Old 12-17-2004, 03:57 AM   #1 (permalink)
Registered User
 
Join Date: Dec 2004
Posts: 5
OS: Win2000


CWS Affiliate: Toolband

Sir:
I have a problem when starting my Internet Explorer. It is always redirected to Http://www.web--search.com, even though I've tried to set my default homepage to about:blank or another homepage.
I've run CWShredder and it found CWS affiliate:toolband, which was deleted and fixed. But when I start my computer the problem is back!
Please help me. For your info, English is not my mother tongue, so please reply in simple English.
Thank You,
Bagong
bagong is offline  
Old 12-17-2004, 06:52 AM   #2 (permalink)
dai
Manager, Hardware Forums
 
Join Date: Jul 2004
Location: west australia
Posts: 44,256
OS: vista 32x ultimate retail


Post a HijackThis log in the HijackThis forum for one of the experts to advise on.
Whenever you clean anything off, turn off System Restore before you start and turn it back on again when you have finished.
dai is online now  
Old 12-17-2004, 07:10 AM   #3 (permalink)
Knower of all that is MS
 
CTSNKY's Avatar
 
Join Date: Aug 2004
Posts: 10,755
OS: (multiple machines) 95, 98, 2K & XP Home & Pro


The "official" speech:

Please download HijackThis - this program will help us determine if there is any spyware/malware on your computer. Create a folder at C:\HJT and move HijackThis.exe there. Run a scan and save the log file. Get HijackThis Analyzer and save it to the same folder as the hijackthis.log file. Run HijackThis Analyzer and type in y if you agree. Open up the result.txt file created. Copy the whole result.txt log and post it in the forum. Do not fix anything in HijackThis, since the entries may be harmless.
__________________


GO BIG BLUE!!
CTSNKY is offline  
Old 12-17-2004, 07:39 AM   #4 (permalink)
Registered User
 
Join Date: Nov 2004
Posts: 4
OS: xp


re:cws toolband

There's a lot of that going around and I'm here looking for answers to one of CWS's variants. While there are people here with way more info to give than I can, I'll at least throw my two bits' worth in.
You are going to need a couple of other basic anti-malware programs like Lavasoft's Ad-Aware SE and Spybot Search and Destroy... both have free unlicensed versions. With both programs they'll locate a number of components of the trojan that you have... you could, or should, first disconnect from the internet before running them and of course delete all temporary files. Restart in SAFE MODE. Then, when the parts of the trojan are found, you could delete them straight away, or you can go to RUN and type 'regedit', then on the anti-spyware program click on the found items and right-click 'jump to location' or 'locate'... and then your registry viewer will allow you to see exactly where these bugs are lodged and you can manually delete them.
There's also a program called Spy Guard that alerts you whenever a 'site hijacker' attempts to change your browser's registry settings. It alerts you that a program is trying to do so and gives you the option to accept or reject the new setting.
There are possibly planted bugs in your C:\Windows or C:\Windows\System32 folder that you'll have to find... that are either 0 byte files, some randomly named, 33 byte files and 77 byte files that will have the day, hour and minute that your computer became infected. You can find that out by going to 'view' on your browser's taskbar and then to 'arrange icons' by first 'size' then 'modify' (which is the date they'd be created). Look them up on the net first to make sure that they're not important system files. The bug files you'll want to delete... some will be relatively difficult to delete, for which you can always right-click on... go to properties... and change the properties to 'read only'.
(to my much more knowledgeable readers and administrators here... please correct any errant info I'm offering here)
...then that should allow you to delete them.
Some of the variants... thanks to Melkosoft for inventing this trojan pestilence... are as up to date as most anti-spyware programs are... make sure you web-update all your security programs constantly!
Check the processes running in your taskbar... there's a program called 'Process Explorer'... possibly other programs exist doing the same function, but it basically analyzes the processes running on your computer... tells you the DLLs driving it... basically gives you a rundown on what is going on, if your case is anything like mine, which was a similar trojan... maybe connected to another???
My problem is that there's a .dll in my system folder that's wrapped itself around an important application (winlogon.exe) and a less important one (wdfmgr.exe) and I have to figure out how to extricate that one. But it must be related to the same virus... because the (randomly named) .dll has the exact time and date of the initial infection and Symantec has been unable to delete or quarantine it, and it refuses me permission to change it or delete it... my thought... because its original language was Russian... (does that have anything to do with it?... likely not, just have to consider it)

Hope some of that helps...and if anyone wants to correct any of that feel free. I'm just a novice myself.

good luck
chariotdrvr is offline  
Old 12-18-2004, 06:06 AM   #5 (permalink)
Old Timer
 
jgvernonco's Avatar
 
Join Date: Sep 2003
Location: Northern Arizona
Posts: 7,960
OS: Vista Home Premium, SP 27


Quote:
Originally Posted by chariotdrvr
[post #4 quoted in full]

Posting the log is easier...
jgvernonco is offline  
Old 12-19-2004, 06:32 PM   #6 (permalink)
Registered User
 
Join Date: Dec 2004
Posts: 5
OS: Win2000


hijackthis logfile

The following is my HijackThis log file. Please advise.

Logfile of HijackThis v1.97.7
Scan saved at 8:20:45 AM, on 12/20/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\NavNT\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\ORL\VNC\WinVNC.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\NavNT\vptray.exe
C:\Program Files\Common Files\CMEII\CMESys.exe
C:\PROGRA~1\AQUATI~1\AQ3HEL~1.EXE
C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Common Files\GMT\GMT.exe
C:\Documents and Settings\Jones.Pardosi\Start Menu\Programs\Startup\ipmsg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jones.Pardosi\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = JKTSOS17:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.20.2.3;<local>
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINNT\Downloaded Program Files\ycomp5_3_16_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINNT\Downloaded Program Files\ycomp5_3_16_0.dll
O3 - Toolbar: (no name) - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\ORL\VNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [HP Lamp] "C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [AQ3HelperStartUp] C:\PROGRA~1\AQUATI~1\AQ3HEL~1.EXE /partner AQ3
O4 - HKLM\..\Run: [BO1HelperStartUp] C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE /partner BO1
O4 - Startup: ipmsg.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.kompas.com/CFIDE/classes/CFJava.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downlo...22/wmv9VCM.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub...sh/swflash.cab
O16 - DPF: {E2F2B9D0-96B9-4B25-B90C-636ECB207D18} - http://www.getweathercast.com/WUInstCAST.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.comp...io5_3_16_0.cab

Thank You,
MB
bagong is offline  
Old 12-19-2004, 07:23 PM   #7 (permalink)
Knower of all that is MS
 
CTSNKY's Avatar
 
Join Date: Aug 2004
Posts: 10,755
OS: (multiple machines) 95, 98, 2K & XP Home & Pro


Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

You have an outdated version of HijackThis. Click here to get the latest version of HijackThis.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Download and install Spybot S&D. Run Spybot and click on the 'Search for Updates' button. Install any updates that are available. Next click on the 'Check for Problems' button. Let it run the scan. If it finds something, check all those in RED and hit the Fix Selected Problems button. Exit Spybot. If you keep getting the DSO Exploit entries, even after you updated Windows and fixed them, then download the Spybot DSO Exploit Fix and install it over the current Spybot installation.

Please download Ad-aware SE and install it if you don't have it already. Make sure it's the newest version and check for any updates before running it. Also go here to get the plug-in for fixing VX2 variants. To run this tool, go into Ad-aware->Add-ons and select VX2 Cleaner. Then click Run Tool and OK to start it. If it's clean, it will say Status System Clean. Otherwise, you will have to click on the Clean button to remove the VX2 infection. Also make sure to customize the settings in Ad-aware for better scan results. Run the scan and fix everything that it finds.

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it):

C:\Program Files\Common Files\CMEII\CMESys.exe
C:\Program Files\Common Files\GMT\GMT.exe
C:\Documents and Settings\Jones.Pardosi\Start Menu\Programs\Startup\ipmsg.exe

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R3 - Default URLSearchHook is missing
O3 - Toolbar: (no name) - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - (no file)
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"

Do you know what the following program(s) are for? If not, check these too:
O4 - HKLM\..\Run: [AQ3HelperStartUp] C:\PROGRA~1\AQUATI~1\AQ3HEL~1.EXE /partner AQ3
O4 - HKLM\..\Run: [BO1HelperStartUp] C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE /partner BO1


O4 - Startup: ipmsg.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\Program Files\Common Files\CMEII\
C:\Program Files\Common Files\GMT\
C:\Documents and Settings\Jones.Pardosi\Start Menu\Programs\Startup\ipmsg.exe
C:\Program Files\AQUATI~1\ <<<Only if you do not recognize this folder!
C:\Program Files\BUTTER~1\ <<<Only if you do not recognize this folder!

Reboot into Normal Mode and post a new HijackThis log file so we can make sure it's clean.
__________________


GO BIG BLUE!!
CTSNKY is offline  
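The last step of the procedure above is verification: post a fresh log so the helper can confirm the flagged entries are gone. As an added example (not code from this thread, from HijackThis, or from the forum's analysts), the Python below parses HijackThis entry lines, diffs a "before" and an "after" log, and lists which requested fixes are still present. The two sample logs are constructed excerpts of the logs in posts #6 and #8, and the "orphan entry" heuristic ('(no file)' / 'is missing') is an assumption of this example, not a HijackThis rule.

```python
import re

# HijackThis entry lines start with a section code (R0/R1/R3, F, N, O1..O2x)
# followed by " - "; header lines and the running-process list do not.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.+)$")

# Constructed excerpts of the two logs in this thread: post #6 (before the
# cleanup) and post #8 (after it). Only entries relevant to the diff are kept.
LOG_BEFORE = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\Program Files\Common Files\CMEII\CMESys.exe

R3 - Default URLSearchHook is missing
O3 - Toolbar: (no name) - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - (no file)
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - Startup: ipmsg.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
"""

LOG_AFTER = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\PROGRA~1\NavNT\vptray.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - Startup: ipmsg.exe
"""

# The entries the helper asked to 'Fix checked' in post #7 (subset).
REQUESTED_FIXES = [
    "R3 - Default URLSearchHook is missing",
    "O3 - Toolbar: (no name) - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - (no file)",
    r'O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"',
    "O4 - Startup: ipmsg.exe",
    r"O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe",
]


def parse_entries(log_text):
    """Return only the entry lines of a log, in file order."""
    return [ln.strip() for ln in log_text.splitlines() if ENTRY_RE.match(ln.strip())]


def diff_logs(before_text, after_text):
    """(entries removed by the cleanup, entries that are new in the second log)."""
    before, after = set(parse_entries(before_text)), set(parse_entries(after_text))
    return sorted(before - after), sorted(after - before)


def pending_fixes(after_text, requested):
    """Requested fixes that are still present in the new log, in request order."""
    after = set(parse_entries(after_text))
    return [entry for entry in requested if entry in after]


def orphan_entries(log_text):
    """Assumed heuristic: entries that point at nothing on disk are leftovers
    worth fixing even when no malware name is attached to them."""
    return [e for e in parse_entries(log_text)
            if "(no file)" in e or "is missing" in e]


if __name__ == "__main__":
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("Removed by the cleanup:", *removed, sep="\n  ")
    print("New in the second log:", *added, sep="\n  ")
    print("Requested fixes still present:",
          *pending_fixes(LOG_AFTER, REQUESTED_FIXES), sep="\n  ")
    print("Entries pointing at nothing:", *orphan_entries(LOG_AFTER), sep="\n  ")
```

Run against the two full logs in the thread, the "new" list shows the Microsoft default R0/R1 entries restored by the fix, and the pending list matches what the final reply still asks to fix.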
Old 12-22-2004, 03:56 AM   #8 (permalink)
Registered User
 
Join Date: Dec 2004
Posts: 5
OS: Win2000


Thumbs Up CWS:Toolband

Sir:
Thank you for your kind advice. I have followed the instructions. I have checked my IE and it is back to normal.
However, I am posting the latest HijackThis log.
Thank You,
Bagong

Logfile of HijackThis v1.97.7
Scan saved at 2:27:23 PM, on 12/22/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\NavNT\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\ORL\VNC\WinVNC.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\NavNT\vptray.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Documents and Settings\Jones.Pardosi\Start Menu\Programs\Startup\ipmsg.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\WINNT\System32\svchost.exe
C:\Documents and Settings\Jones.Pardosi\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir...r=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = JKTSOS17:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.20.2.3;<local>
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINNT\Downloaded Program Files\ycomp5_3_16_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINNT\Downloaded Program Files\ycomp5_3_16_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\ORL\VNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [HP Lamp] "C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - Startup: ipmsg.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.kompas.com/CFIDE/classes/CFJava.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downlo...22/wmv9VCM.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub...sh/swflash.cab
O16 - DPF: {E2F2B9D0-96B9-4B25-B90C-636ECB207D18} - http://www.getweathercast.com/WUInstCAST.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.comp...io5_3_16_0.cab
bagong is offline  
Old 12-22-2004, 09:08 AM   #9 (permalink)
Analyst, Security Team
 
greyknight17's Avatar
 
Join Date: Jul 2004
Location: New York
Posts: 14,327
OS: Windows 98 & Windows XP Home/Pro


You have an outdated version of HijackThis. Click here to get the latest version of HijackThis.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it):

C:\Documents and Settings\Jones.Pardosi\Start Menu\Programs\Startup\ipmsg.exe

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R3 - Default URLSearchHook is missing
O4 - Startup: ipmsg.exe

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\Documents and Settings\Jones.Pardosi\Start Menu\Programs\Startup\ipmsg.exe

Reboot into Normal Mode and run new HijackThis scan. Save the log file and run HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum.

To help prevent future spyware installations/infections, please read the Anti-Spyware Section and use the tools provided.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.

greyknight17 is offline  
All times are GMT -7. The time now is 09:24 AM.



Copyright 2001 - 2008, Tech Support Forum
