mborschow (Trooper; Joined: May 13, 2004; Posts: 18; Location: USA)
Posted: Wed Jun 02, 2004 5:19 pm    Post subject: Coolweb Search resistance to CWShredder

I've posted probably 5 times with problems over the past 2 days and can't seem to get any response, but I think I may have narrowed my problem down to CoolSearch. My home page keeps reverting to about:blank with a generic search page that has no trademark on it. I run CWShredder and it doesn't find anything. When I run Adaware and Spybot, they always find CoolWeb stuff, even if I run Adaware back to back, it KEEPS finding new registry entries and files. So I suppose it keeps getting downloaded from somewhere? Also, I get these strange "BACKUP" files in my C:\ directory. About 8 of them appear at a time. I've cleaned my system with AntiVir XP, Housecall, and RAV. The problems are still occurring with porn popups, prolific adware downloads, and homepage reverting to the about:blank search page.
Does ANYONE have a clue? My posts seem to be completely ignored. Does that mean I have a serious problem??? Here's my HJT:
Logfile of HijackThis v1.97.7
Scan saved at 4:18:58 PM, on 6/2/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\Verizon Voyager\High Speed Internet Service\WinPoET\WrOS.EXE
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Support Center\bin\mpbtn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Christian\My Documents\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer customized for Verizon Voyager
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ie - {2FF5573C-0EB5-43db-A1B2-C4326813468E} - c:\windows\iehr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: (no name) - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - (no file)
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Entt] C:\Documents and Settings\Christian\Application Data\rsoi.exe
O4 - Global Startup: Verizon Support Center.lnk = C:\Program Files\Support Center\bin\matcli.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Control Pad (HKLM)
O9 - Extra button: AIM (HKLM)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/7d90...scan53.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc...wflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l...cfscan.cab

lilliebet65 (Site Moderator; Premium Member; Joined: Dec 03, 2003; Posts: 2093; Location: UK)
Posted: Wed Jun 02, 2004 6:07 pm
Hi mborschow
It's perhaps because you've posted so many times that you're not getting a response. Our volunteer experts can only do so much, if they see your name all over the forums they don't know how many responses you've had. Please follow the guidelines, post only one HJT log in one forum - be patient and we will help you as soon as humanly possible. I have requested help, sit tight - someone will check your log soon. Thanks for your co-operation
_________________
I'm Spartacus!

LoPhatPhuud (Security Expert; Premium Member; Joined: Mar 09, 2002; Posts: 271)
Posted: Wed Jun 02, 2004 8:19 pm
You have a CoolWebSearch variant infection which requires special treatment.
=== Find Hidden dll ===
Download 'Dllfix.exe' from:
http://tools.zerosrealm.com/dllfix.exe
http://downloads.subratam.org/dllfix.exe
It is a self-extracting archive; double click on it.
Open the DLLFIX folder and double click on Start.bat.
At the main menu, press '1' (Run Find-All by FreeAtLast) and enter.
Let the program run.
When finished, Press 'E' to exit.
Open the DLLFix folder.
1. Post the contents of Output.txt in this thread.
2. Attach file Windows.txt to the same post. (Attach, do not post, the file is in binary)

mborschow (Trooper; Joined: May 13, 2004; Posts: 18; Location: USA)
Posted: Wed Jun 02, 2004 9:45 pm    Post subject: As requested...
I did as you requested. Here is the output log:
--==***@@@ FIND-ALL' VERSION MODIFIED -5/27 @@@***==--
--==***@@@ ORIGINAL BY FREEATLAST @@@***==--
Wed 06/02/2004
08:42 PM
System Info:
Microsoft Windows XP [Version 5.1.2600]
C: "" (1447:17F9) - FS:FAT clusters:16k
Total: 19 994 066 944 [19G] - Free: 5 232 558 080 [4.9G]
*IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe
*Notepad version :
5.1.2600.0 C:\WINDOWS\system32\notepad.exe
5.1.2600.0 C:\WINDOWS\notepad.exe
! REG.EXE VERSION 2.0
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q832894;Q831167;
Locked or 'Suspect' file(s) found...
\\?\C:\WINDOWS\System32\RASADHLP.DLL +++ File read error
\\?\C:\WINDOWS\System32\RASADHLP.DLL +++ File read error
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"AppInit_DLLs"=""
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2FF5573C-0EB5-43db-A1B2-C4326813468E}]
@="ie"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
REGEDIT4
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"
! REG.EXE VERSION 2.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_Dlls REG_SZ
*Security settings for 'Windows' key:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM
The other file is attached. Thanks for your help! I hope this works!!!
Attachment: windows1.txt (8 KB)
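Find-All's output above is a hand-made audit: it exports the AppInit_DLLs value, the Browser Helper Objects key and the PROTOCOLS\Filter key, and lists files it could not read. The script below is an added Python example, not the Find-All or DLLFix tool and not code from anyone in this thread; it reads a dump of that text rather than the live registry, so it runs anywhere, and re-applies the checks the expert made by eye. The input is abridged from the output above, with one text/html filter entry added purely to show that check firing (that entry is constructed and was not in the log). The BHO allowlist and the set of known Microsoft filter CLSIDs are assumptions chosen for this thread.

```python
"""Triage a Find-All style dump (REGEDIT4 export plus locked-file lines).

Added example for this thread: it is not the DLLFix/Find-All tool and does not
touch the live registry; it re-applies the checks the expert made by eye to the
text of the output. The allowlists are assumptions chosen for illustration.
"""
import re

# Sample input, abridged from the Find-All output posted above. The final
# text/html filter entry is constructed for illustration and was NOT in the log.
SAMPLE_OUTPUT = r"""
Locked or 'Suspect' file(s) found...
\\?\C:\WINDOWS\System32\RASADHLP.DLL +++ File read error
\\?\C:\WINDOWS\System32\RASADHLP.DLL +++ File read error
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"Spooler"="yes"
"AppInit_DLLs"=""
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2FF5573C-0EB5-43db-A1B2-C4326813468E}]
@="ie"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
REGEDIT4
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
@="constructed hijack filter (not from the log)"
"CLSID"="{DEADBEEF-0000-4000-8000-000000000001}"
"""

ALLOWED_BHO = {  # assumption: BHOs the expert treated as legitimate in this thread
    "{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}": "Adobe AcroIEHelper.dll",
    "{53707962-6F74-2D53-2644-206D7942484F}": "Spybot SDHelper.dll",
}
KNOWN_FILTER_CLSIDS = {  # assumption: Microsoft filter CLSIDs seen in the clean part of the dump
    "{32B533BB-EDAE-11D0-BD5A-00AA00B92AF1}",
    "{8F6B0360-B80D-11D0-A9B3-006097942311}",
    "{733AC4CB-F1A4-11D0-B951-00A0C90312E1}",
}
WINDOWS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
FILTER_KEY = r"HKEY_CLASSES_ROOT\PROTOCOLS\Filter"

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VAL_RE = re.compile(r'^(?:"([^"]*)"|@)=(.*)$')


def parse_regedit4(text):
    """Return ({key: {value_name: value}}, [locked file paths]) from the dump text."""
    keys, locked, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if "+++ File read error" in line:  # Find-All's locked-file marker
            path = line.split(" +++", 1)[0].replace("\\\\?\\", "")
            if path not in locked:
                locked.append(path)
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VAL_RE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            keys[current][name] = m.group(2).strip().strip('"')
    return keys, locked


def triage(text):
    """Apply the checks the thread relies on and return a list of findings."""
    keys, locked = parse_regedit4(text)
    findings = []

    # 1. AppInit_DLLs: anything listed here is loaded into every process that
    #    links user32.dll, which is the load path the DLLFix log calls the 'Bad Appinit Value'.
    windows_values = keys.get(WINDOWS_KEY, {})
    appinit = next((v for n, v in windows_values.items() if n.lower() == "appinit_dlls"), "")
    if appinit:
        findings.append(f"AppInit_DLLs is not empty: {appinit}")

    for key, values in keys.items():
        leaf = key.rsplit("\\", 1)[-1]
        # 2. Browser Helper Objects whose CLSID is not on the allowlist.
        if key.startswith(BHO_KEY + "\\"):
            clsid = leaf.upper()
            if clsid not in ALLOWED_BHO:
                findings.append(f"BHO not on allowlist: {clsid} ({values.get('@', '(no name)')})")
        # 3. MIME/protocol filters with an unknown CLSID (a text/html filter lets
        #    a DLL rewrite every page IE renders).
        elif key.startswith(FILTER_KEY + "\\"):
            clsid = values.get("CLSID", "").upper()
            if clsid not in KNOWN_FILTER_CLSIDS:
                findings.append(f"Unknown protocol filter {leaf}: {clsid}")

    # 4. Files the scanner could not read: a DLL locked at scan time is the
    #    signal this thread's fix keyed on.
    for path in locked:
        findings.append(f"Locked or unreadable file: {path}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_OUTPUT):
        print(finding)
```

Run against the dump above it reports three things: the BHO named "ie" with an unknown CLSID, the constructed text/html filter, and the unreadable RASADHLP.DLL; the empty AppInit_DLLs value and the Microsoft filters pass. A value the exporter cannot see will not appear in a dump at all, which is why the locked-file line is the stronger signal here: the DLLFix log posted later confirms that rasadhlp.dll was the file tied to the AppInit value it removed.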

LoPhatPhuud (Security Expert; Premium Member; Joined: Mar 09, 2002; Posts: 271)
Posted: Wed Jun 02, 2004 10:01 pm
=== Remove Hidden dll === (manual entry of dll name)
Open the DLLFIX folder and double click on Start.bat.
At the main menu, press '2' (Run Fix) and enter.
At the second menu, press '1' (Enter DLL Name Manually) and enter.
1. At the prompt, enter: RASADHLP.DLL
Your system will reboot in 15 seconds and begin the fix.
When finished, there will be a log (log.txt) in the dllfix folder.
=== Clean Remaining Infection ===
Please Download CoolWebShredder, from
http://www.merijn.org/files/cwshredder.zip
http://www.zerosrealm.com/downloads/CWShredder.zip
Extract CWShredder to its own folder,
Click the 'Fix ->' button.
Make sure you let it fix all CWS Remnants.
Next:
Download the latest version of Ad-Aware at
http://www.lavasoft.de/software/adaware/
After installing AAW, and before running the program, you NEED to FIRST update the reference file following the instructions here: http://www.lavahelp.com/howto/updref/index.html
Select 'custom options'.
Select your drive, scan and fix all it finds.
=== Post All Logs ===
Run HiJackThis again and post a new log in this thread.
Run Start.bat from the dllfix folder again.
At the main menu, press '1' (Run Find-All by FreeAtLast) and enter.
Let the program run.
When finished, Press 'E' to exit.
Post the output.txt, logs.txt and the saved HiJackThis log in this thread.
Attach the Windows.txt file, as before. (Attach, do not post, the file is in binary)

mborschow (Trooper; Joined: May 13, 2004; Posts: 18; Location: USA)
Posted: Wed Jun 02, 2004 11:14 pm    Post subject: New logs
I did as requested. CWShredder found nothing on my system. Then I updated and ran Adaware. It found some CoolWebSearch registry entries, which I deleted. (CWShredder missed them?)
The log for the DLLFix requested that I email a zip file to an aol address, so I did.
Whoever you are, you're brilliant. Thank you!
HJT log:
Logfile of HijackThis v1.97.7
Scan saved at 10:01:48 PM, on 6/2/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\Verizon Voyager\High Speed Internet Service\WinPoET\WrOS.EXE
C:\Program Files\Support Center\bin\mpbtn.exe
C:\Documents and Settings\Christian\My Documents\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.passport.net/uilogin.srf?id=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer customized for Verizon Voyager
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ie - {2FF5573C-0EB5-43db-A1B2-C4326813468E} - c:\windows\iehr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: (no name) - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - (no file)
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Entt] C:\Documents and Settings\Christian\Application Data\rsoi.exe
O4 - Global Startup: Verizon Support Center.lnk = C:\Program Files\Support Center\bin\matcli.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Control Pad (HKLM)
O9 - Extra button: AIM (HKLM)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/7d90...scan53.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc...wflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l...cfscan.cab
DLLFix output log:
--==***@@@ FIND-ALL' VERSION MODIFIED -5/27 @@@***==--
--==***@@@ ORIGINAL BY FREEATLAST @@@***==--
Wed 06/02/2004
10:07 PM
System Info:
Microsoft Windows XP [Version 5.1.2600]
C: "" (1447:17F9) - FS:FAT clusters:16k
Total: 19 994 066 944 [19G] - Free: 5 223 809 024 [4.9G]
*IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe
*Notepad version :
5.1.2600.0 C:\WINDOWS\system32\notepad.exe
5.1.2600.0 C:\WINDOWS\notepad.exe
! REG.EXE VERSION 2.0
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q832894;Q831167;
Locked or 'Suspect' file(s) found...
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"Appinit_Dlls"=""
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2FF5573C-0EB5-43db-A1B2-C4326813468E}]
@="ie"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
REGEDIT4
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"
! REG.EXE VERSION 2.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_Dlls REG_SZ
*Security settings for 'Windows' key:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM
DLLFix logs content:
CWSDLL/Searchx Appinit Fix By Shadowwar
Version 2.01 053104
Please Do not mirror Without Permission!
I can be contacted at spywaresubmit at aol.com
Wed 06/02/2004
09:41 PM
Backing up Registry Hive
The operation completed successfully
Deleting Windows Key
The operation completed successfully
Adding Test Windows Key
The operation completed successfully
Restoring temp Values Key
The operation completed successfully
Deleting Bad Appinit Value
The operation completed successfully
Backup of Modified Hiv
The operation completed successfully
Deleting test Windows key
The operation completed successfully
Deleting Filter text
Running from C:\Fix\dllfix
Processing File Manually
C:\WINDOWS\system32\rasadhlp.dll
Md5 Check of C:\WINDOWS\system32\rasadhlp.dll
Md5 tested As C5ABBBD9C7307679B4FBA203213A6FD4
File was found but md5 didnt match
MD5 was: C5ABBBD9C7307679B4FBA203213A6FD4
Resetting file attributes
File was zipped for submission to Shadowwar
File is located at C:\Fix\dllfix\submit.zip
please Email a copy to spywaresubmit at aol.com
Please include a link to your post.
File is still in original location now unlocked.
It is now ok to proceed with Rest of Cleanup.
Adding Back Windows Key
The operation completed successfully
Restoring Registry Hive
The operation completed successfully
Restoring Cleaned Appinit Value
The operation completed successfully
Attachment: windows1.txt (8 KB)

LoPhatPhuud (Security Expert; Premium Member; Joined: Mar 09, 2002; Posts: 271)
Posted: Wed Jun 02, 2004 11:53 pm
Thanks, but the real credit goes to the people who develop these fixes. I just take their works and use them.
I expected CWShredder to return empty, but it was best to be sure. This particular infection is one of the nastier ones around.
Still a little cleanup to do and you will be clean.
Before we begin, please be sure that HiJackThis is in a permanent folder. This will allow us to use backups to restore entries if necessary. I suggest 'c:\program files\hijackthis\' but any folder other than the Desktop or a temporary folder is fine.
Reboot in Safe Mode* and run HiJackThis. <-- IMPORTANT
Check the following items in HijackThis.
O2 - BHO: ie - {2FF5573C-0EB5-43db-A1B2-C4326813468E} - c:\windows\iehr.dll
O3 - Toolbar: (no name) - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - (no file)
O4 - HKCU\..\Run: [Entt] C:\Documents and Settings\Christian\Application Data\rsoi.exe
Close all windows except HijackThis and click Fix checked:
While still in Safe Mode*, delete the following: (you may need to show hidden files**)
C:\Documents and Settings\Christian\Application Data\rsoi.exe
*How to Boot into Safe mode: http://service1.symantec.com/SUPPORT/ts...2409420406
**Show hidden files/folders as per the instructions here http://www.tacktech.com/display.cfm?ttid=190
Also, uncheck the boxes for hiding known file extensions and hiding protected operating system files. We want to see it all. When we finish here, it would be a good idea to rehide the protected operating system files but leave the rest to be shown.
Reboot in normal mode.
Post another HiJackThis log for final review.
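The three entries singled out above are the kind a HijackThis reviewer picks out on sight: a BHO with a throwaway name living directly in c:\windows, a toolbar whose file is gone, and a Run entry launching an executable out of Application Data. The script below is an added Python example, not HijackThis and not anything posted in this thread; it applies those judgements, plus the O1 hosts and about:blank checks that come up elsewhere in the thread, to a sample log assembled from lines posted here. The allowlists (KNOWN_BHO_DLLS, KNOWN_SYSTEM_STARTUPS) are assumptions fitted to this one machine, not a reference list.

```python
"""Heuristic triage of HijackThis log lines.

Added example for this thread: it is not HijackThis and not a tool anyone in the
thread used; it encodes the judgements the reply above makes by eye. The
allowlists are assumptions chosen to fit the logs posted here.
"""
import re

# Sample log, assembled from entries that appear in the logs posted in this thread.
SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O1 - Hosts: 207.36.196.189 ieautosearch
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ie - {2FF5573C-0EB5-43db-A1B2-C4326813468E} - c:\windows\iehr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O3 - Toolbar: (no name) - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - (no file)
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [yaxzhebfwva] C:\WINDOWS\System32\loannctj.exe
O4 - HKLM\..\Run: [l_anets] C:\WINDOWS\System32\l_anets.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Entt] C:\Documents and Settings\Christian\Application Data\rsoi.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
"""

KNOWN_BHO_DLLS = {"acroiehelper.dll", "sdhelper.dll"}                    # assumption
KNOWN_SYSTEM_STARTUPS = {"ati2mdxx.exe", "atiptaxx.exe", "point32.exe"}  # assumption

_LINE_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
_EXE_RE = re.compile(r'([^"\\]+\.exe)', re.IGNORECASE)


def parse_hjt(text):
    """Yield (section code, remainder) for every R/O line in the log."""
    for raw in text.splitlines():
        m = _LINE_RE.match(raw.strip())
        if m:
            yield m.group(1), m.group(2)


def triage_hjt(text):
    """Return the log lines a reviewer would tick for 'Fix checked', with the reason."""
    findings = []
    for code, rest in parse_hjt(text):
        low = rest.lower()
        if code.startswith("R") and "about:blank" in low:
            # CWS variants park the home/search page on about:blank and serve their own page there.
            findings.append(f"{code} home/search page set to about:blank: {rest}")
        elif code == "O1":
            # HijackThis only lists hosts entries beyond the default, so every O1 line is suspect.
            findings.append(f"O1 hosts-file redirection: {rest}")
        elif code in ("O2", "O3"):
            # Format: 'BHO: name - {CLSID} - path'  /  'Toolbar: name - {CLSID} - path'
            parts = [p.strip() for p in rest.split(" - ")]
            name, path = parts[0].split(": ", 1)[1], parts[-1]
            if path == "(no file)":
                findings.append(f"{code} orphaned entry, file missing: {rest}")
            elif code == "O2" and path.rsplit("\\", 1)[-1].lower() not in KNOWN_BHO_DLLS:
                findings.append(f"O2 BHO not on allowlist ({name}): {path}")
        elif code == "O4":
            # Run entries look like '[Name] command'; Global Startup like 'x.lnk = path'.
            cmd = rest.split("] ", 1)[1] if "] " in rest else rest.split(" = ", 1)[-1]
            cmd_low = cmd.lower()
            m = _EXE_RE.search(cmd)
            exe = m.group(1).lower() if m else ""
            if "application data" in cmd_low or "\\local settings\\" in cmd_low:
                findings.append(f"O4 autostart from a user-writable profile folder: {rest}")
            elif ("\\system32\\" in cmd_low or "\\" not in cmd_low) and exe not in KNOWN_SYSTEM_STARTUPS:
                # A bare file name resolves through the system path, so treat it like System32.
                findings.append(f"O4 unrecognised autostart in System32: {rest}")
    return findings


if __name__ == "__main__":
    for finding in triage_hjt(SAMPLE_HJT_LOG):
        print(finding)
```

Run as-is it prints the eight lines a reviewer would tick, and leaves the Adobe and Spybot BHOs, the ATI and QuickTime entries and the Office shortcut alone. An allowlist this short only works for one machine; the point is that the reviewer's rules (where the file lives, whether it still exists, whether the name means anything) are mechanical enough to write down.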

mborschow (Trooper; Joined: May 13, 2004; Posts: 18; Location: USA)
Posted: Thu Jun 03, 2004 2:29 pm
I'm sorry it took so long to reply. The computer was left alone in fairly good shape for 8 hours while I slept. When I woke up, 13 programs had installed themselves: Action Alert, Bridge, Coupons and Offers, CSync, Ebates Moe Money Maker, IE Driver, Internet Optimizer, IST Service, Max Speed, MProcessor, PGate Basic, WSEM Update, and XXX Toolbar. I attempted to log onto this site to report, but I would get a "Cannot Find Server" response, and an immediate redirection to PCBugDoctor.com. This continued to happen, so I figured I'd have to do some cleaning before I could access the site. Adaware found 182 Registry Keys, and 21 values! (In only 8 hours.) Spybot found some. And I cleaned with AntiVir, and manually, as well.
I did as you instructed, however, the first two items you wanted me to fix were not in the HJT list.
O2 - BHO: ie - {2FF5573C-0EB5-43db-A1B2-C4326813468E} - c:\windows\iehr.dll
O3 - Toolbar: (no name) - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - (no file)
And after displaying hidden files and system files, I was unable to locate:
C:\Documents and Settings\Christian\Application Data\rsoi.exe
As the computer stands now, my homepage is NOT redirected, it is fine. I still get 3-4 popups when I start IE, and popup blitz when I navigate to hotmail or yahoo. I'm also getting a series of 4 dialog boxes asking if I want Virtual Bouncer to raise my security levels. I think I successfully eradicated it from my system moments ago, though. I still cannot get rid of Coupons and Offers, or PGate Basic. All other installed programs are gone.
Here is my new HJT log:
Logfile of HijackThis v1.97.7
Scan saved at 1:12:29 PM, on 6/3/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\Verizon Voyager\High Speed Internet Service\WinPoET\WrOS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\System32\loannctj.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Support Center\bin\mpbtn.exe
C:\WINDOWS\System32\l_anets.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Christian\My Documents\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer customized for Verizon Voyager
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O1 - Hosts: 207.36.196.189 ieautosearch
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [yaxzhebfwva] C:\WINDOWS\System32\loannctj.exe
O4 - HKLM\..\Run: [l_anets] C:\WINDOWS\System32\l_anets.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Verizon Support Center.lnk = C:\Program Files\Support Center\bin\matcli.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Control Pad (HKLM)
O9 - Extra button: AIM (HKLM)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/7d90...scan53.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc...wflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l...cfscan.cab

mborschow (Trooper; Joined: May 13, 2004; Posts: 18; Location: USA)
Posted: Thu Jun 03, 2004 5:29 pm
Apparently I have the BetterInternet trojan. Adaware finds a new dll file every time I run it. It only finds one. Each time, the file name is different, and it says I cannot remove it unless I reboot. So I reboot, the file is deleted. I run Adaware again, and a NEW dll file is detected linked with VX2.BetterInternet...but of course it has a different filename. It can't be deleted until I reboot, so I do, the file is deleted, I run Adaware again, and guess what happens? Lather, rinse, repeat.
Could this be the source for the onslaught of popups?

mborschow (Trooper; Joined: May 13, 2004; Posts: 18; Location: USA)
Posted: Thu Jun 03, 2004 6:19 pm
Sorry to KEEP posting things before you have a chance to address the other ones, but I just ran an Adaware scan (I've been doing it hourly to keep up with the rampant spyware installations) and it found numerous CoolWebSearch components on my system, so apparently I haven't got rid of it effectively. Argh!

LoPhatPhuud (Security Expert; Premium Member; Joined: Mar 09, 2002; Posts: 271)
Posted: Thu Jun 03, 2004 7:03 pm
To avoid future infections you are going to have to take steps to ensure that this does not re-occur. The computer was clean of CWS exploits and other infections when we finished; any further detections are new infections. Better Internet (Look2me) is another difficult infection to remove but there is a program for it.
All your current infections were gathered on the internet. The computer did not miraculously infect itself while you slept. If you did not surf to the locations where these infected your system, someone else did!
Judging from your comments and the new log, I would suggest you quarantine the computer when you are not using it. Sooner or later you are going to end up having to reformat and re-install if this pattern continues. It will be just a matter of time until you get some serious trojans.
First:
Download the following tool and install it in its own folder:
http://tools.zerosrealm.com/VX2Finder.exe
Run vx2finder.exe
Press 'Click to Find VX2.BetterInternet'
Press 'Make Log' and post it in this thread for review
Then:
Run HiJackThis again and post a new log in this thread, along with the above information.
Note:
As we are cleaning, stay off the internet except to check email. You will be notified each time I post.
Also, it appears that Computer Cops is under a ddos attack and it may take me a while to get back on.

mborschow (Trooper; Joined: May 13, 2004; Posts: 18; Location: USA)
Posted: Thu Jun 03, 2004 7:21 pm
Thanks for your patience. I'm sorry for the PM, I've gathered that it's inappropriate and I won't do it again.
3 people do use this computer, however, it was only used by me between our conversations yesterday and the onslaught of spyware today. The only sites visited during that time apart from this one were hotmail and weather.com. I understand that trojans can hide in your system and download spyware in the background. Can this be what's happening?
Is it normal to have more than 1 svchost process running simultaneously?
I did as requested, and here are the logs. I SO appreciate your help!!!
Log for VX2.BetterInternet File Finder
Files Found---
Guardian Key--- is called:
User Agent String---

Logfile of HijackThis v1.97.7
Scan saved at 6:19:17 PM, on 6/3/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\Support Center\bin\mpbtn.exe
C:\Program Files\Verizon Voyager\High Speed Internet Service\WinPoET\WrOS.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Christian\My Documents\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer customized for Verizon Voyager
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Verizon Support Center.lnk = C:\Program Files\Support Center\bin\matcli.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Control Pad (HKLM)
O9 - Extra button: AIM (HKLM)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/7d90...scan53.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc...wflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l...cfscan.cab

LoPhatPhuud (Security Expert; Premium Member; Joined: Mar 09, 2002; Posts: 271)
Posted: Thu Jun 03, 2004 7:57 pm
I will say it again, those infections you listed did not miraculously appear on your computer. They were obtained by surfing at websites. None of the sites you went to have any of those infections. I go to them daily.
I am interested in how you know the names of the infections? The first log you posted today has none of those infections showing. There is no sign of VX2.BetterInternet, nor, I doubt, was it ever there. A false positive by AdAware? Possible but unlikely. The VX2.BetterInternet finder we ran showed no signs of that exploit. AdAware cannot remove it.
Two other infections (these to be specific):
O4 - HKLM\..\Run: [yaxzhebfwva] C:\WINDOWS\System32\loannctj.exe
O4 - HKLM\..\Run: [l_anets] C:\WINDOWS\System32\l_anets.exe
Both disappeared from the first log to the last log you posted today. There is no spyware program that will remove them. Where did they go?
To answer your question re svchost.exe, yes it is normal to have more than one instance running.
Now, for the last log you posted. That log is clean also. There is no sign of infection; of any infection!!
I am going to sign off on your log. There is nothing more to do, and if you have a new infection, then I suggest you start a new thread. In closing, here is some info about protecting your system.
At last, your system is clean and free of spyware! Want to keep it that way?
Here are some simple steps you can take to reduce the chance of infection in the future.
1. Visit Windows Update:
Make sure that you have all the Critical Updates recommended for your operating system and IE. The first defense against infection is a properly patched OS.
a. Windows Update: http://v4.windowsupdate.microsoft.com/en/default.asp
2. Adjust your security settings for ActiveX:
Go to Internet Options/Security/Internet, press 'Default Level', then OK.
Now press 'Custom Level'.
In the ActiveX section, set the first two options ('Download signed and unsigned ActiveX controls') to 'Prompt', and 'Initialize and script ActiveX controls not marked as safe' to 'Disable'.
3. Download and install the following free programs:
a. SpywareBlaster: http://www.javacoolsoftware.com/spywareblaster.html
b. SpywareGuard: http://www.wilderssecurity.net/spywareguard.html
c. IE/Spyad: http://www.staff.uiuc.edu/~ehowes/resource.htm
4. Install Spyware Detection and Removal Programs:
You may also want to consider installing either or both of AdAware (free version) and Spybot S&D (freeware). Use these programs to regularly scan your system for, and remove, many forms of spyware/malware.
a. AdAware: http://www.lavasoft.de/
b. Spybot S&D: http://security.kolla.de/index.php?lang=en&page=download
For more information about Spyware, the tools available, and other informative material, including information on how you may have been infected in the first place, please check out this link: http://forum.gladiator-antivirus.com/in...topic=9857
Good luck, and thanks for coming to Computer Cops.
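The check the helper performed above, comparing the first and last HijackThis logs and looking at which O4/O16 entries remain, can be scripted. The following is an added example in Python, not code from the thread or from HijackThis itself: the two log excerpts are constructed to mirror the entries discussed (the second O16 entry, its CLSID and its example.net host are placeholders), and the allowlists of trusted cab hosts and of system-directory binaries expected in a Run key are assumptions for the example, not a vendor database.

```python
import re
from urllib.parse import urlparse

# Constructed "first" log, modelled on the entries quoted in the thread: the two
# random-named O4 entries the helper pointed at, normal O4 entries from the
# poster's log, one of his online-scanner O16 entries, and one made-up O16
# entry (placeholder CLSID, example.net host) standing in for an unwanted control.
FIRST_LOG = r"""
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [yaxzhebfwva] C:\WINDOWS\System32\loannctj.exe
O4 - HKLM\..\Run: [l_anets] C:\WINDOWS\System32\l_anets.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {01234567-89AB-CDEF-0123-456789ABCDEF} (Search Helper) - http://cab.example.net/searchbar.cab
"""

# Constructed "last" log: the same system after the two O4 entries were removed
# by hand, as the poster describes; the unknown DPF control is still there.
LAST_LOG = r"""
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {01234567-89AB-CDEF-0123-456789ABCDEF} (Search Helper) - http://cab.example.net/searchbar.cab
"""

# Every HijackThis entry line starts with its section code, e.g. "O4 - ...".
ENTRY_RE = re.compile(r"^(?P<section>O\d+) - (?P<body>.+)$")
# O4 Run-key entries: "HKLM\..\Run: [value name] command line"
O4_RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O16 entries: "DPF: {CLSID} (description) - URL"
O16_RE = re.compile(r"^DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\} \((?P<desc>[^)]*)\) - (?P<url>\S+)$")
SYSTEM_DIR_RE = re.compile(r"\\windows\\(system32|system)\\", re.IGNORECASE)

# Assumed allowlists (example values): hosts that served the scanner and Flash
# cabs in the poster's log, and system-directory binaries that are expected in
# a Run key on that machine. A real triage list would be far longer.
TRUSTED_DPF_HOSTS = {"a840.g.akamai.net", "www.ravantivirus.com",
                     "download.macromedia.com", "download.mcafee.com"}
KNOWN_SYSTEM_RUN_EXES = {"ati2mdxx.exe", "atiptaxx.exe"}


def parse_log(text):
    """Return the (section, body) pair of every HijackThis entry line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def diff_logs(first, last):
    """Entries present in the first log but not the last, and vice versa."""
    before, after = set(parse_log(first)), set(parse_log(last))
    return sorted(before - after), sorted(after - before)


def executable_of(cmd):
    """Lower-cased file name of the program a Run-key command line starts."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        path = cmd[1:end] if end > 0 else cmd[1:]
    else:
        path = cmd.split()[0] if cmd else ""
    return path.replace("/", "\\").split("\\")[-1].lower()


def triage(text):
    """Flag O4 Run entries that start an unknown binary out of the system
    directory, and O16 DPF entries fetched from a host not on the allowlist."""
    findings = []
    for section, body in parse_log(text):
        if section == "O4":
            m = O4_RUN_RE.match(body)
            if not m:
                continue  # Global Startup and other O4 forms are not handled here
            exe = executable_of(m.group("cmd"))
            if SYSTEM_DIR_RE.search(m.group("cmd")) and exe not in KNOWN_SYSTEM_RUN_EXES:
                findings.append(("O4", exe, "unknown binary started from the system directory"))
        elif section == "O16":
            m = O16_RE.match(body)
            if not m:
                continue
            host = (urlparse(m.group("url")).hostname or "").lower()
            if host not in TRUSTED_DPF_HOSTS:
                findings.append(("O16", host, "ActiveX control downloaded from an unlisted host"))
    return findings


if __name__ == "__main__":
    removed, added = diff_logs(FIRST_LOG, LAST_LOG)
    for section, body in removed:
        print("gone since first log:", section, "-", body)
    for section, body in added:
        print("new since first log:", section, "-", body)
    for section, item, why in triage(LAST_LOG):
        print("still suspicious:", section, item, "-", why)
```

Run it against two saved logs by reading them into FIRST_LOG and LAST_LOG; the diff shows what disappeared or appeared between scans (which is how the helper noticed the two manually removed entries), and the triage pass points at what still needs a decision. The allowlists are the weak point: a System32 binary that is not on the list is only "unknown", not proven malicious, so the output is a worklist for the same judgement the poster applied by hand, not a verdict.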
mborschow
Trooper
Joined: May 13, 2004
Posts: 18
Location: USA
Posted: Thu Jun 03, 2004 8:15 pm Post subject:
You might not get this since you've closed the string, but I got the name of the BetterInternet trojan from SpyBot. And the two infections that were gone from the HJT log weren't cleaned by Adaware or Spybot; I removed them manually, as I recognized that they weren't vital Windows system components. I'm a fairly advanced user, just not nearly as advanced as you!
I certainly appreciate all your help. The suggestions you made regarding security have been in place on my system for months now. I update Windows every week. I clean my system with Adaware and Spybot every day, and with AntiVir 6 every week. Rarely do things get through and cause such a serious infestation. I'm still getting uncontrolled popups. I think I may have managed to acquire a new strain of something, so I'll wait a week, battle it on my own, and then repost if I'm still having problems. Maybe by then other people will be experiencing it and posting.
Thanks again! You guys rock.
Powered by phpBB 2.0.8a © 2001 phpBB Group
Version 2.0.6 of PHP-Nuke Port by Tom Nitzschner © 2002 www.toms-home.com
Version 2.2 by Paul Laudanski © 2003-2004 Computer Cops