Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hijacked! www.oneclicksearches.com, possible more.. Help!


  • Please log in to reply
3 replies to this topic

#1 BillyButt

BillyButt

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:03:09 AM

Posted 05 July 2005 - 04:06 PM

I get redirected to www.oneclicksearches.com now and then, strange pop-ups, virus warnings from programs i don't have installed etc.

I've runned Spy-Bot, Ad-Aware and Hijackthis prior to this log being posted. Can't seem to get rid of oneclicksearches.com bleep. Also, several of the running processes looks 'suspicious'.

I'm not very good at computers so hopefully someone here can help me get rid of this bleep? Thanks!


Logfile of HijackThis v1.99.1
Scan saved at 22:54:42, on 2005-07-05
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Delade filer\Symantec Shared\ccProxy.exe
C:\WINDOWS\runservice.exe
E:\Program\Norton Internet Security 2004\Norton AntiVirus\navapsvc.exe
E:\Program\Norton Internet Security 2004\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Delade filer\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\shnlog.exe
C:\WINDOWS\System32\msole32.exe
C:\WINDOWS\popuper.exe
C:\WINDOWS\System32\intmonp.exe
C:\WINDOWS\System32\intmon.exe
C:\Program\Delade filer\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program\Internet Explorer\iexplore.exe
G:\[ Utdelat ]\[ Nerladdat ]\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.oneclicksearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.oneclicksearches.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.oneclicksearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.oneclicksearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.oneclicksearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.oneclicksearches.com/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.oneclicksearches.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Lšnkar
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hp6080.tmp
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program\Delade filer\Symantec Shared\AdBlocking\NISShExt.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\Program\Norton Internet Security 2004\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [URLLSTCK.exe] E:\Program\Norton Internet Security 2004\UrlLstCk.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\Program\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program\Delade filer\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "E:\Program\RivaTuner\RivaTuner.exe" /S
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [Ad-aware] "C:\Program\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKLM\..\Run: [QuickTime Task] "E:\program\quicktime pro 6.0\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\System32\msmsgs.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: &Google Search - res://c:\program\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://E:\Program\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program\google\GoogleToolbar1.dll/cmtrans.html
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - E:\Program\Norton Internet Security 2004\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - E:\Program\Norton Internet Security 2004\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\Program\DELADE~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\Security Center\SymWSC.exe

BC AdBot (Login to Remove)

 


m

#2 groovicus

groovicus

  • Security Colleague
  • 9,963 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Centerville, SD
  • Local time:02:09 AM

Posted 06 July 2005 - 06:09 PM

You may want to print out or make a copy of these instructions before starting, because you will not be able to connect to the internet during most of this fix.


Please download smitRem.zip and save it to your desktop.
Right click on the file and extract it to its own folder on the desktop.


Please download, install, and update the free version of Ewido Security Suite:
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • When you run Ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • From the main Ewido screen, click on update in the left menu, then click the Start update button.
  • After the update finishes, the status bar at the bottom will display "Update successful"
  • Exit Ewido. DO NOT run a scan yet.
If you do not already have Ad-Aware SE 1.06 installed, follow these download and setup instructions: Ad-Aware SE Setup
Be sure to check for updates. Do NOT run a scan yet.


Next, please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
Start HJT and click on the SCAN button. Put a check mark in front of the following lines if they still show:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.oneclicksearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.oneclicksearches.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.oneclicksearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.oneclicksearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.oneclicksearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.oneclicksearches.com/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.oneclicksearches.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Lšnkar
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hp6080.tmp
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\System32\msmsgs.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe


With ALL OTHER WINDOWS CLOSED, click on Fix Checked. Close HijackThis.


Open Windows Explorer (Windows key+e), navigate to and delete the following files (Don't be concerned if they can not be found):

C:\WINDOWS\system32\msmsgs.exe
C:\WINDOWS\system32\hookdump.exe


Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. Your desktop and icons will disappear and then reappear again --- this is normal. Wait for the tool to complete and Disk Cleanup to finish --- this may take a while; please be patient.


Next, run Ad-aware and perform a full scan. Remove everything found.


Now open Ewido Security Suite
  • Click on Scanner
  • Click on Complete System Scan
  • Let the program scan the machine
While the scan is in progress you will be prompted to clean files, click OK
Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save Report
  • Save the report to your desktop
  • Close Ewido
Next go to Start -> Control Panel, click Display -> Desktop -> Customize Desktop -> Website -> Uncheck "Security Info" if present.


Restart your computer in normal mode.


Run Panda's online virus scan and perform a full system scan. Make sure the Autoclean box is checked!


Finally, restart your computer once more, and post a new HijackThis log as well as the log from the Ewido scan here by using Add Reply. Let us know if any problems persist.

#3 BillyButt

BillyButt
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:03:09 AM

Posted 08 July 2005 - 06:04 PM

I've followed very similar instructions to yours in a different thread and seem to have gotten rid of the problems. I'll post a Hijackthis log after my clean-up effort. If you find something suspicious i'll repeat it your way.

Thanks for your effort!

Logfile of HijackThis v1.99.1
Scan saved at 18:48:27, on 2005-07-06
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe
C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Delade filer\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program\Delade filer\Symantec Shared\ccApp.exe
C:\Program\Delade filer\Symantec Shared\ccProxy.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
E:\Program\ewido\security suite\ewidoctrl.exe
E:\Program\ewido\security suite\ewidoguard.exe
E:\Program\Norton Internet Security 2004\Norton AntiVirus\navapsvc.exe
E:\Program\Norton Internet Security 2004\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Delade filer\Symantec Shared\CCPD-LC\symlcsvc.exe

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\Program\Norton Internet Security 2004\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [URLLSTCK.exe] E:\Program\Norton Internet Security 2004\UrlLstCk.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\Program\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program\Delade filer\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "E:\Program\RivaTuner\RivaTuner.exe" /S
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [Ad-aware] "C:\Program\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKLM\..\Run: [QuickTime Task] "E:\program\quicktime pro 6.0\qttask.exe" -atboottime
O8 - Extra context menu item: &Google Search - res://c:\program\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://E:\Program\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program\google\GoogleToolbar1.dll/cmtrans.html
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - E:\Program\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - E:\Program\ewido\security suite\ewidoguard.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - E:\Program\Norton Internet Security 2004\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - E:\Program\Norton Internet Security 2004\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\Program\DELADE~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\Security Center\SymWSC.exe

#4 groovicus

groovicus

  • Security Colleague
  • 9,963 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Centerville, SD
  • Local time:02:09 AM

Posted 08 July 2005 - 06:27 PM

Looks like you got it all. :thumbsup:




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users