Verify Process for removing "thebestse" hijacker

[jdthomp434]

Hi!

I came across a thread (posted by graham27, answered by tellco, dated June 23rd, 2004, 10:11 AM ) that basically indicated to run a hijackthis log and post to remove the "thebestse" hijacker.

Whenever I start IE, www.thebestse.com comes up as the default setting, or whenever I click on a link that is potentially related to an adult site, this "free porn" web page constantly come up. A few times I have clicked on links not realizing that they were related to porn material.

I primarily use AOL to browse the Internet.

My questions are:

1. Is all that I need to do is follow the advice posted in the response by tellco and the above mentioned posting?

2. How did this hijacker get on my computer and how can I, once the puter is clean, prevent such items from occurring again?


Below is the log file from HijackThis.

Thanks for your help!

DJ


HijackThis Log File:
============================================

Logfile of HijackThis v1.98.2
Scan saved at 11:20:49 AM, on 1/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\windows\tsi32\tsircusr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\Program Files\Washer\washer.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Program Files\Sierra\Planner\Plnrnote.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\TSIRCSRV.EXE
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
D:\Programs\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.thebestse.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.thebestse.com/search.shtml
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.thebestse.com/search.shtml
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thebestse.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.thebestse.com/search.shtml
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thebestse.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.thebestse.com/search.shtml
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.thebestse.com/search.shtml
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.thebestse.com/search.shtml
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
F1 - win.ini: run=C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSInfo\info32.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,c:\windows\tsi32\tsircusr.exe
O2 - BHO: Trellian BHO Impl - {24180B00-2EB6-11d7-BD6F-004854603DCE} - C:\Program Files\TRELLIAN\Toolbar\toolbar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: QuickSearch Search Bar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll__SpybotSDDisabled (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: QuickSearch Search Bar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll__SpybotSDDisabled (file missing)
O3 - Toolbar: Toolbar Browser - {71AAABE5-1F0F-11d7-BD6F-004854603DCE} - C:\Program Files\TRELLIAN\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Tapicfg.exe] C:\WINDOWS\System32\tapicfg.exe
O4 - HKLM\..\Run: [system32.dll] C:\WINDOWS\system\sysdll32.exe
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe "The Thompson Family"
O4 - HKCU\..\Run: [Washer] C:\Program Files\Washer\washer.exe /0
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = ?
O4 - Global Startup: Dataviz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {1E89F686-B78D-4C85-9EFC-3474516E3FE2} - http://ultimateplugin.com/plugin/109185.exe
O16 - DPF: {4248083C-9656-11D2-8B7F-00105A17847A} - http://mplayer.com/join/signup/mplayer.exe
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = roots-servers.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = roots-servers.net
O19 - User stylesheet: C:\WINDOWS\sstyle.css
O19 - User stylesheet: C:\WINDOWS\sstyle.css (HKLM)

 

[mjack547]

Welcome to TSG

Download and unzip or install these programs/applications if you haven't already got them. If you have them, then make sure they are updated and configured as described


CWshredder from http://www.subratam.org/?page=removal
Spybot - Search & Destroy from http://security.kolla.de
Download Adaware SE http://www.lavasoftusa.com/support/download/


then
Run CWSHREDDER,

Close all browser windows, click on the cwshredder.exe then click "FIX" (Not "Scan only") and let it do it's thing.
and make sure you have all of Microsoft security updates

then reboot &

Run Sybot S&D

After installing, first press Online, press search for updates, then tick the updates it finds, then press download updates. Beside the download button is a little down pointed arrow, select one of the servers listed. If it doesn't work or you get an error message then try a different server

Next, close all Internet Explorer and OE windows, press 'Check for Problems', and have SpyBot remove all it finds that is marked in RED.

then reboot &


Run ADAWARE

Install the program and launch it.

First in the main window look in the bottom right corner and click on Check for updates now then click Connect and download the latest reference files.

From main window :Click Start then under Select a scan Mode tick Perform full system scan.

Next deselect Search for negligible risk entries.

Now to scan just click the Next button.

When the scan is finished mark everything for removal and get rid of it.(Right-click the window and choose select all from the drop down menu and click Next)


Restart your computer.
then post a new hijackthis log

 

[jdthomp434]

Hey Mjack547!

Thanks for the advice. I followed it to the T and here is the resultant hijackthis log:
========================================

Logfile of HijackThis v1.98.2
Scan saved at 11:02:19 AM, on 1/25/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\TSIRCSRV.EXE
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
c:\windows\tsi32\tsircusr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Washer\washer.exe
D:\Programs\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\WINDOWS\System32\wuauclt.exe
D:\Programs\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,c:\windows\tsi32\tsircusr.exe
O2 - BHO: Trellian BHO Impl - {24180B00-2EB6-11d7-BD6F-004854603DCE} - C:\Program Files\TRELLIAN\Toolbar\toolbar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: QuickSearch Search Bar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll__SpybotSDDisabled (file missing)
O3 - Toolbar: QuickSearch Search Bar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll__SpybotSDDisabled (file missing)
O3 - Toolbar: Toolbar Browser - {71AAABE5-1F0F-11d7-BD6F-004854603DCE} - C:\Program Files\TRELLIAN\Toolbar\toolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe "The Thompson Family"
O4 - HKCU\..\Run: [Washer] C:\Program Files\Washer\washer.exe /0
O4 - HKCU\..\Run: [SpySweeper] "D:\Programs\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = ?
O4 - Global Startup: Dataviz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {4248083C-9656-11D2-8B7F-00105A17847A} - http://mplayer.com/join/signup/mplayer.exe
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = roots-servers.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = roots-servers.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = roots-servers.net
O19 - User stylesheet: (file missing)

==============================================

One thing to note however, Adaware SE Build 1.05 has a major problem when doing the full system scan to lock up on the "performing conditional scan...." portion of the full system scan. Their site indicates that the user should cancel the search right before this phase comes up in order to remove files, otherwise you must defrag, scan disk, reboot in safe mode, start adaware in smart scan mode in order to finish the scan.

Just FYI.

I also downloaded and used the trial version of spysweeper from webroot and it seemed to do a pretty good job. Some items were found with spysweeper that adaware did not catch. Webroot seems pretty legit so I doubt that they "planted" malware to be caught.

What else do you recommend I do now?

Thanks tons for your advice.

JD

 

[mjack547]

I miss this the first time.

A new version of Hijack This has been released so get rid of the old one and
download from this site http://majorgeeks.com/download3155.html

 

[mjack547]

Got to add/remover programs and see if NewDotNet is listed.

Please let me know


Run Hijackthis and fix the following items. Be sure all windows are closed except for hijackthis.

O2 - BHO: QuickSearch Search Bar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll__SpybotSDDisabled (file missing)
O3 - Toolbar: QuickSearch Search Bar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll__SpybotSDDisabled (file missing)

O19 - User stylesheet: (file missing)


And if you did not put these in with Spybot S & D fix them two

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Reboot and post a new hijackthis log