CWS.Searchx Infestation

12 replies to this topic

#1 LunaPneumatic (Full Member, 8 posts)

Posted 28 May 2004 - 08:45 PM

I have read the FAQ (I think it said to mention that..)

I've got Ad-Aware, SpyBot, and CWShredder, all the latest versions, as well as the current version of HijackThis! I also have Zone Alarm running, prompting me for all incoming/outgoing internet connections, as well as current def files for Norton AV 2004.

I can remove the hijacker, scan with Ad-Aware, SpyBot, Norton, and everything is "clean". If I shut down and reboot, then just launch IE a few times - even if I never go to a website, the hijacker eventually returns. I've cleaned it off my box 40 times.. at least. I've gone into registry settings, looking through Run, run-once, Appinit_dlls, services, and anything else I can think of...

Below are two logs - one with the infection actively taking over my start page, and one after running a clean-up on my box...


Dirty Log:
-------------------------------------------------
Logfile of HijackThis v1.97.7
Scan saved at 8:14:42 PM, on 5/28/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\jlp.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\jlp.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\jlp.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\jlp.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\jlp.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\jlp.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2ECF37D8-0564-42D8-BBB9-62DDA762F8FB} - C:\WINDOWS\System32\jlp.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zone...ee/cm/ICSCM.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

Clean Log(After CWShredder, then Ad-Aware, SpyBot, and Norton full scans):
---------------------------------------------------
Logfile of HijackThis v1.97.7
Scan saved at 8:42:47 PM, on 5/28/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zone...ee/cm/ICSCM.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

Had this window open in Firefox while posting. Didn't think it would adversely affect an IE-specific scan..
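The two logs above differ in exactly the items a helper would mark for fixing: the R0/R1 search entries that load their page from res://...\jlp.dll and the unnamed O2 BHO that loads that same DLL, which is how the hijack comes back every time IE starts. As an added example (not part of the original thread or of HijackThis), this Python script parses constructed excerpts modelled on both logs, ties the BHO to the res:// hijack target, and lists what the cleanup removed; the entry formats come from the logs, the function names are my own.

```python
import re
# Constructed excerpts (a few lines each) modelled on the two HijackThis logs in the post.
DIRTY_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\jlp.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\jlp.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2ECF37D8-0564-42D8-BBB9-62DDA762F8FB} - C:\WINDOWS\System32\jlp.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
"""
CLEAN_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
"""

RES_RE = re.compile(r"res://([^/\s]+)/", re.IGNORECASE)  # DLL that hosts the res:// page
BHO_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-F-]+\}) - (.+)$", re.IGNORECASE)

def entries(log):
    """Non-empty HijackThis lines, one registry/file item each."""
    return [ln.strip() for ln in log.splitlines() if ln.strip()]

def hijack_dlls(log):
    """DLLs that R0/R1 start/search-page entries load their HTML from via res://."""
    found = set()
    for ln in entries(log):
        m = RES_RE.search(ln)
        if ln.startswith(("R0", "R1")) and m:
            found.add(m.group(1).lower())
    return found

def suspicious_bhos(log):
    """O2 BHOs whose module is the DLL the res:// hijack points at (reloads with every IE start)."""
    dlls = hijack_dlls(log)
    hits = []
    for ln in entries(log):
        m = BHO_RE.match(ln)
        if m and m.group(3).strip().lower() in dlls:
            hits.append((m.group(2).upper(), m.group(3).strip().lower()))
    return hits

def entries_removed(dirty, clean):
    """Dirty-log entries absent from the clean log, i.e. what the cleanup tools took out."""
    clean_set = set(entries(clean))
    return [ln for ln in entries(dirty) if ln not in clean_set]

if __name__ == "__main__":
    print(suspicious_bhos(DIRTY_LOG), entries_removed(DIRTY_LOG, CLEAN_LOG))
```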

#2 Kuth (New Member, 1 post)

Posted 28 May 2004 - 09:21 PM

I had the same problem, but I was able to fix it by following the general guide given in this thread: http://www.spywarein...?showtopic=1747

Keep in mind the offending file will be named differently for everyone.

#3 LunaPneumatic (Full Member, 8 posts)

Posted 28 May 2004 - 09:29 PM

No good. Went down that route already. Even when infected, there is no value within AppInit_DLLs in my registry. It remains empty.

#4 LunaPneumatic (Full Member, 8 posts)

Posted 29 May 2004 - 08:57 AM

*bump* Still need help please.

#5 shadowwar (Global Moderator, 1,361 posts)

Posted 29 May 2004 - 09:00 AM

ok.. please download this:

tools.zerosrealm.com/dllfix.exe

Install it to the desktop.

go into the dllfix folder. Double click start.bat
run an option1 and post the report here.

#6 LunaPneumatic (Full Member, 8 posts)

Posted 29 May 2004 - 02:02 PM

Tried that and this is what I get. Any idea what I need to change in the Batch file to make it work properly?

C:\Documents and Settings\tom\Desktop\dllfix>start.bat
The system cannot find the file specified.

#7 shadowwar (Global Moderator, 1,361 posts)

Posted 29 May 2004 - 07:22 PM

are you running it from inside the dllfix folder?
you just need to double click the file from windows.

#8 LunaPneumatic (Full Member, 8 posts)

Posted 30 May 2004 - 10:36 PM

extracting files to my desktop.. Double-clicking or opening command window and running it from there (only way to actually see the error message the file produces) both give the same results.

#9 shadowwar (Global Moderator, 1,361 posts)

Posted 31 May 2004 - 06:25 AM

ok just for testing purposes. Double click the second.bat and see if it runs. It should say it can't be run manually.

#10 LunaPneumatic (Full Member, 8 posts)

Posted 01 June 2004 - 05:38 PM

Again, one can't see the error message when double-clicking, so I ran it from a command window...

C:\Documents and Settings\tom\Desktop\dllfix>second.bat
The system cannot find the file specified.

#11 LunaPneumatic (Full Member, 8 posts)

Posted 02 June 2004 - 08:13 PM

*bump*

#12 shadowwar (Global Moderator, 1,361 posts)

Posted 03 June 2004 - 08:36 AM

ok rename the start.bat to start.cmd

See if it will run then.

#13 LunaPneumatic (Full Member, 8 posts)

Posted 03 June 2004 - 09:36 PM

If I go via a cmd.exe window, and explicitly run it from the prompt, I get this:

C:\Documents and Settings\tom\Desktop\dllfix>start.cmd
The system cannot find the file specified.

same thing as when it was a batch file. *shrug* Dunno what's going on.
