jd15
join:2005-03-24
Hillsdale, ON

jd15

Member

HJT Log - I have been hijacked by CWS

ABLogFile.1.zip
509 bytes
(ABLogFile.1.txt)
hijackthis.zip
2,468 bytes
(hijackthis.log)
My computer is slowing down; there are many pop-ups, redirects, blocked pages, home page changes, and balloons appearing in the startup menu, and I am unable to completely clean my machine. Prior to printing I have to run a scan or it does not print properly. I have not noticed it trying to call out, although I did delete CWS_dialer in a previous scan prior to knowing about your site. Email seems to be OK. Please note I am on dial-up and have tried everything.
Also, I am a neophyte to this.

Regarding post 8428:
Step 1: Several scans using CWShredder, Spy Sweeper, Ad-Aware, and Norton AV deleted and quarantined infected files. My machine was never really cleaned with these; on restart the process would have to be started over.
Step 2: I tried to run the web-based AV scanners and was unable to. IE ran into a problem and indicated that it had to shut down. Previous to this problem, I had used Housecall before and knew what to expect.
Step 3: Downloaded "About Buster". Log attached.
Downloaded "Spybot S&D". It reported 1 entry that was ALEXA related and 5 entries of a DSO exploit. These were quarantined.
Step 4: Downloaded TDS-3 and did 3 scans.
The first identified "Trojan downloader.win32.agent.bq12 + riskware + adware".
The second identified the trojan downloader again.
The above were quarantined.
The last scan reported multiple DLLs identified as Trojan.win32.emt.a. These were not deleted because I was unsure about the effect, considering the number of them.

Included as attachments are the logs for About Buster and HJT.

Please help if you can.


John2g
Qui Tacet Consentit
Premium Member
join:2001-08-10
England

John2g

Premium Member

Logfile of HijackThis v1.99.1
Scan saved at 9:22:40 AM, on 3/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\addgh32.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2C1.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\FaxTalk Communicator\FTCtrl32.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\FaxTalk Communicator\FAPIEXE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\hjt\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.globeinvestor.com/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {367621ED-3460-6D3E-460F-EF17F9AEAF1C} - C:\WINDOWS\system32\netog32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.1\THGuard.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [EPSON Stylus C64 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2C1.EXE /P23 "EPSON Stylus C64 Series" /O6 "USB001" /M "Stylus C64"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [CallControl 4.5] C:\Program Files\FaxTalk Communicator\FTCtrl32.exe /autoload
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\RunOnce: [addgh32.exe] C:\WINDOWS\addgh32.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = ?
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1096471411406
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\sysvm32.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
John2g

John2g to jd15

Premium Member

to jd15
This looks suspicious.

C:\WINDOWS\addgh32.exe
John2g

John2g to jd15

Premium Member

to jd15
This is also suspicious.

O2 - BHO: (no name) - {367621ED-3460-6D3E-460F-EF17F9AEAF1C} - C:\WINDOWS\system32\netog32.dll

CalamityJane
Premium Member
join:2002-08-27
Eustis, FL

CalamityJane to jd15

Premium Member

to jd15
This is CWS HomeSearch Assistant version. It needs to be fixed all at once, otherwise the files will regenerate with new names. If you will hold on just a few minutes, I'm writing up the fix now.

Need to add in the AboutBuster Log:

Scanned at: 7:30:23 AM on: 3/23/2005

-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 25

Removed Data Streams:
C:\WINDOWS\desktop.ini:dvkaf
C:\WINDOWS\KB824105.log:usucw
C:\WINDOWS\KB828035.log:ypbvj
C:\WINDOWS\KB842773.log:xcqrf
C:\WINDOWS\msdfmap.ini:plzqx
C:\WINDOWS\Q322011.log:lhotr
C:\WINDOWS\Q819696.log:ehhgt
C:\WINDOWS\River Sumida.bmp:umvtm
C:\WINDOWS\Sti_Trace.log:suzua
C:\WINDOWS\TSC.INI:iuglk
C:\WINDOWS\xpsp1hfm.log:vqyyv

Removed 4 Random Key Entries
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 25

Removed Data Streams:
C:\WINDOWS\desktop.ini:dvkaf
C:\WINDOWS\KB824105.log:usucw
C:\WINDOWS\KB828035.log:ypbvj
C:\WINDOWS\KB842773.log:xcqrf
C:\WINDOWS\msdfmap.ini:plzqx
C:\WINDOWS\Q322011.log:lhotr
C:\WINDOWS\Q819696.log:ehhgt
C:\WINDOWS\River Sumida.bmp:umvtm
C:\WINDOWS\Sti_Trace.log:suzua
C:\WINDOWS\TSC.INI:iuglk
C:\WINDOWS\xpsp1hfm.log:vqyyv

Attempted Clean Of Temp folder.
Pages Reset... Done!
CalamityJane

CalamityJane to jd15

Premium Member

to jd15
1. Make a copy of these instructions so you have them handy, as the next steps need to be done in safe mode with IE closed.

2. Make sure your PC is configured to show hidden files
How to Show Hidden Files
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

3. Reboot your PC into SAFE MODE

How to start the computer in Safe mode
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam

4. Scan with HijackThis and checkmark the following items, then press *fix checked*

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {367621ED-3460-6D3E-460F-EF17F9AEAF1C} - C:\WINDOWS\system32\netog32.dll

O4 - HKLM\..\RunOnce: [addgh32.exe] C:\WINDOWS\addgh32.exe

O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\sysvm32.exe (file missing)
..............
5. While still in safe mode, delete the following files (if found)

C:\WINDOWS\addgh32.exe

C:\WINDOWS\sysvm32.exe

C:\WINDOWS\system32\netog32.dll

6. Still in safe mode, run AboutBuster again and save the log to post back here.

7. Reboot back into normal mode.

8. Scan once more with HijackThis and post a fresh HJT log and the AboutBuster Log you save.

9. Follow up with an online scan at Housecall (Trend-Micro) as it will likely find additional infected files to delete
Trend Micro (PC-cillin) - Free on-line Scan
http://housecall.antivirus.com
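The four HijackThis entries picked out for fixing above follow a pattern a helper can apply to any HJT log. The script below is an added example, not code from the thread or from HijackThis; the heuristics (a missing default URLSearchHook, a "(no name)" BHO, an O23 service with unknown owner whose file is missing, and the <letters>32.exe/.dll naming seen in addgh32.exe, netog32.dll, ntze32.exe and crfd32.exe) are assumptions drawn from this thread, and the sample log is constructed from lines of the log posted above with the garbled service name replaced by a placeholder.

```python
import ntpath
import re
from typing import List, Optional, Tuple

# Constructed sample in the shape of the HijackThis v1.99.1 log posted in this thread.
# The unreadable service name from the real log is replaced by a placeholder.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.globeinvestor.com/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {367621ED-3460-6D3E-460F-EF17F9AEAF1C} - C:\WINDOWS\system32\netog32.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\RunOnce: [addgh32.exe] C:\WINDOWS\addgh32.exe
O23 - Service: Remote Procedure Call (RPC) Helper (GARBLED-NAME-PLACEHOLDER) - Unknown owner - C:\WINDOWS\sysvm32.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
"""

# First Windows path ending in .exe or .dll on a line (non-greedy so the match stops at the extension).
PATH_RE = re.compile(r"[A-Za-z]:\\[^\r\n]*?\.(?:exe|dll)\b", re.IGNORECASE)

# Assumed heuristic: this CWS variant drops short random names ending in "32"
# (addgh32.exe, netog32.dll, ntze32.exe, crfd32.exe in this thread).
RANDOM32_RE = re.compile(r"^[a-z]{3,6}32\.(?:exe|dll)$", re.IGNORECASE)


def triage_line(line: str) -> Optional[str]:
    """Return the reason an HJT log line deserves a second look, or None if it looks benign."""
    if line.startswith("R3 - ") and "URLSearchHook is missing" in line:
        return "default URLSearchHook removed (hijacker residue)"
    if line.startswith("O2 - BHO: (no name)"):
        return "anonymous Browser Helper Object loaded into Internet Explorer"
    if line.startswith("O23 - ") and "Unknown owner" in line and "(file missing)" in line:
        return "orphaned service with unknown owner pointing at a missing file"
    # Only autostart, BHO and service entries carry a launch path worth checking.
    if line.startswith(("O2 - ", "O4 - ", "O23 - ")):
        m = PATH_RE.search(line)
        if m:
            name = ntpath.basename(m.group(0))  # ntpath handles backslashes on any OS
            if RANDOM32_RE.match(name):
                return f"random-looking CWS-style filename {name}"
    return None


def triage_log(text: str) -> List[Tuple[str, str]]:
    """Scan a whole HJT log and return (line, reason) pairs for every flagged entry."""
    findings: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reason = triage_line(line)
        if reason:
            findings.append((line, reason))
    return findings


if __name__ == "__main__":
    for line, reason in triage_log(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

Legitimate entries with "Unknown owner" but a present file (the ATI services) and vendor executables in system32 are deliberately left alone, matching what was and was not checked in the fix above.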
jd15
join:2005-03-24
Hillsdale, ON

jd15

Member

Thank you for your help so far.

I did as you suggested and IE is already working better.

The line [addgh32.exe] did not exist. Instead [ntze32.exe] was there. I deleted it and hope this was the right thing to do.

I will repost the 2 log items.

Thanks again.

Doctor Four
My other vehicle is a TARDIS
Premium Member
join:2000-09-05
Dallas, TX

Doctor Four to jd15

Premium Member

to jd15
Is this system an NTFS based one (Win2000, XP) rather than Fat32? If so, you'll also need Adsspy to look for alternate data streams (CWS HomeSearch, aka CWS_NS3, is known to hide parts of itself from process viewers through the use of these). Otherwise the hijack will likely keep returning until this is found and cleaned.

I recall reading about this when trying to remove a similar hijack from a Win98 machine here at work, but in my case, once I ran both HJT and AboutBuster, CWS was gone for good, as FAT32 doesn't support the use of ADS. Google for CWS_NS3 - there's a helpful tutorial on removing this one at Bleeping Computer.

CalamityJane
Premium Member
join:2002-08-27
Eustis, FL

CalamityJane to jd15

Premium Member

to jd15
Shuten Doji
AboutBuster takes care of the ADS on NTFS
................
@jd15,

I'm posting your HijackThis log from your last scan. Please remember to copy and paste these into your replies rather than uploading them as attachments (it saves us a lot of work).

Logfile of HijackThis v1.99.1
Scan saved at 1:32:45 PM, on 3/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2C1.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\FaxTalk Communicator\FTCtrl32.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\FaxTalk Communicator\FAPIEXE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\hjt\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.globeinvestor.com/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.1\THGuard.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [EPSON Stylus C64 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2C1.EXE /P23 "EPSON Stylus C64 Series" /O6 "USB001" /M "Stylus C64"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [CallControl 4.5] C:\Program Files\FaxTalk Communicator\FTCtrl32.exe /autoload
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = ?
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1096471411406
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\sysvm32.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
CalamityJane

CalamityJane to jd15

Premium Member

to jd15
Adding the latest AboutBuster log and your comments from the duplicate thread:

Scanned at: 1:23:51 PM on: 3/24/2005

-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 25

Removed Data Streams:
C:\WINDOWS\EPISME00.SWB:owqmq
C:\WINDOWS\KB824105.log:pgcuw
C:\WINDOWS\KB885835.log:heebi

Removed 4 Random Key Entries
Removed! : C:\WINDOWS\d3qz.exe
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 25

Removed Data Streams:
C:\WINDOWS\EPISME00.SWB:owqmq
C:\WINDOWS\KB824105.log:pgcuw
C:\WINDOWS\KB885835.log:heebi

Attempted Clean Of Temp folder.
Pages Reset... Done!
quote:
As requested I am reposting the about buster and HJT logs.

I also was able to run housecall. It found 10 more files which it could not clean and I deleted them.

Can you confirm if my computer is now clean?

On a previous scan I renamed a file crfd32.exe. Do I need this file? And if so where do I find it?
Then I will come back and review all this for you.

Bookmark THIS thread so you can find it again

paul613
join:2000-04-19
College Park, MD

paul613 to jd15

Member

to jd15
Please download and run CWShredder; it will search for all known versions of this malware and remove them.

»majorgeeks.com/download3019.html

CalamityJane
Premium Member
join:2002-08-27
Eustis, FL

CalamityJane to jd15

Premium Member

to jd15
Ok, in normal mode...

Scan with HijackThis and place a checkmark in the boxes next to these items, then press *fix checked*

R3 - Default URLSearchHook is missing

O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\sysvm32.exe (file missing)
.............
Then, please run AboutBuster again and post a fresh log from it (remember to copy and paste the contents of logs into your reply).
CalamityJane

CalamityJane to paul613

Premium Member

to paul613
said by paul613:

Please download and run CWShredder; it will search for all known versions of this malware and remove them.
No, it does not (this version)...besides, been there done that already if you read the first post.

paul613
join:2000-04-19
College Park, MD

paul613 to jd15

Member

to jd15
You should try updating it, since I removed this from several pcs with it already.
jd15
join:2005-03-24
Hillsdale, ON

jd15 to CalamityJane

Member

to CalamityJane
I have fixed those items with HJT, the R3 and O23.

Please note: as Shuten Doji mentions above, one of the threats identified by the various scans in steps 1 - 4 was this CWS_NS3.

Thanks again for all the help.

About Buster log below:
Scanned at: 6:15:17 PM on: 3/24/2005

-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 25

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 25

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!

CalamityJane
Premium Member
join:2002-08-27
Eustis, FL

CalamityJane

Premium Member

Ok, good. AboutBuster log is now clean...that's what I was looking for.

So, your log looks clean except for the couple of orphaned registry items (the R3 and O23). Make sure this file is actually gone:
C:\WINDOWS\sysvm32.exe

Are you running Spybot? If so check in Tools under *System Internals* and Press *check* at the top to let it see if it finds any inconsistencies in the registry that need fixing.

As for the other file you renamed, do you know what you renamed it to? It may have gotten zapped by Trend.

You might also find additional leftover (but harmless) files from this infection if you do the other AV scans. There may have been .dat files or others created when it regenerated itself, so new scans may find more junk. If so, just let them delete any infected files found. This thing leaves a lot of garbage behind, but it is not running anyway.

Now that your PC is clean, make sure all programs are running properly and then you'll need to reset your restore point in Windows XP.......why?

One of the best features of Windows ME or XP is the System Restore option, however if a malware infects a computer with this operating system it can be backed up in the System Restore folder. Therefore, clearing the restore points is necessary after malware removal.

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(winXP)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

How to Turn On and Turn Off System Restore in Windows XP
»support.microsoft.com/de ··· s;310405

Next, I highly recommend you get some extra protection to prevent future infections. Here are some things you can do and some free programs to help.

»Security »How do I prevent browser hijacks and spyware?

Service Pack 2 for XP is now available and it will address numerous security issues in your Operating System and IE
»v5.windowsupdate.microso ··· ault.asp

Make sure that you keep your Operating System and IE updated with the latest Critical Security Updates from Microsoft...they usually come out once a month, on the 2nd Tuesday of each month. This is the first step in malware prevention, as many nasties now take advantage of new exploits and if not patched, you are vulnerable!

I also highly recommend getting the free tool Microsoft Baseline Security Analyzer (MBSA) from Microsoft to analyze your PC security for prevention purposes.

MBSA Version 1.2.1 will scan for common system misconfigurations on Windows 2000, Windows XP, and Windows Server 2003 systems. This program will identify the security weaknesses in your browser and operating system and provide easy instructions to correct them. This includes any missing critical Windows security updates, system vulnerabilities and your IE browser security settings. Get the download here:
Microsoft Baseline Security Analyzer
»www.microsoft.com/techne ··· ome.mspx
jd15
join:2005-03-24
Hillsdale, ON

jd15

Member

I remember the name of the file. I believe the reference that I remember was that it becomes corrupt as part of CWS_MSConfig. I could be wrong, however.

Should I return the file to crfd32.exe?

Thanks for the help.

CalamityJane
Premium Member
join:2002-08-27
Eustis, FL

CalamityJane

Premium Member

said by jd15:

Should I return the file to crfd32.exe?
No, don't do that. We don't want it back

You can just delete it if you know what it is.
jd15
join:2005-03-24
Hillsdale, ON

jd15 to CalamityJane

Member

to CalamityJane
First of all thanks.

I first checked for sysvm32.exe and found nothing.

I ran a scan using spy sweeper.
It identified the following problems:

Cool web search
CWS_NS3
CWS_TINYO
Trojan_downloader_TIBSER
Spy Sweeper reported successful removal.

A Lavasoft Adaware scan found nothing.
Spybot S&D found nothing.
On my version of Spybot I could not find a tab for Tools.

Then I decided to do a manual search for sysvm32.exe. I found this file and deleted same under C:/windows/prefetch.

Another scan of Spy Sweeper found nothing.

I am hoping that this is the end of it. And thanks to Calamity Jane. I will take your advice with respect to further security. Hopefully, it is gone.
spooler0
Premium Member
join:2004-11-17

spooler0

Premium Member

said by jd15:

"A Lavasoft Adaware scan found nothing.
Spybot S&D found nothing.
On my version of Spybot I could not find a tab for Tools."
If you would like to try again to find tools in Spybot S&D, reopen the program,

then click on the mode button,

then change to "advanced" mode, click "yes" when the program warns you that the world as you know it will end if you go to advanced mode,

then select "tools",

then proceed as CalamityJane suggested.

See if the above works... Then be prepared for more warnings if you elect to "fix" the system internals if there are any inconsistencies. I would ask her what to do if you find any.

John2g
Qui Tacet Consentit
Premium Member
join:2001-08-10
England

John2g to jd15

Premium Member

to jd15
said by jd15:

I ran a scan using spy sweeper.
It identified the following problems:

Cool web search
CWS_NS3
SpySweeper has a reputation for FPs with CWS_NS3.