searchx.cc again - HijackThis log file

Discussion in 'adware, spyware & hijack cleaning' started by Alessa, Jun 6, 2004.

Thread Status:
Not open for further replies.
  1. Alessa

    Alessa Registered Member

    Joined:
    Jun 6, 2004
    Posts:
    8
    Can anyone please check my HijackThis log file?
    My home page has been changed to "search for..." (http://searchx.cc/) and there's no way I can get rid of it.

    Logfile of HijackThis v1.97.7
    Scan saved at 12:50:08 PM, on 6/6/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\NORTON UTILITIES\NPROTECT.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TWAIN_32\VIVID\FLATBED.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\SBPCI\CTMIX32.EXE
    C:\PROGRAM FILES\INCREDIMAIL\BIN\INCMAIL.EXE
    C:\PROGRAM FILES\PV-951\TVPANEL.EXE
    C:\PROGRAM FILES\NORTON UTILITIES\SYSDOC32.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\MY DOCUMENTS\NET\DOWNLOADS\HIKACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\HOOB.DLL/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\HOOB.DLL/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\HOOB.DLL/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\HOOB.DLL/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\HOOB.DLL/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\HOOB.DLL/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    F1 - win.ini: load=C:\WINDOWS\twain_32\Vivid\FLATBED.EXE
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar.dll
    O2 - BHO: (no name) - {A3C08C03-B719-11D8-A90F-0040AE22D7D1} - C:\WINDOWS\SYSTEM\HOOB.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar.dll
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [USSShReg] C:\WINDOWS\SYSTEM\USSSHREG.EXE /r
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
    O4 - HKLM\..\Run: [CreativeMixer] C:\SBPCI\ctmix32.exe /T
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
    O4 - HKCU\..\Run: [IncrediMail] C:\PROGRAM FILES\INCREDIMAIL\BIN\IncMail.exe /c
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: Control Panel.lnk = C:\Program Files\PV-951\TvPanel.exe
    O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmsearch.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmtrans.html
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8122.4916319444
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/shock...ash/swflash.cab
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
    O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
    O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://www.nuker.com/products/swn2004/inst...erInstaller.exe

    Am I supposed to delete this:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\HOOB.DLL/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\HOOB.DLL/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\HOOB.DLL/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\HOOB.DLL/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\HOOB.DLL/sp.html (obfuscated)

    I appreciate any kind of help,
    Alessa
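The five entries Alessa asks about all point at the same DLL, and the same DLL also appears in the log as an O2 BHO. That pairing is the thing to look for when reading a log like this, and it can be checked mechanically. The script below is an added example, not from the thread, from HijackThis or from any tool mentioned in it: it parses lines in the HijackThis 1.97 layout, records which entry types reference each local module, and flags modules that are both the res:// target of an R0/R1 browser-setting entry and loaded as an O2 BHO. The sample log inside it is a constructed excerpt modelled on the entries above, and the regular expressions are this example's own approximation of the log format.

```python
import re
from collections import defaultdict

# Constructed sample in the HijackThis 1.97 line format, modelled on the entry
# types in the log above (a short excerpt, not the full posted log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\HOOB.DLL/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\HOOB.DLL/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar.dll
O2 - BHO: (no name) - {A3C08C03-B719-11D8-A90F-0040AE22D7D1} - C:\WINDOWS\SYSTEM\HOOB.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar.dll
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmsearch.html
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
"""

# An entry line starts with its type code ("R1", "O2", "O16", ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<type>[A-Z]\d+) - (?P<body>.*)$")

# A local module path: drive letter, then anything up to a .dll/.exe/.ocx name that
# is followed by "/" (res:// suffix), whitespace (arguments, HJT note) or end of line.
# Paths may contain spaces, which is why the match runs out to the extension.
PATH_RE = re.compile(r"(?i)([a-z]:\\[^/\n]*?\.(?:dll|exe|ocx))(?=/|\s|$)")


def parse_entries(log_text):
    """Yield (type, body) for each entry line; headers and the process list are skipped."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("type"), m.group("body")


def referenced_paths(body):
    """Lower-cased local module paths mentioned in one entry body."""
    return [p.lower() for p in PATH_RE.findall(body)]


def triage(log_text):
    """Map each referenced module to the sorted list of entry types that point at it."""
    refs = defaultdict(set)
    for etype, body in parse_entries(log_text):
        for path in referenced_paths(body):
            refs[path].add(etype)
    return {path: sorted(types) for path, types in refs.items()}


def suspicious(log_text):
    """Modules that both serve an R0/R1 browser setting (search page, search bar,
    search assistant) and are loaded as an O2 BHO: the page the browser is sent to
    comes out of the same DLL that hooks the browser, which is the pattern in the
    log above. Ordinary search settings point at http URLs, not at a local DLL."""
    hits = []
    for path, types in triage(log_text).items():
        if any(t.startswith("R") for t in types) and "O2" in types:
            hits.append(path)
    return sorted(hits)


def res_settings(log_text):
    """(type, module) pairs for R entries whose value is a res:// resource inside a
    local file rather than a web URL; useful even when no matching BHO line exists."""
    pairs = set()
    for etype, body in parse_entries(log_text):
        if etype.startswith("R") and "res://" in body.lower():
            for path in referenced_paths(body):
                pairs.add((etype, path))
    return sorted(pairs)


if __name__ == "__main__":
    for path, types in sorted(triage(SAMPLE_LOG).items()):
        print(f"{path}: {', '.join(types)}")
    print("suspicious:", suspicious(SAMPLE_LOG))
    print("res:// settings:", res_settings(SAMPLE_LOG))
```

Run against the sample, `suspicious()` returns only the HOOB.DLL path, while the Google toolbar DLL, which is referenced by O2, O3 and O8 entries but by no R entry, is left alone. To use it on a real log, replace SAMPLE_LOG with the file contents; the R entries are the settings HijackThis would reset and the O2 entry is the loader, so both belong to the same fix.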
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi Alessa,

    Download: StartDreck and unzip it.
    DoubleClick: 'StartDreck.exe'
    Hit: config
    Hit: Unmark all
    Check these boxes only:
    Registry->run keys
    System/drivers> Running processes
    Hit >ok.

    Post the log it makes.

    Do not Fix anything yet, we will get to that later.

    Regards,

    Pieter
     
  3. Alessa

    Thanks for the reply!
    This is it:

    StartDreck (build 2.1.5 public BETA) - 2004-06-06 @ 15:48:14
    Platform: Windows 98 SE (Win 4.10.2222 A)

    »Registry
    »Run Keys
    »Current User
    »Run
    *IncrediMail=C:\PROGRAM FILES\INCREDIMAIL\BIN\IncMail.exe /c
    »RunOnce
    »Default User
    »Run
    *IncrediMail=C:\PROGRAM FILES\INCREDIMAIL\BIN\IncMail.exe /c
    »RunOnce
    »Local Machine
    »Run
    *ScanRegistry=C:\WINDOWS\scanregw.exe /autorun
    *TaskMonitor=C:\WINDOWS\taskmon.exe
    *SystemTray=SysTray.Exe
    *LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    *USSShReg=C:\WINDOWS\SYSTEM\USSSHREG.EXE /r
    *TkBellExe="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    *NPROTECT=C:\Program Files\Norton Utilities\NPROTECT.EXE
    *Installed=1
    *NoChange=1
    *Installed=1
    *Installed=1
    »RunOnce
    »RunServices
    *LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    *SchedulingAgent=mstask.exe
    *NPROTECT=C:\Program Files\Norton Utilities\NPROTECT.EXE
    »RunServicesOnce
    **ngn=rundll32 C:\WINDOWS\SYSTEM\D3D.DLL,StreamingDeviceSetup
    »RunOnceEx
    »RunServicesOnceEx
    »Files
    »System/Drivers
    »Running Processes
    *FFE0D133=C:\WINDOWS\SYSTEM\KERNEL32.DLL
    *FFFF110F=C:\WINDOWS\SYSTEM\MSGSRV32.EXE



    What next?
     
  4. Alessa

    Oh, sorry, that was not all of it.

    StartDreck (build 2.1.5 public BETA) - 2004-06-06 @ 15:48:14
    Platform: Windows 98 SE (Win 4.10.2222 A)

    »Registry
    »Run Keys
    »Current User
    »Run
    *IncrediMail=C:\PROGRAM FILES\INCREDIMAIL\BIN\IncMail.exe /c
    »RunOnce
    »Default User
    »Run
    *IncrediMail=C:\PROGRAM FILES\INCREDIMAIL\BIN\IncMail.exe /c
    »RunOnce
    »Local Machine
    »Run
    *ScanRegistry=C:\WINDOWS\scanregw.exe /autorun
    *TaskMonitor=C:\WINDOWS\taskmon.exe
    *SystemTray=SysTray.Exe
    *LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    *USSShReg=C:\WINDOWS\SYSTEM\USSSHREG.EXE /r
    *TkBellExe="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    *NPROTECT=C:\Program Files\Norton Utilities\NPROTECT.EXE
    *Installed=1
    *NoChange=1
    *Installed=1
    *Installed=1
    »RunOnce
    »RunServices
    *LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    *SchedulingAgent=mstask.exe
    *NPROTECT=C:\Program Files\Norton Utilities\NPROTECT.EXE
    »RunServicesOnce
    **ngn=rundll32 C:\WINDOWS\SYSTEM\D3D.DLL,StreamingDeviceSetup
    »RunOnceEx
    »RunServicesOnceEx
    »Files
    »System/Drivers
    »Running Processes
    *FFE0D133=C:\WINDOWS\SYSTEM\KERNEL32.DLL
    *FFFF110F=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    *FFFF1C9F=C:\WINDOWS\SYSTEM\MPREXE.EXE
    *FFFF8CA3=C:\WINDOWS\SYSTEM\mmtask.tsk
    *FFFF948B=C:\WINDOWS\SYSTEM\MSTASK.EXE
    *FFFFF4F3=C:\PROGRAM FILES\NORTON UTILITIES\NPROTECT.EXE
    *FFFF7CCB=C:\WINDOWS\SYSTEM\DDHELP.EXE
    *FFFE0AA7=C:\WINDOWS\EXPLORER.EXE
    *FFFE2FFB=C:\WINDOWS\RUNDLL32.EXE
    *FFFDE81B=C:\WINDOWS\TASKMON.EXE
    *FFFDF04B=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    *FFFC38CF=C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    *FFFCE0B3=C:\WINDOWS\SYSTEM\WMIEXE.EXE
    *FFE7AFF7=C:\WINDOWS\SYSTEM\SPOOL32.EXE
    *FFE705E3=C:\WINDOWS\SYSTEM\PSTORES.EXE
    *FFFA258F=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    *FFF879C3=C:\WINDOWS\TEMP\RAR$EX09.290\STARTDRECK.EXE
    »Application specific


    That's the entire log file.
     
  5. Pieter_Arntz

    Hi Alessa,

    We have to be extra careful, since StartDreck came up with a filename for the guilty party that could also be a legitimate one.

    Can you see if this file is visible on your computer:
    C:\WINDOWS\SYSTEM\D3D.DLL

    Let me know.

    Regards,

    Pieter
     
  6. Alessa

    I can't find any file by this name,
    only D3dim.dll, D3dxof.dll and others alike, even in "show all files" mode.
     
  7. Pieter_Arntz

    Good. The fact that it is hidden confirms that it is the CWS file.

    -Download: Win98Fix.zip from http://www10.brinkster.com/expl0iter/freeatlast/pvtool.htm and unzip it.
    -DoubleClick on: 'RunFix.reg' file, hit 'yes' on the prompt!
    -Restart computer!
    -C:\WINDOWS\SYSTEM\D3D.DLL should be visible now
    -Delete it.

    Then download and run CWShredder
    Use the Fix button and follow the instructions provided by the program.

    Then use AdAware as described here:
    https://www.wilderssecurity.com/showthread.php?t=15913

    When you are done, run HijackThis again and post the new log, so we can see if it all worked out as planned.

    Regards,

    Pieter
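The check Pieter walks Alessa through above rests on one observation: a run key loads a file that Explorer cannot show even with hidden files displayed. That cross-check can be scripted for a whole StartDreck run-key log rather than done one path at a time. The script below is an added example, not part of the thread and not StartDreck's own code: it parses the » section headers and * value lines in the format shown in Alessa's log, works out which file each value actually loads (the DLL argument for a rundll32 line, otherwise the program before its arguments), and reports full paths that are absent from a directory listing. The log excerpt and the VISIBLE_FILES set are constructed to mirror the thread, and the reading of the » and * markers is this example's own, taken from the log as posted.

```python
import re

# Constructed excerpt in StartDreck's run-key format, modelled on the log posted
# above: » lines are section headers, * lines are values under the current key.
SAMPLE_STARTDRECK = r"""
»Registry
»Run Keys
»Local Machine
»Run
*ScanRegistry=C:\WINDOWS\scanregw.exe /autorun
*TkBellExe="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*Installed=1
»RunServices
*SchedulingAgent=mstask.exe
»RunServicesOnce
**ngn=rundll32 C:\WINDOWS\SYSTEM\D3D.DLL,StreamingDeviceSetup
»Files
"""

# Constructed stand-in for what a directory listing with "show all files" reports
# (lower-cased full paths). It deliberately lacks d3d.dll, as in the thread.
VISIBLE_FILES = {
    r"c:\windows\scanregw.exe",
    r"c:\program files\common files\real\update_ob\realsched.exe",
    r"c:\windows\system\d3dim.dll",
    r"c:\windows\system\d3dxof.dll",
}

HEADER_RE = re.compile(r"^»(?P<name>.+)$")
ENTRY_RE = re.compile(r"^\*+(?P<name>[^=]+)=(?P<command>.*)$")
RUNDLL_RE = re.compile(r"(?i)^rundll32(?:\.exe)?\s+(?P<dll>[^,]+),")
FULL_PATH_RE = re.compile(r"(?i)^[a-z]:\\")
PROGRAM_RE = re.compile(r"(?i)\.(?:exe|dll|com|bat|tsk)$")


def parse_run_entries(text):
    """Return [{key, name, command}]; the nearest preceding » header is recorded as
    the key (this simple walk does not track the hive header above it)."""
    key, entries = None, []
    for raw in text.splitlines():
        line = raw.strip()
        h = HEADER_RE.match(line)
        if h:
            key = h.group("name")
            continue
        e = ENTRY_RE.match(line)
        if e:
            entries.append({"key": key, "name": e.group("name"), "command": e.group("command")})
    return entries


def target_file(command):
    """The file a run-key value actually loads, lower-cased: the DLL argument for
    rundll32, otherwise the (possibly quoted) program before its arguments.
    None for values that are not commands at all (e.g. Installed=1)."""
    cmd = command.strip()
    m = RUNDLL_RE.match(cmd)
    if m:
        return m.group("dll").strip().lower()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end].lower() if end > 1 else None
    first = cmd.split(" ", 1)[0]
    return first.lower() if PROGRAM_RE.search(first) else None


def not_visible(text, visible_files):
    """Entries whose loaded file has a full path that the listing does not show.
    Bare names such as mstask.exe are resolved through the search path at load
    time and are skipped here, since there is no single path to look up."""
    flagged = []
    for e in parse_run_entries(text):
        target = target_file(e["command"])
        if target is None or not FULL_PATH_RE.match(target):
            continue
        if target not in visible_files:
            flagged.append((e["key"], e["name"], target))
    return flagged


if __name__ == "__main__":
    for key, name, target in not_visible(SAMPLE_STARTDRECK, VISIBLE_FILES):
        print(f"{key}\\{name} loads {target}, which the listing does not show")
```

On the sample this flags exactly the RunServicesOnce entry that loads C:\WINDOWS\SYSTEM\D3D.DLL, which is the file Alessa could not find. For real use, VISIBLE_FILES would be filled from a directory listing of the machine; a hit means either a stale entry whose file is gone or, as here, a file that is being loaded but kept out of sight, and the two cases are told apart by whether the process list still shows it running.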
     
  8. Alessa

    After installing but before running, update Ad-aware by using its Globe icon

    What Globe icon?
     
  9. Alessa

    Never mind, I found it!
     
  10. Alessa

    This is the fresh log file:

    Logfile of HijackThis v1.97.7
    Scan saved at 5:09:32 PM, on 6/6/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\NORTON UTILITIES\NPROTECT.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TWAIN_32\VIVID\FLATBED.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\SBPCI\CTMIX32.EXE
    C:\PROGRAM FILES\INCREDIMAIL\BIN\INCMAIL.EXE
    C:\PROGRAM FILES\PV-951\TVPANEL.EXE
    C:\PROGRAM FILES\NORTON UTILITIES\SYSDOC32.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\MY DOCUMENTS\NET\DOWNLOADS\HIKACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    F1 - win.ini: load=C:\WINDOWS\twain_32\Vivid\FLATBED.EXE
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar.dll
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [USSShReg] C:\WINDOWS\SYSTEM\USSSHREG.EXE /r
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
    O4 - HKLM\..\Run: [CreativeMixer] C:\SBPCI\ctmix32.exe /T
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
    O4 - HKCU\..\Run: [IncrediMail] C:\PROGRAM FILES\INCREDIMAIL\BIN\IncMail.exe /c
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: Control Panel.lnk = C:\Program Files\PV-951\TvPanel.exe
    O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmsearch.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmtrans.html
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38122.4916319444
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
     
  11. Pieter_Arntz

  12. Alessa

    I can't tell you how much I appreciate this!
    Thanks again for your help.

    All my best,
    Alessa
     