help to kill CWS

Unknown
edited July 2004 in Spyware & Virus Removal
greetings,

my computer is infected with the dread CWS trojan/spyware/all around badness. In addition to the pop-ups and browser hijacks, it appears to be interfering with my ndis.vxd file and causing many a conflict and many a head-ache.

I have tried to clean it out with CWShredder, AdAware, Spybot S&D and Spyware Blaster. All to no awail, as it keeps coming back. I would post a HiJack This log but the links didn't seem to work, and I shan't have a copy of the program.

Guidance please.

thank you all in advance.

Comments

  • shwaipshwaip bluffin' with my muffin Icrontian
    edited July 2004
    Welcome to short-media.

    You should be able to get hijackthis from the first link in my signature.
  • egswanso
    edited July 2004
    shwaip wrote:
    Welcome to short-media.

    You should be able to get hijackthis from the first link in my signature.
    Indeed, that was the first place I tried. I get a "the system cannot find the file specified" error
  • shwaipshwaip bluffin' with my muffin Icrontian
    edited July 2004
    I'm having no trouble getting it from that link. Could just be a flaky thing here or there.

    Here it is attached:
  • egswanso
    edited July 2004
    Great, got it. Here is my log:

    Logfile of HijackThis v1.98.0
    Scan saved at 3:25:21 PM, on 7/4/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v5.50 (5.50.4134.0100)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
    C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\DAEMON.EXE
    C:\WINDOWS\LTSMMSG.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\SYSTEM\ALISNDMG.EXE
    C:\WINDOWS\SYSTEM\DPMW32.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT MANAGER\VIEWMGR.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\EXCEL.EXE
    C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
    C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL (file missing)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: (no name) - {03F7E30D-30A6-4B74-9B61-5CD3CD9838AC} - C:\WINDOWS\SYSTEM\AELGGAA.DLL
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [TrackPointSrv] daemon.exe
    O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
    O4 - HKLM\..\Run: [LLMODCL3] c:\windows\rundll.exe setupx.dll,InstallHinfSection DefaultInstall 128 C:\WINDOWS\INF\LLMODCL2.INF
    O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\THINKPAD\EASYLA~1\TPHKMGR.EXE
    O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\THINKPAD\UTILIT~1\pwrmonit.dll,StartPwrMonitor
    O4 - HKLM\..\Run: [ALiSndMgr] ALiSndMg.exe
    O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\SYSTEM\dpmw32.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
    O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Service Manager] C:\windows\dxsound.exe
    O4 - Startup: Shortcut to killad.lnk = C:\Program Files\KillAd\killad.exe
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - (no file)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - (no file)
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
    O15 - Trusted Zone: www..nerve.com
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/09373e4318acc4cd0019/netzip/RdxIE601.cab
    O16 - DPF: {1671869C-25B3-4C80-9446-8AE6111F8765} (MaxisHotDateTeleX Control) - http://thesims.ea.com/teleport/hotdate/NPC/MaxisHotDateTeleX.cab
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
    O18 - Filter: text/html - {3BE73853-384E-462C-A287-3477FD3E0FC0} - C:\WINDOWS\SYSTEM\AELGGAA.DLL
    O18 - Filter: text/plain - {3BE73853-384E-462C-A287-3477FD3E0FC0} - C:\WINDOWS\SYSTEM\AELGGAA.DLL
    O21 - SSODL: AUHook - {BCBCD383-3E06-11D3-91A9-00C04F68105C} - C:\WINDOWS\SYSTEM\AUHOOK.DLL
  • shwaipshwaip bluffin' with my muffin Icrontian
    edited July 2004
    sorry I took so long to reply. Been a busy couple of days.

    Before I go through your log, I have a couple of questions.

    When you say the the infection keeps coming back, do you mean that it returns immediately after the CWShredder cleaning, or does it come back later on? Also, do you have all the latest updates for win ME?
  • egswanso
    edited July 2004
    shwaip wrote:
    sorry I took so long to reply. Been a busy couple of days.

    Before I go through your log, I have a couple of questions.

    When you say the the infection keeps coming back, do you mean that it returns immediately after the CWShredder cleaning, or does it come back later on? Also, do you have all the latest updates for win ME?
    CWShredder cleaned it once, and it fails to find it since. AdAware cleans it, and it comes right back; virtually immediately, although sometimes it's clean until the next reboot.

    No. The last time I got win ME updates, my OS was corrupted and I had to wipe my system. I know the risks, but it's better then the alternative.
  • shwaipshwaip bluffin' with my muffin Icrontian
    edited July 2004
    sorry...tried to reply yesterday, and my post never made it to the db.

    I'd really suggest updating windows. Several of the patches fix exploits which allow people to do this.

    however, try booting into safe mode + removing these entries:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about_:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about_:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = 127.0.0.1
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL (file missing)
    O2 - BHO: (no name) - {03F7E30D-30A6-4B74-9B61-5CD3CD9838AC} - C:\WINDOWS\SYSTEM\AELGGAA.DLL
    O4 - HKCU\..\Run: [Service Manager] C:\windows\dxsound.exe
    O18 - Filter: text/html - {3BE73853-384E-462C-A287-3477FD3E0FC0} - C:\WINDOWS\SYSTEM\AELGGAA.DLL
    O18 - Filter: text/plain - {3BE73853-384E-462C-A287-3477FD3E0FC0} - C:\WINDOWS\SYSTEM\AELGGAA.DLL
    O21 - SSODL: AUHook - {BCBCD383-3E06-11D3-91A9-00C04F68105C} - C:\WINDOWS\SYSTEM\AUHOOK.DLL

    Now, reboot, and before you log on to the internet, get a new log. Post it here please.
  • egswanso
    edited July 2004
    Alright, done. Seems to have worked (so far) vis-a-vis the about:blank and CWS, although i'm still having a conflict with my ndis.vxd

    Here's the new log:

    Logfile of HijackThis v1.98.0
    Scan saved at 7:24:21 AM, on 7/9/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v5.50 (5.50.4134.0100)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\PCHEALTH\HELPCTR\BINARIES\HELPCTR.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [TrackPointSrv] daemon.exe
    O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\THINKPAD\EASYLA~1\TPHKMGR.EXE
    O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\THINKPAD\UTILIT~1\pwrmonit.dll,StartPwrMonitor
    O4 - HKLM\..\Run: [ALiSndMgr] ALiSndMg.exe
    O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\SYSTEM\dpmw32.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
    O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
    O4 - Startup: Shortcut to killad.lnk = C:\Program Files\KillAd\killad.exe
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - (no file)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - (no file)
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
    O15 - Trusted Zone: www.mlb.com
    O15 - Trusted Zone: www.nerve.com
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/09373e4318acc4cd0019/netzip/RdxIE601.cab
    O16 - DPF: {1671869C-25B3-4C80-9446-8AE6111F8765} (MaxisHotDateTeleX Control) - http://thesims.ea.com/teleport/hotdate/NPC/MaxisHotDateTeleX.cab
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
  • shwaipshwaip bluffin' with my muffin Icrontian
    edited July 2004
    glad to hear the problem seems to be gone.

    try posting in the software or windows forum about your ndis.vxd problem. Seems more like something that goes there :)
  • egswanso
    edited July 2004
    well, it came back. i can keep deleting the files via hijack this, but there seems to remain a hiddle kernel of badness.
  • shwaipshwaip bluffin' with my muffin Icrontian
    edited July 2004
    If you don't mind me asking, what websites did you visit?

    Someone mentioned getting it from suprnova.org.

    I would also really suggest getting windows updates. Try just getting the ones related to internet explorer, and getting them one at a time.
  • egswanso
    edited July 2004
    shwaip wrote:
    If you don't mind me asking, what websites did you visit?

    Someone mentioned getting it from suprnova.org.

    I would also really suggest getting windows updates. Try just getting the ones related to internet explorer, and getting them one at a time.

    today, or when i was first infected? Since i fixed it the other day, at least, I haven't been very active on the web as i haven't been home that much: yahoo, a couple news site (bbc and the like), a couple baseball sites, and checking a couple different e-mail accounts. I've never heard of suprnova.org.

    i'm honestly not sure where i originally got it from. I think it was a russian site, but my browser was taken over by uncontrollable pop-ups and i had to quit out of IE to stop it. After that, infection.

    I'll get updates once I have a CD burner. Right now, if microsoft ****s up my computer again, i'm lose everything with no backup; which i cant afford to do.
  • shwaipshwaip bluffin' with my muffin Icrontian
    edited July 2004
    As a temporary solution, until you get a burner, I would suggest one of the alternative web browsers:
    firefox
    or
    opera
This discussion has been closed.