HijackThis fun


1 reply to this topic

#1 shekysheky
Posted 16 January 2005 - 10:00 AM

*edited to add more details*

My HijackThis log. It seems I've been hit with CoolWebSearch, since last night... but, no luck getting it totally out yet. Before this, I ran AdAware and Spybot (updated versions), then CWShredder, all while disconnected from the internet.

Here's the log:

=========================
Logfile of HijackThis v1.99.0
Scan saved at 9:35:52 AM, on 1/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
E:\Apache\Apache.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Program Files\ATI Multimedia\main\ATISched.EXE
E:\winkey\WinKey.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
e:\dynamic dns client .net edition - service\dyndnswinservice.exe
E:\Norton SystemWorks\Norton Ghost\GhostStartService.exe
E:\NORTON~3\NORTON~2\NPROTECT.EXE
E:\Apache\Apache.exe
E:\NORTON~3\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\usrshutd.exe
C:\WINDOWS\system32\winmsdc.exe
C:\WINDOWS\system32\vwipxspnt.exe
C:\WINDOWS\system32\tlntadmnx.exe
C:\Program Files\ATI Multimedia\main\ATIMMC.exe
E:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://fastsearchweb.com/srh.php?q=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\mcicdb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\mcicdb.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\mcicdb.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\mcicdb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\mcicdb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\mcicdb.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: Search - {A1DDDC31-F8C3-4EC2-9E7A-CB4B01916418} - C:\WINDOWS\system32\Q713239053.dll
O2 - BHO: BitBeamer IE Plugin - {4BD9653E-D4C7-454B-9151-A8517B84BA08} - E:\BitBeamer\ieplugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5DBC9D27-BD1F-45C5-8D38-CD7E113E3027} - C:\WINDOWS\system32\msvwn.dll
O2 - BHO: (no name) - {67F2B0B7-C4EA-4FA3-81D5-7BA8583142C0} - C:\WINDOWS\system32\mcicdb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINDOWS\system32\iecust.dll
O3 - Toolbar: Search - {0623DE39-6CA8-4731-BB95-E3934CEBEFE6} - C:\WINDOWS\system32\Q713239053.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [QuickTime Task] "E:\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [QD FastAndSafe] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\main\ATISched.EXE
O4 - Startup: Winkey.lnk.lnk = E:\winkey\WinKey.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download All with BitBeamer - res://E:\BitBeamer\ieplugin.dll/getlinks
O8 - Extra context menu item: Download with BitBeamer - res://E:\BitBeamer\ieplugin.dll/download
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Search - {0623DE39-6CA8-4731-BB95-E3934CEBEFE6} - C:\WINDOWS\system32\Q713239053.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - E:\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - E:\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.63.219.181.7
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co.../wuweb_site.cab?1093658197836
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {7623BE59-D4CF-4379-ABC4-B39E11854D66} (MabinogiWebAvatarRenderer Class) - http://avatar.mabinogi.com:88/renderer/mabiweb.2004.7.19.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4C61228D-7173-4F15-8F89-09329FC13689}: NameServer = 69.50.188.178,69.31.80.244
O17 - HKLM\System\CCS\Services\Tcpip\..\{5E7D2F2E-553A-4A04-A7EC-FD269F167333}: NameServer = 69.50.188.178,69.31.80.244
O17 - HKLM\System\CS1\Services\Tcpip\..\{4C61228D-7173-4F15-8F89-09329FC13689}: NameServer = 69.50.188.178,69.31.80.244
O18 - Filter: text/html - {ECFEFD9A-9179-413A-BFFA-074281FE3710} - C:\WINDOWS\system32\mcicdb.dll
O18 - Filter: text/plain - {ECFEFD9A-9179-413A-BFFA-074281FE3710} - C:\WINDOWS\system32\mcicdb.dll
O23 - Service: Apache - Unknown - E:\Apache\Apache.exe
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Dynamic DNS Client for Windows (service) - Mike Hacker - e:\dynamic dns client .net edition - service\dyndnswinservice.exe
O23 - Service: GhostStartService - Symantec Corporation - E:\Norton SystemWorks\Norton Ghost\GhostStartService.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - E:\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - E:\NORTON~3\NORTON~2\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - E:\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - E:\NORTON~3\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
=========================

So far, only major problems are: its almost total integration into IE, giving me a toolbar whenever I open it up; and, occasionally opening popup windows in IE to places like casinos and such. It's also changed my homepage to some other search engine, and it gives me "links" to programs that "remove" spyware... I haven't tried them, I'm pretty sure they're bogus. It also installs a toolbar that comes back now and again; it says it's "FreshBar" and it links to casinos, adult sites, etc. (but for some reason, the Norton Antivirus bar is checked when I see it, and not FreshBar... odd). I also have another search bar just labelled Search, with similar options.

Also, Windows keeps bugging me about how my system's been compromised... no surprise there. But, there's another window that pops up, and it makes a sound (I tell you about the sound because I've disabled _all_ other sounds windows makes, I always do). This is what it says exactly:

------
WARNING: Windows Firewall detected suspicious network activity on your computer. Malicious software codes try to steal your privacy information, such as credit card numbers, electronic mail accounts, financial data or passwords.

Do you want to download certificated software and protect your computer? (Yes/No)
------

"certificated"? Is that even a word? I mean, I know what they're alluding to, but I don't think that's the proper term... in any case, I haven't tried to use that, either.

Also, before, from time to time a little window would pop up telling me to click OK to install FREE programs! Whenever I try to close the window, it pops up again right away... it doesn't go away. I think I got rid of that, but I can't be too sure...

Anything I can do from here? Or could uninstalling IE possibly solve this? I'm pretty much switching to Firefox after this is over, anyway, but I don't want to leave any loose ends.

Edited by shekysheky, 16 January 2005 - 02:09 PM.
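An added example, not part of either post in this thread: a small Python triage script for a HijackThis log of this kind. It applies a few per-line rules to the entry types CoolWebSearch-style hijackers abuse (R0/R1 search pages served from a res:// resource inside a local DLL, an O15 Trusted Zone entry for a raw IP, O17 NameServer values forced in the registry, O18 MIME filters on text/html and text/plain, unnamed O2 BHOs), and then groups entries by the file they load, so that one DLL hooked in under several entry types stands out from a one-off entry. The sample input is an abbreviated copy of lines from the log above; the rule set and the three-entry-type threshold are illustrative choices of this example, not a complete CWS signature, and the "(no name)" rule is deliberately weak because legitimate components such as Spybot's SDHelper.dll show up the same way.

```python
"""Triage a HijackThis log: flag entry types that CoolWebSearch-style
hijackers abuse and cluster entries by the file they load, so a DLL
that appears under several entry types (as mcicdb.dll and
Q713239053.dll do in the log above) stands out from one-off entries.
Added example for this thread; the rules are illustrative only."""
import re
from collections import defaultdict

# Sample input: an abbreviated copy of lines from the log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://fastsearchweb.com/srh.php?q=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\mcicdb.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\mcicdb.dll/sp.html (obfuscated)
R3 - URLSearchHook: Search - {A1DDDC31-F8C3-4EC2-9E7A-CB4B01916418} - C:\WINDOWS\system32\Q713239053.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {67F2B0B7-C4EA-4FA3-81D5-7BA8583142C0} - C:\WINDOWS\system32\mcicdb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINDOWS\system32\iecust.dll
O3 - Toolbar: Search - {0623DE39-6CA8-4731-BB95-E3934CEBEFE6} - C:\WINDOWS\system32\Q713239053.dll
O9 - Extra button: Search - {0623DE39-6CA8-4731-BB95-E3934CEBEFE6} - C:\WINDOWS\system32\Q713239053.dll
O15 - Trusted Zone: http://*.63.219.181.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{4C61228D-7173-4F15-8F89-09329FC13689}: NameServer = 69.50.188.178,69.31.80.244
O18 - Filter: text/html - {ECFEFD9A-9179-413A-BFFA-074281FE3710} - C:\WINDOWS\system32\mcicdb.dll
O23 - Service: Apache - Unknown - E:\Apache\Apache.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
# First drive-letter path ending in .dll/.exe; the lazy match tolerates spaces
PATH_RE = re.compile(r"([A-Za-z]:\\.*?\.(?:dll|exe))\b", re.IGNORECASE)
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def parse(log):
    """Return (kind, body, raw_line) for every HijackThis entry line."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m["kind"], m["body"], line.strip()))
    return entries


def flag(entries):
    """Per-line rules; each finding is (reason, raw_line)."""
    findings = []
    for kind, body, line in entries:
        if kind in ("R0", "R1") and "res://" in body:
            findings.append(("start/search page served from a resource inside a local DLL", line))
        elif kind in ("R0", "R1") and "http://" in body:
            findings.append(("default/search URL points off-box; verify you chose it", line))
        elif kind == "O15" and IP_RE.search(body):
            findings.append(("Trusted Zone entry for a raw IP; its pages skip Internet-zone restrictions", line))
        elif kind == "O17":
            ips = ", ".join(IP_RE.findall(body))
            findings.append((f"DNS servers forced in the registry ({ips}); confirm they are your ISP's", line))
        elif kind == "O18" and re.search(r"Filter: text/(html|plain)", body):
            findings.append(("MIME filter on text/html or text/plain sees every page IE renders", line))
        elif kind == "O2" and "(no name)" in body:
            findings.append(("unnamed BHO; weak on its own, Spybot's SDHelper.dll shows this too", line))
    return findings


def cluster_by_file(entries):
    """Map each lower-cased file path to the set of entry kinds that load it."""
    by_file = defaultdict(set)
    for kind, body, _ in entries:
        m = PATH_RE.search(body)
        if m:
            by_file[m.group(1).lower()].add(kind)
    return by_file


def suspicious_files(entries, min_kinds=3):
    """Files hooked into IE through at least min_kinds different entry types."""
    return {path: sorted(kinds)
            for path, kinds in cluster_by_file(entries).items()
            if len(kinds) >= min_kinds}


if __name__ == "__main__":
    entries = parse(SAMPLE_LOG)
    for reason, line in flag(entries):
        print(f"[{reason}]\n    {line}")
    for path, kinds in suspicious_files(entries).items():
        print(f"{path}: loaded by {', '.join(kinds)}")
```

On the sample, the clustering puts mcicdb.dll (R1, R0, O2, O18) and Q713239053.dll (R3, O3, O9) at the top, which is the same set of files the reply below tells the poster to delete, while SDHelper.dll appears only once and is left alone. The per-line rules are a starting point for reading a log, not a verdict; every hit still needs a human to confirm whether the entry was chosen by the user.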



#2 Grinler (Lawrence Abrams, Admin)
Posted 17 January 2005 - 02:11 AM

Please download this tool to your desktop.
http://securityresponse.symantec.com/avcenter/FxAgentB.exe


Print out these instructions and then close all windows including Internet Explorer.

Then I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run HijackThis again, click Scan, and put a checkmark next to each of these. Then click the Fix button:


R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://fastsearchweb.com/srh.php?q=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\mcicdb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\mcicdb.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\mcicdb.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\mcicdb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\mcicdb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\mcicdb.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: Search - {A1DDDC31-F8C3-4EC2-9E7A-CB4B01916418} - C:\WINDOWS\system32\Q713239053.dll
O2 - BHO: (no name) - {5DBC9D27-BD1F-45C5-8D38-CD7E113E3027} - C:\WINDOWS\system32\msvwn.dll
O2 - BHO: (no name) - {67F2B0B7-C4EA-4FA3-81D5-7BA8583142C0} - C:\WINDOWS\system32\mcicdb.dll
O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINDOWS\system32\iecust.dll
O3 - Toolbar: Search - {0623DE39-6CA8-4731-BB95-E3934CEBEFE6} - C:\WINDOWS\system32\Q713239053.dll
O9 - Extra button: Search - {0623DE39-6CA8-4731-BB95-E3934CEBEFE6} - C:\WINDOWS\system32\Q713239053.dll
O15 - Trusted Zone: http://*.63.219.181.7
O16 - DPF: {7623BE59-D4CF-4379-ABC4-B39E11854D66} (MabinogiWebAvatarRenderer Class) - http://avatar.mabinogi.com:88/renderer/mabiweb.2004.7.19.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4C61228D-7173-4F15-8F89-09329FC13689}: NameServer = 69.50.188.178,69.31.80.244
O17 - HKLM\System\CCS\Services\Tcpip\..\{5E7D2F2E-553A-4A04-A7EC-FD269F167333}: NameServer = 69.50.188.178,69.31.80.244
O17 - HKLM\System\CS1\Services\Tcpip\..\{4C61228D-7173-4F15-8F89-09329FC13689}: NameServer = 69.50.188.178,69.31.80.244
O18 - Filter: text/html - {ECFEFD9A-9179-413A-BFFA-074281FE3710} - C:\WINDOWS\system32\mcicdb.dll
O18 - Filter: text/plain - {ECFEFD9A-9179-413A-BFFA-074281FE3710} - C:\WINDOWS\system32\mcicdb.dll

Reboot your computer into Safe Mode

Then delete these files or directories (Do not be concerned if they do not exist)

C:\WINDOWS\system32\mcicdb.dll
C:\WINDOWS\system32\msvwn.dll
C:\WINDOWS\system32\iecust.dll
C:\WINDOWS\system32\Q713239053.dll

Run FxAgentB and let it scan your computer and fix what it finds.

Reboot your computer to go back to normal mode and post a new log.



