0

I keep running Adaware/Spybot S&D/a squared2 and they keep detecting and removing malware/trojans/spyware. I rescan and it comes up with nothing. Once a time period (30 minutes) goes by pop-ups and Norton come up saying that I have new Trojans. Can anyone give me a hand and tell me how to really get rid of all this???

Logfile of HijackThis v1.97.7
Scan saved at 10:05:19 AM, on 6/8/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Winamp\winampa.exe
C:\WINNT\flvcbdps.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINNT\system32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Autodesk\MDT 2004\acad.exe
C:\Program Files\Common Files\Autodesk Shared\WSCommCntr1.exe
C:\Program Files\a2\a2guard.exe
C:\Program Files\Autodesk\MDT 2004\acad.exe
C:\Program Files\a2\a2start.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\WinZip\winzip32.exe
C:\DOCUME~1\Matt\LOCALS~1\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hkcu
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?new-hkcu
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?new-hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hklm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://devilsfuck.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\WINNT\System32\Userinit.exe
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\Matt\Application Data\Mozilla\Profiles\default\x3oolz2g.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Matt\Application Data\Mozilla\Profiles\default\x3oolz2g.slt\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [boxiscwt] C:\WINNT\flvcbdps.exe
O4 - HKLM\..\Run: [guwyrrkiac] C:\WINNT\system32\qrtssdo.exe
O4 - HKLM\..\Run: [sdart32m] C:\WINNT\system32\sdart32m.exe
O4 - HKLM\..\Run: [mswspl] C:\Program Files\Windows Media Player\wmplayer.exe
O4 - HKLM\..\Run: [k2aq.exe] C:\winnt\temp\k2aq.exe
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKCU\..\Run: [WCPI] C:\WINNT\system32\wintsvit.exe
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\Run: [a²] "C:\Program Files\a2\a2guard.exe"
O4 - Global Startup: hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
O4 - Global Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Office\Office\OSA9.EXE
O9 - Extra button: AIM (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37852.2191782407
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{17F51254-A945-4EBA-BD34-16C49C3DF200}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = npc.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{17F51254-A945-4EBA-BD34-16C49C3DF200}: NameServer = 192.168.0.1
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = npc.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{17F51254-A945-4EBA-BD34-16C49C3DF200}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = npc.com

Would really appreciate it! Thanks!

3
Contributors
5
Replies
6
Views
13 Years
Discussion Span
Last Post by crunchie
0

Download CWShredder from here & run it. Select the fix button & it will get rid of everything related to CoolWebSearch that is stored in it's database. Close ALL windows, including IE, before running CWShredder. Reboot.

To help prevent this from happening again, install the patches for the vulnerabilities that this hijacker exploits by going here for your critical updates.

Unzip HJT into it's own permanent folder before doing anything in order for it to create backups. (Not a temporary folder or directly on the desktop & not directly on your hard drive). Close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked' :

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://devilsfuck.com

O4 - HKLM\..\Run: [boxiscwt] C:\WINNT\flvcbdps.exe
O4 - HKLM\..\Run: [guwyrrkiac] C:\WINNT\system32\qrtssdo.exe
O4 - HKLM\..\Run: [sdart32m] C:\WINNT\system32\sdart32m.exe
O4 - HKLM\..\Run: [mswspl] C:\Program Files\Windows Media Player\wmplayer.exe
O4 - HKLM\..\Run: [k2aq.exe] C:\winnt\temp\k2aq.exe
O4 - HKCU\..\Run: [WCPI] C:\WINNT\system32\wintsvit.exe
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

Reboot into safe mode following the instructions here & navigate to & delete the following if found:

C:\WINNT\flvcbdps.exe<<<<
C:\WINNT\system32\qrtssdo.exe<<<<
C:\WINNT\system32\sdart32m.exe<<<<
C:\winnt\temp\k2aq.exe<<<<
C:\WINNT\system32\wintsvit.exe<<<<

C:\Program Files\TV Media<<<<
C:\Program Files\Windows Media Player\wmplayer.exe<<<< You will have to check the properties of the file B4 deleting to be only the baddy gets shot :)

Reboot normally after doing this & post another log please.

You need SP4 for W2K & SP1 for IE6. Without them you leave yourself open to invasion, as you have found.

0

Thanks Crunchie, I followed all of your instructions and this is now what I have as my log file.

Logfile of HijackThis v1.97.7
Scan saved at 10:40:55 AM, on 6/9/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\a2\a2guard.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINNT\system32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINNT\system32\wuauclt.exe
C:\Documents and Settings\Matt\My Documents\Hijack This\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINNT\System32\Userinit.exe
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Matt\Application Data\Mozilla\Profiles\default\x3oolz2g.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Matt\Application Data\Mozilla\Profiles\default\x3oolz2g.slt\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKCU\..\Run: [a²] "C:\Program Files\a2\a2guard.exe"
O4 - Global Startup: hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
O4 - Global Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Office\Office\OSA9.EXE
O9 - Extra button: AIM (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37852.2191782407
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{17F51254-A945-4EBA-BD34-16C49C3DF200}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = npc.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{17F51254-A945-4EBA-BD34-16C49C3DF200}: NameServer = 192.168.0.1
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = npc.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{17F51254-A945-4EBA-BD34-16C49C3DF200}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = npc.com


See anything to still worry about? Thanks alot! :cheesy:

0

I tried to delete the last line in the HiJackthis log:

O17 - HKLM\System\CCS\Services\Tcpip\..\{B82865EE-5C19-41F9-A13A-1D79ADDD03EC}: NameServer = 207.229.64.3,199.254.229.65

Because I discovered that those IP addresses go to the devils****.com site. But when I did "fix checked" in HiJackthis and rebooted, My internet connection didn't work so had to restore it back.

Any Ideas? Can that line be edited to get rid of those IP addresses or what?

thanks - SteveB

0

I tried to delete the last line in the HiJackthis log:

O17 - HKLM\System\CCS\Services\Tcpip\..\{B82865EE-5C19-41F9-A13A-1D79ADDD03EC}: NameServer = 207.229.64.3,199.254.229.65

Because I discovered that those IP addresses go to the devils****.com site. But when I did "fix checked" in HiJackthis and rebooted, My internet connection didn't work so had to restore it back.

Any Ideas? Can that line be edited to get rid of those IP addresses or what?

thanks - SteveB

Have split your post out to it's own thread. Please do not tag on to the end of another user's thread as it becomes too confusing for all concerned. Thanx for understanding :) .

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.