Someone please help! CWS attack


7 replies to this topic

#1 mwalien

Posted 09 July 2004 - 10:37 AM

This is the 2nd post I've put up, and I haven't gotten any reply for my last post. I have no idea how to eradicate this; I've tried ad-aware and everything. Norton cannot delete this as well, and I have no idea how to use HijackThis and About:Buster.
Someone help please!

Logfile of HijackThis v1.98.0
Scan saved at 11:31:10 PM, on 7/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINDOWS\System32\NotifyPhoneBook.exe
C:\WINDOWS\system32\appoa32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Documents and Settings\acer\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\fdxvi.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://fdxvi.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://fdxvi.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\fdxvi.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\fdxvi.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://fdxvi.dll/index.html#37049
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {372F8931-D513-1387-33C0-8D1E94346E23} - C:\WINDOWS\crwo32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Microsoft Windows Updater] svchostz.exe
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [Microsoft AUT Update] MSlti16.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [appoa32.exe] C:\WINDOWS\system32\appoa32.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\RunServices: [Microsoft Windows Updater] svchostz.exe
O4 - HKLM\..\RunServices: [Microsoft AUT Update] MSlti16.exe
O4 - HKCU\..\Run: [Microsoft Windows Updater] svchostz.exe
O4 - HKCU\..\Run: [Microsoft AUT Update] MSlti16.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...367/mcfscan.cab

#2 stockkbroker

Posted 09 July 2004 - 12:01 PM

Hi,

Before you begin, please print out the following instructions so that you can follow along as we go.

Download About:Buster from my signature and unzip it to its own folder.


Fixing the HIJACKTHIS log
Please look over the following entries I have listed, check them and Press the "Fix Checked" button with HijackThis.
When you are doing this, make sure you have NO Internet Explorer windows open, including this one.
  • R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\fdxvi.dll/sp.html#37049
  • R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://fdxvi.dll/index.html#37049
  • R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://fdxvi.dll/index.html#37049
  • R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
    res://C:\WINDOWS\system32\fdxvi.dll/sp.html#37049
  • R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\fdxvi.dll/sp.html#37049
  • R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://fdxvi.dll/index.html#37049
  • R3 - Default URLSearchHook is missing
  • O2 - BHO: (no name) - {372F8931-D513-1387-33C0-8D1E94346E23} - C:\WINDOWS\crwo32.dll
  • O4 - HKLM\..\Run: [Microsoft AUT Update] MSlti16.exe
  • O4 - HKLM\..\Run: [appoa32.exe] C:\WINDOWS\system32\appoa32.exe
  • O4 - HKLM\..\RunServices: [Microsoft AUT Update] MSlti16.exe
  • O4 - HKCU\..\Run: [Microsoft AUT Update] MSlti16.exe
  • O4 - HKCU\..\Run: [Microsoft Windows Updater] svchostz.exe
  • O4 - HKCU\..\Run: [Microsoft AUT Update] MSlti16.exe
Clean your computer of useless cookies, temporary files
Navigate to the following folders and delete the contents inside but not the folders
  • Start | Run (type) "%temp%" (no quotes)
  • Completely delete the entire contents of that "temp" folder.
  • Empty your "Recycle Bin"
Run About:Buster
  • Double click About:Buster.
  • Click OK and Start.
  • Let About:buster fix all the entries it finds.
Scanning for viruses and trojans
Due to the number of infections that you have, please consider running a virus and trojan scan. Before you do, please turn off System Restore first.

Deleting spyware files and folders
You need to show hidden files and boot into safe mode before the deletion process. Once in safe mode, follow the directory listed or use Explorer's Find to search for and delete the following .exe's.
  • O4 - HKLM\..\Run: [Microsoft AUT Update] MSlti16.exe
  • O4 - HKLM\..\Run: [appoa32.exe] C:\WINDOWS\system32\appoa32.exe
  • O4 - HKLM\..\RunServices: [Microsoft AUT Update] MSlti16.exe
  • O4 - HKCU\..\Run: [Microsoft AUT Update] MSlti16.exe
  • O4 - HKCU\..\Run: [Microsoft Windows Updater] svchostz.exe
  • O4 - HKCU\..\Run: [Microsoft AUT Update] MSlti16.exe
Reboot and post a new HijackThis Log.

Learn how to prevent future infection
Spyware preventions
To reduce the likelihood of future infections, I strongly recommend installing the following antispyware tools.
  • SpywareBlaster<=SpywareBlaster will prevent spyware from being installed and consumes no system resources.
  • Spyware Guard<=SpywareGuard offers realtime protection from spyware installation attempts.
  • IE/Spyad<=IE/Spyad is a free tool that places over 4000 websites and domains in the IE Restricted list, which will seriously impair attempts to infect your system.
  • Script Defender<=Script Defender is a script blocker that can be used to protect against drive-by downloads.
I would also recommend installing any one of the following firewalls if you are not using one yet.
  • Sygate<=Sygate Security Agent incorporates an application-centric firewall that stealths host systems, provides stateful firewalling, applies rule-based security policy, and controls application usage.
  • Agnitum Outpost<=Agnitum Outpost is a full-featured yet light-weight personal firewall product with application scanning and basic intrusion-detection features. It offers a good balance between ease of use and protection.
  • Zone Labs<=Zone Labs is a leading creator of endpoint security solutions and one of the most trusted brands in Internet security, protecting millions of PCs from risks posed by hackers and data theft. The award-winning endpoint security product line is deployed in global enterprises.
  • Kerio Personal Firewall<=Kerio Personal Firewall (KPF) helps users control how their computers exchange data with other computers on the Internet or local network. A necessity for all desktop computers connected to broadband Internet, using DSL, cable, ISDN, WiFi or satellite modems.

Edited by stockkbroker, 09 July 2004 - 12:03 PM.
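As an added illustration (not code from the thread, from HijackThis or from About:Buster), the helper's selection criteria can be applied mechanically: the script below walks HijackThis log lines and flags the same CWS-style patterns the reply marks for "Fix Checked" (IE pages redirected into a local DLL resource, a missing URLSearchHook, a nameless BHO, and Run entries that imitate Windows components). The sample input is copied from the log posted above, with two clean entries kept for contrast; the lookalike-name list is an assumption of the example.

```python
import re

# Sample lines copied from the HijackThis log posted in this thread, plus two
# legitimate entries (NAV Helper, ccApp) so the filter has something to pass.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\fdxvi.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://fdxvi.dll/index.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {372F8931-D513-1387-33C0-8D1E94346E23} - C:\WINDOWS\crwo32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Microsoft Windows Updater] svchostz.exe
O4 - HKLM\..\Run: [appoa32.exe] C:\WINDOWS\system32\appoa32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Microsoft AUT Update] MSlti16.exe
"""

# Assumed list of core Windows process names that hijackers imitate by adding
# or swapping letters (the posted log's "svchostz.exe" mimics svchost.exe).
SYSTEM_STEMS = ("svchost", "lsass", "winlogon", "services", "explorer", "csrss", "smss")

R_RE = re.compile(r"^(R[013]) - (.+)$")
O2_RE = re.compile(r"^O2 - BHO: (.*?) - \{[0-9A-Fa-f-]+\} - (.+)$")
O4_RE = re.compile(r"^O4 - \S+: \[([^\]]*)\] (.+)$")


def first_token(cmd):
    """First program on a Run-key command line, honouring a quoted path."""
    cmd = cmd.strip()
    return cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split()[0]


def triage(log_text):
    """Return (reason, line) pairs for entries matching CWS-style hijack patterns."""
    hits = []
    for line in (l.strip() for l in log_text.strip().splitlines()):
        if m := R_RE.match(line):
            if "= res://" in m.group(2):
                hits.append(("IE start/search page points into a local DLL resource", line))
            elif m.group(2).startswith("Default URLSearchHook is missing"):
                hits.append(("default URLSearchHook removed", line))
        elif (m := O2_RE.match(line)) and m.group(1).strip() == "(no name)":
            hits.append(("unnamed BHO loaded from " + m.group(2), line))
        elif m := O4_RE.match(line):
            label, tok = m.group(1), first_token(m.group(2))
            exe = tok.replace("/", "\\").split("\\")[-1].lower()
            stem = exe.rsplit(".", 1)[0]
            if any(s in stem and stem != s for s in SYSTEM_STEMS):
                hits.append(("autorun mimics a core Windows process name", line))
            elif "\\" not in tok and re.search(r"microsoft|windows|update", label, re.I):
                hits.append(("Microsoft-sounding label runs a bare, path-less executable", line))
            elif label.lower() == exe:
                hits.append(("autorun label is just its own file name", line))
    return hits
```

Running `triage(SAMPLE_LOG)` flags the seven hijack lines and leaves the NAV Helper and ccApp entries alone; a heuristic like this only shortlists entries for a human to confirm, as the helper did.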


#3 mwalien

Posted 10 July 2004 - 09:41 PM

Thanks for the help!!!

But there's some problem.
HijackThis detected at least three svchostz.exe, and there are only three MSlti16.exe. But I fixed all of them. Hope it's not a problem.

And I can't find all the files mentioned, except appoa32.exe-0431A95B in C:/Windows/Prefetch

Here's the new log:

Logfile of HijackThis v1.98.0
Scan saved at 10:34:23 AM, on 7/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINDOWS\System32\NotifyPhoneBook.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\acer\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...367/mcfscan.cab

Also, Pandasoftware and GFI Trojan Scan found no infected files.

Thank you for your help, again. =)

#4 stockkbroker

Posted 11 July 2004 - 09:59 AM

Hi,

Your log looks clean. Great job. :thumbsup:
Make sure you follow the links on spyware preventions to prevent further attacks.
:D

Edited by stockkbroker, 11 July 2004 - 10:05 AM.


#5 CalamityJane

Posted 11 July 2004 - 10:06 AM

Additionally, I have answered this same log for this person this morning over at Computer Cops, so it has really been a waste of my time when I could have been helping someone else. :grrr:

http://computercops....postt58121.html

You know, people, when you post your same log numerous times in various forums it really slows us down, as many of us frequent the same forums. :grrr:
Microsoft MVP Windows-Security 2003-2009

#6 mwalien

Posted 11 July 2004 - 12:04 PM

I'm really very sorry. I tried both forums. And I waited for 2 weeks at computer cops, and it got really frustrating (though I know all of you are really busy). Over here, someone ignored my last post completely after 1st reply. I won't go into that.

CalamityJane, you happened to be the only one who replied to my post just today. I'm really sorry, but thanks for the help. I did see your post. But stockkbroker replied first.

#7 CalamityJane

Posted 11 July 2004 - 12:52 PM

Some people wait that long here, also (I help in both of these forums). In fact, we work many various forums and it is pretty much the same all over. Too many infected, and too few helpers.

However, the thing to do if you have posted to another forum is to return to the thread where you first posted and just let them know you've already been taken care of. The amount of time I spent on that post and getting rid of the duplicates over there might have given me time for an extra person or two I could help over here, if I had known you were already getting an answer.

I also try to help first those who have been waiting the longest in any forum.

So if you have posted other threads in other forums, it would help just to leave a note that you no longer need assistance. We all would appreciate it so we can spend our time helping those who haven't gotten any help.

Thanks for your understanding.

#8 mwalien

Posted 12 July 2004 - 03:12 AM

I must seriously apologise for this. I meant to leave a note, but you got to this first.
Anyway, I sincerely thank you for the help, because I did refer to your post, and followed some additional steps.
Sorry for causing you so much inconvenience.
