CWS: MadFinder :: I'm almost desperate about this one...

Discussion in 'adware, spyware & hijack cleaning' started by dream-weaver, May 4, 2004.

Thread Status:
Not open for further replies.
  1. dream-weaver

    dream-weaver Registered Member

    Joined:
    May 4, 2004
    Posts:
    5
    hey,

    Really hope that someone could give me a hand on this one...
    Usually, most of the problems I encounter are already pretty much
    solved by a simple, or a little more complex google search.

    Well, I've been searching for days for the answer for this one,
    removed pretty much almost everything that was in my HijackThis log :doubt:,
    and still this madfinder keeps appearing with every reboot.

    This is how it goes:
    About 2 weeks ago I visited some site, where those bastards put
    an enormous amount of pop-up windows, and also some message boxes
    asking some question with only "ok" as the option. There were so many
    of them, that by trying madly to close 'em all up, I accidentally pushed the
    OK button once :doubt:

    I think this is the source of all my problems which follow. After I rebooted
    my computer I had all kinds of spyware: google search looking quite different
    with fake results, endless pop-ups, etc. Also, my computer has started working much slower, especially right after restart when it loads.

    I went to google this problem, found lots of threads, including the one which is in this forum: CWS continuously comes back after cleaning ( https://www.wilderssecurity.com/archive/index.php/t-29563 )
    It looked so much like my problem, so I did what was suggested there.

    It DOES clean up your system. But only for a little while... I sincerely hope that I'm wrong about this one, but I think that tyfris will pay us another visit. This spyware is by far the nastiest I've ever encountered, and this is why:

    After I used CWShredder to remove some spyware, and also removed all ms****.dll entries from the HijackThis log, I rebooted. It was gone! I then continued working, forgetting all about this. Later on, after a few restarts, it comes back again! I ran CWShredder again and removed it. Again, a few restarts, no spyware, and again CWS:Madfinder appears, and every time it happens it also brings another RANDOM spyware with it. Sometimes it's SearchX, sometimes it's ClientMan.

    It has to download it from somewhere I guess, 'cause I could swear that I've already deleted all this scum from my computer. Question is, what is this elusive process that does it on restart? I looked at my Alt-Ctrl-Del, and found nothing suspicious. Maybe you can aid on this one:

    ----------------------------------------------------------------

    Logfile of HijackThis v1.97.7
    Scan saved at 01:36:46, on 04/05/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Babylon\Babylon.exe
    C:\Wincmd\TOTALCMD.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\mdm.exe
    C:\Downloads\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.il
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.il
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\NDetect.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Babylon Translator] C:\Program Files\Babylon\Babylon.exe
    O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: הורד באמצעות פלאש-גט - C:\PROGRA~1\FlashGet\jc_link.htm
    O8 - Extra context menu item: הורד הכל באמצעות פלאש-גט - C:\PROGRA~1\FlashGet\jc_all.htm
    O9 - Extra button: ICQ (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: מחקר (HKLM)
    O9 - Extra button: FlashGet (HKLM)
    O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{886D8C13-588E-4A10-B5F9-254F57204F16}: NameServer = 82.80.247.241 82.80.247.242

    --------------------------------------------------------------------

    As you can see, not much here. I was so angry about this that I removed almost all my startup programs to exterminate this infection :mad: . And still, it remains.

    I would really really appreciate some help on this one!
     
  2. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
  3. dream-weaver

    dream-weaver Registered Member

    Joined:
    May 4, 2004
    Posts:
    5
    thanks for reply.

    OK...

    I followed the link, ran the proggie. It gives me the file "file.txt",
    and it's empty...

    I also tried doing a manual scan for this specified string "hookxx" in my
    system folder. Nothing found...

    I've been thinking of possibilities to this one: Is it possible that by pressing the "OK" button on the pop-up, I granted a specific site the right to install unlimited software on my computer without my authorization?
     
  4. dream-weaver

    dream-weaver Registered Member

    Joined:
    May 4, 2004
    Posts:
    5
    I rebooted my computer, and CWS:MadFinder is here again.

    This is the log, before I CWShredd it:

    Logfile of HijackThis v1.97.7
    Scan saved at 04:39:16, on 04/05/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Babylon\Babylon.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Wincmd\TOTALCMD.EXE
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\mdm.exe
    C:\Downloads\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.il/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.il
    O2 - BHO: (no name) - {00A0A40C-F432-4C59-BA11-B25D142C7AB7} - C:\WINDOWS\System32\mskceo.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {0982868C-47F0-4EFB-A664-C7B0B1015808} - C:\WINDOWS\System32\mskhhe.dll
    O2 - BHO: (no name) - {0BA1C6EB-D062-4E37-9DB5-B07743276324} - C:\WINDOWS\System32\msdaim.dll
    O2 - BHO: (no name) - {25F7FA20-3FC3-11D7-B487-00D05990014C} - C:\WINDOWS\System32\mskpkc.dll
    O2 - BHO: (no name) - {447160CD-ECF5-4EA2-8A8A-1F70CA363F85} - C:\WINDOWS\System32\msibkd.dll
    O2 - BHO: (no name) - {94927A13-4AAA-476A-989D-392456427688} - C:\WINDOWS\System32\msjfbl.dll
    O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {CC916B4B-BE44-4026-A19D-8C74BBD23361} - C:\WINDOWS\System32\msedah.dll
    O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - C:\WINDOWS\System32\msnkmi.dll
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\NDetect.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Babylon Translator] C:\Program Files\Babylon\Babylon.exe
    O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msgked.exe
    O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: הורד באמצעות פלאש-גט - C:\PROGRA~1\FlashGet\jc_link.htm
    O8 - Extra context menu item: הורד הכל באמצעות פלאש-גט - C:\PROGRA~1\FlashGet\jc_all.htm
    O9 - Extra button: ICQ (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: מחקר (HKLM)
    O9 - Extra button: FlashGet (HKLM)
    O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{886D8C13-588E-4A10-B5F9-254F57204F16}: NameServer = 192.115.106.31 62.219.186.7

    ------------------------------------------------------------------

    8 new scum ms****.dll entries, one new msgked.dll (name doesn't change) entry. When I reboot, it takes much more time to load, and one other thing which I noticed: I'm using Norton AntiVirus, and during the restart process it stays disabled for some time (I guess this is when the spyware is being reinstalled). At that time I am NOT connected to the internet, so I'm pretty much sure all those new dlls originate from somewhere on the computer...

    Anything else that I can do, before I run CWShredder again?
     
  5. dream-weaver

    dream-weaver Registered Member

    Joined:
    May 4, 2004
    Posts:
    5
    and here's the find-all log:

    Possible bad file(s) found... (locked)
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "DeviceNotSelectedTimeout"="15"
    "GDIProcessHandleQuota"=dword:00002710
    "Spooler"="yes"
    "swapdisk"=""
    "TransmissionRetryTimeout"="90"
    "USERProcessHandleQuota"=dword:00002710
    "AppInit_DLLs1"=""

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    @=""

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00A0A40C-F432-4C59-BA11-B25D142C7AB7}]
    "LastPop"="38111.2044351389"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0982868C-47F0-4EFB-A664-C7B0B1015808}]
    "Ignore"="ebay.com,odysseusmarketing.com,messagebroadcaster.net,
    refer-a-website.com,mega-shopping.biz,searchassistant.net,essential-free-downloads.com,downloads-for-free.com,
    sweepstakes-hq.com,kazanon.com,world-portal.com"
    "Update"="38117"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0BA1C6EB-D062-4E37-9DB5-B07743276324}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{25F7FA20-3FC3-11D7-B487-00D05990014C}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{447160CD-ECF5-4EA2-8A8A-1F70CA363F85}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{94927A13-4AAA-476A-989D-392456427688}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A5366673-E8CA-11D3-9CD9-0090271D075B}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
    @="NAV Helper"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CC916B4B-BE44-4026-A19D-8C74BBD23361}]
    "Server"="http://odysseusmarketing.com/meta"
    "Ignore"="online-meds.ws,information.com,7search.com,clickbank.net,essential-free-downloads.com,sweepstakes-hq.com,downloads-for-free.com,onlineinternetpharmacy.com,essential-free-downloads.com,sweepstakes-hq.com,computercashcow.com,
    refer-a-website.com,sextoysex.com,odysseytickets.com, dvdsqueeze.com,1800patches.com,gozingcellular.com,unitedvending.net, nextisle.com,world-portal.com,yahoo.com,messagebroadcaster.net, searchassistant.net,odysseusmarketing.com,smilescoffee.com, gozing.com,800patches.com,ascentive.com,1ink.com,nextaisle. com,no-pops.com,next-aisle.com,searchcactus.com,kazanon.com, mega-shopping.biz,eharmony.com"
    "Update"="38113"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FCADDC14-BD46-408A-9842-CDBE1C6D37EB}]
    "Server"="http://odysseusmarketing.com/walt/"
    "Ignore"="online-meds.ws,7search.com,information.com,prescriptions-r-us.biz,odysseusmarketing.com,messagebroadcaster.net,refer-a-website.com,essential-free-downloads.com,downloads-for-free.com,sweepstakes-hq.com,kazanon.com,odysseytickets.com,searchfeed.com,next-aisle.com,nextaisle.com,nextisle.com,searchassistant.net,mega-shopping.biz,expedia.com,hotels.com,orbitz.com,travelocity.com, priceline.com,earthlink.com,nextaisle.com,next-aisle.com,1stblaze.com,ebay.com,amazon.com, aol.com,yahoo.com,hotmail.com,msn.com,google.com,yahoo.com,paypal.com,cnn.com,world-portal.com,ticketmaster.com, microsoft.com,buy.com,passport.net,go.com,msnbc.com, netscape.com,nytimes.com,usatoday.com,weather.com,excite.com, lycos.com,mapquest.com,washingtonpost.com,att.net,attbi.com, comcast.com, foxnews.com,comcast.net,netzero. net,juno.com,bigfoot.com,searchassistant.net,searchfeed.com, messagebroadcaster.net,kazanon.com,odysseusmarketing.com"
    "Update"="38111"

    REGEDIT4

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
    @="AP Class Install Handler filter"
    "CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
    @="AP Deflate Encoding/Decoding Filter "
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
    @="AP GZIP Encoding/Decoding Filter "
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
    @="AP lzdhtml encoding/decoding Filter"
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
    @="SearchRepPP Class"
    "CLSID"="{CC905FF6-B553-496C-9DFA-CFF65ADCD0FC}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
    @="WebView MIME Filter"
    "CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/xml]
    "CLSID"="{807553E5-5146-11D5-A672-00B0D022E945}"


    There are a few things here that don't seem right...
     
    Last edited by a moderator: May 4, 2004
  6. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    To see if we can prevent the CWS hijackers reinfecting you, try this:
    A workaround seems to be to install a good firewall (lists here: http://www.wilders.org/firewalls.htm ) if you haven't already got one, and block these ranges of ports, both incoming and outgoing: 209.66.114.0-209.66.115.255, 81.211.105.0-81.211.105.255 and 213.159.117.0-213.159.118.255.
    That stops the known CWS servers responding, or the hidden files on your computer updating. This works sometimes but not always, but it's a help. The problem with this approach is that some good sites might also be blocked.

    First download CWshredder from http://www.thespykiller.co.uk

    boot into safe mode by following instructions here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
    then as some of the files or folders you need to delete may be hidden do this:
    Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"

    Run hijackthis, tick these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked

    O2 - BHO: (no name) - {00A0A40C-F432-4C59-BA11-B25D142C7AB7} - C:\WINDOWS\System32\mskceo.dll
    O2 - BHO: (no name) - {0982868C-47F0-4EFB-A664-C7B0B1015808} - C:\WINDOWS\System32\mskhhe.dll
    O2 - BHO: (no name) - {0BA1C6EB-D062-4E37-9DB5-B07743276324} - C:\WINDOWS\System32\msdaim.dll
    O2 - BHO: (no name) - {25F7FA20-3FC3-11D7-B487-00D05990014C} - C:\WINDOWS\System32\mskpkc.dll
    O2 - BHO: (no name) - {447160CD-ECF5-4EA2-8A8A-1F70CA363F85} - C:\WINDOWS\System32\msibkd.dll
    O2 - BHO: (no name) - {94927A13-4AAA-476A-989D-392456427688} - C:\WINDOWS\System32\msjfbl.dll
    O2 - BHO: (no name) - {CC916B4B-BE44-4026-A19D-8C74BBD23361} - C:\WINDOWS\System32\msedah.dll
    O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - C:\WINDOWS\System32\msnkmi.dll
    O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msgked.exe

    Delete these files

    C:\WINDOWS\System32\msgked.exe

    I also strongly suggest uninstalling flashget which is a spyware application in itself


    Now run CWShredder
    Close all browser windows, click on the cwshredder.exe then click "FIX" (Not "Scan only") and let it do its thing.


    Reboot After running cwshredder and as soon as possible follow this advice:
    Now as CWS Hijacks are normally installed via the byte verifier exploit in M$ JavaVM, just surfing a page with an infected applet can install it with no user participation. So once you’ve run the above, it is vital that you go here, click Scan for updates in the main frame, and download and install all CRITICAL updates recommended.

    then
    Reboot normally & post a new hijackthis log where the O4 entry for jushed32.exe will appear so we can remove it



    Download and unzip or install these programs/applications if you haven't already got them. If you have them, then make sure they are updated and configured as described

    Spybot - Search & Destroy from http://security.kolla.de
    AdAware 6 from http://www.lavasoft.de/support/download


    Run Spybot S&D

    After installing, first press Online, press search for updates, then tick the updates it finds, then press download updates. Beside the download button is a little down pointed arrow, select one of the servers listed. If it doesn't work or you get an error message then try a different server

    Next, close all Internet Explorer and OE windows, press 'Check for Problems', and have SpyBot remove all it finds that is marked in RED.

    then reboot &

    Run ADAWARE

    Before you scan with AdAware, check for updates of the reference file by using the "webupdate".
    the current ref file should read at least 01R302 03.05.2004 or a higher number/later date

    Then ........

    Make sure the following settings are made and on -------"ON=GREEN"
    From main window :Click "Start" then " Activate in-depth scan"

    then......

    click "Use custom scanning options>Customize" and have these options on: "Scan within archives" ,"Scan active processes","Scan registry", "Deep scan registry" ,"Scan my IE Favorites for banned URL" and "Scan my host-files"

    then.........

    go to settings(the gear on top of AdAware)>Tweak>Scanning engine and tick "Unload recognized processes during scanning" ...........then........"Cleaning engine" and "Let windows remove files in use at next reboot"

    then...... click "proceed" to save your settings.

    Now to scan it's just to click the "Scan" button.

    When the scan is finished, mark everything for removal and get rid of it. (Right-click the window and choose "select all" from the drop down menu) then press next and then say yes to the prompt, do you want to remove all these entries.

    reboot again

    then post a new hijackthis log to check what is left
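The comparison the posts above do by hand (a clean HijackThis log against a reinfected one, then picking out the no-name O2 BHO and O4 Run entries that load random ms????.dll / ms????.exe files from System32) can be scripted. This is an added example, not code from this thread or from HijackThis; the two log excerpts are constructed from the logs posted above, and the RANDOM_MS_RE naming heuristic and KNOWN_OK allowlist are my own assumptions.

```python
import re
from typing import Dict, List

# Constructed excerpts modelled on the two HijackThis v1.97.7 logs posted in
# this thread (header and process list shortened; CLSIDs and file names are
# the ones that appear in the logs above).
CLEAN_LOG = r"""
Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{886D8C13-588E-4A10-B5F9-254F57204F16}: NameServer = 82.80.247.241 82.80.247.242
"""

REINFECTED_LOG = r"""
Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: (no name) - {00A0A40C-F432-4C59-BA11-B25D142C7AB7} - C:\WINDOWS\System32\mskceo.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0982868C-47F0-4EFB-A664-C7B0B1015808} - C:\WINDOWS\System32\mskhhe.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msgked.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{886D8C13-588E-4A10-B5F9-254F57204F16}: NameServer = 192.115.106.31 62.219.186.7
"""

# A HijackThis finding line: section id (R0, O2, O4, O17, ...), " - ", then the entry.
ENTRY_RE = re.compile(r"^(R\d|O\d{1,2}) - (.+)$")

# Assumed heuristic for the reinfection pattern seen in this thread: a binary in
# System32 named "ms" plus four random letters (mskceo.dll, msgked.exe, ...).
# It is a naming heuristic, not a signature; KNOWN_OK lists legitimate Microsoft
# names that happen to have the same shape.
RANDOM_MS_RE = re.compile(r"\\system32\\ms[a-z]{4}\.(?:dll|exe)$", re.IGNORECASE)
KNOWN_OK = {"msmsgs.exe", "mshtml.dll"}


def parse_hjt(text: str) -> Dict[str, List[str]]:
    """Group the R*/O* finding lines of a HijackThis log by section id,
    ignoring the header and the 'Running processes' list."""
    sections: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            sections.setdefault(m.group(1), []).append(m.group(2))
    return sections


def looks_like_cws_drop(entry: str) -> bool:
    """True when the entry loads a random ms????.dll/.exe from System32."""
    m = RANDOM_MS_RE.search(entry)
    if not m:
        return False
    filename = m.group(0).rsplit("\\", 1)[-1].lower()
    return filename not in KNOWN_OK


def diff_logs(baseline: str, current: str) -> Dict[str, List[str]]:
    """Compare a known-clean log with a later one. Returns the entries that are
    new, the O17 DNS entries whose servers changed, and the subset of new
    entries matching the drop pattern (the lines to tick in HijackThis)."""
    before, after = parse_hjt(baseline), parse_hjt(current)
    seen = {f"{sec} - {e}" for sec, entries in before.items() for e in entries}
    old_dns_keys = {e.split(":", 1)[0] for e in before.get("O17", [])}
    report: Dict[str, List[str]] = {"new": [], "changed": [], "flagged": []}
    for section, entries in after.items():
        for entry in entries:
            line = f"{section} - {entry}"
            if line in seen:
                continue
            # O17 keys are rewritten in place: same interface GUID, new servers.
            if section == "O17" and entry.split(":", 1)[0] in old_dns_keys:
                report["changed"].append(line)
            else:
                report["new"].append(line)
            if looks_like_cws_drop(entry):
                report["flagged"].append(line)
    return report


if __name__ == "__main__":
    for kind, lines in diff_logs(CLEAN_LOG, REINFECTED_LOG).items():
        print(f"== {kind} ({len(lines)})")
        for line in lines:
            print("  " + line)
```

The "changed" O17 line is reported separately because a new NameServer value can be an ISP change as easily as a hijack; it is something to review, not an automatic fix.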
     
  7. dream-weaver

    dream-weaver Registered Member

    Joined:
    May 4, 2004
    Posts:
    5
    ok... I think there is some progress...

    I went into safemode, and ran CWShredder. Both MadFinder and SearchX were found, as usual. It removed it successfully.
    As for msgked.exe, If I haven't mentioned it before, I had this file in my system folder only ONCE. I deleted it then, a week ago, and it never re-appeared there, only the registry key time and time again.

    I update my windows regularly, and especially the past few days, cause of the spyware issue and the new lsass exploit.

    Didn't quite understand about the jushed32 file, I don't remember seeing it in the log, and it's not there now also...

    After that, while still in safemode, I decided to use all tools available, and recommended by you, to scan the hard-drive.

    I first used AdAware which didn't give much, except for a few registry entries.
    After that I tried Webroot's SpySweeper. It did a much better job, finding lots of cookies, and especially these 2 files in my temporary internet files:

    c:\documents and settings\dream-weaver\local settings\temporary internet files\content.ie5\d7e9bes2\2in1[1].dll
    c:\documents and settings\dream-weaver\local settings\temp\~dfac8b.tmp

    First one was recognized as ClientMan, second one was recognized as Gator...

    After that, I used SpyBot, which was new to me. It DID find a lot of entries:

    DSO Exploit: Data source object exploit (Registry change, nothing done)
    HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004=W=3

    DSO Exploit: Data source object exploit (Registry change, nothing done)
    HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004=W=3

    DSO Exploit: Data source object exploit (Registry change, nothing done)
    HKEY_USERS\S-1-5-21-220523388-113007714-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004=W=3

    DSO Exploit: Data source object exploit (Registry change, nothing done)
    HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004=W=3

    DSO Exploit: Data source object exploit (Registry change, nothing done)
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004=W=3

    MediaPlex: Tracking cookie or cookie of tracking site (File, nothing done)
    C:\Documents and Settings\dream-weaver\Cookies\dream-weaver@mediaplex[1].txt

    Windows Media Player: Client ID (Registry change, nothing done)
    HKEY_USERS\S-1-5-20\Software\Microsoft\MediaPlayer\Player\Settings\Client ID=

    Windows Media Player: Client ID (Registry change, nothing done)
    HKEY_USERS\S-1-5-19\Software\Microsoft\MediaPlayer\Player\Settings\Client ID=

    I'm not sure why I had these exploits, if I update my Windows regularly, but whatever, it's M$ after all :-|
    SpyBot also found 3 registry references to ClientMan which I've never seen yet. Those are:

    HKEY_CLASSES_ROOT \ Dnsrep.DnsRepObj
    HKEY_CLASSES_ROOT \ Dnsrep.DnsRepObj.1


    The third one of these references couldn't be removed (in safemode) and it asked for a restart.


    Anyway... now after I restarted my system, it didn't hang as it usually does. The AntiVirus was enabled, and as for this restart, no new CWS is present atm...

    I'll go and do a few more restarts to be sure. Still, looking much better!

    HijackThis Log:

    Logfile of HijackThis v1.97.7
    Scan saved at 07:40:15, on 04/05/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Babylon\Babylon.exe
    C:\Wincmd\TOTALCMD.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\mdm.exe
    C:\Program Files\ICQ\ICQ.exe
    C:\Downloads\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.il/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.il
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\NDetect.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Babylon Translator] C:\Program Files\Babylon\Babylon.exe
    O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: הורד באמצעות פלאש-גט - C:\PROGRA~1\FlashGet\jc_link.htm
    O8 - Extra context menu item: הורד הכל באמצעות פלאש-גט - C:\PROGRA~1\FlashGet\jc_all.htm
    O9 - Extra button: ICQ (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: מחקר (HKLM)
    O9 - Extra button: FlashGet (HKLM)
    O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{886D8C13-588E-4A10-B5F9-254F57204F16}: NameServer = 192.115.106.31 62.219.186.7

    3 Restarts by now... So far So good. Thx dvk01 for your help. If I can contribute in anything to the research and removal of this especially nasty scumware, just let me know, and I'll be glad to help.
     
    Last edited: May 4, 2004