windows, click on the cwshredder.exe, then click "FIX" (not "Scan only") and let it do its thing.


    Reboot After running cwshredder and as soon as possible follow this advice:
    Now as CWS Hijacks are normally installed via the byte verifier exploit in M$ JavaVM, just surfing a page with an infected applet can install it with no user participation. So once you’ve run the above, it is vital that you go here, click Scan for updates in the main frame, and download and install all CRITICAL updates recommended.

    Spybot - Search & Destroy from http://security.kolla.de
    AdAware 6 from http://www.lavasoft.de/support/download


    Run Spybot S&D

    After installing, first press Online, press search for updates, then tick the updates it finds, then press download updates. Beside the download button is a little down pointed arrow, select one of the servers listed. If it doesn't work or you get an error message then try a different server

    Next, close all Internet Explorer and OE windows, press 'Check for Problems', and have SpyBot remove all it finds that is marked in RED.

    then reboot &

    Run ADAWARE

    Before you scan with AdAware, check for updates of the reference file by using the "webupdate".
    the current ref file should read at least 01R317 12.06.2004 or a higher number/later date
    Then ........

    Make sure the following settings are made and on -------"ON=GREEN"
    From main window :Click "Start" then " Activate in-depth scan"

    then......

    click "Use custom scanning options > Customize" and have these options on: "Scan within archives", "Scan active processes", "Scan registry", "Deep scan registry", "Scan my IE Favorites for banned URL" and "Scan my host-files"

    then.........

    go to Settings (the gear on top of AdAware) > Tweak > Scanning engine and tick "Unload recognized processes during scanning" ........... then ........ "Cleaning engine" and "Let Windows remove files in use at next reboot"

    then...... click "proceed" to save your settings.

    Now to scan, it's just a matter of clicking the "Scan" button.

    When the scan is finished, mark everything for removal and get rid of it. (Right-click the window and choose "Select all" from the drop-down menu), then press Next and then say Yes to the prompt "Do you want to remove all these entries?".

    reboot again

    then post a new hijackthis log to check what is left
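    The fix list above was built by reading the posted log by eye. The script below is an added example (mine, not code from the thread, from HijackThis or from any of the tools named here) that automates the first checks a helper makes on a log in this format: O1 hosts lines that point many hostnames at one remote address, O4 Run entries whose program has a non-executable extension, is empty, or carries a system-binary name outside the system directory, where the R0/R1 start and search pages point, and which sites sit in the Trusted Zone. The sample log lines are constructed in the posted format; the directory, extension and impersonated-name lists are my assumptions for a Windows 9x/ME layout, not rules HijackThis itself applies.

```python
"""Triage checks for a HijackThis 1.97-style log (added example, not code from
the thread or from HijackThis). Sample lines are constructed in the format of
the posted log; directory and name lists are assumptions for a Win9x/ME layout."""
import re
from collections import Counter, defaultdict
from urllib.parse import urlparse

# Constructed sample log in the posted format (not the full log from the thread).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nnzyfs.outhost.info/
O1 - Hosts: 213.159.118.228 aifind.info
O1 - Hosts: 213.159.118.228 searchcentrix.com
O1 - Hosts: 213.159.118.228 www.find4u.net
O1 - Hosts: 127.0.0.1 ads.example.invalid
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Network Service] C:\WINDOWS\SVCHOST.EXE -sr -1
O4 - HKLM\..\Run: [koxis] C:\WINDOWS\zbmufydf.exe
O4 - HKLM\..\Run: [F-STOPW.EXE] "C:\Program Files\FSI\F-Prot\F-STOPW.EXE"
O4 - HKCU\..\Run: [User Stylesheet] C:\WINDOWS\system\jsvrog.015
O4 - HKCU\..\Run: [Use My Stylesheet]
O15 - Trusted Zone: *.greg-search.com
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")

LOCAL_IPS = {"127.0.0.1", "0.0.0.0", "::1"}  # loopback/blackhole targets are ad-blocking, not a hijack
ALLOWED_EXT = {"exe", "com", "bat", "cmd", "scr", "pif", "dll"}
SYSTEM_DIRS = {r"c:\windows\system", r"c:\windows\system32"}  # assumed system directories
IMPERSONATED = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}  # names malware borrows


def parse_log(text):
    """Return (section, body) pairs for every 'Rn/Fn/On - ...' line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def hosts_redirects(entries):
    """Group O1 hosts-file lines by target IP; only remote targets are reported.
    Many hostnames aimed at one remote address is the classic hosts hijack."""
    by_ip = defaultdict(list)
    for sec, body in entries:
        m = HOSTS_RE.match(body) if sec == "O1" else None
        if m:
            by_ip[m.group(1)].append(m.group(2))
    return {ip: hosts for ip, hosts in by_ip.items() if ip not in LOCAL_IPS}


def executable_of(cmd):
    """Heuristic: the quoted path, else the shortest prefix ending in a file extension."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 1 else cmd[1:]
    m = re.match(r"^(\S.*?\.[A-Za-z0-9]{1,4})(?=\s|$)", cmd)
    return m.group(1) if m else cmd.split(" ")[0]


def suspicious_autostarts(entries):
    """Flag O4 registry Run/RunServices entries that look wrong: empty commands,
    non-executable extensions, or system-binary names outside the system directory."""
    findings = []
    for sec, body in entries:
        m = RUN_RE.match(body) if sec == "O4" else None
        if not m:
            continue  # Startup-folder O4 lines have a different shape and are skipped here
        name, exe = m.group("name"), executable_of(m.group("cmd"))
        if not exe:
            findings.append((name, exe, "empty command"))
            continue
        base = exe.rsplit("\\", 1)[-1].lower()
        ext = base.rsplit(".", 1)[-1] if "." in base else ""
        folder = exe[: -len(base)].lower().rstrip("\\")
        if ext not in ALLOWED_EXT:
            findings.append((name, exe, f"non-executable extension .{ext}"))
        elif base in IMPERSONATED and folder not in SYSTEM_DIRS:
            findings.append((name, exe, "system binary name outside the system directory"))
    return findings


def search_page_targets(entries):
    """Hosts the R0/R1 start and search settings point at; '' means blanked to a bare 'http://'."""
    targets = Counter()
    for sec, body in entries:
        if sec in ("R0", "R1") and " = " in body:
            targets[urlparse(body.split(" = ", 1)[1].strip()).netloc.lower()] += 1
    return targets


def trusted_zones(entries):
    """Sites granted IE's Trusted Zone (lowered security) via O15 lines."""
    return [body.split(":", 1)[1].strip() for sec, body in entries
            if sec == "O15" and body.startswith("Trusted Zone:")]


def triage(text):
    entries = parse_log(text)
    return {"hosts_redirects": hosts_redirects(entries),
            "autostarts": suspicious_autostarts(entries),
            "search_targets": search_page_targets(entries),
            "trusted_zones": trusted_zones(entries)}


if __name__ == "__main__":
    for section, result in triage(SAMPLE_LOG).items():
        print(f"{section}: {result}")
```

The script only narrows the list; it cannot tell `zbmufydf.exe` from a legitimate vendor utility by name alone, which is why the helper still reads the remaining O4 lines and why the thread asks for a fresh log after every fix round.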
     
  6. meikko

    meikko Registered Member

    Joined:
    Jun 11, 2004
    Posts:
    6
    Thanks for all your help. I think we've got this under control. Here's the updated hijack this log:

    Logfile of HijackThis v1.97.2
    Scan saved at 7:18:46 AM, on 6/17/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\COMPAQ\CPQINET\CPQINET.EXE
    C:\COMPAQ\INTERNET\ISDBDC.EXE
    C:\WINDOWS\CPQDIAG\CPQDFWAG.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\MOTIVE\MOTIVEASSISTANT\MOTMON.EXE
    C:\WINDOWS\SYSTEM\LXSUPMON.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\LEXBCES.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\FSI\F-PROT\F-STOPW.EXE
    C:\PROGRAM FILES\FSI\F-PROT\F-SCHED.EXE
    C:\CPQS\BWTOOLS\SCCENTER.EXE
    C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\BROWSEBLAST WEB ACCELERATOR\BROWSEBLAST.EXE
    C:\PROGRAM FILES\COMPAQ\ON-SCREEN DISPLAY\OSD.EXE
    C:\HIJACKTHIS\HIJACKTHIS.EXE

    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\MotiveAssistant\motmon.exe
    O4 - HKLM\..\Run: [LexStart] Lexstart.exe
    O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
    O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\SYSTEM\LXSUPMON.EXE RUN
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\windows\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [F-STOPW.EXE] "C:\Program Files\FSI\F-Prot\F-STOPW.EXE"
    O4 - HKLM\..\Run: [FRISK FP-Scheduler] C:\Program Files\FSI\F-Prot\F-Sched.exe
    O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
    O4 - HKLM\..\Run: [Service Connection] c:\cpqs\bwtools\sccenter.exe
    O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
    O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
    O4 - HKLM\..\RunServices: [CPQInet Runtime Service] c:\compaq\CPQInet\CpqInet.exe
    O4 - HKLM\..\RunServices: [isdbdc] c:\compaq\internet\isdbdc.exe
    O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINDOWS\cpqdiag\CpqDfwAg.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] c:\windows\SYSTEM\mstask.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
    O4 - Startup: BrowseBlast Web Accelerator.lnk = C:\Program Files\BrowseBlast Web Accelerator\browseblast.exe
    O10 - Unknown file in Winsock LSP: c:\program files\browseblast web accelerator\sliplsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\browseblast web accelerator\sliplsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\browseblast web accelerator\sliplsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\browseblast web accelerator\sliplsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\browseblast web accelerator\sliplsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\browseblast web accelerator\sliplsp.dll
    O15 - Trusted Zone: http://Download.Windowsupdate.com
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    After completing all steps, I installed Microsoft IE Updates and the Google popup blocker toolbar.

    I have one final question... are users of other web browsers having these problems, or are most of the attacks directed at IE o_O Would using another web browser help cut down on attacks o_O

    Thanks again
    -Anne
     
  7. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    That looks OK now

    Most attacks are against IE, but we are starting to notice attacks on Opera & Mozilla as well, as they become more popular and it's worthwhile for the scum to look for vulnerabilities in those browsers.

    Read here https://www.wilderssecurity.com/showthread.php?t=27971 for info on how to tighten your security settings and how to help prevent future attacks.

    & go here, click Scan for updates in the main frame, and download and install all CRITICAL updates recommended.
     