1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Verify Process for removing "thebestse" hijacker

Discussion in 'Virus & Other Malware Removal' started by jdthomp434, Jan 24, 2005.

Thread Status:
Not open for further replies.
Advertisement
  1. jdthomp434

    jdthomp434 Thread Starter

    Joined:
    Jan 24, 2005
    Messages:
    2
    Hi!

    I came across a thread (posted by graham27, answered by tellco, dated June 23rd, 2004, 10:11 AM ) that basically indicated to run a hijackthis log and post to remove the "thebestse" hijacker.

    Whenever I start IE, www.thebestse.com comes up as the default setting, or whenever I click on a link that is potentially related to an adult site, this "free porn" web page constantly come up. A few times I have clicked on links not realizing that they were related to porn material.

    I primarily use AOL to browse the Internet.

    My questions are:

    1. Is all that I need to do is follow the advice posted in the response by tellco and the above mentioned posting?

    2. How did this hijacker get on my computer and how can I, once the puter is clean, prevent such items from occurring again?


    Below is the log file from HijackThis.

    Thanks for your help!

    DJ


    HijackThis Log File:
    ============================================

    Logfile of HijackThis v1.98.2
    Scan saved at 11:20:49 AM, on 1/24/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\windows\tsi32\tsircusr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SYSTEM32\USRmlnkA.exe
    C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    C:\WINDOWS\SYSTEM32\USRshutA.exe
    C:\Program Files\Washer\washer.exe
    C:\WINDOWS\SYSTEM32\USRmlnkA.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    C:\Program Files\Sierra\Planner\Plnrnote.exe
    C:\WINDOWS\DvzCommon\DvzMsgr.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\TSIRCSRV.EXE
    C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
    C:\WINDOWS\wanmpsvc.exe
    D:\Programs\HijackThis.exe
    C:\WINDOWS\System32\wuauclt.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.thebestse.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.thebestse.com/search.shtml
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.thebestse.com/search.shtml
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thebestse.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.thebestse.com/search.shtml
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thebestse.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.thebestse.com/search.shtml
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.thebestse.com/search.shtml
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.thebestse.com/search.shtml
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
    F1 - win.ini: run=C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSInfo\info32.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,c:\windows\tsi32\tsircusr.exe
    O2 - BHO: Trellian BHO Impl - {24180B00-2EB6-11d7-BD6F-004854603DCE} - C:\Program Files\TRELLIAN\Toolbar\toolbar.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: QuickSearch Search Bar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll__SpybotSDDisabled (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: QuickSearch Search Bar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll__SpybotSDDisabled (file missing)
    O3 - Toolbar: Toolbar Browser - {71AAABE5-1F0F-11d7-BD6F-004854603DCE} - C:\Program Files\TRELLIAN\Toolbar\toolbar.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Tapicfg.exe] C:\WINDOWS\System32\tapicfg.exe
    O4 - HKLM\..\Run: [system32.dll] C:\WINDOWS\system\sysdll32.exe
    O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    O4 - HKLM\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe "The Thompson Family"
    O4 - HKCU\..\Run: [Washer] C:\Program Files\Washer\washer.exe /0
    O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = ?
    O4 - Global Startup: Dataviz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
    O16 - DPF: {1E89F686-B78D-4C85-9EFC-3474516E3FE2} - http://ultimateplugin.com/plugin/109185.exe
    O16 - DPF: {4248083C-9656-11D2-8B7F-00105A17847A} - http://mplayer.com/join/signup/mplayer.exe
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = roots-servers.net
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = roots-servers.net
    O19 - User stylesheet: C:\WINDOWS\sstyle.css
    O19 - User stylesheet: C:\WINDOWS\sstyle.css (HKLM)
     
  2. mjack547

    mjack547 Malware Specialist

    Joined:
    Sep 1, 2003
    Messages:
    3,181
    Welcome to TSG

    Download and unzip or install these programs/applications if you haven't already got them. If you have them, then make sure they are updated and configured as described


    CWshredder from http://www.subratam.org/?page=removal
    Spybot - Search & Destroy from http://security.kolla.de
    Download Adaware SE http://www.lavasoftusa.com/support/download/


    then
    Run CWSHREDDER,

    Close all browser windows, click on the cwshredder.exe then click "FIX" (Not "Scan only") and let it do it's thing.
    and make sure you have all of Microsoft security updates

    then reboot &

    Run Sybot S&D

    After installing, first press Online, press search for updates, then tick the updates it finds, then press download updates. Beside the download button is a little down pointed arrow, select one of the servers listed. If it doesn't work or you get an error message then try a different server

    Next, close all Internet Explorer and OE windows, press 'Check for Problems', and have SpyBot remove all it finds that is marked in RED.

    then reboot &


    Run ADAWARE

    Install the program and launch it.

    First in the main window look in the bottom right corner and click on Check for updates now then click Connect and download the latest reference files.

    From main window :Click Start then under Select a scan Mode tick Perform full system scan.

    Next deselect Search for negligible risk entries.

    Now to scan just click the Next button.

    When the scan is finished mark everything for removal and get rid of it.(Right-click the window and choose select all from the drop down menu and click Next)


    Restart your computer.
    then post a new hijackthis log
     
  3. jdthomp434

    jdthomp434 Thread Starter

    Joined:
    Jan 24, 2005
    Messages:
    2
    Hey Mjack547!

    Thanks for the advice. I followed it to the T and here is the resultant hijackthis log:
    ========================================

    Logfile of HijackThis v1.98.2
    Scan saved at 11:02:19 AM, on 1/25/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\TSIRCSRV.EXE
    C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
    c:\windows\tsi32\tsircusr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\SYSTEM32\USRmlnkA.exe
    C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    C:\Program Files\Washer\washer.exe
    D:\Programs\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\SYSTEM32\USRshutA.exe
    C:\WINDOWS\SYSTEM32\USRmlnkA.exe
    C:\WINDOWS\DvzCommon\DvzMsgr.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    C:\WINDOWS\System32\wuauclt.exe
    D:\Programs\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,c:\windows\tsi32\tsircusr.exe
    O2 - BHO: Trellian BHO Impl - {24180B00-2EB6-11d7-BD6F-004854603DCE} - C:\Program Files\TRELLIAN\Toolbar\toolbar.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: QuickSearch Search Bar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll__SpybotSDDisabled (file missing)
    O3 - Toolbar: QuickSearch Search Bar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll__SpybotSDDisabled (file missing)
    O3 - Toolbar: Toolbar Browser - {71AAABE5-1F0F-11d7-BD6F-004854603DCE} - C:\Program Files\TRELLIAN\Toolbar\toolbar.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\MSDXM.OCX
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    O4 - HKLM\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe "The Thompson Family"
    O4 - HKCU\..\Run: [Washer] C:\Program Files\Washer\washer.exe /0
    O4 - HKCU\..\Run: [SpySweeper] "D:\Programs\Webroot\Spy Sweeper\SpySweeper.exe" /0
    O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = ?
    O4 - Global Startup: Dataviz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
    O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
    O16 - DPF: {4248083C-9656-11D2-8B7F-00105A17847A} - http://mplayer.com/join/signup/mplayer.exe
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = roots-servers.net
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = roots-servers.net
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = roots-servers.net
    O19 - User stylesheet: (file missing)

    ==============================================

    One thing to note however, Adaware SE Build 1.05 has a major problem when doing the full system scan to lock up on the "performing conditional scan...." portion of the full system scan. Their site indicates that the user should cancel the search right before this phase comes up in order to remove files, otherwise you must defrag, scan disk, reboot in safe mode, start adaware in smart scan mode in order to finish the scan.

    Just FYI.

    I also downloaded and used the trial version of spysweeper from webroot and it seemed to do a pretty good job. Some items were found with spysweeper that adaware did not catch. Webroot seems pretty legit so I doubt that they "planted" malware to be caught.

    What else do you recommend I do now?

    Thanks tons for your advice.

    JD
     
  4. mjack547

    mjack547 Malware Specialist

    Joined:
    Sep 1, 2003
    Messages:
    3,181
  5. mjack547

    mjack547 Malware Specialist

    Joined:
    Sep 1, 2003
    Messages:
    3,181
    Got to add/remover programs and see if NewDotNet is listed.

    Please let me know


    Run Hijackthis and fix the following items. Be sure all windows are closed except for hijackthis.

    O2 - BHO: QuickSearch Search Bar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll__SpybotSDDisabled (file missing)
    O3 - Toolbar: QuickSearch Search Bar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll__SpybotSDDisabled (file missing)

    O19 - User stylesheet: (file missing)


    And if you did not put these in with Spybot S & D fix them two

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    Reboot and post a new hijackthis log
     
  6. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/322922

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice