Hijackthis help pls-log included

I am getting a popup in IE Explorer browser even when not surfing the internet. The browser attempts to open the page: http://trafficex.org/trs/redirect.php?adv=aI8pgk

but doesn't appear to get anywhere.

As per advice on other threads, I've run updated versions of Spybot, Adaware, and CWShredder but the problem continues. It seems linked to coolweb search in that I find evidence of coolweb search when I run Spybot.

I ran google and altavista searches on "trafficex.org" and found nothing.

I ran hijackthis and am providing the log below.

Logfile of HijackThis v1.97.7
Scan saved at 6:19:36 PM, on 4/2/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\consol32.exe
C:\WINDOWS\swchost.exe
C:\WINDOWS\System32\scchost.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
c:\Program Files\Internet Explorer\iexplore.exe
C:\Steve\backup\HijackThis.exe

N3 - Netscape 7: user_pref("browser.startup.homepage", "http:/www.msn.com"); (C:\Documents and Settings\@@@@@@@\Application Data\Mozilla\Profiles\default\0vkv7ql8.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNetscape%5CNETSCA%7E1%5Csearchplugins%5CSBWeb_06.src"); (C:\Documents and Settings\@@@@@@@\Application Data\Mozilla\Profiles\default\0vkv7ql8.slt\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Windows report] C:\WINDOWS\swchost.exe
O4 - HKLM\..\Run: [Systems] C:\WINDOWS\System32\scchost.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Cons] C:\WINDOWS\consol32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O13 - DefaultPrefix:
O13 - WWW Prefix:
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38023.7333217593

There were a few obvious malware entities identified in a previous run of hijackthis (dialers, etc) that I deleted before consulting the experts-perhaps not the best choice in retrospect.

Any help you can provide in getting rid of this annoying popup would be most appreciated.

best regards and many thanks,

Cam

 

Hi cameronst,

Welcome to Wilders.

Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

O4 - HKLM\..\Run: [Windows report] C:\WINDOWS\swchost.exe
O4 - HKLM\..\Run: [Systems] C:\WINDOWS\System32\scchost.exe

O4 - HKLM\..\Run: [Cons] C:\WINDOWS\consol32.exe

O13 - DefaultPrefix:
O13 - WWW Prefix:

There also may be hidden files. See HERE for how to show hidden files.

Then reboot into safe mode, and zip the following files before deletion and e-mail them to Pieter at the address in his profile. Please include a link to this thread.

C:\WINDOWS\swchost.exe
C:\WINDOWS\System32\scchost.exe
C:\WINDOWS\consol32.exe

Now delete the following files:

C:\WINDOWS\swchost.exe
C:\WINDOWS\System32\scchost.exe
C:\WINDOWS\consol32.exe

Reboot and then post a fresh HijackThis log.

Regards,
Kent

 

Kent,

I followed your suggestions and the problem appears to be fixed. I am posting an updated HijackThis log below.

I really appreciate your help.

Cam



Logfile of HijackThis v1.97.7
Scan saved at 8:57:30 PM, on 4/2/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Steve\backup\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\imapi.exe

N3 - Netscape 7: user_pref("browser.startup.homepage", "http:/www.msn.com"); (C:\Documents and Settings\@@@@@@@\Application Data\Mozilla\Profiles\default\0vkv7ql8.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNetscape%5CNETSCA%7E1%5Csearchplugins%5CSBWeb_06.src"); (C:\Documents and Settings\@@@@@@@\Application Data\Mozilla\Profiles\default\0vkv7ql8.slt\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38023.7333217593

 

Congratulations cameronst, your system is clean.

Regards,
Kent

 

Thank you for the files you sent me.

consol32.exe is definitely CWS related
It contained a link to hxxp://trafficex.org which is redirected to hxxp://www.008k.com which is a known CWS domain

The other two were picked up by TDS as:

Positive identification <Adv>: Possible WebDownloader
File: i:\manege (kijk uit)\oogstweek14\scchost.exe

Positive identification <Adv>: Possible WebDownloader
File: i:\manege (kijk uit)\oogstweek14\swchost.exe

swchost downloads a file called r1.exe when run

Kaspersky online scan about that one
r1.exe Packed: UPX
r1.exe Infected: TrojanDropper.Win32.Small.fp

Forwarded the entire package to several vendors for further investigation.

Regards,

Pieter