
hijackthis log posted - Please help


8 replies to this topic

#1 saleen

saleen

  • Members
  • 5 posts
  • OFFLINE
  • Local time:08:35 PM

Posted 07 May 2004 - 02:40 PM

I was wondering if someone can take a look at my hijackthis log and tell me what to do from there. Some of my problems: 'golden palace casino', BlazeFind.Bridge & GAIN.gator. Any help is greatly appreciated, Thanks!

-----------------------------------------------------------------------------------------------

Logfile of HijackThis v1.97.7
Scan saved at 3:38:56 PM, on 5/7/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Roxio\WinOnCD\DirectCD\DirectCD.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\usr.USR-V48X8KB7KHH\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hkcu
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.msn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?new-hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hklm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.pcworld.com/downloads/file_desc...fid,7423,00.asp
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\PROGRA~1\Lycos\IEagent\CSIE.DLL (file missing)
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Adobe\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\downloaded games\nimo\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\WinOnCD\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [THGuard] "D:\TrojanHunter 3.8\THGuard.exe"
O4 - HKLM\..\Run: [SpyHunter] D:\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 (HKLM)
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 (HKLM)
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://quartz.atkinson.yorku.ca/qp2.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8052.5431712963
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab


#2 Guest_Plimsol_*

Guest_Plimsol_*

  • Guests
  • OFFLINE

Posted 07 May 2004 - 03:20 PM

First thing I need you to do is download hijackthis again and extract it into its own directory like c:\hijackthis.

Then follow these steps:

You are infected with a variant of the CoolWebSearch.

Download CWShredder from the below link and unzip it into a directory. Start CWShredder and click on the Fix button to have it remove all CWS infections it finds.

Download CWShredder from:

http://www.merijn.org/files/cwshredder.zip

After you download the program, unzip it into a directory. Make sure all browser windows are closed and double click on the cwshredder.exe to start the program. When the program is loaded click on the "Check for Update" button, and if it finds a new version it will download it. You should then double click on cwshredder.exe again and click on the "FIX" button (not the "Scan only" button) and let it scan your computer.

To get the best results it is recommended that you run it in safe mode. Reboot windows and press F8 at boot/windows startup, usually right after the beep. Then select safe mode.

A tutorial that goes over this process step by step can be found here:

How to remove CoolWebSearch with CoolWeb Shredder

Once that is completed you should follow these steps in order to clean your computer of Malware, which can include Viruses, Trojans, Worms, Spyware, Hijackers and Dialers.

Step 1:
Download Spybot and Adaware from the following locations and install them. You should run both programs and clean up what they find. This is to guarantee that you find the most malware you can installed on your computer.

Before running the scans on both programs, it is mandatory that you update the programs. There are update options in each program when you run them.

Spybot

Ad-aware

If you would like to learn more about how to use these two programs with the proper settings you can read the tutorials below:

AD-AWARE - Using Ad-aware to remove Spyware/Hijackers from Your Computer.

SPYBOT SEARCH AND DESTROY - Using Spybot - Search & Destroy to remove Spyware from Your Computer.



When you scan with both programs, fix everything that they find.

When you are done with the scan and fixing the items, please continue with the next step.

Step 2:

It is important that you run Spybot and Adaware before you proceed with this step. Fixing entries with Hijackthis may leave behind unwanted files on your computer if the previous step was not done first.

Create a directory on your hard drive to save HijackThis.exe. A directory like c:\hijackthis. If you do not do this, you will not be able to use the backup/restore features.

Download HijackThis from:

HijackThis

Save this file into the directory you made previously and then run the program. Click on the Scan button and when it is finished click on the Save Log button. A Notepad window will open with the contents of this log. Click on Edit then click on Select all. Then click on Edit and then Click on Copy.

Create a reply to this post, and right click in message area and select paste to paste the log into the post.

Someone will reply to you after reading this post. DO NOT fix any entries unless you understand what you are doing.

To see a tutorial on using HijackThis you can click on the link below:

HijackThis - Using HijackThis to Remove Spyware, Browser Hijackers, and Dialers

#3 saleen

saleen
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE

Posted 07 May 2004 - 05:46 PM

Thanks for the advice, I think I've accomplished all the steps you mentioned ... here is my new log:

-----------------------------------------------------------------------------------------------

Logfile of HijackThis v1.97.7
Scan saved at 6:42:03 PM, on 5/7/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Roxio\WinOnCD\DirectCD\DirectCD.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\usr.USR-V48X8KB7KHH\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.msn.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.pcworld.com/downloads/file_desc...fid,7423,00.asp
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Adobe\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\downloaded games\nimo\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\WinOnCD\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 (HKLM)
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 (HKLM)
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://quartz.atkinson.yorku.ca/qp2.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8052.5431712963
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
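
How a helper reads a pair of logs like the two above: the entries that disappeared between the first and second log are exactly the ones CWShredder, Spybot and Ad-aware cleaned, and each of them trips a simple triage heuristic. This is an added example, not code from the thread or from HijackThis; the log excerpts are constructed from the posts above, and the EXPECTED_HOSTS allowlist is an assumption (ca.msn.com is taken as the user's own choice because it survives every log).

```python
import re
from urllib.parse import urlsplit

# Constructed excerpts of the first and second HijackThis logs posted in this
# thread (entry lines only; the "Running processes" section is omitted).
LOG_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hkcu
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.msn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?new-hklm
O1 - Hosts: 12.129.205.209 search.netscape.com
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\PROGRA~1\Lycos\IEagent\CSIE.DLL (file missing)
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
"""
LOG_AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.msn.com/
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
"""

# Assumption: the hosts the user deliberately chose for start page / search bar
# (ca.msn.com survives every log in the thread, so it is taken as legitimate).
EXPECTED_HOSTS = {"ca.msn.com"}

ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|O\d{1,2}) - (.*)$")


def parse_entries(log):
    """Return [(section, body)] for every HijackThis entry line in the log."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def flag_entry(section, body):
    """Heuristic reasons an entry deserves a closer look before it is fixed."""
    reasons = []
    if section in ("R0", "R1") and " = http" in body:
        host = urlsplit(body.split(" = ", 1)[1]).hostname or ""
        if host not in EXPECTED_HOSTS:
            reasons.append("start page/search bar points at unexpected host " + host)
    if section == "O1":
        reasons.append("hosts file redirects a public domain")
    if section in ("O2", "O3") and "(no name)" in body:
        reasons.append("unnamed browser extension")
    if "(file missing)" in body:
        reasons.append("entry references a missing file")
    if section == "O4" and re.search(r'C:\\WINDOWS\\[^\\"]+\.exe', body, re.I):
        reasons.append("autorun executable sitting directly in the Windows folder")
    return reasons

def diff_logs(before, after):
    """Entries removed and added between two logs, as sorted unique lines."""
    old = {f"{s} - {b}" for s, b in parse_entries(before)}
    new = {f"{s} - {b}" for s, b in parse_entries(after)}
    return sorted(old - new), sorted(new - old)
```

Running `diff_logs(LOG_BEFORE, LOG_AFTER)` lists the six removed entries and `flag_entry` gives a reason for every one of them, while nothing that survived into the second log is flagged.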

#4 Guest_Plimsol_*

Guest_Plimsol_*

  • Guests
  • OFFLINE

Posted 07 May 2004 - 07:32 PM

Looks much better. Just fix these please:

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.pcworld.com/downloads/file_desc...fid,7423,00.asp
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)   (If you can't fix this one, don't worry about it.)
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe

Repost a new log, but after this you should be all clean.

#5 saleen

saleen
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:08:35 PM

Posted 08 May 2004 - 10:14 AM

Alright, fixed those that you mentioned ... here is my current log. Thanks a lot for your time, I really appreciate you going through all of this step-by-step with me :thumbsup:

-----------------------------------------------------------------------------------------------

Logfile of HijackThis v1.97.7
Scan saved at 11:04:44 AM, on 5/8/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Roxio\WinOnCD\DirectCD\DirectCD.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\usr.USR-V48X8KB7KHH\Local Settings\Temp\Temporary Directory 4 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.msn.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Adobe\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\downloaded games\nimo\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\WinOnCD\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 (HKLM)
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 (HKLM)
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://quartz.atkinson.yorku.ca/qp2.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8052.5431712963
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

Edited by saleen, 08 May 2004 - 10:16 AM.


#6 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,585 posts
  • OFFLINE
  • Gender:Male

Posted 08 May 2004 - 10:52 AM

That log looks good. You're good to go.

I do, however, strongly urge you to get Windows updated. That alone will prevent most CoolWebSearch infections.

The fate of all mankind, I see

Is in the hands of fools

--King Crimson


#7 saleen

saleen
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:08:35 PM

Posted 08 May 2004 - 07:03 PM

Alright, thanks for the recommendation .... but how exactly do I go about getting this Windows Update?
Thanks

#8 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,585 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:35 PM

Posted 09 May 2004 - 12:08 AM

Hi saleen,

how exactly do I go about getting this windows update?

Looking at your log I see that you don't have even SP1, so you have much more than one update. It will take a while for you to download and install, but it is absolutely essential to protect yourself against the vermin that want to get on your PC. All manner of malware, including viruses, are getting good at exploiting security flaws in Windows, so you need to keep Windows patched by installing ALL updates rated critical to close those holes up.

The easiest way to begin is to open Internet Explorer, click Tools, then Windows Update. You will be taken to a webpage (here's the URL: http://v4.windowsupdate.microsoft.com/en/default.asp). Click the little green arrow next to "Scan for updates". Your system will be scanned for several seconds to see which updates are needed. When the scan is completed you will be presented with a list of which updates are needed in the main pane. In your case you should choose SP1 and have it downloaded and installed by itself. Then go back and scan again and begin downloading all available critical updates. If you have a choice, you should do no more than four at a time. However, you may be told that you need one update called Rollup 1. This is a large collection of updates bundled together into one.

NOTE: Before beginning any download of updates, you should disable any antivirus, firewall or other security software that is running in the background. They should auto start again when you reboot after updating, but check to make sure.

A less time consuming alternative that will also reduce the chance of errors (disconnects, corrupt downloads, etc.) is to order the Windows Security Update CD. This CD includes all updates available up to the date listed on the webpage. It also includes a one year free trial of EZ Armor, a combination of Antivirus & Firewall (the firewall is actually ZoneAlarm). You don't need & should not install the antivirus, but you can install the firewall separately--that's what I did. The CD is free; you pay only the cost of shipping to Microsoft--about 10 USD.

Once you are updated, you will have effectively removed the Microsoft Java Virtual Machine (MSJVM). This will close the hole that most varieties of the CoolWebSearch parasite come in through. But it may cause some problems with how images appear on webpages, among other things. I recommend you replace it with Java from Sun Microsystems--and don't worry, it doesn't have the same hole that plagued the MSJVM. Get it here: Java.

Another thing you can do to prevent a large number of infections is to set ActiveX to at least prompt. Without getting into a long explanation of what ActiveX is & why it should be set this way, here is what I recommend.

1. With Internet Explorer open, click Tools>Internet Options>Security tab.
2. Click Custom Level.
3. Set "Download Signed ActiveX Controls" to prompt.
4. Set "Download Unsigned ActiveX Controls" to prompt or disable.
5. Set "Initialize and script ActiveX Controls not marked as Safe" to disable.
6. The two ActiveX settings below that can be set to enable or prompt. If set to prompt, though, they might soon drive you crazy.
7. Click OK, then OK again to exit Internet Options.

Now you will have a chance to see what is getting downloaded onto your PC. Otherwise some parasites will install without you ever knowing about it, just from you visiting certain webpages or clicking on links (including popups). That's what is called a drive-by download.

Another way to prevent drive-by downloads is to use a different browser. Mozilla/Firefox does not have ActiveX enabled by default. But there will be times when you will need to use IE, so it still needs to be secured in any event.

And finally, you can prevent reinfestation by installing preventative tools. The following three are recommended & you can learn how to use them by reading these tutorials.

Using SpywareBlaster to protect your Web Browser
Using SpywareGuard to protect your computer from Spyware/Hijackers
Using IE-Spyad to enhance your privacy and security

Edited by Papakid, 09 May 2004 - 12:21 AM.

The fate of all mankind, I see

Is in the hands of fools

--King Crimson
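
A way to verify the Internet zone settings from steps 1 to 7 above without clicking through the dialog, as an added example that is not part of Papakid's post: IE keeps the Custom Level choices as numbered values under the zone 3 registry key (the value names and the 0/1/3 encoding are Microsoft's documented ones), so an audit can compare each one against the minimum the post asks for. The WEAK and HARDENED dictionaries are constructed samples, not values read from any real machine.

```python
# Settings as IE stores them: 0 = Enable, 1 = Prompt, 3 = Disable; ordered from
# least to most restrictive, so a larger number is never a weaker setting.
ENABLE, PROMPT, DISABLE = 0, 1, 3
NAMES = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}

# Internet zone (zone 3) under HKEY_CURRENT_USER; value names per Microsoft KB 182569.
ZONE3_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

# Registry value -> (label in the Custom Level dialog, least restrictive setting
# accepted by steps 3 to 6 of the post above).
MINIMUM = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", PROMPT),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1200": ("Run ActiveX controls and plug-ins", ENABLE),
    "1405": ("Script ActiveX controls marked safe for scripting", ENABLE),
}


def audit_zone(values):
    """Return one finding per setting that is weaker than the recommendation."""
    findings = []
    for name, (label, minimum) in MINIMUM.items():
        current = values.get(name)
        if current is None:
            findings.append(f"{name} ({label}): value not present, cannot verify")
        elif current < minimum:
            findings.append(f"{name} ({label}): {NAMES.get(current, current)}, "
                            f"should be at least {NAMES[minimum]}")
    return findings


def read_zone3():
    """Read the live Internet zone values on Windows; None on other platforms."""
    try:
        import winreg
    except ImportError:
        return None
    values = {}
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ZONE3_KEY) as key:
            for name in MINIMUM:
                try:
                    values[name] = winreg.QueryValueEx(key, name)[0]
                except FileNotFoundError:
                    pass  # left absent so audit_zone() reports it
    except OSError:
        return None
    return values


# Constructed sample configurations (not read from any real machine).
WEAK = {"1001": ENABLE, "1004": ENABLE, "1201": ENABLE, "1200": ENABLE}
HARDENED = {"1001": PROMPT, "1004": PROMPT, "1201": DISABLE,
            "1200": PROMPT, "1405": PROMPT}

if __name__ == "__main__":
    live = read_zone3()
    for finding in audit_zone(live if live is not None else WEAK):
        print(finding)
```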


#9 saleen

saleen
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:08:35 PM

Posted 09 May 2004 - 01:20 PM

Thanks Papakid for all the info .... I will definitely take your advice & get the necessary updates. Once again I would like to thank Plimsol & Papakid for all their help and advice :thumbsup:
