Hijacker.easywww



tiedend
2006-02-12, 12:56
I am having problems with the above and other malware.

My HiJackThis log is as below:

Logfile of HijackThis v1.98.2
Scan saved at 11:50:26, on 12/02/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\TESCOI~1\backweb\9655419\Program\SERVIC~1.EXE
C:\Program Files\Tesco Internet Security\Anti-Virus\fsgk32st.exe
C:\Program Files\Tesco Internet Security\backweb\9655419\program\fsbwsys.exe
C:\Program Files\Tesco Internet Security\Anti-Virus\FSGK32.EXE
C:\Program Files\Tesco Internet Security\Common\FSMA32.EXE
C:\Program Files\Tesco Internet Security\Common\FSMB32.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Tesco Internet Security\Anti-Virus\fssm32.exe
C:\Program Files\Tesco Internet Security\Common\FCH32.EXE
C:\Program Files\Tesco Internet Security\Common\FAMEH32.EXE
C:\Program Files\Tesco Internet Security\FSPC\fspc.exe
C:\Program Files\Tesco Internet Security\Anti-Virus\fsav32.exe
C:\Program Files\Tesco Internet Security\FWES\Program\fsdfwd.exe
C:\WINDOWS\htpatch.exe
C:\WINDOWS\System32\sistray.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
C:\Program Files\Tesco Internet Security\Common\FSM32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Tesco Internet Security\backweb\9655419\Program\fspex.exe
C:\Program Files\Tesco Internet Security\FSGUI\fsguiexe.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\KGW\My Documents\HiJackThis\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tesco.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [OneTouch Monitor] "C:\Program Files\Visioneer OneTouch\OneTouchMon.exe"
O4 - HKLM\..\Run: [drsmartloadb] c:\\drsmartloadb.exe
O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd.exe
O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Tesco Internet Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Tesco Internet Security\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Tesco Internet Security\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Tesco Internet Security\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Show website &list - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Tesco Internet Security\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - C:\Program Files\Tesco Internet Security\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: &Suspend Webpage Filter - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - C:\Program Files\Tesco Internet Security\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - C:\Program Files\Tesco Internet Security\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: &Deny this website - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - C:\Program Files\Tesco Internet Security\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - C:\Program Files\Tesco Internet Security\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: &Allow this website - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - C:\Program Files\Tesco Internet Security\FSPC\fspcmsie.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'winsflt.dll' missing
O14 - IERESET.INF: START_PAGE_URL=http://www.tesco.net
O16 - DPF: NTLSignup - https://register.tesco.net/tesco/NTLSignup.cab
O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} - http://akamai.downloadv3.com/binaries/IA/dtc32_EN_XP.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136111518159
O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} - http://akamai.downloadv3.com/binaries/IA/netpe32_EN_XP.cab

Any help in removing these items would be appreciated.

pskelley
2006-02-12, 18:16
Hello and welcome to the forum. You have several infections and we need to start like this.

1) Download CWShredder from here: http://www.softpedia.com/get/Internet/Popup-Ad-Spyware-Blockers/CWShredder.shtml Update it if available then choose FIX not scan. Allow the program to run and remove what it finds, post that information for me to see.

2) Your version of HJT is very outdated and I need to view a log created with version 1.99.1 which you can download here: http://www.merijn.org/files/HijackThis.exe Post a new log with version 1.99.1 and I will continue with instructions as soon as possible after you post. Stay in this same thread.

Thanks...pskelley
Safer Networking Forums

tiedend
2006-02-13, 07:08
pskelley

Thanks for the response. I will not be able to do what you ask until Tuesday evening due to my own and my neighbour's commitments, whose computer is having the problem.

I will do what you ask then and post the log requested that evening.

Many thanks for your time.

pskelley
2006-02-13, 12:03
Hello, and I have no problem with that. You may want to let your neighbor know that CoolWebSearch is just the first infection you will be removing and there are others. These infections weaken the security of the system and also attract others. My advice would be to keep this computer offline until this repair is complete, they can check their email but surfing the web is inviting more trouble.:(

Thanks...Phil

tiedend
2006-02-14, 19:55
Phil

I ran CWShredder and it came up with "CoolWebSearch was not found on your system."

The log from the latest version of HiJackThis is below.

It is 6.55pm here in the UK so I will keep an eye out for your reply but it is likely I will have to deal with it tomorrow evening.

The log is: -

Logfile of HijackThis v1.99.1
Scan saved at 18:46:22, on 14/02/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\TESCOI~1\backweb\9655419\Program\SERVIC~1.EXE
C:\Program Files\Tesco Internet Security\Anti-Virus\fsgk32st.exe
C:\Program Files\Tesco Internet Security\backweb\9655419\program\fsbwsys.exe
C:\Program Files\Tesco Internet Security\Anti-Virus\FSGK32.EXE
C:\Program Files\Tesco Internet Security\Common\FSMA32.EXE
C:\Program Files\Tesco Internet Security\Common\FSMB32.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Tesco Internet Security\Anti-Virus\fssm32.exe
C:\Program Files\Tesco Internet Security\Common\FCH32.EXE
C:\Program Files\Tesco Internet Security\Common\FAMEH32.EXE
C:\Program Files\Tesco Internet Security\FSPC\fspc.exe
C:\Program Files\Tesco Internet Security\FWES\Program\fsdfwd.exe
C:\Program Files\Tesco Internet Security\Anti-Virus\fsav32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\htpatch.exe
C:\WINDOWS\System32\sistray.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
C:\Program Files\Tesco Internet Security\Common\FSM32.EXE
C:\Program Files\Tesco Internet Security\backweb\9655419\Program\fspex.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Tesco Internet Security\FSGUI\fsguiexe.exe
C:\Documents and Settings\KGW\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tesco.net
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [OneTouch Monitor] "C:\Program Files\Visioneer OneTouch\OneTouchMon.exe"
O4 - HKLM\..\Run: [drsmartloadb] c:\\drsmartloadb.exe
O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd.exe
O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Tesco Internet Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Tesco Internet Security\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Tesco Internet Security\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Tesco Internet Security\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Show website &list - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Tesco Internet Security\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - C:\Program Files\Tesco Internet Security\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: &Suspend Webpage Filter - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - C:\Program Files\Tesco Internet Security\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - C:\Program Files\Tesco Internet Security\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: &Deny this website - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - C:\Program Files\Tesco Internet Security\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - C:\Program Files\Tesco Internet Security\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: &Allow this website - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - C:\Program Files\Tesco Internet Security\FSPC\fspcmsie.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'winsflt.dll' missing
O14 - IERESET.INF: START_PAGE_URL=http://www.tesco.net
O16 - DPF: NTLSignup - https://register.tesco.net/tesco/NTLSignup.cab
O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} - http://akamai.downloadv3.com/binaries/IA/dtc32_EN_XP.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136111518159
O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} - http://akamai.downloadv3.com/binaries/IA/netpe32_EN_XP.cab
O20 - Winlogon Notify: Unimodem - C:\WINDOWS\system32\e002lado1d0c.dll
O23 - Service: Tesco Internet Security (BackWeb Plug-in - 9655419) - Unknown owner - C:\PROGRA~1\TESCOI~1\backweb\9655419\Program\SERVIC~1.EXE
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program Files\Tesco Internet Security\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\Tesco Internet Security\backweb\9655419\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Tesco Internet Security\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure HTTP Server (fshttps) - F-Secure Corporation - C:\Program Files\Tesco Internet Security\FSPC\fshttps\fshttps.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\Tesco Internet Security\Common\FSMA32.EXE

Many thanks for your help.

Graham

pskelley
2006-02-14, 20:41
Hi Graham, thanks for that information. This: http://searchbar.findthewebsiteyouneed.com scanned as CWS, so unless you removed those R1 lines, the shredder did.

You have moved HJT, please do this: Move HJT from the Desktop for safety. I prefer C:\HJT\HijackThis.exe, if you need additional instructions use these: http://russelltexas.com/malware/createhjtfolder.htm

This updated version of HJT has exposed a nasty:
O20 - Winlogon Notify: Unimodem - C:\WINDOWS\system32\e002lado1d0c.dll
(Winlogon Notify entries named ShellServiceObjectDelayLoad, SideBySide, StillImage, Syncmgr, Telephony, ThemeManager, Themes or Unimodem, pointing to a random named dll in the System32 folder: variant of Adware.Look2Me.)
I find a free tool by Spysweeper does the easiest job of this, but the instructions must be followed exactly. You must download and use the Spy Sweeper 4.5 - Free Trial, which you will find at the bottom of this page:
http://www.webroot.com/consumer/products/spysweeper/latestv.html No other SS tool will work. Use these directions:

Install it using the Standard Install option. (You will be asked for your e-mail address, it is safe to give it. If you receive alerts from your firewall, allow all activities for Spy Sweeper)

You will be prompted to check for updated definitions, please do so.
(This may take several minutes)

Click on Options > Sweep Options and check Sweep all Folders on Selected drives. Check Local Disc C. Under What to Sweep, check every box.

Click on Sweep and allow it to fully scan your system.

When the sweep has finished, click Remove. Click Select All and then Next

From 'Results', select the Session Log tab. Click Save to File and save the log somewhere convenient.

Exit Spy Sweeper.

Restart your computer <<< very important.

Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O4 - HKLM\..\Run: [drsmartloadb] c:\\drsmartloadb.exe
O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd.exe
O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban.exe
O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} - http://akamai.downloadv3.com/binarie...tc32_EN_XP.cab
O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} - http://akamai.downloadv3.com/binarie...pe32_EN_XP.cab
O20 - Winlogon Notify: Unimodem - C:\WINDOWS\system32\e002lado1d0c.dll
(this one may be gone)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Enable hidden files & folders; reverse the process when finished.
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

RIGHT Click on Start then click on Explore. Locate and delete these items:

c:\\drsmartloadb.exe >>> file

C:\windows\winsysupd.exe >>> file

C:\windows\winsysban.exe >>> file

C:\Windows\Prefetch\ >>> delete everything in this folder (NOT THE FOLDER)
Prefetch info: http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

Restart the computer and post the log from the Spysweeper sweep, a new HJT log and any comments you think I should have. How is the computer running now? We will have some more to do.

Thanks...Phil
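As an added illustration (not part of the thread, and not a tool either poster used), the script below applies the same triage Phil did by eye to HijackThis log lines: R0/R1 search settings pointing at the hijacker domain from this thread, O4 Run entries launched straight out of C:\ or C:\Windows, O16 ActiveX downloads from hosts outside a trusted set, and O20 Winlogon Notify entries loading an unknown or random-named DLL (the Look2Me pattern described above). The watch list, trusted DPF hosts and known Notify DLL are assumptions chosen for this box; the sample log is constructed from lines quoted in the thread.

```python
"""Flag suspicious HijackThis log entries of the kinds discussed in this thread.

This is a review aid, not a verdict engine: every finding is a candidate
for a human to confirm against the rest of the log.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Domain that hijacked the IE search settings in this thread's first log.
WATCHED_DOMAINS = {"searchbar.findthewebsiteyouneed.com"}
# Hosts from which O16 ActiveX (DPF) downloads are expected on this box (assumption).
TRUSTED_DPF_HOSTS = {"go.microsoft.com", "update.microsoft.com", "register.tesco.net"}
# Winlogon Notify DLLs accepted as legitimate here (assumption: WRLogonNTF.dll is Spy Sweeper's).
KNOWN_NOTIFY_DLLS = {"wrlogonntf.dll"}
# Legitimate software rarely auto-runs an executable parked directly in these folders.
SUSPECT_DIRS = {"c:\\", "c:\\windows"}

LINE_RE = re.compile(r"^([OR]\d+) - (.*)$")
O4_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[[^\]]+\] (.+)$")
# Letters and digits mixed in an 8+ character base name, e.g. e002lado1d0c.dll
RANDOM_NAME_RE = re.compile(r"^(?=.*[a-z])(?=.*\d)[a-z0-9]{8,}\.dll$")


@dataclass(frozen=True)
class Finding:
    code: str    # HijackThis section, e.g. "O20"
    reason: str  # why the line was flagged
    line: str    # the original log line


def run_target(cmd: str) -> str:
    """Return the executable path from an O4 command string (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split()[0]


def check_line(line: str) -> Optional[Finding]:
    """Return a Finding for one log line, or None when nothing looks off."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, body = m.groups()
    if code in ("R0", "R1") and " = " in body:
        host = urlparse(body.rsplit(" = ", 1)[1]).hostname or ""
        if host in WATCHED_DOMAINS:
            return Finding(code, f"IE setting points at watched domain {host}", line)
    elif code == "O4":
        m4 = O4_RE.match(body)
        if m4:
            # HJT prints a doubled backslash for c:\\drsmartloadb.exe; normalise it.
            exe = run_target(m4.group(1)).replace("\\\\", "\\").lower()
            if ntpath.dirname(exe) in SUSPECT_DIRS:
                return Finding(code, f"Run entry launches {exe} from a bare system folder", line)
    elif code == "O16" and " - " in body:
        host = urlparse(body.rsplit(" - ", 1)[1]).hostname or ""
        if host and host not in TRUSTED_DPF_HOSTS:
            return Finding(code, f"ActiveX download from untrusted host {host}", line)
    elif code == "O20" and body.startswith("Winlogon Notify:"):
        path = body.split(" - ", 1)[1].replace(" (file missing)", "")
        dll = ntpath.basename(path).lower()
        if dll not in KNOWN_NOTIFY_DLLS:
            why = "random-looking name" if RANDOM_NAME_RE.match(dll) else "unknown DLL"
            return Finding(code, f"Winlogon Notify loads {dll} ({why})", line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Run check_line over every line of a HijackThis log."""
    findings = [check_line(ln) for ln in log_text.splitlines()]
    return [f for f in findings if f is not None]


# Constructed sample, assembled from lines quoted earlier in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [drsmartloadb] c:\\drsmartloadb.exe
O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Tesco Internet Security\Common\FSM32.EXE" /splash
O10 - Broken Internet access because of LSP provider 'winsflt.dll' missing
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} - http://akamai.downloadv3.com/binaries/IA/dtc32_EN_XP.cab
O20 - Winlogon Notify: Unimodem - C:\WINDOWS\system32\e002lado1d0c.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.code}] {f.reason}\n    {f.line}")
```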

tiedend
2006-02-14, 22:15
Phil

Thanks again for the response.

I am on my own PC now with this response and I will not be able to attend to this until tomorrow, Wednesday, approx. 18.30 GMT. My neighbour will be out during the day until then.

I will do what you have suggested and respond.

Thanks.

Graham

tiedend
2006-02-15, 23:18
Phil

I have followed your list of instructions.

My first mistake was to download Webroot on my neighbour's dial-up connection as it took over 30 minutes. I should have done it on my broadband connection.

Webroot did its job and the log is appended below.

Webroot log: -

********
19:28: | Start of Session, 15 February 2006 |
19:28: Spy Sweeper started
19:28: Sweep initiated using definitions version 615
19:28: Starting Memory Sweep
19:34: Memory Sweep Complete, Elapsed Time: 00:06:20
19:34: Starting Registry Sweep
19:35: Found Adware: instant access
19:35: HKCR\clsid\{093f9cf8-0de1-491c-95d5-5ec257bd4ca3}\ (3 subtraces) (ID = 128671)
19:35: HKLM\software\classes\clsid\{093f9cf8-0de1-491c-95d5-5ec257bd4ca3}\ (3 subtraces) (ID = 128723)
19:35: HKLM\software\classes\clsid\{eeeca057-ad0f-44a7-8be5-8634cedbdbd1}\ (3 subtraces) (ID = 128749)
19:35: Found Adware: dollarrevenue
19:35: HKLM\software\microsoft\drsmartload\ (1 subtraces) (ID = 916795)
19:35: HKLM\software\microsoft\windows\currentversion\run\ || drsmartloadb (ID = 1108482)
19:35: HKLM\software\microsoft\windows\currentversion\run\ || drsmartloadb (ID = 1113658)
19:35: Found Adware: findthewebsiteyouneed hijacker
19:35: HKLM\software\microsoft\windows\currentversion\run\ || winsysupd (ID = 1121711)
19:35: HKLM\software\microsoft\windows\currentversion\run\ || winsysban (ID = 1121712)
19:35: HKU\S-1-5-21-3854899237-2244755008-1844185986-1006\software\egdhtml\ (1 subtraces) (ID = 128787)
19:35: HKU\S-1-5-21-3854899237-2244755008-1844185986-1006\software\microsoft\windows\currentversion\wintrust\trust providers\software publishing\trust database\0\ || goicfboogidikkejccmclpieicihhlpo bgdjdn (ID = 128845)
19:35: Found Adware: findthewebsiteyouneed hijack
19:35: HKU\S-1-5-21-3854899237-2244755008-1844185986-1006\software\microsoft\internet explorer\search\searchassistant explorer\main\ || default_search_url (ID = 555437)
19:35: Registry Sweep Complete, Elapsed Time:00:01:06
19:35: Starting Cookie Sweep
19:36: Found Spy Cookie: 2o7.net cookie
19:36: kgw@112.2o7[2].txt (ID = 1958)
19:36: Found Spy Cookie: yieldmanager cookie
19:36: kgw@ad.yieldmanager[1].txt (ID = 3751)
19:36: Found Spy Cookie: addynamix cookie
19:36: kgw@addynamix[1].txt (ID = 2061)
19:36: Found Spy Cookie: hbmediapro cookie
19:36: kgw@adopt.hbmediapro[2].txt (ID = 2768)
19:36: Found Spy Cookie: hotbar cookie
19:36: kgw@adopt.hotbar[2].txt (ID = 4207)
19:36: Found Spy Cookie: adtech cookie
19:36: kgw@adtech[1].txt (ID = 2155)
19:36: Found Spy Cookie: advertising cookie
19:36: kgw@advertising[2].txt (ID = 2175)
19:36: Found Spy Cookie: adviva cookie
19:36: kgw@adviva[1].txt (ID = 2177)
19:36: Found Spy Cookie: falkag cookie
19:36: kgw@as1.falkag[1].txt (ID = 2650)
19:36: Found Spy Cookie: atlas dmt cookie
19:36: kgw@atdmt[2].txt (ID = 2253)
19:36: Found Spy Cookie: belnk cookie
19:36: kgw@belnk[1].txt (ID = 2292)
19:36: Found Spy Cookie: bluestreak cookie
19:36: kgw@bluestreak[1].txt (ID = 2314)
19:36: Found Spy Cookie: bs.serving-sys cookie
19:36: kgw@bs.serving-sys[1].txt (ID = 2330)
19:36: Found Spy Cookie: touchclarity cookie
19:36: kgw@btow.touchclarity[1].txt (ID = 3566)
19:36: Found Spy Cookie: hitslink cookie
19:36: kgw@counter.hitslink[2].txt (ID = 2790)
19:36: kgw@dist.belnk[2].txt (ID = 2293)
19:36: Found Spy Cookie: ru4 cookie
19:36: kgw@edge.ru4[1].txt (ID = 3269)
19:36: Found Spy Cookie: exitexchange cookie
19:36: kgw@exitexchange[2].txt (ID = 2633)
19:36: Found Spy Cookie: screensavers.com cookie
19:36: kgw@i.screensavers[2].txt (ID = 3298)
19:36: Found Spy Cookie: mediaplex cookie
19:36: kgw@mediaplex[2].txt (ID = 6442)
19:36: kgw@microsofteup.112.2o7[1].txt (ID = 1958)
19:36: Found Spy Cookie: realtracker cookie
19:36: kgw@project2.realtracker[1].txt (ID = 3242)
19:36: Found Spy Cookie: qksrv cookie
19:36: kgw@qksrv[1].txt (ID = 3213)
19:36: Found Spy Cookie: rn11 cookie
19:36: kgw@rn11[2].txt (ID = 3261)
19:36: Found Spy Cookie: findthewebsiteyouneed cookie
19:36: kgw@searchbar.findthewebsiteyouneed[1].txt (ID = 2673)
19:36: Found Spy Cookie: serving-sys cookie
19:36: kgw@serving-sys[2].txt (ID = 3343)
19:36: Found Spy Cookie: starware.com cookie
19:36: kgw@starware[2].txt (ID = 3441)
19:36: Found Spy Cookie: dealtime cookie
19:36: kgw@stat.dealtime[2].txt (ID = 2506)
19:36: Found Spy Cookie: tmpad cookie
19:36: kgw@tmpad[2].txt (ID = 3545)
19:36: Found Spy Cookie: tradedoubler cookie
19:36: kgw@tradedoubler[1].txt (ID = 3575)
19:36: Found Spy Cookie: trafficmp cookie
19:36: kgw@trafficmp[1].txt (ID = 3581)
19:36: kgw@web2.realtracker[1].txt (ID = 3242)
19:36: kgw@www.findthewebsiteyouneed[1].txt (ID = 2673)
19:36: user 1@advertising[1].txt (ID = 2175)
19:36: Cookie Sweep Complete, Elapsed Time: 00:00:05
19:36: Starting File Sweep
19:37: Found Adware: command
19:37: mte3ndi6odoxng[1].0xe (ID = 185985)
19:37: Found Adware: look2me
19:37: installer[1].exe (ID = 168558)
19:37: winsysupd[1].0xe (ID = 233482)
19:37: winsysban[1].0xe (ID = 233481)
19:37: winsysupd.0xe (ID = 233482)
19:37: Found Adware: easywww
19:37: easywww2[1].0xe (ID = 59442)
19:38: mte3ndi6odoxng.0xe (ID = 185985)
19:38: dtc32.0ll (ID = 63676)
19:38: timessquare[1].0xe (ID = 194150)
19:40: Found Adware: carima dialer
19:40: 1014672[1].0xe (ID = 52126)
19:40: tmlpcert2005 (ID = 63918)
19:42: 1014672.0xe (ID = 52126)
19:42: isrtrmgr.dll (ID = 159)
19:43: Found Adware: adtech
19:43: adtech2006a[1].0xe (ID = 209133)
19:43: easywww2.0xe (ID = 59442)
19:44: winsysban.0xe (ID = 233481)
19:44: mgxml3.dll (ID = 163672)
19:45: lvru0999e.dll (ID = 159)
19:46: netpe32.0ll (ID = 63885)
19:46: lvr4099qe.dll (ID = 159)
19:48: mhxml3r.dll (ID = 159)
19:49: h2n00c5mef.dll (ID = 159)
19:49: drsmartloadb[1].0xe (ID = 216717)
19:51: mcisam11.dll (ID = 159)
19:51: timessquare.0xe (ID = 194150)
19:51: adtech2006a.0xe (ID = 209133)
19:51: drsmartloadb.0xe (ID = 216717)
19:52: installer.exe (ID = 168558)
19:53: dtc32.inf (ID = 63678)
19:53: netpe32.inf (ID = 63886)
19:53: Warning: Invalid file - not a PKZip file
19:53: Warning: Invalid file - not a PKZip file
19:53: Warning: Invalid file - not a PKZip file
19:53: Warning: Invalid file - not a PKZip file
19:53: Warning: Invalid file - not a PKZip file
19:53: Warning: Invalid file - not a PKZip file
19:53: Warning: Invalid file - not a PKZip file
19:53: Warning: Invalid file - not a PKZip file
19:53: Warning: Invalid file - not a PKZip file
19:53: Warning: Invalid file - not a PKZip file
19:53: Warning: Invalid file - not a PKZip file
19:53: File Sweep Complete, Elapsed Time: 00:17:42
19:53: Full Sweep has completed. Elapsed time 00:25:33
19:53: Traces Found: 86
21:13: Removal process initiated
21:13: Quarantining All Traces: look2me
21:14: look2me is in use. It will be removed on reboot.
21:14: lvru0999e.dll is in use. It will be removed on reboot.
21:14: mhxml3r.dll is in use. It will be removed on reboot.
21:14: h2n00c5mef.dll is in use. It will be removed on reboot.
21:14: Quarantining All Traces: dollarrevenue
21:14: Quarantining All Traces: adtech
21:14: Quarantining All Traces: carima dialer
21:14: Quarantining All Traces: command
21:14: Quarantining All Traces: easywww
21:14: Quarantining All Traces: findthewebsiteyouneed hijacker
21:14: Quarantining All Traces: findthewebsiteyouneed hijack
21:14: Quarantining All Traces: instant access
21:14: Quarantining All Traces: 2o7.net cookie
21:14: Quarantining All Traces: addynamix cookie
21:14: Quarantining All Traces: adtech cookie
21:14: Quarantining All Traces: advertising cookie
21:14: Quarantining All Traces: adviva cookie
21:14: Quarantining All Traces: atlas dmt cookie
21:14: Quarantining All Traces: belnk cookie
21:14: Quarantining All Traces: bluestreak cookie
21:14: Quarantining All Traces: bs.serving-sys cookie
21:14: Quarantining All Traces: dealtime cookie
21:14: Quarantining All Traces: exitexchange cookie
21:14: Quarantining All Traces: falkag cookie
21:14: Quarantining All Traces: findthewebsiteyouneed cookie
21:14: Quarantining All Traces: hbmediapro cookie
21:14: Quarantining All Traces: hitslink cookie
21:14: Quarantining All Traces: hotbar cookie
21:14: Quarantining All Traces: mediaplex cookie
21:14: Quarantining All Traces: qksrv cookie
21:14: Quarantining All Traces: realtracker cookie
21:14: Quarantining All Traces: rn11 cookie
21:14: Quarantining All Traces: ru4 cookie
21:14: Quarantining All Traces: screensavers.com cookie
21:14: Quarantining All Traces: serving-sys cookie
21:14: Quarantining All Traces: starware.com cookie
21:14: Quarantining All Traces: tmpad cookie
21:14: Quarantining All Traces: touchclarity cookie
21:14: Quarantining All Traces: tradedoubler cookie
21:14: Quarantining All Traces: trafficmp cookie
21:14: Quarantining All Traces: yieldmanager cookie
21:17: Removal process completed. Elapsed time 00:03:41
********
19:15: | Start of Session, 15 February 2006 |
19:15: Spy Sweeper started
19:17: IE Security Shield: found: C:\PROGRAM FILES\TESCONET\TESCONET.EXE -- IE Security modification allowed at user request
19:18: IE Security Shield: found: C:\PROGRAM FILES\TESCONET\TESCONET.EXE -- IE Security modification allowed at user request
19:24: Your spyware definitions have been updated.
19:28: | End of Session, 15 February 2006 |


I exited Spy sweeper and rebooted and then ran HiJack this as suggested.

I did the system scan and then went to place a check beside the entries you advised. This is what I found: -

These items to deal with were not there in the HijackThis list: -

O4 - HKLM\..\Run: [drsmartloadb] c:\\drsmartloadb.exe
O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd.exe
O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban.exe
O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} -

O20 - Winlogon Notify: Unimodem - C:\WINDOWS\system32\e002lado1d0c.dll
You said this might be gone.

Then after hitting "Fix checked" I searched for the files to delete:

c:\\drsmartloadb.exe >>> file: no trace of the file even with a full search

C:\windows\winsysupd.exe >>> file: no trace of the file even with a full search; however, I did find a file C:\windows\winsysupd1.dat. I did not delete it. Is it connected?

C:\windows\winsysban.exe >>> file: no trace of the file even with a full search

I then deleted the contents of the prefetch folder, which is now empty. The contents are in the recycle bin. I presume it's OK to delete them.

Then rebooted, and here is the latest HiJackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 22:02:07, on 15/02/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\TESCOI~1\backweb\9655419\Program\SERVIC~1.EXE
C:\Program Files\Tesco Internet Security\Anti-Virus\fsgk32st.exe
C:\Program Files\Tesco Internet Security\Anti-Virus\FSGK32.EXE
C:\Program Files\Tesco Internet Security\backweb\9655419\program\fsbwsys.exe
C:\Program Files\Tesco Internet Security\Common\FSMA32.EXE
C:\Program Files\Tesco Internet Security\Anti-Virus\fssm32.exe
C:\Program Files\Tesco Internet Security\Common\FSMB32.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Tesco Internet Security\Common\FCH32.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Tesco Internet Security\Common\FAMEH32.EXE
C:\Program Files\Tesco Internet Security\FSPC\fspc.exe
C:\WINDOWS\htpatch.exe
C:\WINDOWS\System32\sistray.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
C:\Program Files\Tesco Internet Security\Common\FSM32.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Tesco Internet Security\Anti-Virus\fsav32.exe
C:\Program Files\Tesco Internet Security\backweb\9655419\Program\fspex.exe
C:\Program Files\Tesco Internet Security\FWES\Program\fsdfwd.exe
C:\Program Files\Tesco Internet Security\FSGUI\fsguiexe.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\rundll32.exe
C:\HJT\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tesco.net
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [OneTouch Monitor] "C:\Program Files\Visioneer OneTouch\OneTouchMon.exe"
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Tesco Internet Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Tesco Internet Security\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Tesco Internet Security\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Tesco Internet Security\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Show website &list - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Tesco Internet Security\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - C:\Program Files\Tesco Internet Security\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: &Suspend Webpage Filter - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - C:\Program Files\Tesco Internet Security\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - C:\Program Files\Tesco Internet Security\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: &Deny this website - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - C:\Program Files\Tesco Internet Security\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - C:\Program Files\Tesco Internet Security\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: &Allow this website - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - C:\Program Files\Tesco Internet Security\FSPC\fspcmsie.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'winsflt.dll' missing
O14 - IERESET.INF: START_PAGE_URL=http://www.tesco.net
O16 - DPF: NTLSignup - https://register.tesco.net/tesco/NTLSignup.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136111518159
O17 - HKLM\System\CCS\Services\Tcpip\..\{9DFDEB36-8873-4C80-A88B-1197BD6D84F8}: NameServer = 194.168.4.100 194.168.8.100
O20 - Winlogon Notify: Run - C:\WINDOWS\system32\lvru0999e.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Tesco Internet Security (BackWeb Plug-in - 9655419) - Unknown owner - C:\PROGRA~1\TESCOI~1\backweb\9655419\Program\SERVIC~1.EXE
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program Files\Tesco Internet Security\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\Tesco Internet Security\backweb\9655419\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Tesco Internet Security\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure HTTP Server (fshttps) - F-Secure Corporation - C:\Program Files\Tesco Internet Security\FSPC\fshttps\fshttps.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\Tesco Internet Security\Common\FSMA32.EXE
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

I have done a couple of reboots and so far the system seems to be a lot better with no rogue IE windows opening up web sites we don't want to see.

If you have any other suggestions once you have had a chance to review the logs I would be happy to follow them through.

It's now 10:15 GMT. I can't do anything tomorrow evening as I have a meeting to attend, so if you can come back to me I will deal with any follow-ups on Friday evening if that's ok.

My neighbour and I are very grateful for your help.

Graham

pskelley
2006-02-16, 01:10
"I then deleted the contents of the prefetch folder which is now empty. The contents are in the recycle bin. I presume it's ok to delete them."
Most of the stuff is good, perhaps it all might be. I find it easier to delete it all than to ask folks to find a few bad items, and an occasional purge of prefetch will not hurt, just slow things down a little until Windows repopulates with what it needs to "Prefetch" for you. You can let the stuff sit for a day or two, then clean out the recycle bin. To comment around your red highlights, I have a tendency to overkill, preferring to look for the junk several ways rather than miss it. Spysweeper got a lot of the junk before you looked for it.

"C:\windows\winsysupd1.dat. I did not delete it. Is it connected?"
Yes...move that file to the recycle bin and delete it in a couple of days with the rest.

Use HJT to remove this line: O20 - Winlogon Notify: Run - C:\WINDOWS\system32\lvru0999e.dll (file missing)

Remember, once the trial is over, unless you purchase SpySweeper, it is of no value and just uses resources.

Once that line that is missing its file is removed the log will be clean. Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://boards.cexx.org/viewtopic.php?t=957
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Here are some ideas that may help the computer run better, just don't tackle anything you are not comfortable with.
http://www.microsoft.com/windows/IE/community/columns/IEtopten.mspx
http://vlaurie.com/computers2/Articles/runbetter.htm
http://www.linkgrinder.com/tutorials/10_Easy_Steps_to_Speed_Up_Your_Comp_24946_Computers_article.html

System Restore does not know good from bad, it backs up everything. In case some of the infection got into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, restart your computer and turn it back on.
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?OpenDocument&src=sec_doc_nam

If there is anything else we can do, let us know...Safe surfing...Phil:bigthumb:

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
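As an added illustration (not code from this thread, from HijackThis, or from the helper), the following Python script parses lines in the HijackThis log format and flags the two kinds of entries Phil singles out: an O20 Winlogon Notify hook whose DLL is reported missing and an O10 broken LSP entry. The sample lines are constructed to mirror those in the log above, and the flagging rules are this example's own heuristic, not HijackThis logic.

```python
import re

# Constructed sample lines in HijackThis log format (mirroring the log above).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O10 - Broken Internet access because of LSP provider 'winsflt.dll' missing
O20 - Winlogon Notify: Run - C:\WINDOWS\system32\lvru0999e.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\Tesco Internet Security\backweb\9655419\program\fsbwsys.exe
"""

# Every HJT entry starts with a section code (R0-R3, F0-F3, N1-N4, O1-O24) and " - ".
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")


def parse_hjt(text):
    """Return a list of (section, detail) tuples; non-entry lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def review_entries(entries):
    """Heuristic triage (this example's assumption): flag entries a reviewer
    would look at first. Returns (section, reason, detail) tuples."""
    findings = []
    for section, detail in entries:
        if section == "O20" and detail.endswith("(file missing)"):
            # Winlogon Notify package whose DLL is gone: an orphaned hook left
            # behind after the malware file was removed; the registry entry
            # itself still needs cleaning, which is what HJT's fix does here.
            findings.append((section, "orphaned Winlogon Notify entry", detail))
        elif section == "O10" and "missing" in detail:
            # Layered Service Provider chain referencing a missing DLL breaks
            # Winsock for every application until the chain is repaired.
            findings.append((section, "broken LSP chain", detail))
    return findings


if __name__ == "__main__":
    for section, reason, detail in review_entries(parse_hjt(SAMPLE_LOG)):
        print(f"{section}: {reason}\n    {detail}")
```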

tiedend
2006-02-16, 18:56
Phil

Thanks again.

Just looked at your response from last night before I go to my meeting.

I have noted what you have said and will do as you suggest.

I will do this tomorrow evening.

Thank you once again for your help and advice. My neighbour thinks you are the main man.

I will only post again if I have problems and will use a new title.

Best wishes

Graham

pskelley
2006-02-16, 19:59
Hi Graham, Tell that nice neighbor to take care because it is a cyber jungle out there. Glad we could help out and I wish you safe surfing. Our tashi, esteemed member of Team Spybot will be along to close you shortly.

Thanks...Phil :greeting:
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier

tashi
2006-02-20, 00:38
Glad we could help, thanks Phil.:bigthumb: