mwalien

Someone please help! CWS attack

8 posts in this topic

This is the 2nd post I've put up, and I haven't gotten any reply to my last post. I have no idea how to eradicate this; I've tried Ad-Aware and everything. Norton cannot delete it either, and I have no idea how to use HijackThis and About:Buster.

Someone help please!

 

Logfile of HijackThis v1.98.0

Scan saved at 11:31:10 PM, on 7/9/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Sygate\SPF\smc.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\WINDOWS\System32\rundll32.exe

C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

C:\WINDOWS\System32\NotifyPhoneBook.exe

C:\WINDOWS\system32\appoa32.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton AntiVirus\SAVScan.exe

C:\Documents and Settings\acer\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\fdxvi.dll/sp.html#37049

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://fdxvi.dll/index.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://fdxvi.dll/index.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\fdxvi.dll/sp.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\fdxvi.dll/sp.html#37049

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://fdxvi.dll/index.html#37049

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/

R3 - Default URLSearchHook is missing

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {372F8931-D513-1387-33C0-8D1E94346E23} - C:\WINDOWS\crwo32.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [Microsoft Windows Updater] svchostz.exe

O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL

O4 - HKLM\..\Run: [Microsoft AUT Update] MSlti16.exe

O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

O4 - HKLM\..\Run: [appoa32.exe] C:\WINDOWS\system32\appoa32.exe

O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui

O4 - HKLM\..\RunServices: [Microsoft Windows Updater] svchostz.exe

O4 - HKLM\..\RunServices: [Microsoft AUT Update] MSlti16.exe

O4 - HKCU\..\Run: [Microsoft Windows Updater] svchostz.exe

O4 - HKCU\..\Run: [Microsoft AUT Update] MSlti16.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...367/mcfscan.cab


Hi,

 

Before you begin, please print out the following instructions so that you can follow along as we go.

 

Download About:Buster from my signature and unzip it to its own folder.

 

Fixing the HIJACKTHIS log

Please look over the following entries I have listed, check them and Press the "Fix Checked" button with HijackThis.

When you are doing this, make sure you have NO Internet Explorer windows open, including this one.

  • R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\fdxvi.dll/sp.html#37049
  • R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://fdxvi.dll/index.html#37049
  • R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://fdxvi.dll/index.html#37049
  • R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\fdxvi.dll/sp.html#37049
  • R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\fdxvi.dll/sp.html#37049
  • R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://fdxvi.dll/index.html#37049
  • R3 - Default URLSearchHook is missing
  • O2 - BHO: (no name) - {372F8931-D513-1387-33C0-8D1E94346E23} - C:\WINDOWS\crwo32.dll
  • O4 - HKLM\..\Run: [Microsoft AUT Update] MSlti16.exe
  • O4 - HKLM\..\Run: [appoa32.exe] C:\WINDOWS\system32\appoa32.exe
  • O4 - HKLM\..\RunServices: [Microsoft AUT Update] MSlti16.exe
  • O4 - HKCU\..\Run: [Microsoft AUT Update] MSlti16.exe
  • O4 - HKCU\..\Run: [Microsoft Windows Updater] svchostz.exe
  • O4 - HKCU\..\Run: [Microsoft AUT Update] MSlti16.exe

Clean your computer of useless cookies, temporary files

Navigate to the following folders and delete the contents inside but not the folders

  • Start | Run (type) "%temp%" (no quotes)
  • Completely delete the entire contents of that "temp" folder.
  • Empty your "Recycle Bin"

Run About:Buster

  • Double click About:Buster.
  • Click OK and Start.
  • Let About:buster fix all the entries it finds.

Scanning for viruses and trojans

Due to the number of infections that you have, please consider running a virus and trojan scan. Before you do, please turn off System Restore first.

Deleting spyware files and folders

You need to show hidden files and boot into safe mode before the deletion process.

Once in safe mode, follow the directory listed or use explorer find to search and delete the following .exe's.

  • O4 - HKLM\..\Run: [Microsoft AUT Update] MSlti16.exe
  • O4 - HKLM\..\Run: [appoa32.exe] C:\WINDOWS\system32\appoa32.exe
  • O4 - HKLM\..\RunServices: [Microsoft AUT Update] MSlti16.exe
  • O4 - HKCU\..\Run: [Microsoft AUT Update] MSlti16.exe
  • O4 - HKCU\..\Run: [Microsoft Windows Updater] svchostz.exe
  • O4 - HKCU\..\Run: [Microsoft AUT Update] MSlti16.exe

Reboot and post a new HijackThis Log.

 

Learn how to prevent future infection

Spyware preventions

To reduce the likelihood of future infections, I strongly recommend installing the following antispyware tools.

  • SpywareBlaster<=SpywareBlaster will prevent spyware from being installed and consumes no system resources.
  • Spyware Guard<=SpywareGuard offers realtime protection from spyware installation attempts.
  • IE/Spyad<=IE/Spyad is a free tool that places over 4000 websites and domains in the IE Restricted list which will seriously impair attempts to infect your system.
  • Script Defender<=Script Defender is a script blocker that can be used to protect against drive by downloads.

I would also recommend installing any one of the following firewalls if you are not using one yet.

  • Sygate<=Sygate Security Agent incorporates an application-centric firewall that stealths host systems, provides stateful firewalling, applies rule-based security policy, and controls application usage.
  • Agnitum Outpost<=Agnitum Outpost is a full-featured yet light-weight personal firewall product with application scanning and basic intrusion-detection features. It offers a good balance between ease of use and protection.
  • Zone Labs<=Zone Labs is a leading creator of endpoint security solutions and one of the most trusted brands in Internet security, protecting millions of PCs from risks posed by hackers and data theft. The award-winning endpoint security product line is deployed in global enterprises.
  • Kerio Personal Firewall<=Kerio Personal Firewall (KPF) helps users control how their computers exchange data with other computers on the Internet or local network. It is a necessity for all desktop computers connected to broadband Internet, using DSL, cable, ISDN, WiFi or satellite modems.

Edited by stockkbroker


Thanks for the help!!!

 

But there's some problem.

HijackThis detected at least three svchostz.exe, and there are only three MSlti16.exe. But I fixed all of them. Hope it's not a problem.

 

And I can't find all the files mentioned, except appoa32.exe-0431A95B in C:/Windows/Prefetch

 

Here's the new log:

 

Logfile of HijackThis v1.98.0

Scan saved at 10:34:23 AM, on 7/11/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Sygate\SPF\smc.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\WINDOWS\System32\rundll32.exe

C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

C:\WINDOWS\System32\NotifyPhoneBook.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton AntiVirus\SAVScan.exe

C:\Program Files\SpywareGuard\sgmain.exe

C:\Program Files\SpywareGuard\sgbhp.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Documents and Settings\acer\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL

O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui

O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...367/mcfscan.cab

 

Also, Panda Software and GFI Trojan Scan found no infected files.

 

Thank you for your help, again. =)


Hi,

 

Your log looks clean. Great job. :thumbsup:

Make sure you follow the links on spyware preventions to prevent further attacks.

:D

Edited by stockkbroker


Additionally, I have answered this same log for this person this morning over at Computer Cops, so it has really been a waste of my time when I could have been helping someone else. :grrr:

 

http://computercops.biz/postt58121.html

 

You know, people, when you post the same log numerous times in various forums it really slows us down, as many of us frequent the same forums. :grrr:


I'm really very sorry. I tried both forums. And I waited for 2 weeks at computer cops, and it got really frustrating (though I know all of you are really busy). Over here, someone ignored my last post completely after 1st reply. I won't go into that.

 

CalamityJane, you happened to be the only one who replied to my post just today. I'm really sorry, but thanks for the help. I did see your post, but stockkbroker replied first.


Some people wait that long here, also (I help in both of these forums). In fact, we work many various forums and it is pretty much the same all over. Too many infected, and too few helpers.

 

However, the thing to do if you have posted to another forum is to return to the thread where you first posted and just let them know you've already been taken care of. The amount of time I spent on that post and getting rid of the duplicates over there might have given me time for an extra person or two I could help over here, if I had known you were already getting an answer.

 

I also try to help first those who have been waiting the longest in any forum.

 

So if you have posted other threads in other forums, it would help just to leave a note that you no longer need assistance. We would all appreciate it, so we can spend our time helping those who haven't gotten any help.

 

Thanks for your understanding.


I must seriously apologise for this. I meant to leave a note, but you got to this first.

Anyway, I sincerely thank you for the help, because I did refer to your post and followed some additional steps.

Sorry for causing you so much inconvenience.
