Weird Hijack, Please Help!

Discussion in 'adware, spyware & hijack cleaning' started by illusionzzz, Jun 24, 2004.

Thread Status:
Not open for further replies.
  1. illusionzzz

    illusionzzz Registered Member

    Joined:
    Jun 24, 2004
    Posts:
    5
    Hey everyone,
    I was hoping someone on here could give me a hand, it would be really appreciated.

    I have been getting porn popups(different site everytime) roughly every 5 mins, it's quite annoying. I deleted what i thought was the culprit (last thing in my log) but about 5mins after fixing it my internet goes dead, i can't access any sites, or make any sort of connections even though i am still on the net (when i type in an address it says cannot open search page, no matter the website). When i restart the thing is back in my log and my interent works but i continue to get popups, please could someone take a look at this and give me a hand.

    I have used ad-aware, spybot and even CwShredder. My antivirus (AVG) is also up to date and i recently finished downloading all XP critical updates.

    heres my log

    Logfile of HijackThis v1.97.7
    Scan saved at 7:01:12 PM, on 24/06/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\carpserv.exe
    C:\WINDOWS\htpatch.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\PROGRA~1\DATACA~1\FLashKsk.exe
    C:\WINDOWS\System32\mcc.exe
    C:\WINDOWS\System32\windll32.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    C:\Program Files\DAP\DAP.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Harley1\My Documents\Downloads\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fordforums.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.fordforums.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
    O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [DataCaching] C:\PROGRA~1\DATACA~1\FLashKsk.exe
    O4 - HKLM\..\Run: [Multimedia Codecs] C:\WINDOWS\System32\mcc.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [windll32.exe] C:\WINDOWS\System32\windll32.exe
    O4 - Global Startup: hp psc 1000 series.lnk = ?
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38158.9703356481
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5BAA4036-8A78-4624-AF39-46DAE00AE37D}: NameServer = 203.134.64.66 203.134.65.66

    any help would be great, thanks.
     
  2. IMM

    IMM Spyware Fighter

    Joined:
    May 6, 2004
    Posts:
    351
    That last line (you did mean the O17 ? ) is nc1.syd.iprimus.net.au
    If you are with iprimus in sydney or thereabouts - that line is probably fine

    These lines

    O4 - HKLM\..\Run: [Multimedia Codecs] C:\WINDOWS\System32\mcc.exe
    O4 - HKCU\..\Run: [windll32.exe] C:\WINDOWS\System32\windll32.exe

    are evil however

    The second one is likely either
    http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.astef.html
    or
    http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.repsan.html

    The first one is a CoolWebSearch variant

    Download CWShredder by Merijn Bellekom
    Unzip it to somewhere you can easily find it later

    Use Taskmanager (Ctrl-Alt-Del) to end these running processes if you can
    (or use Process Explorer)
    C:\WINDOWS\System32\mcc.exe
    C:\WINDOWS\System32\windll32.exe


    Run HijackThis again, push Scan and place a check mark next to the following items using your mouse.
    Next, close all browser Windows, and push the 'Fix checked' button in HijackThis

    O4 - HKLM\..\Run: [Multimedia Codecs] C:\WINDOWS\System32\mcc.exe
    O4 - HKCU\..\Run: [windll32.exe] C:\WINDOWS\System32\windll32.exe


    Run the CWShredder file, press 'Fix', and allow it to fix all it finds.

    Empty the TIF (Temporary Internet Files)
    To do so use Control Panel > Internet Options(or right click the IE icon on the desktop and choose Properties)
    Click Delete Files on the General Tab - place a check in the Delete all offline content box and then press OK

    Delete all the files in (and any subfolders of) the C:\Windows\Temp\ folder

    Set your Explorer up using the info in this link so that hidden and System files are visible
    Also Uncheck the "Hide extensions for known file types" box

    Reboot to SAFE mode
    How to start the computer in Safe mode

    Delete the following files:
    C:\WINDOWS\System32\windll32.exe
    C:\WINDOWS\System32\mcc.exe


    Run CWShredder again while still in SAFE mode

    Reboot to normal mode

    Download Spybot - Search and Destroy
    After installing, first press Online, and search for, put a check mark at, and install all updates.
    Next, close all Internet Explorer windows, hit 'Check for Problems', and after SpyBotSD has completed it's scan push the 'Fix checked' button for all that it has automatically selected.

    Get a good online virus scan at HouseCall as a second opinion

    ----
    Let's hope that gets it - this one can be difficult.
     
  3. illusionzzz

    illusionzzz Registered Member

    Joined:
    Jun 24, 2004
    Posts:
    5
    Firstly thank you soooo much for your speedy reply. Thank you even more for going to the trouble of helping me out. I did everything you said and so far so good, the popups have gone!!!!! I have no viruses and everything seems to be working sweet.

    If you dont mind i will post my hijack log again and it would be great if you could have one final quick look. Finallly do you have any advice/websites i can visit to try and stop this from happening again.

    Again thank you so very much, i really appreciate you going to the trouble of helping a complete stranger.

    Heres my log:

    Logfile of HijackThis v1.97.7
    Scan saved at 2:03:26 AM, on 25/06/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\carpserv.exe
    C:\WINDOWS\htpatch.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\PROGRA~1\DATACA~1\FLashKsk.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\PROGRA~1\DAP\DAP.EXE
    C:\Documents and Settings\Harley1\My Documents\Downloads\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fordforums.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.fordforums.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
    O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [DataCaching] C:\PROGRA~1\DATACA~1\FLashKsk.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Global Startup: hp psc 1000 series.lnk = ?
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38158.9703356481
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5BAA4036-8A78-4624-AF39-46DAE00AE37D}: NameServer = 203.134.64.66 203.134.65.66

    Kind Regards
    Harley
     
  4. IMM

    IMM Spyware Fighter

    Joined:
    May 6, 2004
    Posts:
    351
  5. illusionzzz

    illusionzzz Registered Member

    Joined:
    Jun 24, 2004
    Posts:
    5
    Again thanks so much!!
     
Thread Status:
Not open for further replies.