CWS.Searchx



#1 mag00

mag00

    Member

  • New Member
  • 4 posts

Posted 22 June 2004 - 10:56 PM

First, my apologies for my horrible English. Please forget my errors in words and in my writing.

I will try to explain this.
I have had this problem for a week now.

My configuration is:
Windows XP Professional (all updates made in Windows Update, except for DirectX 9.0)
Service Pack 1a
BlackICE 3.5 firewall
Norton SystemWorks
Ad-Aware 6.0

I've used CWShredder 1.59 and it removed this stupid malicious code, but it always returns.

My log generated by HijackThis:
Logfile of HijackThis v1.97.7
Scan saved at 00:28:36, on 23/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
D:\Program Files\ISS\BlackICE\blackd.exe
D:\Program Files\ISS\BlackICE\blackice.exe
D:\WINDOWS\System32\cmd.exe
D:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
D:\Program Files\f@h2\fah4console.exe
D:\WINDOWS\System32\cmd.exe
D:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
D:\Program Files\f@h\fah4console.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\Program Files\ISS\BlackICE\rapapp.exe
D:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
D:\Program Files\f@h\FahCore_79.exe
D:\Program Files\f@h2\FahCore_78.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
D:\hjk\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://D:\DOCUME~1\mag00\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://D:\DOCUME~1\mag00\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://D:\DOCUME~1\mag00\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://D:\DOCUME~1\mag00\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://D:\DOCUME~1\mag00\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://D:\DOCUME~1\mag00\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3FBEE2F9-65E5-4AB8-B2D9-0A493FB66EE7} - D:\WINDOWS\System32\ejopdha.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] D:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] D:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BlackICE Utility.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Shortcut to start.lnk = D:\Program Files\f@h2\start.bat
O4 - Global Startup: Shortcut to start2.lnk = D:\Program Files\f@h\start2.bat
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://D:\Documents and Settings\mag00\Local Settings\Temp\EI40_\msxml4.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38141.7091898148
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/Sasser/20/SassCln.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C49E9EBB-2772-4707-8434-D9DB3D3971FB}: NameServer = 200.204.0.10

I'm going crazy with this! :grrr:

Please, if someone helps me I'll be very thankful.

#2 theXplore

theXplore

    Member

  • Full Member
  • 11 posts

Posted 22 June 2004 - 11:15 PM

[Restart the Machine]

As a first thing, run HijackThis and fix the following.
Make sure that you don't open any other application window.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://D:\DOCUME~1\mag00\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://D:\DOCUME~1\mag00\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://D:\DOCUME~1\mag00\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://D:\DOCUME~1\mag00\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://D:\DOCUME~1\mag00\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://D:\DOCUME~1\mag00\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O17 - HKLM\System\CCS\Services\Tcpip\..\{C49E9EBB-2772-4707-8434-D9DB3D3971FB}: NameServer = 200.204.0.10

[Clean the Temporary files]

Start > Run > type cleanmgr
Select C: drive and clean all the temporary files


I suspect the following one:

O2 - BHO: (no name) - {3FBEE2F9-65E5-4AB8-B2D9-0A493FB66EE7} - D:\WINDOWS\System32\ejopdha.dll

Go to D:\WINDOWS\System32, select the file ejopdha.dll,
right-click and choose Properties > Version tab.

Check the Company Name, Description and so on; if it does look legitimate to you, take a backup of the file, fix the same in HijackThis and also
delete the file from D:\WINDOWS\System32\.

Except for the above your log file is pretty clean.
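The triage theXplore does by eye above, written out as an added Python example (it is not code from this thread, from HijackThis or from any of the tools mentioned). The sample entries are a constructed subset of the log posted in #1; the rules (an IE search page redirected to a file:// URL in a Temp folder, a BHO with no name loaded from System32, the non-standard HomeOldSP value, and a per-adapter NameServer override to be confirmed against the ISP) are my own heuristics for this family of hijack, not anything HijackThis itself reports.

```python
import re

# Constructed sample: a subset of the HijackThis entries posted earlier in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://D:\DOCUME~1\mag00\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://D:\DOCUME~1\mag00\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3FBEE2F9-65E5-4AB8-B2D9-0A493FB66EE7} - D:\WINDOWS\System32\ejopdha.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] D:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{C49E9EBB-2772-4707-8434-D9DB3D3971FB}: NameServer = 200.204.0.10
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")


def parse_entries(log_text):
    """Return (kind, body) for every R*/O* line; headers and the process list are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def triage(log_text):
    """Apply the heuristics and return (severity, kind, reason, entry) tuples."""
    findings = []
    for kind, body in parse_entries(log_text):
        if kind in ("R0", "R1"):
            key, _, value = body.partition(" = ")
            lowered = value.lower()
            if lowered.startswith("file://") and "\\temp\\" in lowered:
                # IE start/search pages pointed at a local HTML file in a Temp folder:
                # the about:blank / sp.html hijack seen in this thread.
                findings.append(("HIGH", kind, "search page redirected to a local file in Temp", body))
            elif key.endswith("HomeOldSP"):
                # Not a stock IE setting; treat it as a leftover of the hijack and review it.
                findings.append(("REVIEW", kind, "non-standard HomeOldSP value", body))
        elif kind == "O2":
            m = BHO_RE.match(body)
            if m and m.group("name") == "(no name)" and "\\system32\\" in m.group("path").lower():
                # A BHO with no registered name living in System32 under a random-looking
                # filename is what theXplore singled out; named or vendor-pathed BHOs pass.
                findings.append(("HIGH", kind, "unnamed BHO loaded from System32", body))
        elif kind == "O17":
            # A per-adapter DNS override is not malicious by itself; confirm the address
            # belongs to your ISP before leaving it in place.
            findings.append(("REVIEW", kind, "DNS NameServer override, confirm it is your ISP's", body))
    return findings


def count_by_severity(findings):
    counts = {}
    for severity, *_ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    for severity, kind, reason, entry in triage(SAMPLE_LOG):
        print(f"[{severity}] {kind}: {reason}\n    {entry}")
```

Run against the sample it flags the two file:// search entries and ejopdha.dll as HIGH, leaves the Adobe and Norton BHOs alone, and lists HomeOldSP and the NameServer line for review. Paste a real log into SAMPLE_LOG to use it on another machine.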

#3 Archon_Wing

Archon_Wing

    Donut Patron

  • Trusted Advisor
  • 368 posts

Posted 22 June 2004 - 11:32 PM

theXplore, Please see The various helper groups here. Do join the team if you want to post help, we'd love to have you with us. :)

The fix suggested above will get rid of it for a while, but it will come back. There's a hidden file that will make it come back.

Mag00,

Download Registrar Lite:
http://www.resplendence.com/reglite


Setting up:
Install Registrar Lite.



Start:
Copy and paste this line to reglite's address bar. Then press 'Go':
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

And hit the "Go" tab.
Find the "AppInit_DLLs" value in the right-side panel, double-click it, and copy and post here the following fields:
-Size:
-Value:

Post the above results and a new HiJackThis log in this thread.

Edited by Archon_Wing, 22 June 2004 - 11:33 PM.

Rights are never important until you don't have them.
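Archon_Wing's AppInit_DLLs check, as an added Python example that is not from this thread, from Registrar Lite or from Microsoft. It parses constructed text in the shape of `reg query` output for the key named above (the first sample mirrors the value mag00 later reported, the second is a clean key; the other value names are ordinary members of that key) and lists every DLL the value would inject into each GUI process at start-up. The delimiter rule (space or comma separated, no quoting) and the `in_system32` flag are my assumptions for the example.

```python
import re
from pathlib import PureWindowsPath

# Constructed samples modelled on the output of
#   reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
# INFECTED mirrors the value reported in this thread; CLEAN is the expected empty state.
INFECTED = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs    REG_SZ    D:\WINDOWS\System32\d3deiil.dll
    DeviceNotSelectedTimeout    REG_SZ    15
    TransmissionRetryTimeout    REG_SZ    90
"""

CLEAN = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs    REG_SZ
    DeviceNotSelectedTimeout    REG_SZ    15
    TransmissionRetryTimeout    REG_SZ    90
"""

# One indented "name  type  data" line per value; the data part may be empty.
VALUE_RE = re.compile(r"^\s+(?P<name>\S+)\s+(?P<type>REG_[A-Z_]+)\s*(?P<data>.*)$")


def parse_reg_query(text):
    """Map value name -> (type, data) from reg query style output."""
    values = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line)
        if m:
            values[m.group("name")] = (m.group("type"), m.group("data").strip())
    return values


def appinit_dlls(values):
    """AppInit_DLLs holds zero or more DLL paths separated by spaces or commas (assumed)."""
    _, data = values.get("AppInit_DLLs", ("REG_SZ", ""))
    return [p for p in re.split(r"[ ,]+", data) if p]


def assess(text):
    """One finding per listed DLL; an empty list is the normal state on a stock XP install."""
    findings = []
    for path in appinit_dlls(parse_reg_query(text)):
        findings.append({
            "path": path,
            "file": PureWindowsPath(path).name,
            # A DLL parked in System32 under an unfamiliar name, as here, deserves a closer look.
            "in_system32": "\\system32\\" in path.lower(),
        })
    return findings


if __name__ == "__main__":
    for label, sample in (("infected", INFECTED), ("clean", CLEAN)):
        print(label, assess(sample) or "AppInit_DLLs is empty")
```

Anything listed here is loaded by user32.dll into every process that links it, which is why the about:blank entries kept coming back after CWShredder removed them: the injected DLL simply rewrote them. Later Windows versions gate this mechanism behind LoadAppInit_DLLs and RequireSignedAppInit_DLLs, and with Secure Boot it is disabled altogether, but on XP the only protection is checking the value.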

#4 mag00

mag00

    Member

  • New Member
  • 4 posts

Posted 23 June 2004 - 08:30 PM

Hello!! New log file here and the other two pieces of information that you asked for:

In the registry -> Size: 32
-> Value: D:\WINDOWS\System32\d3deiil.dll

New log file:
Logfile of HijackThis v1.97.7
Scan saved at 22:23:54, on 23/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
D:\Program Files\ISS\BlackICE\blackd.exe
D:\Program Files\ISS\BlackICE\blackice.exe
D:\WINDOWS\System32\cmd.exe
D:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
D:\Program Files\f@h2\fah4console.exe
D:\WINDOWS\System32\cmd.exe
D:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
D:\Program Files\f@h\fah4console.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
D:\Program Files\f@h2\FahCore_78.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
D:\Program Files\HLSW\hlsw.exe
D:\Program Files\f@h\FahCore_78.exe
D:\Program Files\Outlook Express\msimn.exe
D:\Program Files\Registrar Lite\rl.exe
D:\hjk\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://D:\DOCUME~1\mag00\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://D:\DOCUME~1\mag00\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://D:\DOCUME~1\mag00\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://D:\DOCUME~1\mag00\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://D:\DOCUME~1\mag00\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://D:\DOCUME~1\mag00\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3FBEE2F9-65E5-4AB8-B2D9-0A493FB66EE7} - D:\WINDOWS\System32\ejopdha.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] D:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] D:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BlackICE Utility.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Shortcut to start.lnk = D:\Program Files\f@h2\start.bat
O4 - Global Startup: Shortcut to start2.lnk = D:\Program Files\f@h\start2.bat
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://D:\Documents and Settings\mag00\Local Settings\Temp\EI40_\msxml4.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38141.7091898148
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/Sasser/20/SassCln.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C49E9EBB-2772-4707-8434-D9DB3D3971FB}: NameServer = 200.204.0.10


Just to mention, I don't know if it's important... I have dual boot on this machine: local C: with W2K Server and local D: with WXP Prof. The spy is just in WXP.

Thanks

#5 Archon_Wing

Archon_Wing

    Donut Patron

  • Trusted Advisor
  • 368 posts

Posted 23 June 2004 - 09:15 PM

First download Winfile. http://www10.brinkst...last/pvtool.htm (Second one)
Unzip this file to its own folder.

Now we are going to get rid of the hidden DLL that is causing all the problems.
In Registrar Lite:
=====================================
First we need to make it visible:
Copy and paste this line to reglite's address bar. Then press 'Go':

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

Rename the Folder Windows to NotWindows
(the folder is highlighted as a purple folder in the left hand pane of reglite)

Click "AppInit_DLLs" again and clear the data value:
C:\WINDOWS\System32\d3deiil.dll <-- delete this line,
'Apply' and 'ok' to set.

Rename the NotWindows folder back to its original name Windows
========================================
Restart your computer.

After restart, try to locate the d3deiil.dll in System32 folder but Don't attempt to delete it yet.

Go to your root drive: C:\ And create new folder.
Name it: "junk"
===============================

Run the 'Winfile' you previously downloaded and unzipped.
Expand and navigate to System32 folder.
You need to navigate by Double clicking to expand.

When in System32 click top menu: File --> Select files
Copy and paste to the box: d3deiil.dll and hit Select.
Find and highlight that file.
Next, in the top menu > Security > Permissions, tell us what is listed there for that file.
Also check the 'Owner' tab.

Lastly, try this: Menu -File --> move...
In From: Copy/paste:
C:\WINDOWS\System32\d3deiil.dll

In To: Copy and paste:
C:\junk\d3deiil.dll

Then hit ok.

Close Winfile and check in C:\junk for that file.

No further action is needed yet...

Post back results for now.
Rights are never important until you don't have them.

#6 mag00

mag00

    Member

  • New Member
  • 4 posts

Posted 23 June 2004 - 11:14 PM

I think that it solved my problem :)
Thank you for the help :)

Logfile of HijackThis v1.97.7
Scan saved at 01:11:28, on 24/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\ISS\BlackICE\blackd.exe
D:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
D:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
D:\WINDOWS\System32\nvsvc32.exe
D:\Program Files\ISS\BlackICE\rapapp.exe
D:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
D:\WINDOWS\Explorer.EXE
D:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
D:\Program Files\ISS\BlackICE\blackice.exe
D:\WINDOWS\System32\cmd.exe
D:\WINDOWS\System32\cmd.exe
D:\Program Files\f@h2\fah4console.exe
D:\Program Files\f@h\fah4console.exe
D:\Program Files\f@h2\FahCore_78.exe
D:\Program Files\f@h\FahCore_78.exe
D:\hjk\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://D:\DOCUME~1\mag00\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://D:\DOCUME~1\mag00\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://D:\DOCUME~1\mag00\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://D:\DOCUME~1\mag00\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://D:\DOCUME~1\mag00\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://D:\DOCUME~1\mag00\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] D:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] D:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BlackICE Utility.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Shortcut to start.lnk = D:\Program Files\f@h2\start.bat
O4 - Global Startup: Shortcut to start2.lnk = D:\Program Files\f@h\start2.bat
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://D:\Documents and Settings\mag00\Local Settings\Temp\EI40_\msxml4.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38141.7091898148
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/Sasser/20/SassCln.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C49E9EBB-2772-4707-8434-D9DB3D3971FB}: NameServer = 200.204.0.10


#7 Archon_Wing

Archon_Wing

    Donut Patron

  • Trusted Advisor
  • 368 posts

Posted 24 June 2004 - 12:51 AM

Just a bit more
Go ahead and use the security tab on the file (in Winfile) and take ownership.
Change the permissions to 'you --> with Admin rights-> FULL control
Then try to delete it, if that fails try to rename it first to different name+ext.
You can do it all in Winfile.
Ex:
d3deiil.dll.dll >bleh.txt
bleh.txt > badfile.111
Few times... Etc.
Or you can try deleting the entire junk folder.


After that,
Run Cwshredder and adaware again with the latest updates.
Then,
Restart and Post a new HiJackThis log in this thread.

Edited by Archon_Wing, 24 June 2004 - 06:27 PM.

Rights are never important until you don't have them.

#8 scratch

scratch

    Member

  • New Member
  • 1 posts

Posted 24 June 2004 - 02:16 AM

Hello, I'm having the same problem. Should I start a new post?
Scratch

#9 Archon_Wing

Archon_Wing

    Donut Patron

  • Trusted Advisor
  • 368 posts

Posted 24 June 2004 - 06:27 PM

Yes, and post your Hijack This log too there.
Rights are never important until you don't have them.

#10 mag00

mag00

    Member

  • New Member
  • 4 posts

Posted 24 June 2004 - 10:54 PM

Without a restart:

Logfile of HijackThis v1.97.7
Scan saved at 00:53:03, on 25/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\ISS\BlackICE\blackd.exe
D:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
D:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
D:\WINDOWS\System32\nvsvc32.exe
D:\Program Files\ISS\BlackICE\rapapp.exe
D:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
D:\WINDOWS\Explorer.EXE
D:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
D:\Program Files\ISS\BlackICE\blackice.exe
D:\WINDOWS\System32\cmd.exe
D:\WINDOWS\System32\cmd.exe
D:\Program Files\f@h\fah4console.exe
D:\Program Files\f@h2\fah4console.exe
D:\Program Files\f@h2\FahCore_79.exe
D:\Program Files\f@h\FahCore_78.exe
D:\Program Files\HLSW\hlsw.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Kazaa Lite Resurrection\kazaalite.kpp
D:\hjk\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://D:\DOCUME~1\mag00\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://D:\DOCUME~1\mag00\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://D:\DOCUME~1\mag00\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://D:\DOCUME~1\mag00\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://D:\DOCUME~1\mag00\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://D:\DOCUME~1\mag00\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] D:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] D:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BlackICE Utility.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Shortcut to start.lnk = D:\Program Files\f@h2\start.bat
O4 - Global Startup: Shortcut to start2.lnk = D:\Program Files\f@h\start2.bat
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://D:\Documents and Settings\mag00\Local Settings\Temp\EI40_\msxml4.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38141.7091898148
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/Sasser/20/SassCln.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C49E9EBB-2772-4707-8434-D9DB3D3971FB}: NameServer = 200.204.0.10


#11 taupokiwi

taupokiwi

    Member

  • Full Member
  • 3 posts

Posted 25 June 2004 - 01:04 AM

I used these instructions and they removed CWS.Searchx. Nothing else did. My about:blank is now gone. FANTASTIC!!! Hugely grateful to Archon Wing. :lol:

#12 Archon_Wing

Archon_Wing

    Donut Patron

  • Trusted Advisor
  • 368 posts

Posted 25 June 2004 - 06:39 PM

Select the following, close all browser windows including this one and fix:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://D:\DOCUME~1\mag00\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://D:\DOCUME~1\mag00\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://D:\DOCUME~1\mag00\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://D:\DOCUME~1\mag00\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://D:\DOCUME~1\mag00\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://D:\DOCUME~1\mag00\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

Edited by Archon_Wing, 25 June 2004 - 06:39 PM.

Rights are never important until you don't have them.

#13 kingmickey

kingmickey

    Member

  • New Member
  • 2 posts

Posted 26 June 2004 - 12:38 AM

Thank you guys for figuring out this solution to the about:blank problem. It plagued me for two days... I think this thread should be featured and locked somewhere so as to make it easier for hijacked homepage sufferers to find.



