CWS.Yexe refuses to leave
#1 Helltore (New Member, 3 posts)

Posted 28 July 2004 - 05:34 PM

Hi all,

I have been trying for two days to get this variant off my PC. I've run SpyBot, Ad-Aware, CWS Shredder and HijackThis. CWS Shredder says he removes it, but fifteen seconds later it pops back up in BHODemon. In BHODemon it appears as:

File Name {Not found} -Malware 1.00.07.dll,*.**.**.dll(*=digit) - CoolWebSearch parasite variant

After I run CWS Shredder this entry disappears but then reappears a little later. Below is my HijackThis log. Any help would be appreciated!!

Logfile of HijackThis v1.98.0
Scan saved at 3:17:00 PM, on 7/28/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\trcboot.exe
C:\Program Files\Personal Communications\PCS_AGNT.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe
C:\WINDOWS\inetdata\winlogon.exe
C:\Program Files\WebSpy Live\Live.exe
C:\WINDOWS\SYSTEM32\etlitr50.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\WINDOWS\etlisrv.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Avant Browser\iexplore.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://0websearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - ReadMe-BHODemon - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: WebSpy Reports Browser Helper Object - {C68F45EB-A501-46AB-8165-BC042CD27136} - C:\WINDOWS\System32\WsReportBho.dll
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\navnt\vptray.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetdata\winlogon.exe
O4 - HKCU\..\Run: [Live.exe] "C:\Program Files\WebSpy Live\Live.exe"
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inetdata\winlogon.exe
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Global Startup: Entrust.lnk = C:\WINDOWS\SYSTEM32\etlitr50.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windup...0e1e2729109a237
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.over...com/WildApp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F003C883-CFAE-4346-B47D-DA1A75FA64E2}: NameServer = 10.128.24.254,10.128.26.254
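As an added defender's example (not code from this thread or from HijackThis), here is a small Python checker that reads the "Running processes" and O4 Run lines of a HijackThis-style log and flags a core Windows binary name, such as winlogon.exe, started from anywhere other than the Windows system directories, which is exactly the pattern in the log above (C:\WINDOWS\inetdata\winlogon.exe registered under [xp_system] in both HKLM and HKCU). The set of system binary names and the two system directories are assumptions for a Windows XP layout.

```python
import re

# Core Windows binaries that malware likes to imitate by name; on XP the real
# copies live only in these two directories (assumption used by this check).
SYSTEM_NAMES = {"winlogon.exe", "smss.exe", "services.exe", "lsass.exe",
                "svchost.exe", "explorer.exe", "spoolsv.exe"}
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}

# O4 autostart line, e.g.: O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetdata\winlogon.exe
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] "?(?P<path>[^"]+?)"?\s*$')
PROC_RE = re.compile(r"^[a-z]:\\.*\.exe$", re.IGNORECASE)  # bare path from "Running processes:"

def check_path(path):
    """Return a reason if a system-binary name runs outside a system directory, else None."""
    directory, _, name = path.lower().rpartition("\\")
    if name in SYSTEM_NAMES and directory not in SYSTEM_DIRS:
        return f"{name} is not expected in {directory}"
    return None

def analyze(log_text):
    """Scan HijackThis-style log text; return a list of (line, reason) findings."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            reason = check_path(m.group("path"))
            if reason:
                findings.append((line, f"{m.group('hive')} Run entry [{m.group('name')}]: {reason}"))
        elif PROC_RE.match(line):
            reason = check_path(line)
            if reason:
                findings.append((line, f"running process: {reason}"))
    return findings

# Constructed sample, modelled on the lines in the log above.
SAMPLE = r"""Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\inetdata\winlogon.exe
C:\WINDOWS\Explorer.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\navnt\vptray.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetdata\winlogon.exe
O4 - HKCU\..\Run: [Live.exe] "C:\Program Files\WebSpy Live\Live.exe"
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inetdata\winlogon.exe
"""
if __name__ == "__main__":
    for line, reason in analyze(SAMPLE):
        print(f"{reason}\n    {line}")
```

The legitimate winlogon.exe under system32 and Explorer.EXE under C:\WINDOWS pass; the three inetdata lines are reported, which is the entry the poster keeps seeing come back.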

#2 TandemFixation (New Member, 1 post)

Posted 21 August 2004 - 01:18 AM

Have you tried using the new Key Permissions function of 2k and XP?
On 2k you need to use Regedt32, and on XP Regedit.

Go to the HKLM\Software\Microsoft\Windows\CurrentVersion\Run* keys.

Mark Each of those Keys as Read only.

Then find those GUIDs [superlong number] and lock them after removing the
path to the .exe, .dll or whatever it is.
And also LOCK THE FILE ITSELF :) Make it not readable.

Remove all permissions from it, which should help you remove it.

Despite Windows' flaws, it does have the utils to do more than most think.
I dislike M$ software, but it runs the market.

Hope this helps.