Ctrl Alt Del
Premium
join:2002-02-18

The NASTIEST infection I have ever seen, help.

Ok, I don't know how, I don't know when, but my family computer (not my Dell laptop) has gotten slammed with CoolWebSearch. I've been fighting this fscker for a while and today I pulled no punches... first thing I did was a Check Disc which corrected some problems, then I ran a SFC /scannow, it copied some files, I then re-installed the full copy of Internet Explorer 6 SP1, I then ran Ad-Aware 6 with all updates, full system scan (hosts file, everything), I also ran Spybot Search & Destroy. After all was said and done, I restarted in safe mode and defragged. Took almost an hour, one file wouldn't defrag, couldn't locate it either.

Rebooted, ran Hijack This, Ad-Aware and Spybot again, all come up CLEAN.

Now, when you type in, say "whamalajama" in IE's address bar, press down to select Search for "whamalamajama", IE goes to:

»auto.muxa.cc/400/?u=»auto.search.msn.com/response.asp···ov=&utf8

And it gets better. I'm using The Proxomitron, and when I turn OFF "Use proxy server" in IE, it works fine, no muxa.cc crap. Also, when I turn ON the proxy in IE but SHUT DOWN Proxomitron, it also works. The only time muxa.cc shows up is when BOTH IE is set to use The Proxomitron, and The Proxomitron is running.

I took the next logical step, replace The Proxomitron, which I did. I took the one from my machine, which is working properly, and put it on this infected one. Same result.

I'm really out of ideas at this point, and am about ready to put a bullet in the creator's head of muxa.cc

Hijack This, Ad-Aware, Spybot are all fully updated, and all say all systems go. Nothing rogue running in the background. Norton AntiVirus 2003 Pro updated and running.

I really do have absolutely no idea what's going on with this one.
--
The day after tomorrow. Where will you be?


foxsteve
Premium
join:2001-12-28
Campbell, CA

2 edits

In the HijackThis log you can look up where this nasty is located in the Registry.



sig
Premium
join:2001-05-05

1 edit

reply to Ctrl Alt Del
Ok, you say you had CoolWebSearch, but you haven't mentioned actually using CoolWebShredder, a utility designed especially for CWS. If you haven't yet used it give it a try. There are links to the program in the FAQ: »Security »I think my computer is infected or hijacked. What should I do?



Ctrl Alt Del
Premium
join:2002-02-18

said by sig:
Ok, you say you had CoolWebSearch, but you haven't mentioned actually using CoolWebShredder, a utility designed especially for CWS. There are links to the program in the FAQ: »Security »I think my computer is infected or hijacked. What should I do?

Forgot to also mention, ran that too. "Your system is completely clean!"
--
The day after tomorrow. Where will you be?


Wily_One
Premium
join:2002-11-24
San Jose, CA

Did you visually check your hosts file? I had a similar situation, but it was a case of multiple malware at once. CWshredder always reported clean, yet SpySweeper kept reporting it, plus some others. One file in the C:\Windows\Temp kept coming back, and could not be deleted. Google searches gave bogus results.

In the end, I restarted into Safe Mode, deleted the file in Temp, ran Spybot, ran Norton (which never found anything), manually removed stuff from the Registry, and manually deleted folders and files of known malware on my hard drive.

Once all that was done, everything was clean except Google searches were still being redirected. Then I looked in my hosts file, and lo and behold there were several entries that had been added/altered. (I have a big hosts file with localhost entries, to thwart ads, and the interesting thing is the alterations were made in the middle of the file, not at the beginning or end.)
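The hosts-file check described in the post above, as an added example that is not part of the original thread: a small Python scanner that reads a Windows hosts file and flags any mapping whose address is not a loopback or unspecified "sinkhole" address (a blocking list only ever uses 127.0.0.1 or 0.0.0.0), keeping the line number so an entry buried in the middle of a long file is easy to find. The sample hosts content and the 203.0.113.10 address (an RFC 5737 documentation range) are constructed for the example.

```python
"""Added example (not from the thread): scan a hosts file for entries that
redirect well-known hostnames away from a sinkhole address.

A blocking hosts file maps ad domains to 127.0.0.1 or 0.0.0.0. A hijack
inserts lines that send search or vendor domains to a remote address, often
in the middle of a long file where they are easy to miss. This scanner keeps
the line number of every mapping and reports (a) entries whose address is
neither loopback nor unspecified and (b) hostnames mapped more than once."""

import ipaddress
from typing import Dict, List, Tuple

# Constructed sample: a short ad-blocking hosts file with two injected lines.
# 203.0.113.10 is an RFC 5737 documentation address standing in for a
# remote server; nothing here is taken from a real infection.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       ads.example.net
127.0.0.1       banners.example.org
203.0.113.10    www.google.com        # injected
203.0.113.10    auto.search.msn.com   # injected
127.0.0.1       tracker.example.com
0.0.0.0         popup.example.net
"""


def parse_hosts(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, address, hostname) for every mapping in a hosts file."""
    entries: List[Tuple[int, str, str]] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        addr, names = parts[0], parts[1:]
        for name in names:  # one address may carry several hostnames
            entries.append((line_no, addr, name.lower()))
    return entries


def is_sinkhole(addr: str) -> bool:
    """True for the addresses a blocking hosts file legitimately uses."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # not even an IP address: treat as suspicious
    return ip.is_loopback or ip.is_unspecified


def find_redirects(text: str) -> List[Tuple[int, str, str]]:
    """Mappings that send a hostname somewhere other than a sinkhole address."""
    return [e for e in parse_hosts(text) if not is_sinkhole(e[1])]


def find_duplicates(text: str) -> Dict[str, List[int]]:
    """Hostnames that appear more than once, with the line number of each."""
    seen: Dict[str, List[int]] = {}
    for line_no, _addr, name in parse_hosts(text):
        seen.setdefault(name, []).append(line_no)
    return {n: lines for n, lines in seen.items() if len(lines) > 1}


if __name__ == "__main__":
    # On a real machine read C:\WINDOWS\system32\drivers\etc\hosts instead.
    for line_no, addr, name in find_redirects(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {addr} (not a sinkhole address)")
    for name, lines in find_duplicates(SAMPLE_HOSTS).items():
        print(f"{name} is mapped on lines {lines}")
```

Run it against the real file by reading `C:\WINDOWS\system32\drivers\etc\hosts` in place of the sample; any hostname reported by `find_redirects` is one the machine will resolve without ever asking DNS, which is exactly the symptom of searches silently going elsewhere.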



sivran
Back to Opera again
Premium
join:2003-09-15
Arlington, TX
kudos:1

reply to Ctrl Alt Del
May seem silly but, have you tried running a windows find for auto.muxa.cc? Search the registry?


B
Premium,MVM
join:2000-10-28


What's strange is that you shouldn't be able to switch proxies that way and have it continue to work. Are you set to automatically locate the proxy, or are you pointing to a specific host and port?

If the latter, then when Proxo is running it must be assuming control of that port (assuming the host is localhost) and when it's not some OTHER program (that you haven't mentioned) must be assuming control of that port. How ELSE could you continue to surf with a "proxy" pointing to nowhere?

So, while the problem appears to be within Proxo's settings (perhaps it's chaining to another proxy), something else is clearly going on. Could it also just be an IE search-related registry setting?

Have you tried alternate browsers, with and without Proxo?

-- B
--
In a realm outside causality and function



hpguru
Curb Your Dogma
Premium
join:2002-04-12

reply to Ctrl Alt Del
Check Proxo's Config>Startup tab. What if anything is configured to launch when Proxo starts? Here are a few other things to check.

1) All the files in the Lists subfolder are txt files properly registered to a text editor.

2) There are no files under the html subfolder that you did not add. Files you added have not been modified.

3) Delete any and all proxies listed under the [Proxies] section of your Proxo config file even if Proxo is not currently configured to connect out via a proxy.
--
The Justice for Pat Richard Campaign


Gavin_TH

join:2003-04-03
Australia

reply to Ctrl Alt Del
It's a defaultsearch hijack, follow the steps given earlier to post a HijackThis log and get some help. It may also be the latest of these which is exceedingly nasty and semi-stealth. Someone will help you if you post a log.
--
Gavin Coe
DiamondCS Analyst
»www.diamondcs.com.au



Bubba
GIT-R-DONE
Premium,MVM
join:2002-08-19
St. Andrews

reply to Ctrl Alt Del
Even tho you feel the HJT log was clean....the muxa.cc is just one of the many CWS affiliates currently targeted by CWShredder.....fanpmh.t.muxa.cc, muxa.cc....being just 2 of them.

As Gavin_TH said....post an HJT log after downloading\executing the latest version of CWShredder.

»CWShredder V 1.57.0
--
*Team Z* Member



Ctrl Alt Del
Premium
join:2002-02-18

reply to Ctrl Alt Del
Ok, this is getting very aggravating now. I've noticed a pattern. I clean everything out via all the tools, wait a while, and then this magically re-appears in Hijack This's log:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\ekhbfi.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\ekhbfi.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\ekhbfi.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {3CBC1267-2660-4559-9FFE-B38E61B216B8} - C:\WINDOWS\System32\ekhbfi.dll

These entries always re-appear, and the DLL file name always changes, but it's always /sp.html

I'm glad I got Mozilla installed, because EVERYTHING in IE (Favorites, Links, typed URLS) ALL go to some CWS bullshit!
--
The day after tomorrow. Where will you be?



Ctrl Alt Del
Premium
join:2002-02-18

2 edits

reply to Ctrl Alt Del
After those 4 entries in Hijack This appear, CWShredder then removes CWS.Searchx.

Hijack This log:

Logfile of HijackThis v1.97.7
Scan saved at 2:50:37 PM, on 4/27/04
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Proxomitron\Proxomitron.exe
C:\Program Files\Win Sent.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\mozilla.org\Mozilla\mozilla.exe
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - Startup: Proxomitron.lnk = C:\Program Files\Proxomitron\Proxomitron.exe
O4 - Startup: Win Sent.lnk = C:\Program Files\Win Sent.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: AIM (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - »download.macromedia.com/pub/shoc···wdir.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - »fpdownload.macromedia.com/pub/sh···lash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AF2BEA69-09CC-4ECA-A6D9-7ECAD94D44D4}: NameServer = 192.168.1.1

The about:blank sites I modified myself, but CWS makes them point to some local DLL file anyway.
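The pattern the thread keeps coming back to is an IE search value that points at `res://<random>.dll/sp.html` together with an unnamed O2 BHO that loads the same DLL from System32. As an added example that is not part of the original thread, here is a Python parser for HijackThis-style log lines that pulls the DLL path out of every `res://` R0/R1 value, collects the O2 BHO entries, and reports DLLs that appear in both roles. The sample lines are constructed from the entries posted earlier in the thread; the function names are the example's own.

```python
"""Added example (not from the thread): correlate HijackThis R0/R1 search
values with O2 BHO entries so the res://<dll>/sp.html pattern stands out.

The signature described in the thread is an IE search value pointing at a
res:// URL inside a randomly named DLL, plus an unnamed BHO that loads the
same DLL. Either line on its own is easy to wave through; the pair is not."""

import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the lines posted in the thread (raw strings
# keep the Windows backslashes as HijackThis writes them).
SAMPLE_LOG = "\n".join([
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\ekhbfi.dll/sp.html (obfuscated)",
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\ekhbfi.dll/sp.html (obfuscated)",
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank",
    r"O2 - BHO: (no name) - {3CBC1267-2660-4559-9FFE-B38E61B216B8} - C:\WINDOWS\System32\ekhbfi.dll",
    r"O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll",
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
])

# res://<path to a .dll>/<resource>; the path contains no forward slashes.
RES_URL = re.compile(r"res://(?P<dll>[^/]+\.dll)/", re.IGNORECASE)
# O2 - BHO: <name> - {CLSID} - <path>
BHO_LINE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$"
)


def search_entries_with_res(text: str) -> List[Tuple[str, str]]:
    """(registry value, lower-cased DLL path) for each R0/R1 line whose
    value is a res:// URL, i.e. a search page served from a local DLL."""
    found: List[Tuple[str, str]] = []
    for line in text.splitlines():
        if not line.startswith(("R0 - ", "R1 - ")):
            continue
        key, sep, value = line[5:].partition(" = ")
        if not sep:
            continue
        m = RES_URL.search(value)
        if m:
            found.append((key, m.group("dll").lower()))
    return found


def bho_entries(text: str) -> Dict[str, Tuple[str, str]]:
    """CLSID -> (display name, lower-cased DLL path) for every O2 line."""
    bhos: Dict[str, Tuple[str, str]] = {}
    for line in text.splitlines():
        m = BHO_LINE.match(line)
        if m:
            bhos[m.group("clsid").upper()] = (m.group("name"), m.group("path").lower())
    return bhos


def correlate(text: str) -> List[Dict[str, object]]:
    """DLLs named in a res:// search value that are also loaded as a BHO.

    Each finding records the DLL, the BHO CLSID, whether the BHO has no
    display name, and the registry values that point into the DLL."""
    by_dll: Dict[str, List[str]] = {}
    for key, dll in search_entries_with_res(text):
        by_dll.setdefault(dll, []).append(key)
    findings: List[Dict[str, object]] = []
    for clsid, (name, path) in bho_entries(text).items():
        if path in by_dll:
            findings.append({
                "dll": path,
                "clsid": clsid,
                "unnamed_bho": name == "(no name)",
                "search_values": by_dll[path],
            })
    return findings


if __name__ == "__main__":
    # Feed it a saved HijackThis log instead of SAMPLE_LOG on a real machine.
    for f in correlate(SAMPLE_LOG):
        print(f"{f['dll']} loaded as BHO {f['clsid']} (unnamed={f['unnamed_bho']})")
        for key in f["search_values"]:
            print(f"    referenced by {key}")
```

Because the hijack renames the DLL on every reinfection, the script deliberately keys on the relationship (search value and BHO pointing at the same file) rather than on any particular filename or CLSID, so a fresh log with a new random name still produces the same finding.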



JollyStomper
The Funky Feel One
Premium
join:2003-03-16
Level 15

Interesting find:

C:\>nslookup auto.muxa.cc
Server:
Address:

Name: auto.muxa.cc
Address: 81.211.105.37

After querying the ip, I found:

81.211.105.37
Host reachable, 232 ms. average

81.211.105.0 - 81.211.105.255

ICS TM, JSC
70 Bolshoy pr. V.O.
199002 St.-Petersburg
Russian Federation

Prasolov S A
ICS TM
70 Bolshoy pr. V.O.
199002 St.-Petersburg
Russia
phone: +7 812 3291492
fax: +7 812 3222242
dnsmaster@ilca.ru

Prasolov S A
ICS TM
70 Bolshoy pr. V.O.
199002 St.-Petersburg
Russia
phone: +7 812 3291492
fax: +7 812 3222242
dnsmaster@ilca.ru

SOVINTEL-ICSTM2
Updated: 03-Dec-2003 by marty@sovintel.ru
Source: whois.ripe.net
--
"As I was sayin' buster, this planet ain't big enough for the two of us so... OFF YA GO!"


psloss
Premium
join:2002-02-24
Alpharetta, GA

reply to Ctrl Alt Del
Just curious, does HJT list the App_InitDLLs value in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows?

If not, can you manually see if there's anything there? (Sorry if this got asked earlier in the thread, I skimmed it.)

Thanks,

Philip Sloss
--
Feedback? e-mail: stuff@lupwa.org



Ctrl Alt Del
Premium
join:2002-02-18

said by psloss:
Just curious, does HJT list the App_InitDLLs value in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows?

If not, can you manually see if there's anything there? (Sorry if this got asked earlier in the thread, I skimmed it.)

Thanks,

Philip Sloss

I'm not sure about HJT, but I have no value for App_InitDLLs at that registry key.
--
The day after tomorrow. Where will you be?


Ctrl Alt Del
Premium
join:2002-02-18

reply to Ctrl Alt Del
Well, I think I have the worst spyware infestation known to man on this computer. I think I have this: »www.spywareinfo.com/~merijn/cwsc···llowpage
--
The day after tomorrow. Where will you be?



Bubba
GIT-R-DONE
Premium,MVM
join:2002-08-19
St. Andrews

1 edit

reply to Ctrl Alt Del

said by Ctrl Alt Del:
The about:blank sites I modifed myself,
Is there anything else that you may have modified? Numerous threads lately have been started concerning the CWS about:blank and yes it can be a barn burner. I also don't mean to meddle into your troubleshooting procedure but since new variants are popping up rather quickly....I suggest you post the whole log without modifying unless you'd prefer to wing it on your own.

From your log.

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\ekhbfi.dll/sp.html (obfuscated)
O2 - BHO: (no name) - {3CBC1267-2660-4559-9FFE-B38E61B216B8} - C:\WINDOWS\System32\ekhbfi.dll


If you get a chance and care to....you can see the latest developments of this....CWS Variants....and how best to proceed in eliminating.

about:blank / linklist.cc

said by Unzy:
This is a very complex hijack to solve for now, as only manual instructions are given. Please only follow instructions when you are guided by an Advanced or Expert member!

Responsible entries in a HijackThis log :

R0 and R1 entries pointing to the following similar looking location : res://C:\WINDOWS\System32\kfiokk.dll/sp.html

O2 - BHO: (no name) - {54DDBEA0-AAE2-43A1-9076-3F064D0DEA55} - C:\WINDOWS\System32\kfiokk.dll*

* the dll is randomly named for each victim, and is shown as an O2 - BHO in a HijackThis log.
--
*Team Z* Member


Ctrl Alt Del
Premium
join:2002-02-18

said by Bubba:
Is there anything else that you may have modified? Numerous threads lately have been started concerning the CWS about:blank and yes it can be a barn burner. I also don't mean to meddle into your troubleshooting procedure but since new variants are popping up rather quickly....I suggest you post the whole log without modifying unless you'd prefer to wing it on your own.

No problem. If I change everything to the stock default settings, like a fresh install of Windows, they get changed to about:blank anyway, and as part of the CWS.Searchx trojan, it loads the randomly named DLL. Doesn't matter what I do, something, at what seems like random, re-infects the computer. There are no unknown processes running, nothing in the startup folders/keys, and Norton/Ad-Aware/Spybot all say clean one minute, and then find CWS the next.
--
The day after tomorrow. Where will you be?


John2g
Qui Tacet Consentit
Premium
join:2001-08-10
England

reply to Ctrl Alt Del
Just curious. Do you know what this is?

C:\Program Files\Win Sent.exe



Bubba
GIT-R-DONE
Premium,MVM
join:2002-08-19
St. Andrews

reply to Ctrl Alt Del

said by Ctrl Alt Del:
Doesn't matter what I do, something, at what seems like random, re-infects the computer.
Agree....and as is stated in the link I posted....this sucker is morphing and it will take some patience and help from folks that have been working night and day attempting to keep up with what the programmer of this beast is throwing at them with new variants. It can be removed BUT not with traditional methods of letting HJT fix things. However....if you find a quicker way without re-formatting I can assure you there are folks that WILL buy you a cold one or 4
--
*Team Z* Member
