HiJack This Log

Discussion in 'adware, spyware & hijack cleaning' started by Chris_Raska, Mar 28, 2004.

Thread Status:
Not open for further replies.
  1. Chris_Raska

    Chris_Raska Registered Member

    Joined:
    Mar 28, 2004
    Posts:
    27
    I have just recently been hijacked by http://www.your-search.info/start.html. Every time I reset my computer my homepage will go back to that url. I ran HijackThis heres my log file. I ran Ad-Aware and it didnt find anything. Thankyou guys for your help.

    Logfile of HijackThis v1.97.7
    Scan saved at 10:35:37 AM, on 3/28/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\WINDOWS\system32\ntvdm.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\SYSTEM32\notepad.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\8FYDWF27\HijackThis[1].exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.your-search.info/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.your-search.info/start.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.your-search.info/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.your-search.info/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.your-search.info/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.your-search.info/start.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.your-search.info/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.your-search.info/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.your-search.info/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.your-search.info/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    R3 - Default URLSearchHook is missing
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [system32.dll] C:\WINDOWS\system\systeminit.exe
    O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\Owner\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Central"
    O4 - Startup: Event Minder Reminders.lnk = C:\HALLMARK\EMREMIND.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: sytem32.exe
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
    O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt0_x.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
    O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt0_x.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash4/cabs/swflash.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v5.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{63D63BF9-2570-4DF1-80E6-3403C19AAAC5}: NameServer = 216.234.97.2 216.234.97.3
    O19 - User stylesheet: C:\WINDOWS\sstyle.css
    O19 - User stylesheet: C:\WINDOWS\sstyle.css (HKLM)
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi Chris_Raska,

    Before you start please unzip hijackthis.exe to a folder of it´s own. The program creates backups in the folder it is in. In a Temp folder they easily disappear.

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.your-search.info/search.html

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.your-search.info/start.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.your-search.info/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.your-search.info/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.your-search.info/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.your-search.info/start.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.your-search.info/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.your-search.info/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.your-search.info/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.your-search.info/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    R3 - Default URLSearchHook is missing
    O4 - HKLM\..\Run: [system32.dll] C:\WINDOWS\system\systeminit.exe

    O4 - Global Startup: sytem32.exe

    O19 - User stylesheet: C:\WINDOWS\sstyle.css
    O19 - User stylesheet: C:\WINDOWS\sstyle.css (HKLM)

    Then download and run CWShredder
    Use the Fix button and follow the instructions provided by the program.

    Then reboot and delete:
    C:\WINDOWS\system\systeminit.exe
    C:\WINDOWS\sstyle.css
    c:\Documents and Settings\sys.exe
    sytem32.exe <= NOTE: the missing "S"


    Regards,

    Pieter
     
  3. Chris_Raska

    Chris_Raska Registered Member

    Joined:
    Mar 28, 2004
    Posts:
    27
    Ok I did what you told me to. The only promlem is I couldnt locate the :\Documents and Settings\sys.exe I even ran a search for it and nothing was found. Is there something I should do about that? Thankyou for your time and the help. Heres my updated log file.

    Logfile of HijackThis v1.97.7
    Scan saved at 11:50:35 AM, on 3/28/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\WINDOWS\system32\ntvdm.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Owner\My Documents\hijackthis1977[1]\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\Owner\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Central"
    O4 - Startup: Event Minder Reminders.lnk = C:\HALLMARK\EMREMIND.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
    O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt0_x.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
    O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt0_x.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash4/cabs/swflash.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v5.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{63D63BF9-2570-4DF1-80E6-3403C19AAAC5}: NameServer = 216.234.97.2 216.234.97.3
     
  4. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    don't worry if that sys.exe isn't there as it ihas been found in some examples of this pest, so it's wise to check in all cases

    what is a bit concerning though is this entry
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe

    That is a common entry in windows98 & ME but isn't usual in XP.

    It can be a sign of a trojan infection so search for the systray.exe file probably in c:\windows and see if it exists there

    the correct version will be at c:\windows\system32\systray.exe and will be 3kb in size

    if you find any other versions except for the system32 version please note where they are and post back so we can check

    sometimes that entry is a left over from an earlier install of windows.
     
  5. Chris_Raska

    Chris_Raska Registered Member

    Joined:
    Mar 28, 2004
    Posts:
    27
    My computer was upgraded from Windows 98 to Xp. A few months ago I ran the Disk Cleanup then and there was some files left from the old operating system. I checked the box and removed them. So do you think that its a lingering file or a file of some risk? What should I do?
     
  6. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    If it's an update then it's a fairly common left over and no risk

    just do a search and see where it is

    you will might find 2 versions then, one in c:\windows\system and one in c:\windows\system32

    if there is one just in c:\windows then I would have that file checked against the online virus checker here
    http://www.kaspersky.com/remoteviruschk.html
     
  7. Chris_Raska

    Chris_Raska Registered Member

    Joined:
    Mar 28, 2004
    Posts:
    27
    I found a file called systray it is an Application File located at C:\WINDOWS\SYSTEM32, the date modified is 8/23/2001 12:00pm. It also found SYSTRAY.EXE-345DCC1C.pf it is a PF File, the date modified is Today, March 28, 2004, 10:09:36 AM. I should delete the second one right? The first one is from when I had Windows 98 so that would make it a safe file left over from changing OS's. I will wait for a responce if I should delete the second one though. Thankyou all again for your help.
     
  8. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    They are both Ok so can be left

    the pf file is an xp preloader that is supposed to speed things up a bit so isn't important but leave them both alone.


    We just wanted to check just in case as I said earlier it's unusual to see that systray.exe in an XP HJT log as it runs as a service in XP not a process
     
  9. Chris_Raska

    Chris_Raska Registered Member

    Joined:
    Mar 28, 2004
    Posts:
    27
    Thankyou all. You saved me having to buy a new computer. :D Keep up the good work.
     
Thread Status:
Not open for further replies.