*Spyware_Sucks

CWS Variant reloading itself.

32 posts in this topic

Hello Everyone, I have a problem with what I believe to be a CWS variant coming right back after I run CWShredder. I have run the CoolWebSearch SmartKiller and it turns up nothing, but when I try to run Norton Anti-Virus, Spybot Search And Destroy, or HijackThis, they all close after a few seconds. Also, I don't know if it is this problem or another, but something messed up my Internet connection on the infected computer, so I am using a laptop connected to a wireless network. I ran HijackThis, quickly scanned, and made a screenshot of the scan results, but I'm not sure if that helps any. Well, here is the shot..

 

HJT_Scan_Results.jpg

 

Any help would be greatly appreciated.

 

-edit

Also I have read the FAQ and I have tried the things mentioned.

Edited by *Spyware_Sucks


I have the same problem too. I can't get Hijackthis to run for more than a few seconds. I also can't even find the Hijackthis file in the directory where it used to be, or when I insert a CD where I also have the file. The only way I can run Hijackthis is when the computer is in safe mode, and only from the RUN command.

One suspect thing I see in your log is the "svhost.exe-sr -0" line. I have it also, and can't remove it; even if I do it with regedit, I erase it but it comes right back.

Good Luck, and let me know of any progress.

 

Tim


Okay, I have gone into safe mode and used HijackThis (which works :D) to remove wind.exe and svhost.exe. I do not know what to do next if someone could give me some more advice.

 

 

Thank you for taking time out of your day.


It would help a whole lot to fix this internet thing soon if possible. I ran LSP-Fix but it did not put anything in the remove section and it had only two things in the keep section. I'm wondering if that is relevant?

 

Thanks


You have to delete the file too.

 

In safe mode, command prompt; type:

 

delete c:\winnt\system32\wind.exe

 

AND

 

delete c:\winnt\system\blank.html

 

AND

 

delete c:\winnt\svhost.exe

 

Then, run pest patrol, since you have that on your comp already.

 

Make sure that you've used hijackthis to remove the R0 and R1 entries.

 

Do all of the following, and reboot TWICE....

 

You want to reboot several times so that you can be sure to initiate whatever reinfection method is going on.

 

Then give me your new hijackthis log, even if everything is okay.

 

Hopefully this will work.


Ok, I booted up into 'Safe Mode With Command Prompt' and I typed in

"delete c:\winnt\system32\wind.exe" and it came up with a problem saying "'delete' is not recognized as an internal or external command, operable program or batch file."

 

What should I do about this?


Also, I had Spybot Search And Destroy, but the trojan seemed to have uninstalled it from the computer along with HijackThis, but luckily HijackThis is small enough to transfer with a floppy disk. The trojan didn't touch Ad-Aware or PestPatrol though.


Ok, it seemed to delete wind.exe and then it said that it "Could not find c:\winnt\system\blank.htm" or c:\winnt\svhost.exe, so I am guessing that HijackThis deleted svhost? I don't know about blank.htm.


Post a HijackThis log. Do not use a screenshot. Hit Scan. The Scan button will turn to Save Log. Save the log and Notepad will open. Copy and paste the contents here.


I found that when HijackThis is named HijackThis, then the program disappears from where it was previously. So I had to retransfer the program with a floppy and renamed it HJT12.

 

 

 

Logfile of HijackThis v1.97.7

Scan saved at 2:17:00 PM, on 5/21/2004

Platform: Windows 2000 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\SYSTEM32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\Explorer.exe

C:\New Folder\HJT12.exe

 

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [igfxTray] C:\WINNT\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb07.exe

O4 - HKLM\..\Run: [HPHmon04] C:\WINNT\System32\hphmon04.exe

O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"

O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRA~1\PANICW~1\POP-UP~3\dpps2.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [bIRDSTOP] C:\PROGRA~1\PROGRA~1\Option deaf.exe

O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"

O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe

O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe

O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe

O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe

O4 - Startup: PeerGuardian_1.99b_pr7.lnk = C:\Program Files\PeerGuardian_1.99pr7\PeerGuardian_1.99b_pr7.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe

O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE

O8 - Extra context menu item: Get Flash by FlashKeeper - C:\Program Files\FlashKeeper\GetFlash.htm

O9 - Extra button: ICQ Pro (HKLM)

O9 - Extra 'Tools' menuitem: ICQ (HKLM)

O9 - Extra button: FlashKeeper (HKLM)

O9 - Extra button: AIM (HKLM)

O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.charter.com/sdccommon/download/tgctlcm.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinstc.cab

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/247966bc6aaf7801d502/...ip/RdxIE601.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://photo.walmart.com/photo/upload/XUpload.ocx


I scanned the computer with PestPatrol which probably is not completely up-to-date but not far behind. It did not find anything! :D

 

-edit

 

Whoops, I forgot to restart twice before posting the HijackThis log. Tell me if I should post a fresh one.

Edited by *Spyware_Sucks


Well, here is my HijackThis log after I rebooted a couple of times.

 

 

Logfile of HijackThis v1.97.7

Scan saved at 4:23:33 PM, on 5/21/2004

Platform: Windows 2000 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\SYSTEM32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINNT\system32\spoolsv.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINNT\wanmpsvc.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\System32\mspmspsv.exe

C:\WINNT\Explorer.exe

C:\WINNT\System32\hkcmd.exe

C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb07.exe

C:\WINNT\System32\hphmon04.exe

C:\PROGRA~1\PANICW~1\POP-UP~3\dpps2.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\Program Files\Logitech\MouseWare\system\em_exec.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\PROGRA~1\Option deaf.exe

C:\Program Files\Messenger Plus! 2\MsgPlus.exe

C:\PROGRA~1\PESTPA~1\PPControl.exe

C:\PROGRA~1\PESTPA~1\PPMemCheck.exe

C:\PROGRA~1\PESTPA~1\CookiePatrol.exe

C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe

C:\WINNT\System32\HPHipm11.exe

C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE

C:\Program Files\PeerGuardian_1.99pr7\PeerGuardian_1.99b_pr7.exe

C:\New Folder\HJT12.exe

 

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [igfxTray] C:\WINNT\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb07.exe

O4 - HKLM\..\Run: [HPHmon04] C:\WINNT\System32\hphmon04.exe

O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"

O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRA~1\PANICW~1\POP-UP~3\dpps2.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [bIRDSTOP] C:\PROGRA~1\PROGRA~1\Option deaf.exe

O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"

O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe

O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe

O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe

O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe

O4 - Startup: PeerGuardian_1.99b_pr7.lnk = C:\Program Files\PeerGuardian_1.99pr7\PeerGuardian_1.99b_pr7.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe

O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE

O8 - Extra context menu item: Get Flash by FlashKeeper - C:\Program Files\FlashKeeper\GetFlash.htm

O9 - Extra button: ICQ Pro (HKLM)

O9 - Extra 'Tools' menuitem: ICQ (HKLM)

O9 - Extra button: FlashKeeper (HKLM)

O9 - Extra button: AIM (HKLM)

O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.charter.com/sdccommon/download/tgctlcm.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinstc.cab

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/247966bc6aaf7801d502/...ip/RdxIE601.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://photo.walmart.com/photo/upload/XUpload.ocx

 

 

Any help will be GREATLY appreciated.

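The two HijackThis logs above are reviewed by eye in the thread. As an added example (not part of the original posts and not HijackThis code), the script below parses the log format those posts use and applies two review heuristics drawn from the thread itself: a watch list of the file names the posters identify (svhost.exe, wind.exe, winunins.exe), and a lookalike check that catches names one character short of a genuine Windows binary, which is exactly how svhost.exe imitates svchost.exe. The log excerpt is a constructed cut-down of the posted log; the svhost.exe process and the O4 line named `[constructed entry]` are added for illustration, based on the `C:\WINNT\svhost.exe -sr -0` startup entry the later post quotes. R0/R1 entries are listed for review because the helper in the thread asked for them to be removed.

```python
"""Review helper for HijackThis v1.97-style logs (added example, not HijackThis code)."""
import re

# Constructed excerpt in the thread's log format; the svhost.exe lines are added
# for illustration (the thread's winunins.ini lists that path under [Startup Run]).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
Scan saved at 4:23:33 PM, on 5/21/2004
Platform: Windows 2000 (WinNT 5.00.2195)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\svhost.exe
C:\New Folder\HJT12.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [igfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [constructed entry] C:\WINNT\svhost.exe -sr -0
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
"""

# File names the thread itself ties to the reinfection (constructed watch list).
WATCH_LIST = {"svhost.exe", "wind.exe", "winunins.exe"}
# Genuine Windows binaries whose names malware commonly imitates.
SYSTEM_BINARIES = ("svchost.exe", "lsass.exe", "winlogon.exe",
                   "services.exe", "explorer.exe", "smss.exe")

ENTRY_RE = re.compile(r"^(R\d|O\d{1,2}) - (.*)$")          # e.g. "O4 - HKLM\..\Run: ..."
EXE_RE = re.compile(r'"?([A-Za-z]:\\[^"]*?\.exe)', re.IGNORECASE)  # first full .exe path


def parse_hjt_log(text):
    """Split a log into the running-process list and the lettered (R/O) entries."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # a blank line ends the process list
            continue
        if line.lower() == "running processes:":
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
        elif in_procs:
            processes.append(line)
    return {"processes": processes, "entries": entries}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def one_deletion_away(short, long):
    """True if `short` equals `long` with exactly one character removed."""
    if len(long) - len(short) != 1:
        return False
    return any(long[:i] + long[i + 1:] == short for i in range(len(long)))


def lookalike_of(name):
    """Return the system binary `name` imitates by dropping one character, if any."""
    for real in SYSTEM_BINARIES:
        if name != real and one_deletion_away(name, real):
            return real
    return None


def image_path(entry_body):
    m = EXE_RE.search(entry_body)
    return m.group(1) if m else None


def review(log):
    """Return (where, item, reason) findings for a parsed log."""
    findings = []
    images = [("process", p) for p in log["processes"]]
    for code, body in log["entries"]:
        if code.startswith("O4"):
            path = image_path(body)
            if path:
                images.append((code, path))
        elif code in ("R0", "R1"):
            findings.append((code, body, "browser start/search setting; review as the thread advises"))
    for where, path in images:
        name = basename(path)
        if name in WATCH_LIST:
            findings.append((where, path, "on the thread's watch list"))
        real = lookalike_of(name)
        if real:
            findings.append((where, path, f"name is one character short of {real}"))
    return findings


if __name__ == "__main__":
    for where, item, reason in review(parse_hjt_log(SAMPLE_LOG)):
        print(f"{where:8} {item}  <- {reason}")
```

Run against a full log the same way; the lookalike check is deliberately narrow (a single dropped character) so it stays quiet on ordinary vendor binaries while still catching the svhost/svchost substitution this thread turns on.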

Sorry for the delay, but I was out of town. Anyway, I fixed my problem by using the System Restore function of XP, and I restored my computer to 3 days before I was getting the problem. Now I can run Hijackthis and all other programs with no problem, and there is no sign of the "svhost.exe" file anywhere on my computer. But if you can't use System Restore, here is a fix I've got from someone else:

 

Start | Run (type) cmd (click Ok)

From The "Command Prompt" (type)

 

NET STOP HACKERDEFENDER100 (press Enter)

 

Note: (that's) NET<space>STOP<space>HACKERDEFENDER100

 

If successful you should see: (wait 30 sec.)

 

"The service is not responding to the control function."

 

 

See if "winunins.ini" exists and open in Notepad

Paste the contents of "winunins.ini" in your next post.

 

Good Luck


Okay, I am using Windows 2000, so I do not have the System Restore option.

 

When I tried to stop hackerdefender100 through those methods it showed an error that said "System Error 1060 has occurred. The specified service does not exist as an installed service."

 

Also, when I went to Start\Search\For Files Or Folders in normal mode the computer froze up, but I could still use Ctrl+Alt+Delete to restart. I found the .ini in safe mode, so here are the contents.

 

[Hidden Table]

inatjoy.dll

motkrtin.dll

witadr.dll

winunins.exe

winunins.ini

svhost.exe

CWShredder*

HijackThis*

ProceXP*

Spybot*

msconfig*

 

[Root Processes]

svhost.exe

trj4j6js.exe

winunins.exe

 

[Hidden Services]

HackerDefender*

 

[Hidden RegKeys]

HackerDefender100

LEGACY_HACKERDEFENDER100

HackerDefenderDrv100

LEGACY_HACKERDEFENDERDRV100

 

[Hidden RegValues]

 

[startup Run]

C:\WINNT\svhost.exe -sr -0

 

[Free Space]

 

[Hidden Ports]

 

[settings]

Password=qweqwe

BackdoorShell=ddd.exe

FileMappingName=_.-=[PokuS]=-._

ServiceName=HackerDefender100

ServiceDisplayName=Windows System Uninstaller

ServiceDescription=Microsoft System Service

DriverName=HackerDefenderDrv100

DriverFileName=hxdefdrv.sys

 

[Comments]

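The winunins.ini posted above is the rootkit's own configuration, and for a responder it is the best inventory of what the infection hides. As an added example (not part of the thread and not the rootkit's or any vendor's code), the script below parses that section layout and pulls out the triage facts: the service and driver names to stop and look for, the hidden files, the root processes, the hidden registry keys, and the startup image. It also answers the question the thread raises in passing: `is_hidden` treats a trailing `*` in [Hidden Table] as a prefix wildcard, which is an assumption consistent with the posted observation that HijackThis.exe and CWShredder vanished while a copy renamed HJT12.exe stayed visible. The sample reproduces the posted sections without the credential-like settings; section names are matched case-insensitively because the posted copy shows some of them lowercased.

```python
"""Triage parser for a Hacker Defender-style ini (added example, not the rootkit's code)."""
import fnmatch

# Section layout copied from the thread's winunins.ini; Password, BackdoorShell and
# FileMappingName lines are deliberately left out because triage does not need them.
SAMPLE_INI = r"""
[Hidden Table]
inatjoy.dll
motkrtin.dll
witadr.dll
winunins.exe
winunins.ini
svhost.exe
CWShredder*
HijackThis*
ProceXP*
Spybot*
msconfig*

[Root Processes]
svhost.exe
trj4j6js.exe
winunins.exe

[Hidden Services]
HackerDefender*

[Hidden RegKeys]
HackerDefender100
LEGACY_HACKERDEFENDER100
HackerDefenderDrv100
LEGACY_HACKERDEFENDERDRV100

[Hidden RegValues]

[startup Run]
C:\WINNT\svhost.exe -sr -0

[settings]
ServiceName=HackerDefender100
ServiceDisplayName=Windows System Uninstaller
ServiceDescription=Microsoft System Service
DriverName=HackerDefenderDrv100
DriverFileName=hxdefdrv.sys
"""


def parse_ini(text):
    """Return {section name (lowercased): [non-empty lines]}; empty sections map to []."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()   # case-insensitive section names
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def settings(sections):
    """key=value lines of [Settings] as a dict with lowercased keys."""
    out = {}
    for line in sections.get("settings", []):
        key, _, value = line.partition("=")
        out[key.strip().lower()] = value.strip()
    return out


def is_hidden(name, sections):
    """Would a file or process with this name fall under a [Hidden Table] pattern?
    A trailing * is treated as a prefix wildcard (assumption, see lead-in)."""
    name = name.lower()
    return any(fnmatch.fnmatchcase(name, pat.lower())
               for pat in sections.get("hidden table", []))


def triage(sections):
    """Collect the artefacts a responder would go looking for once the rootkit is stopped."""
    s = settings(sections)
    table = sections.get("hidden table", [])
    return {
        "service": s.get("servicename"),            # name to pass to NET STOP / sc
        "display_name": s.get("servicedisplayname"),
        "driver_file": s.get("driverfilename"),     # kernel driver on disk
        "hidden_files": [p for p in table if not p.endswith("*")],
        "hidden_prefixes": [p[:-1] for p in table if p.endswith("*")],
        "root_processes": sections.get("root processes", []),
        "hidden_regkeys": sections.get("hidden regkeys", []),
        # first whitespace-delimited token; paths with spaces would need quoting
        "startup_images": [line.split()[0] for line in sections.get("startup run", [])],
    }


if __name__ == "__main__":
    secs = parse_ini(SAMPLE_INI)
    for key, value in triage(secs).items():
        print(f"{key:16} {value}")
    for probe in ("HijackThis.exe", "HJT12.exe", "CWShredder.exe"):
        print(f"{probe:16} hidden={is_hidden(probe, secs)}")
```

The hidden-prefix list is the practical takeaway: any tool whose file name starts with one of those prefixes will be invisible to the user while the service is running, which is why the thread's advice to stop the service first (and the poster's renaming trick) mattered more than any scanner.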

WOW, after I made the post above in safe mode, when I rebooted in normal mode Spybot Search And Destroy and HijackThis appeared on the desktop again! When this malware infected my machine it hid Spybot and HJT from the desktop and the Program Files folder. So I wonder if the stop hackerdefender worked?


Help please? An error comes up usually about 30 mins after I have been using the infected computer saying explorer.exe has performed an illegal operation and will be shut down. Then it crashes the desktop and takes away the Start button, desktop icons, everything except the open window. I have to log off and then back on to restore them. Help please..
