**** HIJACK THIS **** Please Help NOOB

Discussion in 'adware, spyware & hijack cleaning' started by WaterBase, Jun 6, 2004.

Thread Status:
Not open for further replies.
  1. WaterBase

    WaterBase Registered Member

    Joined:
    Jun 6, 2004
    Posts:
    6
    Here is my HJT log,
    I have about:blank as my homepage and a pop-up nightmare.
    I've run Ad-aware already. Not sure what to do next.


    Logfile of HijackThis v1.97.7
    Scan saved at 4:03:28 PM, on 6/6/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\THE NEW CPU\My Documents\Programs\HijackThis.exe
    C:\Program Files\Messenger\msmsgs.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://super-websearch.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\ohbic.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\ohbic.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\ohbic.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\ohbic.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\ohbic.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\ohbic.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;localhost;<local>
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.yahoo.ca
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\System32\IETie.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {D15AA6FA-8DFF-4C83-B5F5-66D758232A74} - C:\WINDOWS\System32\ohbic.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [QD FastAndSafe] C:\PROGRA~1\NORTON~1\NORTON~2\QDCSFS.exe /scheduler
    O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O9 - Extra button: GhostSurf Privacy Center (HKLM)
    O9 - Extra 'Tools' menuitem: GhostSurf Privacy Center (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/148119a2571ca3/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
     
  2. WaterBase

    WaterBase Registered Member

    Joined:
    Jun 6, 2004
    Posts:
    6
    any help at all?
     
  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi WaterBase,

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://super-websearch.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\ohbic.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\ohbic.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\ohbic.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\ohbic.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\ohbic.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\ohbic.dll/sp.html (obfuscated)

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

    O2 - BHO: (no name) - {D15AA6FA-8DFF-4C83-B5F5-66D758232A74} - C:\WINDOWS\System32\ohbic.dll

    O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe

    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab

    Then reboot and download http://tools.zerosrealm.com/dllfix.exe

    Double-click it and install it in a folder of your choice on the root drive, in your case C:\

    Run start.bat and press option 1. 'output.txt' will be created in the folder.

    Please post that report.

    Regards,

    Pieter
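The items Pieter picked out of the log above follow a pattern a defender can check for mechanically: several R0/R1 Internet Explorer search settings all point at a res:// HTML page inside the same DLL in System32 (the lines HijackThis marks "(obfuscated)"), and an unnamed O2 BHO loads that very DLL, with HomeOldSP set to about:blank. The following script is an added example written for this thread, not code from HijackThis or from anyone in the thread. It parses HJT-style log lines, extracts the DLL behind the res:// settings and reports any BHO that loads it. The sample lines are copied from the first post; the function and variable names are the example's own.

```python
import re

# Constructed sample: a subset of the HijackThis log posted above,
# including one benign R0 line and two unrelated BHOs for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://super-websearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\ohbic.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\ohbic.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\ohbic.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\ohbic.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\ohbic.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\ohbic.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.yahoo.ca
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\System32\IETie.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D15AA6FA-8DFF-4C83-B5F5-66D758232A74} - C:\WINDOWS\System32\ohbic.dll
"""

# R0/R1 entries: "<Rn> - <registry key>,<value name> = <setting>"
R_ENTRY = re.compile(r"^(?P<type>R[01]) - (?P<key>.+?) = (?P<setting>.+)$")
# The about:blank hijacker points IE settings at an HTML resource inside a DLL
RES_DLL = re.compile(r"^res://(?P<path>.+?\.dll)/", re.IGNORECASE)
# O2 entries: "O2 - BHO: <name> - {CLSID} - <dll path>"
O2_ENTRY = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")


def basename(path):
    """Last component of a Windows path, lower-cased so paths compare reliably."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_res_hijacks(lines):
    """Return (line, dll_basename) for every R0/R1 setting that loads a res:// DLL."""
    hits = []
    for line in lines:
        m = R_ENTRY.match(line)
        if not m:
            continue
        r = RES_DLL.match(m.group("setting"))
        if r:
            hits.append((line, basename(r.group("path"))))
    return hits


def find_bhos_loading(lines, dll_names):
    """Return (clsid, path) for O2 BHOs whose DLL is one of dll_names."""
    found = []
    for line in lines:
        m = O2_ENTRY.match(line)
        if m and basename(m.group("path")) in dll_names:
            found.append((m.group("clsid"), m.group("path")))
    return found


def homeoldsp_is_blank(lines):
    """True if the saved-homepage value (HomeOldSP) has been set to about:blank."""
    for line in lines:
        m = R_ENTRY.match(line)
        if m and m.group("key").endswith("HomeOldSP") and m.group("setting").strip() == "about:blank":
            return True
    return False


def triage(log_text):
    """Correlate res:// search settings with the BHO that carries the same DLL."""
    lines = [l.strip() for l in log_text.splitlines() if l.strip()]
    hijacks = find_res_hijacks(lines)
    dlls = {dll for _, dll in hijacks}
    return {
        "hijacked_settings": [line for line, _ in hijacks],
        "res_dlls": dlls,
        "suspect_bhos": find_bhos_loading(lines, dlls),
        "homeoldsp_blank": homeoldsp_is_blank(lines),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(f"{len(result['hijacked_settings'])} IE settings point into {sorted(result['res_dlls'])}")
    for clsid, path in result["suspect_bhos"]:
        print(f"BHO {clsid} loads {path}")
    if result["homeoldsp_blank"]:
        print("HomeOldSP is about:blank")
```

Run against the sample, the script reports six hijacked settings, the single DLL ohbic.dll behind them, and the unnamed BHO {D15AA6FA-8DFF-4C83-B5F5-66D758232A74} as the component that loads it, which is exactly the R0/R1/O2 set in the fix list. Note that the [kdx] Run entry and the kdx.cab download in the fix list are not derivable from this pattern; they reflect the helper's knowledge of that software, not anything the log structure reveals.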
     
  4. WaterBase

    WaterBase Registered Member

    Joined:
    Jun 6, 2004
    Posts:
    6
    I think this is what output.txt meant:

    Anyway, it's fine now; homepage is back! Thanks for the help.

    This is a fix for the hidden CWS dll buried in
    AppInit. You will have this if you keep getting reinfected
    with searchx according to shredder.
    Example: these lines with the random dll hijack:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\faip.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\faip.dll/sp.html (obfuscated)


    Redirected to Linklist.cc or Real-Yellow-pages.
    This only fixes the hidden dll and not the Hijack.
    You should use cwshredder for the rest.

    First Menu
    1. FreeatLast's Findall Report for the Hijacker and test for the hidden dll
    that this fixes.
    2. Enter Fix menu
    3. This readme.


    Second menu.
    1. Enter dll manually to Fix. This would be example:
    xxxxx.dll
    Just enter above if you know the actual name

    2. Let program search for it.
    It will start the fix and search for it on its own.

    It will complete the rest automatically.
    On windows Xp it will reboot in 15 seconds.
    On Windows 2000 it will ask you to reboot.
    Please do so immediately when asked.
    It will rerun on bootup.
    After its completed on bootup it will
    show a log of what it found.

    No warranties are expressed or implied. Use at your own risk!!

    Follow the appropriate instructions from a qualified person on the forums if you are not sure.

    Special Thanks to FreeatLast and Mosaic1 for all the input and ideas.
    Thanks to Option^Explicit for the reboot utility.
    Thanks to Mosaic1 for helping me get the timing issues resolved.

    If you would like to send me a donation Or need to contact me i can be reached at:

    spywaresubmit@aol.com

    Please visit the following forums for help.

    www.zerosrealm.com
    www.subratam.org
    www.spywareinfoforum.com
    www.tomcoyote.com
    www.wilderssecurity.com
    www.computercops.biz


    A Special Thanks to Zero and Subratam for Hosting the file!
    Mirrors Available at
    http://downloads.subratam.org/dllfix.exe
    http://www.allsecpros.com/download/dllfix.exe

    Version 1.0.1
    Now can run from any drive in windows.

    Version 1.0.2
    Fixed Timing issue bugs.
    Thanks to Mosaic for sticking with me to resolve them. Should work a lot better.
    removed now.exe and registry files as no longer needed.
    Now use reg.exe to do reg deletions.

    Version 1.0.3
    Updated Find-All to 5.2
    Fixed Directory listing to only list 2004 files.

    Version 1.0.4

    Updated Registry Routines To Improve Accuracy on removing Thanks To Mosaic.
    Added support to Target Main 02 dll shown in hijackthis.
    Added support to unlock locked files to improve Removal.

    Version 1.0.5
    Added some insurance to make sure Registry keys are reset.
    Thinned out Find-All as most was not needed for this hijack.
    Fixed a couple of minor bugs.
    Added Version Info into Log.

    Version 2.0.1

    Redid registry routines to restore the keys after the reboot.
    Some computers would put back the bad entry before rebooting.
    Added two more bat files.
    restorereg.bat restores the registry from the backup files if the Windows key is missing.
    emerg.bat will set up second.bat to run if it didn't start after reboot or errored out.

    Version 3.00
    Now installing files for better win2k compatibility.
    Streamlined routines.
    Removing files installed after second.bat completion automatically.

    Version 3.01
    Modified find-all to show wmplayer and visible dll showing md5.
    Added second md5 to main hijacker routine in second.bat
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi WaterBase,

    Could you please reread the instructions in my last post?
    What you posted is the txt file that Shadowwar included with the program, not output.txt.
    Output.txt will be created when you run start.bat and press option 1.

    Regards,

    Pieter
     
  6. WaterBase

    WaterBase Registered Member

    Joined:
    Jun 6, 2004
    Posts:
    6
    Tried again; this looks like the output.txt:


    --==***@@@ FIND-ALL' VERSION MODIFIED -6/05 @@@***==--
    --==***@@@ ORIGINAL BY FREEATLAST @@@***==--

    Tue 06/08/2004
    08:49 AM

    System Info:

    Microsoft Windows XP [Version 5.1.2600]
    C: "HP_PAVILION" (4746:10DD) - FS:FAT clusters:32k
    Total: 40 006 156 288 [37G] - Free: 20 867 874 816 [19G]


    *IE version and Service packs:
    6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe
    *Notepad version :
    5.1.2600.0 C:\WINDOWS\system32\notepad.exe
    5.1.2600.0 C:\WINDOWS\notepad.exe
    *Media Player version :
    8.0.0.4487 C:\Program Files\Windows Media Player\wmplayer.exe

    ! REG.EXE VERSION 2.0

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    MinorVersion REG_SZ ;SP1;Q324929;Q810847;Q813951;Q330994;Q818529;Q828750;Q824145;Q832894;Q837009;



    Locked or 'Suspect' file(s) found...


    Scanning for main Hijacker:


    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""
    "DeviceNotSelectedTimeout"="15"
    "GDIProcessHandleQuota"=dword:00002710
    "Spooler"="yes"
    "swapdisk"=""
    "TransmissionRetryTimeout"="90"
    "USERProcessHandleQuota"=dword:00002710

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    @=""

    REGEDIT4

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
    @="AP Class Install Handler filter"
    "CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
    @="AP Deflate Encoding/Decoding Filter "
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
    @="AP GZIP Encoding/Decoding Filter "
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
    @="AP lzdhtml encoding/decoding Filter"
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
    "CLSID"="{A499FE46-8905-49D0-97DE-ADA8404D86E0}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
    "CLSID"="{A499FE46-8905-49D0-97DE-ADA8404D86E0}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
    @="WebView MIME Filter"
    "CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"


    ! REG.EXE VERSION 2.0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_Dlls REG_SZ

    *Security settings for 'Windows' key:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    (NI) ALLOW Read BUILTIN\Users
    (IO) ALLOW Read BUILTIN\Users
    (NI) ALLOW Read BUILTIN\Power Users
    (IO) ALLOW Read BUILTIN\Power Users
    (NI) ALLOW Full access BUILTIN\Administrators
    (IO) ALLOW Full access BUILTIN\Administrators
    (NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (NI) ALLOW Full access BUILTIN\Administrators
    (IO) ALLOW Full access CREATOR OWNER

    Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    Read BUILTIN\Users
    Read BUILTIN\Power Users
    Full access BUILTIN\Administrators
    Full access NT AUTHORITY\SYSTEM
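The readme quoted earlier describes the variant this tool targets: a DLL hidden in AppInit_DLLs, which Windows loads into every process that uses user32.dll, so the hijack survives removal of the visible BHO. The output.txt above shows the two things a checker wants to see for that key: the REGEDIT4 export with "AppInit_DLLs"="" and the RegDACL listing showing that only Administrators, SYSTEM and CREATOR OWNER hold Full access. The script below is an added example for this thread, not part of dllfix, Find-All or RegDACL. It parses both listings offline and reports findings; the clean samples are copied from the output above, while the "infected" samples (the EXAMPLE_HIDDEN.dll placeholder name and the extra ACE for Everyone) are constructed to show what the checks flag.

```python
import re

# Constructed sample 1: the Windows key export and RegDACL listing from
# output.txt in this thread (AppInit_DLLs empty, stock XP ACL).
CLEAN_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"""

CLEAN_ACL = r"""Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER
"""

# Constructed sample 2: the same key with a planted DLL (placeholder name,
# not a real file) and an extra ACE opening the key to every user.
INFECTED_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\System32\\EXAMPLE_HIDDEN.dll"
"""
INFECTED_ACL = CLEAN_ACL + "(NI) ALLOW Full access Everyone\n"

WINDOWS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
# Principals that legitimately hold Full access on this key (XP default, per output.txt)
EXPECTED_FULL_ACCESS = {"BUILTIN\\Administrators", "NT AUTHORITY\\SYSTEM", "CREATOR OWNER"}

KEY_LINE = re.compile(r"^\[(?P<key>.+)\]$")
VALUE_LINE = re.compile(r'^(?:@|"(?P<name>[^"]+)")=(?P<data>.*)$')
ACE_LINE = re.compile(r"^\((?P<flags>[A-Z]+)\) (?P<type>ALLOW|DENY) (?P<access>Full access|Read|Write|Special) (?P<who>.+)$")


def parse_regedit4(text):
    """Parse a REGEDIT4 export into {key: {value_name: data}}; '@' is the default value."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        k = KEY_LINE.match(line)
        if k:
            current = k.group("key")
            keys[current] = {}
            continue
        v = VALUE_LINE.match(line)
        if v and current is not None:
            name = v.group("name") if v.group("name") is not None else "@"
            data = v.group("data")
            if data.startswith('"') and data.endswith('"'):
                # REG_SZ: strip the quotes and undo .reg escaping of \ and "
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            elif data.startswith("dword:"):
                data = int(data[6:], 16)
            keys[current][name] = data
    return keys


def appinit_dlls(export):
    """AppInit_DLLs string for the Windows key, or None if the key is not in the export."""
    values = parse_regedit4(export).get(WINDOWS_KEY)
    return None if values is None else values.get("AppInit_DLLs", "")


def parse_regdacl(text):
    """Return (flags, type, access, principal) tuples from a RegDACL ACL listing."""
    return [m.groups() for m in (ACE_LINE.match(l.strip()) for l in text.splitlines()) if m]


def unexpected_full_access(acl_text, expected=EXPECTED_FULL_ACCESS):
    """Principals granted Full access on the key that are not in the expected set."""
    return sorted({who for _, typ, access, who in parse_regdacl(acl_text)
                   if typ == "ALLOW" and access == "Full access" and who not in expected})


def assess(export, acl_text):
    """Combine both checks into a list of findings; an empty list means clean."""
    findings = []
    dlls = appinit_dlls(export)
    if dlls is None:
        findings.append("Windows key missing from export")
    elif dlls.strip():
        findings.append(f"AppInit_DLLs is set: {dlls}")
    for who in unexpected_full_access(acl_text):
        findings.append(f"unexpected Full access for {who}")
    return findings


if __name__ == "__main__":
    print("clean:", assess(CLEAN_EXPORT, CLEAN_ACL))
    print("infected:", assess(INFECTED_EXPORT, INFECTED_ACL))
```

On the listing WaterBase posted the script returns no findings, which matches Pieter's reading that the fix had already taken; the constructed variant produces one finding for the planted DLL and one for the Everyone ACE. The ACL check matters because the readme's version history notes that some machines "would put back the bad entry before rebooting": a key that unprivileged accounts can write is how that happens, so verifying the DACL is part of confirming the cleanup.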


    
     
  7. WaterBase

    WaterBase Registered Member

    Joined:
    Jun 6, 2004
    Posts:
    6
    Pieter or Admin, am I done? Is this right?
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands