Do I have a new variant of CWS?


9 replies to this topic

#1 rjohnson107 (Full Member, 5 posts)

Posted 02 June 2004 - 05:23 PM

I am just about ready to blow my dang PC up. I tried CWShredder and HijackThis (the latest version) but the damn URLs keep popping back up; I even tried to manually delete them. Any suggestions?
Much love for any help to you all.
Here's the log file.

Logfile of HijackThis v1.97.7
Scan saved at 5:11:37 PM, on 6/2/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MSGLOOP.EXE
C:\WINDOWS\SYSTEM\MSG32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\PROGRAM FILES\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/index.php

#2 Encomium (New Member, 2 posts)

Posted 02 June 2004 - 06:51 PM

I think I have the same thing, help here would be appreciated by me too.

#3 rjohnson107 (Full Member, 5 posts)

Posted 03 June 2004 - 02:28 PM

BUMP

#4 rjohnson107 (Full Member, 5 posts)

Posted 03 June 2004 - 03:38 PM

BUMP
Any help out there?

#5 bvr3 (Helper Trainee, 30 posts)

Posted 03 June 2004 - 04:17 PM

Hey, I have the same problem too. My homepage keeps getting redirected to 213.159.117.132/Index.php, and I tried all the spyware removers out there today and they didn't solve the problem, and I don't know how to remove it, so I'm waiting for help too. Make sure you never go to that site, because they will install porn dialers, and they also tried to steal my Internet settings!

#6 rjohnson107 (Full Member, 5 posts)

Posted 03 June 2004 - 06:44 PM

Bump
Here's the latest startup list as well.

StartupList report, 6/3/2004, 3:42:31 PM
StartupList version: 1.52
Started from : C:\WINDOWS\DESKTOP\SPYWARE STUFF\STARTUPLIST.EXE
Detected: Windows ME (Win9x 4.90.3000)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MSGLOOP.EXE
C:\WINDOWS\SYSTEM\MSG32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\PROGRAM FILES\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\DESKTOP\SPYWARE STUFF\STARTUPLIST.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = c:\windows\scanregw.exe /autorun
TaskMonitor = c:\windows\taskmon.exe
SystemTray = SysTray.Exe
Keyboard Manager = C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
HPScanPatch = C:\WINDOWS\SYSTEM\HPScanFix.exe
hpsysdrv = c:\windows\system\hpsysdrv.exe
Adaptec DirectCD = C:\Program Files\DirectCD\DIRECTCD.EXE
PCHealth = c:\windows\PCHealth\Support\PCHSchd.exe -s
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
Vshwin32EXE = C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
VsStatEXE = C:\Program Files\Network Associates\McAfee VirusScan\VSSTAT.EXE /SHOWWARNING
VsecomrEXE = C:\Program Files\Network Associates\McAfee VirusScan\VSEcomR.EXE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
SchedulingAgent = mstask.exe
Vshwin32EXE = C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
*StateMgr = C:\WINDOWS\System\Restore\StateMgr.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MoneyAgent = "C:\Program Files\Microsoft Money\System\Money Express.exe"
Taskbar Display Controls = RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
ares = "C:\PROGRAM FILES\ARES\ARES.EXE" -h
Yahoo! Pager = C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=Explorer.exe
SCRNSAVE.EXE=
drivers=mmsystem.dll power.drv

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 18/5/2004, 12:43:28)

[Rename]
NUL=c:\windows\cookies\s j@servedby.advertising[2].txt
NUL=c:\windows\cookies\s j@zedo[1].txt
NUL=c:\windows\cookies\s j@advertising[1].txt
NUL=c:\windows\cookies\s j@mediaplex[1].txt
NUL=c:\windows\cookies\s j@z1.adserver[1].txt
NUL=c:\windows\cookies\s j@atdmt[2].txt
NUL=c:\windows\cookies\s j@doubleclick[1].txt

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

SET windir=C:\WINDOWS
SET winbootdir=C:\WINDOWS
SET COMSPEC=C:\WINDOWS\COMMAND.COM
SET PROMPT=$p$g
SET TEMP=C:\windows\TEMP
SET TMP=c:\windows\TEMP
SET PATH=c:\windows;c:\windows\COMMAND

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL - {02478D38-C3F9-4efb-9B51-7695ECA05670}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Tune-up Application Start.job
PCHealth Scheduler for Data Collection.job

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL
AUHook: C:\WINDOWS\SYSTEM\AUHOOK.DLL
System: C:\WINDOWS\system32\system32.dll
OLE Automation Module: C:\WINDOWS\SYSTEM\child.dll

--------------------------------------------------
End of report, 5,921 bytes
Report generated in 0.328 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

#7 shadowwar (Forum Deity, Global Moderator, 1,361 posts)

Posted 03 June 2004 - 07:26 PM

Did you leave a piece off your HijackThis log?



#8 shadowwar (Forum Deity, Global Moderator, 1,361 posts)

Posted 03 June 2004 - 07:31 PM

Copy the contents of the quote box to Notepad.

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"System"=-
[-HKEY_CLASSES_ROOT\CLSID\{061646A1-DC57-487D-B023-A938198C174E}]
[-HKEY_CLASSES_ROOT\CLSID\{4E8A9E72-8942-40EF-88DF-A559152F6B41}]
[-HKEY_CLASSES_ROOT\CLSID\{6E94CEC3-0C84-4310-AE20-CD4090178388}]

Click File > Save As, give it the name clear.reg and, under the file name, set the file type to All Files. Save it to the desktop. When done, double-click clear.reg and, when asked to merge, say yes.

Reboot. Delete this file if it is there:

C:\WINDOWS\system32\system32.dll

Then fix the infected R0/R1 entries with HijackThis.
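A way to automate the triage shadowwar did by eye, as an added example that is not part of the thread. The sample log lines are constructed to mirror the shape of the HijackThis and StartupList output posted above (the IP address is the one from the thread). The script flags R0/R1 start-page entries whose host is a bare IP address, flags ShellServiceObjectDelayLoad entries that load from anywhere other than C:\WINDOWS\SYSTEM (the Windows 9x/ME system directory; an NT-style C:\WINDOWS\system32\ path on a Windows ME box is out of place, which is exactly the "System" entry in the report), and emits a REGEDIT4 cleanup file in the same form as the one in post #8. The CLSID list passed to `build_cleanup_reg` is a parameter, not something the script discovers: as in the thread, those keys have to be found by inspecting the registry.

```python
"""Triage of HijackThis R0/R1 lines and StartupList SSODL entries.

Added example, not code from the forum thread. The sample text below is
constructed to match the shape of the logs posted in the thread.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample: HijackThis R0/R1 lines, three in the shape of the
# posted log plus one benign line for contrast.
SAMPLE_HJT_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://213.159.117.132/index.php
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Default_Page_URL = http://213.159.117.132/index.php
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Local Page = http://213.159.117.132/index.php
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.google.com/
"""

# Constructed sample: the ShellServiceObjectDelayLoad section of a
# StartupList report, as posted above.
SAMPLE_SSODL = """\
WebCheck: C:\\WINDOWS\\SYSTEM\\WEBCHECK.DLL
AUHook: C:\\WINDOWS\\SYSTEM\\AUHOOK.DLL
System: C:\\WINDOWS\\system32\\system32.dll
OLE Automation Module: C:\\WINDOWS\\SYSTEM\\child.dll
"""

# Windows 9x/ME keeps its system DLLs in %windir%\SYSTEM; a shell service
# object loading from an NT-style system32 path on Win ME is a red flag.
WIN9X_SYSTEM_DIR = "C:\\WINDOWS\\SYSTEM\\"

SSODL_KEY = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"
             "\\ShellServiceObjectDelayLoad")

# "R0 - HKCU\Software\...\Main,Start Page = http://..."
R_LINE = re.compile(r"^(?P<kind>R[01]) - (?P<hive>HK[A-Z]+)\\(?P<path>.+?) = (?P<url>\S+)$")


def host_is_bare_ip(url):
    """True when the URL's host is a literal IP address rather than a name."""
    host = urlsplit(url).hostname
    if host is None:
        return False
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def flag_hijacked_r_lines(log_text):
    """Return (kind, hive, path, url) for R0/R1 entries pointing at a bare IP."""
    hits = []
    for line in log_text.splitlines():
        m = R_LINE.match(line.strip())
        if m and host_is_bare_ip(m["url"]):
            hits.append((m["kind"], m["hive"], m["path"], m["url"]))
    return hits


def flag_ssodl_entries(ssodl_text):
    """Return (name, dll_path) for SSODL entries outside the Win9x system dir."""
    hits = []
    for line in ssodl_text.splitlines():
        if ": " not in line:
            continue
        name, dll = line.split(": ", 1)
        if not dll.strip().upper().startswith(WIN9X_SYSTEM_DIR.upper()):
            hits.append((name.strip(), dll.strip()))
    return hits


def build_cleanup_reg(ssodl_names, clsids=()):
    """Build REGEDIT4 text deleting the named SSODL values and CLSID keys.

    In a .reg file `"Name"=-` deletes a value and `[-Key]` deletes a key;
    REGEDIT4 is the header the Win9x/ME regedit accepts. The CLSIDs are
    supplied by the caller (found by hand, as in the thread).
    """
    lines = ["REGEDIT4", ""]
    if ssodl_names:
        lines.append("[%s]" % SSODL_KEY)
        lines.extend('"%s"=-' % name for name in ssodl_names)
        lines.append("")
    for clsid in clsids:
        lines.append("[-HKEY_CLASSES_ROOT\\CLSID\\%s]" % clsid)
    lines.append("")  # regedit wants a trailing newline
    return "\n".join(lines)


if __name__ == "__main__":
    for hit in flag_hijacked_r_lines(SAMPLE_HJT_LOG):
        print("hijacked %s %s\\%s -> %s" % hit)
    flagged = flag_ssodl_entries(SAMPLE_SSODL)
    for name, dll in flagged:
        print("suspicious SSODL entry %r loads %s" % (name, dll))
    print(build_cleanup_reg([name for name, _ in flagged]))
```

Saved as, say, triage.py and run with `python triage.py`, it prints the three hijacked R0/R1 entries, the "System" SSODL entry and the generated .reg text. Merging the .reg only stops Explorer from loading the DLL at the next start; the reboot, the manual deletion of C:\WINDOWS\system32\system32.dll and the R0/R1 fix in HijackThis from the post above are still needed, because the registry values holding the hijacked start page are separate from the loader that keeps rewriting them.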



#9 rjohnson107 (Full Member, 5 posts)

Posted 04 June 2004 - 02:09 PM

THANK YOU THANK YOU THANK YOU!!!
That did the trick.
Some of my desktop icons are washed out/screwed up, but I think it's because I deleted another file as well. But I can live with it.
Thanks again!!
:D
Gig'Em

#10 Encomium (New Member, 2 posts)

Posted 04 June 2004 - 02:47 PM

Thank you shadowwar, it also fixed my problem :)



