User Name Password Register
DaniWeb IT Discussion Community
Home
Forums
Tutorials
Blogs
Link Directory
All
What is DaniWeb IT Discussion Community?
You're currently browsing the Viruses, Spyware and other Nasties section within the Tech Talk category of DaniWeb, a massive community of 427,684 software developers, web developers, Internet marketers, and tech gurus who are all enthusiastic about making contacts, networking, and learning from each other. In fact, there are 4,284 IT professionals currently interacting right now! Registration is free, only takes a minute and lets you enjoy all of the interactive features of the site.
Join our community!
Please support our Viruses, Spyware and other Nasties advertiser: Programming Forums
Views: 2009 | Replies: 1
Reply
Join Date: Jun 2004
Posts: 1
Reputation: rad-1966 is an unknown quantity at this point 
Rep Power: 0
Solved Threads: 0
rad-1966 rad-1966 is offline Offline
Newbie Poster

"mypoiskovik" home page hijacked!

  #1  
Jun 4th, 2004
I have run SpyBot, AdAware, and various virus scanners, as well as CW shredder. It appears to go away for a few minutes after CW shredder is run, but then it comes right back and hijacks my home page again!

Not sure if they are related, but I'm also having an "End Program - Win Min" issue when I shut down...it trys to shut down this program for a minute or so, then says "not responding" with an "End Now" button.

Here's my Hijack This Log:

Logfile of HijackThis v1.97.7
Scan saved at 9:08:58 AM, on 6/4/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hpb2ksrv.exe
C:\WINNT\system32\hpbhksrv.exe
C:\Program Files\Aladdin Systems\Internet Cleanup\icserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\WINNT\system32\hpnra.exe
C:\WINNT\system32\hpstatus.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\huzwdux.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\PKWARE\PKZIPM\8.00.0018\PKTray.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogin.exe
C:\Program Files\Aladdin Systems\Internet Cleanup\onictask.exe
C:\WINNT\system32\HPBSPSVR.EXE
C:\WINNT\system32\scnmnm.exe
C:\WINNT\system32\HPBJDSNT.EXE
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mypoiskovik.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://mypoiskovik.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mypoiskovik.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mypoiskovik.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://mypoiskovik.com/index.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.excite.com/
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1f0c8547-2639-4c91-b8aa-c7eca24c3163} - C:\Program Files\Aladdin Systems\Internet Cleanup\ic3hlpr.dll
O2 - BHO: PopupFilter Class - {1F2E844B-8211-46ff-8262-772F03295CF4} - C:\Program Files\Aladdin Systems\Internet Cleanup\PopFiltr.dll
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O2 - BHO: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - (no file)
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINNT\system32\hpnra.exe
O4 - HKLM\..\Run: [HP Status] C:\WINNT\system32\hpstatus.exe
O4 - HKLM\..\Run: [HP Proxy Server] C:\Program Files\Hewlett-Packard\ProxyService\ProxyService.lnk
O4 - HKLM\..\Run: [sSaU] C:\documents and settings\drinella\local settings\temp\sSaU.exe
O4 - HKLM\..\Run: [Dsi] C:\WINNT\system32\dp-him.exe
O4 - HKLM\..\Run: [emsw.exe] C:\WINNT\emsw.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [wnhbiizsfmyk] C:\WINNT\system32\huzwdux.exe
O4 - HKLM\..\Run: [scnmnm] C:\WINNT\system32\scnmnm.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Startup: IC Task Manager.lnk = C:\Program Files\Aladdin Systems\Internet Cleanup\onictask.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PKZIP Attachments Status.lnk = C:\Program Files\PKWARE\PKZIPM\8.00.0018\PKTray.exe
O4 - Global Startup: winlogin.exe
O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: IC 3.0 (HKLM)
O10 - Unknown file in Winsock LSP: c:\program files\aladdin systems\internet cleanup\adlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\aladdin systems\internet cleanup\adlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\aladdin systems\internet cleanup\adlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\aladdin systems\internet cleanup\adlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\aladdin systems\internet cleanup\adlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\aladdin systems\internet cleanup\adlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\aladdin systems\internet cleanup\adlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\aladdin systems\internet cleanup\adlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\aladdin systems\internet cleanup\adlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\aladdin systems\internet cleanup\adlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\aladdin systems\internet cleanup\adlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\aladdin systems\internet cleanup\adlsp.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/317739fd64ec9b9...p/RdxIE601.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/1...ll/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...916.5036921296
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mnticelo-home-inc.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mnticelo-home-inc.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = mnticelo-home-inc.com
AddThis Social Bookmark Button
Reply With Quote  
Join Date: Feb 2004
Location: Oztralya
Posts: 7,825
Reputation: crunchie is a jewel in the rough crunchie is a jewel in the rough crunchie is a jewel in the rough 
Rep Power: 22
Solved Threads: 431
Moderator
Featured Poster
crunchie's Avatar
crunchie crunchie is offline Offline
Spyware Killer

Re: "mypoiskovik" home page hijacked!

  #2  
Jun 5th, 2004
You definitely have a coolwebsearch infection. Make sure you have the latest version of CWShredder (1.58 I believe) & make sure that ALL windows are closed (browser & folders) So>>>>update CWShredder from here & run it. Select the fix button & it will get rid of everything related to CoolWebSearch that is stored in it's database. Close ALL windows, including IE, before running CWShredder. Reboot.

To help prevent this from happening again, install the patches for the vulnerabilities that this hijacker exploits by going here for your critical updates.

Close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked' :

O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - (no file)

O4 - HKLM\..\Run: [sSaU] C:\documents and settings\drinella\local settings\temp\sSaU.exe
O4 - HKLM\..\Run: [Dsi] C:\WINNT\system32\dp-him.exe
O4 - HKLM\..\Run: [emsw.exe] C:\WINNT\emsw.exe
O4 - HKLM\..\Run: [wnhbiizsfmyk] C:\WINNT\system32\huzwdux.exe
O4 - HKLM\..\Run: [scnmnm] C:\WINNT\system32\scnmnm.exe
O4 - Global Startup: winlogin.exe

O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/317739fd64ec9b...ip/RdxIE601.cab

C:\Program Files\couponsandoffers< folder
C:\documents and settings\drinella\local settings\temp< folder contents
C:\WINNT\system32\dp-him.exe< file
C:\WINNT\emsw.exe< file
C:\WINNT\system32\huzwdux.exe< file
C:\WINNT\system32\scnmnm.exe< file
winlogin.exe< file from the startup folder

In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to here.

Reboot normally after doing this & post another log please.
Proud member of ASAP (Alliance of Security analysis Professionals).
Opera How you got infected AVAST anti-virus Comodo Firewall Spywareblaster

Please do not PM me for help. Instead, post in the public forum where others may benefit.
Reply With Quote  
Reply

Only community members can participate in forum threads. You must register or log in to contribute.

Register
DaniWeb Viruses, Spyware and other Nasties Marketplace
Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)

 

Thread Tools Display Modes
Linear Mode Linear Mode

adware ajax complete information defender home im internet legal malware mcafee microsoft new folder new viruses news nhatquanglan reliability search security site software spyware survey svchost teleworking virus viruses vista web windows work
Similar Threads
Other Threads in the Viruses, Spyware and other Nasties Forum

Advertising Opportunities on DaniWeb
Contact Us - Newsletter Archive - Sitemap - Privacy Statement
All times are GMT -4. The time now is 11:19 am.
Forum system based on vBulletin Copyright ©2000 - 2008, Jelsoft Enterprises Ltd.
©2003 - 2008 DaniWeb® LLC