Hijacked! by searchx - random .dll namer one

Discussion in 'adware, spyware & hijack cleaning' started by zark, May 4, 2004.

Thread Status:
Not open for further replies.
  1. zark

    zark Guest

    wow - this cws is killing me - help pls!

    my ht log

    Logfile of HijackThis v1.97.7
    Scan saved at 9:47:05 AM, on 5/4/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\hidserv.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\SETUP\UTILS\adaware\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ajdkdd.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ajdkdd.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\ajdkdd.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ajdkdd.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ajdkdd.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\ajdkdd.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {C514AC6F-3F21-4AAF-95E4-59A5A1FCF613} - C:\WINNT\system32\ajdkdd.dll
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38105.0593171296
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    The jaunty little fellow has named himself ajdkdd.dll this time around. I've clean this out, killed the .dll in safe mode, and with things like killbox etc. It ALWAYS comes back maybe an hour later. I cannot seem to get rid of this one once and for all. Any help GREATLY appreciated.
     
  2. zark

    zark Guest

    Re: wow - this cws is killing me - help pls!

    Did I do something wrong or something?

    Lots of folks with similar problems have been helped - maybe I stink? Oh well - I guess it's format/reinstall for me.
     
  3. Zark00

    Zark00 Registered Member

    Joined:
    May 4, 2004
    Posts:
    9
    Hi - I've run Adaware, Spybot and HJT - can seemingly get rid of it but it comes back.

    Her is my HJT log - thanks for any help.

    my ht log

    Logfile of HijackThis v1.97.7
    Scan saved at 9:47:05 AM, on 5/4/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\hidserv.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\SETUP\UTILS\adaware\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ajdkdd.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ajdkdd.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\ajdkdd.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ajdkdd.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ajdkdd.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\ajdkdd.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {C514AC6F-3F21-4AAF-95E4-59A5A1FCF613} - C:\WINNT\system32\ajdkdd.dll
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pu...ector/swdir.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/c...DC_1_0_0_41.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.c...8105.0593171296
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/...ash/swflash.cab
     
  4. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Re: wow - this cws is killing me - help pls!

    Hi zark :)

    Welcome to Wilders.

    Just be patient as most of the experts live in different timezones.

    Your log will be read. Just check back periodically for new posts and recommendations.


    snowbound
     
  5. Zark00

    Zark00 Registered Member

    Joined:
    May 4, 2004
    Posts:
    9
    Re: wow - this cws is killing me - help pls!

    ok, thank you.
    I will be patient.
     
  6. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi Zarkoo, I have merged your two threads together. Please stay in this thread for all replies until your computer is clean. Thank you.

    Regards,

    snap
     
  7. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    to see if we can prevent the cws hijackers reinfecting you try this
    a workaround seems to be install a good firewall, lists here http://www.wilders.org/firewalls.htm if you haven't already got one and block these ranges of ports, both incoming and outgoing 209.66.114.0-209.66.115.255 and 81.211.105.0-81.211.105.255 and 213.159.117.0-213.159.118.255
    that stops the known cws servers responding or the hidden files on your computer updating. This works sometimes but not always, but it's a help. The problem with this approach is that some good sites might also be blocked

    First download CWshredder from http://www.thespykiller.co.uk

    boot into safe mode by following instructions here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
    then as some of the files or folders you need to delete may be hidden do this:
    Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"

    Run hijackthis, tick these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ajdkdd.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ajdkdd.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\ajdkdd.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ajdkdd.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ajdkdd.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\ajdkdd.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {C514AC6F-3F21-4AAF-95E4-59A5A1FCF613} - C:\WINNT\system32\ajdkdd.dll


    I don't see any running antivirus, that is a bit like standing in downtown Baghdad stark naked with a bulls eye on your chest waving an American Flag. Definitely not recommended

    Download and install & run an antivirus immediately

    lists here
    http://www.wilders.org/anti_viruses.htm

    one free one that many users of this forum use successfully is
    AVG from http://www.grisoft.com/us/us_dwnl_free.php
     
  8. Zark00

    Zark00 Registered Member

    Joined:
    May 4, 2004
    Posts:
    9
    Yes, understood, and thank you.
    I have now installed and run AVG - thanks.
    I run anti-virus on work machines, etc. just have for some reason held out on this system and have always been able to get it 'seemingly' clean with the spyware tools.
    Thank you very much for the reality check, of course as you could guess, several - 15+ I believe - infected files found. Incidentally, several had to be quarantined rather than removed.

    I should have also stated in my first that I do run and am familiar with HJT, Spybot, adaware, etc.

    I have not run HJT in safe mode yet, I am working on that now.
    As well as the rest of the instructions.

    Thank you so much, I truly appreciate the help.

    One question, can I block those IPs at my router rather than install a software firewall? same thing for these purposes eh?
     
  9. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    if your router is configurable then yes that is a better solution as it will protect the entire network you are on
     
  10. Zark00

    Zark00 Registered Member

    Joined:
    May 4, 2004
    Posts:
    9
    k, that took me a bit - but I thank you because I think it's finally gone!

    new hjt log

    Logfile of HijackThis v1.97.7
    Scan saved at 8:34:40 PM, on 5/6/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\hidserv.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\SETUP\UTILS\adaware\hijackthis\HijackThis.exe

    O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38105.0593171296
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    (note the AVG running now ;) )
    It's been since this morning that it's been 'clean' and still no hijack.
    Thanks again.
     
  11. Zark00

    Zark00 Registered Member

    Joined:
    May 4, 2004
    Posts:
    9
    dang, spoke too soon - came back from dinner and it's back

    hjt log

    Logfile of HijackThis v1.97.7
    Scan saved at 12:19:04 AM, on 5/7/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\hidserv.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\SETUP\UTILS\adaware\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\eifap.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\eifap.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\eifap.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\eifap.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\eifap.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\eifap.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {E37F74F9-FB06-4526-B09C-76447C587585} - C:\WINNT\system32\eifap.dll
    O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38105.0593171296
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  12. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    I think the router probably only blocks incoming, and if an outgoing one has gone it will automatically allow the reply back in.

    if your router has a way of blocking outgoing TCP & UDP as well as incoming try it, otherwise you might like to try the software firewall and see if that helps

    also let's try this as well

    Go here:
    http://www10.brinkster.com/expl0iter/freeatlast/PVtool.htm
    And download "Xfind.zip" from there.
    Unzip, run the 'find.bat' inside.
    Wait till it terminates and find 'log.txt' inside which
    you'd need to attach into your next reply.
     
  13. Zark00

    Zark00 Registered Member

    Joined:
    May 4, 2004
    Posts:
    9
    Edit -

    I found a direct link to xfind on another thread - and found the correct find.bat to run - here is the result:

    C:\WINNT\System32\KBDI.DLL +++ File read error

    ***********
    I left this up in case you need it later

    OK, I think this is the log
    No 'xfind.zip' at that url - but there was find-all.zip with a find all.bat.

    Possible bad file(s) found... (locked)
    \\?\C:\WINNT\System32\KBDI.DLL +++ File read error
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "DeviceNotSelectedTimeout"="15"
    "GDIProcessHandleQuota"=dword:00002710
    "Spooler"="yes"
    "swapdisk"=""
    "TransmissionRetryTimeout"="90"
    "USERProcessHandleQuota"=dword:00002710
    "AppInit_DLLs"=""

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3758C638-3EE0-441B-8BE7-580FF1CB6066}]

    REGEDIT4

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
    @="AP Class Install Handler filter"
    "CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
    @="AP Deflate Encoding/Decoding Filter "
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
    @="AP GZIP Encoding/Decoding Filter "
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
    @="AP lzdhtml encoding/decoding Filter"
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
    "CLSID"="{92B0171D-980E-40B0-AA6D-4B53EE464161}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
    "CLSID"="{92B0171D-980E-40B0-AA6D-4B53EE464161}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
    @="WebView MIME Filter"
    "CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

    
     
    Last edited: May 7, 2004
  14. Zark00

    Zark00 Registered Member

    Joined:
    May 4, 2004
    Posts:
    9
    I've seen the other posts with explainations on renaming and deleting the .dll - filter stuff i don't really understand.

    I'm betting that's exactly my next step - but I wanted to see if that's what you guys would actually direct as well.

    I blocked everything both ways, and still got reinfected.

    So i finally just unplugged the network - and STILL got reinfected - so there's got to be something hidden in my system that's putting this back on.

    Isn't this spyware stuff illegal btw? Like spam laws or something? Or are the spywarers ahead of legislation.

    Thansk for the help btw.
     
Thread Status:
Not open for further replies.