HijackThis log...CWS Trojan, Variants, and Parasites... Help?

Discussion in 'adware, spyware & hijack cleaning' started by Lars Larson, Feb 26, 2004.

Thread Status:
Not open for further replies.
  1. Lars Larson

    Lars Larson Registered Member

    Feb 26, 2004
    Hi folks! A newbie here to the forums and boy have I got a mean critter in my system. Best I can tell it's the CWS Trojan and it reacts just as fast as I learn something new to battle it. Can't download CWShredder or PepiMK's SmartKiller, and most spyware sites are blocked or hang. I've got Ad-Aware, Spybot, HijackThis, Spyware Blaster, BHO Demon, File Checker, etc, etc, and Norton SystemWorks 2004. Been at this now for 3 or 4 weeks and can't push anymore PC books or programs into my shrunken head. It's got my home PC to where I can't start Windows and my office PC keeps freezing or won't start because it lacks an internet connection. (I'm on Broadband cable) Some programs are obvious fakes, like Word, Yahoo, and MSN, etc. Haven't any experience with the registry and could use some advice or guidance. Any Takers? Thanks...

    Logfile of HijackThis v1.97.7
    Scan saved at 6:25:31 AM, on 2/26/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
    C:\Program Files\PestPatrol\PPControl.exe
    C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
    C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Common Files\efax\Dllcmd32.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\LS-Docs 1-04\HijackThis\hijackthis-\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = C:\Program Files\Copernic 2001 Basic\Search Bar.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R3 - Default URLSearchHook is missing
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
    O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Program Files\PestPatrol\PPControl.exe
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
    O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
    O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
    O4 - Global Startup: Live Menu.lnk = C:\Program Files\Common Files\efax\Dllcmd32.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: Search Using Copernic - C:\Program Files\Copernic 2001 Basic\Search Extension.htm
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,55/mcinsctl.cab
    O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {638AF6A2-81A1-4655-9FFA-9FC09CDE22CF} (CScanner Object) - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37194.3871064815
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Apr 27, 2002
    Hi Lars,

    Can you try these links for CWShredder:

    And can you tell us why you think it is CWS?


  3. Lars Larson

    Lars Larson Registered Member

    Feb 26, 2004
    Hi Pieter,

    Thanks for responding to my plea for help. As I said earlier, I've been at this for weeks now and after posting, decided to poke around Wilders. I was able to link from Spybot into Wilders Forums, searched and found a new CWShredder Update. Was able to download and run it, and came up clean. Been running spyware programs regularly for several days now so maybe its been effective. I used both of the links you gave and with some effort was able to download and run them. Both came up clean.

    I recognized 8 or 10 variants listed in the CWShredder as ones I've had on both my office and/or home computer. Whether I successfully cleaned them and they are gone is anybody's guess. They keep mutating or re-installing. I've studied and printed out Merijn's whole site, and identified numerous Parasites, BHO's, and some Trojan's using every list I could find. ie/ Doxdesk, Sponge's Page, Spyware Info.com, Tom Coyote, Pest Patrol, Broadband Reports, and many groups/forums. With a few hacker and PC books thrown in for good measure.

    Many of these Parasites, BHO's, and variants being associated with CoolWebSearch Trojan. (Alexa, Kazaa, Bargain Buddy, Rapid Blaster, Istbar, FavoriteMan, nCase, Pugi, Gator, DyFuCa, etc...) I also found files in my computers that matched log files of people in forums whose computers are infected with this Trojan. (Bootconf.exe, Pathfinder.dll, phobos.dll, etc.)

    At first it was just my browser being hijacked and lots of pop-ups. Now I have multiple dialers installed and hidden all over, and many remote access/network connections that just came out of nowhere. Am unable to open spyware or associated websites, and any kind of tech site either. The PC closes or freezes up and then won't let me log off or shut down. It hangs there and sometimes I have to unplug as it won't respond to the on/off button. Also getting lots of pop-up security windows asking for user name and password. (fake I think)

    After searching I've discovered numerous folders with files of personal information, (old screen names, address, emails, journals, etc. and system configurations, settings, passwords, documents, etc.) These are neatly and discretely located around my files and programs, often duplicate lists in another location. I neither made these files nor placed them in groups or lists.

    I suspect I've been hacked by someone. Maybe those three guys in Russia who are reputed to be behind the CWS Trojan... Sigh... Spybot keeps finding 22 invalid ActiveX entries, and Ad-aware catches 4 or 5 registry changes. Norton shows some interesting things in the system memory but I'm not sure how to read it yet. (back to the books) I'll stop now as this is becoming a novel. Thanks for your help.

    Regards, Lars
  4. Minera

    Minera Registered Member

    Oct 31, 2003
    Have you tried going into safemode and running all the virus scans?
    and disconnect your internet and try running all the programs again after rebooto_O See if anything comes up??
    My guess is if anything is trying to load and can't get a connection it would check with the firewall. Maybe it would help weed out which programs are
Thread Status:
Not open for further replies.