
HELP!!! hijacked by jksearch.biz


8 replies to this topic

#1 hawkeye182

hawkeye182

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 21 May 2004 - 10:44 AM

Any help would be appreciated, here's my log.

Logfile of HijackThis v1.97.7
Scan saved at 8:39:31 AM, on 5/21/2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
c:\jetsuite\jsdaemon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\DIGStream\digstream.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogin.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\unzipped\hijackthis[1]\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://any-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://any-find.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://jksearch.biz/redir.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://jksearch.biz/redir.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://jksearch.biz/redir.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://jksearch.biz/redir.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://any-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://any-find.com/index.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://tranenet/auto...5autoconfig.ins
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = laxhuf1:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://jksearch.biz/redir.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://jksearch.biz/redir.php
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [MSNSysRestore] C:\WINNT\System32\pc32.exe bg
O4 - Global Startup: winlogin.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8071.4333796296
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = field.cg.na.trane.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{350FF5A3-4680-4804-9AFB-47B443AAC8B2}: Domain = field.cg.na.trane.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = field.cg.na.trane.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = americanstandard.com,field.cg.na.trane.com,trane.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = field.cg.na.trane.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = americanstandard.com,field.cg.na.trane.com,trane.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = americanstandard.com,field.cg.na.trane.com,trane.com

#2 Guest_BoOchan_*

Guest_BoOchan_*
  • Guests

Posted 21 May 2004 - 11:03 AM

Hello

You have a variant of the CoolWebSearch trojan.

Please download CWShredder from http://spywareinfo.c.../cwshredder.exe and run the program. Press the "Fix" button and let it fix all variants. Next, close the program and post a fresh HijackThis log.

#3 hawkeye182

hawkeye182

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 21 May 2004 - 12:32 PM

I'm having trouble getting into my docs to run HijackThis. Every time I click on My Documents or My Computer my computer freezes.

#4 hawkeye182

hawkeye182

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 21 May 2004 - 01:04 PM

Ran CWShredder; nothing was detected, but 4 items were restored. Spybot and Ad-aware are no help either; here's the new log.

Logfile of HijackThis v1.97.7
Scan saved at 11:01:33 AM, on 5/21/2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
c:\jetsuite\jsdaemon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\DIGStream\digstream.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogin.exe
C:\WSCOMP\NITERM32.EXE
C:\WINNT\System32\NAUDPWC3.DRV
C:\WINNT\System32\SCardSvr.exe
C:\PROGRA~1\Citrix\ICACLI~1\Wfcrun32.exe
C:\PROGRA~1\Citrix\ICACLI~1\WFICA32.EXE
C:\PROGRA~1\Citrix\ICACLI~1\WFICA32.EXE
C:\Documents and Settings\tsphx148\Local Settings\Temporary Internet Files\Content.IE5\SXQZCXI7\HijackThis[1].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://jksearch.biz/redir.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://jksearch.biz/redir.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://jksearch.biz/redir.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://jksearch.biz/redir.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://tranenet/auto...5autoconfig.ins
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = laxhuf1:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://jksearch.biz/redir.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://jksearch.biz/redir.php
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [MSNSysRestore] C:\WINNT\System32\pc32.exe bg
O4 - Global Startup: winlogin.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8071.4333796296
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = field.cg.na.trane.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{350FF5A3-4680-4804-9AFB-47B443AAC8B2}: Domain = field.cg.na.trane.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = field.cg.na.trane.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = americanstandard.com,field.cg.na.trane.com,trane.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = field.cg.na.trane.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = americanstandard.com,field.cg.na.trane.com,trane.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = americanstandard.com,field.cg.na.trane.com,trane.com

#5 hawkeye182

hawkeye182

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 21 May 2004 - 02:01 PM

:angry: :( :angry: :( THIS THING HAS JACKED-UP MY WHOLE SYSTEM!!!

(shameless bump)

#6 shadowwar

shadowwar

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 1,361 posts

Posted 21 May 2004 - 02:08 PM

OK, please copy the contents of the quote box to Notepad:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"System"=-
[-HKEY_CLASSES_ROOT\CLSID\{061646A1-DC57-487D-B023-A938198C174E}]
[-HKEY_CLASSES_ROOT\CLSID\{4E8A9E72-8942-40EF-88DF-A559152F6B41}]
[-HKEY_CLASSES_ROOT\CLSID\{6E94CEC3-0C84-4310-AE20-CD4090178388}]


Hit Save As,
give it the name clear.reg,
under the filename set file types to All Files,
and save it to the desktop.

After that is done, double-click the clear.reg;
when asked to merge, say yes.

Reboot.

Then find this file:
system32.dll
It's probably in one of two locations:
c:\windows\system32\system32.dll
c:\windows\system\system32.dll
and delete it.

Then fix these with HijackThis:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://jksearch.biz/redir.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://jksearch.biz/redir.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://jksearch.biz/redir.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://jksearch.biz/redir.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://jksearch.biz/redir.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://jksearch.biz/redir.php

Edited by shadowwar, 21 May 2004 - 02:09 PM.

#7 hawkeye182

hawkeye182

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 21 May 2004 - 04:29 PM

That seems to have worked for jksearch, but I think I'm double-jacked because I'm having trouble with any-find. What should I do?

#8 hawkeye182

hawkeye182

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 21 May 2004 - 04:31 PM

I forgot the log.


Logfile of HijackThis v1.97.7
Scan saved at 2:31:35 PM, on 5/21/2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
c:\jetsuite\jsdaemon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogin.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\unzipped\hijackthis[1]\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://any-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://any-find.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://any-find.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://any-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://any-find.com/index.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://tranenet/auto...5autoconfig.ins
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = laxhuf1:80
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - Global Startup: winlogin.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8071.4333796296
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = field.cg.na.trane.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{350FF5A3-4680-4804-9AFB-47B443AAC8B2}: Domain = field.cg.na.trane.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = field.cg.na.trane.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = americanstandard.com,field.cg.na.trane.com,trane.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = field.cg.na.trane.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = americanstandard.com,field.cg.na.trane.com,trane.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = americanstandard.com,field.cg.na.trane.com,trane.com

#9 shadowwar

shadowwar

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 1,361 posts

Posted 22 May 2004 - 08:19 AM

Check and fix these items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://any-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://any-find.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://any-find.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://any-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://any-find.com/index.htm
O4 - Global Startup: winlogin.exe

Reboot into safe mode.
Delete this file:

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogin.exe
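As an added example (not code from this thread, from HijackThis or from its authors), a small Python triage pass over HijackThis log lines that does mechanically what shadowwar did by eye in posts #6 and #9: it flags R0/R1 browser-setting entries that point at the hijack domains named in this thread, and an O4 startup entry whose file name imitates a genuine Windows binary. The hijack-domain set and the lookalike table are this example's own assumptions built from the posted logs, and the sample lines are copied from those logs.

```python
import re
from urllib.parse import urlparse

# Hijack domains named in this thread; the lookalike table is this example's
# assumption (the log lists winlogin.exe alongside the genuine winlogon.exe).
HIJACK_DOMAINS = {"jksearch.biz", "any-find.com"}
LOOKALIKES = {"winlogin.exe": "winlogon.exe"}
LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")   # "R0 - ...", "O4 - ..."
EXE_RE = re.compile(r"([^\\\s]+\.exe)", re.I)                   # first bare file name

def parse_line(line):
    """Split one HijackThis entry into section, key and value; None for non-entries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    sep = " = " if sec[0] == "R" else ": "   # R lines are "key = value", O lines "loc: value"
    key, _, value = body.partition(sep)
    return {"section": sec, "key": key.strip(), "value": value.strip()}

def flag(entry):
    """Return a reason string if the entry warrants review, else None."""
    sec, val = entry["section"], entry["value"]
    if sec in ("R0", "R1") and val.startswith("http"):
        host = (urlparse(val).hostname or "").lower()
        if any(host == d or host.endswith("." + d) for d in HIJACK_DOMAINS):
            return f"browser setting points at hijack domain {host}"
    if sec == "O4":
        m = EXE_RE.search(val)
        exe = m.group(1).lower() if m else ""
        if exe in LOOKALIKES:
            return f"startup item {exe} mimics {LOOKALIKES[exe]}"
    return None

def triage(log_text):
    """Return (section, value, reason) for every flagged entry, in log order."""
    hits = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e and (reason := flag(e)):
            hits.append((e["section"], e["value"], reason))
    return hits

# Constructed sample: lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://jksearch.biz/redir.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://any-find.com/sp.htm
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - Global Startup: winlogin.exe
"""
```

Running `triage(SAMPLE_LOG)` returns three hits (the two hijacked browser settings and the winlogin.exe startup item) and leaves the legitimate mobsync.exe entry alone.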





