Hijacked + Searchbar (HijackThis log included)

Discussion in 'adware, spyware & hijack cleaning' started by Nookie, Dec 5, 2003.

Thread Status:
Not open for further replies.
  1. Nookie

    Nookie Guest

    Hey all, I saw some other persons got the same hijack as me, the lucky search main page, I tried to follow the instructions, but my log is way different that the ones posted. Can some1 look into it? I also have a searchbar popping up each time I start a new browser screen... (a blue searchbar with a search field and several buttons)

    Logfile of HijackThis v1.97.7
    Scan saved at 11:17:42, on 5-12-2002
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\Tmntsrv.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe
    C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe
    D:\Program Files\Winamp\winampa.exe
    C:\Program Files\Messenger Plus! 2\MsgPlus.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\Documents and Settings\Jan Peter\Bureaublad\HijackThis.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://acc.count-all.com/--/?ydtfs (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://acc.count-all.com/---/?ydtfs (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://acc.count-all.com/--/?ydtfs (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://acc.count-all.com/-/?ydtfs about:blank (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://acc.count-all.com/-/?ydtfs (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://acc.count-all.com/--/?ydtfs (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://acc.count-all.com/---/?ydtfs (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://acc.count-all.com/--/?ydtfs (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://acc.count-all.com/-/?ydtfs about:blank (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://acc.count-all.com/--/?ydtfs (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://acc.count-all.com/--/?ydtfs (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://acc.count-all.com/--/?ydtfs (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://acc.count-all.com/---/?ydtfs (obfuscated)
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=209.234.157.13:80
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.alcatel.com/consumer/dsl/
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://acc.count-all.com/--/?ydtfs (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://acc.count-all.com/--/?ydtfs (obfuscated)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {6a25893e-b1a3-4cd4-89cc-bb76c1207306} - C:\DOCUME~1\Marjan\APPLIC~1\yessvcrtrd.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
    O3 - Toolbar: frffouthxtr - {75fe48bd-b013-4bab-bfa4-1252ab843201} - C:\DOCUME~1\Marjan\APPLIC~1\yessvcrtrd.dll
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe"
    O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe"
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe"
    O4 - HKLM\..\Run: [Tapicfg.exe] C:\WINDOWS\System32\tapicfg.exe
    O4 - HKLM\..\Run: [WinampAgent] D:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
    O4 - HKLM\..\Run: [vkxsari] rundll32 C:\WINDOWS\System32:vkxsari.dll,Init 1
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKLM\..\RunOnce: [*vkxsari] rundll32 C:\WINDOWS\System32:vkxsari.dll,Init 1
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
    O9 - Extra button: HotWhois (HKLM)
    O9 - Extra 'Tools' menuitem: &HotWhois (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O10 - Broken Internet access because of LSP provider 'cslsp.dll' missing
    O13 - DefaultPrefix: http://zw.com.tw:3128@DF809JOW4WJ2304LFD0SF9FSD0A2T4LDF809JOW4WJ2304LFD0SF9FSD0A2T4LD%2E%42%49%5A/c/c.pl?url=
    O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) - https://www.p3.postbank.nl/sesam/CAX.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{6810E627-B2F5-4537-963C-331726D5D77A}: NameServer = 62.251.0.6 62.251.0.7
    O19 - User stylesheet: C:\WINDOWS\Web\win.def
    O19 - User stylesheet: C:\WINDOWS\default.css (HKLM)

    Any help is welcome, thx in advance :)
     
  2. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Hi Nookie :)

    Can you first download this removal tool , created by Merijn :

    CWShredder

    Open -> doubleclick cwshredder.exe -> click 'next'

    Reboot and repost another log.

    Thanks!

    Note : it can be the download link is not really available at the moment, as Merijn is working on his page. It will be back online asap

    Cheers,
     
  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,440
    Location:
    Netherlands
    Hi Nookie,

    Please do the steps in this following order.

    Download, unzip and run: http://www.wilderssecurity.com/attachments/cwshredder1380.zip

    Click "Start" > "Run" > type or copy&paste rundll32 C:\WINDOWS\System32:vkxsari.dll,Uninstall > "OK"

    Then check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    O2 - BHO: (no name) - {6a25893e-b1a3-4cd4-89cc-bb76c1207306} - C:\DOCUME~1\Marjan\APPLIC~1\yessvcrtrd.dll

    O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
    O3 - Toolbar: frffouthxtr - {75fe48bd-b013-4bab-bfa4-1252ab843201} - C:\DOCUME~1\Marjan\APPLIC~1\yessvcrtrd.dll

    O4 - HKLM\..\Run: [vkxsari] rundll32 C:\WINDOWS\System32:vkxsari.dll,Init 1

    O4 - HKLM\..\RunOnce: [*vkxsari] rundll32 C:\WINDOWS\System32:vkxsari.dll,Init 1

    O13 - DefaultPrefix: http://zw.com.tw:3128@DF809JOW4WJ2304LFD0SF9FSD0A2T4LDF809JOW4WJ2304LFD0SF9FSD0A2T4LD%2E%42%49%5A/c/c.pl?url=

    Then reboot.

    Regards,

    Pieter

    Hi Unzy :)
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.