Hijacked browser to http://count.cc/index.js?pin=2


21 replies to this topic

#1 ssgt_easton
Posted 20 June 2004 - 07:48 PM

I'm running current ad-aware and NAV, and I just downloaded hijackthis. I tried both, and in safe mode, with no luck.

My homepage is hijacked to "about:blank;" it's the usual-looking "Search the Web" type page listing the usual stuff like car insurance, etc. One popup also opens, saying I have spyware on my computer (duh.) The popup also opens upon launching AIM. I looked in the temp internet files, and these three were listed there. I'm assuming these are the pages my hijacked browser is being redirected to?

http://count.cc/index.js?pin=23
http://c1dcon.ewizar...pup2.php?pin=23
http://c1dcon.ewizar...p2/bullet_2.gif

Hijackthis log:

Logfile of HijackThis v1.97.7
Scan saved at 8:29:55 PM, on 6/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\sysupd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\wt\updater\wcmdmgr.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\AIM95\aim.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJ\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Rich\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Rich\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Rich\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Rich\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Rich\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Rich\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.white-pages.ws/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://searchbar.fin...iteyouneed.com/
R3 - URLSearchHook: (no name) - 3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {6DCF2D96-62A1-4594-B469-22670AB82631} - C:\WINDOWS\System32\dhcoflb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4FFB-8758-209B6AD74ACC} - C:\PROGRA~1\MICROS~4\System\MNYVIE~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [iedll] C:\WINDOWS\iedll.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8031.7278819444
O19 - User stylesheet: C:\WINDOWS\Web\oslogo.bmp (file missing)

#2 ssgt_easton
Posted 21 June 2004 - 09:36 AM

I forgot to add: Every time I boot up, I get a window that says something about a bridge.dll file the computer was unable to find.

#3 Otter
Posted 21 June 2004 - 10:11 AM

Uninstall WildTangent from Add/Remove Programs if it exists.
Uninstall Viewpoint Manager from Add/Remove Programs if it exists.

Kill these in Task Manager if they are running:
>>C:\WINDOWS\sysupd.exe
>>C:\WINDOWS\wt\updater\wcmdmgr.exe
>>C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
>>C:\Program Files\Common Files\Real\Update_OB\realsched.exe
Known baddies...

>>C:\WINDOWS\System32\HPZipm12.exe
Suspicious

Fix these in HijackThis:

>>R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Rich\LOCALS~1\Temp\sp.html
>>R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Rich\LOCALS~1\Temp\sp.html
>>R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Rich\LOCALS~1\Temp\sp.html
>>R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Rich\LOCALS~1\Temp\sp.html
>>R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Rich\LOCALS~1\Temp\sp.html
>>R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Rich\LOCALS~1\Temp\sp.html
>>R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.white-pages.ws/
>>R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
>>R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://searchbar.fin...iteyouneed.com/
Bad URLs

>>R3 - URLSearchHook: (no name) - 3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
>>O2 - BHO: (no name) - {6DCF2D96-62A1-4594-B469-22670AB82631} - C:\WINDOWS\System32\dhcoflb.dll
>>O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
>>O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
>>O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
>>O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
>>O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
>>O4 - HKCU\..\Run: [iedll] C:\WINDOWS\iedll.exe
>>O4 - Global Startup: hp psc 1000 series.lnk = ?
>>O4 - Global Startup: hpoddt01.exe.lnk = ?
Known baddies...

>>O19 - User stylesheet: C:\WINDOWS\Web\oslogo.bmp (file missing)
Troj/StartPa-D or similar. Likely part of a CWS infection that has already been fixed.

>>O9 - Extra button: Real.com (HKLM)
Just a little unnecessary junk...

>>O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
Loads Office at startup. Fixing may reduce startup time.



OK, now reboot to Safe Mode and delete these with Explorer if they exist. Make sure hidden files are visible.

C:\WINDOWS\sysupd.exe
C:\WINDOWS\wt
C:\Program Files\Viewpoint
C:\WINDOWS\System32\HPZipm12.exe
C:\Documents and Settings\Rich\Local Settings\Temp\ <---All files in folder
C:\WINDOWS\System32\dhcoflb.dll
C:\WINDOWS\System32\bridge.dll
C:\WINDOWS\iedll.exe
The Wereotter
Posted Image
Disabling System Restore (for XP)
Online Virus Scanners
Spybot Search & Destroy
Lavasoft Adaware
CWShredder
Javacool's SpywareBlaster
Javacool's SpywareGuard
Malware-Blocking HOSTS File
HijackThis
If you encounter any broken links, please inform me of them (virusmagnet1@viruswatch.ath.cx). Also note that these links direct through my web server to allow me to keep them up-to-date or post additional info.

#4 ssgt_easton
Posted 21 June 2004 - 12:08 PM

Otter, you are the man.

IE and AIM are working perfectly now. The only thing different is that I no longer have an icon for my printer in the tray. Can I get that back?

Thanks!
Rich

#5 ssgt_easton
Posted 21 June 2004 - 12:16 PM

Regarding the printer: I just used hijackthis to restore the one item,
>>O4 - Global Startup: hp psc 1000 series.lnk = ?

and now I have my printer icon back.

Thanks again,
Rich

#6 ssgt_easton
Posted 21 June 2004 - 03:52 PM

I'm back at the drawing board. I don't have the bridge.dll problem, but my homepage is still hijacked as well as my search function. New hijackthis log:

Logfile of HijackThis v1.97.7
Scan saved at 4:53:37 PM, on 6/21/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HJ\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Rich\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Rich\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Rich\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Rich\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Rich\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Rich\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - 3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {DE7A228A-D7D5-4201-8709-3F4001B109E7} - C:\WINDOWS\System32\ffn.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4FFB-8758-209B6AD74ACC} - C:\PROGRA~1\MICROS~4\System\MNYVIE~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM (HKLM)
O9 - Extra button: MoneySide (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8031.7278819444

#7 ssgt_easton
Posted 22 June 2004 - 12:03 PM

I tried to cure it again with ad-aware, hijackthis, etc, while system restore is disabled, but it seems to only be a temporary fix. The problem comes back in a few hours.

New hijackthis log:

Logfile of HijackThis v1.97.7
Scan saved at 1:04:31 PM, on 6/22/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJ\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Rich\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Rich\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Rich\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Rich\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Rich\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Rich\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - 3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {E708AE1F-1EBB-42EF-BC53-2EA8C64F0315} - C:\WINDOWS\System32\glagp.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4FFB-8758-209B6AD74ACC} - C:\PROGRA~1\MICROS~4\System\MNYVIE~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM (HKLM)
O9 - Extra button: MoneySide (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8031.7278819444

#8 Otter
Posted 22 June 2004 - 04:48 PM

OK, this hijacker appears to be a new CWS variant. Try CWShredder from http://www.spywarein...erijn/downloads. Not sure if this has been fully updated to remove it or not.

#9 ssgt_easton
Posted 23 June 2004 - 03:03 PM

Otter -

I downloaded CWShredder and ran it. It's acting as a temporary fix only - the problem comes back a few hours later.

Does system restore affect this in any way? And what should I do next?

#10 Otter
Posted 23 June 2004 - 09:25 PM

OK, I have since completely fixed this on one machine, so I'll recommend the same steps:

1. Download AboutBuster: http://tools.zerosre...AboutBuster.zip
2. Fix all the R0 and R1 entries in HijackThis.
3. Reboot to Safe Mode and run CWShredder and AboutBuster.
4. Reboot normally and post another HijackThis log.

Good luck!

#11 Otter
Posted 23 June 2004 - 09:47 PM

More info on AboutBuster: http://www.annoyance...inxp/1088044823. If you have any questions, post your new HijackThis log before doing anything and I'll tell you what to fix before running AboutBuster.

#12 ssgt_easton
Posted 24 June 2004 - 10:13 AM

Otter -
I'm really in the dark concerning AboutBuster. I downloaded it and tried to run it; it asks me for the website I'm being hijacked to and I tried a few things in the field: about:blank, as well as the sites listed in my first post. It keeps saying "incorrect URL" or something. What am I supposed to put there? Here's my new hijackthis log:

Logfile of HijackThis v1.97.7
Scan saved at 11:07:31 AM, on 6/24/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\HJ\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Rich\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Rich\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Rich\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - 3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4FFB-8758-209B6AD74ACC} - C:\PROGRA~1\MICROS~4\System\MNYVIE~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM (HKLM)
O9 - Extra button: MoneySide (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8031.7278819444

#13 Otter
Posted 24 June 2004 - 03:26 PM

My apologies, I was thinking this was the wrong hijacker. There is one that hijacks to res://<random>.dll\sp.html#<random>. The only other thing I can think of is to run all the tools in my signature, once normally, then in Safe Mode. If that doesn't knock it out, then I'm out of ideas, and you REALLY need an expert....

These were the only suspicious entries, and since they look the same as before, I doubt fixing them will fix the problem...

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Rich\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Rich\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Rich\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - 3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
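Otter's checklist in post #3 (search settings pointing at a local sp.html under Temp, a URLSearchHook with no file, an unnamed BHO that is not a known vendor component, a startup entry whose file is missing) is a reviewable rule set, and the scans in posts #1, #6 and #7 show why a single scan is not enough: the unnamed BHO comes back each time under a different random DLL name (dhcoflb.dll, ffn.dll, glagp.dll). The Python below is an added example, not part of this thread or of HijackThis itself. It applies those rules to log entry lines and compares two scans so that entries rewritten between scans stand out. The vendor allowlist of BHO paths and the two log excerpts are assumptions constructed from the logs posted above.

```python
"""Triage helper for HijackThis-style log lines.

Added example, not part of the SpywareInfo thread or of HijackThis.
Encodes the review criteria applied in the thread and diffs two scans
so that a BHO whose DLL is renamed on each reinfection shows up as
removed/added. Sample lines are constructed excerpts of posted logs.
"""
import re
from typing import Dict, List, Tuple

# One entry per line: "<section> - <rest>", e.g. "O2 - BHO: (no name) - {GUID} - C:\...dll"
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")

# Assumed allowlist: unnamed BHOs the thread left alone (vendor components).
BHO_ALLOWLIST = (
    r"\Adobe\Acrobat",
    r"\Norton AntiVirus\NavShExt",
    r"\MICROS~4\System\MNYVIE",
    r"\Spybot - Search & Destroy\SDHelper",
)


def parse_entries(log_text: str) -> List[Tuple[str, str]]:
    """Return (section, body) pairs for the entry lines of a log; other lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def flag_entry(section: str, body: str) -> str:
    """Return a short reason if the entry matches a hijacker pattern, else ''."""
    low = body.lower()
    if section in ("R0", "R1"):
        # Search Bar / Search Page / SearchAssistant pointed at a local file
        # under the user's Temp folder is the signature of this hijack.
        if "file://" in low and "\\temp\\" in low:
            return "search setting points at a local file under Temp"
        if "homeoldsp = about:blank" in low:
            return "home page reset to about:blank"
    if section == "R3" and "(no file)" in low:
        return "URLSearchHook with no backing file"
    if section == "O2" and "(no name)" in low:
        # Unnamed BHOs are normal for some vendors; anything else is suspect.
        if not any(a.lower() in low for a in BHO_ALLOWLIST):
            return "unnamed BHO not on vendor allowlist"
    if section == "O19" and "file missing" in low:
        return "user stylesheet entry with missing file"
    return ""


def triage(log_text: str) -> List[Tuple[str, str, str]]:
    """(section, body, reason) for every entry the rules flag, in log order."""
    out = []
    for section, body in parse_entries(log_text):
        reason = flag_entry(section, body)
        if reason:
            out.append((section, body, reason))
    return out


def diff_scans(old: str, new: str) -> Dict[str, List[str]]:
    """Entry lines that disappeared or appeared between two scans (exact compare)."""
    old_set = {f"{s} - {b}" for s, b in parse_entries(old)}
    new_set = {f"{s} - {b}" for s, b in parse_entries(new)}
    return {"removed": sorted(old_set - new_set), "added": sorted(new_set - old_set)}


# Constructed excerpts of the scans posted on 6/20 and 6/21.
SCAN_1 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Rich\LOCALS~1\Temp\sp.html
R3 - URLSearchHook: (no name) - 3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {6DCF2D96-62A1-4594-B469-22670AB82631} - C:\WINDOWS\System32\dhcoflb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O19 - User stylesheet: C:\WINDOWS\Web\oslogo.bmp (file missing)
"""
SCAN_2 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Rich\LOCALS~1\Temp\sp.html
R3 - URLSearchHook: (no name) - 3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {DE7A228A-D7D5-4201-8709-3F4001B109E7} - C:\WINDOWS\System32\ffn.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"""

if __name__ == "__main__":
    for sec, body, why in triage(SCAN_2):
        print(f"{sec}: {why}\n    {body}")
    changes = diff_scans(SCAN_1, SCAN_2)
    print("removed since last scan:", *changes["removed"], sep="\n  ")
    print("added since last scan:", *changes["added"], sep="\n  ")
```

Run against the second excerpt, the rules flag the R1 search setting, the R3 hook and the ffn.dll BHO, and the diff shows dhcoflb.dll gone and ffn.dll in its place while the R0/R1 lines are unchanged: the persistent part of the infection is the unnamed BHO, not the search settings it keeps rewriting.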

#14 ssgt_easton
Posted 25 June 2004 - 10:27 AM

Otter -

Your sig is gone! Can you post it again?

Also, where do I find an "expert?"

Rich

p.s. This thing is spreading - I now know of four people that have it just in my neighborhood.

#15 ssgt_easton
Posted 25 June 2004 - 10:28 AM

Oops, scratch that, now your sig is ok.

#16 Otter
Posted 25 June 2004 - 01:12 PM

For an expert, you'll just have to wait... They're at least several days behind due to the new hijackers coming out (i.e. the new about:blank hijacker that I mentioned earlier...).

#17 Otter
Posted 26 June 2004 - 09:41 PM

:whistle: Silly me, I've seen this hijacker before.... :ugh:

http://www.computerc...nt-1-43426.html

Sorry I didn't think of it sooner. My computer, and thus my mind, has been :weee: lately... :gah:
Let me know if you have any questions about those instructions.

Edited by Otter, 26 June 2004 - 09:51 PM.


#18 ssgt_easton
Posted 27 June 2004 - 01:17 PM

I followed the directions, including using the console, etc. and the process worked fine up until step "4) Edit registry to remove the second file." My hijackthis results don't display the "obvious.dll" so I don't know what to delete.
I only get results in the temp folder. See below:

Logfile of HijackThis v1.97.7
Scan saved at 2:11:00 PM, on 6/27/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Anti-Spyware\HJ\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Rich\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Rich\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Rich\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Rich\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Rich\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Rich\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - 3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Anti-Spyware\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {8BAC18E4-F4F6-4104-BBD9-A5C34C89CFD0} - C:\WINDOWS\System32\bidjfja.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4FFB-8758-209B6AD74ACC} - C:\PROGRA~1\MICROS~4\System\MNYVIE~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM (HKLM)
O9 - Extra button: MoneySide (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8031.7278819444

#19 ssgt_easton
Posted 27 June 2004 - 02:03 PM

Otter -

I did some reading on a link off the thread you linked me to. What do you make of this? Start reading around Response #12

http://www.computing...rum/158464.html

I'm not about to try it; I'm just curious.

#20 Otter
Posted 27 June 2004 - 04:53 PM

You'll want to fix these, then delete this file (C:\WINDOWS\System32\bidjfja.dll).
As to that post, I wouldn't try it. If they are unscrupulous enough to install the thing just by your visiting a web page, then I wouldn't be at all surprised if they also send you something to fix it (with a trojan attached, of course...)!

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Rich\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Rich\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Rich\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Rich\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Rich\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Rich\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - 3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {8BAC18E4-F4F6-4104-BBD9-A5C34C89CFD0} - C:\WINDOWS\System32\bidjfja.dll

Edited by Otter, 27 June 2004 - 04:55 PM.


#21 ssgt_easton
Posted 27 June 2004 - 06:47 PM

It looks like that did it.

I'll reply again tomorrow when I'm sure it's really gone.

Thanks again,
Rich

#22 ssgt_easton
Posted 28 June 2004 - 05:08 PM

It did fix the problem. My computer is finally cured.

Thanks again,
Rich



