
#1 The_Homie




Posted 20 June 2004 - 07:00 PM

I'm on WinXP Pro SP1,
all updates up to date.

I know a lot of people are having this problem but I can't seem to fix it.

I can run CWShredder and all the other spyware finders (Ad-Aware 6, Spybot 1.3, The Cleaner, which is a trojan finder, System Mechanic Pro, NSW 04), all with up-to-date virus defs and all defs for the spyware finders, but CWShredder is the only one that tells me it found and fixed CWS searchx, but upon reboot it's back, or in an hour or 2 it's back.

I get the about:blank HomePage.

Here is the HijackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 7:29:34 PM, on 6/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Azureus\Azureus.exe
C:\Program Files\Java\j2re1.4.2_04\bin\javaw.exe
C:\Documents and Settings\CR1P70\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\CR1P70\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\CR1P70\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bellsouth.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\CR1P70\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\CR1P70\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\CR1P70\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\CR1P70\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire HomePortal Monitor\2PortalMon.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Research (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8147.6668518518
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab

I've looked at most how-to-remove sites for this and I'm comfortable messing around in the Reg. I just want some expert help as this is a slippery little booger that keeps slipping by me.

Thx to anyone who can help me.

#2 dmforst




Posted 20 June 2004 - 07:17 PM

Coolweb is a 2 stage infection. This fix is not for inexperienced users. You need to understand how to use the recovery console and also the registry editor. Everything here is for a W2K install which is what I have. Should be similar for XP. First how the infection works:

1) A small dll is loaded onto your machine in the \winnt\system32 directory. I do not know the method of infection. My machine had the ByteVerifier patch so it wasn't through that backdoor.
2) This dll is loaded with very strange file permissions. It has all permissions but copy denied to everyone, including administrators. This set of permissions makes the file completely invisible inside windows. You can not see it using File explorer or dos prompts like dir. It also can not have its attributes set so that you can see it.
3) This little dll (resaf.dll on my machine, but probably different on each install) hooks itself to the HKLM/Software/Current Version/WindowsNT/Windows/AppInit_DLLs registry key. Of course you can't see the entry and searching for it will reveal nothing. Probably uses the same permissions trick but I was unable to verify this.
4) Once this dll is running it can do whatever it wants. What it does is load a full set of secondary infection files. It creates a file in your temp directory called sp.html. This is the file that is displayed each time you start IE. It also creates a bunch of registry entries to enforce this as the start page.
5) Next a second dll is loaded. This one you can see and remove. Of course it just comes back a few hours later. Not sure what this does.
6) Latest cut of Adaware gets rid of all of the secondary infections, but is unable to find the primary infection. After about 2-3 hours the infection just keeps coming back.

How to get rid of this.
1) You need a tool to find the nasty dll. A tool called "xfind" (find it here http://home.mnet-onl...muc/index.html) does a text search for a string within all files in the \winnt\system32 directory. Run it from the command line as XFIND "anything" C:\winnt\system32\*.dll. It turns out that the string itself is unimportant, it is the fact that this utility is unable to open the file that reveals the dll's identity. The utility posts an unable to read reaf.dll notice. This is your first clue.
2) Run adaware with the latest reference file and cleanup the secondary infection. Run it until no further infection is found. It may take a couple of passes.
3) Now that you know the name of the file, we need a way to get rid of it. Not possible inside Windows that I can see. Tried killbox and other programs but they are not able to find it. Using your original windows cd, start the recovery console. This is done by booting from the cd and then when it finishes loading selecting R for repair and C for recovery console. Log in as requested and you are at a command prompt. The file can now be seen using dir. I just renamed it at this point in case I was wrong and it was a real windows file. I could then get it back if I needed it.
4) Restart the machine in windows. Using regedit, search for the AppInit_DLLs key. The value will now be visible. Delete the value, not the key!
5) The dll will now also be visible and can be deleted.
6) Run adaware one more time to make sure all of the secondary infection is gone and you're done.

I would like to thank the dedicated folks at Adaware, I could not do without them. Also the kind folks who wrote the utilities I used to get this thing off. Good luck.
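Added example, not part of any post in this thread: a small Python triage script that parses the `R0`/`R1` Internet Explorer lines of a HijackThis log and flags the symptom described in step 4 above, page settings redirected to a local file in a Temp directory. The sample lines are copied from the log in post #1; the function names and the "file:// under \Temp\" heuristic are assumptions made for this illustration.

```python
import re

# HijackThis R-section line: "R1 - <registry key>,<value name> = <data>"
R_LINE = re.compile(r"^(R[0-3]) - (HK(?:CU|LM)\\[^,]+),(.+?) = ?(.*)$")

# Lines copied from the HijackThis log in post #1 of this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\CR1P70\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bellsouth.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\CR1P70\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
"""


def parse_r_lines(log_text):
    """Return one dict per R0-R3 line; other sections (O2, O4, ...) are skipped."""
    entries = []
    for line in log_text.splitlines():
        match = R_LINE.match(line.strip())
        if match:
            code, key, name, data = match.groups()
            entries.append(
                {"code": code, "key": key, "name": name, "data": data.strip()}
            )
    return entries


def is_local_temp_page(data):
    """Heuristic (assumption): an IE page setting served from a file under \\Temp\\."""
    lowered = data.lower()
    return lowered.startswith("file://") and "\\temp\\" in lowered


def suspicious_entries(log_text):
    """R-lines whose data points IE at a local file in a Temp directory."""
    return [e for e in parse_r_lines(log_text) if is_local_temp_page(e["data"])]


if __name__ == "__main__":
    for e in suspicious_entries(SAMPLE_LOG):
        print(f'{e["code"]} {e["key"]} [{e["name"]}] -> {e["data"]}')
```

A flagged entry only shows the secondary symptom; the entries reappearing after cleanup is what points to the hidden loader described in steps 1 to 3.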

#3 The_Homie




Posted 20 June 2004 - 10:16 PM

This is the file found when I ran a defrag [d3dhii.dll]

Here is what the defrag log said: the file that couldn't be moved by defrag is d3dhii.dll

I was told to run defrag and that the file it couldn't move is the file I'm looking for.

But when I go into the system32 folder and check show hidden files & folders I can't find this file. I really need some help guys, could someone give some clearer steps pls. Thx a lot.

#4 The_Homie




Posted 20 June 2004 - 10:40 PM

find all.bat confirms that this is the DLL file, someone pls help me man..

#5 BCGovtMartyr



Posted 20 June 2004 - 11:02 PM

Homie... refer to this topic and follow the directions towards the bottom of the page. Same hijack and they list the fix there (same as dmforst's, just a lil easier). I used dmforst's fix and it worked but took some work and know-how.

#6 The_Homie




Posted 21 June 2004 - 10:05 PM

I fixed it.. finally. But thx anyway for the topic and reply.
