Recurring "Only the best" garbage...

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by AKlein, Jun 29, 2004.

  1. AKlein

    AKlein Private E-2

    I am in need of some help. I have what seems to be a common problem. I have been reading numerous posts and trying a number of things all day to try and eliminate the problem without a post...I have reached my boiling point and now need help.

    I have checked for updates and run
    --Ad Aware
    --Spyware Blaster
    --Spybot S&D
    --CWshredder

    My logfile looks like this. Any advice is greatly appreciated.

    Logfile of HijackThis v1.97.7
    Scan saved at 8:18:51 PM, on 6/29/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\System32\qttask.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\WINDOWS\netxd.exe
    C:\Program Files\Messenger\MSMSGS.EXE
    C:\Program Files\HistoryKill\histkill.exe
    C:\WINDOWS\System32\NDrv.exe
    C:\Program Files\HistoryKill\hkPopupKiller.exe
    C:\WINDOWS\system32\drivers\KodakCCS.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\ScsiAccess.EXE
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\winyn32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Adam\Desktop\HijackThis.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\coksw.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://jojo5.baseball.sportsline.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://coksw.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\coksw.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://coksw.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\coksw.dll/sp.html#96676
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://windowsupdate.microsoft.com/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {CFC2CF30-BAD3-6B1F-4A72-6F6A8D1F61C6} - C:\WINDOWS\crqs32.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [netxd.exe] C:\WINDOWS\netxd.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
    O4 - HKCU\..\Run: [HistoryKill] C:\Program Files\HistoryKill\histkill.exe /startup
    O4 - HKCU\..\Run: [NDrv] C:\WINDOWS\System32\NDrv.exe
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://www.cheapguys.com
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/1704b3b19a942ae8a820/netzip/RdxIE601.cab
    O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37721.3981828704
    O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - http://univ4.centra.com/SiteRoots/reliantrx/Install/CentraDownloader.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  2. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    You need to read:
    http://www.majorgeeks.com/vb/showthread.php?t=35917


    You're after

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\coksw.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://coksw.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\coksw.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://coksw.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\coksw.dll/sp.html#96676

    The dll file will be called coksw.dll and will be found in Windows or Windows\system32\
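The pattern Major Attitude points at above (IE start/search pages redirected to a res:// URL inside a DLL, with companion files dropped straight into the Windows directory) can be picked out of a HijackThis log mechanically. The script below is an added example, not code from the thread or from HijackThis: it parses R0/R1, O2, O4 and running-process lines, records the DLL named in any res:// entry, and flags BHOs, autoruns and processes whose file sits directly in C:\WINDOWS rather than a subfolder. The sample log is a constructed subset of the log posted in this thread; the small allowlist of legitimate Windows-root residents (Explorer.EXE) is an assumption and is not exhaustive.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the HijackThis v1.97.7 log posted above,
# trimmed to the lines that matter for the heuristics below.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\netxd.exe
C:\WINDOWS\System32\NDrv.exe
C:\WINDOWS\winyn32.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\coksw.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://jojo5.baseball.sportsline.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://coksw.dll/index.html#96676
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {CFC2CF30-BAD3-6B1F-4A72-6F6A8D1F61C6} - C:\WINDOWS\crqs32.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [netxd.exe] C:\WINDOWS\netxd.exe
O4 - HKCU\..\Run: [NDrv] C:\WINDOWS\System32\NDrv.exe
"""

WINROOT = "c:\\windows\\"
# Assumed allowlist of legitimate files that live directly in the Windows root.
# Not exhaustive; extend it for the machine being examined.
KNOWN_WINROOT = {"explorer.exe"}

# res://<optional drive path>\<name>.dll/<page> -> capture the DLL name only
RES_RE = re.compile(r"res://(?:[A-Za-z]:\\[^/]*\\)?([^/\\]+\.dll)", re.IGNORECASE)
BHO_RE = re.compile(r"^O2 - BHO: (.*) - \{([0-9A-Fa-f-]{36})\} - (.*)$")
RUN_RE = re.compile(r"^O4 - (\S+): \[([^\]]*)\] (.*)$")
PROC_RE = re.compile(r"^[A-Za-z]:\\")  # HijackThis lists processes as bare paths


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def in_windows_root(path: str) -> bool:
    """True when the file sits directly in the Windows directory, not a subfolder."""
    p = path.strip().lower()
    return p.startswith(WINROOT) and "\\" not in p[len(WINROOT):]


def suspicious_location(path: str) -> bool:
    """Windows-root file that is not a known legitimate resident."""
    return in_windows_root(path) and basename(path).lower() not in KNOWN_WINROOT


def exe_path(command: str) -> str:
    """Executable part of an O4 command: a quoted path, or the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


@dataclass
class Findings:
    hijack_dlls: set = field(default_factory=set)     # DLLs behind res:// start/search pages
    suspect_bhos: list = field(default_factory=list)  # (clsid, path)
    suspect_runs: list = field(default_factory=list)  # (registry key, value name, path)
    suspect_procs: list = field(default_factory=list)


def analyze(log_text: str) -> Findings:
    """Walk a HijackThis log and collect hijack indicators."""
    f = Findings()
    for line in log_text.splitlines():
        line = line.strip()
        m = RES_RE.search(line)
        if m:
            f.hijack_dlls.add(m.group(1).lower())
        m = BHO_RE.match(line)
        if m and suspicious_location(m.group(3)):
            f.suspect_bhos.append((m.group(2), m.group(3)))
            continue
        m = RUN_RE.match(line)
        if m:
            path = exe_path(m.group(3))
            if suspicious_location(path):
                f.suspect_runs.append((m.group(1), m.group(2), path))
            continue
        if PROC_RE.match(line) and suspicious_location(line):
            f.suspect_procs.append(line)
    return f


def removal_targets(f: Findings) -> list:
    """Sorted file names to look for in the Windows directory and its System32 subfolder."""
    names = set(f.hijack_dlls)
    names.update(basename(p).lower() for _, p in f.suspect_bhos)
    names.update(basename(p).lower() for _, _, p in f.suspect_runs)
    names.update(basename(p).lower() for p in f.suspect_procs)
    return sorted(names)


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    print("res:// hijack DLLs:", sorted(found.hijack_dlls))
    print("files to locate in Windows or Windows\\System32:", removal_targets(found))
```

The script keys on location and on the res:// reference rather than on fixed file names, because, as chaslang notes further down, every infection uses different names. A Windows-root file is only a hint: confirm each flagged file by other means before deleting it, and note that the script cannot see what re-creates the entries once IE starts, which is why the nameless BHO and the autorun entries are reported alongside the DLL itself.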

     
  3. AKlein

    AKlein Private E-2

    Dear Mr. Major Attitude...

    I've done everything...

    -started in safe mode, ran HijackThis...deleted all the crap...ran Ad-Aware...CWShredder...I even opened all files and folders so nothing is hidden (XP)...basically, my logfile looks great until I log on to IE. Then everything goes back to the dll chaos. Is there another place these files are hiding? Any other options to clean this up...
    Should I be able to find the coksw.dll files somewhere other than running Hijack This?
    Your help is appreciated.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm still not convinced that Ad-aware or HSremove fixes this problem. I still see too many people having problems after trying to resolve the problem this way. In addition, HSremove is apparently going to screw up many users by removing Startup programs that they require. Not a good solution in my opinion.

    I still believe the longer procedure that I have used on a one-by-one basis (every infection is slightly different, especially if users have been playing around trying to fix it for a while) is a good alternative. Yes, it's longer and requires some work. But it has worked for me at least 10 times.

    You can see the general procedure I'm talking about in this thread (still being worked): http://www.majorgeeks.com/vb/showthread.php?t=35496

    But again note, your filenames will all be different.
     
  5. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Cool, maybe I will remove it. It's my understanding from some that there is also an exe file. Here's the problem: a different name. So telling people to guess and delete in the Windows directory is a mess waiting to happen :(

    I will stick your post to mine as an option for people Chaslang.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Good idea Major. I'm typing up a more generic solution. It's hard to make a generic one, since it always has different names. Also adding a couple of typo fixes. I'll send it to you when I finish it. I hope to complete it tonight but it's getting late and I've been sick. I'll try to finish it.
     
  7. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    I'm sleeping too, this new hijack is tiring. I have spent as much time as possible helping, but we need a for-sure fix to point people to. Maybe I will set you as mod here and you can modify your fix as needed.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It's okay with me! I'm doing my best to fight this damn thing!
     
