Hijacked by CoolWebSearch (new variant?)


3 replies to this topic

#1 jessadam

jessadam

    Member

  • New Member
  • 2 posts

Posted 30 June 2004 - 02:56 PM

Hi there,

My computer (Windows XP with SP1 and all updates current) has been hijacked by CWS. I suspect this is a new variant, as I have done extensive research and cannot find the exact problems or filenames described anywhere. The main symptoms are:

- Home page defaults to res://hcydl.dll/index.html#[nnnn], regardless of the home page listed in IE Settings.

- Pop-Up Killer is disabled.

- Google search (through toolbar or web page) brings up an additional page with links to various CWS search tools and/or several popups advertising removal tools. Most of them have "search-all-fast" somewhere in the page title.

I have read and followed the FAQ and the removal instructions, with no luck. I have run current versions of the following:

- Hijack This (see below)

- Ad-aware (finds a CWS process named "C:\Windows\netnh.exe" and 7 CWS registry entries -- it claims to fix them, but they keep reappearing)

- SpyBot S&D (finds 5 "DSO Exploit" entries -- it claims to fix them but they keep reappearing)

- CWShredder (claims my system is clean)

- Antivirus, and various other spyware tools, all of which either find nothing or are incapable of fixing/cleaning what they find.

Following is the HijackThis log. Any help or suggestions will be much appreciated. At this stage, reformatting is looking like an attractive option. Thanks in advance.

Logfile of HijackThis v1.98.0
Scan saved at 10:33:02 AM, on 6/30/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Atievxx.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\netnh.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\msxz32.exe
C:\PROGRA~1\SecCopy\SecCopy.exe
C:\Documents and Settings\Adam Rovner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hcydl.dll/sp.html#37794
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://hcydl.dll/index.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://hcydl.dll/index.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\hcydl.dll/sp.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hcydl.dll/sp.html#37794
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://hcydl.dll/index.html#37794
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm
R3 - Default URLSearchHook is missing
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {13B849C1-8710-E1DB-94A7-65402EF986A8} - C:\WINDOWS\system32\ipqj32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar2.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [msxz32.exe] C:\WINDOWS\msxz32.exe
O4 - HKCU\..\Run: [Second Copy 2000] "C:\PROGRA~1\SecCopy\SecCopy.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.googl...gleActivate.cab

#2 Guest_splintercell990_*

Guest_splintercell990_*
  • Guests

Posted 30 June 2004 - 03:09 PM

Hello jessadam,

Can you please send me the following files as a zipped package:

hcydl.dll
ipqj32.dll
msxz32.exe

Please send them to this e-mail address

Once you do that, please follow the instructions below:

First: With all other browsers closed, please fix the following items:

R3 - Default URLSearchHook is missing
F0 - system.ini: Shell=


Reboot, and follow the instructions below:

Second: Run HijackThis again and place a check beside each of the following items. Once done click the fix checked button:

O2 - BHO: (no name) - {13B849C1-8710-E1DB-94A7-65402EF986A8} - C:\WINDOWS\system32\ipqj32.dll
O4 - HKLM\..\Run: [msxz32.exe] C:\WINDOWS\msxz32.exe


Download About:Buster from either of the following locations.

http://www.atribune....AboutBuster.zip
http://tools.zerosre...AboutBuster.zip

Make sure you have printed this page and close ALL Internet Explorer windows. This is a very important step!! Run AboutBuster.exe, click OK, then start, then OK. Make a copy of the log once it finishes. Then run aboutbuster.exe again. Make a copy of that log. Reboot, and post a new HijackThis log along with the two reports from About:Buster.

Good Luck :)

Edited by splintercell990, 30 June 2004 - 03:23 PM.


#3 jessadam

jessadam

    Member

  • New Member
  • 2 posts

Posted 30 June 2004 - 05:00 PM

Hi,

I followed your instructions precisely, but it does not seem to have helped (except the file names are different now). The "R3 - Default URLSearchHook is missing" and "F0 - system.ini: Shell=" entries were right back in HijackThis as soon as I ran it again after fixing them. Was I supposed to fix them again after the reboot?

Here are the logs:

New HijackThis log:

Logfile of HijackThis v1.98.0
Scan saved at 2:59:00 PM, on 6/30/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\SecCopy\SecCopy.exe
C:\WINDOWS\System32\Atievxx.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\netwf.exe
C:\WINDOWS\system32\crpu.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Adam Rovner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\epzpi.dll/sp.html#37794
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://epzpi.dll/index.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://epzpi.dll/index.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\epzpi.dll/sp.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\epzpi.dll/sp.html#37794
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://epzpi.dll/index.html#37794
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm
R3 - Default URLSearchHook is missing
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {84A6699D-3390-E792-6F21-462788E62709} - C:\WINDOWS\apiss.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar2.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [crpu.exe] C:\WINDOWS\system32\crpu.exe
O4 - HKLM\..\RunOnce: [netwf.exe] C:\WINDOWS\netwf.exe
O4 - HKCU\..\Run: [Second Copy 2000] "C:\PROGRA~1\SecCopy\SecCopy.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.googl...gleActivate.cab


First About:Buster log:

About:Buster Version 1.23
Removed! : C:\WINDOWS\basdqb.dat
Removed! : C:\WINDOWS\caxaaj.dat
Removed! : C:\WINDOWS\hcydl.dll
Removed! : C:\WINDOWS\ipzy.exe
Removed! : C:\WINDOWS\ldkorp.dat
Removed! : C:\WINDOWS\mqvnw.dat
Removed! : C:\WINDOWS\msxz32.exe
Removed! : C:\WINDOWS\mvpqb.dat
Removed! : C:\WINDOWS\nctpid.dat
Attempted Clean Of Temp folder.
Removed LEGACY___NS_Service_3 Key
Removed __NS_Service_3 Key
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!


Second About:Buster log:

About:Buster Version 1.23
Attempted Clean Of Temp folder.
Removed LEGACY___NS_Service_3 Key
Pages Reset... Done!
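A small triage script, added here as an editor's example and not written by any poster in this thread, that runs over lines taken from the two HijackThis logs above and shows why the fix did not stick: every flagged file name changed between the logs (hcydl.dll became epzpi.dll, ipqj32.dll became apiss.dll, msxz32.exe became crpu.exe), so anything keyed on a file name misses the new copy, while the structural pattern (a res:// start page, an unnamed BHO under C:\WINDOWS, a Run entry registered under its own random file name) is identical in both. It assumes the system root is C:\WINDOWS, as in the posted logs.

```python
import re

# Constructed sample input: a few lines copied from the two HijackThis logs posted in this thread.
LOG_BEFORE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://hcydl.dll/index.html#37794
R3 - Default URLSearchHook is missing
F0 - system.ini: Shell=
O2 - BHO: (no name) - {13B849C1-8710-E1DB-94A7-65402EF986A8} - C:\WINDOWS\system32\ipqj32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar2.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [msxz32.exe] C:\WINDOWS\msxz32.exe
"""
LOG_AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://epzpi.dll/index.html#37794
O2 - BHO: (no name) - {84A6699D-3390-E792-6F21-462788E62709} - C:\WINDOWS\apiss.dll
O4 - HKLM\..\Run: [crpu.exe] C:\WINDOWS\system32\crpu.exe
O4 - HKLM\..\RunOnce: [netwf.exe] C:\WINDOWS\netwf.exe
"""

RES_PAGE = re.compile(r"^R[01] - .*,(Start Page|Search Page|Default_Page_URL|Default_Search_URL) = (res://\S+)$")
UNNAMED_BHO = re.compile(r"^O2 - BHO: \(no name\) - \{[0-9A-Fa-f-]+\} - (.+)$")
RUN_ENTRY = re.compile(r'^O4 - HK(?:LM|CU)\\\.\.\\Run(?:Once)?: \[([^\]]+)\] "?([^"]+?)"?(?: .*)?$')
WINDIR = r"c:\windows"  # assumption: the system root is C:\WINDOWS, as in the posted logs

def triage(log):
    """Return (reason, artefact) pairs for the CWS-style entries found in one HijackThis log."""
    hits = []
    for line in filter(None, map(str.strip, log.splitlines())):
        m = RES_PAGE.match(line)
        if m:
            hits.append(("IE start/search page points at a res:// resource", m.group(2)))
        elif line in ("R3 - Default URLSearchHook is missing", "F0 - system.ini: Shell="):
            hits.append(("side effect seen with this hijack", line))
        elif (m := UNNAMED_BHO.match(line)) and m.group(1).lower().startswith(WINDIR):
            hits.append(("unnamed BHO loaded from the Windows directory", m.group(1)))
        elif m := RUN_ENTRY.match(line):
            name, target = m.group(1), m.group(2)
            # The dropper registers itself under its own (random) file name, straight under C:\WINDOWS.
            if name.lower() == target.rsplit("\\", 1)[-1].lower() and target.lower().startswith(WINDIR):
                hits.append(("self-named Run/RunOnce entry in the Windows directory", target))
    return hits

def names_reused(before, after):
    # True only if some flagged file name survived from the first log into the second.
    return bool({a for _, a in triage(before)} & {a for _, a in triage(after)})

if __name__ == "__main__":
    for label, log in (("before", LOG_BEFORE), ("after", LOG_AFTER)):
        print(label, *triage(log), sep="\n  ")
    print("names reused:", names_reused(LOG_BEFORE, LOG_AFTER))
```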

#4 RubbeR DuckY

RubbeR DuckY

    Marcin

  • Developer
  • 878 posts

Posted 30 June 2004 - 05:11 PM

Hey, can you send C:\WINDOWS\apiss.dll to submit@zerosrealm.com so that I can see if About:Buster removes it.

:) DuckY
Marcin Kleczynski
Chief Executive Officer
Malwarebytes Corporation
