CWS and Slotch Toolbar(XXX) keep coming back


4 replies to this topic

#1 fdell

fdell

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 09 June 2004 - 08:28 AM

As per your request to note this, I have read the article and guidelines. I have a recurring hijack that I cannot seem to remove. I initially tried using Spynuker. Since I found this site, I downloaded, updated and ran Spybot Search and Destroy. It fixed all but one problem and prompted me to allow it to control the next start-up, at which time it tried to fix it. I got no error messages, but after the next start-up the problem was still there. I have downloaded and run HijackThis. I am unsure of what to do with the results but have saved the log.

Symptoms:
When I launch IE (my machine uses the XP Pro OS) the homepage is changed to about:blank, even if I change it in Control Panel/Internet Options just before launching the browser. Before I started digging around to try to kill it, I would also always get a pop-up that linked to a list of spyware-killing software. At one point, my Symantec (antivirus) software also detected some .dll files that it identified as spyware. Since then, I have found that if I restart in safe mode and remove new .dlls that were generated before shutdown (they usually appear as four or 5 unrelated letters followed by .dll), the hijack is postponed for a while; I can be on the net for a half hour or so before something triggers it.

Two registry entries (marked by Spynuker as hijackers) for Slotch Toolbar(XXX) keep showing up. If I don't clean up the spyware for a couple of hours, CWS shows up in Spynuker scans also, and occasionally a cookie will be detected. I haven't used Spybot S&D often enough yet to see any pattern with it.

Residual stuff:
Also, Norton's detected and "failed" at deleting elements of Adware.MainSearch. I followed their instructions to do the scan in safe mode and then delete it, and that seems to be gone. When I was still using Spynuker, it detected a program called IEengine. I think that is gone but the check box is still in the startup list in msconfig.

Steps tried:
Scans with Spynuker (in safe mode and normal)
Scans with Norton's (in safe mode and normal)
Repeated removal, in safe mode, of new .dlls that seem to be generated by the adware.
Searches for files containing: IEengine, Slotch, XXX, Toolbar, and all files modified since the problem started (I did remove some that were obviously spyware related)
Dumped my trash bin often and turned off Windows XP auto restore.
Scans with Spybot S&D and HijackThis.

Help! Thanks

Edited by fdell, 09 June 2004 - 08:34 AM.


#2 fdell


Posted 09 June 2004 - 09:22 AM

I ran another scan with Spybot S&D

It found:
DSO exploit (5 entries)
Common Hijacker (2 entries)
Webdialer (1 entry)

and fixed them - this time without restart


Additional Info:
ran CWSshredder and it removed several files
homepage hijack persisted
changed homepage from about:blank to yahoo BEFORE running CWSshredder
ran shredder again and removed several more files
launched IE a couple of times and got the right home page
ran shredder and got a message that the system was clean
ran spybot and removed the same items listed above
System seems to be running clean so far but I have not rebooted
(Will try running it a while to see if the hijacker re-emerges)

Edited by fdell, 09 June 2004 - 10:13 AM.


#3 fdell


Posted 09 June 2004 - 10:21 AM

Still good so far on the homepage issue.


Here is my current "Hijack This" log

Logfile of HijackThis v1.97.7
Scan saved at 11:17:29 AM, on 6/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {26B351D7-23F3-4FF9-85E4-5ED75F675E3C} - C:\WINDOWS\System32\ook.dll (file missing)
O2 - BHO: (no name) - {31BDF300-487B-4FE8-B5B1-5242CDCC6A1C} - C:\WINDOWS\System32\njkfla.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {67367255-4A0B-414A-A114-5E5D03522EE0} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O2 - BHO: (no name) - {C570EF68-E2AC-484E-B4DA-EF92F30B6369} - (no file)
O2 - BHO: (no name) - {E65B2008-8530-48D4-A807-4A9E3F553AB0} - (no file)
O2 - BHO: (no name) - {FA0085C0-144C-4DA1-8EAE-07E818B8B6E3} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - DefaultPrefix:
O13 - WWW Prefix:
O16 - DPF: {234B7457-1A7E-4268-BA71-9936F0C78BEC} (ContentCleanup3X Control) - http://www.contentwa...eanup3Proj1.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse....iveX/winrep.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8035.3452662037
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?315
O17 - HKLM\System\CCS\Services\Tcpip\..\{22434D08-F7EB-4824-9A23-3D156185B370}: NameServer = 207.69.188.187 207.69.188.186
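
Added example, not from the thread and not part of HijackThis itself: a small Python triage pass over lines in the log format shown above, flagging the entry types a helper normally looks at first (an about:blank start page, BHOs whose DLL is already gone, unnamed BHOs, downloaded ActiveX controls, and the O17 DNS servers to check against the ISP). The sample lines are constructed; the O2 and O17 values are copied from the log above and the O16 entry is a placeholder.

```python
import re

# Constructed sample in HijackThis 1.97 log format. The O2 and O17 values are
# taken from the log posted above; the O16 GUID and URL are placeholders.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {26B351D7-23F3-4FF9-85E4-5ED75F675E3C} - C:\WINDOWS\System32\ook.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O2 - BHO: (no name) - {67367255-4A0B-414A-A114-5E5D03522EE0} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O16 - DPF: {00000000-0000-0000-0000-000000000000} (Placeholder Control) - http://example.invalid/ctl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{22434D08-F7EB-4824-9A23-3D156185B370}: NameServer = 207.69.188.187 207.69.188.186
"""

# Every HijackThis entry starts with its section code (R0, R1, O2, O16, ...)
ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
ORPHAN_MARKERS = ("(file missing)", "(no file)")


def triage(log_text):
    """Return a list of (severity, line) for entries worth a look.
    'fix' = safe to remove, 'review' = confirm before touching."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header, process list or blank line
        kind, body = m.groups()
        if kind in ("R0", "R1") and body.rstrip().endswith("about:blank"):
            findings.append(("fix", line))      # start page hijacked to about:blank
        elif kind == "O2" and body.endswith(ORPHAN_MARKERS):
            findings.append(("fix", line))      # BHO whose DLL is already gone
        elif kind == "O2" and "(no name)" in body:
            findings.append(("review", line))   # unnamed BHO still on disk
        elif kind == "O16":
            findings.append(("review", line))   # downloaded ActiveX control
        elif kind == "O17":
            findings.append(("review", line))   # DNS servers: verify against ISP
    return findings


def nameservers(log_text):
    """Extract the DNS server addresses listed in O17 entries."""
    ips = []
    for line in log_text.splitlines():
        if line.startswith("O17") and "NameServer =" in line:
            ips.extend(line.split("NameServer =")[1].split())
    return ips
```

Entries marked 'fix' correspond to the orphaned BHO and about:blank lines that keep reappearing in the thread; 'review' entries are only candidates and need a second look before anything is removed.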

#4 fdell


Posted 09 June 2004 - 04:01 PM

So far so good with homepage hijack

Spybot still keeps detecting

DSO exploit (5 entries)
Common Hijacker (2 entries)

when I run it. They keep coming back. What should I do next?

#5 fdell


Posted 10 June 2004 - 06:04 AM

IT'S BAAACK

Shredder detects it as CWS:search X; what next, folks?



