magicsearch hijack help

whowants2know · Feb 7, 2004

heres my log

CWShredder v1.47.5 scan only report

Windows 98 (4.10.1998 )
Windows dir: C:\WINDOWS
Windows system dir: C:\WINDOWS\system
AppData folder: C:\WINDOWS\Profiles\saiyanwarrior@charter.net\Application Data
Username: saiyanwarrior@charter.net

Infected Registry value:
HKCU\Software\Microsoft\Internet Explorer,SearchAssistant
Infected data: http://www.magicsearch.ws/?q=
Infected Registry value:
HKCU\Software\Microsoft\Internet Explorer,Search
Infected data: http://www.magicsearch.ws/?q=
Infected Registry value:
HKCU\Software\Microsoft\Internet Explorer,SearchURL
Infected data: http://www.magicsearch.ws/?q=
Infected Registry value:
HKCU\Software\Microsoft\Internet Explorer,www
Infected data: http://www.magicsearch.ws/?q=
Infected Registry value:
HKLM\Software\Microsoft\Internet Explorer,Search
Infected data: http://www.magicsearch.ws/?q=
Infected Registry value:
HKLM\Software\Microsoft\Internet Explorer,SearchURL
Infected data: http://www.magicsearch.ws/?q=
Infected Registry value:
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL
Infected data: http://www.magicsearch.ws
Infected Registry value:
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
Infected data: http://www.magicsearch.ws/?q=
Infected Registry value:
HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar
Infected data: http://www.magicsearch.ws/?q=
Infected Registry value:
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page
Infected data: http://www.magicsearch.ws/?q=
Infected Registry value:
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page,about:blank
Infected data: http://www.magicsearch.ws
Infected Registry value:
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL
Infected data: http://www.magicsearch.ws
Infected Registry value:
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
Infected data: http://www.magicsearch.ws/?q=
Infected Registry value:
HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar
Infected data: http://www.magicsearch.ws/?q=
Infected Registry value:
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page
Infected data: http://www.magicsearch.ws/?q=
Infected Registry value:
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page,about:blank
Infected data: http://www.magicsearch.ws
Infected Registry value:
HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant,http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
Infected data: http://www.magicsearch.ws/?q=
Infected Registry value:
HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch,http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
Infected data: http://www.magicsearch.ws/?q=
Infected Registry value:
HKLM\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes,www,http://
Infected data: http://www.magicsearch.ws/?q=
Hosts file not present
Found CWS.Control (if filesize is over 50k) file: C:\WINDOWS\control.exe (2112 bytes, A)
Found CWS.Smartsearch.3 file: C:\WINDOWS\notepad32.exe (21568 bytes, H)
Found CWS.Smartsearch.3 file: C:\Program Files\Common Files\Services\users32.exe (21568 bytes, H, running)
Found CWS.Smartsearch.3 file: C:\Program Files\Common Files\Services\win64.exe (21568 bytes, H)
CWS.Vrape/CWS.Addclass Registry value: DefaultPrefix [] http://www.magicsearch.ws/?q=
CWS.Vrape/CWS.Addclass Registry value: WWW Prefix [www] http://www.magicsearch.ws/?q=
Registry value: Mosaic Prefix [mosaic] http://
Registry value: Home Prefix [home] http://
Found Win.ini file: C:\WINDOWS\win.ini (8838 bytes, A)
Found line in Win.ini: load=
Found line in Win.ini: run=
Found System.ini file: C:\WINDOWS\system.ini (2372 bytes, A)
Found line in System.ini: shell=Explorer.exe

- END OF REPORT -

snowbound · Feb 7, 2004

What i need u to do is instead of scan only please open CWShredder and press next and let it try and fix all those entries.

snowbound

snowbound · Feb 7, 2004

After that could u please post a HIjackThis Log.

U can download it here,

http://www.tomcoyote.org/hjt/

Thanks.

snowbound

whowants2know · Feb 7, 2004

Logfile of HijackThis v1.97.7
Scan saved at 8:33:28 PM, on 2/7/04
Platform: Windows 98 Gold (Win9x 4.10.199
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\SYSTEM\PRINTRAY.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\WINDOWS\SYSTEM\NBTV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\3CODECAL.EXE
C:\WINDOWS\SYSTEM\XZ11DBL.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\PROGRAM FILES\STARCRAFT\SCXE START.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\MSOFFICE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [ICSDCLT] C:\WINDOWS\rundll32.exe C:\WINDOWS\SYSTEM\icsdclt.dll,ICSClient
O4 - HKLM\..\Run: [NBTV] C:\WINDOWS\SYSTEM\NBTV.exe
O4 - HKLM\..\Run: [3CODECAL] C:\WINDOWS\SYSTEM\3CODECAL.exe
O4 - HKLM\..\Run: [XZ11DBL] C:\WINDOWS\SYSTEM\XZ11DBL.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [PopUpStopperProfessional] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER PROFESSIONAL\POPUPSTOPPERPROFESSIONAL.EXE"
O4 - HKCU\..\RunServices: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\RunServices: [PopUpStopperProfessional] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER PROFESSIONAL\POPUPSTOPPERPROFESSIONAL.EXE"
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Office Shortcut Bar.Lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - User Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - User Startup: Microsoft Office Shortcut Bar.Lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - User Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .png: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .php?name=Downloads&d_op=getit&lid=21&prev=/search?q=Rpg-maker-2000-charsets&hl=en&lr=&ie=UTF-8: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {00000000-CDDC-0704-0B53-2C8830E9FAEC} (IELoaderCtl Class) - http://install.global-netcom.de/ieloader.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37989.8371296296
O16 - DPF: {B9D029D3-CDE3-11CF-855E-00A0C908FAF9} (ActiveX Tree Control) - file://C:\Program Files\VBScript Training\ie\webfiles\treectl.cab
O16 - DPF: {B797C9C3-39C1-11D1-95AC-00609721D4C2} (ButtonControl.Button) - file://C:\PROGRAM FILES\VBSCRIPT TRAINING\IE\webfiles\cab\NButton.CAB

There she be snowbound, hijack this log this time.

snowbound · Feb 7, 2004

I don't see magicsearch in your log. CWShredder must of fixed it for now.
There is still some suspicious entries in your log but
iam by no means an expert at HJT so this is as far as i can advise u.

Most of the experts live in different time zones so just be patient and they will help u with the rest of your log.

Something u could do for me is reboot and tell me if your homepage is still Hijacked.

Magicsearch has a nasty habit of coming back if not fixed completely.

Thanks.

snowbound

whowants2know · Feb 7, 2004

Nope, its about:blank now, im gonna set it back 2 google

Thanks a Bunch Snowbound,

Whowants2know

Log in or Sign up

magicsearch hijack help

whowants2know Guest

snowbound Retired Moderator

snowbound Retired Moderator

whowants2know Guest

snowbound Retired Moderator

whowants2know Guest

Log in or Sign up

magicsearch hijack help

whowants2know Guest

snowbound Retired Moderator

snowbound Retired Moderator

whowants2know Guest

snowbound Retired Moderator

whowants2know Guest

Useful Searches