Pls check my log for browser hijack

Discussion in 'adware, spyware & hijack cleaning' started by Spicey25, Jun 8, 2004.

Thread Status:
Not open for further replies.
  1. Spicey25

    Spicey25, Registered Member (Joined: May 20, 2004; Posts: 8; Location: Bronx, NY)

    Coolwebsearch hijacked or something

    Logfile of HijackThis v1.97.7
    Scan saved at 12:40:35 AM, on 6/8/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\LEXBCES.EXE
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\LEXPPS.EXE
    C:\Program Files\F-Group\Absolute StartUp\ASMon.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINNT\System32\hkcmd.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
    C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
    C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINNT\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Port Explorer Evaluation\PEDemo.exe
    C:\Program Files\TDS3\tds-3.exe
    C:\WINNT\msagent\AgentSvr.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://verizon.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
    O4 - HKLM\..\Run: [Absolute StartUp monitor] C:\Program Files\F-Group\Absolute StartUp\ASMon.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [Qwik-Fix] "C:\Program Files\PivX Qwik-Fix\QwikFix.exe" splash
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Control Pad (HKLM)
    O9 - Extra 'Tools' menuitem: Control Pad (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Downloads (HKLM)
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/downl...-a3de-373c3e5552fc/msSecAdv.cab?1080626940750
    O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} -
    O16 - DPF: {556DDE36-E951-11D1-A708-000000521958} - http://www.xblock.com/members/files/xcleaner_full_setup.cab
    O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{04696B8C-EBA8-4AE1-8DDB-9080C588DB9A}: NameServer = 151.202.0.84 151.203.0.84
    O17 - HKLM\System\CS1\Services\Tcpip\..\{04696B8C-EBA8-4AE1-8DDB-9080C588DB9A}: NameServer = 151.202.0.84 151.203.0.84
     
  2. Pieter_Arntz

    Pieter_Arntz, Spyware Veteran (Joined: Apr 27, 2002; Posts: 13,331; Location: Netherlands)

    Hi Spicey25,

    Nothing in sight. What are the symptoms?

    Regards,

    Pieter
     
  3. Spicey25

    Spicey25, Registered Member (Joined: May 20, 2004; Posts: 8; Location: Bronx, NY)

    In my HijackThis log, I am concerned about the following:
    01 – Hosts: 64-91-255.87 www.dcsresearch.com
    017 – HKLM\System\CS\Services\Tcpip\.........

    I have been scanning daily with Spy Sweeper and it always detects “Adware found trace of CoolWWW.” Spy Sweeper deletes it, but when I scan again the next day Spy Sweeper detects it again.

    Apps are appearing in my startup group that I did not put there.
    Here are a few that I have deleted.
    QD FastAndSafe C:\PROGRAM~1\ZONELA~1\ ZONELA~1\zlclient.exe
    Msconfig C:\PCHealth\HelpCtr\Binaries

    Upon booting up my computer, Norton AntiVirus tray icon is disabled and I experience a delay of around 60 seconds before ZoneAlarm and Spy Sweeper appear in the tray.

    If there is nothing in sight in my HijackThis log, can I assume that it is clean?

    Thank you.
     
  4. Pieter_Arntz

    Pieter_Arntz, Spyware Veteran (Joined: Apr 27, 2002; Posts: 13,331; Location: Netherlands)

    O1 is a redirect put there by TDS, so you end up on their current site and not the old one
    O17 are the DNS servers for Verizon, which looks correct from the rest of your log

    If you disable programs in msconfig, Windows displays a warning which could look like: Msconfig C:\PCHealth\HelpCtr\Binaries

    If you disabled zlclient it is only logical that ZoneAlarm takes a bit longer to start up. ;)

    I would be curious to know what exactly SpySweeper finds, but it could be a CWS site in your Restricted Zone (have seen that before)

    If I can't find anything in your log, that does not mean there is nothing going on. Some things just don't show up, but can be recognized by the problems they produce.

    Regards,

    Pieter
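
The two entry types discussed in this thread, O1 (Hosts file) and O17 (DNS name servers), can be pulled out of a HijackThis log for manual checking against what the analyst expects. The Python below is an added example, not part of any post and not HijackThis code; the function names are hypothetical, the expected DNS list is supplied by the caller, and the loopback Hosts line in the sample is constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Lines 1-4 are copied from the log in the first post; the final loopback
# O1 line is constructed for this example.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://verizon.com
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{04696B8C-EBA8-4AE1-8DDB-9080C588DB9A}: NameServer = 151.202.0.84 151.203.0.84
O17 - HKLM\System\CS1\Services\Tcpip\..\{04696B8C-EBA8-4AE1-8DDB-9080C588DB9A}: NameServer = 151.202.0.84 151.203.0.84
O1 - Hosts: 127.0.0.1 ads.example.invalid
"""

ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.*)$")

def parse_entries(log_text):
    """Group entry lines by section code (R0, O1, O17, ...)."""
    sections = defaultdict(list)
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if m:
            sections[m.group(1)].append(m.group(2).strip())
    return dict(sections)

def _is_loopback(ip):
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False  # malformed address stays in the review list

def hosts_redirects(sections):
    """O1: (ip, hostname) pairs mapping a name to a non-loopback address."""
    found = []
    for body in sections.get("O1", []):
        fields = body[len("Hosts:"):].split() if body.startswith("Hosts:") else []
        if len(fields) >= 2 and not _is_loopback(fields[0]):
            found.extend((fields[0], name) for name in fields[1:])
    return found

def unexpected_dns(sections, expected):
    """O17: name servers that are not in the analyst's expected list."""
    seen = set()
    for body in sections.get("O17", []):
        _, sep, value = body.partition("NameServer =")
        if sep:
            seen.update(s for s in re.split(r"[,\s]+", value.strip()) if s)
    return sorted(seen - set(expected))
```

Calling `hosts_redirects(parse_entries(SAMPLE_LOG))` returns only the `www.dcsresearch.com` mapping, and `unexpected_dns` returns an empty list when given the two name servers shown in the log.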
     