CWS res:// hijacker INVESTIGATION THREAD


This topic is locked
67 replies to this topic

#51 elijah6789 (Member, Full Member, 5 posts)

Posted 17 June 2004 - 06:11 PM

Ok, I read through this entire thread and you guys blow me away. You're frighteningly talented. Anyway, it seems clear that the SOLUTION lies in the post by emXtrix on pg. 1 of this thread. Everyone seems to agree.

His instructions are clear to me except for the following:
"Delete the appropriate DLL (mine was xothr.dll)"

Could any of you please explain to me specifically how to remove the appropriate DLL? Also, the website http://www.liutilities.com does not have any list on it that I can discern, but seems to be an advertisement for Uniblue Systems, offering programs like WinTasks 4 and WinBackup. Is my url incorrect?

I MUST ELIMINATE THIS NASTY LITTLE SCUMBAG "HOME SEARCH" SPYWARE. PLEASE HELP!

#52 photo11401 (Member, Full Member, 3 posts)

Posted 17 June 2004 - 06:17 PM

His instructions are clear to me except for the following:
"Delete the appropriate DLL (mine was xothr.dll)"

elijah6789 - check out my post on page 3. I listed all the files that I deleted - look carefully at the patterns of the files and you'll have no problem eliminating yours.

#53 elijah6789 (Member, Full Member, 5 posts)

Posted 17 June 2004 - 06:27 PM

Photo11401,

Thank you,

I will follow emXtrix's instructions and look for your DLL's and associated patterns of them and do everything exactly as you both suggested. Then I will repost here to let you know how it went. I'm a certified newbie, so if I can do this anyone can! Thanks for now.

#54 rd_syringe (Member, Full Member, 20 posts)

Posted 17 June 2004 - 06:47 PM

What I'm really curious about is what circumstances are common to everyone that triggered the installation of this spyware in the first place? Has any attempt been made to isolate its source? Can it be blocked by using some readily-available tools (SpywareBlaster and SpyBot each have "immunization tools" but I don't know if they would protect against this infection), by changing settings in your browser (it seems like this just affects IE, so ActiveX or scripting controls), or by changing browsers altogether (Mozilla)?

Probably a number of different sources. For the record, the machine I'm trying to fix had 5 unpatched Critical Updates when I checked Windows Update. It is patched now. It is vital to keep systems up to date via Windows Update.

When the spyware hit, the first thing I did was run a scan with NOD32, and it detected a dialer trojan. There were also a couple of trojan Javascript files sitting in the Temporary Internet Files folder. These could have come from anywhere. There have been past Windows vulnerabilities involving the Java virtual machine, so like I said, everyone needs to make sure they are always up to date. In my case, one of the Critical Updates listed was a vulnerability with Outlook Express allowing an attacker to execute arbitrary code just by viewing the e-mail, which is where I suspect it came from.

You can tell Automatic Updates to notify you of new patches via right-clicking on My Computer and going to Properties, then the Automatic Updates tab. Along with that, basically all the tools everyone here has been using--a virus scanner, Spybot and Ad-Aware (both of them), Hijack This. I also think Filemon and Regmon are helpful if you feel like seeing the nitty-gritty when something is acting peculiar.

#55 hoyainca (Member, New Member, 3 posts)

Posted 17 June 2004 - 07:11 PM

Had all of the same issues as above; funnily enough I didn't think to do a system restore until a couple of hours back... I know when I started having the issues so picked a restore point 2 days prior to that and (fingers crossed) thus far have had no re-emergence of the problems; the HSA no longer appears in my add/remove programs... will update should this change.

#56 beezer101 (Member, Full Member, 4 posts)

Posted 17 June 2004 - 07:19 PM

This thread was indeed terrific, and I am still symptom free thank goodness. Anyway, I'd like to offer a couple other suggestions and questions. First of all, when deleting all of your infectious files check your file sizes. Most of my dll files were around 70kb, and my dat files were either 1kb or 12kb, exes were usually 28kb or close to it.

Ok, here is my question. I'm finding files obviously connected to this infection that were created as early as May 20th. My computer all at once was engulfed in popups and homepage hijacks on Monday June 14. How could this be dormant for so long and what could trigger such a vicious onslaught of advertisements?

Thanks everyone.

#57 elijah6789 (Member, Full Member, 5 posts)

Posted 17 June 2004 - 07:55 PM

Photo 11401 and emXtrix,

I indeed followed your advice on your posts. Didn't work.

It goes without saying that I tried everything else possible beforehand. My Windows XP was fully updated and patched as was my Norton, Ad-Aware and Spybot before infection yesterday. I read the FAQ on this site and did everything.

The awful "mprts.dll" (in my case) keeps installing itself, and after I run Internet Explorer my HijackThis log reverts to the same mess (which includes the same 6 offending lines ending in #96676). In addition, the registry key ending in "HSA" simply reinstalls itself. I made the changes to Windows and Windows32 as photo11401 suggested. However, I undid all of them when I realized it didn't work. I'M DESPERATE! Below I have copied my last log of Hijack This. Please forgive me if I have included it in this long thread. Perhaps it will serve as a good review for those who have read this far! ANY ADVICE WOULD BE APPRECIATED! THANKS TO ALL.

Logfile of HijackThis v1.97.7
Scan saved at 5:50:09 PM, on 6/17/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\sysmo.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\WINDOWS\javatx.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\WINDOWS\System32\BacsTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Max Elijah Grossman\My Documents\Anti-virus Tools\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kaoqt.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://kaoqt.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://kaoqt.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kaoqt.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://kaoqt.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\kaoqt.dll/sp.html#96676
O2 - BHO: (no name) - {6813A243-6455-01F2-5ABA-4D5390F9C114} - C:\WINDOWS\ipjy.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [javatx.exe] C:\WINDOWS\javatx.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...37888.713287037
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.../20/SassCln.CAB
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.dll
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AFB0CF6F-5ABD-45C5-9738-B22E708E95BC}: NameServer = 207.69.188.187 207.69.188.186
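The log above shows the pattern this thread keeps circling: the IE start and search pages served out of a randomly named DLL via res://, an unnamed BHO sitting directly in C:\WINDOWS, and a Run entry pointing at an executable in the same place. As an added example (not code from the thread or from HijackThis), here is a small Python triage script that flags those three patterns in HijackThis log lines; the sample lines are constructed from the posted log, and the hits are leads to cross-check against a known-file list, not a deletion list.

```python
import re
from typing import List, Tuple

# Constructed sample lines, modelled on the HijackThis log posted above (not the full log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kaoqt.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://kaoqt.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
O2 - BHO: (no name) - {6813A243-6455-01F2-5ABA-4D5390F9C114} - C:\WINDOWS\ipjy.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [javatx.exe] C:\WINDOWS\javatx.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
"""

# IE start/search page served out of a DLL resource: res://[C:\WINDOWS\]name.dll/page.html
RES_DLL = re.compile(r"=\s*res://(?:[A-Za-z]:\\[^/]*\\)?([^/\\]+\.dll)/", re.IGNORECASE)
# A .dll or .exe sitting directly in C:\WINDOWS rather than in a subfolder such as System32
WINDIR_ROOT = re.compile(r"C:\\WINDOWS\\([^\\\s\"]+\.(?:dll|exe))\s*$", re.IGNORECASE)
BHO_NONAME = re.compile(r"^O2 - BHO: \(no name\) - \{[0-9A-F-]+\} - (.+)$", re.IGNORECASE)
RUN_ENTRY = re.compile(r"^O4 - \S+\\Run: \[[^\]]*\] \"?(.+?)\"?$")


def triage_hjt(log: str) -> List[Tuple[str, str, str]]:
    """Return (hjt_code, file_name, reason) for lines matching the res:// hijack pattern.
    Matches are leads to cross-check against a known-file list, not a verdict."""
    findings = []
    for line in log.strip().splitlines():
        code = line.split(" - ", 1)[0]
        if code in ("R0", "R1"):
            if m := RES_DLL.search(line):
                findings.append((code, m.group(1).lower(), "IE page served from a DLL resource"))
        elif code == "O2":
            m = BHO_NONAME.match(line)
            if m and (w := WINDIR_ROOT.search(m.group(1))):
                findings.append((code, w.group(1).lower(), "unnamed BHO loaded from the Windows root"))
        elif code == "O4":
            m = RUN_ENTRY.match(line)
            if m and (w := WINDIR_ROOT.search(m.group(1))):
                findings.append((code, w.group(1).lower(), "autostart executable in the Windows root"))
    return findings


def suspect_files(log: str) -> List[str]:
    """Distinct file names behind the findings: the set to verify before touching anything."""
    return sorted({name for _, name, _ in triage_hjt(log)})


if __name__ == "__main__":
    for code, name, reason in triage_hjt(SAMPLE_LOG):
        print(f"{code}: {name:<12} {reason}")
    print("cross-check:", ", ".join(suspect_files(SAMPLE_LOG)))
```

Legitimate Run entries under System32 or Program Files (DSentry.exe, NavShExt.dll) pass through untouched, which is the point: the heuristic narrows the cross-check to the files that share the hijacker's placement.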

#58 potstickerfan (Member, Full Member, 3 posts)

Posted 17 June 2004 - 08:22 PM

Follow EmX's earlier post - it's pretty simple and it's worked for me. I've been clean for a day now, even before I deleted the extra DAT files and HSA today. I want to thank everyone for all their helpful postings, especially RD and EmX - if you boys are ever in LA, email me at potstickerfan@yahoo.com and I'll treat you to drinks at my buddy's bar.

#59 potstickerfan (Member, Full Member, 3 posts)

Posted 17 June 2004 - 08:39 PM

Hey elijah, I too am not that great at these things but it worked out for me. The easiest way to describe what I did is: follow cattleina's post exactly (http://www.spywareinfoforum.com/index.php?showtopic=7261), then delete all the extra shit that rd and EmX describe later, as well as disabling the Network Security Service that chrisgaltieri talks about in his earlier post. :cool:

#60 PGPhantom (Superman of SWI, Emeritus, 3,494 posts)

Posted 17 June 2004 - 08:50 PM

I think that you should all be very careful in what you delete. What looks suspicious may not be - I have seen quite a few cases come up where the system suddenly had no modem, no network, no sound etc - All because of incorrect advice.

Please exercise caution in just randomly deleting things - This is not a cure. A cure has been suggested and if any of you are experiencing a Hijack, let the experts handle giving you a solution - Do not rely on guess work - You are doing far more harm than good.

#61 EmXtrix (Visionary, Full Member, 12 posts)

Posted 17 June 2004 - 09:49 PM

I think that you should all be very careful in what you delete. What looks suspicious may not be - I have seen quite a few cases come up where the system suddenly had no modem, no network, no sound etc - All because of incorrect advice.

Please exercise caution in just randomly deleting things - This is not a cure. A cure has been suggested and if any of you are experiencing a Hijack, let the experts handle giving you a solution - Do not rely on guess work - You are doing far more harm than good.

I personally suggested cross-checking the legitimacy of a DLL on LIUtilities.com in my original solution post, but of course this should all be taken with a grain of salt.

#62 smacica (Member, New Member, 1 post)

Posted 17 June 2004 - 10:57 PM

I was reading your thread last night hoping for a solution. Today I talked with a tech rep at Qwest DSL service and he said he had this browser hijacker as well. He has Windows XP and just restored his system to a date prior to the attack and it worked for him.
I was rather dubious, but I did the same thing and unbelievably, it has worked for me too.
If you have Windows XP, just reset to a date before the attack and no more hijacker.
Good luck.
Smacica

#63 garon (Member, Full Member, 10 posts)

Posted 17 June 2004 - 11:30 PM

I also thought of system restore... bad news: it won't let me restore to a later date. I may have to nuke my computer sometime this week to get rid of it...


-g

#64 PGPhantom (Superman of SWI, Emeritus, 3,494 posts)

Posted 17 June 2004 - 11:37 PM

Post a log in a new thread as a cure seems to be working in most cases.

#65 IMRavnos (Member, New Member, 1 post)

Posted 17 June 2004 - 11:57 PM

I also was fooled into believing this had fixed it only to have it appear again. I am thinking it is an automatic thing, as in not having anything to do with browsing the net or using a search engine.

Reason being is I had it killed for about 45 seconds, then checked e-mail, then opened IE6 and BOOM welcome to HELL.

This little hijack is really clever and is starting to get me very steamed.

Whoever solves this Hijack is my new hero or heroine.

What scares me is this. If they can design a self-replicating browser hijack, what will they come up with next /cry

#66 PGPhantom (Superman of SWI, Emeritus, 3,494 posts)

Posted 18 June 2004 - 12:18 AM

Can you please download HijackThis from this link, install it into C:\HJT. Run it, click on scan, save log and please post your entire log into a new topic (NOT THIS TOPIC) for analysis.

Thank you.

#67 Mr Anigans (Member, Full Member, 6 posts)

Posted 18 June 2004 - 12:27 AM

Most of you guys are talking over my head, but I'm learning.
Unfortunately, I tried all the recommendations so far and nothing seems to be working for me. I've gone back into safe mode three or four times, killed all the files and they keep coming back.
Curiously, they are coming back at an earlier date. Originally the earliest one was at 5/16. Now I have a dat file back in 4/24.

This is what I've done so far... if I misinterpreted something please let me know. I've gone into safe mode about 4 times and have been deleting all the random exe files, dat files and the accursed dll file that keeps popping up, after I've checked with the list at liutilities.com and Google. I've gone through my windows folder, system32 folder, pre-fetch folder and even searched for all the files looking for anything else. I've updated and run HJT, Ad-aware, Spybot, CWShredder, A2. I've emptied my cookies folder, my history folder, and deleted all my files in my temp folders. I've gone into the reg and removed the HSA folder. Then I've gone back into normal mode and run them all again. 2 minutes later... back to square one.

i've ground through the enamel in my teeth.

#68 PGPhantom (Superman of SWI, Emeritus, 3,494 posts)

Posted 18 June 2004 - 12:37 AM

Thread locked due to instructions not being followed. Please open a new topic in this forum and post your HijackThis log there for review. We will try to get this issue resolved on a one by one basis.



