Hijacked by Won.net

knurte · January 15, 2006

A site called won.net seemed to have taken over my entire computer and start page.

I have tried everything in my not-so-computer-savy power but nothing finds it. I have scanned with TrendMicro, Panda activescan, Spybot, Adaware, Spyware doctor, registry fix and norton, but everything comes up clean.

I am praying that someone here can help me and that I haven't deleted anything essential in my frenzy to fix.

This is my Hijack log.

Logfile of HijackThis v1.99.1

Scan saved at 22:38:01, on 15.01.2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\devldr32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\CTsvcCDA.EXE

C:\Programfiler\Fellesfiler\Microsoft Shared\VS7Debug\mdm.exe

C:\Programfiler\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\system32\MsPMSPSv.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\NORTON~1\navapw32.exe

C:\Programfiler\Zone Labs\ZoneAlarm\zlclient.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Programfiler\Messenger\msmsgs.exe

C:\Programfiler\Spyware Doctor\sdhelp.exe

C:\Programfiler\Internet Explorer\iexplore.exe

C:\Documents and Settings\Jason\Skrivebord\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll

O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll

O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programfiler\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programfiler\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

O4 - HKLM\..\Run: [Zone Labs Client] C:\Programfiler\Zone Labs\ZoneAlarm\zlclient.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [GCS] "C:\Programfiler\GrabClipSave\GrabClipSave.exe"

O4 - HKCU\..\Run: [msnmsgr] "C:\Programfiler\MSN Messenger\msnmsgr.exe" /background

O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab

O16 - DPF: {15589FA1-C456-11CE-BF01-000000000000} - http://www.errornuker.com/products/errn200...erInstaller.exe

O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwa...ash/swflash.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE

O23 - Service: Windows Installer (MSIServer) - Unknown owner - C:\DOCUME~1\Lin\LOKALE~1\Temp\IXP000.TMP\MsiExec.exe (file missing)

O23 - Service: Norton AntiVirus Auto-Protect-tjeneste (navapsvc) - Symantec Corporation - C:\Programfiler\Norton AntiVirus\navapsvc.exe

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FELLES~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Programfiler\Spyware Doctor\sdhelp.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\SNDSrvc.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Thank you in advance.

jwbirdsong · January 16, 2006

First of all, you will need to print out this post and/or save a copy as a text file in Notepad; that way you have a hard copy of these instructions; you can not have IE/Firefox/any browser open during the fix

Please download Ewido Anti Malware, it is a free version of the program.

Install ewido security suite
When installing the program, under "Additonal Options" uncheck...
- Install background guard
- Install scan via context menu

[*] Launch ewido, there should now be an icon on your desktop, double-click it.

[*] The program will now open to the main screen.

[*] When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.

[*] You will need to update ewido to the latest definition files:

On the left hand side of the main screen click update.
Then click on Start Update.

[*] The update will start and a progress bar will show the updates being installed.

(the status bar at the bottom will display "Update successful")

[*] Close Ewido

If you are having problems with the updater, you can use this link to manually update ewido.

Ewido manual updates

Next, please enable viewing of hidden files as follows:

1) Go to My Computer, and click on the "Tools" menu

2) Click "Folder options"

3) Select the "View" tab

4) Make sure "Show hidden files and folders" is selected

5) Make sure "Hide extensions for known file types" is unchecked

6) Make sure "Hide protected operating system files (recommended)" is unchecked

Please run HijackThis and click "Scan." Place checks next to the following entries:

O4 - HKCU\..\Run: [GCS] "C:\Programfiler\GrabClipSave\GrabClipSave.exe"

Close all browser and other windows except for HijackThis, and click "Fix Checked".

Next, please reboot your computer in Safe Mode by doing the following:

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap F8.
Instead of Windows loading as normal, a menu should appear
Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:

http://www.pchell.com/support/safemode.shtml

Next, delete the following folders (if they exist):

C:\Programfiler\GrabClipSave

Start Ewido Anti-Malwaree

Click on scanner. (Note: Do not start any programs or open any windows while Ewido is scanning)
Click on Complete System Scan, the scan will now begin.
While the scan is in progress you will be promted to clean files, click OK.
When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says "Perform action on all infections", then choose clean and click OK.
Once the scan has completed, there will be a button located at the bottom of the screen named Save Report.
Click Save Report.
Now save the report .txt file to your desktop.
Close Ewido

When Ewido is finished scanning; reboot back to normal mode and run this online virus scan: ActiveScan

Once you are on the Panda site click the Scan your PC button
A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send(*NOTE it's perfectly safe to do so..You will NOT be spammed from this)
- Select either Home User or Company
Click the big Scan Now button
If/when you get a notice that Panda wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on Local Disks to start the scan
When the scan completes, if anything is detected, click the See Report button, then Save Report and save it to a convenient location like your desktop.

Post

The Ewido log
A new HijackThis log
Results of Panda scan

in your next reply here.

knurte · January 16, 2006

Thanks for quick reply.

I followed your instructions and am ready to post the logs. Before I do though I am wondering if I should go back to the tools menu and reset the changes I made - is that necessary?

Hijack log.

Logfile of HijackThis v1.99.1

Scan saved at 06:52:05, on 16.01.2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\devldr32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\CTsvcCDA.EXE

C:\Programfiler\Fellesfiler\Microsoft Shared\VS7Debug\mdm.exe

C:\Programfiler\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\system32\MsPMSPSv.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\NORTON~1\navapw32.exe

C:\Programfiler\Zone Labs\ZoneAlarm\zlclient.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Programfiler\Messenger\msmsgs.exe

C:\Programfiler\Spyware Doctor\sdhelp.exe

C:\Programfiler\Internet Explorer\iexplore.exe

C:\Programfiler\ewido anti-malware\ewidoctrl.exe

C:\Documents and Settings\Jason\Mine dokumenter\Intern video\drweb-cureit.exe

C:\DOCUME~1\Jason\LOKALE~1\Temp\RarSFX0\drw_start.exe

C:\DOCUME~1\Jason\LOKALE~1\Temp\RarSFX0\drweb32w.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\devldr32.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\NORTON~1\navapw32.exe

C:\Programfiler\Zone Labs\ZoneAlarm\zlclient.exe

C:\Programfiler\Messenger\msmsgs.exe

C:\Documents and Settings\Jason\Mine dokumenter\Intern video\HijackThis.exe