Tech Support Forum - View Single Post - mxTarget HIJACK

**Detah** · 09-21-2004, 02:28 PM

Hello and welcome to TSF-

You have several problems that we need to address. We will be using several anti-spyware & anti-adware programs. I recommend that you keep these programs on your system permanently. Only use HiJackThis under the guidance of an expert! Print out these instructions so you may reference them without any programs open. It is very important that no programs (expecially internet browsers) are running when implementing these fixes. [You may leave your firewall and virusscan running.]
----------------------------------------------------------------
Never ever ever run internet browsers (eg Internet Explorer) during any scans or fixes.
----------------------------------------------------------------
To show hidden files instructions
Doubleclick My Computer | Tools | Folder Options | View tab
Select Show Hidden Files and Folders
Uncheck Hide extentions for known file types
Uncheck Hide protected operating system files (Recommended)
Select Apply to All Folders | Yes | Apply | OK
----------------------------------------------------------------
Turn off System Restore instructions
Rightclick My Computer | Properties | System Restore | check “Turn off System Restore”, <Apply>, <OK>. Reboot.
After we are finished with your log file and verified that it’s clean, you may turn it back on and create a new restore point.
----------------------------------------------------------------
I am not 100% positive, but it looks like you have a CoolWebSearch trojan in addition to the mxstuff. It wont hurt to run CWShredder and check anyways.

Please download and run CWShredder.

CWShredder instructions (137 kB)
Download CWShredder (written by Merijn Bellekom) from
http://www.majorgeeks.com/download4086.html
Save cwshredder.zip into its own directory, NOT in a TEMPorary folder or on the DESKTOP.
I recommend, c:/program files/CWShredder

Close all browsers
Unzip into same directory
Doubleclick cwshredder.exe
Click <Check for updates> and let it install all updates
Click <Fix>
If it asks you to delete a file, write down the whole path and file name and choose <No>. Post it to the forums.
Click <Next>
Close CWShredder//

----------------------------------------------------------------
Reboot in Safe Mode instructions. During reboot, tap the F8 key. Select Safe Mode.
----------------------------------------------------------------
Open HiJackThis | Config | Misc Tools | Open process manager. Select the following and click <Kill process> for each one if they are still listed (they may not be, and that's ok):

C:\WINDOWS\System32\cisvc.exe <---- This one is a Keylogging program. If you didnt put it there, check it
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\selevx.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe

----------------------------------------------------------------
Uninstall the following (from Start | Settings | Control Panel | Add/Remove Programs) if they exist:

Webshots

----------------------------------------------------------------
Open HiJackThis
Put a check next to the following items.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://aimtoday.aol.com/redir.adp?a...ma/default.jsp? (obfuscated)
O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [zurunytzojsiz] C:\WINDOWS\System32\selevx.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - Startup: Trillian.lnk = ?
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: wpvi.com Desktop Alert.lnk = ?
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.ht m (file missing) (HKCU)
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...5ffa3c41a69ed6e
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.spywarestormer.com/files2/Install.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/99...iTunesSetup.exe
O16 - DPF: {50F851B0-0BBE-11D2-A237-00C04FBBD1CD} (AvMediaMasterCtrl Class) - http://172.21.205.149/Web/MediaMasENU.CAB
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (WebProgramManager Class) - http://isupport4.hp.com/awebui/jsp/...SWebManager.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...b?1095165668876
O16 - DPF: {74F5614A-8A8C-43B4-8CC2-4B4EFAF4A6C5} (TSCCInstall Class) - http://www.techsmith.com/codec/tsccinst.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.3.1) - http://172.22.205.13/installs/j2re-1_3_1-win-i.exe
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4...23/cpbrkpie.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsol...ArcadeRdxIE.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuit.../ITDetector.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://meeting.webex.com/client/la...bex/ieatgpc.cab

Confirm that you have only the ones above then press <Fix checked>
Close HJT
----------------------------------------------------------------
Now delete the following files (or delete the whole folder if no specific file is given):

C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\selevx.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\WINDOWS\mxTarget.dll
C:\WINDOWS\systb.dll
C:\WINDOWS\wupdt.exe
C:\Program Files\Webshots\

----------------------------------------------------------------
* Empty your c:/windows/temp or c:/winnt/temp folder. Note: only empty the contents of the folder, leave the folder there.
* Now empty your Recycle Bin.
* Reboot in Normal Mode.
----------------------------------------------------------------
Here are two essential anti-spyware programs which you should run regularly. Updates for these programs come out weekly.

Spybot Search & Destroy instructions (~3.5MB)

Download Spybot (written by Patrick Kolla). Click <download> from
http://www.safer-networking.org/[BR]
Save spybotsd13.exe into its own directory, NOT in a TEMPorary folder or on the Desktop.
I recommend c:/program files/spybot/
Doubleclick spybotsd13.exe. Make sure to direct the program to install in the c:/program files/spybot/ directory, NOT the default directory.
Open Spybot from Start | Programs | Spybot | Spybot S&D
Select <Search for Updates>. Let it install all updates. This is very important!
Select <Immunize>
Select <Check for Problems>
Check all entries that are in RED. Only RED, NOTHING ELSE. For your records, write/print out each item that you have fixed. Date it.
Select <Fix Selected Problems>
Close Spybot//

Ad-Aware instructions (2563 kB)

Download Ad-Aware SE build 1.05 (written by Lavasoft) from
http://www.lavasoft.de/
If you have a previous version of AdAware installed, you will be prompted to uninstall or keep the older version during installation. Be sure to choose Uninstall The Previous Version. Save aawsepersonal.exe into its own directory, NOT in a TEMPorary folder or on the Desktop. I recommend c:/program files/Adaware/
Doubleclick aawsepersonal.exe. Make sure to direct the program to install in the c:/program files/adaware/ directory, NOT the default directory.
Open AdAware from Start | Programs | Lavasoft | Adaware.
Select <Check for updates now>, <Proceed>
Setting adjustments. [[Green = checked]] Click the Gear Icon in the top right corner. New settings:
- By default you begin in the <General> section. The following should be checked:
  - Automatically save logfile
  - Automatically quarantine objects prior to removal
  - Safe Mode (always request confirmation)
  - Prompt to update outdated confirmation - change to "7 days"
- Click <Scanning>
  - Check Scan within Archives
  - Select "Select drives & folders to scan", check all of your harddrives. Usually its just c:/, <Proceed>
  - Under Memory & Registry, select all options
- Click <Advanced>
  - Under Shell Integration, select "Move deleted files to Recycle Bin"
  - Under Logfile detail, select all options
- Click <Defaults>
  - Type in the full URL of what you want as your default homepage and search page eg. http://www.google.com
- Click <Tweak>
  - Expand Scanning Engine and make sure the following are selected:
    - Unload recognized processes during scanning
    - Obtain command line of scanned processes
    - Scan registry for all users instead of current user only
  - Expand Cleaning Engine and make sure the following are selected:
    - Always try to unload modules before deletion
    - During removal, unload explorer and IE if necessary
    - Let Windows remove files in use at next reboot
    - Delete quarantined objects after restoring
  - Expand Safety Settings and make sure the following are selected:
    - Write-protect system files after repair (Hosts file, etc)
Click <Proceed> | <Start> | select Use custom scanning options | <Next>
When the scan is finished, rightclick on any entry and choose <Select All Objects>.
Select <Clean>
Close Adaware//

----------------------------------------------------------------
You should run an online virus scan. Select one or more of the following. Select Autoclean if you use TrendMicro. Online virus scans can be superior to PC scans because some malware can infect your PC virus scanner.
Panda aka http://www.pandasoftware.com/actives..._principal.htm
TrendMicro aka http://housecall.trendmicro.com/]
RAV Antivirus aka http://www.ravantivirus.com/scan

Reboot. When you are done, post a new HJT log.

09-21-2004, 02:28 PM	#5 (permalink)
Detah TSF Enthusiast Join Date: Jun 2004 Location: from IL; now in KY Posts: 642 OS: Win98SE/XP My System	Hello and welcome to TSF- You have several problems that we need to address. We will be using several anti-spyware & anti-adware programs. I recommend that you keep these programs on your system permanently. Only use HiJackThis under the guidance of an expert! Print out these instructions so you may reference them without any programs open. It is very important that no programs (expecially internet browsers) are running when implementing these fixes. [You may leave your firewall and virusscan running.] ---------------------------------------------------------------- Never ever ever run internet browsers (eg Internet Explorer) during any scans or fixes. ---------------------------------------------------------------- To show hidden files instructions Doubleclick My Computer \| Tools \| Folder Options \| View tab Select Show Hidden Files and Folders Uncheck Hide extentions for known file types Uncheck Hide protected operating system files (Recommended) Select Apply to All Folders \| Yes \| Apply \| OK ---------------------------------------------------------------- Turn off System Restore instructions Rightclick My Computer \| Properties \| System Restore \| check “Turn off System Restore”, <Apply>, <OK>. Reboot. After we are finished with your log file and verified that it’s clean, you may turn it back on and create a new restore point. ---------------------------------------------------------------- I am not 100% positive, but it looks like you have a CoolWebSearch trojan in addition to the mxstuff. It wont hurt to run CWShredder and check anyways. Please download and run CWShredder. CWShredder instructions (137 kB) Download CWShredder (written by Merijn Bellekom) from http://www.majorgeeks.com/download4086.html Save cwshredder.zip into its own directory, NOT in a TEMPorary folder or on the DESKTOP. I recommend, c:/program files/CWShredder Close all browsers Unzip into same directory Doubleclick cwshredder.exe Click <Check for updates> and let it install all updates Click <Fix> If it asks you to delete a file, write down the whole path and file name and choose <No>. Post it to the forums. Click <Next> Close CWShredder// ---------------------------------------------------------------- Reboot in Safe Mode instructions. During reboot, tap the F8 key. Select Safe Mode. ---------------------------------------------------------------- Open HiJackThis \| Config \| Misc Tools \| Open process manager. Select the following and click <Kill process> for each one if they are still listed (they may not be, and that's ok): C:\WINDOWS\System32\cisvc.exe <---- This one is a Keylogging program. If you didnt put it there, check it C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe C:\WINDOWS\System32\selevx.exe C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe ---------------------------------------------------------------- Uninstall the following (from Start \| Settings \| Control Panel \| Add/Remove Programs) if they exist: Webshots ---------------------------------------------------------------- Open HiJackThis Put a check next to the following items. R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id= R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://aimtoday.aol.com/redir.adp?a...ma/default.jsp? (obfuscated) O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing) O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file) O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe O4 - HKLM\..\Run: [zurunytzojsiz] C:\WINDOWS\System32\selevx.exe O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe O4 - Startup: Trillian.lnk = ? O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe O4 - Global Startup: BTTray.lnk = ? O4 - Global Startup: wpvi.com Desktop Alert.lnk = ? O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.ht m (file missing) (HKCU) O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...5ffa3c41a69ed6e O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.spywarestormer.com/files2/Install.cab O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/99...iTunesSetup.exe O16 - DPF: {50F851B0-0BBE-11D2-A237-00C04FBBD1CD} (AvMediaMasterCtrl Class) - http://172.21.205.149/Web/MediaMasENU.CAB O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (WebProgramManager Class) - http://isupport4.hp.com/awebui/jsp/...SWebManager.CAB O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...b?1095165668876 O16 - DPF: {74F5614A-8A8C-43B4-8CC2-4B4EFAF4A6C5} (TSCCInstall Class) - http://www.techsmith.com/codec/tsccinst.cab O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.3.1) - http://172.22.205.13/installs/j2re-1_3_1-win-i.exe O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4...23/cpbrkpie.cab O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsol...ArcadeRdxIE.cab O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuit.../ITDetector.cab O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://meeting.webex.com/client/la...bex/ieatgpc.cab Confirm that you have only the ones above then press <Fix checked> Close HJT ---------------------------------------------------------------- Now delete the following files (or delete the whole folder if no specific file is given): C:\WINDOWS\System32\cisvc.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe C:\WINDOWS\System32\selevx.exe C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe C:\WINDOWS\mxTarget.dll C:\WINDOWS\systb.dll C:\WINDOWS\wupdt.exe C:\Program Files\Webshots\ ---------------------------------------------------------------- * Empty your c:/windows/temp or c:/winnt/temp folder. Note: only empty the contents of the folder, leave the folder there. * Now empty your Recycle Bin. * Reboot in Normal Mode. ---------------------------------------------------------------- Here are two essential anti-spyware programs which you should run regularly. Updates for these programs come out weekly. Spybot Search & Destroy instructions (~3.5MB) Download Spybot (written by Patrick Kolla). Click <download> from http://www.safer-networking.org/[BR] Save spybotsd13.exe into its own directory, NOT in a TEMPorary folder or on the Desktop. I recommend c:/program files/spybot/ Doubleclick spybotsd13.exe. Make sure to direct the program to install in the c:/program files/spybot/ directory, NOT the default directory. Open Spybot from Start \| Programs \| Spybot \| Spybot S&D Select <Search for Updates>. Let it install all updates. This is very important! Select <Immunize> Select <Check for Problems> Check all entries that are in RED. Only RED, NOTHING ELSE. For your records, write/print out each item that you have fixed. Date it. Select <Fix Selected Problems> Close Spybot// Ad-Aware instructions (2563 kB) Download Ad-Aware SE build 1.05 (written by Lavasoft) from http://www.lavasoft.de/ If you have a previous version of AdAware installed, you will be prompted to uninstall or keep the older version during installation. Be sure to choose Uninstall The Previous Version. Save aawsepersonal.exe into its own directory, NOT in a TEMPorary folder or on the Desktop. I recommend c:/program files/Adaware/ Doubleclick aawsepersonal.exe. Make sure to direct the program to install in the c:/program files/adaware/ directory, NOT the default directory. Open AdAware from Start \| Programs \| Lavasoft \| Adaware. Select <Check for updates now>, <Proceed> Setting adjustments. [[Green = checked]] Click the Gear Icon in the top right corner. New settings: By default you begin in the <General> section. The following should be checked: Automatically save logfile Automatically quarantine objects prior to removal Safe Mode (always request confirmation) Prompt to update outdated confirmation - change to "7 days" Click <Scanning> Check Scan within Archives Select "Select drives & folders to scan", check all of your harddrives. Usually its just c:/, <Proceed> Under Memory & Registry, select all options Click <Advanced> Under Shell Integration, select "Move deleted files to Recycle Bin" Under Logfile detail, select all options Click <Defaults> Type in the full URL of what you want as your default homepage and search page eg. http://www.google.com Click <Tweak> Expand Scanning Engine and make sure the following are selected: Unload recognized processes during scanning Obtain command line of scanned processes Scan registry for all users instead of current user only Expand Cleaning Engine and make sure the following are selected: Always try to unload modules before deletion During removal, unload explorer and IE if necessary Let Windows remove files in use at next reboot Delete quarantined objects after restoring Expand Safety Settings and make sure the following are selected: Write-protect system files after repair (Hosts file, etc) Click <Proceed> \| <Start> \| select Use custom scanning options \| <Next> When the scan is finished, rightclick on any entry and choose <Select All Objects>. Select <Clean> Close Adaware// ---------------------------------------------------------------- You should run an online virus scan. Select one or more of the following. Select Autoclean if you use TrendMicro. Online virus scans can be superior to PC scans because some malware can infect your PC virus scanner. Panda aka http://www.pandasoftware.com/actives..._principal.htm TrendMicro aka http://housecall.trendmicro.com/] RAV Antivirus aka http://www.ravantivirus.com/scan Reboot. When you are done, post a new HJT log.