
Hijack Log And Coolsearch Removal


This topic is locked. 4 replies to this topic.

#1 jogsoid (New Member, 2 posts)

Posted 14 May 2004 - 02:38 AM

Hi, the other day I seem to have gotten the nasty little Cool Web Search malware. I did some research, found HijackThis, but instead of posting a log and getting advice like I should have done and am doing now, I decided to go off someone else's post and try to fix the problem myself. I did remove the Cool Web Search bug, but Explorer seemed to become unstable today, so I restored everything I fixed with HijackThis, took a log and will now ask for advice on what to fix.

Any help would be great! Thanks in advance.

HijackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 1:12:03 AM, on 5/14/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\System32\Ati2evxx.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\spoolsv.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\Explorer.EXE
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Motherboard Monitor 5\MBM5.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\STREAM~1\Remote\zremote.exe
C:\Program Files\ZoneAlarm\zapro.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Windows\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Documents and Settings\Jeff Brennan\Desktop\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\Windows\System32\mbbp.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\Windows\System32\mbbp.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\Windows\System32\mbbp.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\Windows\System32\mbbp.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\Windows\System32\mbbp.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\Windows\System32\mbbp.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
F1 - win.ini: run=C:\Windows\System32\services\wmplayer.exe
O1 - Hosts: 127.0.0.0 localhost
O1 - Hosts: 127.0.0.55 tomcoyote.org
O1 - Hosts: 127.0.0.27 mjc1.com
O1 - Hosts: 127.0.0.34 pchell.com
O1 - Hosts: 127.0.0.70 www.grisoft.com
O1 - Hosts: 127.0.0.65 www.eblocs.com
O1 - Hosts: 127.0.0.75 www.kephyr.com
O1 - Hosts: 127.0.0.95 www.spychecker.com
O1 - Hosts: 127.0.0.91 www.secureie.com
O1 - Hosts: 127.0.0.71 www.hackfaq.org
O1 - Hosts: 127.0.0.37 secure.spykiller.com
O1 - Hosts: 127.0.0.98 www.spykiller.com
O1 - Hosts: 127.0.0.28 moosoft.com
O1 - Hosts: 127.0.0.90 www.safer-networking.org
O1 - Hosts: 127.0.0.50 spywareremove.com
O1 - Hosts: 127.0.0.45 spykiller.com
O1 - Hosts: 127.0.0.56 unwantedlinks.com
O1 - Hosts: 127.0.0.35 pestpatrol.com
O1 - Hosts: 127.0.0.62 www.computercops.us
O1 - Hosts: 127.0.0.63 www.ct7support.com
O1 - Hosts: 127.0.0.23 lavasoftusa.com
O1 - Hosts: 127.0.0.86 www.no-spybot.com
O1 - Hosts: 127.0.0.54 thiefware.com
O1 - Hosts: 127.0.0.7 computercops.us
O1 - Hosts: 127.0.0.21 kephyr.com
O1 - Hosts: 127.0.0.64 www.doxdesk.com
O1 - Hosts: 127.0.0.47 spyware-cop.com
O1 - Hosts: 127.0.0.43 spycop.com
O1 - Hosts: 127.0.0.57 webattack.com
O1 - Hosts: 127.0.0.39 security.kolla.de
O1 - Hosts: 127.0.0.76 www.lavasoft.de
O1 - Hosts: 127.0.0.44 spyguard.com
O1 - Hosts: 127.0.0.26 merijn.org
O1 - Hosts: 127.0.0.31 noadware.net
O1 - Hosts: 127.0.0.46 spyware.co.uk
O1 - Hosts: 127.0.0.38 secureie.com
O1 - Hosts: 127.0.0.4 bulletproofsoft.net
O1 - Hosts: 127.0.0.81 www.mjc1.com
O1 - Hosts: 127.0.0.30 net-integration.net
O1 - Hosts: 127.0.0.80 www.merijn.org
O1 - Hosts: 127.0.0.25 majorgeeks.com
O1 - Hosts: 127.0.0.69 www.grc.com
O1 - Hosts: 127.0.0.96 www.spycop.com
O1 - Hosts: 127.0.0.93 www.spybot.info
O1 - Hosts: 127.0.0.24 lurkhere.com
O1 - Hosts: 127.0.0.33 onlinepcfix.com
O1 - Hosts: 127.0.0.79 www.majorgeeks.com
O1 - Hosts: 127.0.0.48 spywareinfo.com
O1 - Hosts: 127.0.0.2 auditmypc.com
O1 - Hosts: 127.0.0.72 www.hazeleger.net
O1 - Hosts: 127.0.0.20 kellys-korner-xp.com
O1 - Hosts: 127.0.0.40 spybot.info
O1 - Hosts: 127.0.0.92 www.security.kolla.de
O1 - Hosts: 127.0.0.51 spywareremove.com
O1 - Hosts: 127.0.0.83 www.mvps.org
O1 - Hosts: 127.0.0.66 www.enigmasoftwaregroup.com
O1 - Hosts: 127.0.0.41 spychecker.com
O1 - Hosts: 127.0.0.59 www.auditmypc.com
O1 - Hosts: 127.0.0.8 ct7support.com
O1 - Hosts: 127.0.0.3 boards.cexx.org
O1 - Hosts: 127.0.0.36 safer-networking.org
O1 - Hosts: 127.0.0.29 mvps.org
O1 - Hosts: 127.0.0.32 no-spybot.com
O1 - Hosts: 127.0.0.77 www.lavasoftusa.com
O1 - Hosts: 127.0.0.85 www.noadware.net
O1 - Hosts: 127.0.0.87 www.onlinepcfix.com
O1 - Hosts: 127.0.0.78 www.lurkhere.com
O1 - Hosts: 127.0.0.97 www.spyguard.com
O1 - Hosts: 127.0.0.68 www.free-web-browsers.com
O1 - Hosts: 127.0.0.73 www.javacoolsoftware.com
O1 - Hosts: 127.0.0.9 doxdesk.com
O1 - Hosts: 127.0.0.6 cexx.org
O1 - Hosts: 127.0.0.5 camtech2000.net
O1 - Hosts: 127.0.0.22 lavasoft.de
O1 - Hosts: 127.0.0.49 spywarenuker.com
O1 - Hosts: 127.0.0.89 www.pestpatrol.com
O1 - Hosts: 127.0.0.53 sunbelt-software.com
O1 - Hosts: 127.0.0.61 www.cexx.org
O1 - Hosts: 127.0.0.60 www.bulletproofsoft.net
O1 - Hosts: 127.0.0.74 www.kellys-korner-xp.com
O1 - Hosts: 127.0.0.58 wilders.org
O1 - Hosts: 127.0.0.67 www.free-spyware-scan.com
O1 - Hosts: 127.0.0.42 spychecker.com
O1 - Hosts: 127.0.0.94 www.spychecker.com
O1 - Hosts: 127.0.0.84 www.net-integration.net
O1 - Hosts: 127.0.0.82 www.moosoft.com
O1 - Hosts: 127.0.0.52 stopzillapro.com
O1 - Hosts: 127.0.0.99 www.spyware.co.uk
O1 - Hosts: 127.0.0.88 www.pchell.com
O2 - BHO: (no name) - {03AE692F-DFD5-41E9-A730-D60EB49D8F5A} - C:\Windows\System32\mbbp.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {9DC63C4A-27A7-43B4-A2DB-E75370652A11} - C:\Windows\System32\mbbp.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [StreamZap Remote] C:\PROGRA~1\STREAM~1\Remote\zremote.exe
O4 - HKLM\..\Run: [xpsystem] C:\Windows\System32\services\wmplayer.exe
O4 - HKLM\..\Run: [mswspl] C:\Program Files\Windows Media Player\wmplayer.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [xpsystem] C:\Windows\System32\services\wmplayer.exe
O4 - Startup: zapro.exe.lnk = C:\Program Files\ZoneAlarm\zapro.exe
O8 - Extra context menu item: &iSearch The Web - res://C:\Windows\System32\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ATI TV (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - http://toolbar.isear...ral/initial.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {5445BE81-B796-11D2-B931-002018654E2E} (MeadCo Security Manager) - http://cygnus.global...g/ie/SecMgr.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.napster.c...ient/isetup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7882.9504976852
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

By the way, I found and ran the CWShredder program, and the resulting log now shows:

Logfile of HijackThis v1.97.7
Scan saved at 1:17:25 AM, on 5/14/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\System32\Ati2evxx.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\spoolsv.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Motherboard Monitor 5\MBM5.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\STREAM~1\Remote\zremote.exe
C:\Program Files\ZoneAlarm\zapro.exe
C:\Windows\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Documents and Settings\Jeff Brennan\Desktop\Hijack This\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
F1 - win.ini: run=C:\Windows\System32\services\wmplayer.exe
O1 - Hosts: 127.0.0.0 localhost
O1 - Hosts: 127.0.0.55 tomcoyote.org
O1 - Hosts: 127.0.0.27 mjc1.com
O1 - Hosts: 127.0.0.34 pchell.com
O1 - Hosts: 127.0.0.70 www.grisoft.com
O1 - Hosts: 127.0.0.65 www.eblocs.com
O1 - Hosts: 127.0.0.75 www.kephyr.com
O1 - Hosts: 127.0.0.95 www.spychecker.com
O1 - Hosts: 127.0.0.91 www.secureie.com
O1 - Hosts: 127.0.0.71 www.hackfaq.org
O1 - Hosts: 127.0.0.37 secure.spykiller.com
O1 - Hosts: 127.0.0.98 www.spykiller.com
O1 - Hosts: 127.0.0.28 moosoft.com
O1 - Hosts: 127.0.0.90 www.safer-networking.org
O1 - Hosts: 127.0.0.50 spywareremove.com
O1 - Hosts: 127.0.0.45 spykiller.com
O1 - Hosts: 127.0.0.56 unwantedlinks.com
O1 - Hosts: 127.0.0.35 pestpatrol.com
O1 - Hosts: 127.0.0.62 www.computercops.us
O1 - Hosts: 127.0.0.63 www.ct7support.com
O1 - Hosts: 127.0.0.23 lavasoftusa.com
O1 - Hosts: 127.0.0.86 www.no-spybot.com
O1 - Hosts: 127.0.0.54 thiefware.com
O1 - Hosts: 127.0.0.7 computercops.us
O1 - Hosts: 127.0.0.21 kephyr.com
O1 - Hosts: 127.0.0.64 www.doxdesk.com
O1 - Hosts: 127.0.0.47 spyware-cop.com
O1 - Hosts: 127.0.0.43 spycop.com
O1 - Hosts: 127.0.0.57 webattack.com
O1 - Hosts: 127.0.0.39 security.kolla.de
O1 - Hosts: 127.0.0.76 www.lavasoft.de
O1 - Hosts: 127.0.0.44 spyguard.com
O1 - Hosts: 127.0.0.26 merijn.org
O1 - Hosts: 127.0.0.31 noadware.net
O1 - Hosts: 127.0.0.46 spyware.co.uk
O1 - Hosts: 127.0.0.38 secureie.com
O1 - Hosts: 127.0.0.4 bulletproofsoft.net
O1 - Hosts: 127.0.0.81 www.mjc1.com
O1 - Hosts: 127.0.0.30 net-integration.net
O1 - Hosts: 127.0.0.80 www.merijn.org
O1 - Hosts: 127.0.0.25 majorgeeks.com
O1 - Hosts: 127.0.0.69 www.grc.com
O1 - Hosts: 127.0.0.96 www.spycop.com
O1 - Hosts: 127.0.0.93 www.spybot.info
O1 - Hosts: 127.0.0.24 lurkhere.com
O1 - Hosts: 127.0.0.33 onlinepcfix.com
O1 - Hosts: 127.0.0.79 www.majorgeeks.com
O1 - Hosts: 127.0.0.2 auditmypc.com
O1 - Hosts: 127.0.0.72 www.hazeleger.net
O1 - Hosts: 127.0.0.20 kellys-korner-xp.com
O1 - Hosts: 127.0.0.40 spybot.info
O1 - Hosts: 127.0.0.92 www.security.kolla.de
O1 - Hosts: 127.0.0.51 spywareremove.com
O1 - Hosts: 127.0.0.83 www.mvps.org
O1 - Hosts: 127.0.0.66 www.enigmasoftwaregroup.com
O1 - Hosts: 127.0.0.41 spychecker.com
O1 - Hosts: 127.0.0.59 www.auditmypc.com
O1 - Hosts: 127.0.0.8 ct7support.com
O1 - Hosts: 127.0.0.3 boards.cexx.org
O1 - Hosts: 127.0.0.36 safer-networking.org
O1 - Hosts: 127.0.0.29 mvps.org
O1 - Hosts: 127.0.0.32 no-spybot.com
O1 - Hosts: 127.0.0.77 www.lavasoftusa.com
O1 - Hosts: 127.0.0.85 www.noadware.net
O1 - Hosts: 127.0.0.87 www.onlinepcfix.com
O1 - Hosts: 127.0.0.78 www.lurkhere.com
O1 - Hosts: 127.0.0.97 www.spyguard.com
O1 - Hosts: 127.0.0.68 www.free-web-browsers.com
O1 - Hosts: 127.0.0.73 www.javacoolsoftware.com
O1 - Hosts: 127.0.0.9 doxdesk.com
O1 - Hosts: 127.0.0.6 cexx.org
O1 - Hosts: 127.0.0.5 camtech2000.net
O1 - Hosts: 127.0.0.22 lavasoft.de
O1 - Hosts: 127.0.0.49 spywarenuker.com
O1 - Hosts: 127.0.0.89 www.pestpatrol.com
O1 - Hosts: 127.0.0.53 sunbelt-software.com
O1 - Hosts: 127.0.0.61 www.cexx.org
O1 - Hosts: 127.0.0.60 www.bulletproofsoft.net
O1 - Hosts: 127.0.0.74 www.kellys-korner-xp.com
O1 - Hosts: 127.0.0.58 wilders.org
O1 - Hosts: 127.0.0.67 www.free-spyware-scan.com
O1 - Hosts: 127.0.0.42 spychecker.com
O1 - Hosts: 127.0.0.94 www.spychecker.com
O1 - Hosts: 127.0.0.84 www.net-integration.net
O1 - Hosts: 127.0.0.82 www.moosoft.com
O1 - Hosts: 127.0.0.52 stopzillapro.com
O1 - Hosts: 127.0.0.99 www.spyware.co.uk
O1 - Hosts: 127.0.0.88 www.pchell.com
O2 - BHO: (no name) - {03AE692F-DFD5-41E9-A730-D60EB49D8F5A} - C:\Windows\System32\mbbp.dll (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [StreamZap Remote] C:\PROGRA~1\STREAM~1\Remote\zremote.exe
O4 - HKLM\..\Run: [mswspl] C:\Program Files\Windows Media Player\wmplayer.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Startup: zapro.exe.lnk = C:\Program Files\ZoneAlarm\zapro.exe
O8 - Extra context menu item: &iSearch The Web - res://C:\Windows\System32\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ATI TV (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - http://toolbar.isear...ral/initial.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {5445BE81-B796-11D2-B931-002018654E2E} (MeadCo Security Manager) - http://cygnus.global...g/ie/SecMgr.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.napster.c...ient/isetup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7882.9504976852
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab



#2 Salado (Authentic Member, 86 posts)

Posted 14 May 2004 - 11:52 AM

Hi jogsoid

Your first log indicated that you had the new CWS variant-- and normally, fixing it with CWS is not a long term fix. It will usually come back upon a couple reboots. So, if it does, then come back and we will do a permanent fix.

In the meantime, we can fix some other stuff in your log.

Now--Run Hijack This again and put a check by these.

Close all windows and browsers and with only HijackThis running, click "Fix checked"

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

Check all of the O1 entries

O2 - BHO: (no name) - {03AE692F-DFD5-41E9-A730-D60EB49D8F5A} - C:\Windows\System32\mbbp.dll (file missing)

O8 - Extra context menu item: &iSearch The Web - res://C:\Windows\System32\toolbar.dll/SEARCH.HTML

O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - http://toolbar.isear...ral/initial.cab

O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -

Reboot into safe mode, and delete the following:

C:\Windows\System32\mbbp.dll <==File (If still there)
C:\Windows\System32\toolbar.dll <==File


In case you're not sure how to boot into safe mode:
Starting your computer in Safe Mode!

Also, since the files may be hidden and you may not be sure how to see hidden files:
Here's how!

Paste another HJT log so we can see if all is OK. Good Luck.

#3 jogsoid (New Member, 2 posts)

Posted 14 May 2004 - 06:50 PM

OK, great! My log seems very clean now; I'll post it just in case anyone sees anything else.

Thanks a lot, you guys are great.

Logfile of HijackThis v1.97.7
Scan saved at 5:49:04 PM, on 5/14/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\System32\Ati2evxx.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\spoolsv.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\Explorer.EXE
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Motherboard Monitor 5\MBM5.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\STREAM~1\Remote\zremote.exe
C:\Program Files\ZoneAlarm\zapro.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Windows\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Documents and Settings\Jeff Brennan\Desktop\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [StreamZap Remote] C:\PROGRA~1\STREAM~1\Remote\zremote.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Startup: zapro.exe.lnk = C:\Program Files\ZoneAlarm\zapro.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ATI TV (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {5445BE81-B796-11D2-B931-002018654E2E} (MeadCo Security Manager) - http://cygnus.global...g/ie/SecMgr.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.napster.c...ient/isetup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7882.9504976852
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#4 Salado (Authentic Member, 86 posts)

Posted 15 May 2004 - 07:55 AM

jogsoid -- your log is clean. Did you use some other program to clean with? The reason I ask is that there were some entries that disappeared that were there before?

Like I said earlier-- the original variant may return. If so just repost here and we will fix it.

Got some suggestions for you though.

Your HOSTS file got hijacked. To help prevent that-- look here:
Under Windows XP Pro c:\winnt\system32\drivers\etc\hosts
or Windows XP Home c:\windows\system32\drivers\etc\hosts

Using Windows Explorer, search for the hosts file-- there will be no extension on it, just HOSTS. Right click on the file and click Properties. On the General page at the bottom-- check the box that says "Read-only". No other boxes should be checked. Hit Apply and OK.
---------------------------------------------------------------------------------------------
Also, for better protection, there are a few things that you should consider.

Here's an excellent article by TonyKlein. It gives you many tools to help protect yourself with.
http://computercops.biz/postt7736.html

IE_Spyad has over 4000 sites that it blocks. Read about that here.

http://www.windowsfo...?showtopic=6640

But for sure-- for more protection, you should highly consider downloading SpywareBlaster from this site:
http://www.javacools...areblaster.html

It's free and helps to prevent spyware from ever being installed.

Download the file, click on "Check for updates" and, if there are any, click on "Download update(s)". Then click Finish when all downloaded files have a green check mark.

If there were any updates, click on the "Select all" button and then click the "Protect Against Checked Items".

That's it. Close the file. Don't forget to check for updates every week.

I would also recommend that you download Ad-Aware, indicated in TonyKlein's article. Then run both Ad-Aware and Spybot at least once a week-- and don't forget to check for their updates before running.

Of course, one of the most important things is to keep the critical updates for Windows and Internet Explorer updated. You can check here:
http://windowsupdate.microsoft.com/

Empty your Temporary Internet Files and history in Internet Options, and clean out your %Userprofile%\Local Settings\Temp folder. It's a good idea to do that regularly.

And last but not least--keep your anti-virus program updated as well.
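The two symptoms Salado points at in posts #2 and #4, a HOSTS file hijacked to blackhole security-vendor sites into 127.0.0.x, and IE's search and start pages pointed at a res:// DLL, can be picked out of a HijackThis-style log automatically. The following Python script is an added example, not code from this thread or from the HijackThis project: it parses O1 and R0/R1 lines in the 1.97 format quoted above and reports each suspicious entry. The sample log, the PROTECTED_DOMAINS list and the hijack.dll name are constructed for illustration and are not indicators taken from the thread.

```python
"""Triage helper for HijackThis-style logs (added example, not a tool from the
thread). It flags a hijacked HOSTS file (O1 entries) and IE search/start pages
redirected to a res:// DLL (R0/R1 entries)."""
import re

# Line formats as they appear in HijackThis 1.97 logs.
HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)\s*$")
RES_RE = re.compile(r"^R[01] - (?P<key>[^=]+?)\s*=\s*(?P<value>res://\S+)")

# The only loopback addresses a legitimate localhost entry should use.
STANDARD_LOOPBACK = {"127.0.0.1", "::1"}

# Constructed, illustrative list of domains a HOSTS hijack typically
# blackholes; a real deployment would load a maintained list.
PROTECTED_DOMAINS = {
    "safer-networking.org",
    "lavasoftusa.com",
    "windowsupdate.microsoft.com",
}

# Constructed sample log in the same shape as the logs quoted in the thread.
# The DLL name and paths are placeholders, not indicators from the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\Windows\System32\hijack.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O1 - Hosts: 127.0.0.0 localhost
O1 - Hosts: 127.0.0.90 www.safer-networking.org
O1 - Hosts: 127.0.0.23 lavasoftusa.com
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 192.168.1.10 intranet.example
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
"""


def _bare(host):
    """Lower-case the hostname and drop a leading 'www.' for list matching."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def hosts_findings(log_text, protected=PROTECTED_DOMAINS):
    """Return one finding string per suspicious O1 (HOSTS) entry in the log."""
    findings = []
    for line in log_text.splitlines():
        m = HOSTS_RE.match(line)
        if not m:
            continue
        ip, host = m.group(1), m.group(2)
        if _bare(host) == "localhost":
            # The thread's log maps localhost to 127.0.0.0, which breaks the
            # normal loopback entry; anything but 127.0.0.1 or ::1 is wrong.
            if ip not in STANDARD_LOOPBACK:
                findings.append(f"localhost mapped to {ip}; expected 127.0.0.1")
            continue
        reasons = []
        # 127.0.0.x with x != 1 next to a third-party name is the redirection
        # trick that makes the site silently fail to load.
        if ip.startswith("127.") and ip != "127.0.0.1":
            reasons.append(f"non-standard loopback {ip}")
        if _bare(host) in protected and (ip.startswith("127.") or ip in STANDARD_LOOPBACK):
            reasons.append("security-vendor site blackholed")
        if reasons:
            findings.append(f"{host}: " + "; ".join(reasons))
    return findings


def search_hijack_findings(log_text):
    """Return R0/R1 entries whose value is a res:// URL into a DLL, the
    pattern HijackThis marks '(obfuscated)' in the first log of the thread."""
    findings = []
    for line in log_text.splitlines():
        m = RES_RE.match(line)
        if m and re.search(r"\.dll/", m.group("value"), re.IGNORECASE):
            findings.append(f"{m.group('key').strip()} -> {m.group('value')}")
    return findings


def triage(log_text):
    """Run both checks and return their findings keyed by symptom."""
    return {
        "hosts": hosts_findings(log_text),
        "search_hijack": search_hijack_findings(log_text),
    }


if __name__ == "__main__":
    for symptom, items in triage(SAMPLE_LOG).items():
        print(f"{symptom}: {len(items)} finding(s)")
        for item in items:
            print("  -", item)
```

Run on the constructed sample it reports three HOSTS findings (the broken localhost line and the two blackholed vendor domains) and one search hijack; the ordinary 127.0.0.1 localhost entry and the intranet mapping pass. The checks only read the log, so they are safe to run on a machine before deciding which entries to fix in HijackThis.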

#5 Daemon (Retired Staff - Malware Expert, 3,521 posts)

Posted 16 May 2004 - 03:55 PM

Glad we could help :D

As this problem has been resolved the topic will be closed. If you need this topic reopened, please request this by sending an email to us at the following link
(Click for address)

The subject of the email must be "Reopen". Include your post username and details about why you need it reopened, with a valid link to your post.
