hijackthis log

You Have A Variant of the CoolWebSearch Trojan.

Please Download CWShredder from HERE and run the Program in safe mode . Press the "Fix Button" Let it fix all variants. Next, Close the program and all windows and IE windows and run hijackthis and Post a Fresh log.

Reboot to SAFE mode to run swshredder

How to start computer in safe mode

Also I suggest Ad-Aware and Spybot

Download the latest version of Ad-Aware at ADAWARE

Download SPYBOT

How to setup ad-Aware and spyBot
http://www.zerosrealm.com/scanning.php

reboot computer and post a new log

Thank you so much for your quick response and help. Here is the current hijackthis log.
It appears that the cwshredder was specific to that one trojan. I'm guessing this log says I have more/other "things" yet.

Logfile of HijackThis v1.97.7
Scan saved at 11:38:29 PM, on 5/5/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
A:\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://attdslservice.att.net
O1 - Hosts: 127.0.0.9 doxdesk.com
O1 - Hosts: 127.0.0.90 www.safer-networking.org
O1 - Hosts: 127.0.0.91 www.secureie.com
O1 - Hosts: 127.0.0.92 www.security.kolla.de
O1 - Hosts: 127.0.0.93 www.spybot.info
O1 - Hosts: 127.0.0.94 www.spychecker.com
O1 - Hosts: 127.0.0.95 www.spychecker.com
O1 - Hosts: 127.0.0.96 www.spycop.com
O1 - Hosts: 127.0.0.97 www.spyguard.com
O1 - Hosts: 127.0.0.98 www.spykiller.com
O1 - Hosts: 127.0.0.99 www.spyware.co.uk
O2 - BHO: (no name) - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINNT\wsem218.dll (file missing)
O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINNT\nem214.dll
O3 - Toolbar: iSearch Toolbar - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - C:\WINNT\system32\iSearch\toolbar_.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\ORL\VNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe"
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
O9 - Extra button: iSearch Toolbar (HKLM)
O9 - Extra 'Tools' menuitem: iSearch Toolbar (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .rx: C:\Program Files\Internet Explorer\Plugins\iewrqxrx.dll
O12 - Plugin for .rxc: C:\Program Files\Internet Explorer\Plugins\iewrqxrx.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: IEToolbarCab - http://www.dailytoolbar.com/DailyToolbar.CAB
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} (iSearch Toolbar) - http://toolbar.isearch.com/general/initial.cab
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://download.websearch.com/Dnl/T_50019/QDow.cab
O16 - DPF: {2C38A62E-D257-40E8-8BB7-5624E38FEB0A} - http://www.pornno2000.com/activex/sexshows.cab
O16 - DPF: {486E48B5-ABF2-42BB-A327-2679DF3FB822} - http://akamai.downloadv3.com/binaries/IA/ia.cab
O16 - DPF: {CEFB7B49-9652-464F-8AFD-A577C0500F39} (EGP2ECOM Class) - http://akamai.downloadv3.com/binaries/P2EClient/EGAUTH_1004a_pack.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E8EDB60C-951E-4130-93DC-FAF1AD25F8E7} (MoneyTree Dialer) - http://xbs.sea.mtree.com/mt/dialers/fc/UniDistIO.CAB
O16 - DPF: {ed54a7b0-6c1c-11d5-b63d-00c04faedb18} - http://prodweb.metro.local/jinitiator/jinit.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = metro.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{EE584773-00EE-4D9C-B4B1-1C9A5F907FCC}: NameServer = 12.127.16.83,12.127.18.83
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = metro.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = metro.local

Hello,

I am not sure if you have traces of other things out there (I am primarily a Mac / Linux user, and any Windows machine we come across at work get re-imaged instantly), but I do see that you have valid websites in the 127.0.0.X subnet. This means that your computer will not properly locate these resources that you are expecting.

You will need to track down the /etc/hosts file, and edit those addresses out. The only legitimate address that should be in that file is

127.0.0.1 localhost

Once you have the computer repaired, what are your plans for protection so you do not re-infect yourself? I am not sure if you read the sticky notes at the top of this forum, but there are good hints to refer to for understanding what happened, and help you plan a method of resisting future issues.

Christian

you are running hiajckthis from a floppy although ok its not recomended dopy it to a folder on you hard drive aomething like c:\hjk\hijackthis.exe.

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

O1 - Hosts: 127.0.0.9 doxdesk.com
O1 - Hosts: 127.0.0.90 www.safer-networking.org
O1 - Hosts: 127.0.0.91 www.secureie.com
O1 - Hosts: 127.0.0.92 www.security.kolla.de
O1 - Hosts: 127.0.0.93 www.spybot.info
O1 - Hosts: 127.0.0.94 www.spychecker.com
O1 - Hosts: 127.0.0.95 www.spychecker.com
O1 - Hosts: 127.0.0.96 www.spycop.com
O1 - Hosts: 127.0.0.97 www.spyguard.com
O1 - Hosts: 127.0.0.98 www.spykiller.com
O1 - Hosts: 127.0.0.99 www.spyware.co.uk

O2 - BHO: (no name) - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINNT\wsem218.dll (file missing)

O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINNT\nem214.dll

O3 - Toolbar: iSearch Toolbar - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - C:\WINNT\system32\iSearch\toolbar_.dll (file missing)

O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} (iSearch Toolbar) - http://toolbar.isearch.com/general/initial.cab

O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://download.websearch.com/Dnl/T_50019/QDow.cab

O16 - DPF: {2C38A62E-D257-40E8-8BB7-5624E38FEB0A} - http://www.pornno2000.com/activex/sexshows.cab

O16 - DPF: {486E48B5-ABF2-42BB-A327-2679DF3FB822} - http://akamai.downloadv3.com/binaries/IA/ia.cab

O16 - DPF: {CEFB7B49-9652-464F-8AFD-A577C0500F39} (EGP2ECOM Class) - http://akamai.downloadv3.com/binari..._1004a_pack.cab

O16 - DPF: {E8EDB60C-951E-4130-93DC-FAF1AD25F8E7} (MoneyTree Dialer) - http://xbs.sea.mtree.com/mt/dialers/fc/UniDistIO.CAB

Reboot and check you computer and then run hijack this again and post new log .

Thanks for your help. Here is my latest log following your advice. I have also now installed ad-adware and spybot per your suggestion.

Logfile of HijackThis v1.97.7
Scan saved at 12:58:44 AM, on 5/9/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\ISS\BlackICE\blackd.exe
C:\WINNT\System32\svchost.exe
C:\OfficeScan NT\ntrtscan.exe
C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
C:\Program Files\ISS\BlackICE\rapapp.exe
C:\Program Files\Reflection\rtsserv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\OfficeScan NT\tmlisten.exe
C:\OfficeScan NT\ofcdog.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\ORL\VNC\WinVNC.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\OfficeScan NT\pccntmon.exe
C:\Program Files\ISS\BlackICE\blackice.exe
C:\hjk\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://metalink.oracle.com/metalink/plsql/ml2_gui.startup
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Metro Wastewater District
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
R3 - URLSearchHook: (no name) - _{1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
R3 - URLSearchHook: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\ORL\VNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe"
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKCU\..\Run: [AddClass] C:\WINNT\AddCLS.exe
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
O8 - Extra context menu item: &iSearch The Web - res://C:\WINNT\system32\iSearch\toolbar_.dll/SEARCH.HTML
O9 - Extra button: iSearch Toolbar (HKLM)
O9 - Extra 'Tools' menuitem: iSearch Toolbar (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .rx: C:\Program Files\Internet Explorer\Plugins\iewrqxrx.dll
O12 - Plugin for .rxc: C:\Program Files\Internet Explorer\Plugins\iewrqxrx.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://finweb.metro.local
O15 - Trusted Zone: http://prodweb.metro.local
O15 - Trusted Zone: http://testweb.metro.local
O15 - Trusted Zone: http://web2.metro.local
O16 - DPF: IEToolbarCab - http://www.dailytoolbar.com/DailyToolbar.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {ed54a7b0-6c1c-11d5-b63d-00c04faedb18} - http://prodweb.metro.local/jinitiator/jinit.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = metro.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{404BE85B-3D9A-4AD5-8803-B585264EF251}: NameServer = 10.1.1.100 10.1.100.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{EE584773-00EE-4D9C-B4B1-1C9A5F907FCC}: NameServer = 12.127.16.83,12.127.18.83
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = metro.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = metro.local

Caperjack?

Should I assume I'm clear now? Or did you just lose track of me? I do seem to have control of IE now, uses my intended "home page", no isearch, no extraneous icons/buttons etc.

Thanks so much for your help.

Just learning what some of these other buttons/options do!

You still have the coolwebsearch infection. Update the shredder & run it agin. Select *fix* & not scan only. Make sure ALL other windows are closed B4 running it. Am goint to post the rest of the fix next.

Close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked' :

R3 - URLSearchHook: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)

O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKCU\..\Run: [AddClass] C:\WINNT\AddCLS.exe

O8 - Extra context menu item: &iSearch The Web - res://C:\WINNT\system32\iSearch\toolbar_.dll/SEARCH.HTML

O9 - Extra button: iSearch Toolbar (HKLM)
O9 - Extra 'Tools' menuitem: iSearch Toolbar (HKLM)

If you never added the 015 entries, fix them.

Reboot into safe mode following the instructions here & navigate to & delete

C:\Program Files\Internet Optimizer< folder
C:\WINNT\AddCLS.exe< file

Reboot normally.

Download Registrar Lite from here:
http://www.resplendence.com/download/reglite.exe

Put it in its own folder. You may want to keep this program. It is an excellent free, registry editor.

Copy and paste the follow text into the address bar, then hit 'Go':
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks

In the pane on the right are the values associated with that key.
We want to remove this one>
_{1C78AB3F-A857-482e-80C0-3A1E5238A565}

Notice the underscore at the end.

Right click on it, and select delete.
If you get a confirmation question, respond OK then close out of the program.

Please go here & install ALL critical updates required for your system.

Post a new log after a reboot please.

Thanks forthe suggestion, Crunchie. I started the shredder and clicked on the 'check for update' and it says I have the latest version. I will try running it again making very sure to select 'Fix' and not just scan only.

Yikes! I see you are a lot faster than I am. I will follow the instructions in your last post at 10:25 AM Thursday.!

It's 1 AM here & I'm off to bed B4 my daughter get's up lol. I will check back later.

latest log.

I had difficulty following some of your last instructions.
When I went to the C: drive in safe mode, I did not find the Internet optimizer folder or the WINNT\AddCls.exe.

I believe I need to keep the 015 entries. I recognize them as node names on a VPN I need to log onto.

I downloaded the Register Lite editor , but when I tried to past the HKEY_CURRENT_USERS..... into the address bar, I was taken to some kind of an MSN search page. Was not able to locat the Key you indicated to remove.

I have started running spybot and ad-aware inbetween these posts. I hope that is the right thing to do.

Logfile of HijackThis v1.97.7
Scan saved at 1:09:48 AM, on 5/17/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\ISS\BlackICE\blackd.exe
C:\WINNT\System32\svchost.exe
C:\OfficeScan NT\ntrtscan.exe
C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
C:\Program Files\ISS\BlackICE\rapapp.exe
C:\Program Files\Reflection\rtsserv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\OfficeScan NT\tmlisten.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\ORL\VNC\WinVNC.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\OfficeScan NT\ofcdog.exe
C:\WINNT\Explorer.EXE
C:\OfficeScan NT\pccntmon.exe
C:\Program Files\ISS\BlackICE\blackice.exe
C:\hjk\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://metalink.oracle.com/metalink/plsql/ml2_gui.startup
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Metro Wastewater District
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.1.2.18:80
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\ORL\VNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe"
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://finweb.metro.local
O15 - Trusted Zone: http://prodweb.metro.local
O15 - Trusted Zone: http://testweb.metro.local
O15 - Trusted Zone: http://web2.metro.local
O16 - DPF: IEToolbarCab - http://www.dailytoolbar.com/DailyToolbar.CAB
O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} - http://akamai.downloadv3.com/binaries/IA/netia32_EN.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {ed54a7b0-6c1c-11d5-b63d-00c04faedb18} - http://prodweb.metro.local/jinitiator/jinit.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = metro.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{EE584773-00EE-4D9C-B4B1-1C9A5F907FCC}: NameServer = 12.127.16.83,12.127.18.83
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = metro.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = metro.local

Clean log :) . For some reason that R3 doesn't show up now.

:cheesy: Thanks so much for the feedback, crunchie!. Per your suggestion, I have learned to run hijackthis to fix, not just scan, plus running spybot, ad-aware and using Black Ice to block intruders.

I am trainable!

Thats what I like to hear. Music to my ears :)