Please analyze my hijack this log

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by PeMo, May 26, 2004.

  1. PeMo

    PeMo Private E-2

    Hi, please help.

    I've been having a lot of problems lately and I cannot clear them. I've been getting some fairly frequent pop ups lately and my home page keeps changing. The address it changes to is http://cashsearch.biz/redir.php. And I also noticed my host file updates every 3-4 seconds and adds a bunch of porn sites.

    I have run:
    Symantec AV Full Version 9.0.0.338
    PC-Cillin 2003 10.04 Build 1114
    Spybot Search and Destroy 1.3
    Ad-aware 6.0 Build 6.181

    ALL with current definitions/ref files. None of these programs detect anything.

    Here is my hijack this log (items in italics I'm pretty sure are OK):

    Logfile of HijackThis v1.97.7
    Scan saved at 9:42:14 PM, on 5/26/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\Tmntsrv.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\PccPfw.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe

    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\DIGStream\digstream.exe
    C:\Program Files\Dell\QuickSet\Quickset.exe
    C:\Program Files\Dell\AccessDirect\dadapp.exe

    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Chameleon Clock\ChamClock.exe
    C:\Program Files\Avant Browser\iexplore.exe
    C:\Temp\hijack_this\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cashsearch.biz/redir.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://cashsearch.biz/redir.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://cashsearch.biz/redir.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://cashsearch.biz/redir.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://cashsearch.biz/redir.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://cashsearch.biz/redir.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    O2 - BHO: (no name) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll - (I do use this!)
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

    O2 - BHO: (no name) - {C49AA86A-23BC-4690-90AD-4FF2392E20F4} - C:\WINDOWS\yitwotv.dll
    O2 - BHO: (no name) - {F43ADF6E-7A6D-47AA-A7CC-8F33064FE2EF} - C:\WINDOWS\yiynszflb.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
    O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe"
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe"
    O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe"

    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
    O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKCU\..\Run: [WNSC] C:\WINDOWS\System32\wnsintsv.exe
    O4 - HKCU\..\Run: [HomeAlarm] C:\Program Files\Chameleon Clock\ChamClock.exe
    O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Pete\Application Data\ttuh.exe
    O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\Pete\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
    O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Fill Forms (HKLM)
    O9 - Extra 'Tools' menuitem: Fill Forms &] (HKLM)
    O9 - Extra button: Save (HKLM)
    O9 - Extra 'Tools' menuitem: Save Forms &[ (HKLM)
    O9 - Extra button: RoboForm (HKLM)
    O9 - Extra 'Tools' menuitem: RF Toolbar &2 (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\update.exe
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
    http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37980.3699884259
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    I will "fix" the R0 and R1's regarding the cashsearch.biz entries, but what else can I do?

    Please help me with this issue, as well as any advice on what can be fixed to speed up the system. Thanks in advance!
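    As an added example (not code from the thread, the poster, or HijackThis itself), the small triage script below parses R0/R1, O2 and O4 lines in the format shown in the log above, flags the three patterns the replies in this thread end up pointing at (start/default page set to an unexpected host, an unnamed BHO loaded straight out of the Windows directory, a per-user Run entry launching something from the Windows tree), and reports which findings are still present in a second scan, which is exactly the "it keeps coming back" situation described later. The sample logs are constructed from lines on this page, the expected-host allowlist is an assumption, and the heuristics are review hints, not verdicts: legitimate entries can and do hit them.

```python
"""Triage helpers for HijackThis v1.97 log lines (added example, not part of
the thread or of HijackThis). Parses R0/R1, O2 and O4 entries, applies the
heuristics the thread's replies converge on, and diffs findings across scans."""
from __future__ import annotations
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Entry formats as printed by HijackThis in the log above.
R_RE = re.compile(r'^(R[01]) - (HK\w+\\[^,]+),([^=]+?) = (.+)$')
O2_RE = re.compile(r'^(O2) - BHO: (.+?) - (\{[0-9A-Fa-f-]{36}\}) - (.+?)(?: - \(.*\))?$')
O4_RE = re.compile(r'^(O4) - (HK\w+)\\\.\.\\(\w+): \[([^\]]+)\] (.+)$')

WINDOWS_DIR = r'c:\windows'            # assumed install path; matches the log above
EXPECTED_HOSTS = {'www.msn.com'}        # assumed allowlist of home-page hosts

# Constructed sample: a subset of the posted log ("before" any fix).
BEFORE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cashsearch.biz/redir.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {C49AA86A-23BC-4690-90AD-4FF2392E20F4} - C:\WINDOWS\yitwotv.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [WNSC] C:\WINDOWS\System32\wnsintsv.exe
O4 - HKCU\..\Run: [HomeAlarm] C:\Program Files\Chameleon Clock\ChamClock.exe
"""

# Constructed rescan: the BHO was removed, but the start page and Run entry returned.
AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cashsearch.biz/redir.php
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [WNSC] C:\WINDOWS\System32\wnsintsv.exe
"""


@dataclass(frozen=True)
class Entry:
    kind: str    # R0, R1, O2 or O4
    name: str    # registry value name, BHO label, or Run value name
    target: str  # URL or file path the entry points at
    scope: str   # registry key (R*, O4) or CLSID (O2)
    raw: str


def _unquote_path(value: str) -> str:
    """Return the quoted program path if the Run value is quoted, else the whole value."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        if end > 0:
            return value[1:end]
    return value


def parse_log(text: str) -> list[Entry]:
    """Turn recognised log lines into Entry records; other line types are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := R_RE.match(line):
            kind, key, name, value = m.groups()
            entries.append(Entry(kind, name.strip(), value.strip(), key, line))
        elif m := O2_RE.match(line):
            kind, label, clsid, path = m.groups()
            entries.append(Entry(kind, label, path.strip(), clsid, line))
        elif m := O4_RE.match(line):
            kind, hive, subkey, name, value = m.groups()
            entries.append(Entry(kind, name, _unquote_path(value), f'{hive}\\{subkey}', line))
    return entries


def _in_windows_dir(path: str, direct_only: bool) -> bool:
    """True if path lies under WINDOWS_DIR (direct_only: in that folder itself, no subfolder)."""
    p = path.lower()
    if not p.startswith(WINDOWS_DIR + '\\'):
        return False
    rest = p[len(WINDOWS_DIR) + 1:]
    return ('\\' not in rest) if direct_only else True


def triage(entries: list[Entry], expected_hosts: set[str]) -> list[tuple[Entry, str]]:
    """Heuristic review hints mirroring what the thread flagged; not verdicts."""
    findings = []
    for e in entries:
        if e.kind in ('R0', 'R1'):
            host = urlparse(e.target).hostname  # None for about:blank and similar
            if host and host.lower() not in expected_hosts:
                findings.append((e, f'start/default page points at unexpected host {host}'))
        elif e.kind == 'O2' and e.name == '(no name)' and _in_windows_dir(e.target, True):
            findings.append((e, 'unnamed BHO loaded straight from the Windows directory'))
        elif e.kind == 'O4' and e.scope.startswith('HKCU') and _in_windows_dir(e.target, False):
            findings.append((e, 'per-user Run entry launching a binary from the Windows tree'))
    return findings


def persistent_findings(before: str, after: str, expected_hosts: set[str]) -> list[str]:
    """Raw lines flagged in both scans: whatever a 'fix' did not keep away."""
    def flagged(text: str) -> set[str]:
        return {e.raw for e, _ in triage(parse_log(text), expected_hosts)}
    return sorted(flagged(before) & flagged(after))


if __name__ == '__main__':
    for entry, reason in triage(parse_log(BEFORE), EXPECTED_HOSTS):
        print(f'{entry.kind} [{entry.name}] {entry.target}: {reason}')
    print('still present after fix:', persistent_findings(BEFORE, AFTER, EXPECTED_HOSTS))
```

    A finding that survives a fix-and-rescan cycle means something still running is rewriting those keys, so the next step is to look at the running processes and Run entries rather than fixing the same R0/R1 lines again.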
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    As you said get rid of these:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cashsearch.biz/redir.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://cashsearch.biz/redir.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://cashsearch.biz/redir.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://cashsearch.biz/redir.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://cashsearch.biz/redir.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://cashsearch.biz/redir.php

    Also fix these:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    O2 - BHO: (no name) - {C49AA86A-23BC-4690-90AD-4FF2392E20F4} - C:\WINDOWS\yitwotv.dll
    O2 - BHO: (no name) - {F43ADF6E-7A6D-47AA-A7CC-8F33064FE2EF} - C:\WINDOWS\yiynszflb.dll

    Stop running this if you don't need it:
    C:\Program Files\Chameleon Clock\ChamClock.exe
    O4 - HKCU\..\Run: [HomeAlarm] C:\Program Files\Chameleon Clock\ChamClock.exe
     
  3. PeMo

    PeMo Private E-2

    Thanks chaslang - I removed all of the R0/R1's as well as the O2's you mentioned. But the problem keeps happening - if I scan again the R0/R1's that reference that home page keep coming back. It's the same thing that's trying to update my hosts file. (I made that read-only for now until I clear up this nag)

    Any idea on how to figure out the file/program that's causing this to happen? If this helps - it happens while I'm in safe mode, too.

    BTW - I use the Chameleon Clock... pretty neat little clock/calendar program.

    - Thanks again
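    The hosts file being rewritten every few seconds is the one symptom in this thread that is easy to watch mechanically. As an added example (not from the thread or any of the tools named in it), the script below keeps a known-good copy of the file's contents, fingerprints the current contents, and lists hostnames that were added, removed or re-pointed. Both file bodies are constructed inline so it runs offline; on a live machine the current contents would be read from the hosts file under the Windows directory, and the domain names are placeholders.

```python
"""Hosts-file change detection against a known-good baseline (added example,
not code from the thread). File contents are constructed inline."""
from __future__ import annotations
import hashlib

# Constructed baseline: a minimal default hosts file.
BASELINE = """\
# constructed sample hosts file (baseline)
127.0.0.1       localhost
"""

# Constructed tampered state: two injected mappings using placeholder domains.
TAMPERED = BASELINE + """\
127.0.0.1       unwanted-site-1.test
127.0.0.1       unwanted-site-2.test  www.unwanted-site-2.test
"""


def parse_hosts(text: str) -> dict[str, str]:
    """Map each hostname to its IP; '#' comments and blank lines are ignored."""
    mapping: dict[str, str] = {}
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            mapping[name.lower()] = ip
    return mapping


def fingerprint(text: str) -> str:
    """SHA-256 of the file body; a cheap way to notice any change before diffing."""
    return hashlib.sha256(text.encode('utf-8')).hexdigest()


def hosts_changes(baseline: str, current: str) -> dict[str, list[str]]:
    """Hostnames added, removed, or pointed at a different IP relative to baseline."""
    old, new = parse_hosts(baseline), parse_hosts(current)
    return {
        'added': sorted(h for h in new if h not in old),
        'removed': sorted(h for h in old if h not in new),
        'changed': sorted(h for h in new if h in old and new[h] != old[h]),
    }


if __name__ == '__main__':
    if fingerprint(TAMPERED) != fingerprint(BASELINE):
        print(hosts_changes(BASELINE, TAMPERED))
```

    Run on a schedule, the fingerprint comparison is what tells you how often the file is being rewritten, and the diff tells you what is being injected; the read-only attribute the poster set is a stop-gap, since whatever is writing the file can clear that attribute.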
     
  4. Boccemon

    Boccemon First Sergeant

    Hey PeMo !! Welcome to MG! Did you disable system restore? If not, do it and re-run. It could very well be that the nasties are coming back from there. Don't forget to reactivate Sys restore after !!
     
  5. PeMo

    PeMo Private E-2

    I don't have System Restore running. When I say it returns - I mean within 3-4 seconds, not after reboot.

    Thanks.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, I missed something the first time. Do all the previous stuff again if still there and then fix this too:
    O4 - HKCU\..\Run: [WNSC] C:\WINDOWS\System32\wnsintsv.exe

    Hit CTRL-ALT-DEL to bring up Task Manager and kill wnsintsv.exe if you find it.
    Then boot in safe mode and delete: C:\WINDOWS\System32\wnsintsv.exe

    It may be necessary to enable viewing of hidden files to see it. Also make sure your options are set so that you do not hide extensions for known file types. (If you do not know how to do this, from Windows Explorer, click Tools, Folder Options, and then the View tab. You will see all the selections you can make for Files and Folders.)

    Search your hard disk for a file called PURITYSCAN.EXE. If you find it, delete it.

    Now run a full virusscan.
     
  7. PeMo

    PeMo Private E-2

    I fixed O4 - HKCU\..\Run: [WNSC] C:\WINDOWS\System32\wnsintsv.exe and the R0/R1's again, but the wnsintsv.exe process wasn't running. And I searched for Purityscan.exe and it wasn't found. (I have show all files and don't hide known files enabled) And wnsintsv.exe wasn't in the System32 folder.

    I appreciate your help... (and patience! ;) )
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Search for wnsintsv.exe to see if it is anywhere else.

    By the way, any improvement?
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  10. PeMo

    PeMo Private E-2

    CWShredder didn't find anything. Is it better to run these spyware programs in safe mode or regular?
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Safe mode is probably a good idea because it allows some items to be deleted when found rather than requiring a reboot with scan on reboot enabled.

    Can we give the following a try:

    - Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:
    check: "Unload recognized processes during scanning."
    - Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:
    Check: "Let Windows remove files in use after reboot."

    Press "Scan Now"
    - Check option "Use Custom scanning options"
    - Check option "Activate In-Depth Scan"
    - Press "Select drives\folders to scan"
    - Select the active partition which is usually C:
    Now press "Next" to let Ad-aware scan your drives...
    It will find a number of "bad" files and registry keys.
    Right-click in that pane and choose "select all"

    Now press "Next" again.
    It will ask you whether you'd like to remove all checked items. Click OK.
     
  12. PeMo

    PeMo Private E-2

    chaslang - Those Ad-aware settings are the default, and I tried both Smart system scan and scan on my C: drive. All it finds is tracking cookies.

    Mastertech - I am using the current ref files. I actually have 3 AV programs installed right now (I just downloaded AVG) - I was hoping one of them would fix this problem. I normally only run Symantec, but I like this AVG program - I might stick with that one.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It's not considered a virus, so I doubt it. Check the stuff in this thread out. It seems to have fixed the problem there. http://computercops.org/postt43891.html
     
  14. PeMo

    PeMo Private E-2

    Thank You! Thank You! The fix at Computer Cops worked.

    I was very close to reloading the OS because I was so annoyed with trying to fix that nag.
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's good news. Did you have to download that script file and run it? I want to know for future reference.
     
  16. PeMo

    PeMo Private E-2

    Yes - I downloaded and ran that file. My situation was exactly like the original poster's in that thread. Running that file, which removed system32.dll (in the windows\system32 folder), and having HijackThis fix those registry entries fixed the issue.

    Thanks again!
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! Thanks for the feedback! :) You never know when we will run into this again.
     
