1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

I.E hacked / unable to stop/find cihost.exe

Discussion in 'Web & Email' started by Mazinger4, Apr 25, 2004.

Thread Status:
Not open for further replies.
Advertisement
  1. Mazinger4

    Mazinger4 Thread Starter

    Joined:
    Apr 25, 2004
    Messages:
    8
    I ve been infected with a program that resets Internet explorer to an unwanted start page and undesirable favorite sites. Ive tried many things but nothing seems to help. Ive run the hack this, and here is the log file:

    Logfile of HijackThis v1.97.7
    Scan saved at 10:33:19 AM, on 4/25/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\THOTKEY.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\S3TRAY.EXE
    C:\TOSHIBA\IVP\ISM\PINGER.EXE
    C:\WINDOWS\SYSTEM\TOSHIBSU.EXE
    C:\WINDOWS\SYSTEM\PWRTRAY.EXE
    C:\WINDOWS\SYSTEM\PSPCCARD.EXE
    C:\WINDOWS\SYSTEM\TESCKEY.EXE
    C:\WINDOWS\SYSTEM\TFUNCKEY.EXE
    C:\WINDOWS\SYSTEM\TCDPBTN.EXE
    C:\WINDOWS\SYSTEM\TWBBTN.EXE
    C:\PROGRAM FILES\TIOGA\CLIENT\BIN\TGCMD.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
    C:\WINDOWS\RunDLL.exe
    C:\WINDOWS\SYSTEM32\WINPROC32.EXE
    C:\WINDOWS\SYSTEM32\DEINST_QFE002.EXE
    C:\PROGRAM FILES\LINKSYS\WIRELESS-B NOTEBOOK ADAPTER\WPC11CFG.EXE
    C:\MOUSEWARE\SYSTEM\EM_EXEC.EXE
    C:\PROGRAM FILES\FINEPIXVIEWER\QUICKDCF.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\MY DOWNLOADS\HIJACKTHIS.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://4-counter.com/?a=2
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://4-counter.com/?a=2
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://4-counter.com/?a=2
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://4-counter.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://4-counter.com/?a=2
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://4-counter.com/?a=2
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://4-counter.com/?a=2
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://4-counter.com/?a=2
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://4-counter.com/?a=2
    O4 - HKLM\..\Run: [S3TRAY] S3tray.exe
    O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe
    O4 - HKLM\..\Run: [TOSHIBSU] TOSHIBSU.EXE
    O4 - HKLM\..\Run: [THotkey] THotkey.exe
    O4 - HKLM\..\Run: [TDspOff] TDspOff.Exe B
    O4 - HKLM\..\Run: [PowerTray] PwrTray.EXE
    O4 - HKLM\..\Run: [PsPCCard] PsPCCard.EXE
    O4 - HKLM\..\Run: [TEscKey] TEscKey.exe
    O4 - HKLM\..\Run: [TFunckey] TFuncKey.exe
    O4 - HKLM\..\Run: [TCDPbtn] TCDPbtn.exe
    O4 - HKLM\..\Run: [TWBbtn] TWBbtn.exe
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [sys] regedit -s sys.reg
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [THotkey] THotkey.Exe
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [ccEvtMgr] "c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
    O4 - HKLM\..\RunServices: [ccSetMgr] "c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - HKCU\..\Run: [Disk Master] C:\windows\diskserv.exe
    O4 - HKCU\..\Run: [olehelp] C:\WINDOWS\olehelp.exe
    O4 - HKCU\..\Run: [Windows Internet Protocol] C:\WINDOWS\SYSTEM32\WINPROC32.EXE
    O4 - HKCU\..\Run: [Windows Update Checker] C:\WINDOWS\SYSTEM32\DEINST_QFE002.EXE
    O4 - HKCU\..\Run: [SPYKILLER] C:\PROGRAM FILES\ANONYMIZER\SK\SPYWAREKILLER.EXE /BOOT
    O4 - Startup: Wireless-B Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
    O4 - Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
    O4 - Startup: Microsoft Data Helper.lnk = C:\WINDOWS\cihost.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: ComcastHSI (HKCU)
    O9 - Extra button: Help (HKCU)
    O9 - Extra button: Support (HKCU)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    _________________________________________________________________

    Ive learned that cihost needs to be stopped and then removed because it is present in this file. Bu I cannot find the file anywhere in my system.
    Ive tried running ProcView to stop the process and then delete it with HackThis but it does not show in it.
    What can I do. Ive searched the web but no luck so far. Please help.
     
  2. ~Candy~

    ~Candy~ Retired Administrator

    Joined:
    Jan 27, 2001
    Messages:
    103,706
  3. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,274
    When youre finished Download CWShredder:
    http://www.spywareinfo.com/~merijn/files/cwshredder.zip
    Unzip, run and hit the ->fix tab to fix all found problems

    CWShredder takes advantage of seurity holes in windows so you should install all critical as well as hotfixes available from windows update.


    Then repost a fresh Hijack this log .

    Download 'Hijack This!'. http://www.tomcoyote.org/hjt/ and save it to a folder on your desktop.
    Unzip, doubleclick HijackThis.exe, and hit "Scan".

    When the scan is finished, the "Scan" button will change into a "Save Log" button.
    Press that, save the log, load it in Notepad, and copy its contents here. Most of what it lists will be harmless or even essential, don't fix anything yet.
     
  4. NilAdmirari

    NilAdmirari

    Joined:
    Oct 12, 2000
    Messages:
    75
    I'm still having problems with my hijacked browser. I tried using HijackThis and CWShredder and this is what my HJT log is. I don't want to delete more tags and risk messing up my computer. Anyone see anything potentially the matter?

    Logfile of HijackThis v1.97.7
    Scan saved at 12:44:29 PM, on 4/25/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
    C:\WINDOWS\kdx\KHost.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\jonathan.ARCHIMEDES\Application Data\oata.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\FirstClass\Fcc32.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Documents and Settings\jonathan.ARCHIMEDES\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\mjlj.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\mjlj.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\mjlj.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\mjlj.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\mjlj.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\mjlj.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {2A6F88AF-F370-4679-8814-35C54445DA9E} - C:\WINDOWS\System32\mjlj.dll
    O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: (no name) - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - (no file)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
    O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
    O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
    O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Eaim] C:\Documents and Settings\jonathan.ARCHIMEDES\Application Data\oata.exe
    O4 - HKCU\..\Run: [WINT] C:\WINDOWS\System32\wcpsvtr.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} - http://66.230.146.53/EPlugin_US.cab
     
  5. buckaroo

    buckaroo

    Joined:
    Mar 25, 2001
    Messages:
    3,334
    NilAdmirari, please don't piggy back onto an exisitng thread. It makes working on these logs that much more difficult when you're juggling multiple logs.

    Folks here will be happy to help. Please start your own thread.

    Thank you.

    :)
     
  6. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,274
    Yes and for what its worth it appears as though you are still infected with cws hijackings. did you run it right is my question ? Reopen cws shredder and hit the ->fix tab to fix all found problems
     
  7. NilAdmirari

    NilAdmirari

    Joined:
    Oct 12, 2000
    Messages:
    75
    sorry bout that...I figured I'd try to keep things tidy with a similar problem in a similar thread. I'll try that cws shredder once again and see what happens. If it doesn't I'll start another thread. Thanks and sorry again.
     
  8. buckaroo

    buckaroo

    Joined:
    Mar 25, 2001
    Messages:
    3,334
    That's okay, no problem. (y)

    What invariably happens is that others start posting logs to the same thread and then it gets real confusing, real quick.

    Thanks.

    :)
     
  9. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/223682

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice