2
Contributors
7
Replies
8
Views
13 Years
Discussion Span
Last Post by crunchie
0

Hi. If you have run updated Adaware & spybot, please do the following;

Download HijackThis from here & unzip it into it's own, permanent folder, (Not a temporary folder or the desktop (in a folder on the desktop is fine) & not directly on your hard drive).
If you have anything disabled in MsConfig, please re-enable it/them.
Start HJT & with all browser windows closed, press the scan button. When the scan is finished the scan button will change to save. Save the log to a text file, copy the entire contents of the text file & paste it into the body of your post. DO NOT FIX ANYTHING YET. Most of what is there is necessary for the running of your system.

0

Crunchie...thanks for replying so fast..

as requested the output from HighjackThis...

Logfile of HijackThis v1.98.1
Scan saved at 15:27:40, on 4-8-2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WIN2K\System32\smss.exe
D:\WIN2K\system32\winlogon.exe
D:\WIN2K\system32\services.exe
D:\WIN2K\system32\lsass.exe
D:\WIN2K\system32\svchost.exe
D:\WIN2K\system32\LEXBCES.EXE
D:\WIN2K\system32\spoolsv.exe
D:\WIN2K\system32\LEXPPS.EXE
D:\WIN2K\system32\drivers\CDAC11BA.EXE
D:\WIN2K\System32\svchost.exe
D:\WIN2K\system32\regsvc.exe
D:\WIN2K\system32\MSTask.exe
D:\WIN2K\system32\slserv.exe
D:\WIN2K\system32\stisvc.exe
D:\WIN2K\System32\WBEM\WinMgmt.exe
D:\WIN2K\system32\svchost.exe
D:\WIN2K\Explorer.EXE
D:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
D:\Program Files\Lexmark X5100 Series\lxbabmon.exe
D:\WIN2K\system32\internat.exe
E:\Utils\GetRight\getright.exe
D:\Program Files\Preventon\Personal Firewall\PFwall.exe
D:\DOCUME~1\dave\LOCALS~1\Temp\~ef7194.tmp
D:\Utils\System\WinZip\winzip32.exe
D:\Program Files\hijjackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.search-2003.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WIN2K\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Lexmark X5100 Series] "D:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [sws.exe] d:\program files\GlobalDialer\wordi00047\2528315.exe -remove
O4 - HKCU\..\Run: [li-tzone00028] d:\program files\Webdialer\li-tzone00028.exe -m
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Updater] D:\Program Files\Carpe Diem\msx\CDUpdater.exe CD_UPDATER
O4 - Global Startup: GetRight - Tray Icon.lnk = E:\Utils\GetRight\getright.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Preventon Personal Firewall.lnk = D:\Program Files\Preventon\Personal Firewall\PFwall.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WIN2K\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WIN2K\web\related.htm
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {38545C2A-03CD-42C3-BC62-C537A6D5A8F6} (38545C2A-03CD-42C3-BC62-C537A6D5A8F6) - http://download.globaldialer.net/GlobalDialer.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://www.freedom.net/viruscenter/onlineviruscheck/cabs/cssweb.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{08259953-5E46-4ABC-A809-FDCFB7810E2E}: NameServer = 192.168.10.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{5E56D320-367E-4575-9ED6-5C4E22EAB722}: NameServer = 195.121.1.34 195.121.1.66
O17 - HKLM\System\CS1\Services\Tcpip\..\{08259953-5E46-4ABC-A809-FDCFB7810E2E}: NameServer = 192.168.10.1
O19 - User stylesheet: (file missing)
O21 - SSODL: System - {F31FA968-5C7E-4C78-8D39-1C4195CB02E0} - D:\WIN2K\system32\system32.dll

0

Download CWShredder from here & run it. Select the fix button & it will fix everything related to CoolWebSearch that is stored in it's database. Close ALL windows, including Iinternet Explorer, before running CWShredder. Reboot.

To help prevent this from happening again, install the patches for the vulnerabilities that this hijacker exploits by going here for your critical updates.

Close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked':

O16 - DPF: {38545C2A-03CD-42C3-BC62-C537A6D5A8F6} (38545C2A-03CD-42C3-BC62-C537A6D5A8F6) - http://download.globaldialer.net/GlobalDialer.cab

O19 - User stylesheet: (file missing)
O21 - SSODL: System - {F31FA968-5C7E-4C78-8D39-1C4195CB02E0} - D:\WIN2K\system32\system32.dll

Reboot & delete this file; D:\WIN2K\system32\system32.dll

Post another log please.

0

the log..

Logfile of HijackThis v1.98.1
Scan saved at 15:53:28, on 5-8-2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WIN2K\System32\smss.exe
D:\WIN2K\system32\winlogon.exe
D:\WIN2K\system32\services.exe
D:\WIN2K\system32\lsass.exe
D:\WIN2K\system32\svchost.exe
D:\WIN2K\system32\LEXBCES.EXE
D:\WIN2K\system32\spoolsv.exe
D:\WIN2K\system32\LEXPPS.EXE
D:\WIN2K\system32\drivers\CDAC11BA.EXE
D:\WIN2K\System32\svchost.exe
D:\WIN2K\system32\regsvc.exe
D:\WIN2K\system32\MSTask.exe
D:\WIN2K\system32\slserv.exe
D:\WIN2K\system32\stisvc.exe
D:\WIN2K\System32\WBEM\WinMgmt.exe
D:\WIN2K\system32\svchost.exe
D:\WIN2K\Explorer.EXE
D:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\Program Files\Lexmark X5100 Series\lxbabmon.exe
D:\WIN2K\system32\internat.exe
E:\Utils\GetRight\getright.exe
D:\Program Files\Preventon\Personal Firewall\PFwall.exe
D:\DOCUME~1\dave\LOCALS~1\Temp\~ef7194.tmp
D:\Program Files\hijjackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WIN2K\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Lexmark X5100 Series] "D:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [sws.exe] d:\program files\GlobalDialer\wordi00047\2528315.exe -remove
O4 - HKCU\..\Run: [li-tzone00028] d:\program files\Webdialer\li-tzone00028.exe -m
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Updater] D:\Program Files\Carpe Diem\msx\CDUpdater.exe CD_UPDATER
O4 - Global Startup: GetRight - Tray Icon.lnk = E:\Utils\GetRight\getright.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Preventon Personal Firewall.lnk = D:\Program Files\Preventon\Personal Firewall\PFwall.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WIN2K\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WIN2K\web\related.htm
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://www.freedom.net/viruscenter/onlineviruscheck/cabs/cssweb.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{08259953-5E46-4ABC-A809-FDCFB7810E2E}: NameServer = 192.168.10.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{08259953-5E46-4ABC-A809-FDCFB7810E2E}: NameServer = 192.168.10.1

I also recieved the following error message after running the fixed checked
in HijackThis for the 3 items you mentioned..

"An unexpected error has occurred at procedure: modBackup=MakeBackup(sItem=O21 - SSODL: System - {F31FA968-5C7E-4C78-8D39-1C4195CB02E0} - D:\WIN2K\system32\system32.dll)
Error #62 - Input past end of file

Please email me at Merijn@spywareinfo.com, reporting the following:
* What you were doing when the error occurred
* How you can reproduce the error
* A complete HijackThis scan log, if possible

Windows version: Windows NT 5.00.2195
MSIE version 6.0.2800.1106
HijackThis version: 1.98.1"

I have not yet contacted Merijn. I thought it best to check with you first.
Also I renamed the system32.dll instead of deleting....just in case.

Dave

0

Regarding the error, it is best to contact Merijn about that as it is his creation & he would best know what created the error. system32.dll is a baddy though.
Did you have all windows closed (folders too) when running the shredder? The fix will not work if you do not. Try running CWShredder in safe mode to clean up the related entries.

Clear out the contents of this foolder whilst in safe mode;

D:\DOCUME~1\dave\LOCALS~1\Temp

In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to here.

Still in safe mode close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked':

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/

O4 - HKCU\..\Run: [sws.exe] d:\program files\GlobalDialer\wordi00047\2528315.exe -remove
O4 - HKCU\..\Run: [li-tzone00028] d:\program files\Webdialer\li-tzone00028.exe -m
O4 - HKCU\..\Run: [Updater] D:\Program Files\Carpe Diem\msx\CDUpdater.exe CD_UPDATER

Delete the following manually;

d:\program files\GlobalDialer-folder
d:\program files\Webdialer
D:\Program Files\Carpe Diem

Reboot normally after doing the above then post a fresh log please.

0

the new log..

Logfile of HijackThis v1.98.1
Scan saved at 21:15:43, on 8-8-2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WIN2K\System32\smss.exe
D:\WIN2K\system32\winlogon.exe
D:\WIN2K\system32\services.exe
D:\WIN2K\system32\lsass.exe
D:\WIN2K\system32\svchost.exe
D:\WIN2K\system32\LEXBCES.EXE
D:\WIN2K\system32\spoolsv.exe
D:\WIN2K\system32\LEXPPS.EXE
D:\WIN2K\system32\drivers\CDAC11BA.EXE
D:\WIN2K\System32\svchost.exe
D:\WIN2K\system32\regsvc.exe
D:\WIN2K\system32\MSTask.exe
D:\WIN2K\system32\slserv.exe
D:\WIN2K\system32\stisvc.exe
D:\WIN2K\System32\WBEM\WinMgmt.exe
D:\WIN2K\system32\svchost.exe
D:\WIN2K\Explorer.EXE
D:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
D:\Program Files\Lexmark X5100 Series\lxbabmon.exe
D:\WIN2K\system32\internat.exe
E:\Utils\GetRight\getright.exe
D:\Program Files\Preventon\Personal Firewall\PFwall.exe
D:\DOCUME~1\dave\LOCALS~1\Temp\~ef7194.tmp
D:\Program Files\hijjackthis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WIN2K\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Lexmark X5100 Series] "D:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = E:\Utils\GetRight\getright.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Preventon Personal Firewall.lnk = D:\Program Files\Preventon\Personal Firewall\PFwall.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WIN2K\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WIN2K\web\related.htm
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://www.freedom.net/viruscenter/onlineviruscheck/cabs/cssweb.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{08259953-5E46-4ABC-A809-FDCFB7810E2E}: NameServer = 192.168.10.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{08259953-5E46-4ABC-A809-FDCFB7810E2E}: NameServer = 192.168.10.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{08259953-5E46-4ABC-A809-FDCFB7810E2E}: NameServer = 192.168.10.1

btw..I can reset my homepage again....phew !!!!

Thanks Crunchie for your help...

Kind Regards

Dave

PS. I will contact Merijn about the error..

0

Except for the following, your log looks good :) .

D:\DOCUME~1\dave\LOCALS~1\Temp-clear out the contents in safe mode.

In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to here.

Clear out your temp files on a regular basis, especially that one. Because it has the hidden attribute, many viruses are deposited there.

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.