
CWS removal


  • This topic is locked
13 replies to this topic

#1 Colins

  • Members
  • 6 posts

Posted 19 August 2005 - 10:27 AM

Hi,
I've found CWS.Homepage on my computer using Xoftspy V4.15 but after removal the same infections came back. I downloaded and ran CWShredder V2.15 and they came back again after removal. I have a copy of Hijack this. Which options should I select and who should I send the output to?
Looking forward to your assistance!
Colins.



#2 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 19 August 2005 - 09:01 PM

Hello Colins,

You should only be creating a HijackThis log after you have run Spybot - Search and Destroy and Ad-Aware SE and you are still having problems.

Please follow the instructions and guidelines contained in the following post:

How to submit a Hijackthis Log

After you have posted your HijackThis log, please be patient.

Everyone who helps you here does it as a volunteer and will try to help you as soon as possible.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Colins

  • Topic Starter
  • Members
  • 6 posts

Posted 20 August 2005 - 07:34 AM

Hi,
Below are the posts previously made:
I've found CWS.Homepage on my computer using Xoftspy V4.15 but after removal the same infections came back. I downloaded and ran CWShredder V2.15 and they came back again after removal. I have a copy of Hijack this. Which options should I select and who should I send the output to?
Looking forward to your assistance!
Colins.

This from sifuMike:
Hello Colins,

You should only be creating a HijackThis log after you have run Spybot - Search and Destroy and Ad-Aware SE and you are still having problems.

Please follow the instructions and guidelines contained in the following post:

How to submit a Hijackthis Log

After you have posted your HijackThis log, please be patient.

HiJackThis:

Logfile of HijackThis v1.99.1
Scan saved at 13:31:29, on 20/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\SYSTEM\DRIVER\ntuser.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe
C:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe
C:\WINDOWS\system\driver\csrss.exe
C:\Program Files\Remote Disconnection Utility\RDClient.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\interMute\AdSubtract\AdSub.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Mass Downloader\massdown.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Setup\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:1035
F3 - REG:win.ini: load= D:\APPS\NDW\SCHEDULE.EXE
O2 - BHO: (no name) - {03D78915-B1AC-16AD-2260-68633245C48D} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IECatcher Class - {B930BA63-9E5A-11D3-A288-0000E80E2EDE} - C:\Program Files\Mass Downloader\MDHELPER.DLL
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /runonce
O4 - HKLM\..\Run: [EPSON Stylus Photo RX420 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE /P31 "EPSON Stylus Photo RX420 Series" /O6 "USB001" /M "Stylus Photo RX420"
O4 - Startup: AdSubtract.lnk = C:\Program Files\interMute\AdSubtract\AdSub.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Remote Disconnection Client.lnk = C:\Program Files\Remote Disconnection Utility\RDClient.exe
O8 - Extra context menu item: AdSubtract: Bypass Site - res://C:\Program Files\interMute\AdSubtract\AdSub.exe/360
O8 - Extra context menu item: AdSubtract: Cloak Image - res://C:\Program Files\interMute\AdSubtract\AdSub.exe/361
O8 - Extra context menu item: AdSubtract: Report Site - res://C:\Program Files\interMute\AdSubtract\AdSub.exe/359
O8 - Extra context menu item: Download &All using Mass Downloader - C:\Program Files\Mass Downloader\Add_All.htm
O8 - Extra context menu item: Download using &Mass Downloader - C:\Program Files\Mass Downloader\Add_Url.htm
O9 - Extra button: Mass Downloader - {0FD01980-CCCB-11D3-80D4-0000E80E2EDE} - C:\Program Files\Mass Downloader\massdown.exe
O9 - Extra 'Tools' menuitem: &Mass Downloader - {0FD01980-CCCB-11D3-80D4-0000E80E2EDE} - C:\Program Files\Mass Downloader\massdown.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'xfire_lsp_10908.dll' missing
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NTBOOTMGR (NTBOOT) - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntuser.exe
O23 - Service: NTLOAD - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe
O23 - Service: NTSVCMGR - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#4 Colins

  • Topic Starter
  • Members
  • 6 posts

Posted 20 August 2005 - 10:02 AM

When I ran HijackThis, it suggested that I delete c:\windows\system32\drivers\etc\hosts After doing this the CWS.Homepage items listed in Xoftspy were gone! So I presume the HijackThis log I attached is clean!??
My next question is this - why doesn't SpybotSD or Ad_aware or Xoftspy delete this file? Can I delete it anytime in the future, as it hasn't come back?
Colins.

#5 Papakid

    Guru at being a Newbie

  • Malware Response Team
  • 6,593 posts
  • Gender:Male

Posted 23 August 2005 - 12:20 AM

Hello Colins,

I merged your second topic with your original thread (Topic). Please stick to the same thread. Just click the reply button to the original Topic. Do not create a new topic for your reply. This will cause confusion and a delay in the help you are receiving.

If you have problems finding your original thread, check your email for a link to it or click on My Topics at the top right of any bleepingcomputer forum page. Thanks!

SifuMike will help you when he is available.

The thing about people

is they change

when they walk away.--Mipso


#6 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 23 August 2005 - 02:07 AM

Hello Colins,

it suggested that I delete c:\windows\system32\drivers\etc\hosts After doing this the CWS.Homepage items listed in Xoftspy were gone!


You should not delete the Hosts file completely, as you need the 127.0.0.1 localhost entry in it.

Let's rebuild it so it has that 127.0.0.1 localhost entry. :thumbsup:

Download the HOSTER from here:
http://www.funkytoad.com/download/hoster.zip

Press 'Restore Original Hosts' and press 'OK'.
Exit Program.

****************************************


My next question is this - why doesn't SpybotSD or Ad_aware or Xoftspy delete this file? Can I delete it anytime in the future, as it hasn't come back?

Spybot, Ad-Aware and Xoftspy delete many variants of CWS, but you may have had a new CWS variant. Several years ago there were about 50 known CWS variants, but now there are over 1300 variants.
Each spyware removing tool has different reference files, so one might find and remove it while another one bypasses it. That is the reason it is better to run two spyware removal programs.

I recommend you install SpywareBlaster, as that will prevent spyware from getting on your computer. It prevents over 1300 variants of CWS from running.

Here is a SpywareBlaster tutorial

****************************************

Can I delete it anytime in the future, as it hasn't come back?


It all depends on the CWS variant you have. Some are easier to remove than others.
You should first run Spybot 1.4, Ad-Aware SE, and TrendMicro Online virus scan and see if that removes it. If that does not work, then submit a Hijackthis log to this forum for analysis and we will advise you how to remove it. :flowers:

****************************************

You have some suspicious files we need to check.
Go to
Jotti's malware scan, copy and paste C:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe into the upload box and scan it.

Then do the same for the following files:
C:\WINDOWS\SYSTEM\DRIVER\ntuser.exe
C:\WINDOWS\system\driver\csrss.exe

Let me know the results.
Copy and paste the outputs to this thread

It should look something like this sample:

File: GoogleToolbarInstaller.exe
Status: MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.)
Packers detected: CEXE

AntiVir No viruses found (0.15 seconds taken)
Avast No viruses found (1.51 seconds taken)
BitDefender No viruses found (0.97 seconds taken)
ClamAV No viruses found (0.39 seconds taken)
Dr.Web No viruses found (0.52 seconds taken)
F-Prot Antivirus No viruses found (0.06 seconds taken)
Kaspersky Anti-Virus No viruses found (0.74 seconds taken)
mks_vir No viruses found (0.21 seconds taken)
NOD32 No viruses found (0.42 seconds taken)
Norman Virus Control No viruses found (0.40 seconds taken


Edited by SifuMike, 23 August 2005 - 03:38 PM.

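The point above, that the hosts file must keep its `127.0.0.1 localhost` line while any hijacked entries go, can be checked before reaching for a rebuild tool. The following is an added example, not code from the thread or from HOSTER: it parses a hosts file, confirms the localhost entry, lists entries that send a hostname somewhere other than loopback (the shape a CWS redirect takes), and rebuilds a minimal file. The sample hosts file and the 203.0.113.10 redirect in it are constructed for this example.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample hosts file (not from the thread): the required localhost
# line is present, one entry blocks an ad host (harmless), and one entry
# redirects a real site to a TEST-NET address, which is what a hijack looks like.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       ad.example.net
203.0.113.10    www.example.com   # constructed hijack entry
"""

Entry = Tuple[str, List[str]]


def parse_hosts(text: str) -> List[Entry]:
    """Return (address, [hostnames]) for every active line, ignoring comments."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        parts = line.split()
        if len(parts) < 2:
            continue                          # blank, comment-only or malformed
        entries.append((parts[0], parts[1:]))
    return entries


def has_localhost_entry(entries: List[Entry]) -> bool:
    """True if 'localhost' resolves to 127.0.0.1 somewhere in the file."""
    return any(addr == "127.0.0.1" and "localhost" in names
               for addr, names in entries)


def redirect_entries(entries: List[Entry]) -> List[Tuple[str, str]]:
    """Hostnames pointed at a non-loopback address: candidates for review.

    Loopback (127.x, ::1) and 0.0.0.0 entries only block a host, so they are
    not reported; anything else actually redirects traffic and should be
    justified (an intranet mapping is fine, a search engine is not).
    """
    flagged: List[Tuple[str, str]] = []
    for addr, names in entries:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue                          # not an IP address, skip
        if ip.is_loopback or ip.is_unspecified:
            continue
        flagged.extend((name, addr) for name in names if name != "localhost")
    return flagged


def rebuild_hosts(text: str) -> str:
    """Keep the comment header, drop every mapping, restore the localhost line.

    This mirrors what 'Restore Original Hosts' achieves: a file that is valid
    for Windows and contains no redirects at all.
    """
    kept = [raw for raw in text.splitlines() if raw.lstrip().startswith("#")]
    kept.append("127.0.0.1       localhost")
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    found = parse_hosts(SAMPLE_HOSTS)
    print("localhost entry present:", has_localhost_entry(found))
    for host, addr in redirect_entries(found):
        print(f"review: {host} -> {addr}")
    print(rebuild_hosts(SAMPLE_HOSTS))
```

On a real machine the file to read is C:\WINDOWS\system32\drivers\etc\hosts, and any entry the script reports should be removed rather than the whole file deleted.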

#7 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 28 August 2005 - 12:20 PM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.

#8 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 30 August 2005 - 12:38 PM

topic reopened

#9 Colins

  • Topic Starter
  • Members
  • 6 posts

Posted 30 August 2005 - 01:45 PM

Hi,
Thanks for your help so far, I've done what you asked and here is the output:
(By the way, I renamed the 'DRIVER' directory to 'DRIVER_' and rebooted, with seemingly no ill effects. I did this because my other XP machine does not have this directory, so I thought it would be safe). So what's next?!!! :wacko:
Colins.


File: ntuser.exe
Status:
INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 80858f87275634946eed13b514222cdb
Packers detected:
ASPACK
Scanner results
AntiVir
Found BDS/Iroffer.14b2.B
ArcaVir
Found Trojan.Small.Wp.A16
Avast
Found Win32:Trojano-1333
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
UNA
Found Backdoor.Noer
VBA32
Found BackDoor.Noer



File: services.exe
Status:
INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 e6ff5cd0591ca1f9fcebfb11d75494e9
Packers detected:
ASPACK
Scanner results
AntiVir
Found BDS/Iroffer.14b2
ArcaVir
Found Trojan.Iroffer.14b2
Avast
Found Win32:Iroffer-006
AVG Antivirus
Found BackDoor.Iroffer.3.AG
BitDefender
Found Backdoor.Iroffer.14b2.B
ClamAV
Found nothing
Dr.Web
Found BackDoor.Iroffer.14
F-Prot Antivirus
Found security risk or a "backdoor" program
Fortinet
Found W32/Iroffer
Kaspersky Anti-Virus
Found Backdoor.Win32.Iroffer.14b2
NOD32
Found Win32/Iroffer.1402
Norman Virus Control
Found nothing
UNA
Found nothing
VBA32
Found Backdoor.Win32.Iroffer.14b2


File: csrss.exe
Status:
INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database) (Note: only non-destructive malware has been found. Considering the non-destructive nature of samples like these - although they can be a pain -, results will not be stored in the database.)
MD5 dee02ab15d2431bd7627b43df870a964
Packers detected:
ASPACK
Scanner results
AntiVir
Found BDS/Iroffer.14b2.C
ArcaVir
Found Trojan.Servu-based
Avast
Found Win32:Trojano-1331
AVG Antivirus
Found nothing
BitDefender
Found Trojan.Servu.AZ
ClamAV
Found nothing
Dr.Web
Found not a virus Program.ServUServer.60
F-Prot Antivirus
Found security risk or a "backdoor" program
Fortinet
Found HackerTool/ServUDmn
Kaspersky Anti-Virus
Found not-a-virus:Server-FTP.Win32.Serv-U.gen
NOD32
Found Win32/ServU-Daemon application
Norman Virus Control
Found nothing
UNA
Found nothing
VBA32
Found nothing


File: ntsrv.exe
Status:
INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 906510472f226daf373a500ddfdd7560
Packers detected:
ASPACK
Scanner results
AntiVir
Found BDS/Iroffer.14b2.A
ArcaVir
Found Trojan.Small.Wp.A16
Avast
Found Win32:Trojano-1332
AVG Antivirus
Found nothing
BitDefender
Found Trojan.Runas.A
ClamAV
Found nothing
Dr.Web
Found Trojan.Runas
F-Prot Antivirus
Found nothing
Fortinet
Found Misc/G6service
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
UNA
Found nothing
VBA32
Found Trojan.Runas


:thumbsup:

#10 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 30 August 2005 - 05:14 PM

Hello Colins,

Ewido Security Suite may clean this for us, so let's try that first. :thumbsup:

Download and then install
Ewido Security Suite http://downloads.ewido.net/ewido-setup.exe

When installing, under "Additional Options" Uncheck "Install background guard" and "Install scan via context menu".
When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK.
We'll fix that later
From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido for now, we'll need it later
If for some reason the Updater won't work can you manually download the
Updates from this link after you have Ewido installed
http://www.ewido.net/en/download/updates/

How to Reboot into Safe Mode
Tap the F8 key during reboot until the boot menu appears, use the arrow keys to choose "Safe Mode" from the menu, then press the "Enter" key.


Reboot to Safe Mode

Open Ewido Security Suite
Give it time to load
Click on the Scanner button on the left menu
Click on the Settings button on the right
Select "Scan Every File"
OK it and then click on the "Complete System Scan"
*If Ewido finds something it will prompt you with "Infected Object found"
Ensure the following are Selected
*1. Perform Action = Remove
*2. Create Encrypted Backup in Quarantine (Recommended)
*3. Perform action with all infections
Then click OK
When Ewido has finished its scan click the "Save Report" button
Save the report to desktop
Exit Ewido
*******************************************

I am not sure where you found this file services.exe, as it is not one of the ones I asked you to Jotti scan. It is good you did scan it, as Jotti says it is bad. :flowers:

We have to be careful with that file, because there is a legit services.exe.

services.exe is a part of the Microsoft Windows Operating System and manages the operation of starting and stopping services. This process also deals with the automatic starting of services during the computer's boot-up and the stopping of services during shut-down.


Where did you find it? Is this the file from C:\WINDOWS\system32\services.exe? Or did you find it in C:\WINDOWS\SYSTEM\DRIVER\ folder?

All the other bad files are in C:\WINDOWS\SYSTEM\DRIVER\ folder, so we will go ahead and delete those.

Could you also let me know what other files are residing in the following folder
C:\WINDOWS\SYSTEM\DRIVER <==folder

We will leave the services.exe for the next Hijackthis removal process.

*******************************************

We have to stop some services.

Click Start > Run and type in Services.msc
Click OK
In the Services box, click the Extended tab.

Scroll down to:
NTBOOTMGR
Click Stop, then Disable

Reboot your computer.

*******************************************

Open HijackThis. Click on 'Open the miscellaneous tools section'
Click on 'Delete an NT Service'
Paste in this:
NTBOOT
and click 'OK'

Reboot your computer.

*******************************************

Click Start > Run and type in Services.msc
Click OK
In the Services box, click the Extended tab.

Scroll down to:
NTLOAD
Click Stop, then Disable

Reboot your computer.

*******************************************

Click Start > Run and type in Services.msc
Click OK
In the Services box, click the Extended tab.

Scroll down to:
NTSVCMGR
Click Stop, then Disable

Reboot your computer.


*******************************************

How to Reboot into Safe Mode
Tap the F8 key during reboot until the boot menu appears, use the arrow keys to choose "Safe Mode" from the menu, then press the "Enter" key.


Please boot into Safe Mode, go to HijackThis->Config->Misc. Tools->Open process manager. Select the following and click “Kill process” for each.
C:\WINDOWS\system\driver\csrss.exe
C:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe
C:\WINDOWS\SYSTEM\DRIVER\ntuser.exe


While in the Safe Mode, select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix".

O23 - Service: NTBOOTMGR (NTBOOT) - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntuser.exe
O23 - Service: NTLOAD - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe
O23 - Service: NTSVCMGR - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe


*******************************************

Next, we're going on a file hunt.
Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders' and deselect (uncheck) 'hide protected operating system files (recommended)'.

Using Windows Explorer, find and delete each of the following. If you can't delete an item, right-click it and click properties. Make sure 'read-only' is unchecked.
If you still can't delete something, right-click it and rename it to a random word. Then drag the item to a different location. Try deleting it now. If you still can't, be sure to let me know.

Using Windows Explorer, delete the following files/folders in bold (Do not be concerned if they do not exist)

C:\WINDOWS\SYSTEM\DRIVER\ntuser.exe <==file
C:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe <==file
C:\WINDOWS\system\driver\csrss.exe <==file


*******************************************


Let's empty the temp files:

Download CCleaner and install it. (default location is best).
Select the Windows Tab, Run CCleaner ,(click Run Cleaner (bottom right) then, when it finishes scanning click Exit.)
When you see "Complete" on the top line, it's done. It's very fast.

I recommend that you DO NOT run anything under the Issues button and the Applications Tab. To prevent accidentally running the Issues Tab and Applications tabs, clear all check boxes under them.

*******************************************


Finally, reboot to the Normal Mode and post a new Hijackthis log, include the Ewido log, and tell me how your computer is running.

Edited by SifuMike, 31 August 2005 - 12:38 AM.

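The two judgements SifuMike applied to the log above (a core Windows process name such as csrss.exe running from somewhere other than its real directory, and an "Unknown owner" O23 service whose binary sits outside system32 or Program Files) can be automated for triage. This is an added example, not code from the thread or from HijackThis: it parses the log format, applies both rules and returns what they flag. The sample log is a constructed excerpt of the one posted in this thread, and the list of core processes with their expected directories is an assumption for Windows XP.

```python
import ntpath
import re
from typing import Dict, List, Tuple

# Constructed excerpt of the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SYSTEM\DRIVER\ntuser.exe
C:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe
C:\WINDOWS\system\driver\csrss.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:1035
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: NTBOOTMGR (NTBOOT) - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntuser.exe
O23 - Service: NTLOAD - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe
O23 - Service: NTSVCMGR - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe
"""

# Assumption for Windows XP: each core process has exactly one legitimate home.
# A file with one of these names anywhere else is borrowing the name.
CORE_PROCESS_DIRS: Dict[str, str] = {
    "smss.exe": "c:\\windows\\system32",
    "csrss.exe": "c:\\windows\\system32",
    "winlogon.exe": "c:\\windows\\system32",
    "services.exe": "c:\\windows\\system32",
    "lsass.exe": "c:\\windows\\system32",
    "svchost.exe": "c:\\windows\\system32",
    "spoolsv.exe": "c:\\windows\\system32",
    "explorer.exe": "c:\\windows",
}

# Directories where an unattributed service binary is still plausible.
TRUSTED_SERVICE_PREFIXES = ("c:\\windows\\system32\\", "c:\\program files\\")

O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def parse_log(text: str) -> Tuple[List[str], List[Dict[str, str]]]:
    """Split a HijackThis log into running-process paths and O23 service entries."""
    processes: List[str] = []
    services: List[Dict[str, str]] = []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:                      # the list ends at the first blank line
            if line:
                processes.append(line)
            else:
                in_processes = False
            continue
        match = O23_RE.match(line)
        if match:
            services.append(match.groupdict())
    return processes, services


def masquerading_processes(processes: List[str]) -> List[str]:
    """Core process names running from a directory other than their real one."""
    flagged = []
    for path in processes:
        expected = CORE_PROCESS_DIRS.get(ntpath.basename(path).lower())
        if expected and ntpath.dirname(path).lower() != expected:
            flagged.append(path)
    return flagged


def suspicious_services(services: List[Dict[str, str]]) -> List[str]:
    """'Unknown owner' services whose binary lives outside the trusted directories."""
    return [svc["name"] for svc in services
            if svc["owner"] == "Unknown owner"
            and not svc["path"].lower().startswith(TRUSTED_SERVICE_PREFIXES)]


def triage(text: str) -> Dict[str, List[str]]:
    processes, services = parse_log(text)
    return {"processes": masquerading_processes(processes),
            "services": suspicious_services(services)}


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LOG).items():
        for item in items:
            print(f"{kind}: {item}")
```

The output names the same three services and the misplaced csrss.exe that the removal steps above target; ntuser.exe and ntsrv.exe are caught through the services they back rather than by name.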

#11 Colins

  • Topic Starter
  • Members
  • 6 posts

Posted 01 September 2005 - 04:04 PM

Hi,
I did everything you said; both ewido and hijackthis logs are below. Note I had renamed the DRIVER_ directory. This actually helped with deletion as the processes were not running. I didn't read your instructions fully and used the default deletion settings in CCleaner, hope this doesn't cause any other problems. Otherwise everything appears to be fine. :thumbsup:
colins.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 18:37:48, 01/09/2005
+ Report-Checksum: 57B00366

+ Scan result:

HKU\S-1-5-21-1214440339-1993962763-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{999A06FF-10EF-4A29-8640-69E99882C26B} -> Spyware.Begin2Search : Cleaned with backup
HKU\S-1-5-21-1214440339-1993962763-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F14AABDD-0232-4E5A-9B52-4178AC0A62B5} -> Spyware.AdSubtract : Cleaned with backup
C:\Documents and Settings\Barbi\Cookies\barbi@247realmedia[1].txt -> Spyware.Cookie.247realmedia : Cleaned with backup
C:\Documents and Settings\Barbi\Cookies\barbi@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Barbi\Cookies\barbi@adopt.euroclick[1].txt -> Spyware.Cookie.Euroclick : Cleaned with backup
C:\Documents and Settings\Barbi\Cookies\barbi@adtech[2].txt -> Spyware.Cookie.Adtech : Cleaned with backup
C:\Documents and Settings\Barbi\Cookies\barbi@adviva[2].txt -> Spyware.Cookie.Adviva : Cleaned with backup
C:\Documents and Settings\Barbi\Cookies\barbi@atdmt[1].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Barbi\Cookies\barbi@cnn.122.2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Barbi\Cookies\barbi@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Barbi\Cookies\barbi@data.coremetrics[1].txt -> Spyware.Cookie.Coremetrics : Cleaned with backup
C:\Documents and Settings\Barbi\Cookies\barbi@e-2dj6wjliqidjidp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Barbi\Cookies\barbi@estat[1].txt -> Spyware.Cookie.Estat : Cleaned with backup
C:\Documents and Settings\Barbi\Cookies\barbi@fastclick[1].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Barbi\Cookies\barbi@hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Barbi\Cookies\barbi@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Barbi\Cookies\barbi@paypopup[1].txt -> Spyware.Cookie.Paypopup : Cleaned with backup
C:\Documents and Settings\Barbi\Cookies\barbi@pro-market[1].txt -> Spyware.Cookie.Pro-market : Cleaned with backup
C:\Documents and Settings\Barbi\Cookies\barbi@qksrv[1].txt -> Spyware.Cookie.Qksrv : Cleaned with backup
C:\Documents and Settings\Barbi\Cookies\barbi@statcounter[2].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\Documents and Settings\Barbi\Cookies\barbi@statse.webtrendslive[2].txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
C:\Documents and Settings\Barbi\Cookies\barbi@tradedoubler[1].txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
C:\Documents and Settings\Barbi\Cookies\barbi@tribalfusion[2].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\WINDOWS\system\Driver_\csrss.exe -> Backdoor.ServU-based : Cleaned with backup
C:\WINDOWS\system\Driver_\Driver_.jim/services.exe -> Backdoor.Iroffer.14b2 : Cleaned with backup
C:\WINDOWS\system\Driver_\Driver_.jim/csrss.exe -> Backdoor.ServU-based : Cleaned with backup
C:\WINDOWS\system\Driver_\services.exe -> Backdoor.Iroffer.14b2 : Cleaned with backup
D:\Setup\Jaws\byl.exe -> TrojanDownloader.INService.i : Cleaned with backup
D:\Backup\E\GAMES\eraze.exe -> Not-A-Virus.Joke.JepRuss : Cleaned with backup
D:\System Volume Information\_restore{3266E26E-0D4F-445D-8491-1242C8B8F226}\RP397\A0118723.EXE -> Adware.Gator : Cleaned with backup
D:\System Volume Information\_restore{3266E26E-0D4F-445D-8491-1242C8B8F226}\RP397\A0118724.EXE -> Adware.Gator : Cleaned with backup


::Report End



Logfile of HijackThis v1.99.1
Scan saved at 21:44:43, on 01/09/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Remote Disconnection Utility\RDClient.exe
C:\Program Files\interMute\AdSubtract\AdSub.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Mass Downloader\massdown.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:1035
F3 - REG:win.ini: load= D:\APPS\NDW\SCHEDULE.EXE
O2 - BHO: (no name) - {03D78915-B1AC-16AD-2260-68633245C48D} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IECatcher Class - {B930BA63-9E5A-11D3-A288-0000E80E2EDE} - C:\Program Files\Mass Downloader\MDHELPER.DLL
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /runonce
O4 - HKLM\..\Run: [EPSON Stylus Photo RX420 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE /P31 "EPSON Stylus Photo RX420 Series" /O6 "USB001" /M "Stylus Photo RX420"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - Startup: AdSubtract.lnk = C:\Program Files\interMute\AdSubtract\AdSub.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Remote Disconnection Client.lnk = C:\Program Files\Remote Disconnection Utility\RDClient.exe
O8 - Extra context menu item: AdSubtract: Bypass Site - res://C:\Program Files\interMute\AdSubtract\AdSub.exe/360
O8 - Extra context menu item: AdSubtract: Cloak Image - res://C:\Program Files\interMute\AdSubtract\AdSub.exe/361
O8 - Extra context menu item: AdSubtract: Report Site - res://C:\Program Files\interMute\AdSubtract\AdSub.exe/359
O8 - Extra context menu item: Download &All using Mass Downloader - C:\Program Files\Mass Downloader\Add_All.htm
O8 - Extra context menu item: Download using &Mass Downloader - C:\Program Files\Mass Downloader\Add_Url.htm
O9 - Extra button: Mass Downloader - {0FD01980-CCCB-11D3-80D4-0000E80E2EDE} - C:\Program Files\Mass Downloader\massdown.exe
O9 - Extra 'Tools' menuitem: &Mass Downloader - {0FD01980-CCCB-11D3-80D4-0000E80E2EDE} - C:\Program Files\Mass Downloader\massdown.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'xfire_lsp_10908.dll' missing
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InCD Helper (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#12 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 01 September 2005 - 04:39 PM

Hi Colins,

The log looks clean! :thumbsup: Good job on the cleanup!


Let's clean your System Restore points and set a new one:

Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files. (You will lose all previous restore points, which are likely to be infected.)

1. Turn off System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Restart your computer.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-check Turn off System Restore.
Click Apply, and then click OK.

System Restore will now be active again.

Please read and follow Groovicus' Guide to Simple PC Security to help keep yourself from becoming infected again.

Edited by SifuMike, 01 September 2005 - 04:43 PM.

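A scripted equivalent of the three System Restore steps above, added here as an example and not part of SifuMike's post or of any tool mentioned in the thread. It uses the Windows PowerShell cmdlets Disable-ComputerRestore, Enable-ComputerRestore, Checkpoint-Computer and Get-ComputerRestorePoint, which ship in the Microsoft.PowerShell.Management module on client editions of Windows from PowerShell 2.0 onward, so it applies to later Windows versions rather than the XP Control Panel path the post walks through. The drive letter and the restore-point description are assumptions; the script must run from an elevated prompt.

```powershell
# Added example (not from the original post): reset System Restore so that
# restore points holding copies of cleaned-up malware are discarded, then
# re-enable protection and create one fresh, known-clean checkpoint.
# Assumptions: the system drive is C:, and this runs in an elevated
# PowerShell session on a client edition of Windows (PowerShell 2.0 or later).

$Drive       = "C:\"                                      # assumed system drive
$Description = "Clean baseline after malware removal"     # assumed label

# Record what exists before the reset so the before/after difference is visible.
$before = @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue)
Write-Host ("Restore points before reset: {0}" -f $before.Count)
$before | Format-Table SequenceNumber, CreationTime, Description -AutoSize

# Step 1 of the post: turn System Restore off on the drive. As the post says,
# switching protection off is what discards the existing (possibly infected)
# restore points for that drive.
Disable-ComputerRestore -Drive $Drive

# Step 2 of the post is a reboot. The cmdlet path does not require one;
# uncomment the next line to follow the post exactly.
# Restart-Computer -Force

# Step 3 of the post: turn System Restore back on, then create a fresh
# checkpoint so the machine has a clean baseline to roll back to.
Enable-ComputerRestore -Drive $Drive
Checkpoint-Computer -Description $Description -RestorePointType "MODIFY_SETTINGS"

# Verify: only the new checkpoint should be listed now.
$after = @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue)
Write-Host ("Restore points after reset: {0}" -f $after.Count)
$after | Format-Table SequenceNumber, CreationTime, Description -AutoSize
```

One caveat worth checking when you verify the result: on Windows 8 and later, Checkpoint-Computer refuses to create a second restore point within 24 hours of the previous one (it emits a warning rather than an error), so if the final listing shows no checkpoint, that throttle rather than a failed reset is the likely cause.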

#13 Colins

  • Topic Starter
  • Members
  • 6 posts

Posted 06 September 2005 - 05:32 AM

Done all that, new restore points set, Mozilla Firefox used ipo IE. Thanks again for all your help. You can close the thread now.
Colins. :thumbsup:

#14 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 06 September 2005 - 09:32 AM

Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.