magicsearch hijack help

Discussion in 'adware, spyware & hijack cleaning' started by whowants2know, Feb 7, 2004.

Thread Status:
Not open for further replies.
  1. Here's my log

    CWShredder v1.47.5 scan only report

    Windows 98 (4.10.1998)
    Windows dir: C:\WINDOWS
    Windows system dir: C:\WINDOWS\system
    AppData folder: C:\WINDOWS\Profiles\saiyanwarrior@charter.net\Application Data
    Username: saiyanwarrior@charter.net

    Infected Registry value:
    HKCU\Software\Microsoft\Internet Explorer,SearchAssistant
    Infected data: http://www.magicsearch.ws/?q=
    Infected Registry value:
    HKCU\Software\Microsoft\Internet Explorer,Search
    Infected data: http://www.magicsearch.ws/?q=
    Infected Registry value:
    HKCU\Software\Microsoft\Internet Explorer,SearchURL
    Infected data: http://www.magicsearch.ws/?q=
    Infected Registry value:
    HKCU\Software\Microsoft\Internet Explorer,www
    Infected data: http://www.magicsearch.ws/?q=
    Infected Registry value:
    HKLM\Software\Microsoft\Internet Explorer,Search
    Infected data: http://www.magicsearch.ws/?q=
    Infected Registry value:
    HKLM\Software\Microsoft\Internet Explorer,SearchURL
    Infected data: http://www.magicsearch.ws/?q=
    Infected Registry value:
    HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL
    Infected data: http://www.magicsearch.ws
    Infected Registry value:
    HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
    Infected data: http://www.magicsearch.ws/?q=
    Infected Registry value:
    HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar
    Infected data: http://www.magicsearch.ws/?q=
    Infected Registry value:
    HKCU\Software\Microsoft\Internet Explorer\Main,Search Page
    Infected data: http://www.magicsearch.ws/?q=
    Infected Registry value:
    HKCU\Software\Microsoft\Internet Explorer\Main,Start Page,about:blank
    Infected data: http://www.magicsearch.ws
    Infected Registry value:
    HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL
    Infected data: http://www.magicsearch.ws
    Infected Registry value:
    HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
    Infected data: http://www.magicsearch.ws/?q=
    Infected Registry value:
    HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar
    Infected data: http://www.magicsearch.ws/?q=
    Infected Registry value:
    HKLM\Software\Microsoft\Internet Explorer\Main,Search Page
    Infected data: http://www.magicsearch.ws/?q=
    Infected Registry value:
    HKLM\Software\Microsoft\Internet Explorer\Main,Start Page,about:blank
    Infected data: http://www.magicsearch.ws
    Infected Registry value:
    HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant,http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
    Infected data: http://www.magicsearch.ws/?q=
    Infected Registry value:
    HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch,http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
    Infected data: http://www.magicsearch.ws/?q=
    Infected Registry value:
    HKLM\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes,www,http://
    Infected data: http://www.magicsearch.ws/?q=
    Hosts file not present
    Found CWS.Control (if filesize is over 50k) file: C:\WINDOWS\control.exe (2112 bytes, A)
    Found CWS.Smartsearch.3 file: C:\WINDOWS\notepad32.exe (21568 bytes, H)
    Found CWS.Smartsearch.3 file: C:\Program Files\Common Files\Services\users32.exe (21568 bytes, H, running)
    Found CWS.Smartsearch.3 file: C:\Program Files\Common Files\Services\win64.exe (21568 bytes, H)
    CWS.Vrape/CWS.Addclass Registry value: DefaultPrefix [] http://www.magicsearch.ws/?q=
    CWS.Vrape/CWS.Addclass Registry value: WWW Prefix [www] http://www.magicsearch.ws/?q=
    Registry value: Mosaic Prefix [mosaic] http://
    Registry value: Home Prefix [home] http://
    Found Win.ini file: C:\WINDOWS\win.ini (8838 bytes, A)
    Found line in Win.ini: load=
    Found line in Win.ini: run=
    Found System.ini file: C:\WINDOWS\system.ini (2372 bytes, A)
    Found line in System.ini: shell=Explorer.exe

    - END OF REPORT -
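    As an added example (not from this thread, and not CWShredder's own code), a small Python parser for the scan-only report format above: it pulls out the hive and value name of each hijacked entry, the clean default CWShredder would restore (the third comma field on lines such as `Main,Start Page,about:blank`), the redirect host, and which found files were running at scan time. The size check on CWS.Control is an assumption drawn from the report's own "(if filesize is over 50k)" qualifier.

```python
import re
from urllib.parse import urlparse
# Constructed excerpt in CWShredder v1.47.5 "scan only" format; values copied from the report above.
SAMPLE_REPORT = r"""Infected Registry value:
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page,about:blank
Infected data: http://www.magicsearch.ws
Infected Registry value:
HKLM\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes,www,http://
Infected data: http://www.magicsearch.ws/?q=
Found CWS.Control (if filesize is over 50k) file: C:\WINDOWS\control.exe (2112 bytes, A)
Found CWS.Smartsearch.3 file: C:\WINDOWS\notepad32.exe (21568 bytes, H)
Found CWS.Smartsearch.3 file: C:\Program Files\Common Files\Services\users32.exe (21568 bytes, H, running)
- END OF REPORT -"""

FILE_RE = re.compile(r"^Found (?P<variant>.+?) file: (?P<path>.+) \((?P<size>\d+) bytes, (?P<flags>[^)]*)\)$")
DATA_PREFIX = "Infected data: "

def parse_report(text):
    # Returns (registry_entries, files); each registry hit spans three report lines.
    lines = [ln.strip() for ln in text.splitlines()]
    entries, files = [], []
    i = 0
    while i < len(lines):
        if lines[i] == "Infected Registry value:" and i + 2 < len(lines) and lines[i + 2].startswith(DATA_PREFIX):
            # Key line form: <key>,<value name>[,<clean default that CWShredder restores>]
            parts = lines[i + 1].split(",")
            entries.append({"hive": parts[0].split("\\")[0], "key": parts[0], "value": parts[1],
                            "clean_default": parts[2] if len(parts) > 2 else None, "data": lines[i + 2][len(DATA_PREFIX):]})
            i += 3
            continue
        m = FILE_RE.match(lines[i])
        if m:
            size, flags = int(m["size"]), [f.strip() for f in m["flags"].split(",")]
            files.append({"variant": m["variant"], "path": m["path"], "size": size, "running": "running" in flags,
                          # CWShredder qualifies CWS.Control by size, so a 2 KB control.exe is a probable false positive
                          "below_threshold": "over 50k" in m["variant"] and size < 50 * 1024})
        i += 1
    return entries, files

def summarize(text):
    # What a responder wants first: redirect host, scope per hive, live droppers, doubtful hits.
    entries, files = parse_report(text)
    by_hive = {}
    for e in entries:
        by_hive[e["hive"]] = by_hive.get(e["hive"], 0) + 1
    return {"redirect_hosts": sorted({urlparse(e["data"]).hostname for e in entries}),
            "hijacked_by_hive": by_hive,
            "running_files": [f["path"] for f in files if f["running"]],
            "probable_false_positives": [f["path"] for f in files if f["below_threshold"]]}
```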
     
  2. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    What I need you to do is, instead of scan only, please open CWShredder and press Next and let it try and fix all those entries.

    snowbound
     
  3. snowbound

    After that, could you please post a HijackThis log?

    You can download it here,

    http://www.tomcoyote.org/hjt/

    Thanks.

    snowbound
     
  4. Logfile of HijackThis v1.97.7
    Scan saved at 8:33:28 PM, on 2/7/04
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\STARTER.EXE
    C:\WINDOWS\SYSTEM\INTERNAT.EXE
    C:\WINDOWS\SYSTEM\PRINTRAY.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
    C:\WINDOWS\SYSTEM\NBTV.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\3CODECAL.EXE
    C:\WINDOWS\SYSTEM\XZ11DBL.EXE
    C:\WINDOWS\SYSTEM\WINOA386.MOD
    C:\WINDOWS\SYSTEM\WINOA386.MOD
    C:\WINDOWS\SYSTEM\WINOA386.MOD
    C:\WINDOWS\SYSTEM\WINOA386.MOD
    C:\PROGRAM FILES\STARCRAFT\SCXE START.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\MSOFFICE.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [internat.exe] internat.exe
    O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
    O4 - HKLM\..\Run: [ICSDCLT] C:\WINDOWS\rundll32.exe C:\WINDOWS\SYSTEM\icsdclt.dll,ICSClient
    O4 - HKLM\..\Run: [NBTV] C:\WINDOWS\SYSTEM\NBTV.exe
    O4 - HKLM\..\Run: [3CODECAL] C:\WINDOWS\SYSTEM\3CODECAL.exe
    O4 - HKLM\..\Run: [XZ11DBL] C:\WINDOWS\SYSTEM\XZ11DBL.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [PopUpStopperProfessional] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER PROFESSIONAL\POPUPSTOPPERPROFESSIONAL.EXE"
    O4 - HKCU\..\RunServices: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\RunServices: [PopUpStopperProfessional] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER PROFESSIONAL\POPUPSTOPPERPROFESSIONAL.EXE"
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Startup: Microsoft Office Shortcut Bar.Lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - User Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - User Startup: Microsoft Office Shortcut Bar.Lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
    O4 - User Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: AIM (HKLM)
    O12 - Plugin for .png: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .php?name=Downloads&d_op=getit&lid=21&prev=/search?q=Rpg-maker-2000-charsets&hl=en&lr=&ie=UTF-8: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {00000000-CDDC-0704-0B53-2C8830E9FAEC} (IELoaderCtl Class) - http://install.global-netcom.de/ieloader.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37989.8371296296
    O16 - DPF: {B9D029D3-CDE3-11CF-855E-00A0C908FAF9} (ActiveX Tree Control) - file://C:\Program Files\VBScript Training\ie\webfiles\treectl.cab
    O16 - DPF: {B797C9C3-39C1-11D1-95AC-00609721D4C2} (ButtonControl.Button) - file://C:\PROGRAM FILES\VBSCRIPT TRAINING\IE\webfiles\cab\NButton.CAB

    There she be, snowbound, HijackThis log this time.
     
  5. snowbound

    I don't see magicsearch in your log. CWShredder must have fixed it for now.
    There are still some suspicious entries in your log, but
    I am by no means an expert at HJT, so this is as far as I can advise you.

    Most of the experts live in different time zones, so just be patient and they will help you with the rest of your log.

    Something you could do for me is reboot and tell me if your homepage is still hijacked.

    Magicsearch has a nasty habit of coming back if not fixed completely.

    Thanks.

    snowbound
     
  6. Nope, it's about:blank now, I'm gonna set it back to Google.

    Thanks a Bunch Snowbound,

    Whowants2know
     