Remove that "SMARTSEARCH" hijack attack


3 replies to this topic

#1 TheRag (New Member, 4 posts)

Posted 18 June 2004 - 07:59 AM

Hey buddies,

I need some help removing the SMARTSEARCH page from my IE start page...
In fact it seems not to be a real site like an .html document or so, because if I refresh, the about:blank comes up clean with no rubbish, and SmartSearch doesn't load when the WMP window is opened in the browser...
So far
CWShredder doesn't help.

Now follows the HijackThis log:


Logfile of HijackThis v1.97.7
Scan saved at 14:26:19, on 18.06.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Sygate\SPF\smc.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\Programme\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Programme\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\Programme\D-Tools\daemon.exe
C:\Programme\iTunes\iTunesHelper.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\iPod\bin\iPodService.exe
C:\WINDOWS\System32\drrss.exe
C:\WINDOWS\System32\lssass.exe
C:\Programme\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\Messenger\msmsgs.exe
C:\Dokumente und Einstellungen\Betty\Desktop\dont remove\HijackThis.exe

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programme\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Programme\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [routcnf] C:\Programme\Telekom\Eumex 504PC USB\routcnf.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [iTunesHelper] C:\Programme\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Update] lssass.exe
O4 - HKLM\..\Run: [DSService] dmrss.exe
O4 - HKLM\..\Run: [93454E9D] C:\WINDOWS\System32\medrskj.exe
O4 - HKLM\..\Run: [WSAConfiguration] drrss.exe
O4 - HKLM\..\Run: [Microsoft Config 32bit] mscnfg32.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] systemse.exe
O4 - HKLM\..\RunServices: [Microsoft Update] lssass.exe
O4 - HKLM\..\RunServices: [DSService] dmrss.exe
O4 - HKLM\..\RunServices: [FDDD9EC6] C:\WINDOWS\System32\medrskj.exe
O4 - HKLM\..\RunServices: [WSAConfiguration] drrss.exe
O4 - HKLM\..\RunServices: [Microsoft Config 32bit] mscnfg32.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] systemse.exe
O4 - HKCU\..\Run: [Microsoft Config 32bit] mscnfg32.exe
O4 - HKCU\..\Run: [Microsoft Update] lssass.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] systemse.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programme\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O18 - Protocol hijack: about - {53B95211-7D77-11D2-9F81-00104B107C96}


Thanks for your help, buddies.....

TheRag

#2 jwbirdsong, "Slasher O' spyware" (Emeritus, 2,045 posts)

Posted 18 June 2004 - 08:17 AM

***Added
TheRag....I know it's frustrating to have this garbage on your machine, but in the future please be a little more civil with the title of the post......yours here is quite borderline, as this is a 'family' type forum..we cater to people of all ages and sensitivities
Thanks
*****end of Added



Press Ctrl+Alt+Del and 'end task' on any of the following that are present:
C:\WINDOWS\System32\drrss.exe
Put a check next to these in HijackThis:
O4 - HKLM\..\Run: [DSService] dmrss.exe
O4 - HKLM\..\Run: [93454E9D] C:\WINDOWS\System32\medrskj.exe
O4 - HKLM\..\Run: [WSAConfiguration] drrss.exe
O4 - HKLM\..\Run: [Microsoft Config 32bit] mscnfg32.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] systemse.exe
O4 - HKLM\..\RunServices: [Microsoft Update] lssass.exe
O4 - HKLM\..\RunServices: [DSService] dmrss.exe
O4 - HKLM\..\RunServices: [FDDD9EC6] C:\WINDOWS\System32\medrskj.exe
O4 - HKLM\..\RunServices: [WSAConfiguration] drrss.exe
O4 - HKLM\..\RunServices: [Microsoft Config 32bit] mscnfg32.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] systemse.exe
O4 - HKCU\..\Run: [Microsoft Config 32bit] mscnfg32.exe
O4 - HKCU\..\Run: [Microsoft Update] lssass.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] systemse.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE <---Optional, but highly recommended to remove: not needed at startup and a huge resource hog
O18 - Protocol hijack: about - {53B95211-7D77-11D2-9F81-00104B107C96}


THEN, WITH ALL OTHER WINDOWS CLOSED, press "Fix".


Make sure you are set to Show Hidden Files and Folders and delete the following files/folders:
C:\WINDOWS\System32\drrss.exe
C:\WINDOWS\System32\medrskj.exe
C:\WINDOWS\System32\systemse.exe
C:\WINDOWS\System32\lssass.exe
C:\WINDOWS\System32\mscnfg32.exe

Delete the files/folders from the following directories (but not the directory itself; for example, delete all files/folders IN temp, but not temp itself!):
  • C:\Windows\Temp\
  • C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
  • C:\Documents and Settings\<All other users Profile>\Local Settings\Temp\
  • C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <---This will delete your internet cache, including cookies. This is recommended and strongly suggested.
  • C:\Documents and Settings\<All other users Profile>\Local Settings\Temporary Internet Files\
  • Empty your "Recycle Bin"

Reboot
Run an online virus scan at Housecall and/or Panda Online. Please note any virus found and report back with a new log.

Then Reboot and post a fresh log back to this thread for me to check.

Edited by jwbirdsong, 18 June 2004 - 08:40 AM.

Things you need(all FREE)
Anti-Virus (Only One of these)
AVG Avast
Firewall (Only One here too)
Kerio(Direct Download) Zone Alarm
Misc. (Use all 3 together)
IE Spyads SpywareBlaster Spyware Guard
Windows Update (Once a week)
get all CRITICAL Updates

Things you want(Still Free)
Mozilla Firefox
Google Toolbar (stops pop-ups)
Ad-Aware
Spybot S&D
MS MVP Hosts file

Please donate to the site to help us help you. Info found HERE

PROUD member Since 2004
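Added example, not code from the thread or from HijackThis: the entries jwbirdsong picks out above share a few mechanical tells, and those tells can be checked by a script rather than by eye. The Python below is my own, and its heuristics are mine (each is a hint, not proof). It reads O4 and O18 lines copied from the log in post #1 and flags: a bare image name with no path (found through the PATH search, which installers almost never rely on); an image name one edit away from a core Windows binary (lssass.exe beside the real lsass.exe that is also in the process list); the RunServices key, which only Windows 95/98/ME processed and which nothing legitimate on XP writes; a "Microsoft"-branded value name whose image lives outside the Windows or Program Files trees; a random eight-hex-digit value name; and the O18 line, which means the handler for the about: protocol was re-registered, so about:blank can be served by someone else's code. The set of core binaries and trusted directory prefixes are assumptions chosen for this log (a German XP uses C:\Programme).

```python
import re

# Core Windows binaries that malware names itself after (lssass.exe vs lsass.exe). Assumed list.
CORE_BINARIES = {
    "lsass.exe", "smss.exe", "csrss.exe", "svchost.exe", "winlogon.exe",
    "services.exe", "spoolsv.exe", "explorer.exe", "rundll32.exe", "ctfmon.exe",
}
# Where a value calling itself "Microsoft ..." may plausibly point. Assumed for this machine.
TRUSTED_PREFIXES = ("c:\\windows\\", "%systemroot%\\", "c:\\programme\\", "c:\\program files\\")

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O18_RE = re.compile(r"^O18 - Protocol hijack: (?P<proto>\S+) - (?P<clsid>\{[0-9A-Fa-f-]+\})")

# A selection of O4/O18 lines copied from the first log in this thread. Global Startup
# lines use a different format and are not parsed here.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [routcnf] C:\Programme\Telekom\Eumex 504PC USB\routcnf.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Update] lssass.exe
O4 - HKLM\..\Run: [DSService] dmrss.exe
O4 - HKLM\..\Run: [93454E9D] C:\WINDOWS\System32\medrskj.exe
O4 - HKLM\..\Run: [WSAConfiguration] drrss.exe
O4 - HKLM\..\Run: [Microsoft Config 32bit] mscnfg32.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] systemse.exe
O4 - HKLM\..\RunServices: [Microsoft Update] lssass.exe
O4 - HKLM\..\RunServices: [FDDD9EC6] C:\WINDOWS\System32\medrskj.exe
O4 - HKCU\..\Run: [Microsoft Update] lssass.exe
O18 - Protocol hijack: about - {53B95211-7D77-11D2-9F81-00104B107C96}
"""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, enough to catch one-character lookalike filenames."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def image_of(cmd: str) -> str:
    """First token of the command line: a quoted path, or whatever precedes the first space.
    An unquoted path containing spaces is cut at the space, which only weakens the name checks."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split()[0]


def triage_o4(line: str) -> list[str]:
    """Reasons an O4 (Run/RunServices) line deserves a look; empty when nothing stands out."""
    m = O4_RE.match(line)
    if not m:
        return []
    name, key, image = m["name"], m["key"], image_of(m["cmd"])
    base = image.rsplit("\\", 1)[-1].lower()
    reasons = []
    if key == "RunServices":
        reasons.append("RunServices key: Win9x-era, not processed by XP, only malware writes it")
    if "\\" not in image and base not in CORE_BINARIES:
        reasons.append("bare image name, located via PATH search instead of a full path")
    if base not in CORE_BINARIES and any(edit_distance(base, core) == 1 for core in CORE_BINARIES):
        reasons.append(f"{base} is one edit away from a core Windows binary")
    if "microsoft" in name.lower() and not image.lower().startswith(TRUSTED_PREFIXES):
        reasons.append("Microsoft-branded value name pointing outside Windows/Program Files")
    if re.fullmatch(r"[0-9A-F]{8}", name):
        reasons.append("random eight-hex-digit value name")
    return reasons


def triage_o18(line: str) -> list[str]:
    """An O18 line means a URL protocol handler was re-registered; 'about' covers about:blank."""
    m = O18_RE.match(line)
    return [f"handler for the {m['proto']}: protocol replaced by CLSID {m['clsid']}"] if m else []


def triage_log(text: str) -> dict[str, list[str]]:
    """Map each flagged log line to its reasons; clean lines are omitted."""
    findings = {}
    for raw in text.splitlines():
        line = raw.strip()
        reasons = triage_o4(line) + triage_o18(line)
        if reasons:
            findings[line] = reasons
    return findings


if __name__ == "__main__":
    for line, reasons in triage_log(SAMPLE_LOG).items():
        print(line)
        for r in reasons:
            print("    -", r)
```

Run against the sample, every line jwbirdsong told TheRag to fix comes out flagged and none of the NVIDIA, Symantec, Sygate, Telekom or QuickTime entries do. The lookalike check is the one to keep even after the rest are automated away: the real lsass.exe is in the process list too, so only the spelling separates the two.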

#3 TheRag (New Member, 4 posts)

Posted 18 June 2004 - 09:39 AM

hedihey...

I've followed your steps... and finally it's done!!
SmartSearch went off from my browser's start page....

At my first (guided) run of HijackThis I didn't REALLY close all windows; one browser window kept open due to -erm "not working" problems...
and so the lssass and systemse and hijack stuff appeared again in the HJT log...

CWShredder always finds the following scripts/viruses/worms or whatever:

- CWS.Svchost32
- CWS.Jksearch

Here's my newest HijackThis log:


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Sygate\SPF\smc.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\Programme\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\Programme\D-Tools\daemon.exe
C:\Programme\iTunes\iTunesHelper.exe
C:\Programme\QuickTime\qttask.exe
C:\WINDOWS\System32\lssass.exe
C:\Programme\WinZip\WZQKPICK.EXE
C:\Programme\iPod\bin\iPodService.exe
C:\Programme\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\devldr32.exe
C:\Dokumente und Einstellungen\Betty\Desktop\dont remove\HijackThis.exe
C:\Programme\Messenger\msmsgs.exe

O1 - Hosts: 213.159.117.235 auto.search.msn.com
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programme\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Programme\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [routcnf] C:\Programme\Telekom\Eumex 504PC USB\routcnf.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [iTunesHelper] C:\Programme\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programme\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab



Thanks a lot jwbirdsong for your very quick help!!

The hijacking wasn't all I found on my sister's PC - there must have been a dialer or so.
Although we have DSL, the (don't know how it's called in English) internet connection displayed a number to dial different from the regular server number; I always thought dialers only work with dial-up connections and ISDN but not with DSL.
I just threw that out and got my router back from the office...

OK, so thanks again to this site and the people behind it.

TheRag (Germany)

Edited by TheRag, 18 June 2004 - 09:40 AM.


#4 jwbirdsong, "Slasher O' spyware" (Emeritus, 2,045 posts)

Posted 18 June 2004 - 10:18 AM

TheRag
This is my 2nd try at this post...lost the other somewhere..

CWShredder ALSO must have all windows closed when you run it for it to work properly. Also ALWAYS check for updates before you run it..latest version is 1.59

This one new line causes some small concern..fix it w/ HJT :
O1 - Hosts: 213.159.117.235 auto.search.msn.com

Then go ahead and run CWShredder as described above:

Download VX2Finder from HERE

Run VX2Finder and click on the "click to find VX2.BetterInternet" button. Then click "make log".

Copy and paste the contents of the log back to this thread.

Lastly would you Run an online virus scan at Housecall and/or Panda Online. Please note any virus found and report back with new log.

The above is because you still have C:\WINDOWS\System32\lssass.exe running..did you empty all the temp and TIF folders as described in the last post??

Barring any major result from the above, you're looking pretty good; to stay that way read on...

To reduce the potential for spyware infection in the future, I strongly recommend installing SpywareBlaster and SpyWareGuard and IE/Spyad.

SpywareBlaster and SpywareGuard are by JavaCool and both are free programs. SpywareBlaster will prevent spyware from being installed and consumes no system resources. SpywareGuard offers realtime protection from spyware installation attempts.

IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It is free.

More info and downloads are available at the link in my signature

And also see TonyKlein's good advice in "So how did I get infected in the first place?" (http://forums.net-integration.net/index.php?showtopic=3051)

Edited by jwbirdsong, 18 June 2004 - 10:21 AM.

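Added example, not part of the thread: the O1 line jwbirdsong flags in this post is a hosts-file redirect, and the tell is the address the name is mapped to. A block-list such as the MVP hosts file in the signature maps unwanted names to 0.0.0.0 or 127.0.0.1 so that traffic goes nowhere; a hijack maps a name the browser trusts (auto.search.msn.com is the host IE6 used for its address-bar search) to a public server, so the request lands on someone else's machine. The Python below is my own code, not HijackThis's or CWShredder's; it classifies each hosts entry by that distinction. The sample hosts file is constructed, except for the msn.com line, which is the one reported in the log above; the live-machine path in the comment is the standard XP location.

```python
import ipaddress
import sys

# Constructed sample: a normal localhost line, an MVP-style block entry, the O1 line from
# this thread, and a LAN device. Only the msn.com line is a hijack.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
0.0.0.0         ad.doubleclick.net        # block-list style: traffic goes nowhere (constructed)
213.159.117.235 auto.search.msn.com       # the O1 line HijackThis reported above
192.168.1.10    printer.lan               # LAN device, fine (constructed)
"""


def parse_hosts(text: str):
    """Yield (address, hostname) pairs, one per name; comments and blank lines are dropped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            yield addr, name


def classify(addr: str) -> str:
    """'sinkhole' for 0.0.0.0 or loopback (how block-lists work), 'redirect' for a globally
    routable address (the hijack pattern), 'lan' for private/link-local, 'malformed' otherwise."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "malformed"
    if ip.is_unspecified or ip.is_loopback:
        return "sinkhole"
    if ip.is_global:
        return "redirect"
    return "lan"


def find_redirects(text: str) -> list[tuple[str, str]]:
    """(hostname, address) for every entry that sends a name's traffic to a public address."""
    return [(name, addr) for addr, name in parse_hosts(text) if classify(addr) == "redirect"]


if __name__ == "__main__":
    # Pass a real file to check a machine, e.g. C:\WINDOWS\System32\drivers\etc\hosts on XP.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as f:
            text = f.read()
    else:
        text = SAMPLE_HOSTS
    for name, addr in find_redirects(text):
        print(f"REDIRECT {name} -> {addr}")
```

A redirect entry is worth treating as hostile until explained, because nothing a home user installs on purpose needs one; after deleting it, the lssass.exe that is still in the process list is the more likely source of it coming back, which is why the temp-folder cleanup and the rescan matter.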
