Hijackthis log (Magicsearch)

Discussion in 'adware, spyware & hijack cleaning' started by Gallilleo, Feb 4, 2004.

Thread Status:
Not open for further replies.
  1. Gallilleo

    Gallilleo Registered Member

    Joined:
    Feb 4, 2004
    Posts:
    8
    Location:
    UK
    Hello there,

    I've managed to get to this very impressive forum after deleting my hosts file.

    I originally posted on cexx.org forum and Unzy very kindly replied. I ran CWShredder as requested and this is the subsequent Hijackthis log.

    Sorry if I've caused confusion by transferring this over, but this forum seems to me to be the place to get the best help (I won't re-post on cexx).

    Many thanks,
    Keith.


    Logfile of HijackThis v1.97.7
    Scan saved at 23:19:41, on 04/02/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    C:\Windows\system\directx.exe
    C:\Documents and Settings\Keith Bonney\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://magicsearch.ws/?q=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://magicsearch.ws/?q=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://magicsearch.ws/?q=
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://magicsearch.ws
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://magicsearch.ws
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://magicsearch.ws/?q=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://magicsearch.ws/?q=
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://magicsearch.ws/?q=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://magicsearch.ws
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://magicsearch.ws/?q=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://magicsearch.ws/?q=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://magicsearch.ws
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://magicsearch.ws/?q=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://magicsearch.ws/?q=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://magicsearch.ws/?q=
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://magicsearch.ws/?q=
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://magicsearch.ws/?q=
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
    O4 - HKLM\..\Run: [MicrosoftWindows] C:\Windows\system\directx.exe
    O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [MicrosoftWindows] C:\Windows\system\directx.exe
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O9 - Extra button: AOL Instant Messenger (TM) (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O13 - DefaultPrefix: http://magicsearch.ws/?q=
    O13 - WWW Prefix: http://magicsearch.ws/?q=
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A3E5D502-5A05-42A8-96BB-2C5A03CF24D7}: NameServer = 193.38.113.3 194.117.157.4
     
  2. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Hi Gallilleo :)

    Welcome to Wilders.

    When you ran CWShredder did you update it?

    I still see magicsearch.ws in your log. This is a domain of the CoolWebSearch Hijacker. I'm almost positive CWShredder should have taken care of that.

    If you can, update CWShredder and try running it again.

    EDIT-Then post a fresh HijackThis log.

    Thanks.


    snowbound
     
  3. Gallilleo

    Hi snowbound, thanks for your reply and welcome.

    Yes I updated CWShredder today, file dated 04/02/2004.

    After fixing with CWShredder should I reboot?

    Many thanks for your time.
     
  4. snowbound

    Yes, then post a fresh HijackThis log.

    You're welcome :)



    snowbound
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi Gallilleo,

    If running the latest version of CWShredder does not solve it:

    Download and install Regprot from http://www.diamondcs.com.au/index.php?page=regprot

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    O4 - HKLM\..\Run: [MicrosoftWindows] C:\Windows\system\directx.exe

    O4 - HKCU\..\Run: [MicrosoftWindows] C:\Windows\system\directx.exe

    You will get several alerts from Regprot. Do not allow the new startups and reboot.
    Then delete directx.exe and run CWShredder again.
    Make and post a new HijackThis log after doing so.

    Regards,

    Pieter
     
  6. Gallilleo

    Hi Pieter,

    Downloaded Regprot as requested, then came to check the two reg entries you quoted in HijackThis. Problem is they aren't there any more and I haven't done anything yet!

    Looks like they have been replaced by

    O4 - HKLM\..\Run: [MicrosoftWindows] C:\Windows\system\sistem.exe

    O4 - HKLM\..\Run: [MicrosoftWindows] C:\Windows\system\sistem.exe

    I have therefore not continued until you have had a chance to look at the fresh log I have posted.

    Many thanks for your trouble.


    Logfile of HijackThis v1.97.7
    Scan saved at 17:27:59, on 05/02/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    C:\WINDOWS\System32\rundll32.exe
    C:\Windows\system\sistem.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Keith Bonney\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.magicsearch.ws/?q=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.magicsearch.ws/?q=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.magicsearch.ws/?q=
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.magicsearch.ws
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.magicsearch.ws
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.magicsearch.ws/?q=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.magicsearch.ws/?q=
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://www.magicsearch.ws/?q=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.magicsearch.ws
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.magicsearch.ws/?q=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.magicsearch.ws/?q=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.magicsearch.ws
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.magicsearch.ws/?q=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.magicsearch.ws/?q=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.magicsearch.ws/?q=
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://www.magicsearch.ws/?q=
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://www.magicsearch.ws/?q=
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
    O4 - HKLM\..\Run: [MicrosoftWindows] C:\Windows\system\sistem.exe
    O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [MicrosoftWindows] C:\Windows\system\sistem.exe
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O9 - Extra button: AOL Instant Messenger (TM) (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O13 - DefaultPrefix: http://www.magicsearch.ws/?q=
    O13 - WWW Prefix: http://www.magicsearch.ws/?q=
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A3E5D502-5A05-42A8-96BB-2C5A03CF24D7}: NameServer = 193.38.113.3 194.117.157.4
     
  7. Gallilleo

    Hi again Pieter,

    Just out of interest, I checked my C:/Windows/System folder for directx.exe and sistem.exe.

    They were both there along with a number of other suspicious applications which are all dated and timed 31/01/2004 14:28 (31/01 is the date I picked up this nasty bugger). They are all hidden apart from two which are directx.exe and time.exe and they are all sized 23KB.

    autorun.exe
    clrssn.exe
    critical.exe
    directx32.exe
    directx.exe
    explore.exe
    explorer32.exe
    iexplorer.exe
    inetinf.exe
    milannet.exe
    sistem.exe
    systeem.exe
    time.exe
    uninstall.exe
    volume.exe
    win32e.exe

    Could it be that on boot-up, one or more of these applications is being randomly loaded, hence the change in the hijacklog listing?

    Hope this information helps further.
    Keith.
     
  8. Gallilleo

    Decided to test my theory by re-booting, sure enough the "sistem.exe" entries have been replaced by

    O4 - HKLM\..\Run: [MicrosoftWindows] C:\Windows\system\critical.exe

    O4 - HKCU\..\Run: [MicrosoftWindows] C:\Windows\system\critical.exe

    Now all the above-mentioned applications are hidden with the exception of time.exe.

    I feel sure that ALL the files I named above have the same code and are in fact all the same program, just named differently so that if one gets found out and deleted another will take its place at the next boot-up.

    I'm no expert though, so if you don't mind, I'll leave the rest up to you guys who know what you're looking at.

    Keith.
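
The rotation described in the posts above (one Run value name, a different executable after each reboot) can be found mechanically by comparing the O4 lines of successive HijackThis logs. This is an added example, not part of the original thread: the function names are illustrative, and the sample lines are excerpted from the three scans quoted in posts 1, 6 and 8.

```python
import ntpath
import re
from collections import defaultdict

# HijackThis O4 registry autorun line: "O4 - HKLM\..\Run: [ValueName] command"
O4_RUN = re.compile(r"^\s*O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.+?)\s*$")

# O4 lines excerpted from the three scans in this thread, oldest first.
SCANS = [
    r"""O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [MicrosoftWindows] C:\Windows\system\directx.exe
O4 - HKCU\..\Run: [MicrosoftWindows] C:\Windows\system\directx.exe""",
    r"""O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [MicrosoftWindows] C:\Windows\system\sistem.exe
O4 - HKCU\..\Run: [MicrosoftWindows] C:\Windows\system\sistem.exe""",
    r"""O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [MicrosoftWindows] C:\Windows\system\critical.exe
O4 - HKCU\..\Run: [MicrosoftWindows] C:\Windows\system\critical.exe""",
]

def run_entries(log_text):
    """Map (hive, value name) -> command for every O4 Run line in one log."""
    entries = {}
    for line in log_text.splitlines():
        m = O4_RUN.match(line)
        if m:
            hive, name, cmd = m.groups()
            entries[(hive, name)] = cmd
    return entries

def rotating_autoruns(scans):
    """Return {(hive, name): [command per scan]} for values whose target changed."""
    history = defaultdict(list)
    for scan in scans:
        for key, cmd in run_entries(scan).items():
            history[key].append(cmd)
    return {k: v for k, v in history.items() if len({c.lower() for c in v}) > 1}

def report(scans):
    """One line per rotating value: the file names seen and the folder to sweep."""
    lines = []
    for (hive, name), cmds in sorted(rotating_autoruns(scans).items()):
        dirs = sorted({ntpath.dirname(c).lower() for c in cmds})  # bare paths, no arguments
        files = [ntpath.basename(c) for c in cmds]
        lines.append(f"{hive} Run [{name}] rotates {' -> '.join(files)} in {', '.join(dirs)}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(SCANS)))
```

A value that keeps its name while its target moves between files in one folder means every sibling file in that folder has to go in the same pass, which is why fixing a single O4 line did not hold here.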
     
  9. Pieter_Arntz

    I can tell you what we are looking at: CWS

    We have alerted Merijn today that CWShredder is not taking care of this variant.

    Could you please download and install Regprot from http://www.diamondcs.com.au/index.php?page=regprot

    Then run HijackThis and fix the two current lines with
    [MicrosoftWindows] C:\Windows\system\

    You will get a lot of alerts from Regprot. Do not allow these changes and reboot into safe mode and delete all the files that are in this "not-so-merry-go-round".

    Keep us posted,

    Pieter
     
  10. Gallilleo

    Hi Pieter,

    Many thanks... do I delete all the .exe files I found?
     
  11. Gallilleo

    Ok Pieter,

    You are a wizard, I am indebted to you... everything is now fixed.

    I did as you asked and went ahead and deleted all those .exe files anyway. I also deleted a prefetch file called CRITICAL.EXE-********.pf (the 8*'s are numbers which I can't remember). It seemed the right thing to do.

    Many many thanks for your help, and that of snowbound and unzy, you guys are the best. Thank goodness there are good guys out there to help out us dunces.

    All the best.
    Keith.
     
  12. Pieter_Arntz

    Excellent job, Gallilleo. :)

    Unfortunately I'm getting experienced helping people get rid of this junkware.
    Install the latest IE patches, so you won't get reinfected that easily.

    Regards,

    Pieter
     
  13. Gallilleo

    Will do and thanks once again.
     
  14. Pieter_Arntz

    No problem. It's what we like to do. :)

    Pieter
     