bluzdude Posted November 23, 2004

Hi, I have picked up a browser hijacker, at the very least, that resists automated removal programs, including HiJackThis, Ad-Aware 6.0, SpyBot Search and Destroy, and CWS. It appears to be a variant of the Cool Web Search bug. I am experiencing IE slowdowns and lockups, pop ups, home page redirects, etc. Here is my HJT log:

Logfile of HijackThis v1.97.3
Scan saved at 6:04:53 PM, on 11/22/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\DIGStream\digstream.exe
C:\WINDOWS\SYSTEM32\3cmlink.exe
C:\PROGRA~1\SPRINT~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\SYSTEM32\3cshtdwn.exe
C:\WINDOWS\SYSTEM32\3cmlink.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System\MSMSGSVC.exe
C:\Program Files\MA311 PCI Adapter Configuration Utility\wlanutil.exe
C:\Program Files\U.S. Robotics\ControlCenter\Reminder.exe
C:\WINDOWS\FSScrCtl.exe
C:\Program Files\U.S. Robotics\Internet Call Notification\CallWaiting.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\cnmsm58.exe
C:\Program Files\Sprint Virtual Assistant\bin\mpbtn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ray Baker.RAY-TWA0MACJQU8\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.e-finder.cc/search/ (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.e-finder.cc/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.e-finder.cc/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.e-finder.cc/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.e-finder.cc/search/ (obfuscated)
O2 - BHO: (no name) - {834261E1-DD97-4177-853B-C907E5D5BD6E} - C:\WINDOWS\dpe.dll
O4 - HKCU\..\Run: [MSMsgSvc] C:\WINDOWS\System\MSMSGSVC.exe
therock247uk Posted November 23, 2004

Woah, what an old version of Hijackthis you have. Can you please download a newer Hijackthis version 1.98.2 from http://www.spywareinfo.com/~merijn/files/hijackthis.zip, unzip it into a permanent folder like c:/hjt and post a new Hijackthis log here in a reply from it.
bluzdude (Author) Posted November 23, 2004

HJT version 1.98.2 log:

Logfile of HijackThis v1.98.2
Scan saved at 7:17:16 PM, on 11/22/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\DIGStream\digstream.exe
C:\WINDOWS\SYSTEM32\3cmlink.exe
C:\PROGRA~1\SPRINT~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\SYSTEM32\3cshtdwn.exe
C:\WINDOWS\SYSTEM32\3cmlink.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System\MSMSGSVC.exe
C:\Program Files\MA311 PCI Adapter Configuration Utility\wlanutil.exe
C:\Program Files\U.S. Robotics\ControlCenter\Reminder.exe
C:\WINDOWS\FSScrCtl.exe
C:\Program Files\U.S. Robotics\Internet Call Notification\CallWaiting.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\cnmsm58.exe
C:\Program Files\Sprint Virtual Assistant\bin\mpbtn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\HiJackThis\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.e-finder.cc/search/ (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.e-finder.cc/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.e-finder.cc/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.e-finder.cc/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.e-finder.cc/search/ (obfuscated)
O2 - BHO: DOMPeek Class - {834261E1-DD97-4177-853B-C907E5D5BD6E} - C:\WINDOWS\dpe.dll
O4 - HKCU\..\Run: [MSMsgSvc] C:\WINDOWS\System\MSMSGSVC.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
therock247uk Posted November 23, 2004

1. Ok, open Hijackthis and click scan. Then tick and fix the following in Hijackthis with all windows closed except Hijackthis.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.e-finder.cc/search/ (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.e-finder.cc/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.e-finder.cc/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.e-finder.cc/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.e-finder.cc/search/ (obfuscated)
O2 - BHO: DOMPeek Class - {834261E1-DD97-4177-853B-C907E5D5BD6E} - C:\WINDOWS\dpe.dll
O4 - HKCU\..\Run: [MSMsgSvc] C:\WINDOWS\System\MSMSGSVC.exe

2. Reboot and delete the files.

C:\WINDOWS\dpe.dll
C:\WINDOWS\System\MSMSGSVC.exe

3. Then post a new Hijackthis log here in a reply.
bluzdude (Author) Posted November 23, 2004

Accomplished all except the deletion of:

O4 - HKCU\..\Run: [MSMsgSvc] C:\WINDOWS\System\MSMSGSVC.exe

I get a message that says: "Can't delete MSMSGSVC: Access denied"

Here's the new log (it all came back after reboot, as you can see):

Logfile of HijackThis v1.98.2
Scan saved at 8:08:14 PM, on 11/22/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\DIGStream\digstream.exe
C:\WINDOWS\SYSTEM32\3cmlink.exe
C:\PROGRA~1\SPRINT~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\SYSTEM32\3cshtdwn.exe
C:\WINDOWS\SYSTEM32\3cmlink.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System\MSMSGSVC.exe
C:\Program Files\MA311 PCI Adapter Configuration Utility\wlanutil.exe
C:\Program Files\U.S. Robotics\ControlCenter\Reminder.exe
C:\WINDOWS\FSScrCtl.exe
C:\Program Files\U.S. Robotics\Internet Call Notification\CallWaiting.exe
C:\Program Files\Sprint Virtual Assistant\bin\mpbtn.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\HiJackThis\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.e-finder.cc/search/ (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.e-finder.cc/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.e-finder.cc/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.e-finder.cc/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.e-finder.cc/search/ (obfuscated)
O2 - BHO: DOMPeek Class - {834261E1-DD97-4177-853B-C907E5D5BD6E} - C:\WINDOWS\dpe.dll
O4 - HKCU\..\Run: [MSMsgSvc] C:\WINDOWS\System\MSMSGSVC.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
bluzdude (Author) Posted November 23, 2004

Ok, I had to do a Ctrl/Alt/Del and End Process because the MSMSGSVC.exe application was running in the background. Repeated the scan/reboot/deletions and here is the latest HJT scan (it appears I'm clean now):

Logfile of HijackThis v1.98.2
Scan saved at 10:12:02 PM, on 11/22/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\DIGStream\digstream.exe
C:\WINDOWS\SYSTEM32\3cmlink.exe
C:\PROGRA~1\SPRINT~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\SYSTEM32\3cshtdwn.exe
C:\WINDOWS\SYSTEM32\3cmlink.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MA311 PCI Adapter Configuration Utility\wlanutil.exe
C:\Program Files\U.S. Robotics\ControlCenter\Reminder.exe
C:\WINDOWS\FSScrCtl.exe
C:\Program Files\U.S. Robotics\Internet Call Notification\CallWaiting.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\cnmsm58.exe
C:\Program Files\Sprint Virtual Assistant\bin\mpbtn.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\HiJackThis\hijackthis\HijackThis.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
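As an added example that is not code from any participant in this thread, the Python script below parses a HijackThis log like the ones posted above into its running-process list and its numbered entries, flags the R0/R1 Internet Explorer start/search entries that the helper told the poster to fix, and checks whether an O4 autorun target is still among the running processes, which is why the file deletion failed with "Access denied" until the process was ended from Task Manager. The sample log is constructed, cut down from the logs in this thread, and the watch-list hosts are an assumption taken from the entries the helper listed; the regular expressions for the log format are likewise this example's own.

```python
import re

# Constructed sample log, cut down from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.2
Scan saved at 8:08:14 PM, on 11/22/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System\MSMSGSVC.exe
C:\HiJackThis\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.e-finder.cc/search/ (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.e-finder.cc/search/ (obfuscated)
O2 - BHO: DOMPeek Class - {834261E1-DD97-4177-853B-C907E5D5BD6E} - C:\WINDOWS\dpe.dll
O4 - HKCU\..\Run: [MSMsgSvc] C:\WINDOWS\System\MSMSGSVC.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
"""

# Watch list: the hosts the helper in this thread told the poster to fix.
# Assumption: these are the only indicators for this case; extend as needed.
WATCH_HOSTS = ("e-finder.cc", "default.home")

# A HijackThis entry line: a short section code, " - ", then the entry body.
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d+) - (.*)$")


def parse_hjt(text):
    """Split a HijackThis log into (running_processes, entries).

    entries is a list of (code, body) tuples, e.g. ("O4", "HKCU\\..\\Run: ...").
    Header lines before 'Running processes:' are ignored.
    """
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        match = ENTRY_RE.match(line)
        if match:
            in_processes = False  # the first numbered entry ends the process list
            entries.append((match.group(1), match.group(2)))
        elif in_processes:
            processes.append(line)
    return processes, entries


def hijacked_ie_entries(entries, watch_hosts=WATCH_HOSTS):
    """R0/R1 entries whose URL is on the watch list or that HijackThis itself
    marks as (obfuscated); these are the start page / search page hijacks."""
    hits = []
    for code, body in entries:
        if code in ("R0", "R1") and (
            "(obfuscated)" in body or any(host in body for host in watch_hosts)
        ):
            hits.append(f"{code} - {body}")
    return hits


def autorun_targets_still_running(processes, entries):
    """O4 autorun targets whose executable also appears in the running-process
    list. Deleting such a file fails with 'Access denied' while the process is
    alive, which is what the poster hit before ending it in Task Manager."""
    running = {p.lower() for p in processes}
    hits = []
    for code, body in entries:
        if code != "O4":
            continue
        # Body looks like: HKCU\..\Run: [ValueName] C:\path\to\target.exe
        match = re.search(r"\]\s*(.+?)\s*$", body)
        if match:
            target = match.group(1).strip('"')
            if target.lower() in running:
                hits.append(target)
    return hits


if __name__ == "__main__":
    procs, ents = parse_hjt(SAMPLE_LOG)
    print("IE start/search hijacks to fix:")
    for hit in hijacked_ie_entries(ents):
        print("  ", hit)
    print("Autorun targets that must be ended before their file can be deleted:")
    for target in autorun_targets_still_running(procs, ents):
        print("  ", target)
```

Run against the sample it lists the three hijacked R0/R1 entries and reports C:\WINDOWS\System\MSMSGSVC.exe as a still-running autorun target; feeding it the final clean log from this thread yields nothing in either list, which is the same check the helper did by eye.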
therock247uk Posted November 23, 2004

Log looks clean. How is the PC?
bluzdude (Author) Posted November 24, 2004

Sorry I took so long to reply. My comp is working fine again. Thanks for your assistance Rock!

Bluz