Help !! I've Been Hijacked

Question

Can someone please look at the attached log and tell me what to delete. ? Thanks, John Logfile of HijackThis v1.97.7Scan saved at 5:47:00 PM, on 4/26/2004Platform: Windows XP SP1 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\System32\Ati2evxx.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Common Files\Symantec Shared\ccSetMgr.exeC:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\Explorer.EXEC:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exeC:\Program Files\Common Files\Symantec Shared\ccProxy.exeC:\WINDOWS\system32\cisvc.exeC:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXEC:\Program Files\Norton Internet Security\Norton AntiVirus
avapsvc.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\wanmpsvc.exeC:\WINDOWS\BCMSMMSG.exeC:\Program Files\Synaptics\SynTP\SynTPLpr.exeC:\Program Files\Synaptics\SynTP\SynTPEnh.exeC:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exeC:\Program Files\Dell\QuickSet\quickset.exeC:\WINDOWS\system32\dla	fswctrl.exeC:\WINDOWS\System32\DSentry.exeC:\Program Files\Dell\Media Experience\PCMService.exeC:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exeC:\Program Files\Common Files\Symantec Shared\ccApp.exeC:\Program Files\HP\hpcoretech\hpcmpmgr.exeC:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exeC:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exeC:\Program Files\HP\HP Software Update\HPWuSchd2.exeC:\WINDOWS\cjlarklc.exeC:\WINDOWS\Wast.exeC:\WINDOWS\System32undll32.exeC:\Program Files\Common Files\Real\Update_OBealsched.exeC:\Program Files\HP\HP Share-to-Web\hpgs2wnf.exeC:\Program Files\Messenger\msmsgs.exeC:\Program Files\AIM\aim.exeC:\WINDOWS\System32\ctfmon.exeC:\Program Files\America Online 9.0\aoltray.exeC:\Program Files\HP\Digital Imaging\bin\hpqtra08.exeC:\Program Files\SpywareGuard\sgmain.exeC:\Program Files\HP\hpcoretech\comp\hptskmgr.exeC:\Program Files\SpywareGuard\sgbhp.exeC:\WINDOWS\system32\cidaemon.exeC:\WINDOWS\system32\cidaemon.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\System32\wuauclt.exeC:\Documents and Settings\John\Desktop\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywayR1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\djnkp.dll/sp.html (obfuscated)R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\djnkp.dll/sp.html (obfuscated)R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blankO2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\ycomp5_3_16_0.dllO2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dllO2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dllO2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\RealBar.dllO2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla	fswshx.dllO2 - BHO: (no name) - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dllO2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dllO2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dllO3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocxO4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exeO4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exeO4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exeO4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exeO4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exeO4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exeO4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla	fswctrl.exeO4 - HKLM\..\Run: [StorageGuard] 'C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe' /rO4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exeO4 - HKLM\..\Run: [PCMService] 'C:\Program Files\Dell\Media Experience\PCMService.exe'O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exeO4 - HKLM\..\Run: [ccApp] 'C:\Program Files\Common Files\Symantec Shared\ccApp.exe'O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exeO4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exeO4 - HKLM\..\Run: [HP Component Manager] 'C:\Program Files\HP\hpcoretech\hpcmpmgr.exe'O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exeO4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exeO4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exeO4 - HKLM\..\Run: [HP Software Update] 'C:\Program Files\HP\HP Software Update\HPWuSchd2.exe'O4 - HKLM\..\Run: [QuickTime Task] 'C:\Program Files\QuickTime\qttask.exe' -atboottimeO4 - HKLM\..\Run: [nnqbsnhf] C:\WINDOWS\cjlarklc.exeO4 - HKLM\..\Run: [Wast] C:\WINDOWS\WastO4 - HKLM\..\Run: [RunDLL] rundll32.exe 'C:\WINDOWS\Downloaded Program Files\bridge.dll',LoadO4 - HKLM\..\Run: [TkBellExe] 'C:\Program Files\Common Files\Real\Update_OBealsched.exe' -osbootO4 - HKCU\..\Run: [MSMSGS] 'C:\Program Files\Messenger\msmsgs.exe' /backgroundO4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odlO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exeO4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exeO4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exeO4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exeO8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.htmlO8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.htmlO8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.htmlO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.htmlO8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.htmlO9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)O9 - Extra button: Research (HKLM)O9 - Extra button: AIM (HKLM)O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cabO16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://download.yahoo.com/dl/mail/autocomplete.cabO16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cabO16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} (IObjSafety.DemoCtl) - http://cabs.roings.com/cabs/budicon.cabO16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab

Texruss · Answer

We can try to help...but the about:blank home page hijacker variant is at present without an automated solution. There is a manual fix, but it is very hard.

Let's see what we can do:

Get CW Shredder to repair your CoolWebSearch infestation:
http://www.spywareinfo.com/~merijn/files/cwshredder.zip version 1.57

Follow the directions for running the program at the next link.

http://www.bleepingcomputer.com/forums/index.php?showtutorial=47

At bleepingcomputer.com start reading at the section that says:

You can download this program here: CWShredder

(Note...we have noticed recently some CWS variants are harder to remove unless the shredder is run in Safe Mode...hit F8 while booting to enter Safe Mode and run the shredder.)

After cleaning with the shredder in Safe Mode do this:

Download and run these two programs (Spybot S&D and Adaware). Use Spybot first. (1.3 version)
http://www.majorgeeks.com/download2471.html

Follow the directions completely at:

http://www.cjwd.demon.co.uk/spybot-adaware.html

Reboot if asked by either program and let it complete any cleanup. Then reboot a final time after running both and run Windows Disk Cleanup: Start/Run/ type: cleanmgr

I check all the categories to be deleted here.

Then reboot and make a new C:\HJT folder. Your present folder is a bad place to run Hijackthis as backup logs will be in a precarious location for safety. Follow my directions here for relocating your Hijackthis file:

http://russelltexas.com/spywareinfo/createhjtfolder.htm

In Hijackthis do a new scan and check the following items if still present:

C:\WINDOWS\cjlarklc.exe
C:\WINDOWS\Wast.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\djnkp.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\djnkp.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O4 - HKLM\..\Run: [nnqbsnhf] C:\WINDOWS\cjlarklc.exe
O4 - HKLM\..\Run: [Wast] C:\WINDOWS\Wast.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} (IObjSafety.DemoCtl) - http://cabs.roings.com/cabs/budicon.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab

With no other browsers or windows open (only Hijackthis) click fix checked.

Reboot to SAFE mode
How to start the computer in Safe mode

Open Windows Explorer: type the word explorer at Start/Run box and click OK:

Drill down and delete the following:

C:\WINDOWS\cjlarklc.exe   file
C:\WINDOWS\Wast.exe     file
C:\WINDOWS\System32\djnkp.dll     file
C:\WINDOWS\Downloaded Program Files\bridge.dll   file

Reboot in normal mode after running the deletions and run Windows Disk Cleanup again: Start/Run/ type: cleanmgr

Post back with a new log as a reply to this message (stay in this message posting thread for continuity). Most of your infections will be addressed with these tools, but you must follow the directions exactly to make final manual cleanup easier.

HTH,

Texruss

Virus & Spyware

Was this post helpful?