Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

About:Blank &-? CWS.Homepage


  • Please log in to reply
3 replies to this topic

#1 rcnet

rcnet

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:05:44 PM

Posted 30 March 2005 - 11:27 AM

Hello,

Read some other posts - yikes!. Willing to have a go at it...
PS. Is there any forces out there that acts like the most aggressive members of GreenPeace to go after these clowns who create these destructive software bundles? Heck in my state the fine is $500.00 for littering per incident.

HJT

Logfile of HijackThis v1.99.1
Scan saved at 2:15:29 PM, on 3/29/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\System32\rconsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\MsgSys.EXE
C:\WINNT\System32\wuauclt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\atiptaxx.exe
C:\WINNT\System32\LXSUPMON.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\WINNT\System32\ALGU.EXE
C:\WINNT\System32\SPOOLSV32.EXE
C:\Program Files\LINKSYS\Configuration Utility\Config.exe
C:\Program Files\LINKSYS\WPC11 Config Utility\WPC11Cfg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\System32\mdm.exe
C:\Program Files\PowerArchiver\POWERARC.EXE
C:\DOCUME~1\Admin\LOCALS~1\Temp\HijackThis.exe
C:\Program Files\PowerArchiver\POWERARC.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.blizzard.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=explorer.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1001\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\winnt\downloaded program files\googletoolbar_en_1.1.70-big.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: ATDP Class - {E3D3AFEE-2172-4ef5-8509-1638AFFF0374} - C:\WINNT\atlass.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\downloaded program files\googletoolbar_en_1.1.70-big.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: SToolbar - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - C:\WINNT\stlbd.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [LXSUPMON] C:\WINNT\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKCU\..\Run: [ALGU] C:\WINNT\System32\ALGU.EXE
O4 - HKCU\..\Run: [SPOOLSV32] C:\WINNT\System32\SPOOLSV32.EXE
O4 - Global Startup: Configuration Utility.lnk = C:\Program Files\LINKSYS\Configuration Utility\Config.exe
O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\LINKSYS\WPC11 Config Utility\WPC11Cfg.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {5031C7DE-2850-46B3-8055-A92536DA66E0} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {5031C7DE-2850-46B3-8055-A92536DA66E0} - (no file) (HKCU)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.blizzard.com
O15 - Trusted Zone: *.battle.net
O15 - Trusted Zone: *.blizzard.com
O15 - Trusted Zone: *.battle.net (HKLM)
O15 - Trusted Zone: *.blizzard.com (HKLM)
O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://D:\content\include\XPPatchInstaller.CAB
O16 - DPF: {8B1BC605-C593-4865-8F5B-05517F0CD0BB} (MSSecurityAdvisorCD Class) - file://D:\Content\include\msSecUcd.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DD0EE6E9-3461-4428-988B-FD8E3D06086B}: NameServer = 205.171.3.65 205.171.2.65
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Remote Console (RCONSVC) - Unknown owner - C:\WINNT\System32\rconsvc.exe

BC AdBot (Login to Remove)

 


#2 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:06:44 PM

Posted 30 March 2005 - 04:06 PM

Hello rcnet and welcom to the BC forums. After reviewing your log I see a few items that require our attention. Please proceed with the following steps in order.

Step #1

Important
Your copy of HijackThis needs to be in a folder of it's own. If it is run from Temporary folders the backups and HijackThis itself could be accidentally deleted if the Temporary folders are cleaned.* Please open My Computer
* Double-click on Local Disk (C:)
* Click on the File menu, point to New and then click on Folder. Name the folder 'HijackThis' or 'HJT'.
* Unzip to or copy and paste HijackThis.exe to the new folder. If you have the HijackThis_sfx.exe file then double-click on it and click the Unzip button to install the program properly.
Step #2

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.blizzard.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: ATDP Class - {E3D3AFEE-2172-4ef5-8509-1638AFFF0374} - C:\WINNT\atlass.dll
O3 - Toolbar: SToolbar - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - C:\WINNT\stlbd.dll
O4 - HKCU\..\Run: [ALGU] C:\WINNT\System32\ALGU.EXE
O4 - HKCU\..\Run: [SPOOLSV32] C:\WINNT\System32\SPOOLSV32.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {5031C7DE-2850-46B3-8055-A92536DA66E0} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {5031C7DE-2850-46B3-8055-A92536DA66E0} - (no file) (HKCU)
O15 - Trusted Zone: *.battle.net
O15 - Trusted Zone: *.blizzard.com
O15 - Trusted Zone: *.battle.net (HKLM)
O15 - Trusted Zone: *.blizzard.com (HKLM)

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Step #3

We need to make sure all hidden files are showing so please:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Find the following files/folders and delete them (don't worry if they are already gone):C:\WINNT\atlass.dll
C:\WINNT\stlbd.dll
C:\WINNT\System32\ALGU.EXE
C:\WINNT\System32\SPOOLSV32.EXE

Next, let's clean up the temporary folders:
  • Click Start
  • Point to Programs
  • Point to Accessories
  • Point to System Tools
  • Click Disk Cleanup
  • Select the following items and then click the OK button.
  • Temp Setup Files
  • Downloaded Program Files
  • Temp Internet Files
  • Debug Dump Files
  • Office Setup Files
  • Old chkdsk files
  • Recycle Bin
  • Temp Remote Desktop Files
  • Setup Log Files
  • Temp Files
  • WebClient temp files
Step #4

OK. Reboot your computer normally, start HijackThis and perform a new scan. Post your new log file back here using the Add Reply button and I will review it when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image

#3 rcnet

rcnet
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:05:44 PM

Posted 31 March 2005 - 06:07 AM

Hello OT,

Thank you for your response and advice.

Couple questions if you know, off course.

Why did not the latest of ad-aware and spybot deal with this circumstance.

CWSshredder did not pick up any Coolwebsearch, yet during ad-aware scans after each reboot it would find reg keys and values of coolwebsearch.

Last, when I rebooted to send this response after following your instructions and steps. When I connected and selected IE, in the address line was - About: blank.
No redirect.

Thought the window stayed blank... I inserted www.msn.com... hit go and moved on to internet funtionality, thus I am here now.

Thanks,

Below is the latest HJT Logfile:

Logfile of HijackThis v1.99.1
Scan saved at 2:53:00 AM, on 3/31/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\System32\rconsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\MsgSys.EXE
C:\WINNT\explorer.exe
C:\WINNT\System32\atiptaxx.exe
C:\WINNT\System32\LXSUPMON.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\Program Files\LINKSYS\Configuration Utility\Config.exe
C:\Program Files\LINKSYS\WPC11 Config Utility\WPC11Cfg.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\WINNT\System32\wuauclt.exe
C:\WINNT\System32\wuauclt.exe
C:\HJT-2\HijackThis.exe

F2 - REG:system.ini: Shell=explorer.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1001\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\winnt\downloaded program files\googletoolbar_en_1.1.70-big.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\downloaded program files\googletoolbar_en_1.1.70-big.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [LXSUPMON] C:\WINNT\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Global Startup: Configuration Utility.lnk = C:\Program Files\LINKSYS\Configuration Utility\Config.exe
O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\LINKSYS\WPC11 Config Utility\WPC11Cfg.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.blizzard.com
O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://D:\content\include\XPPatchInstaller.CAB
O16 - DPF: {8B1BC605-C593-4865-8F5B-05517F0CD0BB} (MSSecurityAdvisorCD Class) - file://D:\Content\include\msSecUcd.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Remote Console (RCONSVC) - Unknown owner - C:\WINNT\System32\rconsvc.exe


RC

#4 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:06:44 PM

Posted 31 March 2005 - 10:06 PM

Hi rcnet. Your log looks clean. Congratulations! We have a couple of steps to perform yet but before we do that I'll try and answer some of your questions.

One of the problems with malware today is that it changes so quickly it's virtually impossible for any product to stay up to date. Take CWS for example, I don't even know how many variants there are of that anymore. And then there is the problem of different vendors calling the same infection by different names. There is no standardization between the companies for the exact same piece of malware. So to have CWShredder not find any problems but have AdAware find some indications is not unnormal today. That is why we use multiple tools to make sure that computers are clean. They each have their own strengths and weaknesses. And when we clean computers with HijackThis we are usually picking up things that none of the current applications are finding. If a product would come out that could find every piece of malware out there and clean it effectively then all of us volunteers would be able to spend our time more productively. :thumbsup:

The about:blank that you saw when you started your Internet Explorer was not bad. It was caused by the fact that we removed the entries for a start page and so IE did not know what to do and displayed a blank page. That is a programmed response and is as it should be and is in no way related to the About:Blank infection that is prevalent today. Once you set a new Home Page you will no longer see that.

I would also like to mention that your operating system is extremely out of date and I strongly recommend that you update it as quickly as possible. In its current state you are vulnerable to a wide range of security exploits that Service Pack 2 has patched. To update your operating system see the link below for Microsoft Updates and apply the SP2 update. Once that has been done go back to the MS Update site and apply all of the Critical Updates that are available. Applying Critical Updates should be done every month since new updates come out every month to close newly discovered security holes in IE and the operating system.

Now we have a couple of last steps to perform and then you're all set.

First, let's reset your hidden/system files and folders. System files are hidden for a reason and we don't want to have them openly available and susceptible to accidental deletion.* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View tab.
* Under the Hidden files and folders heading UNSELECT Show hidden files and folders.
* CHECK the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.
Next, let's clean your restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)1. Turn off System Restore.On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Restart your computer.

3. Turn ON System Restore.On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.
[/list]System Restore will now be active again.

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs: SpywareBlaster, SpywareGuard and IESpy-Ad. They will add 1000's of sites to your resticted zone and block some hijacks from happening.

You should also have a good firewall and anti-virus application like the ones you are currently using. It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your system up to date and clean visit Windows Update monthly, run AdAware SE and Spybot Search & Destroy weekly, and be aware of what emails you open and websites you visit.

To learn more about how to protect yourself while on the internet read this article by Tony Klien: So how did I get infected in the first place?

Have a safe and happy computing day!

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users