Please help!

Discussion in 'adware, spyware & hijack cleaning' started by nickmisky, Apr 18, 2004.

Thread Status:
Not open for further replies.
  1. nickmisky

    nickmisky Registered Member

    Joined:
    Apr 18, 2004
    Posts:
    1
    Hi there, hope someone here can help.
    Had trouble with homepage, constantly changing to look-n-search.com, coolshader also popping up. Also one other homepage which I think was fastsearch.
    Perhaps more importantly, certain words are now highlighted on all pages that I view. Hovering over the words gives a drop-down menu, and clicking on any of the items in it takes me to look-n-search.com search pages.

    Installed and ran SPYBOT S&D

    Installed and ran Hijack This

    Log results
    Logfile of HijackThis v1.97.7
    Scan saved at 12:51:09, on 18/04/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system\serve.exe
    C:\WINDOWS\cihost.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\CMMON32.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\simon\Local Settings\Temp\Temporary Directory 1 for hijackthis1977[1].zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blueyonder.co.uk/dial
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.blueyonder.co.uk/dial
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by blueyonder
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=webcache.blueyonder.co.uk:8080
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {A6F42CAD-2559-48DF-AF30-89E480AF5DFA} - C:\WINDOWS\bho.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Key2] C:\WINDOWS\system\serve.exe
    O4 - HKLM\..\Run: [cihost.exe] C:\WINDOWS\cihost.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [cihost.exe] C:\WINDOWS\cihost.exe
    O4 - Startup: Microsoft Data Helper.lnk = C:\WINDOWS\system32\cihost.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://www.blueyonder.co.uk/dial
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://play.ladbrokescasino.com/ladbrokes/FlashAX.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{02EDBA37-31DD-485A-BF45-2C028001111F}: NameServer = 193.38.113.3 194.117.157.4
    O17 - HKLM\System\CS1\Services\Tcpip\..\{02EDBA37-31DD-485A-BF45-2C028001111F}: NameServer = 193.38.113.3 194.117.157.4

    Any help is greatly appreciated.
    Thanks in advance, nickmisky.
     
  2. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    First find these two files, copy them, zip them up and send them to me at submit@thespykiller.co.uk:
    C:\WINDOWS\system\serve.exe
    C:\WINDOWS\cihost.exe


    Run HijackThis, tick the entries listed below and ONLY these entries (double-check to make sure), then make sure all browser and email windows are closed and press Fix checked.

    O2 - BHO: (no name) - {A6F42CAD-2559-48DF-AF30-89E480AF5DFA} - C:\WINDOWS\bho.dll
    O4 - HKLM\..\Run: [Key2] C:\WINDOWS\system\serve.exe
    O4 - HKLM\..\Run: [cihost.exe] C:\WINDOWS\cihost.exe
    O4 - HKCU\..\Run: [cihost.exe] C:\WINDOWS\cihost.exe
    O4 - Startup: Microsoft Data Helper.lnk = C:\WINDOWS\system32\cihost.exe

    Reboot into safe mode by following the instructions here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
    Then, as some of the files or folders you need to delete may be hidden, do this:
    Open Windows Explorer and go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "Hide extensions for known file types". Now click "Apply to all folders".
    Click "Apply", then "OK".

    Delete these files:

    C:\WINDOWS\system\serve.exe
    C:\WINDOWS\cihost.exe


    Then reboot normally, and

    Download and unzip or install these programs/applications if you haven't already got them. If you have them, then make sure they are updated and configured as described.

    AdAware 6 from http://www.lavasoft.de/support/download


    Run ADAWARE

    Before you scan with AdAware, check for updates of the reference file by using "Webupdate".
    The current ref file should read at least 01R296 16.04.2004 or a higher number/later date.

    Then ........

    Make sure the following settings are made and on ("ON" = green):
    From the main window, click "Start" then "Activate in-depth scan".

    then......

    Click "Use custom scanning options > Customize" and have these options on: "Scan within archives", "Scan active processes", "Scan registry", "Deep scan registry", "Scan my IE Favorites for banned URL" and "Scan my host-files".

    then.........

    Go to Settings (the gear at the top of AdAware) > Tweak > Scanning engine and tick "Unload recognized processes during scanning", then go to "Cleaning engine" and tick "Let windows remove files in use at next reboot".

    Then click "Proceed" to save your settings.

    Now, to scan, just click the "Scan" button.

    When the scan is finished, mark everything for removal and get rid of it (right-click the window and choose "Select all" from the drop-down menu), then press Next and say yes to the prompt "Do you want to remove all these entries?".

    Reboot again.

    Then it is vital that you go here, click Scan for updates in the main frame, and download and install all CRITICAL updates recommended.

    Then post a new HijackThis log so we can check what is left.
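As an added illustration of the triage dvk01 does by hand above (this is example code written for this page, not anything from the thread or from HijackThis itself), the script below parses the O2/O4/O17 lines of a HijackThis log and picks out the entries worth ticking. The rule it applies is an assumption of this example, not a HijackThis feature: a BHO or autostart whose file sits directly in C:\WINDOWS\ or in the legacy C:\WINDOWS\system\ folder (rather than System32 or Program Files) is flagged, and any other autostart that loads a file of the same name is flagged with it, so copies registered under several keys are caught together. O17 NameServer overrides are listed separately because they need a manual check against the ISP's real DNS servers. The sample input is a constructed copy of the R/O lines from the log posted in this thread.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the R/O entries from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blueyonder.co.uk/dial
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.blueyonder.co.uk/dial
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A6F42CAD-2559-48DF-AF30-89E480AF5DFA} - C:\WINDOWS\bho.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Key2] C:\WINDOWS\system\serve.exe
O4 - HKLM\..\Run: [cihost.exe] C:\WINDOWS\cihost.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [cihost.exe] C:\WINDOWS\cihost.exe
O4 - Startup: Microsoft Data Helper.lnk = C:\WINDOWS\system32\cihost.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{02EDBA37-31DD-485A-BF45-2C028001111F}: NameServer = 193.38.113.3 194.117.157.4
O17 - HKLM\System\CS1\Services\Tcpip\..\{02EDBA37-31DD-485A-BF45-2C028001111F}: NameServer = 193.38.113.3 194.117.157.4
"""


@dataclass
class Entry:
    section: str                    # "O2", "O4", "O17", ...
    raw: str                        # the log line exactly as written
    path: Optional[str]             # file the entry loads, for file-type entries
    servers: Optional[str] = None   # DNS servers, for O17 lines


# Line shapes used by HijackThis 1.97 for the sections we triage.
O2_RE = re.compile(r"^O2 - BHO: .*? - \{[^}]+\} - (?P<path>.+)$")
O3_RE = re.compile(r"^O3 - Toolbar: .*? - \{[^}]+\} - (?P<path>.+)$")
O4_RUN_RE = re.compile(r"^O4 - (?:HKLM|HKCU)\\\.\.\\Run: \[[^\]]+\] (?P<cmd>.+)$")
O4_STARTUP_RE = re.compile(r"^O4 - (?:Global )?Startup: .+? = (?P<path>.+)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$")

# Assumed heuristic: a file directly in C:\WINDOWS\ or C:\WINDOWS\system\ (not System32).
SUSPECT_DIR_RE = re.compile(r"^c:\\windows\\(?:system\\)?[^\\]+$")


def command_to_path(cmd: str) -> str:
    """Reduce a Run-key command line to the executable path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    # Unquoted command: drop trailing switches (a simplification for this example).
    return re.split(r"\s+[/-]", cmd)[0]


def parse_line(line: str) -> Optional[Entry]:
    line = line.strip()
    if not line:
        return None
    section = line.split(" ", 1)[0]
    m = O2_RE.match(line) or O3_RE.match(line)
    if m:
        return Entry(section, line, m.group("path"))
    m = O4_RUN_RE.match(line)
    if m:
        return Entry(section, line, command_to_path(m.group("cmd")))
    m = O4_STARTUP_RE.match(line)
    if m:
        return Entry(section, line, m.group("path"))
    m = O17_RE.match(line)
    if m:
        return Entry(section, line, None, m.group("servers"))
    return Entry(section, line, None)   # R0/R1/O9/O16 etc.: kept, not triaged here


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(log_text: str) -> dict:
    entries = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    # Pass 1: files loaded from an odd location.
    flagged = [e for e in entries if e.path and SUSPECT_DIR_RE.match(e.path.lower())]
    names = {basename(e.path) for e in flagged}
    # Pass 2: the same file name registered under another autostart key or folder.
    for e in entries:
        if e.path and e not in flagged and basename(e.path) in names:
            flagged.append(e)
    flagged.sort(key=entries.index)          # back to log order
    review_dns = [e for e in entries if e.section == "O17"]
    return {"flagged": flagged, "review_dns": review_dns}


def hijackthis_fix_list(log_text: str) -> list:
    """The log lines one would tick in HijackThis, in log order."""
    return [e.raw for e in triage(log_text)["flagged"]]


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("Tick in HijackThis:")
    for e in result["flagged"]:
        print("  " + e.raw)
    print("Check these DNS servers against the ISP's:")
    for e in result["review_dns"]:
        print("  " + e.servers)
```

Run against the log above, the two passes reproduce exactly the five entries dvk01 lists: bho.dll and the two cihost.exe Run keys come from the location rule, and the Startup .lnk (which points into System32) is only caught by the name correlation in the second pass. The location rule alone would also have missed it, which is why the two O17 lines are surfaced for a human rather than auto-flagged.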
     
  3. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Hi nick

    Unfortunately, the files you sent me were the prefetch files from the Prefetch folder, not the actual .exe files, so they were no good.

    Check that you did delete the actual files themselves and post a new log so we can check if the system looks clean.

    Has the hijacking stopped now?

    From your email, you said you had trouble deleting the cihost file.

    If that is running in safe mode, that would be quite unusual, in which case do this:

    Press CTRL + ALT + DEL once to bring up Task Manager and look on the Processes tab for cihost.exe.
    Click on it and press stop process, then delete it using Windows Explorer.

    If it isn't deleted yet, then before you do so please do this: right-click on it and select Send To > Compressed folder. That makes a zipped copy of it and puts it in c:\windows; then attach that zipped folder to an email and send it to me, please.

    Do the same for the serve.exe file from c:\windows\system as well, please.
     