
CWS and Agobot-KU Infection. IE Hijacked and External System Control Occurred and Strange Phone Calls.


#1 SleeplessInBama


  • Members
  • 1 posts
  • Local time:01:29 AM

Posted 11 April 2006 - 10:14 PM

Home system was getting really slow and doing strange things like putting additional buttons (BHOs?) in Internet Explorer (IE). Also very slow and often had to click buttons several times to get the mouse to register. Thought it was a dirty mouse but cleaning it made no difference. Also it would open different web sites (porn mostly) and download who knows what. Popups galore etc. Sometimes it would go to different websites than intended. Looking back on it, that may have occurred more than at first thought, since some are similar to the intended site so you don't always notice so much. Other times it wouldn't open a website (acted like it didn't exist) and just displayed blank. Suspected spyware infection or worse. Downloaded Ad-Aware and that found tons at first and improved it a lot. But still would continue to get more infections every time on the net. This state persisted for the last 4 or 5 months.
Then a few days ago I was on the system late at night looking at stock accounts and other stuff on the network. System acting VERY strange. Closing stock website window automatically, having to click many times to get stuff to react etc. Thought it was just Windows sucking wind some more (it always gets slower the longer you use it, you know). Took a break and just sat for about 5 minutes half falling asleep when suddenly the mouse started moving and clicking stuff etc. Very wild. At first thought it was a mouse mess-up but didn't take too long to figure out the mouse movements were intentional and not random movements. Didn't know what to do so I just pulled the plug (DSL) and it stopped. Today received a phone call while I was in the process of getting rid of it as best I could. Person asked me, "Hello, is this MYNAME?". I said "yes". Answer was, "Just letting you know" then a hangup. :thumbsup: I have changed over the stock trading accounts and did other things as best I knew how. Found that the stock trade was redirected as was poker site DNS and TONs of other stuff (or at least that was my take on the Hosts file stuff).
I have Ad-Aware loaded which is great except you have to run it manually (free version) instead of having it monitor the connection. I also had NO firewall established ( :flowers: ). Also was running AVAST anti-virus (free version) at the time, which has detected viruses in the past and does a bang-up job. Most recently it found a "Thanksgiving virus" on Thanksgiving Day.
After much shock and panicked investigation I have come to this point. Have run many spyware programs and antivirus stuff and have followed the instructions from this site before sending in this topic. At this point I have (I believe) gotten rid of Agobot-KU with Spybot ( :huh: ) as well as many others, but CWS is a real bugger. Unfortunately I cleaned out the log from Spybot that it made because the buttons on Spybot are all messed up on the confirmation dialog box (are they messed up for everyone or is that a result of the infection?). This resulted in my having to reinstall Spybot to keep Spybot's remember-response feature from automatically allowing CWS to reinstall itself. Since then I managed to figure out that the buttons are mislabeled for some reason (I suspect because of some infection). Once I figured out what each of the buttons in Spybot's confirmation dialog ACTUALLY does I was able to tab over to the proper buttons (drawn under the others' labels) and remove CWS from the start menu. However, after a reboot, if IE is reopened Spybot will inform me that the same CWS file is trying to get back into the Startup stuff.
Hope that made sense. Anyway, after 3 days of getting to this point I finally decided to ask for help. I have performed everything in your instructions and now have run Ad-Aware, SpyBot, Avast, HouseCall, BitDefender, Panda, McAfee Stinger, and installed ZoneLabs firewall. ZoneLabs firewall gave me an incompatibility message with AVAST. I disabled AVAST during the install as instructed and re-enabled it afterwards. So far see no probs with AVAST and Zone. I have also updated to the latest Microsoft Windog :huh: version.
From what I have been able to learn I think he must have gotten in through AGOBOT-KU since that was hard to remove as well. But I could be wrong. Regardless, I think originally there were about 10 hits in Spybot and now I think I am down to just the one (i.e. CWS). Anyhow. Sorry for being so long-winded. Here is the log file from HijackThis.

Logfile of HijackThis v1.99.1
Scan saved at 9:06:48 PM, on 4/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\eMachines Bay Reader\shwiconem.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Steve Perreault\Desktop\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.ask.com/web?q=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
N2 - Netscape 6: # Mozilla User Preferences
// This is a generated file!

user_pref("browser.history.last_page_visited", "https://acctmgt.comcast.net/Comcast/AcctMgt/forgotpwd.cmd");
user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src");
user_pref("browser.startup.homepage_override.mstone", "rv:0.9.4");
user_pref("prefs.converted-to-utf8", true);
user_pref("signon.SignonFileName", "29241393.s");
user_pref("timebomb.first_launch_time", "1129241190968000");
user_pref("browser.helperApps.neverAsk.openFile", "application%2Fx-java-jnlp-file");
(C:\Documents and Settings\Steve Perreault\Application Data\Mozilla\Profiles\default\r9nleidl.slt\prefs.js)
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll (disabled by BHODemon)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: askBar BHO - {5A074B21-F830-49de-A31B-5BB9D7F6B407} - C:\Program Files\AskBar\bar\bin\askBar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (disabled by BHODemon)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Ask Toolbar - {5A074B29-F830-49de-A31B-5BB9D7F6B407} - C:\Program Files\AskBar\bar\bin\askBar.dll
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\eMachines Bay Reader\shwiconem.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WLAN Monitor & Configuration.lnk = C:\WINDOWS\system32\monitorsmc.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Save Image to Folder - res://C:\Program Files\AskBar\bar\bin\askBar.dll/saveimagestofolder.html
O8 - Extra context menu item: &Save Image to MyStuff - res://C:\Program Files\AskBar\bar\bin\askBar.dll/saveimages.html
O8 - Extra context menu item: &Save Link to Folder - res://C:\Program Files\AskBar\bar\bin\askBar.dll/saveltof.html
O8 - Extra context menu item: &Save Link to MyStuff - res://C:\Program Files\AskBar\bar\bin\askBar.dll/savelink.html
O8 - Extra context menu item: &Save Page to Folder... - res://C:\Program Files\AskBar\bar\bin\askBar.dll/savepagetofolder.html
O8 - Extra context menu item: &Save this Page to MyStuff - res://C:\Program Files\AskBar\bar\bin\askBar.dll/savewebpage.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O15 - Trusted Zone: http://spybot.eon.net.au
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O16 - DPF: {77DD44BF-551D-4E3C-82CD-D637D5018D3C} -
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in) -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} -
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Plug-in) -
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Thanks in advance for any attention you can give this. Have read your other helps for others with similar probs and you guys seem great.
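The log above is in HijackThis's line-oriented format: a section code (R0, N2, O2, O4, O9, O16, O23 and so on), a dash, then the entry, with a few entries such as the N2 Netscape block continuing over several lines. As an added example (not part of this thread, and not a BleepingComputer or HijackThis tool), here is a small Python triage script that parses a log in that format and flags the entries a helper looks at first: components whose file is missing, BHOs with no name, Trusted Zone additions, ActiveX downloads with no object name, hosts-file overrides, and start or default pages that point outside an expected set of hosts. The sample lines are copied from the log above plus one constructed O1 hosts entry; the expected-host set passed to the script is an assumption chosen for the example, not something the poster stated.

```python
"""Triage helper for HijackThis-style logs.

Added example for this thread; not a BleepingComputer or HijackThis tool.
"""
import re
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional
from urllib.parse import urlparse

# Sample input: lines copied from the log posted above, plus one constructed
# O1 hosts-file entry (192.0.2.10 is a documentation address, not a real host).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
N2 - Netscape 6: # Mozilla User Preferences
user_pref("browser.startup.homepage_override.mstone", "rv:0.9.4");
O1 - Hosts: 192.0.2.10 www.example.com
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O2 - BHO: askBar BHO - {5A074B21-F830-49de-A31B-5BB9D7F6B407} - C:\Program Files\AskBar\bar\bin\askBar.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O15 - Trusted Zone: http://spybot.eon.net.au
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
"""

# An entry starts with a section code, e.g. "O2 - ..."; anything else after the
# first entry is treated as a continuation of the previous entry (the N2 block).
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass
class Entry:
    code: str
    body: str
    clsid: Optional[str] = None
    flags: List[str] = field(default_factory=list)


def parse_log(text: str) -> List[Entry]:
    """Split a log into entries; header lines before the first entry are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.rstrip()
        m = ENTRY_RE.match(line)
        if m:
            body = m.group("body")
            c = CLSID_RE.search(body)
            entries.append(Entry(m.group("code"), body, c.group(0) if c else None))
        elif line and entries:
            entries[-1].body += "\n" + line
    return entries


def classify(entry: Entry, expected_hosts: FrozenSet[str] = frozenset()) -> List[str]:
    """Return the reasons an entry deserves a closer look (empty list = nothing notable)."""
    body, flags = entry.body, []
    if "(no file)" in body or "(file missing)" in body:
        flags.append("dangling: component is registered but its file is absent")
    if entry.code == "O1":
        flags.append("hosts file entry: name resolution is overridden locally, confirm it is intended")
    if entry.code == "O2" and body.startswith("BHO: (no name)"):
        flags.append("unnamed BHO: identify it by CLSID before keeping it")
    if entry.code == "O15":
        flags.append("Trusted Zone: site gets IE's relaxed security settings")
    if entry.code == "O16" and "(" not in body:
        flags.append("ActiveX download with no object name")
    if entry.code in ("R0", "R1") and expected_hosts:
        # Browser start/default/search settings: "key = URL"; flag unfamiliar hosts.
        _, _, value = body.partition("=")
        host = urlparse(value.strip()).hostname
        if host and host not in expected_hosts:
            flags.append(f"browser setting points at unexpected host {host}")
    return flags


def triage(text: str, expected_hosts: FrozenSet[str] = frozenset()) -> List[Entry]:
    entries = parse_log(text)
    for e in entries:
        e.flags = classify(e, expected_hosts)
    return entries


def suspicious(text: str, expected_hosts: FrozenSet[str] = frozenset()) -> List[Entry]:
    """Only the entries that picked up at least one flag, in log order."""
    return [e for e in triage(text, expected_hosts) if e.flags]


if __name__ == "__main__":
    # Assumed set of hosts the owner expects IE to point at (example values).
    known = frozenset({"www.comcast.net", "www.emachines.com"})
    for e in suspicious(SAMPLE_LOG, known):
        print(e.code, e.clsid or "-", "|", "; ".join(e.flags))
```

The checks are deliberately conservative: a flag means "look at this one first", not "this is malware". The askBar BHO and the Flash ActiveX object in the sample are named and backed by files, so they pass through unflagged, while the unnamed BHO with no file, the two "(file missing)" entries, the Trusted Zone addition, the unnamed O16 download, the hosts override and the ask.com start page all surface for review.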


#2 Grinler


    Lawrence Abrams

  • Admin
  • 43,434 posts
  • Gender:Male
  • Location:USA
  • Local time:02:29 AM

Posted 20 April 2006 - 06:53 PM

Sorry for the delay. If you are still having problems please post a brand new HijackThis log as a reply to this topic. Before posting the log, please make sure you follow all the steps found in this topic:

Preparation Guide For Use Before Posting A Hijackthis Log
