Plz help with Hijack This

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by hyepride213, Jun 9, 2004.

  1. hyepride213

    hyepride213 Private E-2

    i am running windows XP, i use adaware and spybot on a daily basis, and i update when there are updates available. my browser got hijacked and my start page is that "search for...." crap. here is my hijack this log, plz tell me what to erase, thanx alot guyz


    Logfile of HijackThis v1.97.7
    Scan saved at 2:56:51 PM, on 6/9/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
    C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\Pavsrv51.exe
    C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\AVENGINE.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\apvxdwin.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Winamp\Winampa.exe
    C:\Program Files\CasinoOnline\CsRemnd.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\WebProxy.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\WinRAR\WinRAR.exe
    C:\DOCUME~1\Shant\LOCALS~1\Temp\Rar$EX01.734\HijackThis.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\ekcl.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\ekcl.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\ekcl.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\ekcl.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\ekcl.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\ekcl.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {1E61C2B8-DD82-4528-A48A-F5C2D496E055} - C:\WINDOWS\System32\ekcl.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
    O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Remndr] "C:\Program Files\CasinoOnline\CsRemnd.exe"
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: AIM (HKLM)
    O10 - Unknown file in Winsock LSP: c:\program files\panda software\panda titanium antivirus 2004\pavlsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\panda software\panda titanium antivirus 2004\pavlsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\panda software\panda titanium antivirus 2004\pavlsp.dll
    O16 - DPF: {8E6AA867-94D4-4B4F-8791-1B048F8C122A} (WebInterface Class) - https://fastsend.com/products/Fsplugin.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38147.530462963
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3889B9D7-9DB3-4558-8463-AC0B691F5423}: NameServer = 64.164.99.50 206.13.30.12
     
    hyepride213, Jun 9, 2004
    #1
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Hyepride,

    Shut down all applications expecially browsers and win explorer sessions.
    Run HijaakThis again and have it fix the following lines:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\ekcl.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\ekcl.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\ekcl.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\ekcl.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\ekcl.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\ekcl.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {1E61C2B8-DD82-4528-A48A-F5C2D496E055} - C:\WINDOWS\System32\ekcl.dll

    O4 - HKLM\..\Run: [Remndr] "C:\Program Files\CasinoOnline\CsRemnd.exe"

    =============================================================
    Did you install Ares? Do you know what it is? I am leaning towards removing it but at this point I'm not positive about it. If you didn't purposely install maybe you can make that call. If you decide to remove it, shut down all applications especially browsers. Open Task Manager(Ctrl-Alt-Del) and end task on Ares.exe if you see it.
    And include in the list to fix with HijaakThis the following line:

    O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h


    Now reset your web settings, if your do not know how to do that go here:
    http://www.pestpatrol.com/Support/HowTo/How_To_Clear_a_Hijack.asp
    and under the Search Hijacks section see the info on "Reset Web Settings" so you know how to do this. But do not do it yet.


    Restart your computer in safe mode. If you don't know how to do that see the following link:
    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406

    Find and delete these files or folders

    C:\PROGRAM FILES\ARES (only if you decided to remove it)
    C:\Program Files\CasinoOnline

    Now boot normal and recheck Hijaak This to make sure nothing came back. And then lets see how things are running.
     
    chaslang, Jun 9, 2004
    #2
  3. hyepride213

    hyepride213 Private E-2

    thanks for all ur help buddy, ill try it now, and ares is a p2p prog like kazaa, i highly recomend it if ur looking for a kazaa alternative. thanks
     
    hyepride213, Jun 10, 2004
    #3
  4. hyepride213

    hyepride213 Private E-2

    did what you said and now my computers back to normal. thanks alot man
     
    hyepride213, Jun 10, 2004
    #4
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's great news! Your welcome. A word of advice though. Becareful with Ares. P2P programs can be dangerous. And loads of crap will lurking around on other peoples PCs. You better keep your AV program up to date and get yourself a good spyware blocker like SpyBlaster: http://www.majorgeeks.com/download2859.html. Stay current with their updates and run frequent full scans. And as you mentioned them earlier, keep Ad-aware and SpyBot S&D up to date too and scan with them also.
     
    chaslang, Jun 10, 2004
    #5

MajorGeeks.Com Menu

Downloads All In One Tweaks \ Android \ Anti-Malware \ Anti-Virus \ Appearance \ Backup \ Browsers \ CD\DVD\Blu-Ray \ Covert Ops \ Drive Utilities \ Drivers \ Graphics \ Internet Tools \ Multimedia \ Networking \ Office Tools \ PC Games \ System Tools \ Mac/Apple/Ipad Downloads

Other News: Top Downloads \ News (Tech) \ Off Base (Other Websites News) \ Way Off Base (Offbeat Stories and Pics)

Social: Facebook \ YouTube \ Twitter \ Tumblr \ Pintrest \ RSS Feeds