HiJacked Home Page (wdakk.dll)

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by KFBChuck, Jun 30, 2004.

  1. KFBChuck

    KFBChuck Private E-2

    HELP. EVERY single spyware download has failed to remove/correct my hi-jacked homepage which goes to this address each time:

    res://wdakk.dll/index.html#37680

    I am also getting pop-ups from deep-anal.com and pussy pool.com. I have had Google Toolbar POP-UP Blocker installed for a long time and have had very few pop-ups until the exact same time the homepage was hijacked.

    FYI- I know how to change homepage in TOOLS/OPTIONS, but it always changes it right back to the hijacker's site.

    Please assist if possible. Thanks.
     
  2. Kodo

    Kodo SNATCHSQUATCH

    can you post your HiJackThis log? this looks like a new one ...
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I think there are multiple problems here, Kodo. One of them (res://wdakk.dll/index.html#37680) still fits the syntax described here: http://www.majorgeeks.com/vb/showthread.php?t=35917. See step 12, the last res: example.
     
  4. KFBChuck

    KFBChuck Private E-2

    I have no idea how to generate a hijack log?????
     
  5. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Read chaslang's post and follow that link; you have the new variant that's difficult to remove.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download HijackThis from here: http://www.majorgeeks.com/download3155.html

    Unzip it to its own directory, and then double click on HijackThis.exe. Click Scan.
    Then click Save Log. That brings up the log in a Notepad window. Copy the contents (CTRL-A and then CTRL-C), then paste (using CTRL-V) into your next message.

    Read about HijackThis here: http://www.majorgeeks.com/vb/showthread.php?t=35407
     
  7. KFBChuck

    KFBChuck Private E-2

    Okay Chaslang...I will try. Thanks
     
  8. KFBChuck

    KFBChuck Private E-2

    Here's what I got after running the HiJackThis:

    Logfile of HijackThis v1.98.0
    Scan saved at 9:41:45 PM, on 6/30/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\System32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\ieiv32.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\mcc.exe
    C:\WINDOWS\sdkof32.exe
    C:\Program Files\Nikon\NkView6\NkvMon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Owner\Local Settings\Temp\HijackThis.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wdakk.dll/sp.html#37680
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://wdakk.dll/index.html#37680
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://wdakk.dll/index.html#37680
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\wdakk.dll/sp.html#37680
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wdakk.dll/sp.html#37680
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://wdakk.dll/index.html#37680
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/1/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.searchv.com/1/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/1/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.searchv.com/1/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by University of Phoenix Online
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R3 - Default URLSearchHook is missing
    F0 - system.ini: Shell=
    F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: (no name) - {D7E7CCE3-E897-0FF8-81D6-3F27EA1CA24E} - C:\WINDOWS\system32\atlth32.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Multimedia Codecs] C:\WINDOWS\System32\mcc.exe
    O4 - HKLM\..\Run: [sdkof32.exe] C:\WINDOWS\sdkof32.exe
    O4 - HKLM\..\RunOnce: [ipgl32.exe] C:\WINDOWS\system32\ipgl32.exe
    O4 - HKLM\..\RunOnce: [apixj32.exe] C:\WINDOWS\apixj32.exe
    O4 - HKLM\..\RunOnce: [msxj.exe] C:\WINDOWS\system32\msxj.exe
    O4 - HKLM\..\RunOnce: [msvi.exe] C:\WINDOWS\msvi.exe
    O4 - HKLM\..\RunOnce: [addqg32.exe] C:\WINDOWS\system32\addqg32.exe
    O4 - HKLM\..\RunOnce: [ntuw32.exe] C:\WINDOWS\ntuw32.exe
    O4 - HKLM\..\RunOnce: [addfb32.exe] C:\WINDOWS\addfb32.exe
    O4 - HKLM\..\RunOnce: [ipgd32.exe] C:\WINDOWS\ipgd32.exe
    O4 - HKLM\..\RunOnce: [ipyt.exe] C:\WINDOWS\ipyt.exe
    O4 - HKLM\..\RunOnce: [ieob.exe] C:\WINDOWS\system32\ieob.exe
    O4 - HKLM\..\RunOnce: [netzo.exe] C:\WINDOWS\system32\netzo.exe
    O4 - HKLM\..\RunOnce: [crib32.exe] C:\WINDOWS\system32\crib32.exe
    O4 - HKLM\..\RunOnce: [msli.exe] C:\WINDOWS\system32\msli.exe
    O4 - HKLM\..\RunOnce: [mfcws32.exe] C:\WINDOWS\mfcws32.exe
    O4 - HKLM\..\RunOnce: [netft.exe] C:\WINDOWS\netft.exe
    O4 - HKLM\..\RunOnce: [sysgm32.exe] C:\WINDOWS\system32\sysgm32.exe
    O4 - HKLM\..\RunOnce: [ntpq.exe] C:\WINDOWS\ntpq.exe
    O4 - HKLM\..\RunOnce: [ipng.exe] C:\WINDOWS\ipng.exe
    O4 - HKLM\..\RunOnce: [atlki32.exe] C:\WINDOWS\atlki32.exe
    O4 - HKLM\..\RunOnce: [ipav32.exe] C:\WINDOWS\system32\ipav32.exe
    O4 - HKLM\..\RunOnce: [msln32.exe] C:\WINDOWS\system32\msln32.exe
    O4 - HKLM\..\RunOnce: [iegu.exe] C:\WINDOWS\iegu.exe
    O4 - HKLM\..\RunOnce: [appju.exe] C:\WINDOWS\appju.exe
    O4 - HKLM\..\RunOnce: [apphl.exe] C:\WINDOWS\system32\apphl.exe
    O4 - HKLM\..\RunOnce: [sysav.exe] C:\WINDOWS\sysav.exe
    O4 - HKLM\..\RunOnce: [appbg32.exe] C:\WINDOWS\appbg32.exe
    O4 - HKLM\..\RunOnce: [appds.exe] C:\WINDOWS\system32\appds.exe
    O4 - HKLM\..\RunOnce: [atlnz.exe] C:\WINDOWS\system32\atlnz.exe
    O4 - HKLM\..\RunOnce: [atlyl.exe] C:\WINDOWS\system32\atlyl.exe
    O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
    O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
    O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://ecampus.phoenix.edu
    O16 - DPF: {00000000-0000-0000-0000-d4c4b96b0d97} -
    O16 - DPF: {00000000-8c7d-4ea8-b113-9163c935d38e} -
    O16 - DPF: {21F16767-8DA7-4113-BEB0-F161B313407F} - http://www.mediaforge.com/downloads/xmirage.exe
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20020713/qtinstall.info.apple.com/samantha/us/win/QuickTimeInstaller.exe
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX27.cab
    O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
    O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/my/yiebio5_0_2_1.cab
     
  9. KFBChuck

    KFBChuck Private E-2

    I also disabled System Restore, re-booted, then ran Ad-Aware AND Spybot S&D. Spybot found no problems and Ad-Aware ID'd only 7 files, which I quarantined. None of the 7 looked real bad.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You do have the problem I pointed to earlier. See this link http://www.majorgeeks.com/vb/showthread.php?t=35917

    You need to follow that procedure and stop whatever else you have been doing. You are making it mutate and multiply.

    Your DLL to have notepad edit (step 5) is: C:\WINDOWS\system32\wdakk.dll

    Your O2 BHO (step 7) is: O2 - BHO: (no name) - {D7E7CCE3-E897-0FF8-81D6-3F27EA1CA24E} - C:\WINDOWS\system32\atlth32.dll

    Your O4 lines (step 8) are:

    O4 - HKLM\..\Run: [sdkof32.exe] C:\WINDOWS\sdkof32.exe
    O4 - HKLM\..\RunOnce: [ipgl32.exe] C:\WINDOWS\system32\ipgl32.exe
    O4 - HKLM\..\RunOnce: [apixj32.exe] C:\WINDOWS\apixj32.exe
    O4 - HKLM\..\RunOnce: [msxj.exe] C:\WINDOWS\system32\msxj.exe
    O4 - HKLM\..\RunOnce: [msvi.exe] C:\WINDOWS\msvi.exe
    O4 - HKLM\..\RunOnce: [addqg32.exe] C:\WINDOWS\system32\addqg32.exe
    O4 - HKLM\..\RunOnce: [ntuw32.exe] C:\WINDOWS\ntuw32.exe
    O4 - HKLM\..\RunOnce: [addfb32.exe] C:\WINDOWS\addfb32.exe
    O4 - HKLM\..\RunOnce: [ipgd32.exe] C:\WINDOWS\ipgd32.exe
    O4 - HKLM\..\RunOnce: [ipyt.exe] C:\WINDOWS\ipyt.exe
    O4 - HKLM\..\RunOnce: [ieob.exe] C:\WINDOWS\system32\ieob.exe
    O4 - HKLM\..\RunOnce: [netzo.exe] C:\WINDOWS\system32\netzo.exe
    O4 - HKLM\..\RunOnce: [crib32.exe] C:\WINDOWS\system32\crib32.exe
    O4 - HKLM\..\RunOnce: [msli.exe] C:\WINDOWS\system32\msli.exe
    O4 - HKLM\..\RunOnce: [mfcws32.exe] C:\WINDOWS\mfcws32.exe
    O4 - HKLM\..\RunOnce: [netft.exe] C:\WINDOWS\netft.exe
    O4 - HKLM\..\RunOnce: [sysgm32.exe] C:\WINDOWS\system32\sysgm32.exe
    O4 - HKLM\..\RunOnce: [ntpq.exe] C:\WINDOWS\ntpq.exe
    O4 - HKLM\..\RunOnce: [ipng.exe] C:\WINDOWS\ipng.exe
    O4 - HKLM\..\RunOnce: [atlki32.exe] C:\WINDOWS\atlki32.exe
    O4 - HKLM\..\RunOnce: [ipav32.exe] C:\WINDOWS\system32\ipav32.exe
    O4 - HKLM\..\RunOnce: [msln32.exe] C:\WINDOWS\system32\msln32.exe
    O4 - HKLM\..\RunOnce: [iegu.exe] C:\WINDOWS\iegu.exe
    O4 - HKLM\..\RunOnce: [appju.exe] C:\WINDOWS\appju.exe
    O4 - HKLM\..\RunOnce: [apphl.exe] C:\WINDOWS\system32\apphl.exe
    O4 - HKLM\..\RunOnce: [sysav.exe] C:\WINDOWS\sysav.exe
    O4 - HKLM\..\RunOnce: [appbg32.exe] C:\WINDOWS\appbg32.exe
    O4 - HKLM\..\RunOnce: [appds.exe] C:\WINDOWS\system32\appds.exe
    O4 - HKLM\..\RunOnce: [atlnz.exe] C:\WINDOWS\system32\atlnz.exe
    O4 - HKLM\..\RunOnce: [atlyl.exe] C:\WINDOWS\system32\atlyl.exe

    All of the above EXEs are bad and will be in your list to delete in step 10 along with what you find in step 6 for Network Security Services. And don't forget to delete C:\WINDOWS\system32\atlth32.dll too.

    Your R0 & R1 list to have HijackThis fix in step 12 is:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wdakk.dll/sp.html#37680
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://wdakk.dll/index.html#37680
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://wdakk.dll/index.html#37680
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\wdakk.dll/sp.html#37680
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wdakk.dll/sp.html#37680
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://wdakk.dll/index.html#37680


    With these pointers see if you can follow the complete procedure in the link given at the beginning of this message. Follow the steps exactly in the order given and do exactly as requested.
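The reply above picks lines out of the HijackThis log by hand: the R0/R1 start and search pages that point at a res:// URL inside a local DLL, the O2 BHO with no name, and the O4 autostart entries that are nothing but an EXE name in C:\WINDOWS. As an added illustration (not code from this thread, from MajorGeeks, or from HijackThis), the script below applies those same selection rules to a constructed sample made of lines copied from the posted log, and lays the results out against the step numbers of the linked procedure. The O4 rule is an assumption modelled on which lines the reply selects: the value name is identical to the EXE file name, or the entry sits under RunOnce. Everything else in the log (the Google Toolbar's own res:// menu items, QuickTime, Money) is left alone.

```python
import re

# Constructed sample: lines copied from the HijackThis log posted earlier in this
# thread, with a few clean entries left in so the heuristics have something to skip.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wdakk.dll/sp.html#37680
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://wdakk.dll/index.html#37680
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {D7E7CCE3-E897-0FF8-81D6-3F27EA1CA24E} - C:\WINDOWS\system32\atlth32.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sdkof32.exe] C:\WINDOWS\sdkof32.exe
O4 - HKLM\..\RunOnce: [ipgl32.exe] C:\WINDOWS\system32\ipgl32.exe
O4 - HKLM\..\RunOnce: [msxj.exe] C:\WINDOWS\system32\msxj.exe
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
"""

# Line shapes HijackThis uses for the sections this thread cares about.
R_LINE = re.compile(r"^(R[01]) - (?P<key>[^,]+),(?P<setting>[^=]+?) = (?P<url>.*)$")
O2_LINE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_LINE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
RES_DLL = re.compile(r"^res://(?P<dll>.*?\.dll)/", re.I)
EXE_NAME = re.compile(r'([^\\/"]+\.exe)', re.I)


def triage(log_text):
    """Return the log lines a helper would pull out, grouped the way the reply
    above groups them, plus the DLL file names those lines point at."""
    findings = {"r_lines": [], "bho": [], "o4": [], "dlls": set()}
    for line in log_text.splitlines():
        line = line.strip()
        m = R_LINE.match(line)
        if m:
            # Rule 1: a start/search page served from a DLL resource on disk.
            # Only R0/R1 are checked; res:// is legitimate elsewhere (the O8
            # Google Toolbar menu items in the same log use it).
            res = RES_DLL.match(m.group("url"))
            if res:
                findings["r_lines"].append(line)
                findings["dlls"].add(res.group("dll").rsplit("\\", 1)[-1].lower())
            continue
        m = O2_LINE.match(line)
        if m:
            # Rule 2: a browser helper object that registered no display name.
            if m.group("name") == "(no name)":
                findings["bho"].append(line)
                findings["dlls"].add(m.group("path").rsplit("\\", 1)[-1].lower())
            continue
        m = O4_LINE.match(line)
        if m:
            exe = EXE_NAME.search(m.group("cmd"))
            exe_name = exe.group(1).lower() if exe else ""
            # Rule 3 (assumption, modelled on the reply's selection): the value
            # name is just the EXE file name, or the entry is parked in RunOnce,
            # which legitimate installers use only briefly.
            if m.group("key").lower() == "runonce" or m.group("name").lower() == exe_name:
                findings["o4"].append(line)
    findings["dlls"] = sorted(findings["dlls"])
    return findings


def format_report(findings):
    """Lay the findings out against the step numbers of the linked procedure."""
    out = ["DLLs to edit/delete (steps 5 and 10): " + ", ".join(findings["dlls"])]
    out += ["BHO to remove (step 7): " + l for l in findings["bho"]]
    out += ["O4 line (step 8): " + l for l in findings["o4"]]
    out += ["R0/R1 line to fix (step 12): " + l for l in findings["r_lines"]]
    return "\n".join(out)


if __name__ == "__main__":
    print(format_report(triage(SAMPLE_LOG)))
```

On the sample it reports wdakk.dll and atlth32.dll, the unnamed BHO, the three O4 lines (sdkof32.exe, ipgl32.exe, msxj.exe) and the two res:// R lines, and skips the Google Toolbar's res:// context-menu entry, which is the point of checking only the start/search page keys rather than every res:// in the log.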
     
  11. KFBChuck

    KFBChuck Private E-2

    Okay. I clicked on the link for thread 35917 in the first line of your reply and read the entire thing.

    I also read your entire reply listing what to do and how to do it.

    One problem is that your directions appear to have been translated into hieroglyphics as I barely understand what lots of the terms are and what to do.

    I really appreciate your assistance and time, but am very fearful I am going to really mess things up with your directions and my slight computer knowledge.

    Is there a single button I can click somewhere to fix it? I didn't think so.

    Oh man, I am going to kick my teenage step-son right in the ear over this one.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    There is no one-step solution that has worked. Other possible solutions, like using System Restore to an earlier date before the problem occurred, could resolve the problem too, but you will lose anything you have installed or configuration settings etc. since that time too. And sometimes backing up to a previous restore point can possibly bring back other problems you may have fixed since that time frame. Tough problems require tough solutions.

    It really is not too bad. I put quite a bit of info in the procedure with a lot of hand holding too (like how to disable System Restore, how to boot in Safe Mode, etc.).

    What is it exactly that you do not understand?
     
  13. KFBChuck

    KFBChuck Private E-2

    Well, I'm married so I follow directions pretty well....


    For starters, what does DLL mean?

    The system restore to about 2 weeks ago (like a time machine?) would be really nice. I have not downloaded or installed anything I am not willing to sacrifice in the past two weeks to get rid of this thing.

    I WILL try the directions step by step to the letter after I print it all out, but it will have to wait til tomorrow.

    Thanks again. I have always been able to research and fix past hijackers and spyware stuff with only minor hassles. I was out of town when this little "bug" was installed.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    DLL = Dynamic Link Library, but I'm referring to the DLL file, which means the file ending with .dll. Yours were wdakk.dll and atlth32.dll.

    System Restore is an option if you desire. It may work for you. Check this out; it may help you: http://www.microsoft.com/windowsxp/expertzone/columns/ballew/03may19.asp
     
  15. KFBChuck

    KFBChuck Private E-2

    Thank you very much. I'll try it tomorrow when my head is clearer.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Me too! It's 2:30 am here. Time for some zzzzzzzzzzz's
     
