TechSpot

Internet Explorer with -Haha?

By JasJas
Sep 15, 2007
  1. Heya,

    I just saw in my taskbar that the Internet Explorer box comes with the website name and ends with "-Haha"..... Is my PC infected? I would very much appreciate it if someone could help me out with this matter...

    thanks
     
  2. BlameCanada

    BlameCanada TS Rookie Posts: 320

    Go HERE, follow all the steps, then post the HJT, Combofix, and AVG logs.

    Somebody will tell you what to remove.
     
  3. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

    If after reading the above, you wish to clean your system, do the following.

    Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

    Also, let me know the results of the AVG Antirootkit scan.

    Regards Howard :)

    This thread is for the use of JasJas only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  4. JasJas

    JasJas TS Rookie Topic Starter Posts: 25

    Thanks Howard,

    I have followed all the instructions from the given link and nothing was detected by the AVG Antispyware and AVG Antirootkit scans. However, combofix identified wscript.exe with haha.js as the culprits. I have attached the hijackthis and combofix logs, so I would very much appreciate it if you could have a look at them, thanks.

    P.S.: Should I delete the registry entries, such as wscript.exe with haha.js, that were detected by combofix?

    I attached the latest hijackthis log as I noticed the -haha.js is back again......
     
  5. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    You haven't posted an AVG Antispyware log as requested, please do so in your next reply.

    We need to temporarily disable Spybot Search & Destroy's TeaTimer, as it may interfere with any fix we are trying to run.

    Disable Spybot's TeaTimer. This is a two step process.
    First:
    - Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
    - Choose Exit Spybot S&D Resident
    Second:
    - Open Spybot S&D
    - Click Mode, check Advanced Mode
    - Go To Left Panel, Click Tools, then also in left panel, click Resident
    - If your firewall raises a question, say OK
    - Uncheck the box labeled Resident Tea-Timer and OK any prompts.
    - Use File, Exit to terminate Spybot
    - Reboot your machine for the changes to take effect.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to it (if there).

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Haha

    Click on the fix checked button.

    Close HJT and reboot your computer.

    Reset your homepage to whatever you want.

    Re-enable Spybot's TeaTimer protection.

    Post a fresh HJT log as well as an AVG Antispyware log.

    Regards Howard :)

     
  6. JasJas

    JasJas TS Rookie Topic Starter Posts: 25

    Dear Howard,

    Nothing was detected by AVG anti-spyware, so no log was created, and the hijackthis log was taken when S&D's tea timer was off.

    Please refer to the combofix log regarding the R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Haha, as deleting it alone did not work; I tried that before posting the problem here. It appears again a while after it was deleted, so should I delete the infected file and registry entries which were shown in the combofix log?

    It is something like:

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
    AutoPlay\command- wscript.exe \Haha.js
    AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe \Haha.js
    Explore\command- wscript.exe \Haha.js -Clicked
    Open\command- wscript.exe \Haha.js
    Scan for Viruses\command- wscript.exe \Haha.js
    Scan with AVG\command- wscript.exe \Haha.js
    Scan with Norton AntiVirus\command- wscript.exe \Haha.js

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
    AutoRun\command- E:\autoplay.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{01dfdc6a-3eb8-11dc-82dd-00508de7710e}]
    AutoPlay\command- wscript.exe \Haha.js
    AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe \Haha.js
    Explore\command- wscript.exe \Haha.js -Clicked
    Open\command- wscript.exe \Haha.js
    Scan for Viruses\command- wscript.exe \Haha.js
    Scan with AVG\command- wscript.exe \Haha.js
    Scan with Norton AntiVirus\command- wscript.exe \Haha.js

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7bd77258-4465-11dc-b8ee-00508de7710e}]
    AutoPlay\command- wscript.exe \Haha.js
    AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe \Haha.js
    Explore\command- wscript.exe \Haha.js -Clicked
    Open\command- wscript.exe \Haha.js
    Scan for Viruses\command- wscript.exe \Haha.js
    Scan with AVG\command- wscript.exe \Haha.js
    Scan with Norton AntiVirus\command- wscript.exe \Haha.js
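
Added example (not part of any post in this thread, and not ComboFix's own code): a small Python check that reads a MountPoints2 excerpt in the layout quoted in the post above and lists the shell verbs whose command launches a script host or a script file. The sample log is constructed from lines in the thread; the function names and the lists of script hosts and extensions are assumptions chosen for illustration.

```python
import re

# Constructed sample, in the layout of the ComboFix excerpt quoted in the thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
AutoPlay\command- wscript.exe \Haha.js
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe \Haha.js
Scan with AVG\command- wscript.exe \Haha.js

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\autoplay.exe
"""

KEY_RE = re.compile(r"^\[(.+\\mountpoints2\\([^\\\]]+))\]$", re.IGNORECASE)
VERB_RE = re.compile(r"^(.+?)\\command- (.+)$")
# Assumed lists: Windows script hosts and script extensions worth flagging.
SCRIPT_HOST_RE = re.compile(r"\b(wscript|cscript|mshta)(\.exe)?\b", re.IGNORECASE)
SCRIPT_EXT_RE = re.compile(r"\.(js|jse|vbs|vbe|wsf|hta)\b", re.IGNORECASE)

def find_suspicious_verbs(log_text):
    """Return (mount_point, verb, command, reasons) for verbs that launch scripts."""
    findings = []
    mount = None
    for raw in log_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            mount = key.group(2)  # drive letter or volume GUID
            continue
        verb_line = VERB_RE.match(line)
        if not (mount and verb_line):
            continue
        verb, command = verb_line.group(1), verb_line.group(2)
        reasons = []
        if SCRIPT_HOST_RE.search(command):
            reasons.append("script host")
        if SCRIPT_EXT_RE.search(command):
            reasons.append("script file")
        if reasons:
            # Verbs named like AV context-menu entries are noted separately.
            if verb.lower().startswith("scan "):
                reasons.append("verb named like an AV menu entry")
            findings.append((mount, verb, command, reasons))
    return findings

def affected_mount_points(log_text):
    """Mount points (drive letters or volume GUIDs) with at least one finding."""
    return sorted({f[0] for f in find_suspicious_verbs(log_text)})
```
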
     
  7. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Please download FindAWF to your Desktop.
    Double-click FindAWF.exe to start the tool.
    Select "option #1 - Scan for bak folders" by typing 1 and press Enter
    When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt as an attachment.

    Regards Howard :)

     
  8. JasJas

    JasJas TS Rookie Topic Starter Posts: 25

    here's the result from the FindAWF,


    Find AWF report by noahdfear ©2006
    Version 1.40

    The current date is: 16/09/2007
    The current time is: 22:32:34,39


    bak folders found
    ~~~~~~~~~~~



    Duplicate files of bak directory contents
    ~~~~~~~~~~~~~~~~~~~~~~~



    end of report

    Question - would it be better to delete those registry entries that are shown by the combofix log?
     
  9. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Yes, try deleting them in the registry.

    Make sure you make a full reg backup first.

    Regards Howard :)
     
  10. JasJas

    JasJas TS Rookie Topic Starter Posts: 25

    Thanks Howard,
    it works after combofix deleted the main cause (autorun.inf) and I removed the involved registry entries.

    However, this threat is running freely on my campus :(
    One of my friends, who is using AVIRA, detected them as haha.js (JavaScript) but was not able to delete them, while the rest of the anti-virus programs are helpless against it..... I think the only way is to use combofix to fix it for the time being. Something is fishy about it, looking through the combofix log file:

    Scan for Viruses\command- wscript.exe \Haha.js
    Scan with AVG\command- wscript.exe \Haha.js
    Scan with Norton AntiVirus\command- wscript.exe \Haha.js

    Would this be how it evades detection?
     
  11. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Yes, that does look like the culprit. I wouldn't be surprised to learn someone on your campus is doing this deliberately.

    The infection is obviously targeting those applications.

    Thankfully, Combofix is able to delete the root cause.

    Regards Howard :)

     
  12. JasJas

    JasJas TS Rookie Topic Starter Posts: 25

    But still I wonder why the autorun.inf (the root of the haha.js) is not visible in the C drive even though I turned on showing all the invisible files.... Is there any way to detect/see them directly as visible files?
     
  13. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    In order to see all files, you would need to turn off the Windows protected OS file feature, see below.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Regards Howard

     
  14. JasJas

    JasJas TS Rookie Topic Starter Posts: 25

    OK, thanks Howard, now I can see those infected files....

    By any chance, would any software protect my PC from these infections besides running combofix every day?
     
  15. Jase123

    Jase123 Banned Posts: 1,012

    Yes get an AV program.

    I recommend avast! 4 Home Edition (which is free).

    Regards Jase :)

     
  16. JasJas

    JasJas TS Rookie Topic Starter Posts: 25

    Well, the AV can't detect it either, because in the infected registry....

    Scan for Viruses\command- wscript.exe \Haha.js
    Scan with AVG\command- wscript.exe \Haha.js
    Scan with Norton AntiVirus\command- wscript.exe \Haha.js

    This threat is really a tough one....
     
Topic Status:
Not open for further replies.
