Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

HJT Log-Luke


  • Please log in to reply
5 replies to this topic

#1 Punkbus

Punkbus

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:08:27 PM

Posted 25 October 2004 - 01:52 AM

I ran into the CoolWebSearch problem while surfing, I am a little inexperienced so i decided to submit the log: (After the log is the description of what happened)

Logfile of HijackThis v1.98.2
Scan saved at 3:41:51 PM, on 10/25/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE
C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\TEMP\FSG_4104.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINSM32.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\Program Files\Norton SystemWorks\Norton CleanSweep\Monwow.exe
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ALTNET\DOWNLOAD MANAGER\ASM.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\DESKTOP\HIJACK THIS\HIJACKTHIS.EXE

R3 - URLSearchHook: (no name) - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
F1 - win.ini: run=C:\WINDOWS\SYSTEM\SERVICES\WEB.EXE
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: BHO Class - {CBEFB350-ED5B-4115-B846-C1041676B377} - C:\WINDOWS\SYSTEM\CUSTOMIE.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [P2P NETWORKING] C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE /AUTOSTART
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [OmgStartup] C:\Program Files\Common Files\Sony Shared\OpenMG\OmgStartup.exe
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [SearchUpgrader] C:\Program Files\Common files\SearchUpgrader\SearchUpgrader.exe
O4 - HKLM\..\Run: [Win Comm] C:\PROGRAM FILES\WIN COMM\WINCOMM.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ATIPOLL] ati2evxx.exe
O4 - HKLM\..\RunServices: [ATISmart] C:\WINDOWS\SYSTEM\ati2s9ag.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsm32.exe
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200404...meInstaller.exe
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...93d90b6f3b1da5e
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab

When first encountered the problem, norton antivirus, alerted me of a malicios script I think it was, it said it was repairable so I repaired and it still broke through somehow, Icons immediately popped out of nowhere onto the desktop, and I found that i had encountered malware. I found that trying to Uninstall the 'search uninstaller' in the add/remove programs list was useless, I deleted as many files assosciated with the malware, such as MyWay search bar, and WEB.exe. I found that some of the files were not deleteable as they were running in the background.

After running AdAware I found 1 Unfixable registry value:

COOLWEBSEARCH
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
obj[0]=RegValue : SOFTWARE\Microsoft\Internet Explorer\Main


Please reply with what needs to be checked in the log.

Kind regards
Luke

BC AdBot (Login to Remove)

 


#2 CalamityKen

CalamityKen

  • Members
  • 128 posts
  • OFFLINE
  •  
  • Location:Whitby. Ont.
  • Local time:08:27 PM

Posted 25 October 2004 - 10:25 AM

Punkbus, welcome.

Please print this out and follow ALL these directions carefully.

CWS is a nasty persistant infection that keeps mutating to any new way of hijacking people's systems and is now being spread through file (music) sharing applications.

If you insist on running file (music) sharing applications like P2P Networking and KaZaa then you will continually be infected by all kinds of nasties in the downloaded files.
This is the new prefered method of virus/worm/trojan spreaders to get into your system and there will be no detection nor removal capability for days/weeks.
The spreaders count on this time to do their nastieness and create new nasties that are not detected.

Go to Add/Remove Programs and uninstall P2P Networking, KaZaa and Points Manager

The system is infected with one of the mutations of WORM_AGOBOT by the presence of WINCOMM.EXE because you have not been updating your anti virus definitions and not keeping up with All Windows Critical Updates.

http://securityresponse.symantec.com/avcen...gaobot.afj.html

Run an online virus scan:
http://housecall.trendmicro.com
http://www.mcafee.com/myapps/mfs/default.asp

Make sure 'show all files' is enabled:
http://service1.symantec.com/SUPPORT/tsgen...=&osv=&osv_lvl=

Boot into Safe Mode by tapping F8 key repeatedly at bootup.
More detailed instructions here:
http://service1.symantec.com/SUPPORT/tsgen...001052409420406

Delete if still present:
C:\WINDOWS\SYSTEM\CUSTOMIE.DLL
C:\WINDOWS\SYSTEM\SERVICES\WEB.EXE
<== files

c:\program files\altnet
C:\Program Files\Common files\SearchUpgrader
C:\Program Files\Kazaa
C:\PROGRAM FILES\WIN COMM
C:\WINDOWS\SYSTEM\P2P NETWORKING
<== folders

Start HijackThis and tick the boxes next to all these, then close all browser and explorer windows, and tell HijackThis to "Fix checked" if still present.

R3 - URLSearchHook: (no name) - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
F1 - win.ini: run=C:\WINDOWS\SYSTEM\SERVICES\WEB.EXE
O2 - BHO: BHO Class - {CBEFB350-ED5B-4115-B846-C1041676B377} - C:\WINDOWS\SYSTEM\CUSTOMIE.DLL
O4 - HKLM\..\Run: [P2P NETWORKING] C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE /AUTOSTART
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [SearchUpgrader] C:\Program Files\Common files\SearchUpgrader\SearchUpgrader.exe
O4 - HKLM\..\Run: [Win Comm] C:\PROGRAM FILES\WIN COMM\WINCOMM.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -


Reboot and Install the prevention protection below and help your friends from being infected on the Internet.

Empty the Recycle Bin.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there.
Index.dat Suite helps with this.
http://support.it-mate.co.uk/?mode=Products&p=index.datsuite

Insure that Index.dat Suite is Setup to empty the Temp folders especially
C:\WINDOWS\Temp
then run the Find and create the run.bat and reboot to have it remove what it finds.

Download and install WinPatrol.
http://www.winpatrol.com

Browser settings for increased security:
http://bshagnasty.home.att.net/browsersettings.htm

Install IE-SPYAD then run the install.bat in the ie-spyad folder and SpywareBlaster then keep them up to date as today's Internet is full of nasty infections.
https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD
http://www.javacoolsoftware.com/spywareblaster.html

#3 Punkbus

Punkbus
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:08:27 PM

Posted 26 October 2004 - 09:55 AM

I have cleaned up my PC, during the deleting of some files, i noticed the 'runonce.exe' file in my C:/WINDOWS folder, should I delete this, coz I think i read something about it being related to the coolwebsearch problem.

also when i used HijackThis in Safemode, I noticed that some of the parts of the log were no longer there.

These parts were:

O4 - HKLM\..\Run: [P2P NETWORKING] C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE /AUTOSTART
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -

This was after I deleted:

the altnet folder
and uninstalled Kazzaa and deleted its folder,
and delted the P2P networking folder

Also 'Search Uninstaller' is still in my Add/Remove Programs and cant be uninstalled. one other thing is concerning me though, I run SpyBot, and each scan picks up a 'DSO Exploit' ( which cant seem to be fixed)

Here is the details-
DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

Is this important?

Thanks
Luke

#4 CalamityKen

CalamityKen

  • Members
  • 128 posts
  • OFFLINE
  •  
  • Location:Whitby. Ont.
  • Local time:08:27 PM

Posted 26 October 2004 - 11:37 AM

Luke, please post a current HijackThis log here.

The entries that were no longer there as they were uninstalled correctly. That is why I put "if still present" in the instructions.

Also 'Search Uninstaller' is still in my Add/Remove Programs and cant be uninstalled.

Some applications do not uninstall cleanly and this looks like one of them. It is a bit hard to remove this as it takes using the registry editor and looking for the Add/Remove entry and deleting it.

The DSO exploit is a false indication and is fixed by an update to Spybot S&D as long as you are running v1.3.

The fix is available on MajorGeeks under:
http://majorgeeks.com/download.php?det=4392

Edited by CalamityKen, 26 October 2004 - 11:41 AM.


#5 Metallica

Metallica

    Spyware Veteran


  • Malware Response Team
  • 216 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Netherlands
  • Local time:03:27 AM

Posted 29 October 2004 - 02:35 PM

Hi guys,

Sorry for barging in. :thumbsup:

I am looking for a copy of C:\WINDOWS\SYSTEM\CUSTOMIE.DLL

Could you please look for the backup HijackThis made and send it to me?
Your backups should be in the folder
C:\WINDOWS\DESKTOP\HIJACK THIS\backups

The backup of the dll will be displayed as a dll with the date you removed it in it's name.

Please send the (preferably zipped) file to pieterATwilderssecurity.org (replace AT with @)

TIA,

Regards,

Pieter
How can I be lost, if I've got nowhere to go?
My blog
MS-MVP Consumer Security 2003-2015

#6 Metallica

Metallica

    Spyware Veteran


  • Malware Response Team
  • 216 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Netherlands
  • Local time:03:27 AM

Posted 31 October 2004 - 09:54 AM

Found it elsewhere in the meantime.

FYI

Scanned file: CustomIE.dll
CustomIE.dll - packed with UPX
CustomIE.dll - infected by Trojan.Win32.StartPage.po

Regards,

Pieter
How can I be lost, if I've got nowhere to go?
My blog
MS-MVP Consumer Security 2003-2015




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users