Hijackthis log (Magicsearch)

Hello there,

I've managed to get to this very impressive forum after deleting my hosts file.

I originally posted on cexx.org forum and Unzy very kindly replied. I ran CWShredder as requested and this is the subsequent Hijackthis log.

Sorry if I've caused confusion by transferring this over, but this forum seems to me to be the place to get the best help (I won't re-post on cexx).

Many thanks,
Keith.


Logfile of HijackThis v1.97.7
Scan saved at 23:19:41, on 04/02/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Windows\system\directx.exe
C:\Documents and Settings\Keith Bonney\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://magicsearch.ws/?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://magicsearch.ws/?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://magicsearch.ws/?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://magicsearch.ws
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://magicsearch.ws
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://magicsearch.ws/?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://magicsearch.ws/?q=
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://magicsearch.ws/?q=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://magicsearch.ws
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://magicsearch.ws/?q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://magicsearch.ws/?q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://magicsearch.ws
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://magicsearch.ws/?q=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://magicsearch.ws/?q=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://magicsearch.ws/?q=
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://magicsearch.ws/?q=
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://magicsearch.ws/?q=
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [MicrosoftWindows] C:\Windows\system\directx.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MicrosoftWindows] C:\Windows\system\directx.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O9 - Extra button: AOL Instant Messenger (TM) (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - DefaultPrefix: http://magicsearch.ws/?q=
O13 - WWW Prefix: http://magicsearch.ws/?q=
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A3E5D502-5A05-42A8-96BB-2C5A03CF24D7}: NameServer = 193.38.113.3 194.117.157.4

 

Hi Gallileo

Welcome to Wilders.

When u ran CWShredder did u update it?

I still see magicsearch.ws in your log. This is a domain of the CoolWebSearch Hijacker. I'm almost positive CWShredder should have taken care of that.

If u can, update CWShredder and try running it again.

EDIT-Then post a fresh HijackThis log.

Thanks.


snowbound

 

Hi snowbound, thanks for your reply and welcome.

Yes I updated CWShredder today, file dated 04/02/2004.

After fixing with CWShredder should I reboot?

Many thanks for your time.

 

Yes, then post a fresh HijackThis log.

Your Welcome



snowbound

 

Hi Gallilleo,

If running the latest version of CWShredder does not solve it:

Download and install Regprot from http://www.diamondcs.com.au/index.php?page=regprot

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

O4 - HKLM\..\Run: [MicrosoftWindows] C:\Windows\system\directx.exe

O4 - HKCU\..\Run: [MicrosoftWindows] C:\Windows\system\directx.exe

You will get several alerts from Regprot. Do not allow the new startups and reboot.
Then delete directx.exe and run CWShredder again.
Make and post a new HijackThis log after doing so.

Regards,

Pieter

 

Hi Pieter,

Downloaded regprot as requested, then came to check the two reg entries you quoted in hijackthis, problem is they arn't there any more and I havn't done anything yet!

Looks like they have been replaced by

O4 - HKLM\..\Run: [MicrosoftWindows] C:\Windows\system\sistem.exe

O4 - HKLM\..\Run: [MicrosoftWindows] C:\Windows\system\sistem.exe

I have therefore not continued until you have had a chance to look at the fresh log I have posted.

Many thanks for your trouble.


Logfile of HijackThis v1.97.7
Scan saved at 17:27:59, on 05/02/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Windows\system\sistem.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Keith Bonney\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.magicsearch.ws/?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.magicsearch.ws/?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.magicsearch.ws/?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.magicsearch.ws
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.magicsearch.ws
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.magicsearch.ws/?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.magicsearch.ws/?q=
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://www.magicsearch.ws/?q=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.magicsearch.ws
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.magicsearch.ws/?q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.magicsearch.ws/?q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.magicsearch.ws
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.magicsearch.ws/?q=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.magicsearch.ws/?q=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.magicsearch.ws/?q=
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://www.magicsearch.ws/?q=
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://www.magicsearch.ws/?q=
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [MicrosoftWindows] C:\Windows\system\sistem.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MicrosoftWindows] C:\Windows\system\sistem.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O9 - Extra button: AOL Instant Messenger (TM) (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - DefaultPrefix: http://www.magicsearch.ws/?q=
O13 - WWW Prefix: http://www.magicsearch.ws/?q=
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A3E5D502-5A05-42A8-96BB-2C5A03CF24D7}: NameServer = 193.38.113.3 194.117.157.4

 

Hi again pieter,

Just out of interest, I checked my C:/Windows/System folder for directx.exe and sistem.exe.

They were both there along with a number of other suspicious applications which are all dated and timed 31/01/2004 14:28 (31/01 is the date I picked up this nasty bugger). They are all hidden apart from two which are directx.exe and time.exe and they are all sized 23KB.

autorun.exe
clrssn.exe
critical.exe
directx32.exe
directx.exe
explore.exe
explorer32.exe
iexplorer.exe
inetinf.exe
milannet.exe
sistem.exe
systeem.exe
time.exe
uninstall.exe
volume.exe
win32e.exe

Could it be that on boot-up, one or more of these applications is being randomly loaded, hence the change in the hijacklog listing?

Hope this information helps further.
Keith.

 

Decided to test my theory by re-booting, sure enough the "sistem.exe" entries have been replaced by

O4 - HKLM\..\Run: [MicrosoftWindows] C:\Windows\system\critical.exe

O4 - HKCU\..\Run: [MicrosoftWindows] C:\Windows\system\critical.exe

now all the above mentioned applications are hidden with the exception of time.exe

I feel sure that ALL the files I named above have the same code and are in fact all the same program, just named differently so that if one gets found out and deleted another will take it's place at the next boot-up.

I'm no expert though, so if you don't mind, I'll leave the rest up to you guys who know what you're looking at.

Keith.

 

I can tell you what we are looking at: CWS

We have alerted Merijn today that CWShredder is not taking care of this variant.

Could you please download and install Regprot from http://www.diamondcs.com.au/index.php?page=regprot

Then run HijackThis and fix the two current lines with
[MicrosoftWindows] C:\Windows\system\

You will get a lot of alerts from regprot. Do not allow these changes and reboot into safe mode and delete all the files that are in this "not-so-merry-go-round"

Keep us posted,

Pieter

 

Hi Pieter,

Many thanks..............do I delete all the .exe files I found?

 

Ok Pieter,

You are a wizard, I am indebted to you..........everything is now fixed.

I did as you asked and went ahead and deleted all those .exe files anyway. I also deleted a prefetch file called CRITICAL.EXE-********.pf (the 8*'s are numbers which I can't remember). It seemed the right thing to do.

Many many thanks for your help, and that of snowbound and unzy, you guys are the best. Thank goodness there are good guys out there to help out us dunces.

All the best.
Keith.

 

Excellent job, Gallilleo.

Unfortunately I'm getting experienced helping people get rid of this junkware.
Install the latest IE patches, so you won't get reinfected that easily.

Regards,

Pieter

 

Will do and thanks once again.

 

No problem. It´s what we like to do.

Pieter