Jump to content


Photo

spyware - cws


  • This topic is locked This topic is locked
3 replies to this topic

#1 cheryl12

cheryl12

    Member

  • New Member
  • Pip
  • 2 posts

Posted 18 July 2004 - 10:12 AM

This is my first time participating so I hope I'm doing this right. I've read the FAQ for the boards and spyware and have run adware, spybot S&D and CWS shredder. I've successfully stopped it from re-routing my home page, but with a few still existing problems.
First, as part of downloading the spyware software to get rid of CWS I downloaded a program, I think called teatimer, that warns me whenever something is changed in my registry. Now at each turn on of the computer I have to go through about 4 clicks of that screen where I'm told the "old data" is find-online.net, and the new data is something else, and I have to click on allow change or deny change. I always allow the change since the findonline and sex stuff is the old data.
Second, my typical homepage is www.my.yahoo.com. That's what's shown in my internet options, but instead the browser address is shown as http://my.yahoo.com/p/d.html?v. This concerns me. I can manually go to just plain my.yahoo.com without a problem but if I click "home" I go to this variant of the address that looks exactly the same. Is this a problem.
Lastly, now even when online and not doing anything my internet connection appears to be running. Both my little blue screens at the bottom are constantly blue. In the past they only been blue when loading a page, etc. Otherwise they'd be black. Now they're constantly blue and when I click on them to see my online status I seem to have a lot of data being received. This also concerns me that somethings going on.
I've run hijack this and will post my log below.
Sorry for being a novice at this but any help will be greatly appreciated.

Logfile of HijackThis v1.97.7
Scan saved at 10:11:38 AM, on 7/18/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe
C:\WINDOWS\csifcsvc.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\WINDOWS\System32\wuauclt.exe
C:\lotus\123\123w.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\cws\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.my.yahoo.com
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Kenneth\Application Data\Mozilla\Profiles\default\sytmt1g3.slt\prefs.js)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [tapisys] C:\WINDOWS\System32\tss.exe
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [tapisys] C:\WINDOWS\System32\tss.exe
O4 - HKLM\..\RunOnce: [Compaq_RBA] C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe -z
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AIM (HKLM)
O9 - Extra button: MoneySide (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Poker - http://download.game...nts/y/pt0_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...ector/swdir.cab
O16 - DPF: {3CA15C82-6297-11D6-B8FA-00C04F5E375A} (BridgeChannel v3) - http://channel.bridg...c3_bridge_i.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} -
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://204.248.19.35...sCamControl.ocx
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7985.8705555556
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yaho...mail/ymmapi.dll
O16 - DPF: {C6B086D2-146B-47A4-A218-B82DCAF2D872} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ntrol_v1-32.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{76C41CFB-0A5F-4319-820C-6BA31BC649D4}: NameServer = 204.248.18.2 204.248.18.10

#2 Bugbatter

Bugbatter

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 939 posts

Posted 18 July 2004 - 12:43 PM

Cheryl,

The main problem that I see in your log is Sysupd.exe
In order to remove sysupd.exe you will need to work in the registry.
Make a backup according to instructions for your operating system:
http://service1.syma...c_nam#_Section2

or here: http://www.annoyance...c/show/registry

Make sure your computer is configured to show all folders/files:
Enable the "Show Hidden Folders" option, like this:
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden Files and Folders heading select Show Hidden Files and Folders.
Uncheck the Hide Protected Operating System Files (recommended) option.
Click Yes to confirm.
Click OK.

Reboot into Safemode this way:
Turn on the computer
Immediately begin tapping the <F8> key.
Use the arrow keys to highlight Safe Mode and press the <Enter> key.

See if you can close Sysupd.exe if it is listed in Task Manager (Alt+Ctrl+Delete).

How to Remove Sysupd.exe:
(You might want to print this so you can refer to it.):
The file is very persistent and might reopen even after stopping the process from Task Manager.

a) Click on Start, Run, and type REGEDIT and press Enter to open the Registry Editor

b) Click the pluses (+) next to the following items:
HKEY_LOCAL_MACHINE
SOFTWARE
MICROSOFT
WINDOWS
CURRENTVERSION
RUN

c) In the right-hand column, highlight and delete the entry for SYSUPD

d) Close the Registry Editor

e) With Windows Explorer find and delete the infected file in bold:

C:\WINDOWS\sysupd.exe

REBOOT

Empty your Temporary Internet Files and history in Internet Options. And clean out your
%Userprofile%\Local Settings\Temp

OR: Use the Disk Cleanup Utility to empty all your Temp folders

Reboot.

Download the updated version of HJT (v.1.98):
Download HijackThis to its own permanent folder.
http://www.spywarein.../HijackThis.exe
Here's how:
To create a folder:
Click My Computer, then C:\
In the menu bar, File->New->Folder.
That will create a folder named "New Folder", which you can rename to "HJT" or "HijackThis".
Now you have C:\HJT\ folder.
Double-click on the .exe to scan.
Please post a HijackThis log. After Scan, the Scan button changes to Save Log. Click that, save it somewhere. Do Ctrl-A to Select all, and then copy and paste it here.
Let me know if the problem has cleared up. Thanks.
Microsoft MVP - Consumer Security

#3 cheryl12

cheryl12

    Member

  • New Member
  • Pip
  • 2 posts

Posted 18 July 2004 - 02:49 PM

Thanks for the help. I've done everything you mentioned so far with no new problems.
I'm attaching below my new Hijack This log for your review.
Do you happen to know any reason why I'm getting that slight variant on the my.yahoo.com page name or any particular thoughts on the constant downloading my computer seems to be doing. For example, typically as I'm typing this I would have 2 black screens on the little internet icon in the lower right since at this moment I'm not sending or receiving, but they're constantly blue and when I click on them to check the internet status it shows info being received at a pretty fast clip.
I'm a bit of a novice so please bear with me if these are stupid questions but I don't want to have someone tapping into my computer and using it as a storage place for who knows what. By the way I just use 56k dialup.
Thanks in advance for all your help.
Cheryl



Logfile of HijackThis v1.98.0
Scan saved at 2:42:49 PM, on 7/18/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe
C:\WINDOWS\csifcsvc.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\cws\hijackthis\HijackThisNew.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.my.yahoo.com
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Kenneth\Application Data\Mozilla\Profiles\default\sytmt1g3.slt\prefs.js)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [tapisys] C:\WINDOWS\System32\tss.exe
O4 - HKLM\..\RunOnce: [Compaq_RBA] C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe -z
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [tapisys] C:\WINDOWS\System32\tss.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Poker - http://download.game...nts/y/pt0_x.cab
O16 - DPF: {3CA15C82-6297-11D6-B8FA-00C04F5E375A} (BridgeChannel v3) - http://channel.bridg...c3_bridge_i.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} -
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://204.248.19.35...sCamControl.ocx
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} -
O16 - DPF: {C6B086D2-146B-47A4-A218-B82DCAF2D872} -
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ntrol_v1-32.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{76C41CFB-0A5F-4319-820C-6BA31BC649D4}: NameServer = 204.248.18.2 204.248.18.10
O18 - Protocol hijack: ct - {774E529C-2458-48A2-8F57-3ED3105D8612}
O18 - Protocol: cw - {774E529C-2458-48A2-8F57-3ED3105D8612} - c:\caseware\cwproto.dll

#4 Bugbatter

Bugbatter

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 939 posts

Posted 18 July 2004 - 08:12 PM

Let's keep working and see if things clear up.

Enable the "Show Hidden Folders" option, like this:
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden Files and Folders heading select Show Hidden Files and Folders.
Uncheck the Hide Protected Operating System Files (recommended) option.
Click Yes to confirm.
Click OK.

Look in Task Manager (Ctrl+Alt+Delete) and see if this is listed. If so, end the process.
csifcsvc.exe
Close Task Manager.

Reboot into Safemode.
Look for this file and delete it:
C:\WINDOWS\csifcsvc.exe <--just this file

Your updated HJT reveals a few things.

Run HJT and check to fix these:
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} -
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} -
O16 - DPF: {C6B086D2-146B-47A4-A218-B82DCAF2D872} -
O18 - Protocol hijack: ct - {774E529C-2458-48A2-8F57-3ED3105D8612}
O18 - Protocol: cw - {774E529C-2458-48A2-8F57-3ED3105D8612} - c:\caseware\cwproto.dl

Reboot.

Scan with these two programs:

Ad-aware *
Download Ad-aware from here: http://www.computerc...s-file-292.html
Install by double-clicking on the downloaded file.
After installing but before running, update Ad-aware by using its Globe icon.
After updating, shutdown and restart Ad-aware.
Ad-aware is ready to scan and clean your system following these steps:

Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:
"Unload recognized processes during scanning."
Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:
"Let Windows remove files in use after reboot."
Press "Scan Now"
Check option "Use Custom scanning options"
Check option "Activate In-Depth Scan"
Press "Select drives\folders to scan"
Select the active partition which is usually C:
Press "Next" to let Ad-aware scan your drives...
If it finds "bad" files and registry keys, press "Next" again
Right-click in that pane and choose "select all"
Press "next"
When it asks to remove all checked items, Press "OK"
Close Ad-aware, reboot your system and go on to the next step below.

Spybot S&D*
You already have this. Just be sure it is updated:
Run Spybot S&D from desktop icon or Start menu.
Press "Search for updates" button to get list of updates available.
Press "Download updates" button.
Close all IE windows and close & restart Spybot S&D.
Press "Check for problems" button.
Have SpyBot remove all it marks in RED by pressing "Fix selected problems".
Close Spybot S&D, reboot your system.

Run an online scan: Housecall: http://www.trendmicr.../enterprise.htm
Or Panda: http://www.pandasoft...n_principal.htm
Be sure and put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean have it delete it or make a note of the file location so you can delete it yourself

Clean your temp files and temporary internet files as you did before.

Open IE. Go to your desired homepage,and SET it in IE (Tools>Internet Options>General Tab>Homepage>Use Current).

IF the problem has cleared up, flush System Restore and create a new Restore Point.
To flush the XP System Restore Points:
(Using XP, you must be logged in as Administrator to do this.)

Go to Start>Run and type msconfig Press enter.
When msconfig opens, click the Launch System Restore Button.
On the next page, click the System Restore Settings Link on the left.
Check the box labeled Turn Off System Restore.

Reboot. Go back in and turn System Restore on. A new Restore Point will be created.

Please run HJT and post a fresh log. Thanks.

Edited by Bugbatter, 18 July 2004 - 08:14 PM.

Microsoft MVP - Consumer Security




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button