

My hijacker is back Clay


Name: dmschave
Date: April 30, 2004 at 21:19:35 Pacific
OS: xp
CPU/Ram: pent 4 / 512
Comment:

AOSClay

Hey, it's Dave. The hijack is back, I have no idea how, I haven't been on the internet at all except to play FF11 and to check Hotmail. So it must have reloaded itself from within my computer. What should I do?

Should I post my log this time? I keep running the spyware killer programs (TDS-3, Ad-aware, CWShredder, Spybot) and they keep coming up with the same thing.

Please help, I'm getting really frustrated.

-Dave




Response Number 1
Name: aosclay
Date: May 1, 2004 at 06:30:54 Pacific
Reply:

in my best pirate voice:

Arrgh...the scourge of the hijack!

LOL...

Sure, DAVE (and I mean Dave this time) go ahead and post your log. I'll be in and out this weekend, but I'll give it a look as soon as I can.

AOSCLAY



Response Number 2
Name: Thresher
Date: May 1, 2004 at 07:28:27 Pacific
Reply:

Since you have Win XP (or Me), did you clear your System Restore? They will hide in there and jump back. In Me it goes:

start > settings > control panel > system icon > performance tab > File System > troubleshooting tab > check "disable system restore" > close to control panel > restart if indicated (I restart anyway), repeat the above and uncheck "disable system restore" > restart if indicated (do it anyway, won't hurt), and then go to start > settings > programs > accessories > system tools > system restore and create a new restoration date. HOWEVER: DO NOT do this part until you are 100% sure you have cleaned it ALL out.

Also, Wilder Sec has a cure for the startpage virus at:

http://www.wilderssecurity.com/showthread.php?t=29589

Thresher



Response Number 3
Name: dmschave
Date: May 1, 2004 at 09:19:23 Pacific
Reply:

Ok here it is:

---------------
Logfile of HijackThis v1.97.7
Scan saved at 12:13:51 PM, on 5/1/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.exe
C:\WINDOWS\System32\CTHELPER.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\David Schave\Desktop\antihack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\mepce.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\mepce.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\mepce.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\mepce.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\mepce.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\mepce.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {FB93A881-0C12-470A-B468-13EBF7187AA8} - C:\WINDOWS\System32\mepce.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.exe
O4 - HKLM\..\Run: [AsioReg] REGSVR32.exe /S CTASIO.DLL
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AceGain LiveUpdate] C:\Program Files\AceGain\LiveUpdate\LiveUpdate.exe
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] /L:ENG
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM (HKLM)
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe
O16 - DPF: {82202BE7-C56A-487E-9E55-D84BDC1A5776} (AnarkClient Class) - http://install.anark.com/client/version1/windows-ie/en/AMClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37925.5432291667
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4333/mcfscan.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab

---------------

I'm sure it is all the "sp.html" stuff, but I have tried (and I thought succeeded) twice to kill it and it keeps coming back. How do I kill this thing permanently?

Thanks for the advice, Thresher, I will try that link when I get home from work, and re-do my System Restore when I kill this bad boy.

On a side note, I had said before that I can't seem to update some of my anti-hack software... are these versions the most up-to-date?
Ad-Aware 6.0
Spybot 1.2
CWShredder 1.52.1
Hijackthis 1.97.7
TDS-3

Thanks again.
-Dave


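The log above is the material everyone in the thread is working from, so here is an added example (not code from the thread and not part of HijackThis) that does the triage by script: it groups every R0/R1 start/search value whose data is a res:// URL by the DLL the URL points into, attaches any O2 BHO registered from that same DLL, and lists the about:blank entries separately, since those values are harmless by themselves. The embedded log is a constructed subset of the posted one; the only assumption is the HijackThis 1.x line layout shown in the post.

```python
"""Triage a HijackThis 1.x log for the CoolWebSearch "about:blank" pattern.

Added example, not code from the thread or from HijackThis.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the log posted in the thread, same line format.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\mepce.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\mepce.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {FB93A881-0C12-470A-B468-13EBF7187AA8} - C:\WINDOWS\System32\mepce.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
"""

# R0/R1 lines: "R1 - <registry key>,<value name> = <data>"
R_LINE = re.compile(r"^R[01] - (?P<key>[^=]+?) = (?P<value>.*)$")
# O2 lines: "O2 - BHO: <name> - {CLSID} - <dll path>"
O2_LINE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
# A res:// URL loads an HTML resource embedded in a local DLL; the DLL path is
# everything between "res://" and the next "/".
RES_URL = re.compile(r"^res://(?P<dll>.+?\.dll)/", re.IGNORECASE)


def triage(log_text):
    """Return ({dll_path: {"r_entries": [...], "bho_clsids": [...]}}, residual_keys).

    dll_path is lower-cased so the R value and the O2 path match regardless of
    how HijackThis printed the case. residual_keys are the R entries set to
    about:blank: not malicious, just what the hijacker left behind.
    """
    hijacked = defaultdict(lambda: {"r_entries": [], "bho_clsids": []})
    residual = []
    bhos = []

    for line in log_text.splitlines():
        m = R_LINE.match(line)
        if m:
            value = m.group("value").strip()
            res = RES_URL.match(value)
            if res:
                hijacked[res.group("dll").lower()]["r_entries"].append(m.group("key"))
            elif value.lower().startswith("about:blank"):
                residual.append(m.group("key"))
            continue
        m = O2_LINE.match(line)
        if m:
            bhos.append((m.group("clsid").upper(), m.group("path").strip().lower()))

    # Second pass: a BHO registered from the same DLL the R values point into is
    # the in-browser half of the hijack; fixing only the R values leaves it loaded.
    for clsid, path in bhos:
        if path in hijacked:
            hijacked[path]["bho_clsids"].append(clsid)

    return dict(hijacked), residual


if __name__ == "__main__":
    found, leftovers = triage(SAMPLE_LOG)
    for dll, info in found.items():
        print(f"hijack DLL: {dll}")
        for key in info["r_entries"]:
            print(f"  R entry : {key}")
        for clsid in info["bho_clsids"]:
            print(f"  BHO     : {{{clsid}}}")
    for key in leftovers:
        print(f"about:blank leftover (safe to fix): {key}")
```

Run against the full posted log, the grouping shows the same thing aosclay lists by hand in his reply: every res:// entry points into the one DLL that also owns the unnamed BHO, and the four about:blank values are the only R entries left once that is gone.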

Response Number 4
Name: Thresher
Date: May 1, 2004 at 12:07:46 Pacific
Reply:

Dave:

#1 I would go to the individual panel of each spyware service and click for updates, unless of course you bought automatic updates from the paying kind. I have Ad-Aware 6.0 and SB 1.2, but there are updates every so often. I check once per week. If it tells you 'no updates available' then you have the latest.

#2 I would disable/re-enable the System Restore, no problem, but do not create a NEW restoration point until clean, and before doing that disable/re-enable finally, then run all your scans (AV, spyware, etc.) from Safe Mode.

#3 You may want to download and apply Script Sentry (Jason's Tool Box), SpywareBlaster, SpywareGuard (auto-update = $$), and MRU Blaster and keep them updated. They are all free, but you must update them manually. They all use bare minimum resources, and they all run backstage.

#4 If you are not already, do your scans from Safe Mode.

I do not have the confidence to direct others to fix an HJT log yet. You can also get an HJT log read at:

http://forums.tomcoyote.com/
the 'Open Forum'

ktic--
Thresher




Response Number 5
Name: MrCharlie
Date: May 1, 2004 at 12:22:57 Pacific
Reply:

You have a new variant of the CoolWebSearch, a browser hijacker. Follow the directions below. MrC

The following *updated* manual fix should work:
Download this zip: FIX, unzip it to the desktop.
Be sure to have at least 1 Internet Explorer open, then double click on the runme.bat.
Notepad will open with a log in it. Look for a line with this file, size and beginning to it. The filename will always be different:
winajbm.dll 61c00000 61440 c:\windows\system32\winajbm.dll

This part indicates the bad file:
61c00000 61440
It will always start with that header.
Write down the filename behind it.

Now download KillBox:
KillBox
Unzip and run it.
Don't click any of the buttons though, instead please click on the Action menu and choose "Delete on Reboot".
On the next screen, click on the File menu and choose "Add File". The file you copied earlier should now show up in the window. If that's successful, choose the Action menu and select "Process and Reboot". You'll be prompted to reboot, do so.
After rebooting, make sure the file is gone.


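The one step in the fix above that is easy to get wrong is reading the right filename out of the Notepad log, since the name is random and only the "61c00000 61440" pair identifies it. This added example (not the fix's own code, and not KillBox) does that lookup over a module listing and refuses to name a target when the indicator is ambiguous. The line layout "<name> <base> <size> <path>" is taken from the single line quoted in the post; the other lines in the sample are constructed filler, and the script assumes one module per line.

```python
"""Pick the CoolWebSearch DLL out of the module listing the fix's runme.bat
shows in Notepad, using the load address and size quoted in the post.

Added example, not the fix's own code.
"""
import re

# Indicator quoted in the post: load address 61c00000, size 61440 bytes.
INDICATOR_BASE = 0x61C00000
INDICATOR_SIZE = 61440

# Constructed sample listing; only the winajbm.dll line is from the post.
SAMPLE_MODULES = r"""
ntdll.dll 77f50000 643072 c:\windows\system32\ntdll.dll
kernel32.dll 77e60000 983040 c:\windows\system32\kernel32.dll
winajbm.dll 61c00000 61440 c:\windows\system32\winajbm.dll
browseui.dll 75f80000 1032192 c:\windows\system32\browseui.dll
"""

# "<name> <hex base> <decimal size> <path, may contain spaces>"
MODULE_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<base>[0-9a-f]{8})\s+(?P<size>\d+)\s+(?P<path>\S.*)$",
    re.IGNORECASE,
)


def find_indicator_modules(listing, base=INDICATOR_BASE, size=INDICATOR_SIZE):
    """Return the paths of modules loaded at `base` with exactly `size` bytes.

    Both fields must match: a DLL of the same size at another address, or at
    the right address with another size, is not a hit.
    """
    hits = []
    for line in listing.splitlines():
        m = MODULE_LINE.match(line.strip())
        if not m:
            continue
        if int(m.group("base"), 16) == base and int(m.group("size")) == size:
            hits.append(m.group("path").strip())
    return hits


def target_for_killbox(listing):
    """The single path to hand to the delete-on-reboot step, or None.

    Zero hits means the indicator is absent; more than one means it is
    ambiguous on this machine and someone has to look before deleting.
    """
    hits = find_indicator_modules(listing)
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    target = target_for_killbox(SAMPLE_MODULES)
    print("delete on reboot:", target if target else "no unambiguous match")
```

The path this returns is the one to type into the "Delete on Reboot" dialog; after the reboot, confirm the file is gone and that the R entries in a fresh HijackThis log no longer point into a DLL.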




Response Number 6
Name: aosclay
Date: May 1, 2004 at 13:09:41 Pacific
Reply:

LOL...Now that I think about it, I don't think we ever got around to addressing your problem in your first post. Anyway, here we go.


These all need to go. Have HijackThis fix them:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\mepce.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\mepce.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\mepce.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\mepce.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\mepce.dll/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\mepce.dll/sp.html (obfuscated)

O2 - BHO: (no name) - {FB93A881-0C12-470A-B468-13EBF7187AA8} - C:\WINDOWS\System32\mepce.dll


Though not inherently evil (especially if your home page is set to blank), you might as well go ahead and kill these too. (Yes, your browser should still work just fine with no R0-R1 "items" present in your log. If it doesn't, you can add items back from HijackThis back-ups.)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

When you are done with this part, please go into your internet options and reset your homepage.

Now, on with other items...


You asked:
"On a side note- i had said before that i cant seem to update some of my anti-hack software ... are these versions the most up-to-date?"

Ad-Aware 6.0
I can't tell by this. You can download the latest reflist and install it manually if the built-in update is not working. Check this site to download the latest update: Ad-Aware 6. You might have to navigate back to their homepage to find it.

Spybot 1.2
I can't tell by this. You can download the latest Includes file and install it manually if the built-in update is not working. Same thing here: SpyBot S&D. Again, you might have to do some browsing to find it.

CWShredder 1.52.1
Your CWShredder is VERY out of date. Update and use it if you can.
CWShredder Download, Unzip, Run, “Fix” -

Be sure to get the latest version of CWShredder and USE IT.

Hijackthis 1.97.7
Your HijackThis is up-to-date

TDS-3
Sorry, again, I can't tell by this. You can download the latest radius.td3 and install it manually. (Sorry, don't have my TDS-3 Radius update link handy, but I'm sure you can find it on their site.)


Try this first... If the problem persists, let me know.

GOOD LUCK!

AOSCLAY



Response Number 7
Name: MrCharlie
Date: May 1, 2004 at 14:59:33 Pacific
Reply:


Running the Shredder won't work.
Do as I said. MrC

Example

March 24



Response Number 8
Name: aosclay
Date: May 1, 2004 at 16:42:10 Pacific
Reply:

Question for Mr. Charlie:

hey, MrC.

Good to meet you. You seem well-informed, so I'll pose this question your way.

I'm not seeing the correlation between Dave's problem above and the CWS variant you pointed out on Merijn's March 24 info update.

Merijn's info points out a very specific indicator (<random>.dll 61c00000 61440 c:\windows\system32\<random>.dll). I'm not seeing it in Dave's log (if I am just overlooking it, I'm gonna have a good laugh at myself).

Anyway, if you see another indicator that points to this CWS variant, let me know. I have to do this everyday in the field. New info is good for me. Especially if this variant is Shredder resistant.

I'd love to talk this over with you. I looked at your reply on Tom Coyote. You have a sharp eye.

PS: When I said "I don't think we ever got around to addressing your problem in your first post" I didn't mean this thread.

Dave had posted before at an earlier time and some other user scabbed in on his thread to get his log read (cutting Dave off).

Look forward to hearing back from you Mr.C

AOSCLAY



Response Number 9
Name: MrCharlie
Date: May 1, 2004 at 18:10:40 Pacific
Reply:


It's not in the HJT log, you have to download the program (FIX), unzip it and then run it as described. The log it creates is where you will find the file in question.
Then use the Killbox to nuke it.
You always see this one:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank in the HJT log.
You can use HJT to fix it but the next time you reboot it comes back. That's my info on it anyway and it does work as per my example. MrC




Response Number 10
Name: aosclay
Date: May 1, 2004 at 18:34:11 Pacific
Reply:

hey MrC,

As I promised above...I am now in the process of having a good laugh at myself. :)

"The log it creates is where you will find the file in question."

LOL...I should have read the Merijn March 24 info more closely. It's right there in black and white.

Anyway...Point there being, the removal of the offending entries with HijackThis does not represent a permanent fix? (As I outlined for Dave in Response #6) We had not tried this in Dave's original posting. Somebody else jumped in and got their log read instead. Makes sense, though.

Good to know.

Have you tried CWShredder v 1.57.0 against it yet? I assume if it was effective against this variant it would have been noted at Merijn.org. I'll have to go back and look when I have a chance.

Anyway, Thanks for the info.

Well played, MrC

LATER


AOSCLAY



Response Number 11
Name: dmschave
Date: May 1, 2004 at 20:13:41 Pacific
Reply:

I love you guys.

I got kinda confused by all the different ideas, so I did them all =P.

I'm not 100% sure I did the manual fix correctly, but the hijacker is gone (as far as I can tell).

I'll let you know.

I REALLY appreciate all of this help, guys. You're a credit to our species to help your fellow man for nothing but a "thank you."

Thank you [haha =)]
-Dave



Response Number 12
Name: Thresher
Date: May 3, 2004 at 09:51:38 Pacific
Reply:

Dave:

After you ran SpyBot, Ad-Aware and AVG, did you remember to delete their quarantine and vault files? Check to see that the clean files they quarantined are backed up first.

Thresher



Response Number 13
Name: Diego
Date: May 5, 2004 at 09:51:31 Pacific
Reply:

If you want to play at this hijack thing forever, you can keep trying the witches' brew of free software like I did, but it NEVER works for very long.

Here is a reprint of a post which should help....


If you really want to get rid of Zestyfnd, CoolWWW, LopDotCom, Zedo, TribalFusion, Cool Web Search, Home OldSP, DOOM VIRUS WARNING popups, and ALL of the other hijackers, spyware, adware, popups, go to
http://bubdaddy.blogspot.com/

Read the April 21, 2004 post. I've tried all of the "fixes" everyone in this and many other forums suggested, but nothing worked PERMANENTLY until I bought GhostSurf Pro.

The stuff like Cool Web Shredder, Spy Blaster, and all of the others, worked temporarily, but 4-5 hours later, my home page had been hijacked again!

I still use Lavasoft's Ad-aware, but have now gotten rid of all of the other defense programs. I can go into the Ghost Surf Privacy Center and see who has placed what on my PC and if I don't want them to have any info about me, I block them. It's that simple...and they remain blocked forever.

It enables you to shred your browsing history, and even enables you to surf via anonymous hubs, should you want to do that. You can mask your IP address, and just disappear from the home page hijackers.

Even if you visit the occasional "naughty site" you can do so anonymously, and remove all traces of your naughtiness, and more importantly, you can block all of the crap they will dump on your computer.

You can fool around forever with free software (like I did), or you can spend $30.00 and be done with all of the bother.

There is a link on the BUBDADDY'S site above which takes you to the publisher of GhostSurf. If you order it from someone other than the publisher, OR, if you find it for less on the internet, you may be purchasing software with malicious code embedded in it.

It's been over a week and I haven't seen any Zestyfind, or CoolWWW or any other pests, and I haven't updated anything...GhostSurf does it all for me.



