CoolWebSearch variant

Discussion in 'adware, spyware & hijack cleaning' started by forty_ounceCaslt25, May 2, 2004.

Thread Status:
Not open for further replies.
  1. forty_ounceCaslt25

    forty_ounceCaslt25 Registered Member

    Joined:
    May 2, 2004
    Posts:
    4
    Hello everyone,
    I have just been infected with a CoolWebSearch variant known as Searchx. It changes my home page to about:blank, only it is a search directory. I have had problems with CoolWebSearch in the past and this time, thr trojan is twice as hard to remove. Here is my logfile of HijackThis. HOWEVER, I have just removed some files that I think dealt with Searchx. I'm SURE it will come back so when it does, I will post that logfile.

    Thanks,
    Evan
    Logfile of HijackThis v1.97.7
    Scan saved at 11:05:29 AM, on 5/2/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe
    C:\PROGRA~1\MP3ABO~1\body start.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\SPYWAR~1\SpywareKilla.exe
    C:\Program Files\America Online 9.0\aoltray.exe
    C:\Program Files\Microsoft Broadband Networking\network_settings\MSBNTray.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\evan\Desktop\Spyware, Trojan stuff\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: TX4 - {00000000-0033-C1AC-0E62-0C1F0537605D} - C:\WINDOWS\System32\aviwrap32.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: (no name) - {8848B1A1-FCDE-49E3-ACCC-55E9062DD2CF} - (no file)
    O2 - BHO: SafeGuard Popup Blocker - {B824E7B0-E8E3-4D75-895E-2C309EA4CC5D} - C:\Program Files\SafeGuard Popup Blocker Pro\SGPopupBlocker.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [DM_Server] C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe /onreboot
    O4 - HKLM\..\Run: [BlueShim] C:\PROGRA~1\MP3ABO~1\body start.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [SpywareKilla] "C:\PROGRA~1\SPYWAR~1\SpywareKilla.exe" /s
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
    O8 - Extra context menu item: &KewlBar Search - res://C:\Program Files\KewlBar 5.0\toolbar.dll/SEARCH.HTML
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra 'Tools' menuitem: Popup Blocker Options (HKLM)
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
     
  2. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    Hi forty_ounceCaslt25,

    Welcome to Wilders!

    When the problem comes back, do NOT fix anything yet. Post a new HJT log and we will go from there.

    Regards,
    Kent
     
  3. forty_ounceCaslt25

    forty_ounceCaslt25 Registered Member

    Joined:
    May 2, 2004
    Posts:
    4
    OK,
    The CWS trojan horse has come back. I noticed that everytime it does, it has different .dll file names. I think that there is a file that duplicates it :doubt:
    Anyway, here is my logfile:

    Logfile of HijackThis v1.97.7
    Scan saved at 6:44:40 AM, on 5/3/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe
    C:\PROGRA~1\MP3ABO~1\body start.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\America Online 9.0\aoltray.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\iShareIt\ishareit.exe
    C:\Documents and Settings\evan\Desktop\Spyware, Trojan stuff\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\iemkba.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\iemkba.dll/sp.html (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\iemkba.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\iemkba.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\iemkba.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\iemkba.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: TX4 - {00000000-0033-C1AC-0E62-0C1F0537605D} - C:\WINDOWS\System32\aviwrap32.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: (no name) - {8848B1A1-FCDE-49E3-ACCC-55E9062DD2CF} - (no file)
    O2 - BHO: (no name) - {B5025AB1-6C76-4A01-AC44-79E51473D5C4} - C:\WINDOWS\System32\iemkba.dll
    O2 - BHO: SafeGuard Popup Blocker - {B824E7B0-E8E3-4D75-895E-2C309EA4CC5D} - C:\Program Files\SafeGuard Popup Blocker Pro\SGPopupBlocker.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [DM_Server] C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe /onreboot
    O4 - HKLM\..\Run: [BlueShim] C:\PROGRA~1\MP3ABO~1\body start.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\Run: [McRegWiz] c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [SpywareKilla] "C:\PROGRA~1\SPYWAR~1\SpywareKilla.exe" /s
    O4 - Startup: SG scheduler.lnk = ?
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra 'Tools' menuitem: Popup Blocker Options (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://www.google.com
    O14 - IERESET.INF: MS_START_PAGE_URL=http://www.google.com
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe

    Thanks a lot,
    Evan
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi forty_ounceCaslt25,

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\iemkba.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\iemkba.dll/sp.html (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\iemkba.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\iemkba.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\iemkba.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\iemkba.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: TX4 - {00000000-0033-C1AC-0E62-0C1F0537605D} - C:\WINDOWS\System32\aviwrap32.dll

    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: (no name) - {8848B1A1-FCDE-49E3-ACCC-55E9062DD2CF} - (no file)
    O2 - BHO: (no name) - {B5025AB1-6C76-4A01-AC44-79E51473D5C4} - C:\WINDOWS\System32\iemkba.dll
    O2 - BHO: SafeGuard Popup Blocker - {B824E7B0-E8E3-4D75-895E-2C309EA4CC5D} - C:\Program Files\SafeGuard Popup Blocker Pro\SGPopupBlocker.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

    O4 - HKLM\..\Run: [DM_Server] C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe /onreboot
    O4 - HKLM\..\Run: [BlueShim] C:\PROGRA~1\MP3ABO~1\body start.exe

    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"

    Then download RegLiet from:
    http://www.resplendence.com/registry/reglite.htm

    -Run reglite and go to :
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

    -Rename the Folder Windows
    to NotWindows highlighted as a purple folder
    in the left hand pane of reglite.

    -Click "AppInit_DLLs" again and clear the data value:
    C:\WINDOWS\System32\xxxxxx.dll <- delete this line ,
    'Apply' and 'ok' to set.
    Write down the name of the dll, since you will need that later on.

    -Rename the NotWindows folder back to its original name (Windows)

    -Restart computer and delete:
    C:\Program Files\AutoUpdate <= entire folder
    C:\Program Files\MP3ABO~1 <= the entire folder that holds body start.exe
    C:\Program Files\COMET SYSTEMs <= entire folder
    C:\Program Files\SafeGuard Popup Blocker Pro <= entire folder

    Go to your root drive: C:\ And create a new folder.
    Name it: "junk"

    Unzip and run WinFile.zip
    Expand and navigate to System32 folder.
    You need to navigate by Double clicking to expand.

    In the last part you need to use the filename you noted in stead of xxxxxx.dll

    When in System32 click top menu: File>Select files
    Copy and paste to the box:
    xxxxxx.dll hit select-
    Find and hilite that file.
    Next in top menu>Security>permissions,
    tell us what is listed there for that file.
    Also check the 'owner' tab

    Lastly, try this: Menu -File>move...
    In From: Copy/paste:
    C:\WINDOWS\System32\xxxxxx.dll
    To: Copy and paste:
    C:\junk\xxxxxx.dll
    And hit ok.
    Close Winfile and check in C:\junk for that file.
    No further action is needed yet...

    Post back results for now.

    Regards,

    Pieter
     
  5. forty_ounceCaslt25

    forty_ounceCaslt25 Registered Member

    Joined:
    May 2, 2004
    Posts:
    4
    Hello,
    Thanks A LOT for posting that fast. I just posted that about 30 minutes ago. I will give that a shot and let you know what happens :) .

    Thanks again,
    Evan
     
  6. forty_ounceCaslt25

    forty_ounceCaslt25 Registered Member

    Joined:
    May 2, 2004
    Posts:
    4
    OK,
    I did everything that you told me too. I deleted all the files you told me to, and I moved xxxxx.dll in to my 'junk' folder. By the way, the file was named logibb.dll. However, when I moved it to the 'junk' folder, it was not there. I clicked on the properties of 'junk' and it said "0 bytes."
    Anyway, when i checked the security and permissions of logibb.dll, it said it had "special access" and could be accessed by anyone. It also said that I was the owner :doubt: .
    Well, that's about it.
    Thanks a lot :) ,
    Evan
     
Thread Status:
Not open for further replies.