Lost2003
asked on
HIJACKED BY CWS
I use Internet Explorer and have been hijacked by the CWS. After using merijn's CWShredder and Adaware, my homepage continues to be taken over by the hijacker. I ran hijackthis and will place the log below. Your help would be appreciated.
Logfile of HijackThis v1.97.7
Scan saved at 12:25:46 PM, on 6/3/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32
C:\WINDOWS\SYSTEM\MSGSRV32
C:\WINDOWS\SYSTEM\mmtask.t
C:\WINDOWS\SYSTEM\MPREXE.E
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\RESTORE\
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
C:\PROGRAM FILES\VERIZON ONLINE\WINPOET\WINPPPOVERE
C:\PROGRAM FILES\VERIZON ONLINE\VISUAL IP INSIGHT\IPCLIENT.EXE
C:\PROGRAM FILES\VERIZON ONLINE\VISUAL IP INSIGHT\IPMON32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.E
C:\PROGRAM FILES\EXIF LAUNCHER\QUICKDCF.EXE
C:\WINDOWS\SYSTEM\DDHELP.E
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINSM32.EXE
C:\Program Files\Norton SystemWorks\Norton CleanSweep\Monwow.exe
C:\WINDOWS\SYSTEM\SPOOL32.
C:\WINDOWS\SYSTEM\RNAAPP.E
C:\WINDOWS\SYSTEM\TAPISRV.
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\VERIZON ONLINE\VISUAL IP INSIGHT\IPCLIENT.EXE
C:\WINDOWS\SYSTEM\PSTORES.
C:\WINDOWS\SYSTEM\STIMON.E
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\O123456V
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-
O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Suppor
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAP
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [RegShave] C:\Progra~1\REGSHAVE\REGSH
O4 - HKLM\..\Run: [a-winpoet-service] "C:\Program Files\Verizon Online\WinPoET\winpppovere
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\PROGRAM FILES\VERIZON ONLINE\VISUAL IP INSIGHT\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\PROGRAM FILES\VERIZON ONLINE\VISUAL IP INSIGHT\IPMon32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\
O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPw
O4 - Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
O4 - Startup: Resolution Assistant.lnk = C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\
O4 - Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsm32.exe
O4 - Startup: Quicken Scheduled Updates.lnk = C:\Program Files\QuickenW\bagent.exe
O4 - Global Startup: HPAiODevice(hp officejet d series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\
O9 - Extra button: Control Pad (HKLM)
O9 - Extra 'Tools' menuitem: Control Pad (HKLM)
O9 - Extra button: Dell Home (HKCU)
O15 - Trusted Zone: *.greg-search.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-4
O16 - DPF: {34805D32-AD89-469E-8503-A
O16 - DPF: {30528230-99F7-4BB4-88D8-F
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D
O16 - DPF: {9F1C11AA-197B-4942-BA54-4
O16 - DPF: {C606BA60-AB76-48B6-96A7-2
O16 - DPF: {3E68E405-C6DE-49FF-83AE-4
O16 - DPF: {90C9629E-CD32-11D3-BBFB-0
O16 - DPF: {33564D57-0000-0010-8000-0
Logfile of HijackThis v1.97.7
Scan saved at 12:25:46 PM, on 6/3/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32
C:\WINDOWS\SYSTEM\MSGSRV32
C:\WINDOWS\SYSTEM\mmtask.t
C:\WINDOWS\SYSTEM\MPREXE.E
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\RESTORE\
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
C:\PROGRAM FILES\VERIZON ONLINE\WINPOET\WINPPPOVERE
C:\PROGRAM FILES\VERIZON ONLINE\VISUAL IP INSIGHT\IPCLIENT.EXE
C:\PROGRAM FILES\VERIZON ONLINE\VISUAL IP INSIGHT\IPMON32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.E
C:\PROGRAM FILES\EXIF LAUNCHER\QUICKDCF.EXE
C:\WINDOWS\SYSTEM\DDHELP.E
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINSM32.EXE
C:\Program Files\Norton SystemWorks\Norton CleanSweep\Monwow.exe
C:\WINDOWS\SYSTEM\SPOOL32.
C:\WINDOWS\SYSTEM\RNAAPP.E
C:\WINDOWS\SYSTEM\TAPISRV.
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\VERIZON ONLINE\VISUAL IP INSIGHT\IPCLIENT.EXE
C:\WINDOWS\SYSTEM\PSTORES.
C:\WINDOWS\SYSTEM\STIMON.E
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\O123456V
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-
O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Suppor
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAP
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [RegShave] C:\Progra~1\REGSHAVE\REGSH
O4 - HKLM\..\Run: [a-winpoet-service] "C:\Program Files\Verizon Online\WinPoET\winpppovere
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\PROGRAM FILES\VERIZON ONLINE\VISUAL IP INSIGHT\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\PROGRAM FILES\VERIZON ONLINE\VISUAL IP INSIGHT\IPMon32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\
O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPw
O4 - Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
O4 - Startup: Resolution Assistant.lnk = C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\
O4 - Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsm32.exe
O4 - Startup: Quicken Scheduled Updates.lnk = C:\Program Files\QuickenW\bagent.exe
O4 - Global Startup: HPAiODevice(hp officejet d series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\
O9 - Extra button: Control Pad (HKLM)
O9 - Extra 'Tools' menuitem: Control Pad (HKLM)
O9 - Extra button: Dell Home (HKCU)
O15 - Trusted Zone: *.greg-search.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-4
O16 - DPF: {34805D32-AD89-469E-8503-A
O16 - DPF: {30528230-99F7-4BB4-88D8-F
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D
O16 - DPF: {9F1C11AA-197B-4942-BA54-4
O16 - DPF: {C606BA60-AB76-48B6-96A7-2
O16 - DPF: {3E68E405-C6DE-49FF-83AE-4
O16 - DPF: {90C9629E-CD32-11D3-BBFB-0
O16 - DPF: {33564D57-0000-0010-8000-0
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Here is some more information about the CoolWeb hijacker:
http://www.spywareinfo.com/~merijn/cwschronicles.html
How did it get onto my system?
http://www.spywareinfo.com/~merijn/cwschronicles.html#byteverify
Just a little note, CoolWebSearch itself didn't create this hijacker, nor will you get problems from visiting their site.
This is a growing family of trojans that exploits the ByteCodeVerifier vulnerability in the Microsoft Virtual Machine to execute unauthorized code on an affected machine.
The variants of this trojan that we have seen in the wild have been functionally diverse; the common factor amongst them has been the use of the ByteVerify exploit to achieve their goals. Some variants may do little more than change the user's default Internet Explorer home page and/or search page via modifications to the registry.
Patch can be downloaded from:
http://www.microsoft.com/technet/security/bulletin/MS00-075.mspx
http://www.spywareinfo.com/~merijn/cwschronicles.html
How did it get onto my system?
http://www.spywareinfo.com/~merijn/cwschronicles.html#byteverify
Just a little note, CoolWebSearch itself didn't create this hijacker, nor will you get problems from visiting their site.
This is a growing family of trojans that exploits the ByteCodeVerifier vulnerability in the Microsoft Virtual Machine to execute unauthorized code on an affected machine.
The variants of this trojan that we have seen in the wild have been functionally diverse; the common factor amongst them has been the use of the ByteVerify exploit to achieve their goals. Some variants may do little more than change the user's default Internet Explorer home page and/or search page via modifications to the registry.
Patch can be downloaded from:
http://www.microsoft.com/technet/security/bulletin/MS00-075.mspx
sirbounty, just wanted to let you know Lost2003 is having problems logging in to the site, he mailed me about that. Hope the problem will be solved soon.
LucF
LucF
ASKER
Hello,
Thank LucF. I was locked out for some reason.
One of Sirbounty's suggestions was to check hosts/imhosts files and you gave me directions to start > run ...
It did not work. I have a dell computer running windows ME. Need more info to check hosts/imhosts (I do not know what these are).
Thank you both for your ideas. I have eliminated those lines but my homepage continues to revert to the hijacker. Where ever I set the IE homepage, it goes immediately back to http://solongas.com/hp.htm?id=9
I do not think the hijacker is eliminated. Could it be connected to the hosts/imhosts issue?
Lost2003
Thank LucF. I was locked out for some reason.
One of Sirbounty's suggestions was to check hosts/imhosts files and you gave me directions to start > run ...
It did not work. I have a dell computer running windows ME. Need more info to check hosts/imhosts (I do not know what these are).
Thank you both for your ideas. I have eliminated those lines but my homepage continues to revert to the hijacker. Where ever I set the IE homepage, it goes immediately back to http://solongas.com/hp.htm?id=9
I do not think the hijacker is eliminated. Could it be connected to the hosts/imhosts issue?
Lost2003
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
found a hosts file "called old file" that had that listing
in the current hosts file I found this
127.0.0.0 localhost
127.0.0.1 and.doxdesk.com
127.0.0.2 auditmypc.com
127.0.0.3 boards.cexx.org
127.0.0.4 bulletproofsoft.net
there was also a "hosts backup file" from 2001 with this in it:
127.0.0.1 pop3.norton.antivirus # Added by Norton AntiVirus for e-Mail scanning
127.0.0.1 pop3.spa.norton.antivirus # Added by Norton AntiVirus for e-Mail scanning
645238813 auto.search.msn.com
I changed the current host file to look like what you sent LucF. Hope I did not jump too quickly in making that change. I saved it and did a new search re-opened the file and it had stayed one line:
127.0.0.1 Localhost
should I restart the computer and see what happens?
in the current hosts file I found this
127.0.0.0 localhost
127.0.0.1 and.doxdesk.com
127.0.0.2 auditmypc.com
127.0.0.3 boards.cexx.org
127.0.0.4 bulletproofsoft.net
there was also a "hosts backup file" from 2001 with this in it:
127.0.0.1 pop3.norton.antivirus # Added by Norton AntiVirus for e-Mail scanning
127.0.0.1 pop3.spa.norton.antivirus # Added by Norton AntiVirus for e-Mail scanning
645238813 auto.search.msn.com
I changed the current host file to look like what you sent LucF. Hope I did not jump too quickly in making that change. I saved it and did a new search re-opened the file and it had stayed one line:
127.0.0.1 Localhost
should I restart the computer and see what happens?
lost2003,
Also type
START | RUN | REGEDIT
Once open click on 'My Computer' top left icon, on the left pane -
Then click on EDIT | FIND
In the box that comes up in the 'FIND WHAT:' field type in *.greg-search.com
If you find that key delete it. Or put a new page in the feild.
Marakush
Also type
START | RUN | REGEDIT
Once open click on 'My Computer' top left icon, on the left pane -
Then click on EDIT | FIND
In the box that comes up in the 'FIND WHAT:' field type in *.greg-search.com
If you find that key delete it. Or put a new page in the feild.
Marakush
ASKER
Not sure where the comments I wrote went but I will try again. Sorry if I am repeating.
I found you through Pete Long (www.petenetlive.com). His site sent me to yours with a link.
the hosts file seems to have been the problem. Thanks to sirbounty for pointing that out and to LucF for showing me how to find and open it.
Marakush, the *.greg-search.com turned out negative but I took that as a good sign. I re-ran hijackthis and found none of those lines still present. The hosts file has stayed just the one line.
Thanks for restoring my sanity. Now off to find Opera!!
I think the point split was done separately (should have been 55 to LucF, 50 to sirbounty, & 20 to Marakush) but you all get A's in my book!
I found you through Pete Long (www.petenetlive.com). His site sent me to yours with a link.
the hosts file seems to have been the problem. Thanks to sirbounty for pointing that out and to LucF for showing me how to find and open it.
Marakush, the *.greg-search.com turned out negative but I took that as a good sign. I re-ran hijackthis and found none of those lines still present. The hosts file has stayed just the one line.
Thanks for restoring my sanity. Now off to find Opera!!
I think the point split was done separately (should have been 55 to LucF, 50 to sirbounty, & 20 to Marakush) but you all get A's in my book!
Glad you got it sorted Lost2003.
Thanx Luc for helping me out on this one. ;)
Thanx Luc for helping me out on this one. ;)
I second sirbounty :) Glad you got it sorted.
As you want to split the points, take a look here: http:help.jsp#hi69
LucF
As you want to split the points, take a look here: http:help.jsp#hi69
LucF
Tick the following lines, afterwards, click "fix checked"
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-
O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D
O15 - Trusted Zone: *.greg-search.com
Greetings,
LucF