I need help with magicsearch.ws

Discussion in 'adware, spyware & hijack cleaning' started by pinto, Feb 8, 2004.

Thread Status:
Not open for further replies.
  1. pinto

    pinto Guest

    Here is my report of Hijack This log!
    can anybody see my log and help me?

    Logfile of HijackThis v1.97.7
    Scan saved at 15:57:09, on 8.2.2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\sm56hlpr.exe
    C:\Program Files\KMaestro\KMaestro.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\KMaestro\WTS_KEY.EXE
    C:\Program Files\Common Files\Services\winmgnt.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    D:\Web Software\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://magicsearch.ws/?q=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://magicsearch.ws/?q=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://magicsearch.ws/?q=
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://magicsearch.ws
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://magicsearch.ws
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://magicsearch.ws/?q=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://magicsearch.ws/?q=
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://magicsearch.ws/?q=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://magicsearch.ws
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://magicsearch.ws/?q=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://magicsearch.ws/?q=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://magicsearch.ws
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://magicsearch.ws/?q=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://magicsearch.ws/?q=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://magicsearch.ws/?q=
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://magicsearch.ws/?q=
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://magicsearch.ws/?q=
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
    O4 - HKLM\..\Run: [BtcMaestro] C:\Program Files\KMaestro\KMaestro.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [MicrosoftWindows] C:\Program Files\Common Files\Services\winmgnt.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MicrosoftWindows] C:\Program Files\Common Files\Services\winmgnt.exe
    O8 - Extra context menu item: I&zvoz u Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O13 - DefaultPrefix: http://magicsearch.ws/?q=
    O13 - WWW Prefix: http://magicsearch.ws/?q=
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} (ddm_download.ddm_control) - http://216.65.38.226/crack.CAB
    O17 - HKLM\System\CCS\Services\Tcpip\..\{CCAC5D2B-441B-41EC-A443-556E8576EBD5}: NameServer = 161.53.114.135 161.53.114.145
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi pinto,

    Download and install Regprot from http://www.diamondcs.com.au/index.php?page=regprot

    Then check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://magicsearch.ws/?q=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://magicsearch.ws/?q=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://magicsearch.ws/?q=
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://magicsearch.ws
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://magicsearch.ws
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://magicsearch.ws/?q=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://magicsearch.ws/?q=
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://magicsearch.ws/?q=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://magicsearch.ws
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://magicsearch.ws/?q=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://magicsearch.ws/?q=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://magicsearch.ws
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://magicsearch.ws/?q=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://magicsearch.ws/?q=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://magicsearch.ws/?q=
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://magicsearch.ws/?q=
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://magicsearch.ws/?q=
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

    O4 - HKLM\..\Run: [MicrosoftWindows] C:\Program Files\Common Files\Services\winmgnt.exe

    O4 - HKCU\..\Run: [MicrosoftWindows] C:\Program Files\Common Files\Services\winmgnt.exe

    O13 - DefaultPrefix: http://magicsearch.ws/?q=
    O13 - WWW Prefix: http://magicsearch.ws/?q=

    O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} (ddm_download.ddm_control) - http://216.65.38.226/crack.CAB

    After you clicked Fix checked you will get a lot of alarms by Regprot about Runkeys being added.
    Click No as to not allow them.
    Reboot and download and run: CWShredder
    Use the Fix button to clean your system.

    Regards,

    Pieter
     
  3. pinto

    pinto Guest

    Thank You Peter for help. Finally i can see my homepage..you are the man!!
    Regards from Croatia...
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Glad we could help. :)

    Pieter
     
  5. pinto

    pinto Guest

    Sorry., you name is Pieter...Can i delete backups of Hijack logs?
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    If you are sure you only Fixed the ones I pointed out, I see no reason to keep the backups.
    There was no doubt on my mind about any of them. ;)

    Regards,

    Pieter
     
  7. pinto

    pinto Guest

    done, see you! ( i hope not to soon , but ,you never know )...cheers
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    There is no reason to come here only when you have problems, you know. ;)

    Pieter
     
  9. Graphics95

    Graphics95 Guest

    Hi Pieter,

    Will the same steps work for me...I have the same magicsearch.ws situation....Using Windows 98se & IE6.0.2800 ?
     
  10. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Hi Graphis95 :)

    Welcome to Wilders.

    Could u please start a new thread, follow the instructions here,

    http://www.wilderssecurity.com/showthread.php?t=15913

    then one of the experts will give u recommendations on your log.


    Thanks.


    snowbound
     
  11. Graphics95

    Graphics95 Guest

    Will do - thanks.
     
Thread Status:
Not open for further replies.