Hijackthis help pls-log included

Discussion in 'adware, spyware & hijack cleaning' started by cameronst, Apr 2, 2004.

Thread Status:
Not open for further replies.
  1. cameronst

    cameronst Registered Member

    Joined:
    Apr 2, 2004
    Posts:
    6
    I am getting a popup in IE Explorer browser even when not surfing the internet. The browser attempts to open the page: http://trafficex.org/trs/redirect.php?adv=aI8pgk

    but doesn't appear to get anywhere.

    As per advice on other threads, I've run updated versions of Spybot, Adaware, and CWShredder but the problem continues. It seems linked to coolweb search in that I find evidence of coolweb search when I run Spybot.

    I ran google and altavista searches on "trafficex.org" and found nothing.

    I ran hijackthis and am providing the log below.

    Logfile of HijackThis v1.97.7
    Scan saved at 6:19:36 PM, on 4/2/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\WINDOWS\consol32.exe
    C:\WINDOWS\swchost.exe
    C:\WINDOWS\System32\scchost.exe
    C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\MSN Messenger\msnmsgr.exe
    c:\Program Files\Internet Explorer\iexplore.exe
    C:\Steve\backup\HijackThis.exe

    N3 - Netscape 7: user_pref("browser.startup.homepage", "http:/www.msn.com"); (C:\Documents and Settings\@@@@@@@\Application Data\Mozilla\Profiles\default\0vkv7ql8.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNetscape%5CNETSCA%7E1%5Csearchplugins%5CSBWeb_06.src"); (C:\Documents and Settings\@@@@@@@\Application Data\Mozilla\Profiles\default\0vkv7ql8.slt\prefs.js)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [Windows report] C:\WINDOWS\swchost.exe
    O4 - HKLM\..\Run: [Systems] C:\WINDOWS\System32\scchost.exe
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [Cons] C:\WINDOWS\consol32.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O13 - DefaultPrefix:
    O13 - WWW Prefix:
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38023.7333217593

    There were a few obvious malware entities identified in a previous run of hijackthis (dialers, etc) that I deleted before consulting the experts-perhaps not the best choice in retrospect.

    Any help you can provide in getting rid of this annoying popup would be most appreciated.

    best regards and many thanks,

    Cam
     
  2. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    Hi cameronst,

    Welcome to Wilders.

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    O4 - HKLM\..\Run: [Windows report] C:\WINDOWS\swchost.exe
    O4 - HKLM\..\Run: [Systems] C:\WINDOWS\System32\scchost.exe

    O4 - HKLM\..\Run: [Cons] C:\WINDOWS\consol32.exe

    O13 - DefaultPrefix:
    O13 - WWW Prefix:

    There also may be hidden files. See HERE for how to show hidden files.

    Then reboot into safe mode, and zip the following files before deletion and e-mail them to Pieter at the address in his profile. Please include a link to this thread.

    C:\WINDOWS\swchost.exe
    C:\WINDOWS\System32\scchost.exe
    C:\WINDOWS\consol32.exe

    Now delete the following files:

    C:\WINDOWS\swchost.exe
    C:\WINDOWS\System32\scchost.exe
    C:\WINDOWS\consol32.exe

    Reboot and then post a fresh HijackThis log.

    Regards,
    Kent
     
  3. cameronst

    cameronst Registered Member

    Joined:
    Apr 2, 2004
    Posts:
    6
    Kent,

    I followed your suggestions and the problem appears to be fixed. I am posting an updated HijackThis log below.

    I really appreciate your help.

    Cam



    Logfile of HijackThis v1.97.7
    Scan saved at 8:57:30 PM, on 4/2/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Steve\backup\HijackThis.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\imapi.exe

    N3 - Netscape 7: user_pref("browser.startup.homepage", "http:/www.msn.com"); (C:\Documents and Settings\@@@@@@@\Application Data\Mozilla\Profiles\default\0vkv7ql8.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNetscape%5CNETSCA%7E1%5Csearchplugins%5CSBWeb_06.src"); (C:\Documents and Settings\@@@@@@@\Application Data\Mozilla\Profiles\default\0vkv7ql8.slt\prefs.js)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38023.7333217593
     
  4. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    Congratulations cameronst, your system is clean.

    Regards,
    Kent
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Thank you for the files you sent me.

    consol32.exe is definitely CWS related
    It contained a link to hxxp://trafficex.org which is redirected to hxxp://www.008k.com which is a known CWS domain

    The other two were picked up by TDS as:

    Positive identification <Adv>: Possible WebDownloader
    File: i:\manege (kijk uit)\oogstweek14\scchost.exe

    Positive identification <Adv>: Possible WebDownloader
    File: i:\manege (kijk uit)\oogstweek14\swchost.exe

    swchost downloads a file called r1.exe when run

    Kaspersky online scan about that one
    r1.exe Packed: UPX
    r1.exe Infected: TrojanDropper.Win32.Small.fp

    Forwarded the entire package to several vendors for further investigation.

    Regards,

    Pieter
     
Thread Status:
Not open for further replies.