
HJT LOG HELP!



#1 drgonzo
Members, 24 posts

Posted 04 January 2005 - 09:12 AM

Hi, new to the forum. I'm using Windows 2000, and my Internet Explorer has been hijacked by win-eto.com, which then redirects to here4search.com. I've tried Ad-Aware, AboutBuster, Spyware Doctor, Search and Destroy, SpywareBlaster, Stinger, CWShredder, yet I can't get rid of this. Could someone please help me before I lose my mind.

Here is the latest HijackThis log.

Logfile of HijackThis v1.97.7
Scan saved at 22:55:31, on 03/01/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\atlfe.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\MSDTC32.exe
C:\WINNT\system32\x0g1x6w4iuhwfthd.exe
C:\WINNT\system32\netwv.exe
C:\Program Files\Windows AdTools\WinAdTools.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows AdTools\WinRatchet.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\wuauclt.exe
D:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.eircom.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.eircom.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.eircom.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.eircom.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.eircom.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.eircom.net
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/ymsgr/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\system32\eircom.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\system32\eircom.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://66.103.153.158/cool
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINNT\system32\5626K1~2.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WinampAgent] "D:\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Windows Automation] mslaugh.exe
O4 - HKLM\..\Run: [Video Device Loader] MSDTC32.exe
O4 - HKLM\..\Run: [aoxjezao] C:\WINNT\system32\mavbde.exe
O4 - HKLM\..\Run: [Control handler] C:\WINNT\system32\x0g1x6w4iuhwfthd.exe
O4 - HKLM\..\Run: [netwv.exe] C:\WINNT\system32\netwv.exe
O4 - HKLM\..\Run: [Windows AdTools] C:\Program Files\Windows AdTools\WinAdTools.exe
O4 - HKLM\..\RunServices: [Video Device Loader] MSDTC32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Wmpfaqef] C:\WINNT\system32\zgbclu.exe
O4 - HKCU\..\Run: [Spyware Doctor] "D:\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: winlogin.exe
O9 - Extra button: Spyware Doctor (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.ysbweb.com
O16 - DPF: {0F9B4CA4-A30F-480A-841D-69B45C50A8F8} (SekureL0gin.SekureKontrol) - http://secure2.comned.com/signuptemplates/AktiveSekurity.cab
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://greg-tut.com/G7/chm10.chm::/ieloader.exe
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
O16 - DPF: {11111111-1111-1111-1111-222222222222} - ms-its:mhtml:file://C:one.MHT!http://www.t058.com//inst//x.chm::/open.exe
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q678340.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...fe3bba631960d34
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {2C0F2AEA-3A9B-46DB-A7BE-80FF329E415D} (PremiumInternacional Class) - http://213.201.69.103/data/dialercab/premi...ternacional.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/yinst/yinst_current.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9CCE3B43-4DE0-4236-A84E-108CA848EE6A} (WebCam Control) - http://webcamnow.com/broadcast/ActiveXWebCam.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8088.6555555556
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://flash.ladbrokescasino.com/ladbrokes/FlashAX.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BD0FFF0C-9305-49AF-8B6C-C184F997AD82}: NameServer = 159.134.237.6 159.134.248.17

Cheers


#2 Buckeye_Sam
Malware Expert
Members, 17,382 posts
Location: Pickerington, Ohio

Posted 05 January 2005 - 07:19 AM

You have a CoolWebSearch infection, among a few other things.

Please download and install CWShredder.
http://cwshredder.net/bin/CWSInstall.exe


Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run Hijackthis again, click scan, and Put a checkmark next to each of these. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://66.103.153.158/cool
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINNT\system32\5626K1~2.DLL
O4 - HKLM\..\Run: [Windows Automation] mslaugh.exe
O4 - HKLM\..\Run: [Video Device Loader] MSDTC32.exe
O4 - HKLM\..\Run: [Control handler] C:\WINNT\system32\x0g1x6w4iuhwfthd.exe
O4 - HKLM\..\Run: [netwv.exe] C:\WINNT\system32\netwv.exe
O4 - HKLM\..\Run: [Windows AdTools] C:\Program Files\Windows AdTools\WinAdTools.exe
O4 - HKLM\..\RunServices: [Video Device Loader] MSDTC32.exe
O4 - HKCU\..\Run: [Wmpfaqef] C:\WINNT\system32\zgbclu.exe
O4 - Global Startup: winlogin.exe
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.ysbweb.com
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://greg-tut.com/G7/chm10.chm::/ieloader.exe
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
O16 - DPF: {11111111-1111-1111-1111-222222222222} - ms-its:mhtml:file://C:one.MHT!http://www.t058.com//inst//x.chm::/open.exe
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q678340.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...fe3bba631960d34
O16 - DPF: {2C0F2AEA-3A9B-46DB-A7BE-80FF329E415D} (PremiumInternacional Class) - http://213.201.69.103/data/dialercab/premi...ternacional.cab

Reboot your computer into Safe Mode



Open CWShredder and click "Fix".



Then delete these files or directories (Do not be concerned if they do not exist)

C:\WINNT\system32\5626K1~2.DLL
mslaugh.exe
MSDTC32.exe
C:\WINNT\system32\x0g1x6w4iuhwfthd.exe
C:\WINNT\system32\netwv.exe
C:\Program Files\Windows AdTools <- this folder
C:\WINNT\system32\zgbclu.exe
winlogin.exe <- be very careful not to delete winlogon.exe


Empty your recycle bin.


Reboot your computer to go back to normal mode.



Please run these two online scans.
Make sure they are set to clean automatically:

http://housecall.trendmicro.com/

http://www.pandasoftware.com/activescan/co...n_principal.htm

If there are files that can not be removed by the scans please include that information in your next post.


Please download the most current version of Hijackthis and post a new hijackthis log.

http://downloads.subratam.org/hijackthis.zip

Edited by Buckeye_Sam, 05 January 2005 - 07:21 AM.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


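A small triage script for logs in this format, added here as an illustration; it is not part of the thread, not HijackThis code, and not the helper's procedure. It parses the R0/R1, O2, O4, O15 and O16 lines and applies heuristics that correspond to the kinds of entries the reply above checks: start pages on unfamiliar hosts or bare IP addresses, unnamed BHOs, Run entries whose file names look machine-generated or sit one character away from a core Windows binary (winlogin.exe vs winlogon.exe, the trap the reply warns about), Trusted Zone additions, and O16 ActiveX downloads that come from file:// or ms-its: rather than an http .cab. The sample log is a subset of the lines from the first post; KNOWN_GOOD_HOSTS is an assumption about which ISP and search hosts this user actually expects. It is a triage aid, not a replacement for a human review: it will miss entries such as MSDTC32.exe that look ordinary but are still on the removal list.

```python
import re
from urllib.parse import urlparse

# Assumption: the homepage/search hosts this user expects (eircom is their ISP).
KNOWN_GOOD_HOSTS = {"www.eircom.net", "www.google.com", "rd.yahoo.com"}
# Core Windows binaries that malware imitates with one-character name changes.
PROTECTED_NAMES = {"winlogon.exe", "svchost.exe", "lsass.exe", "services.exe",
                   "smss.exe", "csrss.exe", "explorer.exe", "spoolsv.exe"}
LINE_RE = re.compile(r"^([RFNO]\d+) - (.*)$")

# Constructed sample: a subset of the lines from the log in the first post.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.eircom.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://66.103.153.158/cool
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINNT\system32\5626K1~2.DLL
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WinampAgent] "D:\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [Video Device Loader] MSDTC32.exe
O4 - HKLM\..\Run: [Control handler] C:\WINNT\system32\x0g1x6w4iuhwfthd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: winlogin.exe
O15 - Trusted Zone: *.windupdates.com
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://greg-tut.com/G7/chm10.chm::/ieloader.exe
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/yinst/yinst_current.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BD0FFF0C-9305-49AF-8B6C-C184F997AD82}: NameServer = 159.134.237.6 159.134.248.17
"""


def edit_distance(a, b):
    """Levenshtein distance; catches winlogin.exe posing as winlogon.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_random(stem):
    """Generated names flip between digits and letters many times (x0g1x6w4...)."""
    flips = sum(1 for x, y in zip(stem, stem[1:]) if x.isdigit() != y.isdigit())
    return flips >= 4


def basename(target):
    """Last path component of an O4 target, ignoring quotes and trailing switches."""
    target = target.strip()
    if target.startswith('"'):
        target = target[1:].split('"', 1)[0]
    else:
        target = re.sub(r"\s+[/-]\S*$", "", target)
    return re.split(r"[\\/]", target)[-1].lower()


def analyze(log_text):
    """Return (section, subject, reason) findings; one per heuristic hit."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        sec, body = m.groups()
        if sec in ("R0", "R1") and " = " in body:
            key, value = body.split(" = ", 1)
            host = urlparse(value if "://" in value else "http://" + value).hostname or ""
            if "." in host and host not in KNOWN_GOOD_HOSTS:   # skip local paths like C:\...
                why = "bare IP" if re.fullmatch(r"\d+(\.\d+){3}", host) else "unexpected host"
                findings.append((sec, key.split(",")[-1], f"{why} {host}"))
        elif sec == "O2" and body.startswith("BHO: (no name)"):
            findings.append((sec, body.split(" - ")[-1], "unnamed browser helper object"))
        elif sec == "O4" and ": " in body:
            target = body.split(": ", 1)[1]
            if target.startswith("[") and "] " in target:
                target = target.split("] ", 1)[1]          # drop the [value name]
            name = basename(target)
            if looks_random(name.rsplit(".", 1)[0]):
                findings.append((sec, name, "machine-generated file name"))
            for good in PROTECTED_NAMES:
                if name != good and edit_distance(name, good) == 1:
                    findings.append((sec, name, f"one character away from {good}"))
        elif sec == "O15":
            findings.append((sec, body.split(": ", 1)[1], "site added to IE Trusted Zone"))
        elif sec == "O16":
            url = body.rsplit(" - ", 1)[1]
            scheme = url.split(":", 1)[0].lower()
            if scheme not in ("http", "https"):
                findings.append((sec, url, f"ActiveX download from {scheme}: URL, not a web CAB"))
            elif not url.lower().endswith(".cab"):
                findings.append((sec, url, "ActiveX download target is not a .cab"))
    return findings


if __name__ == "__main__":
    for sec, subject, reason in analyze(SAMPLE_LOG):
        print(f"{sec:4} {reason:48} {subject}")
```

Run it against a full log by replacing SAMPLE_LOG with the file contents; everything it prints is a candidate for the "Fix checked" list, but legitimate entries can still be flagged (a bare IP search URL on a corporate LAN, for instance), so each hit still needs the kind of judgement the reply above applies before ticking the box.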



