Possible Hijack

Discussion in 'adware, spyware & hijack cleaning' started by ebachenh, Apr 19, 2004.

Thread Status:
Not open for further replies.
  1. ebachenh

    ebachenh Guest

    Hello - I keep getting annoying pop-ups that don't seem to go away, even after a good cleaning with Ad Aware or Spybot. I am pasting my Hijack This log below, and would welcome anyone's suggestion for getting rid of this pest.

    It seems to want to open the link to "www.search-company.com" as a pop-up, which ends up displaying some ad or something like that-

    Thanks,
    E

    Logfile of HijackThis v1.97.7
    Scan saved at 3:39:34 PM, on 4/19/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\System32\ibmpmsvc.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
    C:\WINNT\system32\hidserv.exe
    C:\Oracle\bin\omtsreco.exe
    C:\Program Files\Network Associates\VirusScan\VsStat.exe
    C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\SNA\system\snabase.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\Program Files\Network Associates\VirusScan\Avconsol.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\NALWIN32.EXE
    C:\WINNT\system32\tp4mon.exe
    C:\WINNT\system32\RunDll32.exe
    C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
    C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
    C:\WINNT\system32\PRPCUI.exe
    C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
    C:\WINNT\System32\qttask.exe
    C:\WINNT\system32\dla\tfswctrl.exe
    C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb07.exe
    C:\WINNT\system32\NWTRAY.EXE
    C:\WINNT\system32\NALDESK.EXE
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\WINNT\LOGI_MWX.EXE
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\CFGSAFE\AUTOCHK.EXE
    C:\Program Files\Microsoft Office\Access97\Office\OSA.EXE
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\WINNT\system32\stisvc.exe
    C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
    C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
    C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
    C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
    C:\Program Files\Microsoft Office\Office\EXCEL.EXE
    C:\WINNT\system32\ntvdm.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#23648
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#23648
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://mshp.dll/sp.html#23648
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://proxy.nyu.edu/proxy.pac:8000
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: ShowSearch module - {E2DDF680-9905-4dee-8C64-0A5DE7FE133C} - C:\WINNT\winie\mssearch.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
    O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
    O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
    O4 - HKLM\..\Run: [tourpath] regedit /s c:\winnt\tour.reg
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
    O4 - HKLM\..\Run: [TpHotkey] C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
    O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
    O4 - HKLM\..\Run: [BearShare] C:\PROGRA~1\BEARSH~1\BEARSH~1.EXE /m
    O4 - HKLM\..\Run: [QuickTime Task] C:\WINNT\System32\qttask.exe
    O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb07.exe
    O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
    O4 - HKLM\..\Run: [KeyAccess] C:\WINNT\keyacc32.exe
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
    O4 - HKLM\..\Run: [Image] rundll32 C:\WINNT\image.dll,Install
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
    O4 - HKCU\..\RunServices: [Image] rundll32 C:\WINNT\image.dll,Install
    O4 - Global Startup: AUTOCHK.LNK = C:\CFGSAFE\AUTOCHK.EXE
    O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Access97\Office\OSA.EXE
    O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
    O4 - Global Startup: KeyAccess.lnk = C:\WINNT\keyacc32.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O9 - Extra button: AIM (HKLM)
    O12 - Plugin for .RDF&cfund_code=18&cdept_id=C1020&cfiscal_year=2002&cacct_per=4&cprgrm_code=*&cprjct_id=*&caccount=*: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {01A190E4-47B8-11D4-8153-005004D3072C} (Stentor iSite Control) - http://rad-stentor.med.nyu.edu/iSite1_1.cab
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www3.sph.umich.edu/CFIDE/classes/CFJava.cab
    O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Basic) - http://intranet.msnyuhealth.org/redzone/ScriptX.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {310BD666-1EA3-4453-AF49-7C65D107030A} (mw4_baseCtl Class) - https://mail.msnyuhealth.org/exchweb/cabs/usa/mw4_base.cab
    O16 - DPF: {36C66BBD-E667-4DAD-9682-58050E7C9FDC} (CDKey Class) - http://www.cdkeybonus.com/cdkey/ITCDKey.cab
    O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) - http://fdl.msn.com/public/investor/v13/invinstl.exe
    O16 - DPF: {62CEC9E0-3811-4C36-A94E-4F7565DCD23F} (DDSC Class) - https://a816-han.nyc.gov/NYCHAN/Portal/resources/msddsc.cab
    O16 - DPF: {7DD62E58-5FA8-11D2-AFB7-00104B64F126} (Sview Control) - https://www.oxhp.com/BenSum/swiftview/svinstall_a_stat.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.0) - https://a816-han.nyc.gov/HAN/VisualDx/install/jinstall-1_4_2_02-windows-i586.cab
    O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://content-g.kontiki.com/kdx/v2.10/kontiki/kontiki/current/kdx.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B48660AD-CDC8-46C4-85B6-6634DCA6E33A}: NameServer = 10.134.252.100,10.134.252.101
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = msnyuhealth.org
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = msnyuhealth.org
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = msnyuhealth.org
     
  2. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    First download CWshredder from https://www.wilderssecurity.com/showthread.php?t=14086 then Run it
    Close all browser windows, click on the cwshredder.exe then click "FIX" (Not "Scan only") and let it do it's thing.


    Reboot After running cwshredder and as soon as possible follow this advice:
    Now as CWS Hijacks are normally installed via the byte verifier exploit in M$ JavaVM, just surfing a page with an infected applet can install it with no user participation. So once you’ve run the above, it is vital that you go here, click Scan for updates in the main frame, and download and install all CRITICAL updates recommended.

    reboot & post new log
     
Thread Status:
Not open for further replies.