rd_syringe

CWS res:// hijacker INVESTIGATION THREAD

68 posts in this topic

Ok, I read through this entire thread and you guys blow me away. You're frighteningly talented. Anyway, it seems clear that the SOLUTION lies in the post by emXtrix on pg. 1 of this thread. Everyone seems to agree.

 

His instructions are clear to me except for the following:

"Delete the appropriate DLL (mine was xothr.dll)"

 

Could any of you please explain to me specifically how to remove the appropriate DLL? Also, the website http://www.liutilities.com does not have any list on it that I can discern, but seems to be an advertisement for Uniblue Systems, offering programs like WinTasks 4 and WinBackup. Is my url incorrect?

 

I MUST ELIMINATE THIS NASTY LITTLE SCUMBAG "HOME SEARCH" SPYWARE. PLEASE HELP!

His instructions are clear to me except for the following:

"Delete the appropriate DLL (mine was xothr.dll)"

elijah6789 - check out my post on page 3. I listed all the files that I deleted - look carefully at the patterns of the files and you'll have no problem eliminating yours.


Photo11401,

 

Thank you,

 

I will follow emXtrix's instructions and look for your DLL's and associated patterns of them and do everything exactly as you both suggested. Then I will repost here to let you know how it went. I'm a certified newbie, so if I can do this anyone can! Thanks for now.

What I'm really curious about is what circumstances are common to everyone that triggered the installation of this spyware in the first place? Has any attempt been made to isolate its source? Can it be blocked by using some readily-available tools (SpywareBlaster and SpyBot each have "immunization tools" but I don't know if they would protect against this infection), by changing settings in your browser (it seems like this just affects IE, so ActiveX or scripting controls), or by changing browsers altogether (Mozilla)?

Probably a number of different sources. For the record, the machine I'm trying to fix had 5 unpatched Critical Updates when I checked Windows Update. It is patched now. It is vital to keep systems up to date via Windows Update.

 

When the spyware hit, the first thing I did was run a scan with NOD32, and it detected a dialer trojan. There were also a couple of trojan Javascript files sitting in the Temporary Internet Files folder. These could have come from anywhere. There have been past Windows vulnerabilities involving the Java virtual machine, so like I said, everyone needs to make sure they are always up to date. In my case, one of the Critical Updates listed was a vulnerability with Outlook Express allowing an attacker to execute arbitrary code just by viewing the e-mail, which is where I suspect it came from.

 

You can tell Automatic Updates to notify you of new patches via right-clicking on My Computer and going to Properties, then the Automatic Updates tab. Along with that, basically all the tools everyone here has been using--a virus scanner, Spybot and Ad-Aware (both of them), Hijack This. I also think Filemon and Regmon are helpful if you feel like seeing the nitty-gritty when something is acting peculiar.


Had all of the same issues as above. Funnily enough, I didn't think to do a system restore until a couple of hours back. I know when I started having the issues, so I picked a restore point 2 days prior to that and (fingers crossed) thus far have had no re-emergence of the problems; the HSA no longer appears in my Add/Remove Programs. Will update should this change.


This thread was indeed terrific, and I am still symptom free thank goodness. Anyway, I'd like to offer a couple other suggestions and questions. First of all, when deleting all of your infectious files check your file sizes. Most of my dll files were around 70kb, and my dat files were either 1kb or 12kb, exes were usually 28kb or close to it.

 

Ok, here is my question. I'm finding obviously connected files to this infection that were created as early as May 20th. My computer all at once was engulfed in popups and homepage hijacks on Monday June 14. How could this be dormant for so long, and what could trigger such a vicious onslaught of advertisement?

 

Thanks everyone.


Photo 11401 and emXtrix,

 

I indeed followed your advice on your posts. Didn't work.

 

It goes without saying that I tried everything else possible beforehand. My Windows XP was fully updated and patched as was my Norton, Ad-Aware and Spybot before infection yesterday. I read the FAQ on this site and did everything.

 

The awful "mprts.dll" (in my case) keeps installing itself, and after I run Internet Explorer my HijackThis log reverts to the same mess (which includes the same 6 offending lines ending in #96676). In addition, the registry key ending in "HSA" simply reinstalls itself. I made the changes to Windows and Windows32 as photo11401 suggested. However, I undid all of them when I realized it didn't work. I'M DESPERATE! Below I have copied my last log of HijackThis. Please forgive me if I have included it in this long thread. Perhaps it will serve as a good review for those who have read this far! ANY ADVICE WOULD BE APPRECIATED! THANKS TO ALL.

 

Logfile of HijackThis v1.97.7
Scan saved at 5:50:09 PM, on 6/17/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\sysmo.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\WINDOWS\javatx.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\WINDOWS\System32\BacsTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Max Elijah Grossman\My Documents\Anti-virus Tools\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kaoqt.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://kaoqt.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://kaoqt.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kaoqt.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://kaoqt.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\kaoqt.dll/sp.html#96676
O2 - BHO: (no name) - {6813A243-6455-01F2-5ABA-4D5390F9C114} - C:\WINDOWS\ipjy.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [javatx.exe] C:\WINDOWS\javatx.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...37888.713287037
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls.../20/SassCln.CAB
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.dll
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AFB0CF6F-5ABD-45C5-9738-B22E708E95BC}: NameServer = 207.69.188.187 207.69.188.186

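An added example, not written by anyone in this thread and not a tool any poster used: a small triage script that reads a HijackThis log and pulls out the three patterns the thread keeps circling around. These are the R0/R1 Start Page and Search Page values pointing at res:// inside a DLL, an O2 BHO with no name loaded from the Windows directory, and O4 Run entries for executables sitting directly in C:\WINDOWS rather than under System32 or Program Files. The sample log lines are constructed from the log posted above; the thresholds are heuristics chosen for this example, so a hit is a file to check against a known-files list (as emXtrix advised), not a file to delete on sight.

```python
"""
Triage a HijackThis log for CWS res:// hijack indicators.

Added example for this thread, not part of HijackThis or any poster's
advice. Heuristics (an assumption of this example, not a rule from the
thread): R0/R1 values of the form res://...dll/..., O2 BHOs that are
unnamed or loaded from C:\WINDOWS itself, and O4 Run entries whose
executable lives directly in C:\WINDOWS. Every hit still needs a manual
check before deletion; a heuristic match is not proof the file is bad.
"""
import re

# Constructed sample, modelled on the log posted earlier in the thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kaoqt.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://kaoqt.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://kaoqt.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kaoqt.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://kaoqt.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\kaoqt.dll/sp.html#96676
O2 - BHO: (no name) - {6813A243-6455-01F2-5ABA-4D5390F9C114} - C:\WINDOWS\ipjy.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [javatx.exe] C:\WINDOWS\javatx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
"""

# res://kaoqt.dll/index.html  or  res://C:\WINDOWS\kaoqt.dll/sp.html
RES_URL = re.compile(r"^res://(?:[A-Za-z]:\\[^/]*\\)?([^/\\]+\.dll)", re.IGNORECASE)
R_LINE = re.compile(r"^(R[01]) - (HK\w+\\[^,]+),([^=]+?) = (.*)$")
O2_LINE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
O4_LINE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[(.*?)\] (.*)$")
# A file directly in <drive>:\WINDOWS, not in any subfolder.
WINDOWS_ROOT = re.compile(r"^[A-Za-z]:\\windows\\[^\\]+$", re.IGNORECASE)


def in_windows_root(path):
    """True when path names a file sitting directly in C:\\WINDOWS."""
    return bool(WINDOWS_ROOT.match(path.strip().strip('"')))


def triage(log_text):
    """Return the hijack-related entries found in a HijackThis log."""
    findings = {"res_hijacks": [], "dlls": set(), "bhos": [], "run_entries": []}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = R_LINE.match(line)
        if m:
            _, key, value_name, value = m.groups()
            r = RES_URL.match(value)
            if r:  # IE start/search page redirected into a DLL resource
                findings["res_hijacks"].append((key + "," + value_name, value))
                findings["dlls"].add(r.group(1).lower())
            continue
        m = O2_LINE.match(line)
        if m:
            name, clsid, path = m.groups()
            if name == "(no name)" or in_windows_root(path):
                findings["bhos"].append((clsid, path))
            continue
        m = O4_LINE.match(line)
        if m:
            hive, entry, cmd = m.groups()
            exe = cmd.strip().strip('"')
            if in_windows_root(exe):
                findings["run_entries"].append((hive, entry, exe))
    findings["dlls"] = sorted(findings["dlls"])
    return findings


def files_to_review(findings):
    """Sorted, de-duplicated basenames of every file the heuristics touched."""
    names = set(findings["dlls"])
    names.update(p.rsplit("\\", 1)[-1].lower() for _, p in findings["bhos"])
    names.update(p.rsplit("\\", 1)[-1].lower() for _, _, p in findings["run_entries"])
    return sorted(names)


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for key, hits in result.items():
        print(key)
        for hit in hits:
            print("   ", hit)
    print("files to check before deleting:", files_to_review(result))
```

Run against the constructed sample it links the six res:// entries to one DLL (kaoqt.dll), flags the unnamed BHO (ipjy.dll) and the Run entry for javatx.exe, and leaves the Norton, Symantec and pctspk.exe lines alone. The point of returning names rather than deleting anything is the same one Budfred makes later in the thread: cross-check each file before touching it, because a random-looking name in C:\WINDOWS is a lead, not a verdict.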

Follow EmX's earlier post- its pretty simple and its worked for me. I've been clean for a day now, even before i deleted the extra DAT files and HSA today. I want to thank everyone for all their helpful postings, especially RD and EmX-if you boys are ever in LA, email me at potstickerfan@yahoo.com and i'll treat you to drinks at my buddy's bar.


Hey elijah, I too am not that great at these things but it worked out for me. The easiest way to describe what i did is- follow cattleina's post exactly---http://www.spywareinfoforum.com/index.php?showtopic=7261-- then delete all the extra shit that rd and EmX describe later, as well as the disabling of the Network Security Service that chrisgaltieri talks about in his earlier post. :cool:


I think that you should all be very careful in what you delete. What looks suspicious may not be - I have seen quite a few cases come up where the system suddenly had no modem, no network, no sound etc - All because of incorrect advice.

 

Please exercise caution in just randomly deleting things - This is not a cure. A cure has been suggested and if any of you are experiencing a Hijack, let the experts handle giving you a solution - Do not rely on guess work - You are doing far more harm than good.

I think that you should all be very careful in what you delete. What looks suspicious may not be - I have seen quite a few cases come up where the system suddenly had no modem, no network, no sound etc - All because of incorrect advice.

 

Please exercise caution in just randomly deleting things - This is not a cure. A cure has been suggested and if any of you are experiencing a Hijack, let the experts handle giving you a solution - Do not rely on guess work - You are doing far more harm than good.

I personally suggested cross-checking the legitimacy of a DLL on LIUtilities.com in my original solution post, but of course this should all be taken with a grain of salt.


I was reading your thread last night hoping for a solution. Today I talked with a tech rep at Qwest DSL service and he said he had this browser hijacker as well. He has Windows XP and just restored his system to a date prior to the attack and it worked for him.

I was rather dubious, but I did the same thing and unbelievably, it has worked for me too.

If you have windows XP, just reset to a date before the attack and no more hijacker.

Good luck.

Smacica


I also thought of system restore... bad news, It won't let me restore to a later date. I may have to nuke my computer sometime this week to get rid of it...

 

 

-g


I also was fooled into believing this had fixed it, only to have it appear again. I am thinking it is an automatic thing, as in not having anything to do with browsing the net or using a search engine.

 

Reason being, I had it killed for about 45 seconds, then checked e-mail, then opened IE6 and BOOM, welcome to HELL.

 

This little hijack is really clever and is starting to get me very steamed.

 

Whoever solves this Hijack is my new hero or heroine.

 

what scares me is this. If they can design a self replicating browser hijack, what will they come up with next /cry


Can you please download HijackThis from this link, install it into C:\HJT. Run it, click on scan, save log and please post your entire log into a new topic (NOT THIS TOPIC) for analysis.

 

Thank you.


Most of you guys are talking over my head, but I'm learning.

Unfortunately, I tried all the recommendations so far and nothing seems to be working for me. I've gone back into safe mode three or four times, killed all the files, and they keep coming back.

Curiously, they are coming back at an earlier date. Originally the earliest one was at 5/16. Now I have a dat file back in 4/24.

 

This is what I've done so far. If I misinterpreted something please let me know. I've gone into safe mode about 4 times and have been deleting all the random exe files, dat files and the accursed dll file that keeps popping up, after I've checked each against the list at liutilities.com and Google. I've gone through my Windows folder, System32 folder, Prefetch folder and even searched for all the files looking for anything else. I've updated and run HJT, Ad-aware, Spybot, CWShredder, A2. I've emptied my cookies folder, my history folder, and deleted all my files in my temp folders. I've gone into the registry and removed the HSA folder. Then I've gone back into normal mode and run them all again. 2 minutes later, back to square one.

 

I've ground through the enamel in my teeth.


Thread locked due to instructions not being followed. Please open a new topic in this forum and post your HijackThis log there for review. We will try to get this issue resolved on a one by one basis.

This topic is now closed to further replies.