Attack 1

gawdknows · Nov 18, 2003

Hi Group

since some days I think something's invaded my PC.

From my Internet-options, in the general Tab, I have given the instruction that a 'blank' page must start everytime I click on the IE button.

But recently it always starts with "

http://www.hand-book.com/hp/"

Where did this come from? when I inspect the 'general properties" I see instead of the 'blank' this has been put there..

My PC has also become slow.
As I write this mail, I see only the cursor move, the letters fall in place after an agonising 6-9 seconds[ wow!]

I have run Spybot and Hijack this...but can't get any joy.

I'm on IE5.5 on winME.

Some help to help this sick PC would be appreciated.
Thx.

carrr · Nov 18, 2003

Post your Hijack This! log here.

gawdknows · Nov 18, 2003

Here's the Log:
BTW I do see the URL in the Log
But how is the PC so slow...?

Even a mouse scroll is delayed by 6-8 seconds

*******Snip***********Logfile of HijackThis v1.97.3
Scan saved at 21:28:49, on 18-11-2003
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\IOMEGA\DRIVEICONS\IMGICON.EXE
C:\WINDOWS\SVCHOST.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\PROGRAM FILES\NIKON\NKVIEW4\NKVWMON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\NIKON\FOTOSTATION EASY AUTOLAUNCH.EXE
C:\PROGRAM FILES\ATMEL\802.11 WIRELESS LAN\WLANMONITOR.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =

http://acc.count-all.com/--/?cociz

(obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =

http://www.hand-book.com/search/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =

http://www.hand-book.com/search/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

http://acc.count-all.com/-/?cociz

(obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =

http://www.hand-book.com/search/

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

http://www.hand-book.com/search/

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

http://www.hand-book.com/search/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

http://www.hand-book.com/hp/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =

http://www.hand-book.com/search/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =

http://www.hand-book.com/search/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =

http://www.hand-book.com/search/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

http://www.hand-book.com/search/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

http://www.hand-book.com/search/

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =

http://www.hand-book.com/search/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R1 - HKCU\Software\Microsoft\Internet Explorer,Search =

http://acc.count-all.com/--/?cociz

(obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search =

http://acc.count-all.com/--/?cociz

(obfuscated)
F1 - win.ini: run=C:\WINDOWS\svcinit.exe
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL
O2 - BHO: HTML Source Editor - {086AE192-23A6-48D6-96EC-715F53797E85} - C:\WINDOWS\SYSTEM\DREPLACE.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\KRYPTON\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [Taakcontrole] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Tapicfg.exe] \tapicfg.exe
O4 - HKLM\..\Run: [Online Service] C:\WINDOWS\svchost.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - HKCU\..\Run: [IridiumTimeWizard] C:\Mijn documenten\iridium.exe
O4 - HKCU\..\Run: [iedll] C:\WINDOWS\iedll.exe
O4 - HKCU\..\Run: [loader] C:\WINDOWS\LOADER.EXE
O4 - HKCU\..\Run: [AddClass] C:\WINDOWS\ADDCLASS.EXE
O4 - HKCU\..\RunServices: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - HKCU\..\RunServices: [IridiumTimeWizard] C:\Mijn documenten\iridium.exe
O4 - HKCU\..\RunServices: [iedll] C:\WINDOWS\iedll.exe
O4 - HKCU\..\RunServices: [loader] C:\WINDOWS\LOADER.EXE
O4 - HKCU\..\RunServices: [AddClass] C:\WINDOWS\ADDCLASS.EXE
O4 - Startup: NkVwMon.exe.lnk = C:\Program Files\Nikon\NkView4\NkVwMon.exe
O4 - Startup: FotoStation Easy AutoLaunch.lnk = C:\Program Files\Nikon\FotoStation Easy AutoLaunch.exe
O4 - Startup: Configuration & Monitor Utility.lnk = C:\Program Files\ATMEL\802.11 Wireless LAN\WlanMonitor.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O13 -

http://WWW Prefix:

http://ehttp.cc/?

O19 - User stylesheet: C:\WINDOWS\Web\win.def
O19 - User stylesheet: C:\WINDOWS\default.css (HKLM)

********End Snip*******

carrr · Nov 18, 2003

First, since you're running ME, turn off System Restore.
How to here, if you need it:

http://www.pchell.com/virus/systemrestore.shtml

Then, using Hijack This!, remove these:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =

http://acc.count-all.com/--/?cociz

(obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =

http://www.hand-book.com/search/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =

http://www.hand-book.com/search/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

http://acc.count-all.com/-/?cociz

(obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =

http://www.hand-book.com/search/

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

http://www.hand-book.com/search/

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

http://www.hand-book.com/search/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

http://www.hand-book.com/hp/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =

http://www.hand-book.com/search/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =

http://www.hand-book.com/search/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =

http://www.hand-book.com/search/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

http://www.hand-book.com/search/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

http://www.hand-book.com/search/

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =

http://www.hand-book.com/search/

R1 - HKCU\Software\Microsoft\Internet Explorer,Search =

http://acc.count-all.com/--/?cociz

(obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search =

http://acc.count-all.com/--/?cociz

(obfuscated)

[Not sure what this is: R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
...if it's not yours, then kill it too.)

O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL

Trojans - KILL THESE
O4 - HKCU\..\RunServices: [iedll] C:\WINDOWS\iedll.exe
O4 - HKCU\..\RunServices: [loader] C:\WINDOWS\LOADER.EXE
O4 - HKCU\..\RunServices: [AddClass] C:\WINDOWS\ADDCLASS.EXE

Now, download this and run it for good measure:

http://www.spychecker.com/program/cwshredder.html

steamwiz · Nov 18, 2003

Hi

You have been hijacked by CWS

Download and run this program :-

http://www.spywareinfo.com/~merijn/files/cwshredder.zip

Then please post another hijackthis log so that we can tidy up the leftovers

steam

gawdknows · Nov 18, 2003

Wow...Rogue attack !

Thx. Group, I am going to execute the remedies and shall be back soon with the results.

TIA

gawdknows · Nov 18, 2003

Here's the new Hijack this log file...

am I clean this time around ?

BTW..I'm not seeing a runaway cursor anymore with the alphabets Falling behind....it's in synch. now ...

************Snip**********
Logfile of HijackThis v1.97.3
Scan saved at 22:57:25, on 18-11-2003
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\IOMEGA\DRIVEICONS\IMGICON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\PROGRAM FILES\NIKON\NKVIEW4\NKVWMON.EXE
C:\PROGRAM FILES\NIKON\FOTOSTATION EASY AUTOLAUNCH.EXE
C:\PROGRAM FILES\ATMEL\802.11 WIRELESS LAN\WLANMONITOR.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\KRYPTON\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [Taakcontrole] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - HKCU\..\Run: [IridiumTimeWizard] C:\Mijn documenten\iridium.exe
O4 - Startup: NkVwMon.exe.lnk = C:\Program Files\Nikon\NkView4\NkVwMon.exe
O4 - Startup: FotoStation Easy AutoLaunch.lnk = C:\Program Files\Nikon\FotoStation Easy AutoLaunch.exe
O4 - Startup: Configuration & Monitor Utility.lnk = C:\Program Files\ATMEL\802.11 Wireless LAN\WlanMonitor.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

**********End Snip*******

carrr · Nov 18, 2003

Looks straight. [thumbsup2]

gawdknows · Nov 18, 2003

For every Bad guy out there there's a Good Guy/s in the Tek-tips
:-D

Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Attack 1

gawdknows

Technical User

carrr

Technical User

gawdknows

Technical User

carrr

Technical User

steamwiz

Technical User

gawdknows

Technical User

gawdknows

Technical User

carrr

Technical User

gawdknows

Technical User

Similar threads

Part and Inventory Search

Sponsor