HijackThis log...CWS Trojan, Variants, and Parasites... Help?

Discussion in 'adware, spyware & hijack cleaning' started by Lars Larson, Feb 26, 2004.

Thread Status:
Not open for further replies.
  1. Lars Larson

    Lars Larson Registered Member

    Joined:
    Feb 26, 2004
    Posts:
    2
    Hi folks! A newbie here to the forums and boy have I got a mean critter in my system. Best I can tell it's the CWS Trojan and it reacts just as fast as I learn something new to battle it. Can't download CWShredder or PepiMK's SmartKiller, and most spyware sites are blocked or hang. I've got Ad-Aware, Spybot, HijackThis, Spyware Blaster, BHO Demon, File Checker, etc, etc, and Norton SystemWorks 2004. Been at this now for 3 or 4 weeks and can't push any more PC books or programs into my shrunken head. It's got my home PC to where I can't start Windows and my office PC keeps freezing or won't start because it lacks an internet connection. (I'm on broadband cable.) Some programs are obvious fakes, like Word, Yahoo, and MSN, etc. Haven't any experience with the registry and could use some advice or guidance. Any takers? Thanks...


    Logfile of HijackThis v1.97.7
    Scan saved at 6:25:31 AM, on 2/26/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\cisvc.exe
    C:\PROGRA~1\NORTON~2\NORTON~4\GHOSTS~2.EXE
    C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
    C:\PROGRA~1\NORTON~2\NORTON~3\NPROTECT.EXE
    C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
    C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    C:\PROGRA~1\NORTON~2\NORTON~3\SPEEDD~1\NOPDB.EXE
    C:\Program Files\PestPatrol\PPControl.exe
    C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\System32\wbem\wmiapsrv.exe
    C:\Program Files\Common Files\efax\Dllcmd32.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINDOWS\System32\dmadmin.exe
    C:\WINDOWS\System32\cidaemon.exe
    C:\LS-Docs 1-04\HijackThis\hijackthis-\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = C:\Program Files\Copernic 2001 Basic\Search Bar.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R3 - Default URLSearchHook is missing
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
    O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Program Files\PestPatrol\PPControl.exe
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
    O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
    O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
    O4 - Global Startup: Live Menu.lnk = C:\Program Files\Common Files\efax\Dllcmd32.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: Search Using Copernic - C:\Program Files\Copernic 2001 Basic\Search Extension.htm
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,55/mcinsctl.cab
    O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {638AF6A2-81A1-4655-9FFA-9FC09CDE22CF} (CScanner Object) - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37194.3871064815
     
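The log above is the kind of thing a helper reads by hand, entry by entry. As an added example that is not part of the post or of HijackThis itself, the script below parses the R/O entries of a v1.9x-style log into structured records and flags the ones worth looking at first: browser start/search pages and O16 ActiveX (DPF) downloads whose host is outside an analyst-chosen allowlist, an R3 line reporting the default URLSearchHook missing, and O4 autoruns launched from outside the Windows and Program Files trees. The sample log is excerpted from the posted log plus one constructed O4 line (the "example.exe" autorun) that exists only to exercise the path check; the allowlist and the path prefixes are assumptions for triage, and a hit means "review this", not "this is malicious".

```python
"""Triage helper for HijackThis v1.9x logs: parse R/O entries, flag review items.
Added example; not code from the forum post or from HijackThis."""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Excerpt of the posted log plus ONE constructed line: the O4 "[example]" autorun
# is not from the posted log and is here only to exercise the path check.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = C:\Program Files\Copernic 2001 Basic\Search Bar.htm
R3 - Default URLSearchHook is missing
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [example] C:\Documents and Settings\user\Local Settings\Temp\example.exe
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37194.3871064815
"""

LINE_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
URL_RE = re.compile(r"https?://\S+")
# Drive-letter path up to a closing quote, a " /switch", or end of line.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\n]*?(?=\s+/|"|$)')

# Analyst allowlist for R0/R1 and O16 hosts (assumption for triage, not a verdict
# on other hosts) and the directories an autorun is expected to live under.
TRUSTED_HOSTS = ("microsoft.com", "msn.com", "yahoo.com", "macromedia.com")
SYSTEM_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")


@dataclass
class Entry:
    section: str
    raw: str
    body: str
    clsid: Optional[str] = None
    url: Optional[str] = None
    host: Optional[str] = None
    path: Optional[str] = None


def parse_line(line: str) -> Optional[Entry]:
    """Turn one 'Rn - ...' / 'On - ...' line into an Entry; header lines give None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    e = Entry(section=m.group("section"), raw=line.strip(), body=m.group("body"))
    if (c := CLSID_RE.search(e.body)):
        e.clsid = c.group(0).upper()
    if (u := URL_RE.search(e.body)):
        e.url = u.group(0)
        e.host = urlparse(e.url).hostname
    if (p := PATH_RE.search(e.body)):
        e.path = p.group(0)
    return e


def parse_log(text: str) -> list:
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def host_trusted(host: Optional[str]) -> bool:
    return host is not None and any(
        host == h or host.endswith("." + h) for h in TRUSTED_HOSTS)


def flag(e: Entry) -> Optional[str]:
    """Reason this entry deserves a look, or None if it passes the triage rules."""
    if e.section in ("R0", "R1") and e.url and not host_trusted(e.host):
        return "browser start/search page points at a host outside the allowlist"
    if e.section == "R3" and "missing" in e.body.lower():
        return "default IE URLSearchHook not present; restore it and see whether it stays"
    if e.section == "O4" and e.path and not e.path.lower().startswith(SYSTEM_PREFIXES):
        return "autorun launches from outside the Windows/Program Files trees"
    if e.section == "O16" and e.url and not host_trusted(e.host):
        return "ActiveX (DPF) control downloaded from a host outside the allowlist"
    return None


def find_suspicious(entries: list) -> list:
    """Return (entry, reason) pairs in log order."""
    return [(e, r) for e in entries for r in [flag(e)] if r]


if __name__ == "__main__":
    for entry, reason in find_suspicious(parse_log(SAMPLE_LOG)):
        print(f"[{entry.section}] {reason}\n    {entry.raw}")
```

Run it and three entries come back: the R3 line, the constructed Temp-directory autorun, and the O16 download from www.xblock.com (flagged only because that host is not on the assumed allowlist). Tuning the allowlist and prefixes to the machine being examined is the analyst's job; the point of the parser is that CLSIDs, hosts and launch paths are pulled out once, so the same log can be rechecked after each cleanup pass instead of being reread by eye.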
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hi Lars,

    Can you try these links for CWShredder:
    http://www.wilderssecurity.com/attachments/cwshredder1510.zip
    http://www.computercops.biz/zx/phoenix22/cws.zip

    And can you tell us why you think it is CWS?

    Regards,

    Pieter
     
  3. Lars Larson

    Lars Larson Registered Member

    Joined:
    Feb 26, 2004
    Posts:
    2
    Hi Pieter,

    Thanks for responding to my plea for help. As I said earlier, I've been at this for weeks now and after posting, decided to poke around Wilders. I was able to link from Spybot into Wilders Forums, searched and found a new CWShredder update. Was able to download and run it, and came up clean. Been running spyware programs regularly for several days now so maybe it's been effective. I used both of the links you gave and with some effort was able to download and run them. Both came up clean.

    I recognized 8 or 10 variants listed in the CWShredder as ones I've had on both my office and/or home computer. Whether I successfully cleaned them and they are gone is anybody's guess. They keep mutating or re-installing. I've studied and printed out Merijn's whole site, and identified numerous parasites, BHOs, and some Trojans using every list I could find, i.e. Doxdesk, Sponge's Page, SpywareInfo.com, Tom Coyote, Pest Patrol, Broadband Reports, and many groups/forums. With a few hacker and PC books thrown in for good measure.

    Many of these parasites, BHOs, and variants are associated with the CoolWebSearch Trojan. (Alexa, Kazaa, Bargain Buddy, Rapid Blaster, Istbar, FavoriteMan, nCase, Pugi, Gator, DyFuCa, etc...) I also found files in my computers that matched log files of people in forums whose computers are infected with this Trojan. (Bootconf.exe, Pathfinder.dll, phobos.dll, etc.)

    At first it was just my browser being hijacked and lots of pop-ups. Now I have multiple dialers installed and hidden all over, and many remote access/network connections that just came out of nowhere. Am unable to open spyware or associated websites, and any kind of tech site either. The PC closes or freezes up and then won't let me log off or shut down. It hangs there and sometimes I have to unplug as it won't respond to the on/off button. Also getting lots of pop-up security windows asking for user name and password. (fake I think)

    After searching I've discovered numerous folders with files of personal information (old screen names, address, emails, journals, etc. and system configurations, settings, passwords, documents, etc.). These are neatly and discreetly located around my files and programs, often duplicate lists in another location. I neither made these files nor placed them in groups or lists.

    I suspect I've been hacked by someone. Maybe those three guys in Russia who are reputed to be behind the CWS Trojan... Sigh... Spybot keeps finding 22 invalid ActiveX entries, and Ad-aware catches 4 or 5 registry changes. Norton shows some interesting things in the system memory but I'm not sure how to read it yet. (back to the books) I'll stop now as this is becoming a novel. Thanks for your help.

    Regards, Lars
     
  4. Minera

    Minera Registered Member

    Joined:
    Oct 31, 2003
    Posts:
    42
    Location:
    Canada
    Lars,
    Have you tried going into safe mode and running all the virus scans?
    And disconnect your internet and try running all the programs again after reboot. o_O See if anything comes up??
    My guess is if anything is trying to load and can't get a connection it would check with the firewall. Maybe it would help weed out which programs are illicit.
     