Hijacked to CWS 213.159.117.132

9 replies to this topic

#1 gotjacked

    Member

  • Full Member
  • 5 posts

Posted 18 June 2004 - 10:02 PM

We have had THE MOST FRUSTRATING two weeks in the history of owning computers...now going on 15 years!!

My son's computer has apparently had something downloaded in the form of trojan/worm/whatever related to the CoolWebSearch problem I have been reading about constantly for the past several days (including a major number of postings to this site - at least I'm not alone!).

It first became apparent after we had several calls charged to our phone bill to Sao Tome and, after a bit of investigation, noted the change in behaviour of IE Explorer on his machine. The home page constantly reverted away from his selected home page to another (in the browser showing as "http://213.159.117.132/index.php") web page. In addition, trying to use the computer's explorer function was impossible as the system froze after expanding the tree in the left pane beyond the second level of folders, resulting in the need for Ctrl-Alt-Del every minute or two.

To sum up:
1. Dial-up modem is redirected from default provider to some site that causes per-minute long distance calls (Sao Tome)
2. Home page is redirected to "http://213.159.117.132/index.php"
3. Windows explorer function is rendered useless
4. None of this is evident when running in Safe Mode

I have run every suggested piece of downloadable CW-related removal software that I can find, including the latest versions of CW Shredder, Spy Hunter, Spy Ferret, Hijack This, Ad-Aware, Spybot S&D, Spy Sweeper, and probably a couple others but this problem persists.

From what I have read - I suspect there is a hidden .dll that I have not been able to reveal as the culprit (or a style sheet tucked away somewhere) that resets the web page at each start-up but as you can see I have run out of options and seek help from the experts here.

Also, from below you can see that IE Explorer is rather old and probably full of security holes and, no, we don't have antivirus software running, which will change shortly, but in the meantime I have to get rid of this plague before anything else happens.

I have included below the usual stuff from HJT, both the scan log and the start-up log for all to peruse. The scan was done after logging onto the net for about 30 seconds when my modem took off to some other web-provider and the home pages were altered from that set manually while in Safe Mode. Deleting the R0 and R1 entries in the log below makes no difference on subsequent start-ups, so although that would be a good starting suggestion, so far it seems to be pointless. All the other entries in the log appear to make sense as far as the other software running on start-up....so....what's next?? I should mention that I had previously cleaned out the Temp folder (and the Hosts file in Windows), as I see below that something was reset into the Temp folder on the latest net log-on:

***********************************
Logfile of HijackThis v1.97.7
Scan saved at 9:57:07 PM, on 18-06-04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.50 SP1 (5.50.4522.1800)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\ACCESSORIES\HIJACK THIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/index.php
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.google.ca/"); (C:\Program Files\Netscape\Users\r_kbr\prefs.js)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\ACCESS~1\SPYBOT~2\SDHELPER.DLL
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\ACCESSORIES\SPYWAREGUARD\DLPROTECT.DLL
O4 - HKLM\..\Run: [Absolute StartUp monitor] C:\Program Files\Accessories\AbsoluteStartUp\ASMon.exe
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [CookieCop] C:\PROGRA~1\COOKIE~1\COOKIE~1.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Net Buddy] "C:\PROGRAM FILES\NET BUDDYPRO\NETBUDDY.EXE"
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [WinTime] C:\WINDOWS\system32\wintime.exe
O4 - HKLM\..\Run: [SpyHunter] C:\PROGRAM FILES\ENIGMA SOFTWARE GROUP\SPYHUNTER\SPYHUNTER.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - Startup: SpywareGuard.lnk = C:\Program Files\Accessories\SpyWareGuard\sgmain.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

*************************


StartupList report, 18-06-04, 10:33:06 AM
StartupList version: 1.52
Started from : C:\PROGRAM FILES\ACCESSORIES\HIJACK THIS\HIJACKTHIS.EXE
Detected: Windows 98 SE (Win9x 4.10.2222A)
Detected: Internet Explorer v5.50 SP1 (5.50.4522.1800)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\ACCESSORIES\ABSOLUTESTARTUP\ASMON.EXE
C:\WINDOWS\ANVSHELL.EXE
C:\PROGRAM FILES\COOKIE COP\COOKIECOP.EXE
C:\PROGRAM FILES\NET BUDDYPRO\NETBUDDY.EXE
C:\WINDOWS\STARTUPMONITOR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM32\WINTIME.EXE
C:\PROGRAM FILES\ACCESSORIES\SPYWAREGUARD\SGMAIN.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\ACCESSORIES\SPYWAREGUARD\SGBHP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\TEMP\XWXLOAD.EXE
C:\WINDOWS\TEMP\MSLDF.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\ACCESSORIES\HIJACK THIS\HIJACKTHIS.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
SpywareGuard.lnk = C:\Program Files\Accessories\SpyWareGuard\sgmain.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Absolute StartUp monitor = C:\Program Files\Accessories\AbsoluteStartUp\ASMon.exe
anvshell = anvshell.exe
CookieCop = C:\PROGRA~1\COOKIE~1\COOKIE~1.EXE
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
Net Buddy = "C:\PROGRAM FILES\NET BUDDYPRO\NETBUDDY.EXE"
Run StartupMonitor = StartupMonitor.exe
ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
SystemTray = SysTray.Exe
WinTime = C:\WINDOWS\system32\wintime.exe
SpyHunter = C:\PROGRAM FILES\ENIGMA SOFTWARE GROUP\SPYHUNTER\SPYHUNTER.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=EXPLORER.EXE
SCRNSAVE.EXE=
drivers=MMSYSTEM.DLL POWER.DRV

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 7/6/2004, 22:55:2)

[rename]
C:\WINDOWS\SYSTEM\IoSubSys\SmartVSD.VxD=C:\WINDOWS\SYSTEM\SmartVSD.VxD

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

SET TEMP=C:\TEMP

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\PROGRA~1\ACCESS~1\SPYBOT~2\SDHELPER.DLL - {53707962-6F74-2D53-2644-206D7942484F}
SpywareGuard Download Protection - C:\PROGRAM FILES\ACCESSORIES\SPYWAREGUARD\DLPROTECT.DLL - {4A368E80-174F-4872-96B5-0B27DDD11DB2}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Liquid Audio Auto Update Agent.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macr...ash/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL
System: C:\WINDOWS\system32\system32.dll

--------------------------------------------------
End of report, 4,388 bytes
Report generated in 0.059 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

**********************************************

PLEASE - SOMEONE out there must have the cure!!!!!!! - thanks to anyone with a hint at an answer to this.....gotjacked
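The two logs in the post above are what a forum helper reads by hand. As an added example (my own code, not from the original post and not part of HijackThis or StartupList), here is a small Python triage script that parses the R0/R1 lines and the running-process list and flags the two things visible in this log: start-page values that point at a bare IP address, and executables running out of a temp folder. The sample lines are constructed from the log above; the regular expression, the function names and the temp-folder markers are my own assumptions.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed excerpt of the HijackThis log posted above; every path and URL
# here is copied from that log, a few lines are enough to show the pattern.
SAMPLE_HJT = r'''
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/index.php
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.google.ca/"); (C:\Program Files\Netscape\Users\r_kbr\prefs.js)
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
'''

# Constructed excerpt of the StartupList "Running processes" section above.
SAMPLE_PROCESSES = r'''
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\TEMP\XWXLOAD.EXE
C:\WINDOWS\TEMP\MSLDF.EXE
C:\PROGRAM FILES\ACCESSORIES\HIJACK THIS\HIJACKTHIS.EXE
'''

# R0/R1 lines have the shape "<type> - <hive>\<key>,<value> = <url>".
# This parser is my own (hypothetical), written against the lines above.
R_ENTRY = re.compile(r'^(R[01]) - (HK[A-Z]+)\\(.+?),(.+?) = (.+)$')


def parse_r_entries(log_text):
    """Return the R0/R1 (IE start / default page) entries as dicts."""
    entries = []
    for line in log_text.splitlines():
        m = R_ENTRY.match(line.strip())
        if m:
            entries.append({"type": m.group(1), "hive": m.group(2),
                            "key": m.group(3), "value": m.group(4),
                            "url": m.group(5).strip()})
    return entries


def is_bare_ip_url(url):
    """True when the URL's host is an IP literal rather than a hostname."""
    host = urlparse(url).hostname
    if host is None:
        return False
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def hijacked_start_pages(log_text):
    """R0/R1 entries whose URL is an IP literal, as in the posted log."""
    return [e for e in parse_r_entries(log_text) if is_bare_ip_url(e["url"])]


def hives_hit(log_text):
    """Registry hives carrying the hijacked value (both HKCU and HKLM here)."""
    return sorted({e["hive"] for e in hijacked_start_pages(log_text)})


TEMP_DIR_MARKERS = ("\\temp\\", "\\tmp\\")   # assumed temp locations


def processes_from_temp(process_text):
    """Running executables whose path passes through a temp folder."""
    return [p.strip() for p in process_text.splitlines()
            if any(mark in p.lower() for mark in TEMP_DIR_MARKERS)]


def triage(log_text, process_text):
    """Plain-text findings in the order a helper would raise them."""
    findings = []
    for e in hijacked_start_pages(log_text):
        findings.append(f'{e["type"]} {e["hive"]} "{e["value"]}" points at IP literal {e["url"]}')
    for p in processes_from_temp(process_text):
        findings.append(f'process running from a temp folder: {p}')
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_HJT, SAMPLE_PROCESSES):
        print(line)
```

Because the same value sits in both HKCU and HKLM, `hives_hit` returns both; that is the reason fixing the R0/R1 lines alone keeps failing in the post above, since whatever is running from the temp folder re-writes both hives on the next start-up.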

#2 PGPhantom

    Superman of SWI

  • Emeritus
  • 3,494 posts

Posted 21 June 2004 - 10:46 AM

Please, next time before escalating the issue - Read the pinned posts and perform the procedures as suggested. Please post another HijackThis log when you have completed these procedures.

#3 gotjacked

    Member

  • Full Member
  • 5 posts

Posted 21 June 2004 - 11:18 AM

I've run Spybot S&D, CWShredder, and Ad-Aware a number of times with no success - but will try again. I haven't tried to scan with HouseCall via Trend Micro because of the redirection problem - although I can try to connect while in Safe Mode(?). I have just located TrojanHunter this a.m. and will try it this evening and repost another HJT log when completed.

#4 PGPhantom

    Superman of SWI

  • Emeritus
  • 3,494 posts

Posted 21 June 2004 - 11:25 AM

Please be sure to update the programs if you already have them. Some, especially CW Shredder, are updated frequently to combat new infections - CWS is at version 1.59.0.

#5 gotjacked

    Member

  • Full Member
  • 5 posts

Posted 26 June 2004 - 01:21 PM

The latest update of CW Shredder and AVG caught the malware - both the homepage hijacking and the dialer....many thanks for suggesting sticking with the most recent versions. Adding revised HOSTS file and restricted sites to reduce risk of reinfection.

#6 PGPhantom

    Superman of SWI

  • Emeritus
  • 3,494 posts

Posted 26 June 2004 - 01:25 PM

Please post an updated HijackThis log and I will verify that all your infections have been eradicated.

#7 gotjacked

    Member

  • Full Member
  • 5 posts

Posted 26 June 2004 - 02:34 PM

Will do after work this evening.

#8 PGPhantom

    Superman of SWI

  • Emeritus
  • 3,494 posts

Posted 27 June 2004 - 01:15 AM

Don't forget the log :) We need to make sure that you are all clear...

#9 gotjacked

    Member

  • Full Member
  • 5 posts

Posted 27 June 2004 - 08:52 AM

My latest log from HJT as requested - and all still seems to be running well:

Logfile of HijackThis v1.97.7
Scan saved at 9:45:19 AM, on 27-06-04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.50 SP1 (5.50.4522.1800)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\ACCESSORIES\ABSOLUTESTARTUP\ASMON.EXE
C:\WINDOWS\ANVSHELL.EXE
C:\PROGRAM FILES\ACCESSORIES\AVGFREE\AVGCC32.EXE
C:\PROGRAM FILES\COOKIE COP\COOKIECOP.EXE
C:\PROGRAM FILES\NET BUDDYPRO\NETBUDDY.EXE
C:\WINDOWS\STARTUPMONITOR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ACCESSORIES\TROJANHUNTER\THGUARD.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\ACCESSORIES\SPYWAREGUARD\SGMAIN.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ACCESSORIES\SPYWAREGUARD\SGBHP.EXE
C:\PROGRAM FILES\ACCESSORIES\HIJACK THIS\HIJACKTHIS.EXE

N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.google.ca/"); (C:\Program Files\Netscape\Users\ron_koob\prefs.js)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\ACCESS~1\SPYBOT~2\SDHELPER.DLL
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\ACCESSORIES\SPYWAREGUARD\DLPROTECT.DLL
O4 - HKLM\..\Run: [Absolute StartUp monitor] C:\Program Files\Accessories\AbsoluteStartUp\ASMon.exe
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\ACCESS~1\AVGFREE\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [CookieCop] C:\PROGRA~1\COOKIE~1\COOKIE~1.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Net Buddy] "C:\PROGRAM FILES\NET BUDDYPRO\NETBUDDY.EXE"
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\ACCESSORIES\TROJANHUNTER\THGUARD.EXE"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\Accessories\SpyWareGuard\sgmain.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab


Let me know if anything else should be fixed - thanks again.

#10 PGPhantom

    Superman of SWI

  • Emeritus
  • 3,494 posts

Posted 27 June 2004 - 11:06 AM

Your log is looking clean but ...

Please go to Microsoft Windows Update and download all critical updates for your system. This is imperative - Especially updating IE to v6.0 SP1.

Also ...
Here are some tips to reduce the potential for spyware infection in the future. I strongly recommend installing the following applications:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
To protect yourself further:
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
I also suggest that you delete any files from "temp", "tmp" folders. In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files" and select the box that says "Delete All Offline Content" and click on "OK" twice. Also, empty the recycle bin by right clicking on it and selecting "Empty Recycle Bin". These steps should be done on a regular basis.
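As an added illustration of the HOSTS-file mechanism described in the tips above (my own example, not part of the thread and not the MVPS project's code), here is a Python check that parses a HOSTS file in its usual "address hostname [hostname ...]" layout and reports whether a given URL would be kept on the local machine by it. It also makes the limit visible that a defender should keep in mind with this thread: the hijack above uses a bare IP, http://213.159.117.132/index.php, and a HOSTS file only takes part in name resolution, so a URL with an IP literal never passes through it. The sample entries use .invalid names and are constructed; the function names are my own.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed HOSTS excerpt in the usual "<address> <hostname> [<hostname> ...]" layout.
# The .invalid names are placeholders, not entries from the real MVPS file.
SAMPLE_HOSTS = """\
# comment lines and blank lines are ignored
127.0.0.1 localhost
127.0.0.1 ads.example.invalid
127.0.0.1 tracker.example.invalid banner.example.invalid   # several names per line
0.0.0.0   another.example.invalid
not-an-address bogus.example.invalid
"""

# Mapped to loopback by design in every HOSTS file, so not a block entry.
LOCAL_NAMES = {"localhost"}


def parse_hosts(text):
    """Map each hostname (lower-cased) to the address the HOSTS file gives it."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        parts = line.split()
        if len(parts) < 2:                    # blank line or no hostname
            continue
        addr, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(addr)        # skip malformed address fields
        except ValueError:
            continue
        for name in names:
            mapping[name.lower()] = addr
    return mapping


def is_sinkhole(addr):
    """127.0.0.1-style loopback or 0.0.0.0 both keep the connection local."""
    ip = ipaddress.ip_address(addr)
    return ip.is_loopback or ip.is_unspecified


def hosts_verdict(url, mapping):
    """'blocked', 'allowed' or 'ip-literal' for a URL under this HOSTS file."""
    host = urlparse(url).hostname
    if host is None:
        return "allowed"
    try:
        ipaddress.ip_address(host)
        return "ip-literal"   # no name lookup happens, so HOSTS is never consulted
    except ValueError:
        pass
    host = host.lower()
    if host in LOCAL_NAMES:
        return "allowed"
    addr = mapping.get(host)
    if addr is not None and is_sinkhole(addr):
        return "blocked"
    return "allowed"


def blocked_count(mapping):
    """Number of names the file actually sinkholes (localhost excluded)."""
    return sum(1 for name, addr in mapping.items()
               if name not in LOCAL_NAMES and is_sinkhole(addr))


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    print(blocked_count(hosts), "names sinkholed")
    for url in ("http://ads.example.invalid/x", "http://www.google.ca/",
                "http://213.159.117.132/index.php"):
        print(url, "->", hosts_verdict(url, hosts))
```

The "ip-literal" verdict is the practical point: the HOSTS file and the IE Restricted sites list both work on names, so they reduce reinfection from known ad and spyware domains, but neither would have stopped the bare-IP start page in this thread; that part depends on the dialer and loader being removed, as the updated CW Shredder and AVG did here.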



