RE: Hijack This Log File


5 replies to this topic

#1 dawnrae (Member, 3 posts)

Posted 01 June 2004 - 06:53 PM

I've gotten that blasted CWS spyware on my computer and have since tried to evict it. I ran adaware (the latest version/updated) and spybot search and destroy (the latest version/updated) and CWShredder. I then ran Hijack This as suggested and have created a log file. Is there someone willing to take a look at it and let me know if there are any lingering traces of it that I need to remove?

dawnrae

#2 Scoff (SWI Junkie, Retired Staff, 294 posts)

Posted 01 June 2004 - 10:01 PM

If you copy and paste the log into this topic, someone will look at it for you.
Regards
Scoff

We've heard that a million monkeys at a million keyboards could produce the complete works of Shakespeare; now, thanks to the Internet, we know that is not true. - Robert Wilensky

#3 dawnrae (Member, 3 posts)

Posted 02 June 2004 - 06:45 AM

Logfile of HijackThis v1.97.7
Scan saved at 6:50:02 PM, on 6/1/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPROXY.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
D:\VIRUS FIGHTING STUFF\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///D:/My%20Documents/start.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by EarthLink, Inc.
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMANTEC\LIVEUP~1\SNDMON.EXE
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccProxy] C:\PROGRA~1\COMMON~1\SYMANT~1\CCPROXY.EXE
O4 - HKLM\..\RunServices: [SndSrvc] C:\PROGRA~1\COMMON~1\SYMANT~1\SNDSRVC.EXE
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8040.8461805556
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe

#4 Scoff (SWI Junkie, Retired Staff, 294 posts)

Posted 03 June 2004 - 09:15 PM

Hello Dawnrae

I'm currently looking at your log and I'd like to cross check a couple of things.

Since you ran cwshredder have you had any of the browser problems you were having before? Can you just let me know what was happening and, if possible, can you remember the names of any of the sites you were being redirected to? This may help identify the variant of coolwebsearch you had (there are many) and the likelihood of any nasties remaining.

Also, are you familiar with this:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///D:/My%20Documents/start.htm

Have you set something of your own to be loaded into your internet start page?
Regards
Scoff

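The cross-check Scoff is doing above (is the R0 start page something the user set, and which unnamed BHOs need identifying by their file path) can be automated for triage. Below is an added example, not code from the thread or from HijackThis, that parses lines in the v1.97 log format into section, body and CLSID and emits the review notes a helper would raise; the sample log is a constructed excerpt of the entries quoted in this thread.

```python
import re
from typing import Dict, List

# Constructed sample in HijackThis v1.97 log format: a handful of the
# entries from the log posted above, not the complete log.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///D:/My%20Documents/start.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
"""

# Every entry line starts with a section code (R0, R1, O2, O4, O16, ...)
# followed by " - " and the entry body.
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# COM class id in registry form: 8-4-4-4-12 hex digits inside braces.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_log(text: str) -> List[Dict[str, str]]:
    """Return one dict per entry line; header and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        body = m.group("body")
        clsid = CLSID_RE.search(body)
        entries.append({"section": m.group("section"), "body": body,
                        "clsid": clsid.group(0) if clsid else ""})
    return entries


def review_findings(entries: List[Dict[str, str]]) -> List[str]:
    """Notes for the entries a helper would cross-check with the user."""
    notes = []
    for e in entries:
        sec, body = e["section"], e["body"]
        if sec == "R0" and "Start Page" in body and "file:///" in body:
            notes.append(f"{sec}: start page is a local file; confirm the user set it")
        if sec == "O2" and body.startswith("BHO: (no name)"):
            notes.append(f"{sec}: unnamed BHO {e['clsid']}; identify it by its file path")
    return notes


if __name__ == "__main__":
    for note in review_findings(parse_log(SAMPLE_LOG)):
        print(note)
```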

#5 dawnrae (Member, 3 posts)

Posted 04 June 2004 - 10:08 AM

Hello Scoff

Actually, I think I got to it before it started hijacking my browser, at least in a major way. I found in a routine scan with Norton Antivirus that my Windows Media Player was "adware." I did some research and found this was a possible virus/trojan horse/spyware and proceeded to download the cwshredder. It removed the wmplayer and several registry keys; then I ran adaware and spybot S&D and removed several other questionable items like Alexa keys, cookies, and a DSO exploit and several other things. I also ran Norton's Windoctor to look for anything else in the registry.
My browser was never hijacked to my knowledge, i.e. it never redirected me to a site upon launch of IE, nor did it change my home page (which is -- R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///D:/My%20Documents/start.htm). I do know that I was having trouble searching a couple of days before, frequently getting the "can't find this page" page. Assuming my memory isn't faulty, I think I may have actually visited a link a few days earlier that said something along the lines of "Cool Web Search" in the address or title, but I just could be confused from all the other stuff that I've looked at on the nasty bugger. I do know that I was searching for information on a video game and visited a number of sites; I don't remember any specific ones.
Still, other than the search stutter and the wmplayer.exe thing, I've had no other problems, and I've run cwshredder several other times since instituting the measures above but have found nothing. I installed Spyblaster as a precaution, upped my IE ActiveX security levels and did a bit of tweaking in my Norton Firewall to hopefully prevent this particular nasty from coming back.
If there's anything else you would recommend me doing to prevent this and any other nasties from paying a visit to my computer, just let me know. I'm appreciative of all help and advice.
Thank you,

Dawn

Edited by dawnrae, 04 June 2004 - 10:13 AM.


#6 Scoff (SWI Junkie, Retired Staff, 294 posts)

Posted 05 June 2004 - 10:36 AM

If you don't have the latest version of spybot (v1.3) I suggest you get it; it has a function called teatimer that can prevent unauthorised changes. If you have v1.2, uninstall it before installing the new version.

IE-SPYAD puts over 4000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

If you don't have an up-to-date hosts file it might be a good idea to replace it with a new one. This will help you block bad sites and ad servers. In Windows Explorer go to C:\WINDOWS\System32\Drivers\Etc, locate the file called hosts (no file extension) and rename it to hosts.old. Then download the MVPS hosts file and extract it to the exact same location.

Both are very small free programs that you run once, and then just occasionally to check for updates.

It may be worth reading "How did I get infected in the first place?"
Regards
Scoff
