SmartSearch HiJack

Discussion in 'adware, spyware & hijack cleaning' started by mdmscifi, May 17, 2004.

Thread Status:
Not open for further replies.
  1. mdmscifi

    mdmscifi Registered Member

    Joined:
    May 17, 2004
    Posts:
    2
    Hello

    I have made numerous attempts to remove what appears to be a hijack browser malware.

    Most recently I have installed and run Spybot 1.2 and removed the files it finds,
    I have run CWShredder but everytime I re boot I am re-infected with the same "smartsearch" malware.

    Below is the current Hijack this log:

    Logfile of HijackThis v1.97.7
    Scan saved at 8:14:20 PM, on 5/17/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\System32\hphmon04.exe
    C:\Program Files\Winamp\winampa.exe
    C:\WINDOWS\System32\msawindows.exe
    C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Yahoo!\Messenger\ypager.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\GhostSurf\GhostSurf.exe
    C:\PROGRA~1\Ontrack\Fix-It\mxtask.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
    C:\PROGRA~1\Ontrack\Fix-It\mxtask.exe
    C:\PROGRA~1\VCOM\SYSTEM~1\mxtask.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Documents and Settings\Logon\Desktop\HiJackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
    O2 - BHO: (no name) - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\System32\IETie.dll
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
    O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [Microsoft Update] msawindows.exe
    O4 - HKLM\..\Run: [RCScheduleCheck] C:\Program Files\VCOM\Recovery Commander\RCSCHED.EXE -CHECK
    O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\SYSTEM~1\MemCheck.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\RunServices: [Microsoft Update] msawindows.exe
    O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: GhostSurf.lnk = C:\Program Files\GhostSurf\GhostSurf.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: Block personal info from this site - file://C:\Program Files\GhostSurf\info.block.html
    O8 - Extra context menu item: Block popups on this site - file://C:\Program Files\GhostSurf\popup.block.html
    O8 - Extra context menu item: Block this advertisement - file://C:\Program Files\GhostSurf\menu.blockimg.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: GhostSurf Privacy Center (HKLM)
    O9 - Extra 'Tools' menuitem: GhostSurf Privacy Center (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {12F9CCA0-CF5B-11D2-B606-008098809FCA} - http://www.highedmath.aleks.com/aleks/j2re/install_j2re.cab?cache
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://usa1chat.tupperware.com/Media/VisitorChat/TLIEFlash.CAB
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37868.5856828704
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (&Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/ym/yiebio5_0_2_5.cab
    O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab

    any guidance or help is appreciated.

    I am familiar enough with the system edit the registry (though it is not my favorite thing to do, to easy to really cause a problem)

    I suspect the virus / trojan is hidden in memory, possibly the svchost.exe as it continually re-writes itself when I tried to end the process.

    Thanks

    mdmscifi
     
  2. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Hi mdmscifi,

    Can you please email me this file? :

    C:\WINDOWS\System32\msawindows.exe <- this exe

    unzyATwilderssecurity.com (AT =@) thnx!

    Then have only HijackThis running and fix :

    O2 - BHO: (no name) - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\System32\IETie.dll

    O4 - HKLM\..\RunServices: [Microsoft Update] msawindows.exe
    O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1

    Restart PC afterdoing so and remove :

    C:\WINDOWS\System32\msawindows.exe <- this file
    C:\PROGRAM FILES\AWS\ <- this folder

    Run shredder again

    Update XP and IE to the latest paches via windowsupdate.com

    Can you confirm if this proxy setting is correct? :

    ProxyServer = 127.0.0.1:7212

    Hope this helps

    Cheers,
     
  3. mdmscifi

    mdmscifi Registered Member

    Joined:
    May 17, 2004
    Posts:
    2
    I am still working on this.

    The computer is not mine (its a relatives) and I do not always have access to it. I had some difficulties attaching the requested file, but will try again this evening.

    Please bear with me, when you only get small windows to work on major problems, it can be difficult.

    Thanks for your assistance

    I will work on trying the suggested fix tonight as well.

    (Is this something fairly new? or are all the recent postings showing a trend?)

    PS I am primarily a MAC person, we have our own problems, but they tend to be fewer (I am aware of the recent security bulletin regarding Safari)
    Thanks

    mdsmcifi
     
Thread Status:
Not open for further replies.