
I would appreciate any help with my CWS problem.


  • This topic is locked
15 replies to this topic

#1 newb who needs help

    Member

  • Full Member
  • 32 posts

Posted 04 June 2004 - 01:38 PM

Well, I don't know what variant this CWS is, but the website it sends me to is

http://solongas.com/hp.htm?id=80

I have used Spybot S&D, Ad-Aware, CWShredder, and HijackThis and it's still a problem.

Here's my log file from HijackThis:

Logfile of HijackThis v1.97.7
Scan saved at 9:02:25 PM, on 6/3/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\PROGRA~1\ORGANI~1\SmartSync.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Tanner Flatland\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://solongas.com/sp.htm?id=80
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://solongas.com/sp.htm?id=80
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://solongas.com/sp.htm?id=80
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://solongas.com/hp.htm?id=80
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.e4me.com
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - C:\WINDOWS\System32\i4k2h2m549h8ib.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\Downloaded Program Files\ycomp5_3_16_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [SmartSync] C:\PROGRA~1\ORGANI~1\SmartSync.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [jopa] C:\WINDOWS\System32\sysstartup.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [jopa] C:\WINDOWS\System32\sysstartup.exe
O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
O4 - Global Startup: winlogin.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.e4me.com
O15 - Trusted Zone: *.greg-search.com
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...dir_Alt_Pub.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7967.6182638889
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.c...bio5_3_16_0.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B47AC074-394C-4675-A6B0-033B3C84A140}: NameServer = 64.33.128.10 209.143.0.10

#2 newb who needs help

    Member

  • Full Member
  • 32 posts

Posted 04 June 2004 - 01:44 PM

Also, I did this earlier, but I deleted one file from CWS that I thought was suspicious. I still have the backup though.

#3 newb who needs help

    Member

  • Full Member
  • 32 posts

Posted 04 June 2004 - 02:08 PM

Also, I would like to know how to prevent this from happening again without getting a new browser.

#4 Daemon

    Security Expert

  • Emeritus
  • 3,350 posts

Posted 04 June 2004 - 02:12 PM

Hi newb who needs help

Click here to download TheKillbox by Option^Explicit. Extract it from the zip file then double-click on Killbox.exe to run it. Make sure the 'Create backup before deleting file' box is checked. In the 'Paste Full Path of File to Delete' box, copy and paste the following, clicking 'Kill File' after pasting each one:

C:\WINDOWS\image.dll
C:\WINDOWS\System32\sysstartup.exe
C:\WINDOWS\System32\i4k2h2m549h8ib.dll

Click 'Exit' when done. Open TheKillbox again, click File, Open!Submit and you will see a folder bearing the date that you used TheKillbox - zip it up and send to this e-mail address including a link to this thread in the body of the email.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.

Go back to TheKillbox. In the 'Paste Full Path of File to Delete' box, copy and paste this entry:

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogin.exe

Don't click any of the buttons though, instead please click on the Action menu and choose "Delete on Reboot". In the window that opens up, click on the File menu and choose "Add File". The C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogin.exe listing should show up in the window. Then in the same window choose the Action menu and select "Process and Reboot". You'll be prompted to reboot, do so.

Open HijackThis, scan and when complete, remove the following entries (if still there) by checking the box to the left and clicking 'fixed checked':

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://solongas.com/sp.htm?id=80
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://solongas.com/sp.htm?id=80
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://solongas.com/sp.htm?id=80
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://solongas.com/hp.htm?id=80
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - C:\WINDOWS\System32\i4k2h2m549h8ib.dll
O4 - HKLM\..\Run: [jopa] C:\WINDOWS\System32\sysstartup.exe
O4 - HKCU\..\Run: [jopa] C:\WINDOWS\System32\sysstartup.exe
O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
O15 - Trusted Zone: *.greg-search.com

Reboot when done. Rescan with HJT and post a new log.
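Daemon's fix-list above picks the bad entries out of the HijackThis log by eye. As an added example (not part of this thread and not HijackThis code), the small Python script below applies the same reasoning to a constructed excerpt of the posted log: R0/R1 URLs pointing at a host outside an assumed allowlist, an unnamed BHO backed by a random-looking DLL name, a Run key that unregisters a DLL at logon, a startup item one letter away from a Windows system binary (winlogin vs winlogon), and any Trusted Zone addition. The allowlist, the system-name list and the thresholds are assumptions, not values from the thread.

```python
import re
from urllib.parse import urlparse

# Constructed excerpt of the HijackThis log posted above: the lines the expert flagged plus one benign O4 line.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://solongas.com/sp.htm?id=80
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://solongas.com/hp.htm?id=80
O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - C:\WINDOWS\System32\i4k2h2m549h8ib.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
O4 - Global Startup: winlogin.exe
O15 - Trusted Zone: *.greg-search.com
"""

# Assumed baseline of legitimate home/search hosts; any other host in an R0/R1 line counts as a hijack.
KNOWN_HOSTS = {"www.msn.com", "www.microsoft.com", "www.google.com", "www.yahoo.com"}
# Core Windows binaries that malware imitates by changing one character (winlogin vs winlogon).
SYSTEM_NAMES = ["winlogon.exe", "svchost.exe", "lsass.exe", "services.exe", "explorer.exe"]
FILE_RE = re.compile(r"[\w~]+\.(?:exe|dll)\b", re.I)

def looks_random(filename: str) -> bool:
    # Heuristic: a long stem that keeps switching between letters and digits.
    stem = filename.rsplit(".", 1)[0].lower()
    switches = sum(a.isdigit() != b.isdigit() for a, b in zip(stem, stem[1:]))
    return len(stem) >= 10 and switches >= 4

def imitates_system_name(filename: str) -> bool:
    # True when the name is exactly one character away from a core Windows binary name.
    n = filename.lower()
    return any(len(n) == len(s) and sum(a != b for a, b in zip(n, s)) == 1 for s in SYSTEM_NAMES)

def triage(log: str) -> dict:
    # Return {HJT line: reason} for every line the heuristics consider suspicious.
    findings = {}
    for line in filter(None, map(str.strip, log.splitlines())):
        kind = line.split(" - ", 1)[0]
        filename = (FILE_RE.search(line) or [""])[0]
        if kind in ("R0", "R1"):
            host = urlparse(line.split("=", 1)[1].strip()).hostname or ""
            if host not in KNOWN_HOSTS:
                findings[line] = f"browser setting redirected to unknown host {host}"
        elif kind == "O2" and "(no name)" in line and looks_random(filename):
            findings[line] = "unnamed BHO backed by a random-looking DLL name"
        elif kind == "O4" and "regsvr32 /u" in line.lower():
            findings[line] = "Run key unregisters a DLL at every logon"
        elif kind == "O4" and imitates_system_name(filename):
            findings[line] = f"startup item {filename} imitates a Windows system binary"
        elif kind == "O15":
            findings[line] = "site added to the IE Trusted Zone"
    return findings
```

Running `triage(SAMPLE_LOG)` flags six of the seven lines and leaves the IgfxTray entry alone; the heuristics are a starting point for reading a log, not a substitute for checking each file.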

#5 newb who needs help

    Member

  • Full Member
  • 32 posts

Posted 04 June 2004 - 02:20 PM

Should I get off my browser when I do this?

#6 Daemon

    Security Expert

  • Emeritus
  • 3,350 posts

Posted 04 June 2004 - 02:22 PM

Yes, when doing the HJT bit - download everything you need and print this page.

#7 newb who needs help

    Member

  • Full Member
  • 32 posts

Posted 04 June 2004 - 02:25 PM

It won't let me delete C:\WINDOWS\System32\i4k2h2m549h8ib.dll

#8 newb who needs help

    Member

  • Full Member
  • 32 posts

Posted 04 June 2004 - 02:29 PM

Also, when I tried to delete the file my whole desktop except for the background disappeared.

#9 newb who needs help

    Member

  • Full Member
  • 32 posts

Posted 04 June 2004 - 02:42 PM

bump

#10 newb who needs help

    Member

  • Full Member
  • 32 posts

Posted 04 June 2004 - 02:50 PM

Also, thanks for replying to my post.

#11 Daemon

    Security Expert

  • Emeritus
  • 3,350 posts

Posted 04 June 2004 - 02:52 PM

Do that file when you get to the winlogin part (delete on reboot).

#12 newb who needs help

    Member

  • Full Member
  • 32 posts

Posted 04 June 2004 - 03:23 PM

Logfile of HijackThis v1.97.7
Scan saved at 1:17:25 PM, on 6/4/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\PROGRA~1\ORGANI~1\SmartSync.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\Tanner Flatland\Desktop\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.e4me.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\Downloaded Program Files\ycomp5_3_16_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [SmartSync] C:\PROGRA~1\ORGANI~1\SmartSync.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.e4me.com
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...dir_Alt_Pub.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7967.6182638889
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.c...bio5_3_16_0.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B47AC074-394C-4675-A6B0-033B3C84A140}: NameServer = 64.33.128.10 209.143.0.10


Also, if this is clean, how do I prevent this from happening again? And thanks for all your help.

#13 newb who needs help

    Member

  • Full Member
  • 32 posts

Posted 04 June 2004 - 03:29 PM

Can I delete the backup files too?

#14 Daemon

    Security Expert

  • Emeritus
  • 3,350 posts

Posted 04 June 2004 - 03:43 PM

That looks good now - how is it running?

You can delete the backups - I usually recommend holding back for a day or two until you are happy with it. To help keep you clean follow the recommendations in Tony's article here:

So how did I get infected in the first place?

#15 newb who needs help

    Member

  • Full Member
  • 32 posts

Posted 04 June 2004 - 03:45 PM

It's working great and I think I may just get Mozilla instead so it won't be so confusing.

#16 Daemon

    Security Expert

  • Emeritus
  • 3,350 posts

Posted 04 June 2004 - 03:49 PM

If you prefer. IE can be OK if you are careful with security.

As this problem has been resolved the topic will be closed. If you need this topic reopened, please click here to email the moderating team - be sure to include the address of the thread and the name you posted under.