Internet Explorer with -Haha?

Status
Not open for further replies.

JasJas

Posts: 25   +0
Heya,

I just saw in my taskbar that the Internet Explorer box comes with the website name and ends with "-Haha"... Is my PC infected? I would very much appreciate it if someone could help me out with this matter.

thanks
 
Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

If after reading the above, you wish to clean your system, do the following.

Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

Also, let me know the results of the AVG Antirootkit scan.

Regards Howard :)

This thread is for the use of JasJas only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Thanks Howard,

I have followed all the instructions from the given link, and nothing was detected by the AVG Antispyware and AVG Antirootkit scans. However, ComboFix identified wscript.exe with haha.js as the culprits. I have attached the HijackThis and ComboFix logs, so I would very much appreciate it if you could have a look at them, thanks.

P.S.: Should I delete the registry entries, such as wscript.exe with haha.js, that were detected by ComboFix?

I attached the latest HijackThis log as I noticed the -haha.js is back again...
 
You haven't posted an AVG Antispyware log as requested, please do so in your next reply.

We need to temporarily disable Spybot Search & Destroy's TeaTimer, as it may interfere with any fix we are trying to run.

Disable Spybot's TeaTimer. This is a two step process.
First:
- Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
- Choose Exit Spybot S&D Resident
Second:
- Open Spybot S&D
- Click Mode, check Advanced Mode
- Go To Left Panel, Click Tools, then also in left panel, click Resident
- If your firewall raises a question, say OK
- Uncheck the box labeled Resident Tea-Timer and OK any prompts.
- Use File, Exit to terminate Spybot
- Reboot your machine for the changes to take effect.

Run HJT with no other programmes open (except Notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to it (if there).

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Haha

Click on the fix checked button.

Close HJT and reboot your computer.

Reset your homepage to whatever you want.

Re-enable Spybot's TeaTimer protection.

Post a fresh HJT log as well as an AVG Antispyware log.

Regards Howard :)

 
Dear Howard,

Nothing was detected by AVG Anti-Spyware, so no log was created, and the HijackThis log was taken when S&D's TeaTimer was off.

Please refer to the ComboFix log regarding the R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Haha entry, as deleting it alone did not work. I tried that before posting the problem here; it appears again a while after it is deleted. So should I delete the infected file and registry entries which were shown in the ComboFix log?

It is something like:

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
AutoPlay\command- wscript.exe \Haha.js
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe \Haha.js
Explore\command- wscript.exe \Haha.js -Clicked
Open\command- wscript.exe \Haha.js
Scan for Viruses\command- wscript.exe \Haha.js
Scan with AVG\command- wscript.exe \Haha.js
Scan with Norton AntiVirus\command- wscript.exe \Haha.js

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\autoplay.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{01dfdc6a-3eb8-11dc-82dd-00508de7710e}]
AutoPlay\command- wscript.exe \Haha.js
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe \Haha.js
Explore\command- wscript.exe \Haha.js -Clicked
Open\command- wscript.exe \Haha.js
Scan for Viruses\command- wscript.exe \Haha.js
Scan with AVG\command- wscript.exe \Haha.js
Scan with Norton AntiVirus\command- wscript.exe \Haha.js

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7bd77258-4465-11dc-b8ee-00508de7710e}]
AutoPlay\command- wscript.exe \Haha.js
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe \Haha.js
Explore\command- wscript.exe \Haha.js -Clicked
Open\command- wscript.exe \Haha.js
Scan for Viruses\command- wscript.exe \Haha.js
Scan with AVG\command- wscript.exe \Haha.js
Scan with Norton AntiVirus\command- wscript.exe \Haha.js
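
The excerpt above shows the drive's right-click verbs, including the "Scan with ..." entries, all pointing at wscript.exe and \Haha.js. The following is an added example, not part of the original post and not ComboFix's own code: a small parser for that excerpt format that flags MountPoints2 verbs launching a script host or script file. The function names, the inclusion of cscript and other script extensions, and the shortened sample log are assumptions made for illustration.

```python
import re

# Constructed sample, shortened from the ComboFix excerpt format quoted in the thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe \Haha.js
Explore\command- wscript.exe \Haha.js -Clicked
Scan with AVG\command- wscript.exe \Haha.js

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\autoplay.exe
"""

KEY_RE = re.compile(r"^\[.+\\mountpoints2\\(?P<mount>[^\]]+)\]$", re.I)
CMD_RE = re.compile(r"^(?P<verb>.+?)\\command- (?P<cmd>.+)$")
SCRIPT_HOST_RE = re.compile(r"\b(wscript|cscript)(\.exe)?\b", re.I)
SCRIPT_FILE_RE = re.compile(r"\S+\.(js|jse|vbs|vbe|wsf)\b", re.I)

def parse_mountpoints(log_text):
    """Yield (mount, verb, command) for each shell verb under a MountPoints2 key."""
    mount = None
    for raw in log_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            mount = key.group("mount")
            continue
        entry = CMD_RE.match(line)
        if entry and mount is not None:
            yield mount, entry.group("verb"), entry.group("cmd")

def flag_hijacked_verbs(log_text):
    """Return findings for verbs whose command runs a script host or script file."""
    findings = []
    for mount, verb, cmd in parse_mountpoints(log_text):
        reasons = []
        if SCRIPT_HOST_RE.search(cmd):
            reasons.append("script host in drive verb")
        if SCRIPT_FILE_RE.search(cmd):
            reasons.append("script file as target")
        if reasons and verb.lower().startswith("scan"):
            reasons.append("verb mimics an antivirus menu entry")
        if reasons:
            findings.append({"mount": mount, "verb": verb, "command": cmd, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in flag_hijacked_verbs(SAMPLE_LOG):
        print(f["mount"], "|", f["verb"], "|", "; ".join(f["reasons"]))
```

Entries that launch an ordinary executable, such as the E: drive's autoplay.exe, are parsed but not flagged by these rules.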
 
Please download FindAWF to your Desktop.
Double-click FindAWF.exe to start the tool.
Select "option #1 - Scan for bak folders" by typing 1 and press Enter
When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt as an attachment.

Regards Howard :)

 
Here's the result from FindAWF:


Find AWF report by noahdfear ©2006
Version 1.40

The current date is: 16/09/2007
The current time is: 22:32:34,39


bak folders found
~~~~~~~~~~~



Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report

Question - would it be better to delete the registry entries shown in the ComboFix log?
 
Thanks Howard,
It works after ComboFix deleted the main cause (autorun.inf) and I removed the registry entries involved.

However, this threat is running freely on my campus :(
One of my friends, who is using AVIRA, detected them as haha.js (JavaScript) but was not able to delete them, while the rest of the anti-virus programs are helpless against it... I think the only way is to use ComboFix to fix it for the time being. Something is fishy about it, looking through the ComboFix log file:

Scan for Viruses\command- wscript.exe \Haha.js
Scan with AVG\command- wscript.exe \Haha.js
Scan with Norton AntiVirus\command- wscript.exe \Haha.js

Would this be how it evades detection?
 
Yes, that does look like the culprit. I wouldn't be surprised to learn someone on your campus is doing this deliberately.

The infection is obviously targeting those applications.

Thankfully, Combofix is able to delete the root cause.

Regards Howard :)

 
But I still wonder why autorun.inf (the root of haha.js) is not visible on the C drive even though I turned on showing all the invisible files... Is there any way to detect/see them directly as visible files?
 
In order to see all files, you would need to turn off the Windows protected OS file feature, see below.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Regards Howard

 
OK, thanks Howard, now I saw those infected files already...

By any chance, would any software protect my PC from these infections besides running ComboFix every day?
 
Well, the AV can't detect it either, because in the infected registry...

Scan for Viruses\command- wscript.exe \Haha.js
Scan with AVG\command- wscript.exe \Haha.js
Scan with Norton AntiVirus\command- wscript.exe \Haha.js

This threat is really a tough one....
 