my IE being hijacked

**NoChuAi** · 11-08-2004

Hi
I have a big problem ...after trying using many softwares such as Ad-aware, Hijackthis, NoAds, Norton Antivirus....etc.. I can't get rid off the trojan from Looking-for.cc ...Please help!

Here is my log file from HiJackThis:

Logfile of HijackThis v1.98.2
Scan saved at 2:58:37 PM, on 11/08/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\netdde.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ipix32.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\hkcmd.exe
C:\Program Files\PestPatrol\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\Program Files\NETGEAR\Wireless Smart Configuration\Utility\NetgearAG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\winsm32.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINNT\system32\scansvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\NoAds\NoAds.exe
C:\PROGRA~1\MICROS~2\Office10\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\Softwares\Hijack-v1.98\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\hwcsb.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\hwcsb.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINNT\hwcsb.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://C:\WINNT\hwcsb.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\hwcsb.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\hwcsb.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\hwcsb.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINNT\hwcsb.dll/index.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\hwcsb.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {09374324-78B1-5F4D-D61D-8D11A4529CCE} - C:\WINNT\crsh32.dll
O2 - BHO: (no name) - {E89F1EEA-9DA4-9A8F-BA92-801C2CC368DE} - C:\WINNT\system32\crqi.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Program Files\PestPatrol\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [AS00_Netgear] C:\Program Files\NETGEAR\Wireless Smart Configuration\Utility\NetgearAG.exe -hide
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [winsm32.exe] C:\WINNT\system32\winsm32.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O16 - DPF: {03177121-226B-11D4-B0BE-005004AD3039} (UploaderCtrl Class) - http://members28.clubphoto.com/_img/...l_uploader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = local
O17 - HKLM\System\CCS\Services\Tcpip\..\{D413283D-33D7-4E5E-A1DD-C668C387135E}: NameServer = 192.168.42.5,192.168.42.3
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = local

Thanks heaps

NoChuAi

**DJNafey** · 11-08-2004

I'm going to move this thread to the Security section of D-A-L.com, where the guys there will be able to give you better advice.

It looks like you've got the CoolWebSearch trojan (I had the same thing). The Security guys will probably advise you to run CoolwebShredder but they might want you to do some other stuff first.

**owen** · 12-08-2004

Close all browser windows, restart Hijack This and put a checkmark next to the following entries:

O2 - BHO: (no name) - {09374324-78B1-5F4D-D61D-8D11A4529CCE} - C:\WINNT\crsh32.dll
O2 - BHO: (no name) - {E89F1EEA-9DA4-9A8F-BA92-801C2CC368DE} - C:\WINNT\system32\crqi.dll

Click Fix Checked

Then Download Ad-aware SE from: http://www.lavasoft.de/support/download/

Install the program and launch it.

First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files.

Next, we need to configure Ad-aware for a full scan.

Click on the Gear icon (second from the left) to access the preferences/settings window

1. In the General window make sure the following are selected:

Automatically save log-file
Automatically quarantine objects prior to removal
Safe Mode (always request confirmation)

2. Click on the Scanning button on the left and select :

Scan Within Archives
Scan Active Processes
Scan Registry
Deep Scan Registry
Scan my IE favorites for banned URL’s
Scan my Hosts file
Under Click here to select drives + folders, choose:
All of your hard drives

Click on the Advanced button on the left and select:

Include additional process information
Include additional file information
Include environment information

Click the Tweak button and select:

Under the Scanning Engine:
- Unload recognized processes & modules during scan
- Include additional Ad-aware settings in logfile
Under the Cleaning Engine:
- Let Windows remove files in use at next reboot

Click on Proceed to save the settings.

Click Start and on the next screen choose Activate in-depth Scan at the bottom of the page and then choose:

Use Custom Scanning Options

Click Next and Ad-aware will scan your hard drive(s) with the options you have selected.

Save the log file when it asks and then click Finish

When finished, mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop down menu and click Next).

Then please download About:Buster and unzip it to your desktop. Then boot into safe mode (Instructions here). Start it, hit Ok, Start, And Ok again to start the scan. It will generate a log. Post that log along with a new Hijack this log here.

my IE being hijacked

my IE being hijacked

Similar Threads

hijacked?

I've Been Hijacked

IE has been Hijacked, Help!!

Been Hijacked

hijacked !!!