Recurring searchx infection and trojan?

Discussion in 'adware, spyware & hijack cleaning' started by dsomick, Apr 30, 2004.

Thread Status:
Not open for further replies.
  1. dsomick

    dsomick Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    10
    Ran Ad-Aware, currently running Webroot's Spy Sweeper and the latest version of McAfee... and Sygate Personal Firewall to see if I can catch any traffic...

    I cleaned a few trojans after DL'ing an mpeg,
    but Spy Sweeper keeps popping up that my home page wants to change.
    I run CWShredder and it cleans the virus, but it pops back and I notice some odd things on my IE address bar. I've upgraded all the MS service packs and actually removed my IE JVM in favor of the Sun one.

    I ran HijackThis and when I try to save the log, Notepad pops up and McAfee says it has this trojan: Exploit-MhtRedir.gen and kills the HijackThis log before I can see it... It must be seeing a reg key in the log...
    So I did this in safe mode to get the log...
    Here is my HijackThis dump. Thanks for taking a look!

    Logfile of HijackThis v1.97.7
    Scan saved at 1:23:33 PM, on 4/30/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Documents and Settings\dsomick1\Desktop\hjt\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://mww.metlife.com/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
    O4 - HKLM\..\Run: [fwenc.exe] "C:\Program Files\CheckPoint\SecuRemote\bin\fwenc.exe"
    O4 - HKLM\..\Run: [WG511WLU] C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\smc.exe -startgui
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: EDMNTUSER.lnk = C:\EDMNT\EDMNTUSR.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Start HTML Search Server.lnk = C:\Program Files\SQLLIB\bin\db2nq.exe
    O4 - Global Startup: starteam.cmd
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O11 - Options group: [JAVA_MSJVM_VM] Microsoft VM
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://mww.metlife.com
    O16 - DPF: JavaConnect - file://C:\Documents and Settings\tkaminski\Local Settings\Temp\SISD\JavaConnect.cab
    O16 - DPF: Sametime BroadCast Client ST30IF2 - file://C:\Documents and Settings\tkaminski\Local Settings\Temp\SISD\STBroadcastClient.cab
    O16 - DPF: Sametime Directory Applet ST30SP1 - file://C:\Documents and Settings\tkaminski\Local Settings\Temp\SISD\STDirectoryApplet.cab
    O16 - DPF: Sametime Meeting Room Client ST30SP1 - file://C:\Documents and Settings\tkaminski\Local Settings\Temp\SISD\STMeetingRoomClient.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its :mhtml:file://c:\nosuch.mht!http://cashsearch.biz/legal/x.chm::/load.exe
    O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://courses.mindleaders.com/dpec/shared/cabs/awswaxf.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {24CEC0BF-C8BC-4BCB-B804-226326B319EF} (JNILoader Control) - file://C:\Documents and Settings\tkaminski\Local Settings\Temp\SISD\STJNILoader.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/99...W/win/019-0123.20031218.zes4d/iTunesSetup.exe
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52....com/mickey/us/win/QuickTimeFullInstaller.exe
    O16 - DPF: {64A6114F-2976-4634-BE36-134BF84D369C} (eWebEditProLibCtl4.eWebEditPro) - http://www.ektron.com/ewebeditpro4/ewebeditpro4.cab
    O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www-3.ibm.com/pc/support/access/aslibmain/content/IbmEgath.cab
    O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://www.ektron.com/ewebeditpro4/msxml4.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38099.8294212963
    O16 - DPF: {A25BE7A9-3102-46B4-BAAE-462471B60ACB} (STConnectivityAgent Control) - file://C:\Documents and Settings\tkaminski\Local Settings\Temp\SISD\InstallSTConnAgent.cab
    O16 - DPF: {CDBD9968-7BF1-11D4-9D36-0001029DEBEB} (Loader Class) - http://testdirector.metlife.com/Spider.ocx
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://ahdweb.webmeeting.att.com/client/webex/ieatgpc.cab
    O16 - DPF: {E598AC61-4C6F-4F4D-877F-FAC49CA91FA3} (acpRunner Class) - https://www-3.ibm.com/pc/support/access/aslibmain/content/AcpControl.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = metlife.com
    O17 - HKLM\Software\..\Telephony: DomainName = metlife.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{562EC8E3-A85E-4B56-B460-8310FF8DC490}: Domain = metlife.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C8D2EB51-122F-4195-A8B7-09FAAFD9C278}: Domain = metlife.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = metlife.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = metlife.com
     
    Last edited by a moderator: May 2, 2004
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi dsomick,

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

    O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its :mhtml:file://c:\nosuch.mht!http://cashsearch.biz/legal/x.chm::/load.exe

    Then reboot.
    The one listed under O16 would be the one that set off your AV and was trying to change your settings. I added a space so it won't set off any alarms for anyone reading or caching this thread.

    Regards,

    Pieter
     
  3. dsomick

    dsomick Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    10
    Thanks for the help, Pieter!

    Is that the only problem picked up by HJT? o_O :doubt:

    My Spy Sweeper continues to catch a home page change to "about:blank",
    and then I run CWShredder and it removes the SearchX virus, and it recurs at least once a day.

    This time I ran HJT and dumped the log. Any thoughts?
    Thanks

    Logfile of HijackThis v1.97.7
    Scan saved at 9:21:51 AM, on 5/3/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\System32\ibmpmsvc.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    C:\Program Files\Sygate\smc.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\Ati2evxx.exe
    C:\Program Files\SQLLIB\bin\db2jds.exe
    C:\Program Files\SQLLIB\bin\db2licd.exe
    C:\Program Files\SQLLIB\bin\db2sec.exe
    C:\EDMNT\EDMEXECD.exe
    C:\WINNT\System32\gearsec.exe
    C:\PROGRA~1\Marimba\CASTAN~1\Tuner.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\mcshield.exe
    C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
    C:\PROGRA~1\SQLLIB\bin\IWH2SERV.EXE
    C:\WINNT\system32\Ati2evxx.exe
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    C:\WINNT\AGRSMMSG.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINNT\System32\RunDll32.exe
    C:\Program Files\CheckPoint\SecuRemote\bin\fwenc.exe
    C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\PROGRA~1\IBM\IMNNQ\HTTPDL.exe
    C:\PROGRA~1\IBM\IMNNQ\imnsvdem.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
    C:\Program Files\Lotus\Sametime Client\Connect.exe
    C:\Lotus\Notes\NLNOTES.EXE
    C:\Lotus\Notes\ntaskldr.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINNT\System32\mdm.exe
    C:\Documents and Settings\dsomick1\Desktop\hjt\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\System32\jkeg.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\System32\jkeg.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\System32\jkeg.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\System32\jkeg.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\System32\jkeg.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\System32\jkeg.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://mww.metlife.com/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {2D272531-E4EA-44F9-86D9-9AF25CF31258} - C:\WINNT\System32\jkeg.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
    O4 - HKLM\..\Run: [fwenc.exe] "C:\Program Files\CheckPoint\SecuRemote\bin\fwenc.exe"
    O4 - HKLM\..\Run: [WG511WLU] C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\smc.exe -startgui
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: EDMNTUSER.lnk = C:\EDMNT\EDMNTUSR.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Start HTML Search Server.lnk = C:\Program Files\SQLLIB\bin\db2nq.exe
    O4 - Global Startup: starteam.cmd
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O11 - Options group: [JAVA_MSJVM_VM] Microsoft VM
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://mww.metlife.com
    O16 - DPF: JavaConnect - file://C:\Documents and Settings\tkaminski\Local Settings\Temp\SISD\JavaConnect.cab
    O16 - DPF: Sametime BroadCast Client ST30IF2 - file://C:\Documents and Settings\tkaminski\Local Settings\Temp\SISD\STBroadcastClient.cab
    O16 - DPF: Sametime Directory Applet ST30SP1 - file://C:\Documents and Settings\tkaminski\Local Settings\Temp\SISD\STDirectoryApplet.cab
    O16 - DPF: Sametime Meeting Room Client ST30SP1 - file://C:\Documents and Settings\tkaminski\Local Settings\Temp\SISD\STMeetingRoomClient.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://courses.mindleaders.com/dpec/shared/cabs/awswaxf.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {24CEC0BF-C8BC-4BCB-B804-226326B319EF} (JNILoader Control) - file://C:\Documents and Settings\tkaminski\Local Settings\Temp\SISD\STJNILoader.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/99...W/win/019-0123.20031218.zes4d/iTunesSetup.exe
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52....com/mickey/us/win/QuickTimeFullInstaller.exe
    O16 - DPF: {64A6114F-2976-4634-BE36-134BF84D369C} (eWebEditProLibCtl4.eWebEditPro) - http://www.ektron.com/ewebeditpro4/ewebeditpro4.cab
    O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www-3.ibm.com/pc/support/access/aslibmain/content/IbmEgath.cab
    O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://www.ektron.com/ewebeditpro4/msxml4.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38099.8294212963
    O16 - DPF: {A25BE7A9-3102-46B4-BAAE-462471B60ACB} (STConnectivityAgent Control) - file://C:\Documents and Settings\tkaminski\Local Settings\Temp\SISD\InstallSTConnAgent.cab
    O16 - DPF: {CDBD9968-7BF1-11D4-9D36-0001029DEBEB} (Loader Class) - http://testdirector.metlife.com/Spider.ocx
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://ahdweb.webmeeting.att.com/client/webex/ieatgpc.cab
    O16 - DPF: {E598AC61-4C6F-4F4D-877F-FAC49CA91FA3} (acpRunner Class) - https://www-3.ibm.com/pc/support/access/aslibmain/content/AcpControl.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = metlife.com
    O17 - HKLM\Software\..\Telephony: DomainName = metlife.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{562EC8E3-A85E-4B56-B460-8310FF8DC490}: Domain = metlife.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C8D2EB51-122F-4195-A8B7-09FAAFD9C278}: Domain = metlife.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = metlife.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = metlife.com


    After I ran CWShredder, it looks to have restored 6 IE pages and removed SearchX again; the file is jkeg.dll...
    And here is the HJT dump after running CWShredder:
    Logfile of HijackThis v1.97.7
    Scan saved at 9:35:44 AM, on 5/3/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\System32\ibmpmsvc.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    C:\Program Files\Sygate\smc.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\Ati2evxx.exe
    C:\Program Files\SQLLIB\bin\db2jds.exe
    C:\Program Files\SQLLIB\bin\db2licd.exe
    C:\Program Files\SQLLIB\bin\db2sec.exe
    C:\EDMNT\EDMEXECD.exe
    C:\WINNT\System32\gearsec.exe
    C:\PROGRA~1\Marimba\CASTAN~1\Tuner.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\mcshield.exe
    C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
    C:\PROGRA~1\SQLLIB\bin\IWH2SERV.EXE
    C:\WINNT\system32\Ati2evxx.exe
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    C:\WINNT\AGRSMMSG.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINNT\System32\RunDll32.exe
    C:\Program Files\CheckPoint\SecuRemote\bin\fwenc.exe
    C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\PROGRA~1\IBM\IMNNQ\HTTPDL.exe
    C:\PROGRA~1\IBM\IMNNQ\imnsvdem.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
    C:\Program Files\Lotus\Sametime Client\Connect.exe
    C:\Lotus\Notes\NLNOTES.EXE
    C:\Lotus\Notes\ntaskldr.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINNT\System32\mdm.exe
    C:\Documents and Settings\dsomick1\Desktop\hjt\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://mww.metlife.com/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
    O4 - HKLM\..\Run: [fwenc.exe] "C:\Program Files\CheckPoint\SecuRemote\bin\fwenc.exe"
    O4 - HKLM\..\Run: [WG511WLU] C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\smc.exe -startgui
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: EDMNTUSER.lnk = C:\EDMNT\EDMNTUSR.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Start HTML Search Server.lnk = C:\Program Files\SQLLIB\bin\db2nq.exe
    O4 - Global Startup: starteam.cmd
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O11 - Options group: [JAVA_MSJVM_VM] Microsoft VM
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://mww.metlife.com
    O16 - DPF: JavaConnect - file://C:\Documents and Settings\tkaminski\Local Settings\Temp\SISD\JavaConnect.cab
    O16 - DPF: Sametime BroadCast Client ST30IF2 - file://C:\Documents and Settings\tkaminski\Local Settings\Temp\SISD\STBroadcastClient.cab
    O16 - DPF: Sametime Directory Applet ST30SP1 - file://C:\Documents and Settings\tkaminski\Local Settings\Temp\SISD\STDirectoryApplet.cab
    O16 - DPF: Sametime Meeting Room Client ST30SP1 - file://C:\Documents and Settings\tkaminski\Local Settings\Temp\SISD\STMeetingRoomClient.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://courses.mindleaders.com/dpec/shared/cabs/awswaxf.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {24CEC0BF-C8BC-4BCB-B804-226326B319EF} (JNILoader Control) - file://C:\Documents and Settings\tkaminski\Local Settings\Temp\SISD\STJNILoader.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/99...W/win/019-0123.20031218.zes4d/iTunesSetup.exe
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52....com/mickey/us/win/QuickTimeFullInstaller.exe
    O16 - DPF: {64A6114F-2976-4634-BE36-134BF84D369C} (eWebEditProLibCtl4.eWebEditPro) - http://www.ektron.com/ewebeditpro4/ewebeditpro4.cab
    O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www-3.ibm.com/pc/support/access/aslibmain/content/IbmEgath.cab
    O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://www.ektron.com/ewebeditpro4/msxml4.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38099.8294212963
    O16 - DPF: {A25BE7A9-3102-46B4-BAAE-462471B60ACB} (STConnectivityAgent Control) - file://C:\Documents and Settings\tkaminski\Local Settings\Temp\SISD\InstallSTConnAgent.cab
    O16 - DPF: {CDBD9968-7BF1-11D4-9D36-0001029DEBEB} (Loader Class) - http://testdirector.metlife.com/Spider.ocx
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://ahdweb.webmeeting.att.com/client/webex/ieatgpc.cab
    O16 - DPF: {E598AC61-4C6F-4F4D-877F-FAC49CA91FA3} (acpRunner Class) - https://www-3.ibm.com/pc/support/access/aslibmain/content/AcpControl.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = metlife.com
    O17 - HKLM\Software\..\Telephony: DomainName = metlife.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{562EC8E3-A85E-4B56-B460-8310FF8DC490}: Domain = metlife.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C8D2EB51-122F-4195-A8B7-09FAAFD9C278}: Domain = metlife.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = metlife.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = metlife.com
     
    Last edited: May 3, 2004
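An added triage script, not part of this thread or of HijackThis, that applies the reasoning Pieter used to the R1/O2/O16 lines from the two logs above (the first 4/30 log and the 5/3 log taken before CWShredder ran): it flags IE search settings redirected to a res:// page inside a local DLL, unnamed BHOs loaded from System32, the HomeOldSP = about:blank entry, and O16 entries using the ms-its/mhtml protocol, then groups hits by DLL so a file like jkeg.dll that both hosts the search page and runs as a BHO stands out. The sample lines are copied from the logs in this thread; the flag rules are my own heuristics and the function names are mine.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: R/O lines copied from the HijackThis logs posted in this
# thread, trimmed to the entries that matter. The space in "ms-its :" is the
# one the helper inserted so the line does not trip AV scanners.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\System32\jkeg.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\System32\jkeg.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\System32\jkeg.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://mww.metlife.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2D272531-E4EA-44F9-86D9-9AF25CF31258} - C:\WINNT\System32\jkeg.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its :mhtml:file://c:\nosuch.mht!http://cashsearch.biz/legal/x.chm::/load.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

# "R1 - <body>" / "O16 - <body>": the section tag and the rest of the entry.
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
# A DLL sitting directly in System32 (WINNT or WINDOWS install), e.g. jkeg.dll.
SYSTEM32_DLL_RE = re.compile(
    r"[A-Za-z]:\\WIN(?:NT|DOWS)\\System32\\([^\\/\s]+\.dll)", re.IGNORECASE)
# The MhtRedir shape: an ms-its/mhtml URL that pulls a file out of a .chm.
MHT_REDIR_RE = re.compile(r"ms-its\s*:|mhtml:|\.chm::", re.IGNORECASE)


@dataclass
class Finding:
    kind: str            # HijackThis section tag (R0, R1, O2, O16)
    reason: str          # why the line was flagged
    line: str            # the original log line, ready to tick in "Fix checked"
    dll: Optional[str] = None  # System32 DLL the line references, if any


def _system32_dll(body: str) -> Optional[str]:
    m = SYSTEM32_DLL_RE.search(body)
    return m.group(1) if m else None


def triage(log_text: str) -> List[Finding]:
    """Walk a HijackThis log and return the entries worth a second look."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, process list, blank line
        kind, body = m.group("kind"), m.group("body")
        if kind in ("R0", "R1"):
            if "res://" in body.lower() or "(obfuscated)" in body.lower():
                findings.append(Finding(kind, "IE search/start page redirected to a"
                                        " resource inside a local DLL", line, _system32_dll(body)))
            elif "HomeOldSP" in body and "about:blank" in body.lower():
                findings.append(Finding(kind, "HomeOldSP left at about:blank"
                                        " (hijacker residue)", line))
        elif kind == "O2":
            dll = _system32_dll(body)
            if "(no name)" in body and dll:
                findings.append(Finding(kind, "unnamed BHO loaded from System32", line, dll))
        elif kind == "O16" and MHT_REDIR_RE.search(body):
            findings.append(Finding(kind, "Downloaded Program File fetched through"
                                    " ms-its/mhtml from a .chm", line))
    return findings


def correlate(findings: List[Finding]) -> Dict[str, List[str]]:
    """Map each System32 DLL to the sections that reference it; a DLL hit from
    more than one section (res:// page *and* BHO) is the component to remove."""
    by_dll: Dict[str, set] = {}
    for f in findings:
        if f.dll:
            by_dll.setdefault(f.dll.lower(), set()).add(f.kind)
    return {dll: sorted(kinds) for dll, kinds in by_dll.items() if len(kinds) > 1}


def fix_checked_lines(findings: List[Finding]) -> List[str]:
    """The exact log lines a helper would ask the user to tick and 'Fix checked'."""
    return [f.line for f in findings]


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for h in hits:
        print(f"[{h.kind}] {h.reason}\n    {h.line}")
    print("DLLs referenced from several sections:", correlate(hits))
```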
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
  5. dsomick

    dsomick Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    10
    Thanks.
    Earlier I was reading other threads and they recommended running xfind. I ran that and it said C:\WINNT\System32\WINECJJ.DLL +++ File read error

    Running find-all interestingly shows the same file...

    Again, thanks for your help.

    Here is the output.txt from find-all:
    Possible bad file(s) found... (locked)
    \\?\C:\WINNT\System32\WINECJJ.DLL +++ File read error
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "DeviceNotSelectedTimeout"="15"
    "GDIProcessHandleQuota"=dword:00002710
    "Spooler"="yes"
    "swapdisk"=""
    "TransmissionRetryTimeout"="90"
    "USERProcessHandleQuota"=dword:00002710
    "AppInit_DLLs"=""

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

    REGEDIT4

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]
    "CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]
    "CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]
    "CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
    @="AP Class Install Handler filter"
    "CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
    @="AP Deflate Encoding/Decoding Filter "
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
    @="AP GZIP Encoding/Decoding Filter "
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
    @="AP lzdhtml encoding/decoding Filter"
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
    @="WebView MIME Filter"
    "CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

    
     
  6. dsomick

    dsomick Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    10
    Just a quick note here.
    I ran "C:\>dir WINECJJ.dll /a /s" and that file doesn't seem to exist... I don't know what find-all is looking at...
     
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi dsomick,

    That is why we use it, because other programs can't see the file.

    Download: "CopyLock" and unzip:
    http://www10.brinkster.com/expl0iter/freeatlast/CopyLock.zip

    Set up these options:
    - Check 'Show Source paths'
    - Check 'Allow Downgrade'

    Click the 'Add' tab->'Files to rename'
    In the 'Look in..' Dialogue box navigate to your
    C:\WINDOWS\System32 directory and stop there!
    (*you will not see the file!)
    Copy and paste into the 'File name' field:
    WINECJJ.DLL
    Hit ->Add.
    In the result (destination) erase entire output (copy of...) and
    paste this, instead:
    WINECJJ.DLX
    Hit 'ok' (On warning of different extension as well)
    and on the main box hit the->'Apply' tab
    **You will be asked to restart computer!
    Do so right away, next--
    navigate to System32 and delete the "WINECJJ.DLX"
    file, as it'll be visible!

    ***ATTENTION***
    If you get "file not found" error during the process, that
    means it will not work.

    Regards,

    Pieter
     
  8. dsomick

    dsomick Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    10
    Argh!
    I am getting a file not found from copylock :mad:
     
  9. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Download "moveex" from the same page:
    http://www10.brinkster.com/expl0iter/freeatlast/PVtool.htm

    Unzip, and put the "moveex.exe" file itself directly
    in your system32 folder.

    Copy and paste the following command into the Start/run box:
    moveex.exe %Windir%\system32\WINKDHG.dll %WinDir%\WINECJJ.dlx

    Restart computer,
    and search for WINECJJ.dlx and try to delete.

    Regards,

    Pieter
     
  10. dsomick

    dsomick Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    10
    Hey, unfortunately I don't see this link on that page
     
  11. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
  12. dsomick

    dsomick Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    10
    OK, got moveex.exe and put it in system32. Not too sure if what you sent as the DLL name was a typo or if you had some new insights, so I ran both of the following in regular and safe mode and got this reply:
    C:\WINNT\system32>moveex WINECJJ.DLL WINECJJ.DLX
    File not found: WINECJJ.DLL.

    C:\WINNT\system32>moveex.exe %Windir%\system32\WINKDHG.dll %WinDir%\WINECJJ.dlx
    File not found: C:\WINNT\system32\WINKDHG.dll.
     
  13. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    OK, I am starting to believe the about:blank is a coincidence and you are not infected with CWS at all.
    Is the about:blank page really blank, i.o.w. empty?
    In that case we have been chasing our shadow.

    Regards,

    Pieter
     
  14. dsomick

    dsomick Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    10
    It is not blank, it is some search page. My Spy Sweeper software keeps noting that it is being changed, and then I run CWShredder and it kills a CWS.searchx and fixes the IE registry keys.... I guess you're hinting that I may need to wait until a SearchX update comes for McAfee?
     
  15. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    I am saying that I don't expect a definite answer to this one. Not anytime soon from anyone anyway.

    Truly sorry we couldn't help,

    Pieter
     
  16. dsomick

    dsomick Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    10
    Don't be, I am very grateful for your help!
    Do you know how findx works, or know where I can get the source?
    Because it strikes me funny that findX sees this file while CopyLock and move don't.
    I wonder if findx is finding a spoofed entry in the directory or FAT and that file doesn't really exist at all under that name, which is why the other progs can't find it.

    But if findx is truly finding the locked file and then not being able to read it properly... then I would really like to see what find is doing versus move (I would think FindFile and MoveFile would have the same API permissions).
    Thanks for your generous help.

    Dave
     
  17. dsomick

    dsomick Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    10
    Hi Pieter,
    Just wanted to follow up...
    I reran find-all and somehow another browser helper object popped up (possibly being obscured by this JKEG.DLL spoof...).
    Then I found BHODemon and disabled this new BHO... and I haven't had hijackings in a couple of days now... so I think I am good.
    BTW, the browser helper file that was in question is "ndknepa.dll".
     