help with cool web

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by wamai, May 31, 2004.

  1. wamai

    wamai Private E-2

    I am knee deep with this cool web thing. I have tried everything from Ad-Aware, CWShredder, AVG; the darn thing keeps reloading by the next day. I have tried downloading patches from Windows to no avail. Any suggestions? My OS is Windows XP Home Edition.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Shut down all browsers (IE, etc.) and all Win Explorer sessions and run HijackThis. Post your complete log so we can see what is going on. HijackThis is available here: http://www.majorgeeks.com/download3155.html
     
  3. wamai

    wamai Private E-2

    Here is my log, I hope it helps.

    Logfile of HijackThis v1.97.7
    Scan saved at 12:34:56 AM, on 6/1/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\cisvc.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\chris wamai\Local Settings\Temp\Temporary Directory 35 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\iefc.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\iefc.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\iefc.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\iefc.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\iefc.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\iefc.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {530F2728-BC8C-42E6-BB79-9EBC1E596BA0} - C:\WINDOWS\System32\bkfn.dll (file missing)
    O2 - BHO: (no name) - {CFA37481-47A9-4F28-8716-7524F6741885} - C:\WINDOWS\System32\clhc.dll (file missing)
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [sysmgr32] sa2
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38102.3832638889
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    OK! Shut down all browser and Win Explorer sessions and run HijackThis again, put check marks on the following items and have HijackThis fix them:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\iefc.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\iefc.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\iefc.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\iefc.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\iefc.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\iefc.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {530F2728-BC8C-42E6-BB79-9EBC1E596BA0} - C:\WINDOWS\System32\bkfn.dll (file missing)
    O2 - BHO: (no name) - {CFA37481-47A9-4F28-8716-7524F6741885} - C:\WINDOWS\System32\clhc.dll (file missing)

    By the way, did you install this:
    O4 - HKLM\..\Run: [sysmgr32] sa2

    As far as I know it is a key logger/password hacking tool. If you did not install it, I would get rid of it.
     
  5. wamai

    wamai Private E-2

    thanks chaslang I will do it. By the way thanks for the tip on the spy/ password thing it is kind of strange
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! Let us know how it works out after the clean up.
     
  7. Jimclure

    Jimclure Private E-2

    I am having the same problem, going to post my HijackThis log on here. Let me know which to get rid of if you can, thanks.

    Logfile of HijackThis v1.97.7
    Scan saved at 10:39:38 PM, on 6/27/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\WINDOWS\apius.exe
    C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\System32\LVComS.exe
    C:\WINDOWS\iepf32.exe
    C:\Program Files\AIM95\aim.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\WinRAR\WinRAR.exe
    C:\DOCUME~1\Owner\LOCALS~1\Temp\Rar$EX00.578\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wdawn.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://wdawn.dll/index.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://wdawn.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wdawn.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://wdawn.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\wdawn.dll/sp.html#96676
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {B8460335-3BB1-0C22-657E-91A1AF013E8D} - C:\WINDOWS\system32\d3zf32.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
    O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [apius.exe] C:\WINDOWS\apius.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O9 - Extra button: WeatherBug (HKCU)
    O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot4_x.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  8. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    As you can see, you have the same problem, follow similar steps. It's considered bad etiquette to stomp on someone else's thread, as it can become confusing, please start your own thread if you can not fix it. Thanks :)

    For example kill these:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wdawn.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://wdawn.dll/index.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://wdawn.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wdawn.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://wdawn.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\wdawn.dll/sp.html#96676

    Read this and remove anything you know you did not install:

    http://www.majorgeeks.com/vb/showthread.php?t=35407

    From there, new thread for yourself please.
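Chaslang's list in post 4 and Major Attitude's "kill these" list above single out the same kinds of HijackThis entries: R0/R1 lines whose IE start or search page points at a res:// resource inside a local DLL, unnamed O2 BHOs whose file is missing, and an O4 Run value that is not a real file path. As an added example (not code from the thread or from HijackThis), here is a small Python checker that applies those rules to a constructed sample assembled from the flagged lines plus two benign lines from the same logs; the "bare token with no extension" rule for O4 entries is my own assumption.

```python
import re

# Constructed sample, assembled from the entry lines the replies above singled
# out (iefc.dll, wdawn.dll, the unnamed BHOs, [sysmgr32] sa2) plus two benign
# lines from the same logs for contrast.
SAMPLE_LOG = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\iefc.dll/sp.html (obfuscated)",
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://wdawn.dll/index.html#96676",
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank",
    r"O2 - BHO: (no name) - {530F2728-BC8C-42E6-BB79-9EBC1E596BA0} - C:\WINDOWS\System32\bkfn.dll (file missing)",
    r"O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx",
    r"O4 - HKLM\..\Run: [sysmgr32] sa2",
    r"O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe",
]


def classify(line):
    """Return a short reason if a HijackThis entry matches one of the patterns
    the replies flag, else None. Only R0/R1, O2 and O4 entries are examined."""
    line = line.strip()
    kind = line.split(" - ", 1)[0]
    if kind in ("R0", "R1"):
        # IE start/search page pointed at an HTML resource inside a local DLL
        m = re.search(r"=\s*(res://\S+)", line)
        if m:
            return "IE page setting redirected into a DLL resource: " + m.group(1)
        if ",HomeOldSP" in line:
            return "leftover HomeOldSP value (listed for removal in the thread)"
    elif kind == "O2":
        if "(no name)" in line and "(file missing)" in line:
            return "unnamed BHO registered for a DLL that no longer exists"
    elif kind == "O4":
        m = re.match(r"O4 - .*?\[(.+?)\]\s*(.*)$", line)
        if m:
            name, cmd = m.groups()
            exe = cmd.strip().strip('"').split()[0] if cmd.strip() else ""
            # A Run value normally names a file; a bare token with no path
            # component and no extension (like "sa2") is worth a question.
            if not re.search(r"\\|\.[A-Za-z0-9]{2,4}$", exe):
                return f"Run entry [{name}] launches an unresolved command: {cmd!r}"
    return None


def scan(lines):
    """Return (line_number, reason) for every flagged entry in a log."""
    return [(n, classify(l)) for n, l in enumerate(lines, 1) if classify(l)]


if __name__ == "__main__":
    for n, reason in scan(SAMPLE_LOG):
        print(f"line {n}: {reason}")
```

Feed it a full log (one entry per list item) and the Adobe BHO and iTunes Run lines stay quiet while the five entries the thread told the posters to fix are reported.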
     
  9. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    For Chaslang as well:

    FYI, the forums at the HijackThis page say that, unbelievably, System Restore kills this if you have a restore point from a few days to a week back.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Jim,

    As Major has indicated, you need to post in your own thread. But if you want to try his suggestion on making use of a system restore point, do the following. (This could be the fastest solution.)

    We are going to be using System Restore to restore your system to a point before the problem began. You just need to know about when this problem began and pick a restore point on your system prior to that date. Take a look at this link; it will explain System Restore to you:

    http://www.microsoft.com/windowsxp/...lew/03may19.asp

    Note that doing this also has the effect of removing anything else you have installed or set up after the System Restore point. Once you have decided that you want to do this, you should be able to go right to the heading that says "Use System Restore".

    If this does not work, I will post a step by step method to try.
     
  11. Jimclure

    Jimclure Private E-2

    OK, I am going to start my own post.
     
