
New variant of CWS on the loose!


6 replies to this topic

#1 gampell


Posted 30 May 2004 - 03:44 PM

I've spent several hours working on this one - without success. I seem to have gotten rid of the rogue processes that were causing Windows to run very slowly, but I still have the browser hijack. See Hijack This log below.

Others have posted with roughly a similar problem but the fixes suggested don't seem to have worked. I wonder if this variant is a little ahead of the curve?

If I remove the 213.159.*.* entries using Hijack This, they come back after less than one minute.

All help appreciated!

Logfile of HijackThis v1.97.7
Scan saved at 1:31:41 PM, on 5/30/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\Program Files\Sygate\SSA\smc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\system32\hidserv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\AGRSMMSG.exe
C:\HP\IDA\IDA.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\Program Files\Atheros\ACU\Utility\ACU.exe
C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Agilent\adci\adcist.exe
C:\HP\IDA\IDASched.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\My Download Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/redir.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/redir.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/redir.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/redir.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Agilent Technologies, Inc.
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = web-proxy:8088
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.cos.agilent.com;*.it.agilent.com;be.agilent.com;erp*.corporate.agilent.com;victor*.europe.agilent.com;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/redir.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/redir.php
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://be.agilent.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [IDA] C:\HP\IDA\IDA.EXE
O4 - HKLM\..\Run: [adcius.exe] c:\Agilent\adci\adcius.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [ACU_QSB] C:\Program Files\Atheros\ACU\Utility\ACU.exe
O4 - HKLM\..\Run: [projselector] "C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe" -r
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SSA\smc.exe -startgui
O4 - HKCU\..\Run: [adcist.exe] c:\Agilent\adci\adcist.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: SideStep (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://be.agilent.com
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://download.side...00719/sb028.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo...tsInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8110.5386805556
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://collaborate....bex/ieatgpc.cab
O16 - DPF: {E876D003-BCDE-11D3-9131-000094B61529} (ERPageAddin Class) - https://teamspace.ag...etup/client.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = agilent.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = agilent.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = agilent.com
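Added example, not posted by anyone in this thread: a small Python triage script that reads the R0/R1, O6 and O14 lines from a HijackThis log like the one above and flags the pattern this infection shows, namely every IE page setting (Start Page, Default_Page_URL, Local Page, in both HKCU and HKLM) pointing at the same bare-IP URL, plus the IE Restrictions policy key that hijackers use to lock the home page. The sample log embedded in the script is a constructed excerpt of the log quoted above; the script only parses those three section types and reports, it does not change anything on the machine.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed excerpt: the R0/R1, O6 and O14 lines from the log posted above,
# trimmed to what this example inspects.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/redir.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/redir.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/redir.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/redir.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Agilent Technologies, Inc.
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = web-proxy:8088
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/redir.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/redir.php
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://be.agilent.com/
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O14 - IERESET.INF: START_PAGE_URL=http://be.agilent.com
"""

# "R0 - <hive\key>,<value name> = <data>"; the key never contains a comma.
R_LINE = re.compile(r"^(?P<sec>R[01]) - (?P<key>[^,]+),(?P<name>[^=]+?) = (?P<data>.*)$")
O6_LINE = re.compile(r"^O6 - (?P<key>.+?) present$")
O14_LINE = re.compile(r"^O14 - IERESET\.INF: START_PAGE_URL=(?P<data>.*)$")


def host_is_bare_ip(url):
    """True if the URL's host is a literal IPv4/IPv6 address rather than a name."""
    host = urlparse(url).hostname
    if host is None:
        return False
    try:
        ip_address(host)
    except ValueError:
        return False
    return True


def parse_hijackthis(text):
    """Return the R0/R1, O6 and O14 entries of a HijackThis log as dicts."""
    entries = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        if m := R_LINE.match(raw):
            entries.append({"section": m["sec"], "key": m["key"], "name": m["name"].strip(),
                            "data": m["data"].strip(), "raw": raw})
        elif m := O6_LINE.match(raw):
            entries.append({"section": "O6", "key": m["key"], "name": "", "data": "present", "raw": raw})
        elif m := O14_LINE.match(raw):
            # IERESET.INF is what IE's "Reset Web Settings" restores; if it is
            # hijacked too, a reset just re-installs the hijack.
            entries.append({"section": "O14", "key": "IERESET.INF", "name": "START_PAGE_URL",
                            "data": m["data"].strip(), "raw": raw})
    return entries


def find_hijack_indicators(text):
    """Return (findings, targets).

    findings: list of (section, reason, raw line).
    targets: bare-IP URL -> list of "key,value name" strings that point at it,
             so you can see how many places one hijack URL is written to.
    """
    findings, targets = [], {}
    for e in parse_hijackthis(text):
        url = e["data"]
        if e["section"] in ("R0", "R1", "O14") and url.lower().startswith("http") and host_is_bare_ip(url):
            what = "IE reset default" if e["section"] == "O14" else "IE page setting"
            findings.append((e["section"], f"{what} points at a bare IP address: {url}", e["raw"]))
            targets.setdefault(url, []).append(f"{e['key']},{e['name']}")
        elif e["section"] == "O6" and e["key"].endswith(r"Internet Explorer\Restrictions"):
            findings.append(("O6", "IE Restrictions policy present; hijackers set it to lock the start page", e["raw"]))
    return findings, targets


if __name__ == "__main__":
    found, by_url = find_hijack_indicators(SAMPLE_LOG)
    for sec, reason, raw in found:
        print(f"[{sec}] {reason}\n    {raw}")
    for url, values in by_url.items():
        print(f"{url} is written to {len(values)} registry values")
```

Run it against a saved log (replace SAMPLE_LOG with the file contents) before and after a HijackThis fix. Because the posters report the entries coming back within a minute, the useful check is the second run: if the same bare-IP URL reappears in all six values, something still resident on the machine is rewriting them, which is what the later posts in this thread track down to a DLL.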

#2 code9t1


Posted 30 May 2004 - 04:19 PM

Hi, I've got the same one. And guess what, it dials premium-rate numbers when your internet connection is idle. See my post "cool web search that wont go :(" posted today.

jas

#3 gampell


Posted 30 May 2004 - 10:21 PM

Managed to get rid of my infection by using Hijack This and eliminating all weird things it reported. Hijack This kicks ass!

BUT ... it didn't report one important thing. There was a DLL in C:\winnt\system32 called system32.dll that was causing the IE redirects to keep reappearing. This DLL is bogus.

I booted into Safe Mode and removed this DLL, then cleaned out the registry for the final time, and it seems to have worked so far (about 30 mins.)

#4 bjp3


Posted 30 May 2004 - 10:42 PM

What constitutes "weird things"? I have my log in a thread titled CWS. I believe the IP numbers are the same for that address, http://213.159.117.132/redir.php, but when I deleted those from the HijackThis log they just came back.

#5 thops


Posted 30 May 2004 - 10:55 PM

My machine was also infected by this. First, the autostart program is WinTime.exe, which was in startup. I could delete that. But the browser hijack is still there.

The web site IP is: 213.159.117.132

The hijacked home page is 213.159.117.132/index.php

Yes, HijackThis is not able to remove this.

Other symptoms include: Windows Explorer was not opening. After a few minutes the machine would hang.

The latest Ad-Aware and SpyBot 1.3 were also unsuccessful.

Worst is, the malware is not allowing me to go to spyware-related sites.

Any solution is welcome.

== thops

#6 glowfish


Posted 30 May 2004 - 11:01 PM

Try going here

http://www.techimo.c...um/t110963.html

#7 thops


Posted 03 June 2004 - 10:26 PM

Finally I solved this problem.
The Ad-aware update on 2nd June 2004 was able to detect this but could not remove it completely.

After some study, I found the culprit was the system32.dll file stored in

c:\windows\system32\

I just renamed this file and restarted the machine.
Ran Ad-aware once again.

The home page hijack is completely gone.

But the registry link for this file still existed.

I ran Norton WinDoctor, which detected this missing link, and I repaired that problem.

Problem is completely solved.
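Added example, not from thops or gampell: both posts #3 and #7 end the same way, a bogus system32.dll is renamed or deleted, and a registry value that still points at it is left behind. Norton WinDoctor found that value for thops; the Python script below does the same check offline against a registry export (regedit's "Export" producing a .reg file), listing every REG_SZ value whose data contains a path ending in the given file name and marking it dangling when the file no longer exists. Neither post says which registry key referenced the DLL, so the key in the embedded sample export is a placeholder, and the sample itself is constructed; the Run entry in it is copied from the log posted earlier in this thread.

```python
import ntpath
import os
import re

# Constructed sample .reg export. The Run value comes from the HijackThis log
# posted in this thread; the "Placeholder\Hypothetical" key is invented,
# because the posts do not say which key pointed at system32.dll.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="C:\\Program Files\\Symantec_Client_Security\\Symantec AntiVirus\\vptray.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Placeholder\Hypothetical]
@="C:\\WINNT\\system32\\system32.dll"
"Loader"="C:\\WINNT\\system32\\system32.dll"
"""

KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "name"="data"  or  @="data"  (the (Default) value is written as @)
VALUE_LINE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')
# A Windows drive-letter path; segments may contain spaces, as in Program Files.
WIN_PATH = re.compile(r'[A-Za-z]:\\(?:[^\\"<>|*?\r\n]+\\)*[^\\"<>|*?\r\n]+')


def unescape_reg_string(s):
    """Undo .reg string escaping: \\\\ -> \\ and \\" -> \"."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Yield (key, value_name, data) for every REG_SZ value in a .reg export.

    value_name is '' for the (Default) value. dword:, hex: and hex(2):
    values are skipped; extend here if you need REG_EXPAND_SZ/REG_BINARY.
    """
    key = None
    for line in text.splitlines():
        line = line.strip()
        if m := KEY_LINE.match(line):
            key = m["key"]
            continue
        m = VALUE_LINE.match(line)
        if not m or key is None:
            continue
        data = m["data"]
        if not (data.startswith('"') and data.endswith('"')):
            continue
        name = "" if m["default"] else unescape_reg_string(m["name"])
        yield key, name, unescape_reg_string(data[1:-1])


def find_file_references(text, filename, exists=os.path.exists):
    """Return dicts for every value whose data contains a path to `filename`.

    `exists` is the predicate used to decide whether the path is dangling;
    it defaults to the real file system and can be swapped for a fake one.
    """
    hits = []
    for key, name, data in parse_reg_export(text):
        for path in WIN_PATH.findall(data):
            if ntpath.basename(path).lower() == filename.lower():
                hits.append({"key": key, "name": name, "path": path,
                             "dangling": not exists(path)})
    return hits


if __name__ == "__main__":
    for hit in find_file_references(SAMPLE_REG, "system32.dll"):
        state = "DANGLING" if hit["dangling"] else "present"
        print(f'{state}: [{hit["key"]}] "{hit["name"] or "(Default)"}" -> {hit["path"]}')
```

On the infected machine you would export the whole of HKLM\SOFTWARE and HKCU\Software from regedit after renaming the DLL, then run the script against that file; a dangling hit tells you which value to delete (or which key the loader was registered under), which is the "registry link" thops had to clean up with a separate tool.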
