Full Version: HomePage Woes
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
Echolittlefellow
Appreciate some help.

Trying to help someone with the following HJT log whose homepage is changed. He has tried all sorts of programs (AA, SS&D, CWS, TH), but nothing seems to help.

Logfile of HijackThis v1.97.7
Scan saved at 8:15:12 PM, on 6/17/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Verizon Online\Visual IP InSight\IPClient.exe
C:\Program Files\Verizon Online\Visual IP InSight\IPMon32.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\sdkuw32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\EzButton System V1.0\EzButton.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Verizon Online\SupportCenter\bin\mpbtn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\sysql.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Winamp\winamp.exe
C:\Documents and Settings\JD\My Documents\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\JD\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qsouw.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://qsouw.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://qsouw.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qsouw.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://qsouw.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\qsouw.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
O2 - BHO: (no name) - {D33DFBEE-1962-2A02-A9AB-05CE2C3B90AD} - C:\WINDOWS\atlld32.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Verizon Online\Visual IP InSight\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Verizon Online\Visual IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.8\THGuard.exe"
O4 - HKLM\..\Run: [sdkuw32.exe] C:\WINDOWS\sdkuw32.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKLM\..\RunOnce: [apiux32.exe] C:\WINDOWS\system32\apiux32.exe
O4 - HKLM\..\RunOnce: [appyc.exe] C:\WINDOWS\appyc.exe
O4 - Startup: EzButton System.lnk = C:\Program Files\EzButton System V1.0\EzButton.exe
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Control Pad (HKLM)
O9 - Extra 'Tools' menuitem: Control Pad (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.averatec.com
O16 - DPF: ChatSpace Java Client 2.0.0.66 - http://chat.facethejury.com:8000/Java/cs4ms066.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/25539f9b23b081...ip/RdxIE601.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7761.6824305556
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll


Analysis:
Believe all the R0 and R1 entries have to go, except the following?:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online


Would believe this goodie goes also:
O2 - BHO: (no name) - {D33DFBEE-1962-2A02-A9AB-05CE2C3B90AD} - C:\WINDOWS\atlld32.dll

And these?:

O4 - HKLM\..\Run: [sdkuw32.exe] C:\WINDOWS\sdkuw32.exe
O4 - HKLM\..\RunOnce: [apiux32.exe] C:\WINDOWS\system32\apiux32.exe
O4 - HKLM\..\RunOnce: [appyc.exe] C:\WINDOWS\appyc.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Don't know yet if this is his ISP:
O14 - IERESET.INF: START_PAGE_URL=http://www.averatec.com

Appreciate your letting me know if the above analysis is correct, or if there are any other entries that need to go.

There might also be something lurking there that I do not recognize. :unsure:

Thanks again.
LoPhatPhuud
You have been infected with a new variant of CoolWebSearch.

Please take the following steps:

First, please enable viewing of hidden/system files per the instructions here: http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Using the Task Manager end the task on the following processes:
sdkuw32.exe
sysql.exe


Next, go to Start->Run and type "Services.msc" (without quotes) then hit OK.
Scroll down and find the service called "Network Security Service".
When you find it, double-click on it.
In the next window that opens, click the Stop button, then change the Startup Type to Disabled.
Now hit Apply and then OK and close any open windows.

Be sure to close all browser and explorer windows before continuing.

Run HijackThis and place a check mark next to the following items:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qsouw.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://qsouw.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://qsouw.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qsouw.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://qsouw.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\qsouw.dll/sp.html#96676

O2 - BHO: (no name) - {D33DFBEE-1962-2A02-A9AB-05CE2C3B90AD} - C:\WINDOWS\atlld32.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)

O4 - HKLM\..\Run: [sdkuw32.exe] C:\WINDOWS\sdkuw32.exe
O4 - HKLM\..\RunOnce: [apiux32.exe] C:\WINDOWS\system32\apiux32.exe
O4 - HKLM\..\RunOnce: [appyc.exe] C:\WINDOWS\appyc.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/25539f9b23b081...ip/RdxIE601.cab


Close all open windows except HiJackThis and Press 'Fix Checked'.

Exit HiJackThis.

Reboot into Safe Mode* and delete the following files:
C:\WINDOWS\qsouw.dll
C:\WINDOWS\atlld32.dll
C:\WINDOWS\sdkuw32.exe
C:\WINDOWS\system32\apiux32.exe
C:\WINDOWS\appyc.exe


Go to Start --> Run and enter 'regedit', press 'Enter'

Navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\__NS_Service_3
If __NS_Service_3 exists, right-click on it and choose Delete from the menu.

Now navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY___NS_Service_3
If LEGACY___NS_Service_3 exists, right-click on it and choose Delete from the menu.

Exit regedit, boot in Normal Mode.

Run HiJackThis again and post a new log in this thread.

* Boot into Safe Mode: http://service1.symantec.com/SUPPORT/tsgen...001052409420406
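The following is an added example, not code from this thread, from HijackThis, or from any tool named here. It parses HJT-style log lines and flags the patterns the reply above acts on: R0/R1 pages served out of a local DLL via res://, an unnamed BHO sitting in the Windows directory, a toolbar whose DLL is missing, Run/RunOnce keys named after their own executable, and IE policy restrictions. The rules and the `Finding` record are this example's own heuristics (assumptions, not a published rule set); the sample lines are a subset of the log posted above.

```python
# Added example (not from the thread or from HijackThis): a triage pass over
# HJT log lines that flags the entry types the reply above fixes. The
# heuristics below are this example's own assumptions about what looks wrong.
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: a subset of the log posted in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qsouw.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://qsouw.dll/index.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
O2 - BHO: (no name) - {D33DFBEE-1962-2A02-A9AB-05CE2C3B90AD} - C:\WINDOWS\atlld32.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [sdkuw32.exe] C:\WINDOWS\sdkuw32.exe
O4 - HKLM\..\RunOnce: [apiux32.exe] C:\WINDOWS\system32\apiux32.exe
O4 - HKLM\..\RunOnce: [appyc.exe] C:\WINDOWS\appyc.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O14 - IERESET.INF: START_PAGE_URL=http://www.averatec.com
"""

ENTRY_RE = re.compile(r"^(?P<section>R[0-3]|O\d{1,2}) - (?P<body>.*)$")
# Pulls the DLL name out of res://C:\WINDOWS\x.dll/... or res://x.dll/...
RES_DLL_RE = re.compile(r"res://(?:[A-Za-z]:\\[^/]*?\\)?(?P<dll>[^/\\]+\.dll)", re.I)
WINDOWS_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\winnt", r"c:\winnt\system32"}


@dataclass(frozen=True)
class Finding:
    section: str   # HJT section code (R0, O4, ...)
    reason: str    # why the entry was flagged
    artifact: str  # file, DLL or registry path an analyst should look at
    line: str      # the original log line


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def _parent(path: str) -> str:
    return path.rsplit("\\", 1)[0].lower() if "\\" in path else ""


def triage_hjt(log_text: str) -> List[Finding]:
    """Return one Finding per suspicious-looking HJT entry, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # headers, process list, blank lines
        section, body = m.group("section"), m.group("body")

        if section in ("R0", "R1") and " = " in body:
            value = body.split(" = ", 1)[1]
            if value.lower().startswith("res://"):
                dll = RES_DLL_RE.search(value)
                findings.append(Finding(section, "IE start/search page is served from a page embedded in a local DLL (res://)",
                                        dll.group("dll") if dll else value, line))
        elif section == "O2" and "(no name)" in body:
            path = body.split(" - ")[-1].strip()
            if _parent(path) in WINDOWS_DIRS:
                findings.append(Finding(section, "Unnamed BHO loaded straight from the Windows directory", path, line))
        elif section == "O3" and body.endswith("(file missing)"):
            path = body.rsplit(" - ", 1)[-1].replace(" (file missing)", "")
            findings.append(Finding(section, "Toolbar registration whose DLL no longer exists (dead entry)", path, line))
        elif section == "O4" and "\\..\\Run" in body:
            key, _, rest = body.partition(": ")         # rest = "[name] command"
            name_end = rest.find("] ")
            name, cmd = rest[1:name_end], rest[name_end + 2:]
            path = cmd[1:cmd.find('"', 1)] if cmd.startswith('"') else cmd.split(" ", 1)[0]
            reasons = []
            if name.lower() == _basename(path).lower():
                reasons.append("Run key named after its own executable")
            if key.endswith("RunOnce"):
                reasons.append("persistence via RunOnce, which installed software rarely leaves behind")
            if reasons:
                findings.append(Finding(section, "; ".join(reasons), path, line))
        elif section == "O6" and body.endswith(" present"):
            findings.append(Finding(section, "IE policy restrictions set (locks Start Page / Control Panel options)",
                                    body[: -len(" present")], line))
    return findings


def artifacts_to_inspect(findings: List[Finding]) -> List[str]:
    """Deduplicated list of binaries referenced by findings, for hash/AV review."""
    return sorted({f.artifact for f in findings if f.artifact.lower().endswith((".exe", ".dll"))})


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG):
        print(f"{f.section:<3} {f.reason}\n    -> {f.artifact}")
```

Legitimate entries such as `[IgfxTray] C:\WINDOWS\System32\igfxtray.exe` pass because the key name differs from the file name and the key is `Run`, not `RunOnce`; the three dropped binaries in the log trip both checks. Treat the output as a shortlist for review, not a removal list.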
Echolittlefellow
LoPhatPhuud,

Thank you very much for the reply.
Will pass on the info.

Enjoy taking a look at HJT logs and taking a shot at what is wrong with them. Yes, must need the brain examined, been retired for quite a while, and this sure keeps the mind going. However, you are the PROs!!

If you do not mind, have a question on the following, just for learning purposes:

"Next, go to Start->Run and type "Services.msc" (without quotes) then hit OK.
Scroll down and find the service called "Network Security Service".
When you find it, double-click on it.
In the next window that opens, click the Stop button, then change the Startup Type to Disabled.
Now hit Apply and then OK and close any open windows."

Is the Network Security Service something added to Windows Services by this CWS variant? Presume it is...

Thanks again for the help.
LoPhatPhuud
Yes, this exploit adds the Network Security Service as one means to keep itself on your computer. There are two files in C:\Windows\ or C:\Windows\System32\ that watch over each other and, I assume, have the ability to replicate the exploit if one part is removed.

Also, this exploit deletes files. Here are instructions for replacing them.

Two files were also deleted from your computer and need to be replaced.

Go here: http://www.spywareinfo.com/~merijn/winfiles.html#control and download the version of control.exe for your operating system. If you are running Windows 2000, copy it to c:\winnt\system32\. For Windows XP, copy it to c:\windows\system32\.

Download the Hoster from here: http://members.aol.com/toadbee/hoster.zip
Press 'Restore Original Hosts' and press 'OK'
Exit Program.

If you have Spybot S&D installed you will also need to replace one file.
Go here: http://www.spywareinfo.com/~merijn/winfiles.html#sdhelper and download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy).
Echolittlefellow
Thanks for the info!! ;)

On..."Also, this exploit deletes files. Here are instructions for replacing them,..."

Are the instructions what follows below for control.exe and the Hoster, or is there something else? Just want to make sure. Trying to help someone else with their PC.

Thanks again.
LoPhatPhuud
The exploit deleted control.exe and Hosts from the infected computer. If Spybot S&D was installed, it also deleted sdhelper.dll.

The links I posted are for replacement files and, in the case of the Hosts file, it will create a new one using the default MS values.

Hope this helps.
Echolittlefellow
OK, thanks!!