Can anyone verify if my system is now clean? Just



#1
brbalaji

brbalaji

    New Member

  • Member
  • Pip
  • 1 posts
Hello,

I just cleaned up the "clicksearchclick" malware based on the instructions given in this forum. Can anyone check if my system is now clean?

Following are the "hijack log", "startup list" and "uninstall list".

Thanks in advance,
Balaji

Logfile of HijackThis v1.99.1
Scan saved at 2:03:31 AM, on 6/15/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
P:\Program Files\Network Associates\Common Framework\FrameworkService.exe
P:\Program Files\Network Associates\VirusScan\mcshield.exe
P:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Microsoft Shared\MSSearch\Bin\mssearch.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Conexant\AccessRunner ADSL\CnxDslTb.exe
P:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
P:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
P:\Program Files\Zamaan's Software\Browser Hijack Retaliator 2.1\BHR2.1.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\taskmgr.exe
P:\Program Files\Maxthon\Maxthon.exe
D:\Downloads\AV\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - P:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - P:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\PROGRA~1\TEXTware\QUICKF~1\PlugIns\IEHelp.dll
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Program Files\Conexant\AccessRunner ADSL\CnxDslTb.exe"
O4 - HKLM\..\Run: [ShStatEXE] "P:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "P:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [BHR2.1] P:\Program Files\Zamaan's Software\Browser Hijack Retaliator 2.1\BHR2.1.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download with &DAP - P:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Download &all with DAP - P:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Download with GetRight - P:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://P:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Open with GetRight Browser - P:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: RoboForm &2 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms &] - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms &[ - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{C0A0184D-4035-40A7-9EF3-61013FCAF18D}: NameServer = 203.145.184.13 202.56.250.5
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DynaWeb Internet Server http-6336 (dwhttpd-6336) - Unknown owner - P:\Dynaweb\win32\bin\dwhttpd.exe
O23 - Service: DynaWeb Internet Server http-6337 (dwhttpd-6337) - Unknown owner - P:\DynaBomb\Win32\Bin\dwhttpd.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - P:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - P:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - P:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: OracleOraHome81Agent - oracle - P:\Oracle\Ora81\bin\dbsnmp.exe
O23 - Service: OracleOraHome81ClientCache - Unknown owner - P:\Oracle\Ora81\BIN\ONRSD.EXE
O23 - Service: OracleOraHome81DataGatherer - Unknown owner - P:\Oracle\Ora81\bin\vppdc.exe
O23 - Service: OracleOraHome81TNSListener - Unknown owner - P:\Oracle\Ora81\BIN\TNSLSNR.exe
O23 - Service: OracleServiceMY - Oracle Corporation - p:\oracle\ora81\bin\ORACLE.EXE
O23 - Service: OracleWebAssistant0 - Oracle Corporation - P:\Oracle\Ora81\BIN\OWASTSVR.EXE

===========================================================================

StartupList report, 6/15/2005, 2:00:38 AM
StartupList version: 1.52.2
Started from : D:\Downloads\AV\HijackThis.EXE
Detected: Windows XP (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 (6.00.2600.0000)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
P:\Program Files\Network Associates\Common Framework\FrameworkService.exe
P:\Program Files\Network Associates\VirusScan\mcshield.exe
P:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Microsoft Shared\MSSearch\Bin\mssearch.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Conexant\AccessRunner ADSL\CnxDslTb.exe
P:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
P:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
P:\Program Files\Zamaan's Software\Browser Hijack Retaliator 2.1\BHR2.1.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\taskmgr.exe
P:\Program Files\Maxthon\Maxthon.exe
D:\Downloads\AV\HijackThis.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

CnxDslTaskBar = "C:\Program Files\Conexant\AccessRunner ADSL\CnxDslTb.exe"
ShStatEXE = "P:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
McAfeeUpdaterUI = "P:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
BHR2.1 = P:\Program Files\Zamaan's Software\Browser Hijack Retaliator 2.1\BHR2.1.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

(Default) =

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - P:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - P:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll - {724d43a9-0d85-11d4-9908-00400523e39a}
(no name) - C:\PROGRA~1\TEXTware\QUICKF~1\PlugIns\IEHelp.dll - {C08DF07A-3E49-4E25-9AB0-D3882835F153}

--------------------------------------------------

Enumerating Download Program Files:

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.micr...922/wmv9VCM.CAB

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macr...ash/swflash.cab

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\DOCUME~1\Balaji\LOCALS~1\TEMPOR~1\Content.IE5\index.dat||C:\DOCUME~1\Balaji\Cookies\index.dat||C:\DOCUME~1\Balaji\LOCALS~1\History\History.IE5\index.dat|||i

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 5,225 bytes
Report generated in 0.031 seconds

===========================================================================

3ds max 4
Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe PageMaker 7.0
Adobe Photoshop 7.0
AmiBroker 4.60
aspi
ASUSDVD XP
AutoCAD 2000
Best-Charts version 4.32
Bombardier DynaWeb 4.3
Browser Hijack Retaliator 2.1
CCHelp
CCleaner (remove only)
CCScore
C-Dilla Licence Management System
ChessRally 2
Conexant AccessRunner USB ADSL WAN Adapter
CorelDRAW 10
CorelDRAW 10
CR2
Creative PlayCenter
Dev. Web App. with VB .NET and Visual C Sharp .NET eBook
Download Accelerator Plus
DynaWeb 4.3
ESSAdpt
ESSANUP
ESSBrwr
ESSCAM
ESSCDBK
ESScore
ESSCT
ESSgui
ESShelp
ESSini
ESSPCD
ESSPDock
ESSTUTOR
ESSvpaht
ESSvpot
GetRight
HijackThis 1.99.1
HLPCCTR
HLPIndex
HLPPDOCK
iBall Ball Mouse 1.2
InCD (Ahead Software)
InCD EasyWrite Reader (Ahead Software)
Indiatimes Messenger
Java 2 Runtime Environment Standard Edition v1.3.1_15
Java 2 Runtime Environment, SE v1.4.1_06
Java 2 Runtime Environment, SE v1.4.2_01
Java Web Start
Jybe (beta)
Kodak EasyShare software
KSU
LiveUpdate 1.80 (Symantec Corporation)
Logitech MouseWare 9.50
Macromedia Director 7
Macromedia Dreamweaver MX
Macromedia Extension Manager
Macromedia Fireworks MX
Macromedia Flash 5
Macromedia Flash MX
Macromedia FreeHand 10
Maxthon Browser (remove only)
MCP Exams Practice Tests
Mediachase Calendar.NET Evaluation
Microsoft .NET Framework (English) v1.0.3705
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0 Beta
Microsoft Internet Explorer WebControls
Microsoft Office XP Professional with FrontPage
Microsoft SQL Server 2000
Microsoft Visio Viewer 2002
Microsoft Visual Studio .NET Enterprise Architect - English
Microsoft Visual Studio 6.0 Enterprise Edition
Microsoft Web Publishing Wizard 1.53
mIRC
MSDN Library - April 2004
MSN Messenger 6.2
Murasu Anjal2000
Nero
NeroVision Express (Ahead Software)
Network Spy
Notifier
NVIDIA Drivers
OTtBP
Oxford Advanced Genie
PCDLNCH
Power Indiabulls
Practice Test, Version 4.0
QuickTime
Rational XDE Professional v2002, Microsoft .NET Edition
Rational XDE Professional v2002, Microsoft .NET Edition Help
RealDownload
RealOne Player
RichFX Player
RssReader
Serials 2000 v6.0
SFR
SFR2
SoftK56 Data Fax Voice Speakerphone CARP
Sonic Foundry Sound Forge XP 4.5
Sound Blaster Live!
Sound Blaster Live! Web 2K/XP
Spinner Plus
Spybot - Search & Destroy 1.3
TextPad
The File Splitter 1.21
TypingMaster 2002
USB97C223 Software
VCAMCEN
VCDCutter
Viewpoint Media Player
WinBoard
Windows XP Hotfix - KB823980
Windows XP Hotfix - KB824146
Windows XP Hotfix - KB835732
Windows XP Hotfix (SP1) [See Q321856 for more information]
WinZip
Yahoo! Messenger
