Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

CWS_NS3 Hijacker


  • This topic is locked This topic is locked
9 replies to this topic

#1 Treven711

Treven711

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:42 PM

Posted 15 March 2005 - 01:46 PM

I'm hoping someone has the answer for me. I used Ad-Aware, and Spysweeper to identify. I was using the instructions for "How to remove cws_ns3". The O2 files don't end with 32. The O4 files are my AntiVirus/Spyware exes. Heres what Hijackthis told me (R1-O4):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\uxpdq.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.swift-mail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\uxpdq.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by CenturyTel
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 168.94.74.68:8080
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CIEIntegrator Object - {2178F3FB-2560-458f-BDEE-631E2FE0DFE4} - C:\Program Files\WinAntiVirus 2005 Pro Trial\winpgi.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Documents and Settings\Trev\Desktop\Apps\GetRight\xx2gr.dll
O4 - HKLM\..\Run: [AVTray] "C:\Program Files\WinAntiVirus 2005 Pro Trial\AVTray.exe"
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O8 - Extra context menu item: Download with GetRight - C:\Documents and Settings\Trev\Desktop\Apps\GetRight\GRdownload.htm


Also when I'm trying to identify the file name and name of the malware service (Step 2). There weren't any of the ones listed (Network Security Service, Workstation NetLogon Service, Remote Procedure Call (RPC) Helper).
I do have a few that I thought might be right....NT LM Security Support Provider, RPC, RPC Locator, and workstation. But all of the executable files seem to be system criticals. :thumbsup: Pppplllease help. THanks Treven

BC AdBot (Login to Remove)

 


m

#2 Treven711

Treven711
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:42 PM

Posted 15 March 2005 - 04:24 PM

I think I got the first part figured out. I'm still having problems trying to identify the file name and name of the malware service (Step 2). There weren't any of the ones listed (Network Security Service, Workstation NetLogon Service, Remote Procedure Call (RPC) Helper).
I do have a few that I thought might be right....NT LM Security Support Provider, RPC, RPC Locator, and workstation. But all of the executable files seem to be system criticals. Here is also the new HJT log:

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Trev\Desktop\Internet\Opera\opera.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Trev\Desktop\cwsns3\hijack\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: CIEIntegrator Object - {2178F3FB-2560-458f-BDEE-631E2FE0DFE4} - C:\Program Files\WinAntiVirus 2005 Pro Trial\winpgi.dll
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O8 - Extra context menu item: Download with GetRight - C:\Documents and Settings\Trev\Desktop\Apps\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Documents and Settings\Trev\Desktop\Apps\GetRight\GRbrowse.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Documents and Settings\Trev\Desktop\Apps\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'xfire_lsp.dll' missing
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=laptop
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVScheduler - Unknown owner - C:\Program Files\WinAntiVirus 2005 Pro Trial\AVSchSvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: WinAntivirus - Unknown owner - C:\Program Files\WinAntiVirus 2005 Pro Trial\AVSvc.exe

Thank again

#3 ddeerrff

ddeerrff

    Retired


  • Malware Response Team
  • 2,717 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Upper Midwest, US
  • Local time:07:42 PM

Posted 16 March 2005 - 11:44 AM

The log you posted is missing the header information. If you are not using v1.99.1 please download and install v1.99.1 from this HijackThis download site.

Then please post a fresh complete -including header- HJT log.
Derfram
~~~~~~

#4 Treven711

Treven711
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:42 PM

Posted 16 March 2005 - 12:17 PM

Heres the new one

Logfile of HijackThis v1.99.1
Scan saved at 11:16:34 AM, on 3/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\WinAntiVirus 2005 Pro Trial\AVSvc.exe
C:\Program Files\WinAntiVirus 2005 Pro Trial\AVSchSvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\Trev\Desktop\Apps\AIM\aim.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Trev\Desktop\Internet\Opera\opera.exe
C:\Documents and Settings\Trev\Desktop\cwsns3\hijack\HijackThis.exe
C:\WINDOWS\system32\cidaemon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.swift-mail.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: CIEIntegrator Object - {2178F3FB-2560-458f-BDEE-631E2FE0DFE4} - C:\Program Files\WinAntiVirus 2005 Pro Trial\winpgi.dll
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O8 - Extra context menu item: Download with GetRight - C:\Documents and Settings\Trev\Desktop\Apps\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Documents and Settings\Trev\Desktop\Apps\GetRight\GRbrowse.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Documents and Settings\Trev\Desktop\Apps\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'xfire_lsp.dll' missing
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=laptop
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVScheduler - Unknown owner - C:\Program Files\WinAntiVirus 2005 Pro Trial\AVSchSvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec Ghost Database Service (ngdbserv) - Symantec New Zealand Limited - C:\Program Files\Symantec\Ghost\bin\dbserv.exe
O23 - Service: Symantec Ghost Configuration Server (NGServer) - Symantec New Zealand Limited - C:\Program Files\Symantec\Ghost\ngserver.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: WinAntivirus - Unknown owner - C:\Program Files\WinAntiVirus 2005 Pro Trial\AVSvc.exe

#5 ddeerrff

ddeerrff

    Retired


  • Malware Response Team
  • 2,717 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Upper Midwest, US
  • Local time:07:42 PM

Posted 16 March 2005 - 02:23 PM

Download the following file and save it to your desktop:
http://www.mvps.org/winhelp2002/DelDomains.inf

Right-click on the deldomains.inf file and select 'Install'.


Configure Windows to enable viewing of Hidden and System files.


Start HJT and click on the SCAN button. Put a check mark in front of the following lines if they still show:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=laptop

With ALL OTHER WINDOWS CLOSED, click on Fix Checked.


Then post a fresh log.
Derfram
~~~~~~

#6 Treven711

Treven711
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:42 PM

Posted 17 March 2005 - 01:01 PM

File downloaded and installed, hidden files viewable, and heres the new log:

Logfile of HijackThis v1.99.1
Scan saved at 11:58:41 AM, on 3/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Ghost\ngserver.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\WinAntiVirus 2005 Pro Trial\AVSvc.exe
C:\Program Files\WinAntiVirus 2005 Pro Trial\AVSchSvc.exe
C:\Program Files\Symantec\Ghost\bin\dbserv.exe
C:\Program Files\Symantec\Ghost\bin\rteng6.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Documents and Settings\Trev\Desktop\Internet\Opera\opera.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Trev\Desktop\cwsns3\hijack\HijackThis.exe

O2 - BHO: CIEIntegrator Object - {2178F3FB-2560-458f-BDEE-631E2FE0DFE4} - C:\Program Files\WinAntiVirus 2005 Pro Trial\winpgi.dll
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O8 - Extra context menu item: Download with GetRight - C:\Documents and Settings\Trev\Desktop\Apps\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Documents and Settings\Trev\Desktop\Apps\GetRight\GRbrowse.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Documents and Settings\Trev\Desktop\Apps\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'xfire_lsp.dll' missing
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVScheduler - Unknown owner - C:\Program Files\WinAntiVirus 2005 Pro Trial\AVSchSvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec Ghost Database Service (ngdbserv) - Symantec New Zealand Limited - C:\Program Files\Symantec\Ghost\bin\dbserv.exe
O23 - Service: Symantec Ghost Configuration Server (NGServer) - Symantec New Zealand Limited - C:\Program Files\Symantec\Ghost\ngserver.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: WinAntivirus - Unknown owner - C:\Program Files\WinAntiVirus 2005 Pro Trial\AVSvc.exe

#7 ddeerrff

ddeerrff

    Retired


  • Malware Response Team
  • 2,717 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Upper Midwest, US
  • Local time:07:42 PM

Posted 17 March 2005 - 01:25 PM

WinAntiVirus at this time has a questionable reputation. Some comments can be seen here. A google search will turn up more info. I am not making any judgement concerning WinAntiVirus, but just wanted you to be aware.

Otherwise, your log appears clean. Are there any unaddressed issues?
Derfram
~~~~~~

#8 Treven711

Treven711
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:42 PM

Posted 18 March 2005 - 04:05 PM

I really appreciate the help....deleted that antivirus program, and got Norton Systemworks....just one quick question though, there is a file named cidaemon.exe, know anything about this? THanks

#9 ddeerrff

ddeerrff

    Retired


  • Malware Response Team
  • 2,717 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Upper Midwest, US
  • Local time:07:42 PM

Posted 18 March 2005 - 04:30 PM

That would be Windows indexing. See http://www.liutilities.com/products/wintas...brary/cidaemon/.
Derfram
~~~~~~

#10 ddeerrff

ddeerrff

    Retired


  • Malware Response Team
  • 2,717 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Upper Midwest, US
  • Local time:07:42 PM

Posted 30 March 2005 - 11:55 AM

Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
Derfram
~~~~~~




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users