Please help - hijack this log

Discussion in 'adware, spyware & hijack cleaning' started by manolo13, Apr 1, 2004.

Thread Status:
Not open for further replies.
  1. manolo13

    manolo13 Registered Member

    Joined:
    Apr 1, 2004
    Posts:
    4
    Location:
    Frankfurt, Germany
    Heeeelp heeeeelp please, can't remove webcounter.cc.it comes over and over again after i have fix it with Hijack this.It comes at next day again, not after rebooto_O?What should i doo_O

    Logfile of HijackThis v1.97.7
    Scan saved at 09:30:50, on 01.04.2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Programme\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\program files\Kerio\personal firewall\persfw.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\PROGRA~1\0190WA~1\WARN0190.EXE
    C:\Programme\Gemeinsame Dateien\Logitech\QCDriver\LVCOMS.EXE
    C:\Programme\Kill Window 2.0\Kill Window 2.0.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
    C:\Programme\QuickTime\qttask.exe
    C:\Programme\ScanSoft\OmniPageSE\opware32.exe
    C:\Programme\SETI@home\SETI@home.exe
    C:\Programme\DeTeWe\TA 33 USB\Capictrl.exe
    C:\Programme\TraXEx\TraXEx.exe
    C:\Programme\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://in.webcounter.cc/--/?toaqy (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://in.webcounter.cc/---/?toaqy (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://in.webcounter.cc/--/?toaqy (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://in.webcounter.cc/-/?toaqy about:blank (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://in.webcounter.cc/-/?toaqy (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://in.webcounter.cc/--/?toaqy (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://in.webcounter.cc/---/?toaqy (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://in.webcounter.cc/--/?toaqy (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://in.webcounter.cc/-/?toaqy about:blank (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://in.webcounter.cc/--/?toaqy (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://in.webcounter.cc/--/?toaqy (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://in.webcounter.cc/--/?toaqy (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://in.webcounter.cc/---/?toaqy (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://in.webcounter.cc/--/?toaqy (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://in.webcounter.cc/--/?toaqy (obfuscated)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programme\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [0190 Warner] C:\PROGRA~1\0190WA~1\WARN0190.EXE
    O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Programme\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
    O4 - HKLM\..\Run: [LVCOMS] C:\Programme\Gemeinsame Dateien\Logitech\QCDriver\LVCOMS.EXE
    O4 - HKLM\..\Run: [routcnf] C:\Programme\DeTeWe\TA 33 USB\routcnf.exe
    O4 - HKLM\..\Run: [Kill Window] "C:\Programme\Kill Window 2.0\Kill Window 2.0.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [Soundmx] C:\WINDOWS\System32\soundmx.exe
    O4 - HKLM\..\Run: [Omnipage] C:\Programme\ScanSoft\OmniPageSE\opware32.exe
    O4 - HKLM\..\Run: [Ad-aware] "C:\Programme\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
    O4 - HKCU\..\Run: [seticlient] C:\Programme\SETI@home\SETI@home.exe -min
    O4 - HKCU\..\Run: [Adaware Bootup] C:\Programme\Lavasoft Ad- Aware\Ad-aware.exe /Auto /Log "C:\Programme\Lavasoft Ad- Aware\"
    O4 - Startup: TraXEx.lnk = C:\Programme\TraXEx\TraXEx.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = ?
    O4 - Global Startup: CAPIControl.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Recherche-Assistent (HKLM)
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/cnn/resources/cult3d/cult.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/09a334f573c3a933e706/netzip/RdxIE601_de.cab
    O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.140/code/PWActiveXImgCtl.CAB
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37562.4077430556
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
    O19 - User stylesheet: C:\WINDOWS\Web\tips.ini
    O19 - User stylesheet: C:\WINDOWS\hh.htt (HKLM)


    edited to post the log for clarity
     

    Attached Files:

  2. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Ok this is a cws hijack so
    First download CWshredder from http://www.thespykiller.co.uk then Run it
    Close all browser windows, click on the cwshredder.exe then click "FIX" (Not "Scan only") and let it do it's thing.

    and make sure you follow the advice about the security updates listed on the last page, in order to prevent re-infection, otherwise you will be continually reinfected
    the patches are :
    http://support.microsoft.com/default.aspx?kbid=828026
    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms03-011.asp
    *Note: The simplest way to make sure you have all the security patches is to go to Windows update and install all "Critical Updates & service Packs"

    then reboot & post a new log
     
  3. manolo13

    manolo13 Registered Member

    Joined:
    Apr 1, 2004
    Posts:
    4
    Location:
    Frankfurt, Germany
    Hi dvk 01 and all others

    I hink it works so i THANK YOU very very much
    Here is my new log


    Logfile of HijackThis v1.97.7
    Scan saved at 18:06:12, on 02.04.2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Programme\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\program files\Kerio\personal firewall\persfw.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\PROGRA~1\0190WA~1\WARN0190.EXE
    C:\Programme\Gemeinsame Dateien\Logitech\QCDriver\LVCOMS.EXE
    C:\Programme\Kill Window 2.0\Kill Window 2.0.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
    C:\Programme\QuickTime\qttask.exe
    C:\Programme\ScanSoft\OmniPageSE\opware32.exe
    C:\Programme\Java\j2re1.4.2_04\bin\jusched.exe
    C:\Programme\SETI@home\SETI@home.exe
    C:\Programme\DeTeWe\TA 33 USB\Capictrl.exe
    C:\Programme\TraXEx\TraXEx.exe
    C:\Programme\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.arcor.de/content/index.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programme\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [0190 Warner] C:\PROGRA~1\0190WA~1\WARN0190.EXE
    O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Programme\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
    O4 - HKLM\..\Run: [LVCOMS] C:\Programme\Gemeinsame Dateien\Logitech\QCDriver\LVCOMS.EXE
    O4 - HKLM\..\Run: [routcnf] C:\Programme\DeTeWe\TA 33 USB\routcnf.exe
    O4 - HKLM\..\Run: [Kill Window] "C:\Programme\Kill Window 2.0\Kill Window 2.0.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [Omnipage] C:\Programme\ScanSoft\OmniPageSE\opware32.exe
    O4 - HKLM\..\Run: [Ad-aware] "C:\Programme\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKCU\..\Run: [seticlient] C:\Programme\SETI@home\SETI@home.exe -min
    O4 - HKCU\..\Run: [Adaware Bootup] C:\Programme\Lavasoft Ad- Aware\Ad-aware.exe /Auto /Log "C:\Programme\Lavasoft Ad- Aware\"
    O4 - Startup: TraXEx.lnk = C:\Programme\TraXEx\TraXEx.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = ?
    O4 - Global Startup: CAPIControl.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
    O9 - Extra 'Tools' menuitem: Sun Java Konsole (HKLM)
    O9 - Extra button: Recherche-Assistent (HKLM)
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/cnn/resources/cult3d/cult.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/09a334f573c3a933e706/netzip/RdxIE601_de.cab
    O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.140/code/PWActiveXImgCtl.CAB
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37562.4077430556
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab



    edited by dvk01 to paste log for clarity
     

    Attached Files:

  4. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    I am not sure what this is,
    O4 - HKLM\..\Run: [0190 Warner] C:\PROGRA~1\0190WA~1\WARN0190.EXE

    all references to it I can find are in german, so I will ask someone who I hope speaks German to have a look at it first
     
  5. manolo13

    manolo13 Registered Member

    Joined:
    Apr 1, 2004
    Posts:
    4
    Location:
    Frankfurt, Germany
    Hi dvk 01
    Thanks for your reply.

    About your question:Don't worry - it's only Dial Warning program for germany, This program cutts all connections to 0190 numbers (behind this 0190 numbers are usually phonesex and other expensive calls-about 3,90 € or $ p.min. etc.)My english or american language is little bad so i hope that i could exlpaine what this program is for.Thanks again,regards
    manolo
     
  6. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Your English is much better than my German

    The rest of the log looks clear now
     
Thread Status:
Not open for further replies.