Your-Searcher

 
Computer Cops Forum Index -> Hijackthis - Spyware, Viruses, Worms, Trojans Oh My!

meee (Cadet, joined May 31, 2004, posts: 2, location: USA)
Posted: Mon May 31, 2004 10:22 pm    Post subject: Your-Searcher

Been reading several threads about this and none of them had an answer to my prob :( I know I need to check these:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://your-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://your-searcher.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://your-searcher.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://your-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://your-searcher.com/index.htm

But what more do I need to remove? This is my log:

Logfile of HijackThis v1.97.7
Scan saved at 02:10:16, on 2004-06-01
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\docume~1\spinal\lokala~1\temp\TJs.exe
C:\docume~1\spinal\lokala~1\temp\dhcjum.exe
C:\docume~1\spinal\lokala~1\temp\bxBc.exe
C:\docume~1\spinal\lokala~1\temp\QD4P.exe
C:\windows\cvchost.exe
c:\apache\APACHE.EXE
c:\apache\APACHE.EXE
C:\WINDOWS\System32\wuauclt.exe
E:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://your-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://your-searcher.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://your-searcher.com/index.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://your-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://your-searcher.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TJs.exe] C:\docume~1\spinal\lokala~1\temp\TJs.exe
O4 - HKLM\..\Run: [dhcjum.exe] C:\docume~1\spinal\lokala~1\temp\dhcjum.exe
O4 - HKLM\..\Run: [bxBc.exe] C:\docume~1\spinal\lokala~1\temp\bxBc.exe
O4 - HKLM\..\Run: [QD4P.exe] C:\docume~1\spinal\lokala~1\temp\QD4P.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WAPI] C:\WINDOWS\System32\wtstr.exe
O4 - HKCU\..\Run: [cvchost] c:\windows\cvchost.exe
O4 - Startup: WinMySQLadmin.lnk = C:\apache\mysql\bin\winmysqladmin.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/158cc0a...ip/RdxIE601.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.c...8002.2627430556
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/...ash/swflash.cab

irelynnmisses (1st Responder, joined Jan 27, 2004, posts: 1105, location: USA)
Posted: Tue Jun 01, 2004 3:58 am

You have several viruses running from your temp folder..

These ones are optional to remove, but removal will speed up your PC and its performance. You can still access them manually by clicking on the icon. They usually aren't malware, just resource hogs. I recommend you fix them; your decision.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://your-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://your-searcher.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://your-searcher.com/index.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://your-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://your-searcher.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
O4 - HKLM\..\Run: [TJs.exe] C:\docume~1\spinal\lokala~1\temp\TJs.exe
O4 - HKLM\..\Run: [dhcjum.exe] C:\docume~1\spinal\lokala~1\temp\dhcjum.exe
O4 - HKLM\..\Run: [bxBc.exe] C:\docume~1\spinal\lokala~1\temp\bxBc.exe
O4 - HKLM\..\Run: [QD4P.exe] C:\docume~1\spinal\lokala~1\temp\QD4P.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WAPI] C:\WINDOWS\System32\wtstr.exe
O4 - HKCU\..\Run: [cvchost] c:\windows\cvchost.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/158cc0a...ip/RdxIE601.cab


Go to START > ALL PROGRAMS > ACCESSORIES > SYSTEM TOOLS > DISK CLEAN UP and clean everything...

Go to start >Run and paste this in:
%Userprofile%\Local Settings\Temp folder

It will open your temp folder.

Go to the toolbar>Edit>Select All
Then go back to File>Delete


Reboot and delete the following files or folders:
C:\WINDOWS\System32\wtstr.exe
c:\windows\cvchost.exe


Then get an online virus scan here: http://housecall.trendmicro.com/ Please select the Autoclean option when prompted.
or here: http://www.pandasoftware.com/activescan/

FLUSH RESTORE POINTS
After something like this it is a good idea to Flush the Restore Points and start fresh.
To flush the XP system Restore Points.

Go to Start>Run and type msconfig Press enter.

When msconfig opens, click the Launch System Restore Button.
On the next page, click the System Restore Settings Link on the left.

Check the box labeled Turn off System restore on all Drives.

Reboot. Go back in and Turn System Restore Back on. A new Restore Point will be created.


then reboot and post a new log and we will take it from there.

_________________
Forum Moderator at:
http://killspyware.go.dyndns.org/
Helper At:
http://www.spywareinfo.com/
1st Responder At:
http://www.computercops.biz/

meee (Cadet, joined May 31, 2004, posts: 2, location: USA)
Posted: Tue Jun 01, 2004 8:19 am

Thx for taking your time helping me irelynnmisses :)

I did all those things, but there wasn't any file named wtstr.exe in my system32 folder :( Here is my new log tho:

Logfile of HijackThis v1.97.7
Scan saved at 14:18:49, on 2004-06-01
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
c:\apache\APACHE.EXE
c:\apache\APACHE.EXE
C:\WINDOWS\System32\wuauclt.exe
E:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://your-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://your-searcher.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.spinal.tk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://your-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://your-searcher.com/index.htm
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKCU\..\Run: [cvchost] c:\windows\cvchost.exe
O4 - Startup: WinMySQLadmin.lnk = C:\apache\mysql\bin\winmysqladmin.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/7b77...scan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc...wflash.cab

irelynnmisses (1st Responder, joined Jan 27, 2004, posts: 1105, location: USA)
Posted: Wed Jun 02, 2004 10:38 pm

ok, you still have a virus.. Please do this..

Please download CWShredder from http://www.spywareinfo.com/~merijn/files/CWShredder.exe and run the program. Press the "Fix" button and let it fix all variants. Next, close the program and post a fresh HijackThis log.

Run HijackThis again, and in the boxes to the left of the entries, please place a check mark next to these, and then click on FIX SELECTED ITEMS...


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://your-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://your-searcher.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://your-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://your-searcher.com/index.htm
O4 - HKCU\..\Run: [cvchost] c:\windows\cvchost.exe

Then reboot and search for then delete this file or folder: c:\windows\cvchost.exe

You can't possibly expect to resolve any future exploits without proper updates.
I would go to windowsupdates and install ALL critical updates. They are very important to have since they are vital to the health of your system. That will fix innumerable bugs, update a large number of important system files, and plug many security holes. It can also prevent future catastrophes! People have no idea how many predators there are out there. It's a shame really.
http://v4.windowsupdate.microsoft.com/en/default.asp


then reboot and post a fresh log.

_________________
Forum Moderator at:
http://killspyware.go.dyndns.org/
Helper At:
http://www.spywareinfo.com/
1st Responder At:
http://www.computercops.biz/
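
As an added illustration, not part of any post in this thread: a small Python triage of HijackThis log lines that flags the kinds of entries singled out above (Run entries starting from a temp folder, a file name one character off a Windows process name, IE pages set to an unexpected host or a local file) and reports which flagged entries are still present in a later log. The host allowlist and the list of system process names are assumptions of this example; unquoted paths containing spaces are not handled.

```python
import re
from urllib.parse import urlparse

# Assumptions of this example, not from the thread: hosts treated as normal
# for IE pages, and system process names checked for near-miss spellings.
EXPECTED_HOSTS = ("microsoft.com", "msn.com")
SYSTEM_NAMES = ("svchost.exe", "lsass.exe", "services.exe", "winlogon.exe")
R_LINE = re.compile(r"^R[0-3] - HK\w+\\.+?,.+? = (.*)$")
O4_LINE = re.compile(r"^O4 - HK\w+\\\.\.\\Run\w*: \[.+?\] (.+)$")

def one_char_off(name, real):
    """True when name has the same length as real and differs in one position."""
    return len(name) == len(real) and sum(a != b for a, b in zip(name, real)) == 1

def triage(log_text):
    """Map each log line that deserves a closer look to its list of reasons."""
    findings = {}
    for line in map(str.strip, log_text.splitlines()):
        reasons = []
        if m := R_LINE.match(line):
            data = m.group(1)
            host = urlparse(data).hostname if data.lower().startswith("http") else None
            if not host:
                reasons.append("IE page set to a local file")
            elif not any(host == h or host.endswith("." + h) for h in EXPECTED_HOSTS):
                reasons.append(f"IE page set to unexpected host {host}")
        elif m := O4_LINE.match(line):
            exe = re.match(r'"([^"]+)"|(\S+)', m.group(1))
            parts = (exe.group(1) or exe.group(2)).lower().split("\\")
            if "temp" in parts[:-1]:
                reasons.append("autorun starts from a temp folder")
            reasons += [f"{parts[-1]} is one character off {s}"
                        for s in SYSTEM_NAMES if one_char_off(parts[-1], s)]
        if reasons:
            findings[line] = reasons
    return findings

def persisted(before, after):
    """Flagged lines of the first log that are still flagged in the second."""
    return sorted(set(triage(before)) & set(triage(after)))

# Lines excerpted from the two logs posted in the thread.
BEFORE = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://your-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
O4 - HKLM\..\Run: [TJs.exe] C:\docume~1\spinal\lokala~1\temp\TJs.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [cvchost] c:\windows\cvchost.exe"""
AFTER = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://your-searcher.com/sp.htm
O4 - HKCU\..\Run: [cvchost] c:\windows\cvchost.exe"""
```

Calling `persisted(BEFORE, AFTER)` returns the Search Bar entry and the cvchost Run entry, the same two kinds of leftovers the second log in the thread still shows after the temp folder was emptied.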