Author Topic: Splash "access denied" & search results hijack  (Read 26490 times)


umtutsut

  • Guest
Re: Splash "access denied" & search results hijack
« Reply #30 on: July 26, 2009, 12:52:41 AM »
Part 26 (last!) -- THANKS to anyone who can help!!!

C:\Documents and Settings\Rachel\Cookies\rachel@cz8.clickzs[2].txt
   C:\Documents and Settings\Rachel\Cookies\rachel@intellisrv[1].txt
   C:\Documents and Settings\Rachel\Cookies\rachel@insightexpressai[1].txt
   C:\Documents and Settings\Rachel\Cookies\rachel@ads.adbrite[1].txt
   C:\Documents and Settings\Rachel\Cookies\rachel@trafficmp[2].txt
   C:\Documents and Settings\Rachel\Cookies\rachel@adopt.specificclick[1].txt
   C:\Documents and Settings\Rachel\Cookies\rachel@optimost[1].txt
   C:\Documents and Settings\Rachel\Cookies\rachel@ad.yieldmanager[2].txt
   C:\Documents and Settings\Rachel\Cookies\rachel@tremor.adbureau[2].txt
   C:\Documents and Settings\Rachel\Cookies\rachel@www.burstbeacon[2].txt
   C:\Documents and Settings\Rachel\Cookies\rachel@qnsr[1].txt
   C:\Documents and Settings\Rachel\Cookies\rachel@questionmarket[2].txt
   C:\Documents and Settings\Rachel\Cookies\rachel@nextag[1].txt
   C:\Documents and Settings\Rachel\Cookies\rachel@adrevolver[2].txt
   C:\Documents and Settings\Rachel\Cookies\rachel@ad.admarketplace[1].txt
   C:\Documents and Settings\Rachel\Cookies\rachel@revsci[1].txt
   C:\Documents and Settings\Rachel\Cookies\rachel@insightfirst[2].txt
   C:\Documents and Settings\Rachel\Cookies\rachel@ads.monster[1].txt
   C:\Documents and Settings\Rachel\Cookies\rachel@specificclick[2].txt
   C:\Documents and Settings\Rachel\Cookies\rachel@media.adrevolver[1].txt
   C:\Documents and Settings\Rachel\Cookies\rachel@server.cpmstar[1].txt
   C:\Documents and Settings\Rachel\Cookies\rachel@icc.intellisrv[1].txt
   C:\Documents and Settings\Rachel\Cookies\rachel@media.adrevolver[2].txt
   C:\Documents and Settings\Rachel\Cookies\rachel@adbrite[1].txt
   C:\Documents and Settings\Rachel\Cookies\rachel@adopt.euroclick[1].txt
   C:\Documents and Settings\Rachel\Cookies\rachel@advertising[1].txt
   C:\Documents and Settings\Rachel\Cookies\rachel@doubleclick[2].txt
   C:\Documents and Settings\Rachel\Cookies\rachel@e-2dj6wjkoeocpefq.stats.esomniture[1].txt
   C:\Documents and Settings\Rachel\Cookies\rachel@e-2dj6wjmiukdpsbo.stats.esomniture[2].txt
   C:\Documents and Settings\Rachel\Cookies\rachel@e-2dj6wjny-1pazih.stats.esomniture[2].txt
   C:\Documents and Settings\Rachel\Cookies\rachel@friendfinder[2].txt
   C:\Documents and Settings\Rachel\Cookies\rachel@onlinerewardcenter[1].txt
   C:\Documents and Settings\Rachel\Local Settings\Temp\Cookies\rachel@partner2profit[1].txt

Trojan.Downloader-Gen/A
   C:\DOCUMENTS AND SETTINGS\RACHEL\LOCAL SETTINGS\TEMP\A.EXE

Adware.Vundo/Variant-Trace
   C:\WINDOWS\SYSTEM32\EBOROPUG.INI
   C:\WINDOWS\SYSTEM32\OGEREVUH.INI

micky77

  • Guest
Re: Splash "access denied" & search results hijack
« Reply #31 on: July 26, 2009, 01:59:30 AM »
Run HJT again, choose scan only, then fix: O20 - AppInit_DLLs: cnfwha.dll C:\WINDOWS\system32\yeneseje.dll c:\windows\system32\wiwisoho.dll

Reboot

You could run RootRepeal and post a log: http://rootrepeal.googlepages.com/

Then try a couple of online scanners:

http://www.eset.com/onlinescan/

http://www.bitdefender.com/scanner/online/free.html

Then post the results.
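The O20 line above is a HijackThis report of the AppInit_DLLs registry value, a list of DLLs that Windows loads into every process that links user32.dll; legitimate software almost never uses it, so any non-empty value deserves a look. As an added example (not code from the thread, from HijackThis, or from any tool named here), the script below parses such a line, splits the value the way Windows does (spaces or commas as separators, bare names resolved against System32), and reports which entries can be found on disk. The file list it checks against is constructed; on a real machine the value would be read from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs and `os.path.exists` would replace the injected check.

```python
"""Audit an AppInit_DLLs value such as the one HijackThis reports as an O20 line.

Added example, not code from the thread. The file layout below is
constructed; on a real machine the value is read from
HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_DLLs.
"""
import ntpath
import re

SYSTEM32 = r"C:\WINDOWS\system32"

# The O20 line from the thread, reproduced as sample input.
HJT_O20_LINE = (
    "O20 - AppInit_DLLs: cnfwha.dll "
    r"C:\WINDOWS\system32\yeneseje.dll c:\windows\system32\wiwisoho.dll"
)

# Constructed view of the file system: only these DLLs "exist" for the demo.
PRESENT_FILES = {
    r"c:\windows\system32\yeneseje.dll",
    r"c:\windows\system32\wiwisoho.dll",
}


def parse_o20_line(line):
    """Return the raw AppInit_DLLs value from a HijackThis O20 line."""
    m = re.match(r"^O20 - AppInit_DLLs:\s*(.*)$", line.strip())
    if not m:
        raise ValueError("not an O20 AppInit_DLLs line")
    return m.group(1)


def split_appinit_value(value):
    """Split an AppInit_DLLs value into individual DLL paths.

    Windows accepts spaces or commas as separators; a bare file name is
    loaded from System32, so it is normalised to that full path here.
    """
    entries = []
    for token in re.split(r"[,\s]+", value.strip()):
        if not token:
            continue
        if ntpath.dirname(token) == "":
            token = ntpath.join(SYSTEM32, token)
        entries.append(token)
    return entries


def audit_appinit(value, exists=lambda p: p.lower() in PRESENT_FILES):
    """Map each DLL name to 'present' or 'missing'.

    `exists` is injectable so the check runs offline against the constructed
    file list; a real run would pass os.path.exists instead.
    """
    report = {}
    for path in split_appinit_value(value):
        name = ntpath.basename(path).lower()
        report[name] = "present" if exists(path) else "missing"
    return report


if __name__ == "__main__":
    value = parse_o20_line(HJT_O20_LINE)
    print("AppInit_DLLs value is non-empty; entries:")
    for name, status in audit_appinit(value).items():
        print(f"  {name}: {status}")
```

A "missing" entry is not proof of anything by itself (the file may have been deleted by an earlier cleanup while the registry value was left behind), but a bare name that cannot be found in System32 is exactly the case the thread runs into, and the value should be emptied either way once the DLLs have been checked.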

umtutsut

  • Guest
Re: Splash "access denied" & search results hijack
« Reply #32 on: July 26, 2009, 03:33:50 PM »
OK, that didn't go well at all.

RootRepeal would not initialize on my machine. I repeatedly had to stop the "busy" dialog from running. NOW...my machine won't pick up my internet connection thru the router! (I'm writing on a different machine.) Another wireless machine connects fine, so it's something in my computer.

UGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH!!!!!

Les

umtutsut

  • Guest
Re: Splash "access denied" & search results hijack
« Reply #33 on: July 26, 2009, 04:44:12 PM »
Run HJT again, choose scan only, then fix: O20 - AppInit_DLLs: cnfwha.dll C:\WINDOWS\system32\yeneseje.dll c:\windows\system32\wiwisoho.dll

Reboot

You could run RootRepeal and post a log: http://rootrepeal.googlepages.com/

Then try a couple of online scanners:

http://www.eset.com/onlinescan/

http://www.bitdefender.com/scanner/online/free.html

Then post the results.
Micky77:

OK, that didn't work at all!
Eset froze scanning one of my son's files and Bitdefender couldn't update the virus signatures.

Would it be advisable to simply uninstall and then reinstall Avast???

Les

micky77

  • Guest
Re: Splash "access denied" & search results hijack
« Reply #34 on: July 26, 2009, 05:33:36 PM »
IMO I don't think reinstalling will help. I think you have something lurking that is interfering with Avast, RootRepeal, the online scanners, etc.
Two of the files in the entry you fixed, yeneseje.dll and wiwisoho.dll, are malicious. I can find nothing on cnfwha.dll. Can you find that file? If so, send it to VirusTotal for analysis:
http://www.virustotal.com/

http://www.prevx.com/filenames/2179966988013054252-X1/WIWISOHO.DLL.html
http://www.prevx.com/filenames/3665299136872958320-X1/YENESEJE.DLL.html

The only thing I can suggest is you try SDFix, which runs in safe mode (print the instructions off), and a rescue disc, which scans without booting Windows.
http://www.bleepingcomputer.com/forums/topic131299.html
http://forum.avira.com/wbb/index.php?page=Thread&postID=730130#post730130

I find it strange MBAM and SAS did not find more. Have you already removed malware before posting here?



umtutsut

  • Guest
Re: Splash "access denied" & search results hijack
« Reply #35 on: July 26, 2009, 05:54:33 PM »
IMO I don't think reinstalling will help. I think you have something lurking that is interfering with Avast, RootRepeal, the online scanners, etc.
Two of the files in the entry you fixed, yeneseje.dll and wiwisoho.dll, are malicious. I can find nothing on cnfwha.dll. Can you find that file? If so, send it to VirusTotal for analysis:
http://www.virustotal.com/

http://www.prevx.com/filenames/2179966988013054252-X1/WIWISOHO.DLL.html
http://www.prevx.com/filenames/3665299136872958320-X1/YENESEJE.DLL.html

The only thing I can suggest is you try SDFix, which runs in safe mode (print the instructions off), and a rescue disc, which scans without booting Windows.
http://www.bleepingcomputer.com/forums/topic131299.html
http://forum.avira.com/wbb/index.php?page=Thread&postID=730130#post730130

I find it strange MBAM and SAS did not find more. Have you already removed malware before posting here?

I'm running the search for that mystery .dll file now, but it's gonna take a while.
I ran numerous MBAM and Avast scans before posting, yes. I only posted here after Avast refused to run.

Strange that something would not interfere with MBAM and SAS but DOES interfere with the others, no?

Les

micky77

  • Guest
Re: Splash "access denied" & search results hijack
« Reply #36 on: July 26, 2009, 05:59:53 PM »
Strange that something would not interfere with MBAM and SAS but DOES interfere with the others, no?

Yes, I suppose so. If you run the rescue disk, do so first; it sometimes finds other security tools, like ComboFix etc., as threats and wrecks them.
Can you check your hosts file and see if there are any entries there? It's at c:\windows\system32\drivers\etc\hosts; open the last file with Notepad.
« Last Edit: July 26, 2009, 06:03:40 PM by micky77 »

YoKenny

  • Guest
Re: Splash "access denied" & search results hijack
« Reply #37 on: July 26, 2009, 06:01:46 PM »
You can stop all those tracking cookies by installing a HOSTS file:
Blocking Unwanted Parasites with a Hosts File
http://www.mvps.org/winhelp2002/hosts.htm

A more comprehensive HOSTS file is provided by hpHosts and I manage them with HostsMan and its browser speedup proxy HostsServer:
http://www.abelhadigital.com <== I use 3.2.71 Beta7
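Both of the last two posts turn on the same file: micky77 asks for a look at the hosts file for unexpected entries, and YoKenny points out that the same file, filled with a block list such as the MVPS one, stops ad and tracker domains from resolving at all. The script below is an added example (not code from the thread, from MVPS, or from HostsMan) that parses a hosts file and sorts its entries into the two cases: sinkhole entries that point a domain at 0.0.0.0 or 127.0.0.1 (a block list, benign), and entries that send a security vendor's domain to some other address (the kind of hijack that would explain scanners failing to update). The sample hosts content, the 203.0.113.5 address and the vendor keyword list are constructed.

```python
"""Inspect a Windows hosts file: tell block-list entries from hijacks.

Added example, not from the thread. The sample hosts content is constructed.
Entries that map a domain to 0.0.0.0 or 127.0.0.1 (as the MVPS list does)
block that domain; an entry that sends a security vendor's domain to an
arbitrary address is a sign that malware is preventing updates or scans.
"""
import ipaddress

SINKHOLE_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1"}

# Constructed keyword list: domains whose hijack would explain scanners that
# cannot update. Extend it to the vendors actually in use.
SECURITY_VENDOR_KEYWORDS = (
    "avast", "eset", "bitdefender", "malwarebytes", "virustotal", "microsoft",
)

SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# constructed block-list entries, in the MVPS style
0.0.0.0 ad.doubleclick.net
0.0.0.0 ads.adbrite.com   # trailing comment is ignored
# constructed hijack entries (203.0.113.5 is a documentation address)
203.0.113.5     www.avast.com
203.0.113.5     www.eset.com
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping comments, blanks and bad lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first field is not an IP address; not a hosts entry
        for host in parts[1:]:
            yield str(ip), host.lower()


def classify_entry(ip, host):
    """Label one entry: default, blocklist, hijack or redirect."""
    if host == "localhost":
        return "default"
    if ip in SINKHOLE_ADDRESSES:
        return "blocklist"
    if any(keyword in host for keyword in SECURITY_VENDOR_KEYWORDS):
        return "hijack"
    return "redirect"  # any other real address; review by hand


def audit_hosts(text):
    """Return {category: [(ip, host), ...]} for the whole file."""
    report = {"default": [], "blocklist": [], "hijack": [], "redirect": []}
    for ip, host in parse_hosts(text):
        report[classify_entry(ip, host)].append((ip, host))
    return report


def resolve(host, hosts_text):
    """Emulate the hosts-file lookup the OS does before DNS: return the
    address the file forces for `host`, or None when it has no entry."""
    for ip, name in parse_hosts(hosts_text):
        if name == host.lower():
            return ip
    return None


if __name__ == "__main__":
    for category, entries in audit_hosts(SAMPLE_HOSTS).items():
        for ip, host in entries:
            print(f"{category:9s} {ip:15s} {host}")
```

On the machine in the thread the path to feed in is c:\windows\system32\drivers\etc\hosts. A large number of "blocklist" entries is what an installed MVPS or hpHosts list looks like and is expected; anything in "hijack" or "redirect" is what micky77 is asking about.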

umtutsut

  • Guest
Re: Splash "access denied" & search results hijack
« Reply #38 on: July 26, 2009, 09:54:07 PM »

Then try a couple of online scanners:

http://www.eset.com/onlinescan/

http://www.bitdefender.com/scanner/online/free.html

Then post the results.

OK, got ESET to do a thorough scan. 7 hits. Results:
C:\Documents and Settings\Lynn\Local Settings\Temporary Internet Files\Content.IE5\N6FLO0GX\wbk109.tmp   HTML/Phishing.gen trojan   cleaned by deleting - quarantined
C:\RECYCLER\S-1-5-21-1935655697-838170752-839522115-1006\Dc135\WeatherBug\MiniBugTransporter.dll   Win32/Adware.WBug.A application   cleaned by deleting - quarantined
C:\RECYCLER\S-1-5-21-1935655697-838170752-839522115-1006\Dc144\MyPointsPointAlert1.exe   probably a variant of Win32/Adware.Agent application   cleaned by deleting - quarantined
C:\WINDOWS\system32\aropepem.ini   Win32/Adware.Virtumonde.NEO application   cleaned by deleting - quarantined
C:\WINDOWS\system32\avayirom.ini   Win32/Adware.Virtumonde.NEO application   cleaned by deleting - quarantined
C:\WINDOWS\system32\elejobeg.ini   Win32/Adware.Virtumonde.NEO application   cleaned by deleting - quarantined
C:\WINDOWS\system32\opipimew.ini   Win32/Adware.Virtumonde.NEO application   cleaned by deleting - quarantined

Standing by....

Les

umtutsut

  • Guest
Re: Splash "access denied" & search results hijack
« Reply #39 on: July 26, 2009, 10:00:41 PM »
Woo hoo! The ESET scan killed whatever was hijacking my search results!

Les

umtutsut

  • Guest
Re: Splash "access denied" & search results hijack
« Reply #40 on: July 27, 2009, 01:21:19 AM »
I can find nothing on cnfwha.dll. Can you find that file? If so, send it to VirusTotal for analysis.


Quick update: No such .dll was found via search. While my search results are no longer hijacked, Avast still won't run a scan.

I'm concerned that some of the stuff you guys are suggesting -- much appreciated, of course -- may be beyond my level of computer expertise.

Les

John2009

  • Guest
Re: Splash "access denied" & search results hijack
« Reply #41 on: July 27, 2009, 06:27:58 AM »
A good idea would be to stay off the porn sites; your computer is loaded with cookies from them! Porn sites naturally contain viruses.

micky77

  • Guest
Re: Splash "access denied" & search results hijack
« Reply #42 on: July 27, 2009, 02:51:49 PM »
I'm concerned that some of the stuff you guys are suggesting -- much appreciated, of course -- may be beyond my level of computer expertise.

Well, the rescue CD is fairly straightforward. You simply download the file, then double-click on it. You will then be prompted to insert a blank CD, and the program is then automatically burnt onto the CD.
Then insert the CD into the infected machine and reboot. Most PCs are set to boot from CD first.

Then from the on-screen options, choose 1 (boot from rescue system), then Enter.

The menu then appears; click on the English flag (for English).

Then click on Configuration and choose: scan all files, try to repair, rename if repair is not possible.
Tick the boxes for diallers, spyware, etc.

Then click on Virus Scanner and Start Scanner.
All instructions were in the link.


At the end of the scan, write down anything found and report back.

umtutsut

  • Guest
Re: Splash "access denied" & search results hijack
« Reply #43 on: July 27, 2009, 04:55:38 PM »
A good idea would be to stay off the porn sites; your computer is loaded with cookies from them! Porn sites naturally contain viruses.

Um, yes, well...those cookies seem to have been generated by my 20-year-old son, whose computer this was until a couple months ago!  ::)

Les (Friendly Airplane Asylum flack)

umtutsut

  • Guest
Re: Splash "access denied" & search results hijack
« Reply #44 on: July 27, 2009, 04:58:07 PM »
Well, the rescue CD is fairly straightforward. You simply download the file, then double-click on it. You will then be prompted to insert a blank CD, and the program is then automatically burnt onto the CD.

I appreciate your help, Micky. This would be a good idea...but neither of the CD drives on that computer is operational -- one reason why my son was willing to abandon it. I've tried downloading new drivers, but still no joy.... :-[

Les (Friendly Airplane Asylum flack)