PLEASE HELP! Infected by a NEW(?) coolwebsearch variant? (dinamo.directwebsearch.net)
I'd like to report what appears to be a new strain of the coolwebsearch or omegasearch viruses and ask..., okay, BEG - for help in removing it. I'm including as much information as I can think of; if I'm missing something essential, I'll be happy to submit it in a follow-up...
Okay, here's the story: I've been infected by what appears to be a variant of the coolwebsearch virus and NOTHING is able to remove it. My homepage keeps getting changed to:
http://dinamo.directwebsearch.net/index.php
and my search page has also been directed there, my favorites have been deleted and replaced, etc.
I've tried each of the following programs - all updated - and NOTHING seems able to detect or remove the infestation:
Norton Anti-virus 2004
ZoneAlarm Pro
Ad-aware 6
SpyBot S&D 1.3
SpywareGuard
SpywareBlaster 3.1
CWShredder
miniremoval_coolwebsearch_smartkiller.exe
I've run HijackThis, which detected the bug, but I'm not sure what to delete and how to recognize the more hidden, insidious references to the bug. I'm attaching the HijackThis log, below.
I was recently infected with coolwebsearch and CWShredder worked beautifully to remove the beast. No such luck this time around...
What makes this even MORE frustrating is that I've searched the Internet for references to 'dinamo' and/or 'directwebsearch' or 'direct web search' etc, and can't find a SINGLE reference to this strain of the virus. I'd GREATLY appreciate any help I can get to remove this nasty pest.
Here is the HijackThis log:
Logfile of HijackThis v1.97.7
Scan saved at 1:29:01 PM, on 6/27/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\MONSERV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\ADSUBTRACT\ADSUB.EXE
C:\PROGRAM FILES\PALM\HOTSYNC.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OUTLOOK.EXE
D:\DOWNLOAD\OMEGASEARCH REMOVAL UTILITIES\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://dinamo.directwebsearch.net/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://dinamo.directwebsearch.net/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://dinamo.directwebsearch.net/search.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dinamo.directwebsearch.net/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://dinamo.directwebsearch.net/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://dinamo.directwebsearch.net/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dinamo.directwebsearch.net/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://dinamo.directwebsearch.net/search.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://dinamo.directwebsearch.net/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://dinamo.directwebsearch.net/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://dinamo.directwebsearch.net/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://dinamo.directwebsearch.net/search.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dinamo.directwebsearch.net/search.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://dinamo.directwebsearch.net/search.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=AdSubtract:4444
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://dinamo.directwebsearch.net/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://dinamo.directwebsearch.net/search.php
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Alps Electric USB Server] MONSERV.EXE
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [Essdc] essdc.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NPROTECT] c:\Program Files\Norton SystemWorks\Norton Utilities\Nprotect.exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [winupd] C:\WINDOWS\SYSTEM\winupd.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccEvtMgr] "c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [NPROTECT] c:\Program Files\Norton SystemWorks\Norton Utilities\Nprotect.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [CSINJECT.EXE] c:\Program Files\Norton SystemWorks\Norton CleanSweep\csinject.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [Second Copy 2000] "C:\PROGRAM FILES\SECCOPY\SECCOPY.EXE"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: AdSubtract.LNK = C:\Program Files\AdSubtract\adsub.exe
O4 - Startup: Quicken Scheduled Updates.lnk = C:\Program Files\QUICKENW\bagent.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O13 - WWW. Prefix: http://
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38013.6021759259
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://c:\nosuch.mht!http://69.31.79.180/winsearchie32.chm::/winsearchie32.exe
O16 - DPF: {11111111-1111-1111-1111-111111113456} - file://c:\info6_s.cab
Your assistance is GREATLY appreciated!
John
Okay, here's the story: I've been infected by what appears to be a variant of the coolwebsearch virus and NOTHING is able to remove it. My homepage keeps getting changed to:
http://dinamo.directwebsearch.net/index.php
and my search page has also been directed there, my favorites have been deleted and replaced, etc.
I've tried each of the following programs - all updated - and NOTHING seems able to detect or remove the infestation:
Norton Anti-virus 2004
ZoneAlarm Pro
Ad-aware 6
SpyBot S&D 1.3
SpywareGuard
SpywareBlaster 3.1
CWShredder
miniremoval_coolwebsearch_smartkiller.exe
I've run HijackThis, which detected the bug, but I'm not sure what to delete and how to recognize the more hidden, insidious references to the bug. I'm attaching the HijackThis log, below.
I was recently infected with coolwebsearch and CWShredder worked beautifully to remove the beast. No such luck this time around...
What makes this even MORE frustrating is that I've searched the Internet for references to 'dinamo' and/or 'directwebsearch' or 'direct web search' etc, and can't find a SINGLE reference to this strain of the virus. I'd GREATLY appreciate any help I can get to remove this nasty pest.
Here is the HijackThis log:
Logfile of HijackThis v1.97.7
Scan saved at 1:29:01 PM, on 6/27/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\MONSERV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\ADSUBTRACT\ADSUB.EXE
C:\PROGRAM FILES\PALM\HOTSYNC.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OUTLOOK.EXE
D:\DOWNLOAD\OMEGASEARCH REMOVAL UTILITIES\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://dinamo.directwebsearch.net/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://dinamo.directwebsearch.net/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://dinamo.directwebsearch.net/search.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dinamo.directwebsearch.net/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://dinamo.directwebsearch.net/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://dinamo.directwebsearch.net/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dinamo.directwebsearch.net/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://dinamo.directwebsearch.net/search.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://dinamo.directwebsearch.net/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://dinamo.directwebsearch.net/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://dinamo.directwebsearch.net/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://dinamo.directwebsearch.net/search.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dinamo.directwebsearch.net/search.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://dinamo.directwebsearch.net/search.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=AdSubtract:4444
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://dinamo.directwebsearch.net/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://dinamo.directwebsearch.net/search.php
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Alps Electric USB Server] MONSERV.EXE
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [Essdc] essdc.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NPROTECT] c:\Program Files\Norton SystemWorks\Norton Utilities\Nprotect.exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [winupd] C:\WINDOWS\SYSTEM\winupd.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccEvtMgr] "c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [NPROTECT] c:\Program Files\Norton SystemWorks\Norton Utilities\Nprotect.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [CSINJECT.EXE] c:\Program Files\Norton SystemWorks\Norton CleanSweep\csinject.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [Second Copy 2000] "C:\PROGRAM FILES\SECCOPY\SECCOPY.EXE"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: AdSubtract.LNK = C:\Program Files\AdSubtract\adsub.exe
O4 - Startup: Quicken Scheduled Updates.lnk = C:\Program Files\QUICKENW\bagent.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O13 - WWW. Prefix: http://
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38013.6021759259
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://c:\nosuch.mht!http://69.31.79.180/winsearchie32.chm::/winsearchie32.exe
O16 - DPF: {11111111-1111-1111-1111-111111113456} - file://c:\info6_s.cab
Your assistance is GREATLY appreciated!
John
0
Comments
Boot into safe mode, run HiJackThis, and delete the following:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://dinamo.directwebsearch.net/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://dinamo.directwebsearch.net/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://dinamo.directwebsearch.net/search.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dinamo.directwebsearch.net/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://dinamo.directwebsearch.net/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://dinamo.directwebsearch.net/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dinamo.directwebsearch.net/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://dinamo.directwebsearch.net/search.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://dinamo.directwebsearch.net/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://dinamo.directwebsearch.net/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://dinamo.directwebsearch.net/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://dinamo.directwebsearch.net/search.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dinamo.directwebsearch.net/search.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://dinamo.directwebsearch.net/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://dinamo.directwebsearch.net/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://dinamo.directwebsearch.net/search.php
O4 - HKLM\..\Run: [winupd] C:\WINDOWS\SYSTEM\winupd.exe
O13 - WWW. Prefix: http://
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://c:\nosuch.mht!http://69.31.79.180/winsearchie32.c...nsearchie32.exe
O16 - DPF: {11111111-1111-1111-1111-111111113456} - file://c:\info6_s.cab
Reboot and run a new HiJack scan. Please post the log here. You should also install a HOSTS file and SpywareBlaster.
Thank you so much for your speedy and excellent reply. I followed your instructions and, so far - knock on wood - everything seems nice and CLEAN! If any thing changes, I'll post a reply here. In the mean time, I'll post the current HijackThis log, below. I do have a few questions for you:
1. Have you ever seen this variant before? I couldn't find a SINGLE reference to it in all of my hunting around the Internet - including here at Short-Media...
2. I've got SpywareGuard v2.2.0 installed and running all the time, but the latest reference file (definitions date) is 1/22/04. I've tried the auto updater and it says I have the latest version of the definitions file. Seems a little odd to me, and was wondering what you think. Perhaps I should contact wildersecurity?
3. I've already got SpywareBlaster installed and will definitely install HOSTS file - if I can figure it out (I briefly looked at the website and it looks a bit complicated...) Is there anything else I should - or shouldn't - try?
4. I noticed, when trying to read the HijackThis log file, the notepad.exe is all of a sudden missing from my computer. Do you think this is related to this infestation? MediaPlayer is also missing, but I received a pop-up message from one of the spyware programs that said it had been infected and was going to be deleted. I never got any such message regarding notepad...
5. When I brought up the "open with..." dialog, I noticed a program called "Dummy" that has the SpyBot S&D icon. Is this a good thing??
Here's the logfile:
Logfile of HijackThis v1.97.7
Scan saved at 6:48:04 PM, on 6/27/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\MONSERV.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\SECCOPY\SECCOPY.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\ADSUBTRACT\ADSUB.EXE
C:\PROGRAM FILES\PALM\HOTSYNC.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\Program Files\WSCam\WSCAM.EXE
D:\DOWNLOAD\OMEGASEARCH REMOVAL UTILITIES\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=AdSubtract:4444
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Alps Electric USB Server] MONSERV.EXE
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [Essdc] essdc.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NPROTECT] c:\Program Files\Norton SystemWorks\Norton Utilities\Nprotect.exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccEvtMgr] "c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [NPROTECT] c:\Program Files\Norton SystemWorks\Norton Utilities\Nprotect.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [CSINJECT.EXE] c:\Program Files\Norton SystemWorks\Norton CleanSweep\csinject.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [Second Copy 2000] "C:\PROGRAM FILES\SECCOPY\SECCOPY.EXE"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: AdSubtract.LNK = C:\Program Files\AdSubtract\adsub.exe
O4 - Startup: Quicken Scheduled Updates.lnk = C:\Program Files\QUICKENW\bagent.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38013.6021759259
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
Again, I can't thank you enough. May much good karma come your way!
Regards,
John
Delete the value (not the key) if it exists. You might also want to delete your temp files and Recycle Bin. Follow up with a complete scan while in Safe Mode.
I've attached a new notepad.exe for you. It goes in your Windows\System32 folder.
"if problem : click here"
Takes you to:
If you don't want to continue using this page, follow instruction below:
1. Download uninstaller (right click and choose "Save target as.." from pulldown menu
2. Run it
3. Reboot your PC
4. Run it second time
5. Change your start page to "about:blank" in the IE settings (Tools -> Internet Options)
6. Click "Start" -> "Run" -> regedit
7. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
8. Select key {FF1BF4C7-4E08-4A28-A43F-9D60A9F7A880} and delete it
Enjoy with your clear PC.. and stop looking for free porn - try to buy membership on a good paysite
These guys are fu**ed in the head.
No reference to 'PINF' in the registry... Thanks for notepad, but it won't launch - I keep getting an error message. Perhaps it's the wrong version - I'm running Windows ME...
I've already emptied my temp files and recycle bin and will do the safe mode scan now...
Thanks again,
John
....ZoneAlarm - firewall running all the time
....SpySweeper - cleaned out spywares
....Grisoft Anti-virus - cleaned out all viruses
....CWShedder.exe - cleaned out CoolWebSearch (no more sign of it)
....HijackThis - got rid of everything except that 14 registry settings
...........keep coming back bad and fixes them and comes back again.
I have not run in SAFE MODE yet. I will do that today.
Also my NOTEPAD & WMPLAYER were deleted. As you said, it notified of the WMPLAYER being deleted, but not NOTEPAD. I have gotten my NOTEPAD back on by doing this:
....1. Go to the directory WINDOWS\CAB
....2. (If you have WINZIP installed, if not install it from www.winzip.com)
........double-click on the each .CAB file, which will start winzip in a
........window and show the files in the .CAB. Do this until you find the one
........containing NOTEPAD.EXE then click on it to highlight it, select the
........directory you want it to go to (in my case C:WINDOWS), and click on
........EXTRACT.
....................NOTE: My NOTEPAD.EXE was found in ???????42.CAB
.............................I forgot the first part of the name, but is 42.
....3. No try to open a text document or other file to verify it works
WMPLAYER - I have downloaded version 9 from Microsoft and run the install
but the install does not finish correctly. It just disappears.
Can you help me???????? 1. getting WMPLAYER installed & 2. getting rid of
this blasted dinamo.websearch.net for good??????????
Thanks for the help.
http://www.authentium.com/threats/portal.asp
For those of you who want a direct link, it is below:
http://www.commandondemand.com/eval/index.cfm
Command Software has integrated about 110 new viral thing defs in last three days alone, to thier products(about 30% were trojans or hybrids that also drop trojans). This free scanner can both scan and kill, and covers trojans as well as normal viruses and worms. Lots of the new "junk" infects also drop trojans as the attack progresses, adn Symantec's consumer products are just playing catchup in new versions of thier products to a full-scale trojan detection. Quite a few of these new\recent attacks are trojan horse renewed, unfortunately. F-Prot, Kaspersky, and Authentium all are AV folks that intergrate trojan detection into AV. So, for trojan issues that North American AV might not yet have defs for or even fully address, this kind of scan from someone REPUTABLE overseas makes sense.
Command Software is the product line name Authentium uses for its AV products. Note that single users do not have to give info to run, Enterprise Users DO have to.
Kaspersky Labs has a very good online AV scanner (that can kill many viruses and trojans) also, and Housecall is Trend Micro's CORPORATE grade online scanner which is also free to end users. Both these scanners can detect many trojans and can use very good Heuristics also. There are five AV companies I know of that like Kaspersky Lab's heuristics set so well that they license it.
If you have a "suspicious" file, Kaspersky has a page that will accept it for upload and scan it if it is one MB or smaller. The scanner will then tell you if it is a known virus, trojan, worm, Macro, script virus, and if you give the script an email address Kaspersky will also let you know in email what they think. They do this to build up their def sets and knowledge, no charge for scan. Kaspersky has defs first many times for viral things out of the far east, they are in Moscow, Russia. They literally publicly fingered the group that did Download.ject. Thier site also has a decent AV killing info base.
Link Below:
http://www.kaspersky.com/scanforvirus
One more thing, on Me, 2000, and XP, a lot of the malware attacks use trojans and\or system restore calls to reload. When you clean, if you can get to safe mode, do that, and get off the network connects while using HJT, SpyBot S&D, and AdAware to clean.
they work much better this way. Second, for Me and 98, there is a very recently released security patch for IE. This patch does two things-- it takes IE to high security by default and adds a bunch of site names and IPs to the Restricted Zone. All folks using IE need this config patch.
I have followed your instructions, but I think that I should have deleted the wrong key!!
My IE is not working at all now....
Anyone can save me!?
How to restore my key on;
Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr
entVersion\Explorer\Browser Helper Objects\
Cheers