pskelley
933 Posts
0
July 16th, 2004 18:00
Hi Riddleruk, Perhaps Ad-aware and Spybot did their job, I see no evidence of CWS in your log right now. Let's cover a few things if you will. We have a new post of "Pinned" items on the page where you posted. Would you please take the time to review the thread and benefit from the information there, here is that link:
http://forums.us.dell.com/supportforums/board/message?board.id=si_virus&message.id=19204
Next, a new version of HijackThis has been released, you will find a link to it in the thread above, or you can download the update from HJT. Open HJT, click on Config, then choose Misc Tools, then "Check for updates online", follow the directions to update to v1.98.
I know you have Adaware and Spybot, but do you run it like this?
Chris has posted an excellent tutorial by dgosling on how to run Spybot S&D and also how to enable customized deep scanning functions for Adaware. Once you set these options they will be retained for future scans by Adaware.
Follow the directions in this detailed guide for Spybot and Adaware...print out the directions in the custom scan tutorial as a reference while you set these options for the custom setup of Adaware. These custom settings will be retained for future custom scans so don't go nuts thinking you have to do this every time you run it! It may take you five minutes to set them up, but it's worth it.
http://www.cjwd.demon.co.uk/spybot-adaware.html
Please note the free Spybot 1.3 does have a slight bug...it detects some DSO exploits falsely. Hopefully an upgrade will fix this. The problem is not serious and should not deter people from using Spybot.
Reboot and browse a bit, exit IE 6 and post a new Hijackthis log.
pskelley
In Training at TomCoyote.com and Spywareinfo.com
Riddleruk
5 Posts
0
July 19th, 2004 07:00
Hi PSKelley
Thanks very much for your reply. I've done what you have suggested and believe that I have been attacked again by CWS since my first post - it tried to change my homepage to about:blank. I ran Adaware and Spybot again and reset my homepage. My latest HJT log is as follows:
Logfile of HijackThis v1.98.0
Scan saved at 09:14:20, on 19/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\freeserve\freeserveconnectionkit\atdialler1.exe
C:\Program Files\SECRETMAKER\secretmaker.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: AOL 8.0 Tray Icon.lnk = C:\Program Files\AOL 8.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Freeserve Connection Kit.lnk = C:\freeserve\freeserveconnectionkit\atdialler1.exe
O4 - Global Startup: SECRETMAKER.lnk = C:\Program Files\SECRETMAKER\secretmaker.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
Thanks again for your help.
Regards.
Riddleruk
pskelley
933 Posts
0
July 20th, 2004 00:00
Well Riddleruk, you are correct, as you can see, the CWS infection was not in the first log. I am not sure if it is a new infection or if it was lurking somewhere and had not shown itself yet. Will see if I can get some information about that. We need to remove it, and for that I will need you. Recently a fix was released for this item that looks like this in your log:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
The next link will be to the download and instructions for using it. Follow the directions carefully, for this is your best chance for success. http://www.majorgeeks.com/download4289.html Let's hope that clears it, but here is another link to the remaining fixes that are available. If you have to use these, I would try fix 5 first, then perhaps 3, 2, 1 in that order. Let's hope About:Buster does the job. http://russelltexas.com/malware/malware.htm
Once this is cleared from your computer, please run Spybot and Ad-aware again using the configuration you set up earlier, then post a new log so we can see what is left.
Thanks...pskelley
In training Tom Coyote Forum
& SpywareInfo.com
Expert Malware Responder Dell Forum
The following trained DellForum experts feel that too many helpers in one thread, or help from inexperienced users may increase the chance of software accidents. The following DellForum members were trained at TomCoyote.com and SpywareInfo.com to help with malware like viruses, worms, adware, scumware, foistware and crudware in general. They are also the only experts specifically trained to analyze and advise on Hijackthis logs:
Texruss, ChrisRLG, Baskar1234, Grinler, pskelley, SpotCheckBilly, and cghost. Also...these longtime DellForum experts have proven time and again their advice is excellent for malware questions in general, Windows operations, and many specific items in Hijackthis logs: ddeerrff, msgale and redwolf_98.
Message Edited by pskelley on 07-19-2004 09:39 PM
pskelley
933 Posts
0
July 22nd, 2004 15:00
I am not crazy about it either, for now the About:Blank lines are gone, here is what Merijn has to say about the 020 lines:
http://www.spywareinfo.com/~merijn/htlogtutorial.html
I am asking Texruss to take a look and advise us before we move to additional cleanup. It will be this evening at the earliest before he will get the information. Hope this helps...pskelley
Message Edited by pskelley on 07-22-2004 12:59 PM
Riddleruk
5 Posts
0
July 22nd, 2004 15:00
Hi pskelley
I have run About:buster and fix 5 as suggested and my latest log is as follows:
Logfile of HijackThis v1.98.0
Scan saved at 17:36:19, on 22/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\freeserve\freeserveconnectionkit\atdialler1.exe
C:\Program Files\SECRETMAKER\secretmaker.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: AOL 8.0 Tray Icon.lnk = C:\Program Files\AOL 8.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Freeserve Connection Kit.lnk = C:\freeserve\freeserveconnectionkit\atdialler1.exe
O4 - Global Startup: SECRETMAKER.lnk = C:\Program Files\SECRETMAKER\secretmaker.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O20 - AppInit_DLLs: C:\WINDOWS\System32\res.dll
The 020 entry is the one that worries me. What do you think??
Thanks again for all your help.
RiddlerUK
Riddleruk
5 Posts
0
July 22nd, 2004 16:00
Thanks pskelley. I agree with you, I'll wait for further advice before trying anything further.
Regards.
RiddlerUK
pskelley
933 Posts
0
July 22nd, 2004 16:00
http://forum.tweakxp.com/forum/forum_posts_view.asp?TID=16273&PN=1&get=last
Found some information at this forum, you can view the thread, and decide, I am inclined to wait until we get feedback from Texruss, but I thought I would show you the information.
Texruss
3.4K Posts
0
July 22nd, 2004 21:00
O20 - AppInit_DLLs: C:\WINDOWS\System32\res.dll
Yes...hostile Trojan...you may need to stop the process in a third-party process viewer like APM (see my malware page) and then delete (possibly have to rename first, as indicated in the Wilders thread below).
http://russelltexas.com/malware/malware.htm #18
Post here of interest:
http://www.wilderssecurity.com/showthread.php?t=34893
HTH,
Texruss
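As an added example (not code from this thread, from HijackThis, or from any of the helpers), here is a small Python triage script that parses the R0/R1 and O20 entry formats seen in the logs above and flags the two indicators the thread turns on: the HomeOldSP = about:blank lines pskelley pointed at and the O20 AppInit_DLLs entry Texruss called hostile. The AppInit_DLLs baseline and the sample log are constructed for the example.

```python
"""Triage helper for HijackThis-style log lines (added example, not the forum's
or HijackThis's own code). It recognises the R0/R1 and O20 entry shapes quoted
in the thread and reports two indicators discussed there: an Internet Explorer
HomeOldSP value of about:blank (the CoolWebSearch about:blank hijack) and an
AppInit_DLLs entry loading a DLL that is not on a known baseline.
"""
import re
from dataclasses import dataclass

# Entry formats exactly as they appear in the thread's logs.
R_LINE = re.compile(r"^(R[01]) - (HK\w+)\\(.+?),(.+?) = (.*)$")
O20_LINE = re.compile(r"^(O20) - AppInit_DLLs:\s*(.*)$")

# Constructed baseline: DLLs a (hypothetical) clean build is expected to have in
# AppInit_DLLs. On a stock Windows XP machine the value is normally empty.
KNOWN_APPINIT_DLLS = frozenset()


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def parse_line(line):
    """Return (section, fields) for a recognised HJT entry, else None."""
    m = R_LINE.match(line)
    if m:
        section, hive, key, name, value = m.groups()
        return section, {"hive": hive, "key": key, "name": name, "value": value}
    m = O20_LINE.match(line)
    if m:
        dlls = [d.strip() for d in m.group(2).split(",") if d.strip()]
        return "O20", {"dlls": dlls}
    return None


def triage(log_text):
    """Scan a whole log and return the Findings worth a helper's attention."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        parsed = parse_line(line)
        if parsed is None:
            continue
        section, fields = parsed
        if section in ("R0", "R1"):
            # CWS about:blank variant: HomeOldSP forced to about:blank in HKCU and/or HKLM.
            if fields["name"] == "HomeOldSP" and fields["value"].lower() == "about:blank":
                findings.append(Finding(section, "IE HomeOldSP is about:blank (CWS hijack indicator)", line))
        elif section == "O20":
            # AppInit_DLLs is injected into every process that loads user32.dll,
            # so any DLL here that is not on the baseline deserves a look.
            for dll in fields["dlls"]:
                if dll.lower() not in KNOWN_APPINIT_DLLS:
                    findings.append(Finding(section, f"AppInit_DLLs loads non-baseline DLL {dll}", line))
    return findings


# Constructed sample built from the entry shapes quoted in the thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O20 - AppInit_DLLs: C:\WINDOWS\System32\res.dll
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```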
Riddleruk
5 Posts
0
July 27th, 2004 07:00
Hi pskelley & Texruss
When I tried to run APM, Norton AV picked up the trojan file. I ran hiving.bat and this found the DLL. Norton was then able to quarantine it and I have deleted res.dll from there.
Latest log is as follows:
Logfile of HijackThis v1.98.0
Scan saved at 08:46:51, on 27/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\freeserve\freeserveconnectionkit\atdialler1.exe
C:\Program Files\SECRETMAKER\secretmaker.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: AOL 8.0 Tray Icon.lnk = C:\Program Files\AOL 8.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Freeserve Connection Kit.lnk = C:\freeserve\freeserveconnectionkit\atdialler1.exe
O4 - Global Startup: SECRETMAKER.lnk = C:\Program Files\SECRETMAKER\secretmaker.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
What do you think? I haven't been able to do all that you suggested due to Norton AV's intervention and I'm concerned that CWS is just hiding itself. Maybe I'm getting paranoid!!
As ever, many thanks for all your help.
Regards.
RiddlerUK