
Infected with a variant of CWS


3 replies to this topic

#1 Guest_Pmiller196_*
  • Guests

Posted 02 July 2004 - 03:40 PM

Hello! I recently acquired a variant of the CWS browser hijacker. Every time my browser begins, it directs me to one of their many search sites. I also continue to get their pop-up ads as well. I have updated all of my Ad-Aware software and followed instructions posted on here as to how to remove it. I came up with 70 different objects associated with CWS and removed all of them. I then restarted my computer only to find it was still hanging around. So, I scanned with CWShredder and nothing appeared. I am at a loss as to what to do at this point and ANY help would be greatly appreciated!! Below is my log file from HijackThis.

Thanks!
-Paul
______________________

Logfile of HijackThis v1.98.0
Scan saved at 4:38:36 PM, on 7/2/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\winul.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\wintp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\System32\wuauclt.exe
C:\CWS\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\MICROS~4\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Norton AntiVirus\OPScan.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\trtgv.dll/sp.html#37680
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://trtgv.dll/index.html#37680
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://trtgv.dll/index.html#37680
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\trtgv.dll/sp.html#37680
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\trtgv.dll/sp.html#37680
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://trtgv.dll/index.html#37680
R3 - Default URLSearchHook is missing
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {DAA0C15D-0C3B-5FF6-7BB5-B86285276180} - C:\WINDOWS\system32\javauy.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_11_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [wintp.exe] C:\WINDOWS\wintp.exe
O4 - HKLM\..\RunOnce: [mfcvv.exe] C:\WINDOWS\mfcvv.exe
O4 - HKCU\..\Run: [EPSON Stylus C80 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE /P23 "EPSON Stylus C80 Series" /O5 "LPT1:" /M "Stylus C80"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ub...s/GSManager.cab
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.windowsec...an/TDECntrl.CAB
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150...tzip/RdxIE2.cab
O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181.../proxy/CCMP.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai...uditControl.cab
O18 - Protocol: df2 - {219A97F3-D661-4766-B658-646A771AE49E} - (no file)
O18 - Protocol: df23chat - {219A97F3-D661-4766-B658-646A771AE49E} - (no file)
O18 - Protocol: df3 - {219A97F3-D661-4766-B658-646A771AE49E} - (no file)
O18 - Protocol: df4 - {219A97F3-D661-4766-B658-646A771AE49E} - (no file)
O18 - Protocol: df5 - {219A97F3-D661-4766-B658-646A771AE49E} - (no file)
O18 - Protocol: df5demo - {219A97F3-D661-4766-B658-646A771AE49E} - (no file)
O18 - Protocol: ofpjoin - {219A97F3-D661-4766-B658-646A771AE49E} - (no file)

#2 Racktracker
    Hunter of Malware
  • Retired Staff
  • 1,306 posts

Posted 03 July 2004 - 12:03 AM

Download About:Buster by RubbeR DuckY from

http://www.atribune....AboutBuster.zip

Then unzip it to your desktop. Do not run it yet. Print these directions or paste them into a text document, as you will be running with your Internet Explorer closed. Restarting Internet Explorer may cause a reinfection.

Run another HijackThis scan and place a check next to the following entries.

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {DAA0C15D-0C3B-5FF6-7BB5-B86285276180} - C:\WINDOWS\system32\javauy.dll
O4 - HKLM\..\Run: [wintp.exe] C:\WINDOWS\wintp.exe
O4 - HKLM\..\RunOnce: [mfcvv.exe] C:\WINDOWS\mfcvv.exe
O18 - Protocol: df2 - {219A97F3-D661-4766-B658-646A771AE49E} - (no file)
O18 - Protocol: df23chat - {219A97F3-D661-4766-B658-646A771AE49E} - (no file)
O18 - Protocol: df3 - {219A97F3-D661-4766-B658-646A771AE49E} - (no file)
O18 - Protocol: df4 - {219A97F3-D661-4766-B658-646A771AE49E} - (no file)
O18 - Protocol: df5 - {219A97F3-D661-4766-B658-646A771AE49E} - (no file)
O18 - Protocol: df5demo - {219A97F3-D661-4766-B658-646A771AE49E} - (no file)
O18 - Protocol: ofpjoin - {219A97F3-D661-4766-B658-646A771AE49E} - (no file)

Then close all windows and click the Fix checked button. Now start up About:Buster. Hit OK on the first prompt and then hit Start. Next hit OK. Wait till the scan completes, then copy the report and save it somewhere. Rerun About:Buster to make sure everything was deleted. Then restart your computer.

It is now safe to reopen Internet Explorer. Please post a new HijackThis log along with the report.

#3 Guest_Pmiller196_*
  • Guests

Posted 03 July 2004 - 09:42 PM

Well, I ran the directions exactly as you said and it looks like a few of the "checks" that I put next to the problems reappeared. This is the latest HijackThis log report. Below that is also the About:Buster log. Guess there was a ton of files on here! One thing I thought was worth noting was that after I ran About:Buster the first time, I re-ran it and something appeared by the name of "LEGACY___NS_Service_3 Key". I re-ran it 4 times and it kept appearing.

I also noticed that "Google" first popped up when I re-opened Internet Explorer and then changed right back to "res://cgxox.dll/index.html#37680".

Please let me know what to do next! Thanks SO much for your help!


Logfile of HijackThis v1.98.0
Scan saved at 10:32:47 PM, on 7/3/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\addrd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\wintp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\CWS\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R3 - Default URLSearchHook is missing
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4278452E-D132-1F34-AEAD-E8CA3AE5AC44} - C:\WINDOWS\system32\cryg.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_11_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [wintp.exe] C:\WINDOWS\wintp.exe
O4 - HKCU\..\Run: [EPSON Stylus C80 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE /P23 "EPSON Stylus C80 Series" /O5 "LPT1:" /M "Stylus C80"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ub...s/GSManager.cab
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.windowsec...an/TDECntrl.CAB
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150...tzip/RdxIE2.cab
O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181.../proxy/CCMP.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai...uditControl.cab
O18 - Protocol: df2 - {219A97F3-D661-4766-B658-646A771AE49E} - (no file)
O18 - Protocol: df23chat - {219A97F3-D661-4766-B658-646A771AE49E} - (no file)
O18 - Protocol: df3 - {219A97F3-D661-4766-B658-646A771AE49E} - (no file)
O18 - Protocol: df4 - {219A97F3-D661-4766-B658-646A771AE49E} - (no file)
O18 - Protocol: df5 - {219A97F3-D661-4766-B658-646A771AE49E} - (no file)
O18 - Protocol: df5demo - {219A97F3-D661-4766-B658-646A771AE49E} - (no file)
O18 - Protocol: ofpjoin - {219A97F3-D661-4766-B658-646A771AE49E} - (no file)

_________________________


About:Buster Version 1.24
Removed! : C:\WINDOWS\ahdmpv.dat
Removed! : C:\WINDOWS\bknobu.dat
Removed! : C:\WINDOWS\brzrdf.dat
Removed! : C:\WINDOWS\cgsmbq.dat
Removed! : C:\WINDOWS\cifdzd.dat
Removed! : C:\WINDOWS\drgskz.dat
Removed! : C:\WINDOWS\duphyo.dat
Removed! : C:\WINDOWS\falfzc.dat
Removed! : C:\WINDOWS\idthbz.dat
Removed! : C:\WINDOWS\ipub32.dll
Removed! : C:\WINDOWS\ivxila.dat
Removed! : C:\WINDOWS\lzwoxj.dat
Removed! : C:\WINDOWS\mfcvv.exe
Removed! : C:\WINDOWS\mfcyo32.exe
Removed! : C:\WINDOWS\mrvqcd.dat
Removed! : C:\WINDOWS\nkmvro.dat
Removed! : C:\WINDOWS\ntus32.exe
Removed! : C:\WINDOWS\ponpek.dat
Removed! : C:\WINDOWS\sdyibz.dat
Removed! : C:\WINDOWS\tjzaf.dat
Removed! : C:\WINDOWS\uuecq.dat
Removed! : C:\WINDOWS\vyhnwa.dat
Removed! : C:\WINDOWS\wcgtkr.dat
Removed! : C:\WINDOWS\winul.exe
Removed! : C:\WINDOWS\yjwipn.dat
Removed! : C:\WINDOWS\zobkiv.dat
Removed! : C:\WINDOWS\System32\javauy.dll
Removed! : C:\WINDOWS\System32\sdkol.exe
Removed! : C:\WINDOWS\System32\winee.exe
Attempted Clean Of Temp folder.
Removed LEGACY___NS_Service_3 Key
Removed __NS_Service_3 Key
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!
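Added here as an illustration, not code from anyone in this thread: a small Python triage of HijackThis log lines that encodes the entry types Racktracker ticked above (the res:// pages, the missing URLSearchHook, the unnamed BHO, the wintp/mfcvv autostarts and the file-less O18 protocol handlers) and diffs the first log against the follow-up to surface the components that came back under new names. The sample lines are copied from the two logs in this thread; the O4 rule, which flags any autostart executable sitting directly in C:\WINDOWS\, is an assumption generalised from those two entries.

```python
import re
# Constructed sample in HijackThis v1.98 format, taken from the two logs in this thread.
LOG_BEFORE = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = res://trtgv.dll/index.html#37680
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {DAA0C15D-0C3B-5FF6-7BB5-B86285276180} - C:\\WINDOWS\\system32\\javauy.dll
O4 - HKLM\\..\\Run: [Apoint] C:\\Program Files\\Apoint2K\\Apoint.exe
O4 - HKLM\\..\\Run: [wintp.exe] C:\\WINDOWS\\wintp.exe
O18 - Protocol: df2 - {219A97F3-D661-4766-B658-646A771AE49E} - (no file)
"""
LOG_AFTER = """\
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {4278452E-D132-1F34-AEAD-E8CA3AE5AC44} - C:\\WINDOWS\\system32\\cryg.dll
O4 - HKLM\\..\\Run: [Apoint] C:\\Program Files\\Apoint2K\\Apoint.exe
O4 - HKLM\\..\\Run: [wintp.exe] C:\\WINDOWS\\wintp.exe
O18 - Protocol: df2 - {219A97F3-D661-4766-B658-646A771AE49E} - (no file)
"""

def parse(log):
    """Yield (section, body) pairs such as ('O2', 'BHO: ...'); skip all other lines."""
    for line in log.splitlines():
        m = re.match(r"^([RFO]\d+) - (.*)$", line.strip())
        if m:
            yield m.group(1), m.group(2)

def why_suspicious(section, body):
    """Heuristics matching what the helper in this thread ticked; return a reason or None."""
    if section in ("R0", "R1") and "res://" in body:
        return "IE start/search page points at a page embedded in a local DLL (res://)"
    if section == "R3" and "URLSearchHook is missing" in body:
        return "default URLSearchHook has been removed"
    if section == "O2" and body.startswith("BHO: (no name)"):
        return "unnamed Browser Helper Object"
    # Legitimate autostarts in these logs live under Program Files or System32; an
    # executable dropped directly in C:\WINDOWS\ stands out (assumption generalised from wintp/mfcvv).
    if section == "O4" and re.search(r"\]\s+C:\\WINDOWS\\[^\\]+\.exe$", body, re.I):
        return "autostart binary sitting directly in the Windows folder"
    if section == "O18" and body.endswith("(no file)"):
        return "protocol handler registered with no backing file"
    return None

def triage(log):
    """Return [(section, body, reason)] for every entry a heuristic fires on."""
    return [(s, b, r) for s, b in parse(log) if (r := why_suspicious(s, b))]

def new_entries(before, after):
    """Entries in the later log that were absent earlier: regenerated components under new names."""
    seen = set(parse(before))
    return [(s, b) for s, b in parse(after) if (s, b) not in seen]
```

Running `triage(LOG_BEFORE)` flags five of the six lines and leaves the Apoint autostart alone; `new_entries(LOG_BEFORE, LOG_AFTER)` returns only the renamed BHO (cryg.dll), which is exactly the "reappearing" behaviour described in the post above.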

#4 Racktracker
    Hunter of Malware
  • Retired Staff
  • 1,306 posts

Posted 04 July 2004 - 01:15 PM

About:Buster has recently been updated, so I want you to download it again to make sure you have the newest version.

Then boot into safe mode and run About:Buster again.

Then boot back into normal mode and post another HijackThis log.
