Browser HiJacked by CWS.Iefeadsl



#1 Smithers

Smithers

    Member

  • New Member
  • Pip
  • 2 posts

Posted 30 June 2004 - 09:25 AM

Dear Sirs:

First: I have read and followed all of the advice given at this site as well as the advice available at several other sites. Specifically, the Internet Control Panel appears functional. All *.tmp files have been removed. No *.hta files appear infected. No *.js files were found. I have run (in order) the latest versions of CWShredder, Spybot 1.2, HijackThis 1.98, and Spyware Nuker 2004. My computer's IE settings are and have been as described necessary to minimize infection, AND I religiously use Norton SystemWorks (including Norton AntiVirus) on my machine. I have run each of the spyware programs many times, but they are unable to eliminate the source of the adware. However, several interesting registry entries exist (i.e., HKEY_LOCAL_MACHINE\SOFTWARE\HSA, SE, and SW), which are apparently constructed by the infecting program and reappear after each deletion made by Spyware Nuker 2004. Finally, on infection the QuickBooks Pro Timer program stopped running and will not restart, indicating the loss of "shell.dll". Re-introduction of shell.dll does not allow the program to run, and further diagnostics indicate that the QuickBooks Timer .exe file was affected (now deleted).

Details: Spyware Nuker 2004 identifies the source as "CWS.Iefeadsl", which points to res://lijtm.dll (unable to locate this file on my computer).

The log file for HiJackThis follows:

Logfile of HijackThis v1.98.0
Scan saved at 8:02:09 AM, on 6/30/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\APC\PowerChute Business Edition\agent\pbeagent.exe
C:\Program Files\APC\PowerChute Business Edition\server\pbeserver.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\iped.exe
C:\WINDOWS\System32\BRMFRSMG.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Saitek\Software\Profiler.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\system32\appnq.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\HJT\HijackThis.exe
C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\yfexe.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://yfexe.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://yfexe.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\yfexe.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\yfexe.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://yfexe.dll/index.html#37049
R3 - Default URLSearchHook is missing
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {94A53935-C204-C7E0-8510-27AEF27FEAB9} - C:\WINDOWS\system32\apifo.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [QD FastAndSafe] C:\Program Files\Saitek\Software\Profiler.exe
O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\Profiler.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [appnq.exe] C:\WINDOWS\system32\appnq.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - Global Startup: QuickBooks Pro Timer (2).lnk = C:\QBTIMER\QBTIMER.EXE

I have eliminated the following previously (different names for the *.dll, none of which I am able to find searching my machine. Furthermore, apifo.dll and appnq.exe reappear after each deletion):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\yfexe.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://yfexe.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://yfexe.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\yfexe.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\yfexe.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://yfexe.dll/index.html#37049
R3 - Default URLSearchHook is missing
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,
O2 - BHO: (no name) - {94A53935-C204-C7E0-8510-27AEF27FEAB9} - C:\WINDOWS\system32\apifo.dll
O4 - HKLM\..\Run: [appnq.exe] C:\WINDOWS\system32\appnq.exe


Infection: I believe, but do not know for certain, that I was fooled into downloading a spurious JavaScript from a "fake" Norton Alert popup window asking if I wanted to eliminate a potentially harmful JavaScript. I said yes, and within moments my browser was hijacked.

Any help would be appreciated.

Thanks.
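The log above shows the pattern that makes this a CoolWebSearch-style hijack rather than a simple homepage change: R0/R1 entries pointing IE at a res:// resource inside a DLL, the default URLSearchHook gone, system.ini's Shell= emptied, an unnamed BHO, and a Run entry launching a bare .exe out of system32. The script below is an added example, not code from the poster or from the HijackThis project: it parses lines in the HijackThis 1.98 format and flags those patterns, and it also pulls out the DLL names that the res:// URLs reference so they can be searched for on disk (with hidden and system attributes included). The sample log it runs on is a constructed subset of the entries posted above; the file names in it are treated as opaque strings, not as a signature list, and every hit is a lead for a person to check, not a verdict.

```python
import re

# Constructed sample: a handful of lines in HijackThis 1.98 format, shaped
# like the entries in the post above (the DLL/EXE names are the ones reported
# there and are treated as opaque strings, not as known-bad indicators).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\yfexe.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://yfexe.dll/index.html#37049
R3 - Default URLSearchHook is missing
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {94A53935-C204-C7E0-8510-27AEF27FEAB9} - C:\WINDOWS\system32\apifo.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [appnq.exe] C:\WINDOWS\system32\appnq.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - Global Startup: QuickBooks Pro Timer (2).lnk = C:\QBTIMER\QBTIMER.EXE
"""

# "Xn - body" is the HijackThis line shape; anything else (process list,
# headers) is ignored by the parser.
ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")
# res://C:\WINDOWS\name.dll/page.html  or  res://name.dll/page.html
RES_DLL_RE = re.compile(r"res://(?:[A-Za-z]:\\[^/]*\\)?(?P<dll>[^/\\]+\.dll)", re.I)
# O4 Run entries: [value name] optionally-quoted command line
RUN_TARGET_RE = re.compile(r"\[[^\]]+\]\s+\"?(?P<path>[^\"]+?)\"?\s*$")
SYSTEM32_EXE_RE = re.compile(r"^[A-Za-z]:\\WINDOWS\\system32\\[^\\\s]+\.exe$", re.I)


def parse_entries(log):
    """Return (section, body) pairs for each 'Xn - ...' line; skip everything else."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def flag_entry(sec, body):
    """Return a reason string if the entry matches a CoolWebSearch-style pattern,
    else None. Heuristics only: each hit is a lead for a person to check."""
    if sec in ("R0", "R1") and "res://" in body:
        return "IE start/search page served out of a DLL resource (res://)"
    if sec == "R3" and "missing" in body:
        return "default URLSearchHook removed"
    if sec == "F0" and body.rstrip().endswith("Shell="):
        return "system.ini Shell= value emptied"
    if sec == "O2" and body.startswith("BHO: (no name)"):
        return "Browser Helper Object with no name"
    if sec == "O4":
        m = RUN_TARGET_RE.search(body)
        if m and SYSTEM32_EXE_RE.match(m.group("path")):
            # Third-party software rarely registers a bare .exe living directly
            # in system32; expect the odd legitimate hit and triage by hand.
            return "Run entry launches an .exe directly from system32"
    return None


def triage(log):
    """Return the list of (section, reason, body) hits for a whole log."""
    hits = []
    for sec, body in parse_entries(log):
        reason = flag_entry(sec, body)
        if reason:
            hits.append((sec, reason, body))
    return hits


def res_dlls(log):
    """Collect the DLL names that res:// URLs in R0/R1 entries point at, so the
    same names can be searched for on disk (hidden/system files included)."""
    names = set()
    for sec, body in parse_entries(log):
        if sec in ("R0", "R1"):
            for m in RES_DLL_RE.finditer(body):
                names.add(m.group("dll").lower())
    return names


if __name__ == "__main__":
    for sec, reason, body in triage(SAMPLE_LOG):
        print(f"{sec}: {reason}\n    {body}")
    print("res:// DLLs referenced:", sorted(res_dlls(SAMPLE_LOG)))
```

Run against the sample it reports six hits (the two res:// pages, the missing URLSearchHook, the emptied Shell=, the unnamed BHO and the system32 Run entry) and one referenced DLL, yfexe.dll. The RUNDLL32 line for NvCpl.dll and the ccApp entry under Program Files are deliberately left alone, which is the distinction a practitioner wants: the check is on where the binary lives and how it is invoked, not on the file name, since the poster notes the names change between cleanings.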

#2 Smithers

Smithers

    Member

  • New Member
  • Pip
  • 2 posts

Posted 30 June 2004 - 02:06 PM

I have since checked Norton SystemWorks and Norton AntiVirus (NAV) for correct operation. Norton AntiVirus is compromised. Following Symantec procedures for removal of the problem (clean boot, uninstall and then installation of Norton SystemWorks) does not result in a working NAV program. Shell.dll seems to be a necessary (although replaced) requirement for proper NAV installation (even though I have replaced it with a clean copy, no program can see it, neither QuickBooks Pro Timer nor NAV). Additionally, the Symantec web site's evaluation of my machine for Trojan and virus contamination does not work, listing restrictive ActiveX controls even when IE security settings are "low" or customized to the minimum for ActiveX and scripting.
