14 Posts
0
May 1st, 2004 04:00
I've been hijacked..Please help
I was hijacked by CoolWebSearch about:blank. It will not go away. I've used CWShredder about 4 times and it works for a while, but then the hijack comes back. Here's a copy of the HijackThis log. Any help is appreciated. This Dell is only 2 weeks old and my wife is about ready to shoot me! Thanks!
Logfile of HijackThis v1.97.7
Scan saved at 9:22:14 PM, on 4/30/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\McAfee.com\MPS\mscifapp.exe
C:\WINDOWS\System32\RunDLL32.exe
C:\Program Files\America Online 9.0\aoltray.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\HPHipm11.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Tim Donahue.DONAHUE1\Local Settings\Temporary Internet Files\Content.IE5\45GR4BG7\HijackThis[1].exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [BuildBU] c:\dell\bldbubg.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MPSExe] C:\Program Files\McAfee.com\MPS\mscifapp.exe /embedding
O4 - HKCU\..\Run: [OfotoNow USB Detection] C:\WINDOWS\System32\RunDLL32.exe C:\PROGRA~1\Ofoto\OfotoNow\OFUSBS.DLL,WatchForConnection OfotoNow
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,19/mcgdmgr.cab
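As an added example (not code from this thread, from HijackThis or from the helpers here), a small Python triage script that parses log lines in the format above and flags the two patterns this thread turns on: R-section entries pointing at about:blank, and O2 BHO entries marked (no file), which is what a registry remnant looks like after the DLL itself has been removed. The sample log is constructed from a subset of the lines in the post.

```python
import re
from collections import namedtuple

Entry = namedtuple("Entry", "section detail")

# A HijackThis line is "<section> - <detail>", e.g. "O2 - BHO: (no name) - {CLSID} - path".
LINE_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

# Constructed sample: a handful of lines modelled on the log in the first post.
SAMPLE_LOG = """\
Logfile of HijackThis v1.97.7
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\\program files\\google\\googletoolbar1.dll
O4 - HKLM\\..\\Run: [HotKeysCmds] C:\\WINDOWS\\System32\\hkcmd.exe
"""


def parse_hjt(text):
    """Return an Entry for every line that follows the HijackThis section format."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def triage(entries):
    """Flag about:blank page entries and BHO entries whose DLL is gone
    (a typical remnant left behind after CWShredder deletes the file)."""
    findings = []
    for e in entries:
        if e.section in ("R0", "R1") and "about:blank" in e.detail.lower():
            findings.append(("hijacked-page", e))
        elif e.section == "O2" and e.detail.endswith("(no file)"):
            findings.append(("orphan-bho", e))
    return findings


def bho_clsids(entries):
    """Upper-cased CLSIDs of all O2 entries, for comparison against a registry export."""
    ids = set()
    for e in entries:
        if e.section == "O2":
            m = CLSID_RE.search(e.detail)
            if m:
                ids.add(m.group(0).upper())
    return sorted(ids)


if __name__ == "__main__":
    for rule, entry in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{rule:14s} {entry.section} - {entry.detail}")
```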
Navin kurian
526 Posts
0
May 1st, 2004 05:00
Which version of CWShredder are you using? Rescan with the latest CWShredder: http://www.spywareinfo.com/~merijn/downloads.html
How to guard against CoolWebSearch
http://www.spywareinfo.com/~merijn/cwschronicles.html
http://www.mvps.org/sramesh2k/Defend_CWS.htm
http://www.mvps.org/inetexplorer/data/coolwebsearch.htm
I would suggest keeping another browser handy (one that can't be hijacked so easily) so you aren't stuck if IE goes down.
Get Opera: www.opera.com
http://www.mozilla.org/products/firefox/
Resetting Internet Explorer Web settings
If you installed another Web browser after installing Internet Explorer and Internet Tools, some of your Internet Explorer settings may have changed. You can reset your Internet Explorer settings to their original defaults, including your home page and search pages, and choice of default browser, without changing your other browser's settings.
On the Tools menu, click Internet Options.
Click the Programs tab.
Click the Reset Web Settings button.
How to Reset the Internet Explorer 6.0 Security Settings and Verify the Encryption Settings
http://support.earthlink.net/mu/1/psc/img/walkthroughs/windows_9x_nt/browsers/ie_6.0/8455.psc.html
Yellowhammer
725 Posts
0
May 1st, 2004 18:00
tigger5,
There are two malicious .dll files on your computer. One is visible and can be easily deleted. The other is HIDDEN. The hidden .dll regenerates the viewable .dll if it is deleted or changed. The hidden file is the problem.
To rid yourself of the hidden .dll, which is the core of the problem, do the following.
Download two free programs and install them.
1. Taskinfo
2. CWSShredder
http://www.iarsn.com/taskinfo.html (trial version works for this)
http://www.spywareinfo.com/~merijn/downloads.html
Open Internet Explorer with the about:blank page.
Then open taskinfo program.
Look for “Internet Explorer” on the left side and highlight it.
On the right side, open the “Modules” tab.
You will see a list of .dll files.
Sort the files by Company.
You should see a few .dll files that don't belong to any company or don’t have any description. In the list should be both the malicious secondary .dll (you may not have this one if you just ran cwshredder to remove it) that is generated by the malicious core .dll AND the malicious core dll. Again, they should not have any legitimate company name or description.
Copy the file names down for your reply.
Run CWSShredder. It will delete the secondary .dll that is generated by the hidden core .dll and all associated registry entries.
Post back with the name of the suspect files from Taskinfo and the path.
After posting, Please install the recovery console for your PC. Instructions follow:
If you have your Windows CD, put it in the CD drive, go to Start/Run and paste this on the line:
d:\i386\winnt32.exe /cmdcons
Change d if necessary to your CD-ROM drive letter.
If you only have recovery CDs from your computer manufacturer, then search for winnt32.exe on your system.
Then write down the path that you find in the search results.
Example: if you find the winnt32.exe file in this location -> C:\WINDOWS\I386\WINNT32.EXE
then go to Start/Run, paste this line C:\WINDOWS\I386\WINNT32.EXE /cmdcons in the Run box and click OK to start the install.
In either case, walk through that and it will install the Recovery Console.
Thereafter, you'll see an option for the RC on the startup menu.
Instructions if needed are here: http://www.winnetmag.com/Windows/Article/A...1538/21538.html
I will review the information that you posted and have further instructions for you.
After you have posted back with that info I will give you some further instructions.
tigger5
14 Posts
0
May 3rd, 2004 13:00
tigger5
14 Posts
0
May 3rd, 2004 21:00
I downloaded TaskInfo, found IE on the left bottom side and highlighted it; there was no "module" tab on the right side. I opened the "driver" tab and found the following .dll files:
bootvid.dll
hal.dll
ialmdd5.dll
ialmdev5.dll
ialmdnt5.dll
ialmrnt5.dll
ntdll.dll
KDCOM.dll
Is this correct?
Yellowhammer
725 Posts
0
May 3rd, 2004 21:00
Let's try another method of identifying the file.
Go here and download Find-All.zip
http://www10.brinkster.com/expl0iter/freeatlast/pvtool.htm
Extract it.
Double click on Find-All.bat. It will produce a file named output.txt.
Copy and paste the contents of output.txt in your next reply.
After posting that reply, please do the following (note that you may have done this part already from the previous instructions):
Install the Recovery Console for your PC. Instructions follow:
If you have your Windows CD, put it in the CD drive, go to Start/Run and paste this on the line:
d:\i386\winnt32.exe /cmdcons
Change d if necessary to your CD-ROM drive letter.
If you only have recovery CDs from your computer manufacturer, then search for winnt32.exe on your system.
Then write down the path that you find in the search results.
Example: if you find the winnt32.exe file in this location -> C:\WINDOWS\I386\WINNT32.EXE
then go to Start/Run, paste this line C:\WINDOWS\I386\WINNT32.EXE /cmdcons in the Run box and click OK to start the install.
The important thing is to find the location of the winnt32.exe file on your system so you put the correct command in the Run box.
In either case it will install the Recovery Console.
Thereafter, you'll see an option for the RC on the startup menu.
Instructions if needed are here: http://www.winnetmag.com/Windows/Article/A...1538/21538.html
After I have seen the results of the output.txt file I will give you further directions. You will be deleting the hidden file using the recovery console (I hope)
Yellowhammer
725 Posts
0
May 4th, 2004 02:00
tigger5
14 Posts
0
May 4th, 2004 02:00
Yellowhammer
725 Posts
0
May 4th, 2004 02:00
Copy the contents between the lines to Notepad. Name the file fix.reg. Save as type All Files. Save on the desktop.
-----------------------------------------------------------------------
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

----------------------------------------------------------------------------------
After you have the Recovery Console installed, reboot. You will get a menu. Choose Recovery Console. To do that, use the arrow keys to move through the menu and when Recovery Console is highlighted, press Enter. You'll be asked which install you want to repair. Select your Windows XP. You will be asked for a password. Press Enter if you didn't set up an Administrator password when you installed. That will get you in.
If you did set up a password, type it in and press Enter.
Once the Recovery Console has loaded you are going to delete one file.
Here are those directions:
Type this and press enter: attrib -s -h -r C:\WINDOWS\System32\RESCBFJ.DLL Note that there is a space between each command until you reach the path name.
Type this and press enter: Del C:\WINDOWS\System32\RESCBFJ.DLL Note that there is a space between DEL and the Pathname.
Let it do the delete.
Type Exit to restart.
---------------------------------
When you get back into Windows
Double click on fix.reg to remove extra registry entries.
Run CWShredder and Ad-Aware.
Run HijackThis and post your new log here in your next reply.
Also double-click on Find-All.bat again. See if there is a mention of a file error again. If not, you are in good shape.
tigger5
14 Posts
0
May 4th, 2004 02:00
Here is the output.txt file:
Possible bad file(s) found... (locked)
\\?\C:\WINDOWS\System32\RESCBFJ.DLL +++ File read error
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{227B8AA8-DAF2-4892-BD1D-73F568BCB24E}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
REGEDIT4
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/hta]
"CLSID"="{D962EF38-5FB0-4761-8638-C86F085E25E6}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]
"CLSID"="{6585E5B4-4D2A-4A1D-A219-4102C64BA999}"
"CLSID_"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"
tigger5
14 Posts
0
May 4th, 2004 12:00
I will do this tonight when I get home from work. Since I have not inserted the Windows operating CD yet, do I still need to do this step from yesterday's post:
Install the Recovery Console for your PC. Instructions follow:
If you have your Windows CD, put it in the CD drive, go to Start/Run and paste this on the line:
d:\i386\winnt32.exe /cmdcons
Change d if necessary to your CD-ROM drive letter.
If you only have recovery CDs from your computer manufacturer, then search for winnt32.exe on your system.
Then write down the path that you find in the search results.
Example: if you find the winnt32.exe file in this location -> C:\WINDOWS\I386\WINNT32.EXE
then go to Start/Run, paste this line C:\WINDOWS\I386\WINNT32.EXE /cmdcons in the Run box and click OK to start the install.
The important thing is to find the location of the winnt32.exe file on your system so you put the correct command in the Run box.
In either case it will install the Recovery Console.
Thereafter, you'll see an option for the RC on the startup menu.
Instructions if needed are here: http://www.winnetmag.com/Windows/Article/A...1538/21538.html
After I have seen the results of the output.txt file I will give you further directions. You will be deleting the hidden file using the recovery console (I hope)
Or should I skip this and go to your latest instructions? Also, the link you provided at winnetmag is no longer active; is there anywhere else I can preview instructions before I start this? Sorry to be tentative, but I am not an expert by any means. Once again, I do appreciate your help and patience with me on this!
Yellowhammer
725 Posts
0
May 4th, 2004 16:00
Once you have finished installing the Recovery Console you can do my last set of instructions.
I am repeating them below.
Copy the contents between the lines to Notepad. Name the file fix.reg. Save as type All Files. Save on the desktop.
-----------------------------------------------------------------------
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

----------------------------------------------------------------------------------
After you have the Recovery Console installed, reboot. You will get a menu. Choose Recovery Console. To do that, use the arrow keys to move through the menu and when Recovery Console is highlighted, press Enter. You'll be asked which install you want to repair. Select your Windows XP. You will be asked for a password. Press Enter if you didn't set up an Administrator password when you installed. That will get you in.
If you did set up a password, type it in and press Enter.
Once the Recovery Console has loaded you are going to delete one file.
Here are those directions:
Type this and press enter: attrib -s -h -r C:\WINDOWS\System32\RESCBFJ.DLL Note that there is a space between each command until you reach the path name.
Type this and press enter: Del C:\WINDOWS\System32\RESCBFJ.DLL Note that there is a space between DEL and the Pathname.
Let it do the delete.
Type Exit to restart.
---------------------------------
When you get back into Windows
Double click on fix.reg to remove extra registry entries.
Run CWShredder and Ad-Aware.
Run HijackThis and post your new log here in your next reply.
Also double-click on Find-All.bat again. See if there is a mention of a file error again. If not, you are in good shape.
Yellowhammer
725 Posts
0
May 5th, 2004 02:00
Let's clear the attributes one at a time:
Type this and press enter: attrib -s C:\WINDOWS\System32\RESCBFJ.DLL Note that there is a space between each command until you reach the path name.
Type this and press enter: attrib -r C:\WINDOWS\System32\RESCBFJ.DLL Note that there is a space between each command until you reach the path name.
Type this and press enter: attrib -h C:\WINDOWS\System32\RESCBFJ.DLL Note that there is a space between each command until you reach the path name.
Type this and press enter: Del C:\WINDOWS\System32\RESCBFJ.DLL Note that there is a space between DEL and the Pathname.
Let it do the delete.
tigger5
14 Posts
0
May 5th, 2004 02:00
tigger5
14 Posts
0
May 5th, 2004 11:00
Yellowhammer
725 Posts
0
May 5th, 2004 21:00
It looks clean except for this one. I am hoping it is only a remnant.
Close your browser and have HijackThis fix the following:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
Open and close your browser a couple of times and run another HijackThis log. Hopefully it won't return.
Please let me know.