www.smart-finder.biz/1525 has stopped me being able to download anything

Discussion in 'adware, spyware & hijack cleaning' started by streathamp, Apr 7, 2004.

Thread Status:
Not open for further replies.
  1. streathamp

    streathamp Registered Member

    Joined:
    Mar 23, 2004
    Posts:
    7
    This is really weird (hence the long message - sorry):
    This morning, I wiped off the www.your-search.info/search.html hijack using hijackThis. I then ran CWShredder which detected a file called sys.exe and deleted it. Nothing else seemed wrong with my computer, so I carried on surfing.
    However, when I rebooted and tried to download something, I got the webpage: http://www.smart-finder.biz/1525.
    MY HOMEPAGE WAS NOT CHANGED.
    At the same time, mtwcnl.dll appeared in the recycle bin (source was folder system32, but I didn’t put it there).
    When I rebooted and tried to download something again, whether from tucows.com, download.com or snapfiles.com, my computer wouldn't allow me to, and the webpage became blank saying 'this page cannot be displayed' with a URL of http:///

    Even more strange is the fact that I can download attachments from my hotmail account with no problem!

    Also, after the reboot, the file mtwcnl.dll has disappeared from my recycle bin! I therefore looked at C:\Windows\System32 to see if anything had been added. These files appeared at the same time that my computer's internet download function changed:

    cidft.dll
    cidpoq32.dll
    gupd.dll
    icnfe.dll
    icqrt.dll
    icvbr.dll
    mshelper.dll ***see below***
    mtwirl.dll
    nthst32.dll
    sdfup.dll
    wecxg32.dll
    xcwer32.dll
    zxmsn.dll

    I hope that CWShredder didn't delete something necessary for downloading. However, the www.smart-finder.biz (that appeared only ONCE) makes me think that I have another trojan / bot, despite my homepage remaining unchanged. Is this inability to download a known problem? I am very concerned, but am too scared to delete any of the new files that appeared in my windows/system32 folder. Here is my

    Logfile of HijackThis v1.97.7
    Scan saved at 15:41:01, on 07/04/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Network Associates\VirusScan\VsStat.exe
    C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
    C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
    C:\Program Files\Network Associates\VirusScan\Avconsol.exe
    C:\Program Files\Network Associates\VirusScan\Webscanx.exe
    C:\unzipped\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.blueyonder.co.uk
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by blueyonder
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper\CCHelper.dll
    O2 - BHO: OsbornTech Popup Blocker - {FF1BF4C7-4E08-4A28-A43F-9D60A9F7A880} - C:\WINDOWS\System32\mshelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\Program Files\Panicware\Pop-Up Stopper\pstopper.dll
    O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Sony\Sony Style Imaging\UploadTools\ZingSpooler.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [MSZTCE] C:\WINDOWS\System32\MSZTCE.EXE
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://www.blueyonder.co.uk
    O17 - HKLM\System\CCS\Services\Tcpip\..\{79EE0C73-14ED-4AD1-956D-262CADF70593}: Domain = anat.ucl.ac.uk
    O17 - HKLM\System\CCS\Services\Tcpip\..\{79EE0C73-14ED-4AD1-956D-262CADF70593}: NameServer = 144.82.100.41,144.82.100.1
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = anat.ucl.ac.uk,ucl.ac.uk
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = anat.ucl.ac.uk,ucl.ac.uk


    ucl is my university; InCD and Nero are my CD software; Panicware is my pop-up stopper; blueyonder is my ISP. BUT, I don't recognise the OsbornTech Popup Blocker (which I note refers to one of the new files created this morning in my system32 folder, see above ***).

    I have rerun CWShredder and AdAware 6 (with the latest webupdate), but the problem is still there.
    Please can you help?
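    As an added example (not code from this thread, from HijackThis or from its author), this is the cross-check streathamp did by eye above: parse the O2/O3/O4 lines of a HijackThis log and flag any entry whose module is one of the files that newly appeared in System32. The log excerpt and the file set are constructed from the entries quoted in this post.

```python
import re
from typing import NamedTuple

class Entry(NamedTuple):
    section: str   # HijackThis section code, e.g. O2 or O4
    name: str      # BHO/toolbar name, or the Run value name for O4
    path: str      # module or executable path

# Constructed excerpt of a HijackThis v1.97 log, copied from the entries in the post above.
LOG = """\
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 6.0\\Reader\\ActiveX\\AcroIEHelper.dll
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\\Program Files\\Panicware\\Pop-Up Stopper\\CCHelper.dll
O2 - BHO: OsbornTech Popup Blocker - {FF1BF4C7-4E08-4A28-A43F-9D60A9F7A880} - C:\\WINDOWS\\System32\\mshelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\\WINDOWS\\System32\\msdxm.ocx
O4 - HKLM\\..\\Run: [MSZTCE] C:\\WINDOWS\\System32\\MSZTCE.EXE
"""

# Subset of the files the poster saw appear in System32 (constructed from the list above).
NEW_SYSTEM32_FILES = {"cidft.dll", "mshelper.dll", "mtwirl.dll", "zxmsn.dll"}

# O2/O3 lines look like: "O2 - BHO: <name> - {CLSID} - <path>"
_O23 = re.compile(r"^(O[23]) - (?:BHO|Toolbar): (.*?) - \{[0-9A-Fa-f-]+\} - (.+)$")
# O4 lines look like: "O4 - HKLM\..\Run: [<value name>] <command>"
_O4 = re.compile(r"^(O4) - .*?: \[(.*?)\] (.+)$")

def parse_hjt(log: str) -> list[Entry]:
    """Extract the auto-loading entries (BHOs, toolbars, Run keys) from a HijackThis log."""
    entries = []
    for line in log.splitlines():
        m = _O23.match(line) or _O4.match(line)
        if m:
            entries.append(Entry(*m.groups()))
    return entries

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def flag_new_modules(entries, new_files):
    """Entries whose loaded module is one of the files that appeared alongside the problem."""
    wanted = {f.lower() for f in new_files}
    return [(e.section, e.name, basename(e.path)) for e in entries if basename(e.path) in wanted]

def bho_modules(entries):
    """Every module loaded as a BHO; two pop-up blockers both loaded this way is the conflict found later."""
    return [basename(e.path) for e in entries if e.section == "O2"]
```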
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
  3. streathamp

    streathamp Registered Member

    Dear Pieter,
    I have emailed you the mshelper.dll file. I have never knowingly visited the OsbornTech website though!
    I have also done a McAfee virus scan and used a Rapid blaster killer 1.6.0.1 - both of which came up clear. I don't know what to do (I am a complete computer novice).

    Streathamp
     
  4. streathamp

    streathamp Registered Member

    Thanks Pieter!
    (In case anyone else is reading this, Pieter suggested that I get rid of the osborntech popup stopper because using two popup blockers that operate as a BHO could lead to conflicts, especially when visiting sites that produce popups. This is exactly what was happening to me, though I have no idea how I got the osborntech popup stopper!). I can now download again!!! :)

    I think www.smart-finder.biz was a red herring - especially as the webpage only appeared once. I think it may have been related to the mtwcnl.dll file that somehow got deleted and thereby stopped the webpage appearing again. I note that on one of the other forums at Wilderssecurity, mtwcnl.dll and mtwirl.dll are the cause of a different hijack. Should I delete mtwirl.dll from my system32 folder as well?
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Hi streathamp,

    Yes, mtwirl.dll is related to this hijack. I just found that out.

    Send the suspect file to submit@diamondcs.com.au and include a link to this thread (http://www.wilderssecurity.com/showthread.php?t=27344), so they will have an idea what to look for.

    Regards,

    Pieter
     