Possible CWS, Continued Re-infection


4 replies to this topic

#1 bramalea

bramalea

    Member

  • New Member
  • 4 posts

Posted 22 June 2004 - 07:25 PM

Hey guys, thanks in advance for looking at my problem.

I am running a PII-233 archaic computer on Windows 98. I have Ad-Aware, SpyBot Search & Destroy and AVG Anti-Virus and none of these can eradicate the error.

When I run CWShredder, it detects and removes CWS.Yexe. However, this does not clear up the problem. If I restart it immediately after it once again removes CWS.Yexe. If I restart the computer, it once again removes CWS.Yexe.

The web page http:// www.casinopalazzo.com / index.php?sourceid=102179 continues to pop up. I use Mozilla Firefox to browse the web and Firefox never gets hijacked. However new IE windows open with that URL in it.

It also continues to create a shortcut on my desktop labeled "XXX". This shortcut is linked to the same URL described above. I can delete this shortcut but it will reappear shortly after.

When I run Ad-Aware and remove the bugs, they seem to be gone. But give it about 20 minutes and they're back again. Restart the computer and the processes Utre.exe and Uzpxthw1.exe restart themselves (even though Ad-Aware stops them and deletes them). No matter how many times I try deleting these files they keep coming back.

AVG periodically stops me to tell me that Bridge.dll in C:\Windows\Temp is a trojan and it is trying to copy itself. I click Heal. Then I go to the commandline and deltree everything in Temp, but it seems to fill itself back up at a remarkable rate.

I hope I have provided a decent amount of information that is necessary to help. And once again thanks a lot to everyone on this site for continuing to stand up to these browser-hijackings.

Finally here is my HijackThis logfile:

Logfile of HijackThis v1.97.7
Scan saved at 8:22:38 PM, on 6/22/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\GRISOFT AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\GRISOFT AVG6\AVGCC32.EXE
C:\PROGRAM FILES\SYMPATICO\ACCESS MANAGER\APP\ENTERNET.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\SYSTEM\SearchBar.htm
F1 - win.ini: run=C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\PROGRAM FILES\SEP\SEP.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOF~1\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Uzpxthw1] C:\WINDOWS\TEMP\UZPXTHW1.EXE
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\SYSTEM\DP-HIM.EXE
O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOF~1\Avgserv9.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: AIM (HKLM)
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8156.0528356481

#2 Bugbatter

Bugbatter

    Forum Deity

  • Trusted Advisor
  • 939 posts

Posted 22 June 2004 - 10:47 PM

I will be glad to help you with this issue. Before we get started, please let me know if you have posted this same problem on another page, in another forum, or on another website.
That way we can avoid duplicate posts and replies.

Please move HJT to its own permanent folder:
Right-click on an empty space on your desktop and choose New > Folder
Name it HijackThis (HJT, or whatever)
Right-click HijackThis.exe, choose Cut.
Double-click (to open) the folder you created.
Right-click inside and choose Paste.

Make sure your computer is configured to show all folders:
http://www.xtra.co.n...1916458,00.html

Please perform an online virus scan at:
Trend Micro HouseCall:
http://housecall.ant...m/pc_housecall/

Reboot into safe mode, this way:
Turn on the computer
Immediately begin tapping the <F8> key.
Use the arrow keys to highlight Safe Mode and press the <Enter> key.

Open Task Manager, and end the following processes IF they are listed:

UZPXTHW1.EXE
DP-HIM.EXE
MSXMIDI.EXE

While in safe mode, run Hijackthis and check to fix the following items:
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\PROGRAM FILES\SEP\SEP.DLL
O4 - HKLM\..\Run: [Uzpxthw1] C:\WINDOWS\TEMP\UZPXTHW1.EXE
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\SYSTEM\DP-HIM.EXE
O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
(both of these)

Let HJT fix them.
While still in safe mode, look for the following folders and delete the files IF they are found:
C:\WINDOWS\TEMP\UZPXTHW1.EXE
C:\WINDOWS\SYSTEM\DP-HIM.EXE
C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE

Please delete your temporary files by deleting all files and folders that are in those folders (Do not delete the temp folder itself)
For example:
C:\WINDOWS\Temp\
C:\Temp\
C:\Documents and Settings\username\Local Settings\Temp\
Also delete your Temporary Internet Files, being sure to also select delete all offline content.

Then after all this cleaning, please post a fresh HJT log.
Microsoft MVP - Consumer Security

#3 bramalea

bramalea

    Member

  • New Member
  • 4 posts

Posted 25 June 2004 - 12:41 AM

Hi. Thanks for your quick reply. Sorry I was away for a couple days, busy with work.

I have not posted this on any other forum or in any other thread.

Anyway, I ran Housecall but it doesn't seem to run on this machine without crashing IE. So I ran AVG, which found one dialer, I had AVG delete it. Then I restarted in safe mode, running HijackThis and removing those entries you asked me to remove. Then, I deleted the files.

One thing I thought was weird was the existence of C:\Windows\System\Services. That directory is not part of Windows 98. It would seem to blend in easier with XP. So I DELTREE /Y'd the whole directory. I also DELTREE *.* /Y everything in C:\Windows\Temp and in Temporary Internet Files, and removed all offline content in Internet Explorer.

The problem seems to be cleared up but I don't know for sure as I haven't been running the system long enough. But those processes have not started back up again. Here is my new HijackThis log.

In case you were wondering, Enternet.exe is an Internet connection client for ADSL, and other than that it looks like everything else belongs there. Thanks!

Logfile of HijackThis v1.97.7
Scan saved at 1:38:46 AM, on 6/25/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\GRISOFT AVG6\AVGSERV9.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\GRISOFT AVG6\AVGCC32.EXE
C:\PROGRAM FILES\AIM\AIM.EXE
C:\PROGRAM FILES\SYMPATICO\ACCESS MANAGER\APP\ENTERNET.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\SYSTEM\SearchBar.htm
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOF~1\avgcc32.exe /STARTUP
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOF~1\Avgserv9.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\PROGRAM FILES\ICQLITE\ICQLITE.EXE -trayboot
O9 - Extra button: AIM (HKLM)
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8156.0528356481
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
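
The two things the helper did by hand across posts #2 and #3 (pick out the autostart entries that run from a temp or non-standard system directory, then compare the fresh log against the first one to confirm they are gone) can be scripted. The block below is an added example written for this thread; it is not part of HijackThis, and its log excerpts are constructed from the lines quoted above, trimmed to the entries that matter. The rule names and thresholds are assumptions, not HijackThis conventions.

```python
"""Triage helper for HijackThis 1.x logs (added example, not an HJT feature).

Check 1: flag autostart entries (O4 Run/RunServices/RunOnce, F1 win.ini run=)
         and running processes whose binary lives in a temp or non-standard
         system directory, or whose Run value name appears under both HKLM
         and HKCU (the 'xpsystem' pattern from the first log).
Check 2: diff a 'before' log against a 'fresh' log so the removed and the
         newly added entries are listed explicitly.
"""
import re

# Constructed excerpts of the logs in post #1 and post #3 of this thread.
LOG_BEFORE = r"""Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
C:\WINDOWS\TASKMON.EXE

F1 - win.ini: run=C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [Uzpxthw1] C:\WINDOWS\TEMP\UZPXTHW1.EXE
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\SYSTEM\DP-HIM.EXE
O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
"""
LOG_AFTER = r"""Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\TASKMON.EXE

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\PROGRAM FILES\ICQLITE\ICQLITE.EXE -trayboot
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
"""

AUTOSTART_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]+)\] (.*)$")
WININI_RE = re.compile(r"^F1 - win\.ini: run=(.*)$", re.IGNORECASE)
EXE_RE = re.compile(r"^(.*?\.(?:exe|dll|com|scr|bat|vbs))", re.IGNORECASE)
# Assumed rule: a legitimate Win9x autostart essentially never lives here.
SUSPICIOUS_DIRS = ("\\WINDOWS\\TEMP\\", "\\TEMP\\", "\\WINDOWS\\SYSTEM\\SERVICES\\")


def executable_of(command):
    """Strip arguments from a Run command and normalise the binary path."""
    m = EXE_RE.match(command.strip().strip('"'))
    return (m.group(1) if m else command.strip()).upper()


def parse_autostarts(log):
    """Return (hive, key, value_name, exe) for every O4 and F1 win.ini entry."""
    out = []
    for line in log.splitlines():
        m = AUTOSTART_RE.match(line)
        if m:
            hive, key, name, cmd = m.groups()
            out.append((hive, key, name, executable_of(cmd)))
        elif WININI_RE.match(line):
            out.append(("win.ini", "run=", "", executable_of(WININI_RE.match(line).group(1))))
    return out


def parse_processes(log):
    """Return the upper-cased paths listed under 'Running processes:'."""
    procs, in_block = [], False
    for line in log.splitlines():
        if line.startswith("Running processes:"):
            in_block = True
        elif in_block and not line.strip():
            break
        elif in_block:
            procs.append(line.strip().upper())
    return procs


def in_suspicious_dir(path):
    return any(d in path for d in SUSPICIOUS_DIRS)


def flag_log(log):
    """Map each suspicious binary to the sorted list of reasons it was flagged."""
    flagged = {}
    entries = parse_autostarts(log)
    hives_by_name = {}
    for hive, key, name, _ in entries:
        if key == "Run":
            hives_by_name.setdefault(name.lower(), set()).add(hive)
    for hive, key, name, exe in entries:
        if in_suspicious_dir(exe):
            flagged.setdefault(exe, set()).add("autostart runs from temp/non-standard dir")
        if hive == "win.ini":
            flagged.setdefault(exe, set()).add("legacy win.ini run= autostart")
        if key == "Run" and hives_by_name[name.lower()] >= {"HKLM", "HKCU"}:
            flagged.setdefault(exe, set()).add("same Run value under both HKLM and HKCU")
    for proc in parse_processes(log):
        if in_suspicious_dir(proc):
            flagged.setdefault(proc, set()).add("running from temp/non-standard dir")
    return {exe: sorted(r) for exe, r in flagged.items()}


def entry_lines(log):
    return {l.strip() for l in log.splitlines() if re.match(r"^[RFO]\d+ - ", l)}


def diff_logs(before, after):
    """Return (entries that disappeared, entries that are new)."""
    b, a = entry_lines(before), entry_lines(after)
    return sorted(b - a), sorted(a - b)


if __name__ == "__main__":
    for exe, reasons in flag_log(LOG_BEFORE).items():
        print(exe, "->", "; ".join(reasons))
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("removed:", *removed, sep="\n  ")
    print("added:", *added, sep="\n  ")
```

The location rules catch UZPXTHW1.EXE in TEMP and MSXMIDI.EXE in the SERVICES folder (which, as the original poster noticed, does not exist on a stock Windows 98 install), and the HKLM/HKCU duplicate rule catches MSXMIDI.EXE a second time. They do not catch DP-HIM.EXE, which sits in C:\WINDOWS\SYSTEM beside legitimate files; that one was identified by the helper's knowledge of what belongs there, which is the gap a known-good list of Win98 autostarts would have to fill.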

#4 bramalea

bramalea

    Member

  • New Member
  • 4 posts

Posted 25 June 2004 - 12:43 AM

Sorry I just have one more problem. When I open Internet Explorer, my start page is hijacked to www. smartsearch.biz. The URL still displays "about:blank". I use Mozilla all the time, never IE since I don't like it all that much (you know why LOL) but it's still kind of annoying.

edit: This isn't a new problem, it just didn't get cleared up. But the processes are already stopped and I'm happy about that. :)

Edited by bramalea, 25 June 2004 - 12:46 AM.


#5 Bugbatter

Bugbatter

    Forum Deity

  • Trusted Advisor
  • 939 posts

Posted 25 June 2004 - 11:18 AM

Try running Ad-Aware and CWShredder again.
If that does not clear up the problem, it means that there is a hidden file that is reinfecting you. We usually can find that on Win98, so let me know. Thanks.
Microsoft MVP - Consumer Security



