Guest Pmiller196

Infected with a variant of CWS

4 posts in this topic

Hello! I recently acquired a variant of the CWS browser hijacker. Every time my browser begins, it directs me to one of their many search sites. I also continue to get their pop-up ads as well. I have updated all of my Ad-Aware software and followed the instructions posted on here as to how to remove it. I came up with 70 different objects associated with CWS and removed all of them. I then restarted my computer only to find it was still hanging around. So, I scanned with CWShredder and nothing appeared. I am at a loss as to what to do at this point and ANY help would be greatly appreciated!! Below is my log file from HijackThis.

 

Thanks!

-Paul

______________________

 

Logfile of HijackThis v1.98.0
Scan saved at 4:38:36 PM, on 7/2/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\winul.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\wintp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\System32\wuauclt.exe
C:\CWS\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\MICROS~4\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Norton AntiVirus\OPScan.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\trtgv.dll/sp.html#37680
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://trtgv.dll/index.html#37680
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://trtgv.dll/index.html#37680
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\trtgv.dll/sp.html#37680
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\trtgv.dll/sp.html#37680
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://trtgv.dll/index.html#37680
R3 - Default URLSearchHook is missing
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {DAA0C15D-0C3B-5FF6-7BB5-B86285276180} - C:\WINDOWS\system32\javauy.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_11_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [indicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [wintp.exe] C:\WINDOWS\wintp.exe
O4 - HKLM\..\RunOnce: [mfcvv.exe] C:\WINDOWS\mfcvv.exe
O4 - HKCU\..\Run: [EPSON Stylus C80 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE /P23 "EPSON Stylus C80 Series" /O5 "LPT1:" /M "Stylus C80"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/packages/GSManager.cab
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.windowsecurity.com/trojanscan/TDECntrl.CAB
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/052ec27eec39c25d7905/netzip/RdxIE2.cab
O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181/chaincast/proxy/CCMP.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805/v1503/...uditControl.cab
O18 - Protocol: df2 - {219A97F3-D661-4766-B658-646A771AE49E} - (no file)
O18 - Protocol: df23chat - {219A97F3-D661-4766-B658-646A771AE49E} - (no file)
O18 - Protocol: df3 - {219A97F3-D661-4766-B658-646A771AE49E} - (no file)
O18 - Protocol: df4 - {219A97F3-D661-4766-B658-646A771AE49E} - (no file)
O18 - Protocol: df5 - {219A97F3-D661-4766-B658-646A771AE49E} - (no file)
O18 - Protocol: df5demo - {219A97F3-D661-4766-B658-646A771AE49E} - (no file)
O18 - Protocol: ofpjoin - {219A97F3-D661-4766-B658-646A771AE49E} - (no file)

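The log above is read by eye in this thread, but the indicators a helper looks for are mechanical: start and search pages served from a res:// resource inside a DLL instead of an http:// URL, a Browser Helper Object with no name, autostart entries pointing at executables dropped straight into C:\WINDOWS, and O18 protocol handlers whose CLSID has no backing file. The following is an added example, not code from the thread or from HijackThis, that encodes those rules and runs them over a constructed excerpt of the first log; it also pulls out the affiliate id (the digits after '#' in the res:// URLs), which is the part of the hijack that stays constant when the DLL name changes.

```python
"""Triage a HijackThis 1.9x log for CoolWebSearch-style hijack indicators.

Added example; not part of the thread or of HijackThis itself. The rules
encode what a helper looks for by eye: res:// start/search pages, unnamed
BHOs, autostarts dropped straight into C:\\WINDOWS, and orphaned O18 handlers.
"""
import re
from typing import Dict, List, Set

# Constructed excerpt: a handful of lines copied from the first log in the
# thread, with benign Adobe/Symantec/comcast entries kept as negative cases.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\trtgv.dll/sp.html#37680
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://trtgv.dll/index.html#37680
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {DAA0C15D-0C3B-5FF6-7BB5-B86285276180} - C:\WINDOWS\system32\javauy.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [wintp.exe] C:\WINDOWS\wintp.exe
O4 - HKLM\..\RunOnce: [mfcvv.exe] C:\WINDOWS\mfcvv.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O18 - Protocol: df2 - {219A97F3-D661-4766-B658-646A771AE49E} - (no file)
"""

Finding = Dict[str, str]

LINE_RE = re.compile(r"^(?P<sec>[RFO]\d{1,2}) - (?P<body>.*)$")
# "= res://<dll or full path>/<page>#<tag>"; the digits after '#' are the
# affiliate id CWS keeps constant while it re-randomises the DLL name.
RES_RE = re.compile(r"=\s*res://(?P<target>[^/]+)/(?P<page>[^#\s]+)(?:#(?P<tag>\d+))?")
# An autostart whose target lives directly in the Windows directory.
WINROOT_EXE_RE = re.compile(r"^C:\\WINDOWS\\[^\\]+\.exe$", re.IGNORECASE)


def _run_target(body: str) -> str:
    """'HKLM\\..\\Run: [name] "C:\\x.exe" /args' -> 'C:\\x.exe' (quotes/args stripped)."""
    _, _, rest = body.partition("] ")
    rest = rest.strip()
    if rest.startswith('"'):
        return rest[1:].split('"', 1)[0]
    return rest.split(" ", 1)[0]


def triage(log_text: str) -> List[Finding]:
    """Return one finding per suspicious line; benign and header lines are skipped."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # header, "Running processes:", blank lines
        sec, body = m.group("sec"), m.group("body")
        reason = None
        if sec in ("R0", "R1"):
            r = RES_RE.search(body)
            if r:  # a real home page is an http:// URL, not a DLL resource
                reason = f"IE page served via res:// from {r.group('target')}"
        elif sec == "R3" and "URLSearchHook is missing" in body:
            reason = "default URLSearchHook removed"
        elif sec == "O2" and body.startswith("BHO: (no name)"):
            reason = "unnamed Browser Helper Object"
        elif sec == "O4" and WINROOT_EXE_RE.match(_run_target(body)):
            reason = "autostart executable dropped directly in C:\\WINDOWS"
        elif sec == "O18" and body.endswith("(no file)"):
            reason = "protocol handler whose CLSID has no backing file"
        if reason:
            findings.append({"section": sec, "reason": reason, "line": line})
    return findings


def affiliate_tags(findings: List[Finding]) -> Set[str]:
    """Affiliate ids (the '#NNNNN' suffix) seen on hijacked res:// pages."""
    tags: Set[str] = set()
    for f in findings:
        r = RES_RE.search(f["line"])
        if r and r.group("tag"):
            tags.add(r.group("tag"))
    return tags


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['section']:<4} {f['reason']}: {f['line']}")
    print("affiliate tags:", affiliate_tags(triage(SAMPLE_LOG)))
```

Run against the excerpt it flags seven lines (both res:// pages, the missing URLSearchHook, the unnamed BHO, the two C:\WINDOWS autostarts and the orphaned df2 handler) and leaves the Acrobat BHO, the Symantec ccApp autostart and the comcast IERESET entry alone. The O4 rule is deliberately narrow: it only fires for a full path directly under C:\WINDOWS, so bare names such as Ati2mdxx.exe and anything under System32 or Program Files pass through and still need a human look.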

Download About:Buster by RubbeR DuckY from

 

http://www.atribune.org/downloads/AboutBuster.zip

 

Then unzip it to your desktop. Do not run it yet. Print these directions or paste them into a text document, as you will be running with Internet Explorer closed. Restarting Internet Explorer may cause a reinfection.

 

Run another HijackThis scan and place a check next to the following entries.

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {DAA0C15D-0C3B-5FF6-7BB5-B86285276180} - C:\WINDOWS\system32\javauy.dll
O4 - HKLM\..\Run: [wintp.exe] C:\WINDOWS\wintp.exe
O4 - HKLM\..\RunOnce: [mfcvv.exe] C:\WINDOWS\mfcvv.exe
O18 - Protocol: df2 - {219A97F3-D661-4766-B658-646A771AE49E} - (no file)
O18 - Protocol: df23chat - {219A97F3-D661-4766-B658-646A771AE49E} - (no file)
O18 - Protocol: df3 - {219A97F3-D661-4766-B658-646A771AE49E} - (no file)
O18 - Protocol: df4 - {219A97F3-D661-4766-B658-646A771AE49E} - (no file)
O18 - Protocol: df5 - {219A97F3-D661-4766-B658-646A771AE49E} - (no file)
O18 - Protocol: df5demo - {219A97F3-D661-4766-B658-646A771AE49E} - (no file)
O18 - Protocol: ofpjoin - {219A97F3-D661-4766-B658-646A771AE49E} - (no file)

Then close all windows and click the "Fix checked" button. Now start up About:Buster. Hit OK on the first prompt and then hit Start. Next hit OK. Wait until the scan completes, then copy the report and save it somewhere. Rerun About:Buster to make sure everything was deleted. Then restart your computer.

 

It is now safe to reopen Internet Explorer. Please post a new HijackThis log along with the report.


Well, I ran the directions exactly as you said and it looks like a few of the "checks" that I put next to the problems reappeared. This is the latest HijackThis log report. Below that is also the About:Buster log. Guess there were a ton of files on here! One thing I thought was worth noting was that after I ran About:Buster the first time, I re-ran it and something appeared by the name of "LEGACY___NS_Service_3 Key". I re-ran it 4 times and it kept appearing.

 

I also noticed that "Google" first popped up when I re-opened Internet Explorer and then it changed right back to "res://cgxox.dll/index.html#37680".

 

Please let me know what to do next! Thanks SO much for your help!

 

 

Logfile of HijackThis v1.98.0
Scan saved at 10:32:47 PM, on 7/3/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\addrd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\wintp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\CWS\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R3 - Default URLSearchHook is missing
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4278452E-D132-1F34-AEAD-E8CA3AE5AC44} - C:\WINDOWS\system32\cryg.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_11_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [indicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [wintp.exe] C:\WINDOWS\wintp.exe
O4 - HKCU\..\Run: [EPSON Stylus C80 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE /P23 "EPSON Stylus C80 Series" /O5 "LPT1:" /M "Stylus C80"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/packages/GSManager.cab
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.windowsecurity.com/trojanscan/TDECntrl.CAB
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/052ec27eec39c25d7905/netzip/RdxIE2.cab
O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181/chaincast/proxy/CCMP.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805/v1503/...uditControl.cab
O18 - Protocol: df2 - {219A97F3-D661-4766-B658-646A771AE49E} - (no file)
O18 - Protocol: df23chat - {219A97F3-D661-4766-B658-646A771AE49E} - (no file)
O18 - Protocol: df3 - {219A97F3-D661-4766-B658-646A771AE49E} - (no file)
O18 - Protocol: df4 - {219A97F3-D661-4766-B658-646A771AE49E} - (no file)
O18 - Protocol: df5 - {219A97F3-D661-4766-B658-646A771AE49E} - (no file)
O18 - Protocol: df5demo - {219A97F3-D661-4766-B658-646A771AE49E} - (no file)
O18 - Protocol: ofpjoin - {219A97F3-D661-4766-B658-646A771AE49E} - (no file)

 

_________________________

 

 

About:Buster Version 1.24
Removed! : C:\WINDOWS\ahdmpv.dat
Removed! : C:\WINDOWS\bknobu.dat
Removed! : C:\WINDOWS\brzrdf.dat
Removed! : C:\WINDOWS\cgsmbq.dat
Removed! : C:\WINDOWS\cifdzd.dat
Removed! : C:\WINDOWS\drgskz.dat
Removed! : C:\WINDOWS\duphyo.dat
Removed! : C:\WINDOWS\falfzc.dat
Removed! : C:\WINDOWS\idthbz.dat
Removed! : C:\WINDOWS\ipub32.dll
Removed! : C:\WINDOWS\ivxila.dat
Removed! : C:\WINDOWS\lzwoxj.dat
Removed! : C:\WINDOWS\mfcvv.exe
Removed! : C:\WINDOWS\mfcyo32.exe
Removed! : C:\WINDOWS\mrvqcd.dat
Removed! : C:\WINDOWS\nkmvro.dat
Removed! : C:\WINDOWS\ntus32.exe
Removed! : C:\WINDOWS\ponpek.dat
Removed! : C:\WINDOWS\sdyibz.dat
Removed! : C:\WINDOWS\tjzaf.dat
Removed! : C:\WINDOWS\uuecq.dat
Removed! : C:\WINDOWS\vyhnwa.dat
Removed! : C:\WINDOWS\wcgtkr.dat
Removed! : C:\WINDOWS\winul.exe
Removed! : C:\WINDOWS\yjwipn.dat
Removed! : C:\WINDOWS\zobkiv.dat
Removed! : C:\WINDOWS\System32\javauy.dll
Removed! : C:\WINDOWS\System32\sdkol.exe
Removed! : C:\WINDOWS\System32\winee.exe
Attempted Clean Of Temp folder.
Removed LEGACY___NS_Service_3 Key
Removed __NS_Service_3 Key
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

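Putting the two scans side by side shows why the "checks" came back: the unnamed BHO returned under a new CLSID and DLL name (javauy.dll became cryg.dll), the winul.exe process was replaced by addrd.exe, the start page the poster saw moved from trtgv.dll to cgxox.dll with the same #37680 tag, while the wintp.exe autostart and the orphaned O18 handlers came back with exactly the same names. A line-for-line diff of the two logs misses the renamed ones. The script below is an added example, not part of the thread or of About:Buster, that fingerprints each HijackThis entry with the re-randomised parts (CLSIDs, O4 value names, random file names in C:\WINDOWS and System32, and the DLL behind a res:// page) masked out, then reports which hijacks survived unchanged, which survived under new names, and which really went away. The excerpts are constructed: SCAN_1 lines are copied from the first log, SCAN_2 lines from the second log, and the R0 line in SCAN_2 is reconstructed from the poster's description of the start page (the second log on the page lists no R0/R1 entries).

```python
"""Compare two HijackThis scans and report which hijack entries persisted,
including ones that came back under new random file names or CLSIDs.

Added example; not code from the thread, HijackThis or About:Buster.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set

# Constructed excerpts (see the note above about the reconstructed R0 line).
SCAN_1 = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://trtgv.dll/index.html#37680
O2 - BHO: (no name) - {DAA0C15D-0C3B-5FF6-7BB5-B86285276180} - C:\WINDOWS\system32\javauy.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [wintp.exe] C:\WINDOWS\wintp.exe
O4 - HKLM\..\RunOnce: [mfcvv.exe] C:\WINDOWS\mfcvv.exe
O18 - Protocol: df2 - {219A97F3-D661-4766-B658-646A771AE49E} - (no file)
"""
SCAN_2 = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://cgxox.dll/index.html#37680
O2 - BHO: (no name) - {4278452E-D132-1F34-AEAD-E8CA3AE5AC44} - C:\WINDOWS\system32\cryg.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [wintp.exe] C:\WINDOWS\wintp.exe
O18 - Protocol: df2 - {219A97F3-D661-4766-B658-646A771AE49E} - (no file)
"""

GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
LABEL_RE = re.compile(r"\[[^\]]+\]")  # O4 value name, e.g. [wintp.exe]
# A file directly in C:\WINDOWS or C:\WINDOWS\system32: the locations CWS drops into.
WINDIR_FILE_RE = re.compile(r"(?i)(C:\\WINDOWS\\(?:system32\\)?)[^\\\s\"]+\.(dll|exe)")
RES_DLL_RE = re.compile(r"res://[^/]*\.dll/")  # res://<random>.dll/


def fingerprint(line: str) -> str:
    """Collapse the parts CWS re-randomises on reinfection so the same hijack
    compares equal across scans. The section tag, registry location, page name
    and the #affiliate id are kept, because those are what stay constant."""
    fp = GUID_RE.sub("{*}", line)
    fp = LABEL_RE.sub("[*]", fp)
    fp = WINDIR_FILE_RE.sub(r"\1*.\2", fp)
    fp = RES_DLL_RE.sub("res://*.dll/", fp)
    return fp


def _index(text: str) -> Dict[str, Set[str]]:
    by_fp: Dict[str, Set[str]] = defaultdict(set)
    for raw in text.splitlines():
        raw = raw.strip()
        if raw:
            by_fp[fingerprint(raw)].add(raw)
    return by_fp


def compare(scan_a: str, scan_b: str) -> Dict[str, List]:
    """Classify entries as unchanged (identical text in both scans), renamed
    (same fingerprint, different text), removed (only in scan_a) or new (only in scan_b)."""
    a, b = _index(scan_a), _index(scan_b)
    result: Dict[str, List] = {"unchanged": [], "renamed": [], "removed": [], "new": []}
    for fp in sorted(set(a) | set(b)):
        ra, rb = a.get(fp, set()), b.get(fp, set())
        result["unchanged"].extend(sorted(ra & rb))
        left_a, left_b = sorted(ra - rb), sorted(rb - ra)
        # Same fingerprint on both sides but different text: the hijack survived
        # the cleanup and was re-dropped under new random names.
        result["renamed"].extend(zip(left_a, left_b))
        result["removed"].extend(left_a[len(left_b):])
        result["new"].extend(left_b[len(left_a):])
    return result


if __name__ == "__main__":
    for kind, entries in compare(SCAN_1, SCAN_2).items():
        print(f"== {kind} ({len(entries)})")
        for e in entries:
            print("   ", e if isinstance(e, str) else f"{e[0]}\n      -> {e[1]}")
```

On the excerpts this reports the R0 start page and the unnamed BHO as renamed, the mfcvv.exe RunOnce as removed (About:Buster did delete that file), and the wintp.exe autostart, the ccApp autostart and the df2 handler as unchanged. The benign ccApp entry shows up as unchanged too: the comparison says what persisted, not what is malicious, so it is meant to be read together with a triage pass over either log.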

About:Buster has recently been updated, so I want you to download it again to make sure you have the newest version.

 

Then boot into safe mode and run About:Buster again.

 

Then boot back into normal mode and post another HijackThis log.
