Sponsor for PC Pals Forum

Author Topic: HELP!!!  (Read 3359 times)

Offline mechelle1

  • New Member
  • *
  • Posts: 6
HELP!!!
« on: May 04, 2004, 18:15 »
Hi,
I have real problems with my pooter!!! I have been hijacked and i think i have solved a few probs myself and have now installed EZ firewall and anti virus software but since starting it i cannot access aol.co.uk which i use for some emails!
I have cw shredder, adware and spybot search and destroy which have been run in safe mode. I also have spyware blaster.
Below is the log from hijack this    what do i delete? and how do i access aol emails (i can access them if i disable the EZ software!

Thanks in advance
Mechelle xxx

Logfile of HijackThis v1.97.7
Scan saved at 18:16:29, on 04/05/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\VetMsgNT.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\services\wmplayer.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\32 Upload Window\filedrvsign.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\ca.exe
C:\WINNT\system32\internat.exe
C:\Documents and Settings\Administrator\Application Data\obuw.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http:/www.ntlworld.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = ntlworld.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by ntl:home
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = ntlworld.com
F1 - win.ini: run=C:\WINNT\system32\services\wmplayer.exe
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [wayshow] C:\PROGRA~1\32 Upload Window\filedrvsign.exe
O4 - HKLM\..\Run: [xpsystem] C:\WINNT\system32\services\wmplayer.exe
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\ca.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Nmau] C:\Documents and Settings\Administrator\Application Data\obuw.exe
O4 - HKCU\..\Run: [xpsystem] C:\WINNT\system32\services\wmplayer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O15 - Trusted Zone: http://register-tesco.qa.business.ntl.com
O15 - Trusted Zone: http://memberservices.tesco.net
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38111.1092824074
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{59035512-295F-4F25-8283-058A4BD7A4DB}: NameServer = 194.168.4.100 194.168.8.100


Offline mechelle1

  • New Member
  • *
  • Posts: 6
Re:HELP!!!
« Reply #1 on: May 04, 2004, 18:20 »
Hi,
Me again,
Also the home page still keeps changing to http://www.coolsearch.biz or http://aifind.info
and when i am online on variouse sites this web page takes over and then cuts out what i was on
1-2-3-4-5-6-7-8-9-8-7-6-5-4-3-2-1.sexocean.biz

Whats going on???

Offline Simon

  • Administrator
  • *****
  • Posts: 76527
  • First to score 7/7 in Quiz of The Week's News 2017
Re:HELP!!!
« Reply #2 on: May 04, 2004, 18:57 »
Hi Mechelle, and  

Nothing shouts at me from that HJT list, but then I'm no expert.  Two things I might perhaps wonder about are:

C:\Documents and Settings\Administrator\Application Data\obuw.exe

O4 - HKCU\..\Run: [Nmau] C:\Documents and Settings\Administrator\Application Data\obuw.exe


I can't find out what these are.  Well, nothing comes up on Google anyway.  Do you know what they might be?  I wouldn't delete anything just yet.

Until an expert comes along, I can only suggest fully updating all your spyware defences, and running them again, in safe mode, but with System Restore (if you're on XP) temporarily disabled, as something might be hiding in the System Restore folder, and therefore keeps coming back.
Many thanks to all our members, who have made PC Pals such an outstanding success!   :thumb:

Offline TR

  • Forum Fanatic
  • ******
  • Posts: 7123
Re:HELP!!!
« Reply #3 on: May 04, 2004, 19:19 »
This one sticks out a mile... >>> O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)

And this 1 ..O4 - HKCU\..\Run: [internat.exe] internat.exe

And this 1 O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

Offline Simon

  • Administrator
  • *****
  • Posts: 76527
  • First to score 7/7 in Quiz of The Week's News 2017
Re:HELP!!!
« Reply #4 on: May 04, 2004, 19:59 »
That first one might be something, Hook, but I Googled 'internat', and found this.   :-\
Many thanks to all our members, who have made PC Pals such an outstanding success!   :thumb:

Adept

  • Guest
Re:HELP!!!
« Reply #5 on: May 04, 2004, 21:23 »
I found these removal instructions for removing CoolWebSearch. I presume they need to be performed on a PC booted into Safe Mode.

How to manually remove CoolWebSearch from your system?

WARNING : Modifying your registry or system files can render your system unusable in case of any error.

1. Remove coolwebsearch: DataNotary, BootConf and MSInfo variants

    * Turn off user-style sheet option at Tools->Internet Options->Accessibility in your Internet Explorer.
    * You should now be able to delete the user stylesheet from the Windows folder. With DataNotary it is called 'default.css'; with MSInfo it is called 'oslogo.bmp'; with Bootconf it may be either.

2. Remove coolwebsearch: MSInfo variant

    * Delete the line ?run=C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSINFO\msinfo.exe? from win.ini file in your Windows folder. This line may be changed a little on different systems, but will always point to msinfo.exe.
    * Delete the ?c:\ProgramFiles\Common Files\MSInfo' folder.

3. Remove coolwebsearch: BootConf, SvcHost variants

    * Open the registry and find the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    * Delete the bootconf.exe or svchost.exe entry
    * You can then delete the bootconf.exe or svchost32.exe file from the System folder (called 'System32' on Windows NT/2000/XP).

4. Remove coolwebsearch: BootConf, SvcHost, MSInfo variants

    * Find the file ?HOSTS? with no extension in the drivers\etc folders in your System folder
    * Either edit it to remove the hijacker entries, or simply delete the file.

5. Remove coolwebsearch: PnP variant

    * Find the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    * Delete the SysPnP entry
    * Also delete the oemsysinf.pnp file from the 'inf' folder inside your Windows folder.

6. Remove coolwebsearch: MSSPI variant

    * This is very tricky to remove by hand as this can result in loosing your internet connection. It is advised that you do not do this by hand.
    * Open the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinSock2 \Parameters\Protocol_Catalog9\Catalog_Entries
    * Delete the subkeys starting with the path of msspi.dll
    * Renumber the remaining subkeys, and set the Num_Catalog_Entries value in the Protocol_Catalog9 key to match the highest numbered subkey left.
    * Open the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    * Delete the a msupdate entry if it is there
    * Restart the computer and you should be to delete msspi.dll in the System folder (called 'System32' on Windows NT/2000/XP), along with msupdate.exe if it is present.

7. Remove coolwebsearch: DNSRelay variant

    * Open a DOS command prompt window and enter the following commands:
    * cd "%WinDir%\System"
    * regsvr32 /u dnsrelay.dll
    * Restart
    * You should be able to delete the file 'dnsrelay.dll' in the System folder (called 'System32' on Windows NT/2000/XP).

After you have removed any variants of CoolWebSearch which you have there is one last thing which you need to do to complete the removal process. Go to Internet Options->Programs->Reset Web Settings in your Internet Explorer to remove the hijacked home page and search settings.

Congratulations, you have successfully removed CoolWebSearch from your computer by the remove cool web search uninstalling and removal guide.

Offline Dack

  • Established Member
  • ****
  • Posts: 831
Re:HELP!!!
« Reply #6 on: May 04, 2004, 22:12 »
If you run HJT again and fix the following entries:


F1 - win.ini: run=C:\WINNT\system32\services\wmplayer.exe
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe     Downloader trojan
O4 - HKLM\..\Run: [xpsystem] C:\WINNT\system32\services\wmplayer.exe
O4 - HKCU\..\Run: [Nmau] C:\Documents and Settings\Administrator\Application Data\obuw.exe
O4 - HKCU\..\Run: [xpsystem] C:\WINNT\system32\services\wmplayer.exe


You should be fixed - the wmplayer is not the real one. You would be best doing this in safe mode.

You can then go and delete the offending files.

The OS9 file is the standard office startup while the internat is the international support.
hey promised the earth! Then delivered mud.
Technically it did meet the spec.

Offline Simon

  • Administrator
  • *****
  • Posts: 76527
  • First to score 7/7 in Quiz of The Week's News 2017
Re:HELP!!!
« Reply #7 on: May 04, 2004, 23:39 »
Out of curiosity Dack, how did you know that wmplayer.exe isn't the real one?
Many thanks to all our members, who have made PC Pals such an outstanding success!   :thumb:

Offline Dack

  • Established Member
  • ****
  • Posts: 831
Re:HELP!!!
« Reply #8 on: May 05, 2004, 00:17 »
Because it's in the wrong place (it should be in Program files\Windows media player) and why would mediaplayer be loading on startup :)
hey promised the earth! Then delivered mud.
Technically it did meet the spec.

Offline mechelle1

  • New Member
  • *
  • Posts: 6
Re:HELP!!!
« Reply #9 on: May 05, 2004, 07:03 »
Thanks guys!! I will try everything you said and let you know, Does anyone know why i cant view aol emails?

Mechelle xx

Offline Simon

  • Administrator
  • *****
  • Posts: 76527
  • First to score 7/7 in Quiz of The Week's News 2017
Re:HELP!!!
« Reply #10 on: May 05, 2004, 08:05 »
I'm not familiar with EZ Firewall, but if you can access aol when you disable it, it sounds like the firewall is blocking it.  Try going into the Firewall options, and find the applications / programs list.  Find aol in that list, and, if it's blocked, either remove it from the list, so the Firewall asks for permission next time, and you can say Yes, or if there's an option to change it to 'Allow' (or similar), try that.
Many thanks to all our members, who have made PC Pals such an outstanding success!   :thumb:

Offline Michelle

  • Forum Fanatic
  • ******
  • Posts: 5242
    • Techieminx
Re:HELP!!!
« Reply #11 on: May 05, 2004, 08:26 »
Thats what I had to do with zone alarm Simon,  Aol do have a list of instructions on what to do with various firewalls,  I checked and EZ isn't on the list. But I'd assume it was the same.
Out of all the things I've lost .......I miss my mind the most!!

Offline Tony

  • Loyal Member
  • *****
  • Posts: 3367
    • http://www.sugrue.ndo.co.uk
Re:HELP!!!
« Reply #12 on: May 05, 2004, 09:38 »
I was upgrading a neigbours PC and he had EZ Anti-Virus and Firewall. The firewall is in actual fact Zone Alarm, you know the little box that pops up "do you want to allow" well it was the same, just a different colour.
Athiesm is a non-prophet organization.

Offline Tony

  • Loyal Member
  • *****
  • Posts: 3367
    • http://www.sugrue.ndo.co.uk
Re:HELP!!!
« Reply #13 on: May 05, 2004, 10:00 »
Anybody used http://www.simplysup.com/ it seems to be rated as a Trojan Remover ? It comes on a thirty day trial
Athiesm is a non-prophet organization.

Offline Simon

  • Administrator
  • *****
  • Posts: 76527
  • First to score 7/7 in Quiz of The Week's News 2017
Re:HELP!!!
« Reply #14 on: May 05, 2004, 20:18 »
Might be worth a try.  I'm using Trojan Hunter at the moment, which contains a real time scanner, and looks out for trojans as you download files.
Many thanks to all our members, who have made PC Pals such an outstanding success!   :thumb:


Show unread posts since last visit.
Sponsor for PC Pals Forum