CoolWebSearch

I've been hijacked. I read thru a few previous threads and it seems like I have fought off nearly all of these in the last 3 days. I have downloaded the following:

(mostly due to the previous posts and after reading a few stickys I won't post the hijackthis.log unless requested. )

hjk.zip installed in C:\Program Files\spyhackattack\hjt\
procexpnt.zip installed but debug not allowed. I can log in as admin
giantantispyware.exe installed and running
cwsinstall.exe installed waiting till I finish this post to activate
spybotsd131tx.exe to fix the DSO problem incountered earlier
startuplist.zip still zipped att
vx2finder(126).exe installed

I get a number of entries on my hosts file that look like this:
# Start of entries inserted by Spybot - Search & Destroy
# End of entries inserted by Spybot - Search & Destroy
127.0.0.1 www.igetnet.com
127.0.0.1 code.ignphrases.com
127.0.0.1 clear-search.com
127.0.0.1 r1.clrsch.com
127.0.0.1 sds.clrsch.com
127.0.0.1 status.clrsch.com
127.0.0.1 www.clrsch.com
127.0.0.1 clr-sch.com
127.0.0.1 sds-qckads.com
127.0.0.1 status.qckads.com
69.20.16.183 search.netscape.com
69.20.16.183 ieautosearch
69.20.16.183 ieautosearch
69.20.16.183 auto.search.msn.com
69.20.16.183 ieautosearch
69.20.16.183 ieautosearch


everything after spybot cannot be deleted for more than 30 seconds.
I have ensured system restore is off and there is always 1 program with a random name in /windows/temp/MXBBB4.exe (currently). I cannot delete
this running file in taskmanger it says system file. I can rename the file then delete it. and there are 3 files in my deleted items bin that cannot be deleted. OK thats it can someone help?

 

This particular baddie is a real pain. Nobody has a fix for it yet.

How many user accounts are on your machine?

Please run HijackThis For ALL User Accounts - In the small box in the lower right where it says "other stuff," select CONFIG > Misc Tools and choose Generate Startup List Log. Please save the logs for each account and attach them for me.

Also, boot into safe mode and get me a startuplist log for the Administrator Account. Attach that as well.

I am probably wasting time for both of us, but I want to see if a common denominator jumps out at me.

It would probably be a good idea for you to run through our Cleanup Tutorial to make sure that your machine is otherwise clean.

READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan and Virus Removal

I will try to check back when I can. Got a busy week of work ahead of me, so please be patient.

PP

 

There is 6 accounts
Administrator
All users
Default User
b.duke (<-me)
svc.2000inst (the install team account)
j.pock

of these I can only log in as myself and the administrator
Giantantivirus recommended I delete the regkey for default password. I did so now I cannot log in as svc.2000inst

I have attached both startup files:
startuplist.log (mine)
startuplistadmn.log (administrators)

 

Couldn figure out how to attach twice. The upload link would only allow 1 file per thread. I've renamed the administrators startuplist.txt as su_admn.log and it still wont allow me to attach. I can post here as it is the smaller of the two logs. please let me know.

 

Please Copy and Paste it for me. I'll deal with it.

PP

 

EDIT: PP

Attached Startup List. Did not find what I was hoping to find.

 

Ok maybe I found something.
when I started IExplorer I happened to be looking at my task manager.
the program that actually started was "SysFader"
I searched my disks I cannot find that file. I looked in the registry and couldn't find it either.

SysFader starts only randomly. like once in 10 starts or 1/3 starts it seems to depend. can you help me kill that program from my system?

 

Done.
used the advanced options:
search system folders,
search hidden files and folders
search subfolders.
No file by the name of SysFader exists on my system except for that 1/2 second before internet explorer starts.

 

I have tried every possible way to use the debug mode.
I logged into the box as local administrator and changed the debug user to myself and all administrators. Saved it. ran procexe and it said I don't have permission. in fact no one has permission. is there another way to force it to grant debug?

 

I checked to ensure I was looking for hidden files and folders as well:
looked for:
kalvsuy32
iosyko
iwrop
sywin16

in the all or part of the name field and each one came back negative.
I'm still curious about the 3 files in my deleted items bin that cannot be deleted. they are still there but I can see them and when I empty it says are you sure you would like to deleted these 3 files?

yet when I look in the bin nothing is there. after deleteing them I right click and delete them again. The files are either instantly recreated or they are never deleted to begin with.

 

I don't know if I missed this earlier or if it's a new developement.
WToolsA.exe
and WSup.exe
I did see a RH.exe and one other but it was too fast.
I tried to kill the process but it won't let me.

mnmsrvc.exe is back too. I don't use NetMeeting for anything. Should I post a hjt.log?

 

TBPS.exe
PIB.exe
both seem to be toolbars
WToolsA.exe
and WSup.exe

all 4 are currently suspended but cannot be killed. I went into the directory and renamed what I could but the actual execs could not be renamed.

 

Ok so I got very behind the 8 ball with the WToolsA.exe and WSup.exe Found the Toolbar and the multiple hijack attempts. May the private E-1 who reads this in search for the answer to his WToolsA problem, may he listen real close. Do not take this one lightly. Unplug the cable from the wall. Reboot into safe mode and start from there. I had to start Hijackthis and procexe and a few other toys then after I removed all "toolbar" and "searchassistant" entries, I felt confident enough to restart explorer.exe. I still found the Huntbar and VirtualBouncer but I'm hopeful the tools can now kill those two as well. I'm T-minus 4 hours and counting till I officially must conceed and reformat.

 

Ad-Aw
are-se (with modified VX2) found IBIS Toolbar as well.
the registrry keys and the 5 IBIS files in the Giatantyspyware quarantine bin.
and about 37 other registry entries. I'm still in safe more and writing this post from a separate machine.
VX2 ran clean
CCleaner keeps cleaning these websearch entries:
c:\windows\ntbtlog.txt 1.42 kbs
http://download.websearch.com/TbStatInstLog.asmx/SetStatus(8H41) 83 bytes
http://crl.verisign.com/Class3CodeSigning2001.crl(8H1) 67.08 KB
http://crl.verisign.com/pca3.crl(8H1) 688 bytes
and the IBIS Toolbar is still infected somewhere. That's Giant, Spybot, Ad-Aware, and now PestPatrol. I'm going to search if anyone else has had this problem in the forums with this toolbar.
Something is still running and I need to kill it before I go to bed and sleep my alloted 3 hours before I need to be back in here. I don't know where this process is that is running. I've saved my startup config and I'll save another copy of my HijackThis.log as well and post it.

ok I figured that out the quarantine files were still getting recognised. I deleted all of them manually.
I found earlier c:\windows\system32\calsp.dll . Hijackthis found it first. 4 instances of an unknown process running. I renamed the dll then opened it up as a text file and on the text section I saw it belonged to CouponAge. so I immediately deleted it.

Finally while still in safe mode and the wire pulled out I have run clean.
spybot_s&d: clean
Giant : clean
PestPatrol (paid for version) : clean
CWSshredder: clean
stinger:clean

I'm going to attempt to log in when I wake up as myself again. Still with the network cable disconnected. and run the same battery above. if this works than I'll repost a sucess as well. The main file that looks like it was letting the barn doors open was the calsp.dll file inthe win\sys32 directory. I'll try this in a couple hours....now for a couple ZZzzzs

 

You are correct. I still have the 01 files being attached.
procexe says there is a:
nmnsrvc.exec with a subprocess rundll32.exe running as an app
I cannot delete it.
all I need to do is plug in the ethernet cable and the new 01's begin to appear.
there is still 3 files in my deleted item bin that will not delete but cannot be shown either.
my ethernet address is still 0.0.0.0 but if I plug it in I get fullconnectivity immediate and the 01's .
now there is some process that is installing the 69.20.16.183 stuff.
I've only got a short time till they reimage.

 

Ok this is worse than I first thought.
I found a number of files on my system that do not belong.
I have the .exe's listed and everytime I delete them the file magically returns. with last modified date of:
8/23/2001 5:00AM
this I think is also why we cannot run the sysinternals file.
the names I seethat don't belong:
append.exe
debug.exe
dosx.exe
edlin.exe
exe2bin.exe
mem.exe
mscdexnt.exe
nlsfunc.exe
nw16.exe
share.exe
setver.exe
login.cmd
usrlogin.cmd

I think I may have been hit with a very good trojan that my system cannot see because the files listed are actually the replaced files.

 

oops I might have sounded like all the files in my system32 directory with a date of 8/23/2001 05:00 AM.
Thats not true
there is 2300 files in my system32 bin.
I estimate about 92 extra files in my system32 folder.
This being the case I'm still waiting on my reformat team to get here. Probably won't happen till tomorrow.

 

ok here is what I have left

Hummingbird InetD we use it to connect to our remote tools
Hummingbird Exceed Display management
OfficeScanNT RealTime Scan
NVIDIA Driver Helper Service (unknown I have an Intel Graphics card)
OfficeScanNT personbal Firewall
Oracleora817ClientCache (it says manufacturer is unknown)
OfficeScanNT Listener

thats it. Yes I do have procexe installed. How would you like it configured? with DLL's in the lower pane?

 

Hummingbird InetD Hummingbird Ltd. running
Hummingbird Exceed Display management Hummingbird Ltd. running
OfficeScanNT RealTime Scan Trend Micro Inc. running
NVIDIA Driver Helper Service NVIDIA Corporation stopped
OfficeScanNT personbal Firewall Trend Micro Inc. running
Oracleora817ClientCache Unknown stopped
OfficeScanNT Listener Trend Micro Inc. running

 

in the startup tab there is 2 which are troublesome:
SED c:\programfiles\SED\SED.exe (I deleted that but already WToolsA and TBSP and PIB and WSup are installed. I have them suspended but something is letting all the problems in at the moment.
and one line that is blank but has a SOFTWARE\Microsoft\Windows\CurrentVersion\Run after it.

I fixed the 3 files in the deleted item bin thing
Had to cd into c:\Recycle and Recycler then do a attrib -s -h * on everything in them and then delete everything. there was 2 desktop.ini files in there and after I deleted them I could see the 3 files in my desktop recycle folder.

 

yes I cannot delete them it always says the file is being used by another program.

here is todays log.

 

in fact I have ccleaner and it says it cleans them but the files return shortly.
and I have verified system restore is disabled.

 

I can delete the file but I cannot make it stop. the exe in my windows\temp is always a different name and connot be deleted but can be renamed and deleted. .

 

sysfader still loads before my IExplorer. That may be a secondary issue to the redirects but perhaps that might help

 

nevermind about the sysfader thing. I found it was actually part of the NVIDIA effects thing. I have turned it off.

 

I don't trust using the infected machine to post here so I am using putty to ssh over to the linux machine then pasting the text file into a vi session and uploading from the linux box. I found a bw2.exe file in my c:\windows\temp directory. I deleted it via dos "del" command. Some varient of the EF56CA.exe is running on all of our machines I think. it always changes it name every time you reboot and I cannot delete. I used the attrib command with a -s to remove the system lock from it and I got a "denied" msg

 

both of those are expected. they are company internal websites. I did download the HiJackThis from an older Thread when you were working on this before. bw2.exe appeared today as I was trying to find ways to kill the EF56CA.exe earlier. I have re-read the read me first for the third time and I think I have not missed antything. I will download from the main downloads link now.

 

I think we have a sucess. I'm rebooting before I confirm that but the new tools did indeed sucessfully remove everything. It poped up with the new warning message that gave suggestions for other tools to use first. I like the new HiJackThis. Good idea and I am very glad you caught the fact it was out of date. I would have never known till it was too late. Let me reboot and I'll post once more to let you know if this fixed it.

 

Ok looking back it doesn't look like I explain this strange file on our ssystems.

C:\WINDOWS\TEMP\ZE17D3.EXE (the current name of this program) is, I THINK, actually a progam run by our security team. Somehow part of our trendmicro antivirus stuff.

C:\WINDOWS\System32\cmd.exe is the short version of "command" I was running that to see if anything elase was in my c:\windows\temp folder.

C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE I use a version of outlook2003 which allows me to use WORD as the editor to create emails I was emailing my security team telling them of the fix.

C:\Program Files\spyhackattack\sysinternals\procexe\procexp.exe was looking to see if SED or TBPS or etc was running before I shut down.

C:\Program Files\SpywareBlaster\spywareblaster.exe I was running in the background to make sure nothing else got in while it was clean

C:\Program Files\Internet Explorer\iexplore.exe and this one <smile> I ran the "fix checked" and then when it fixed it I brought up this to reply back but noticed you asked for a new HiJackThis.log. so I rescanned and then hit the save log button and uploaded it thats shy most of this junk is running. When I saw it was fixed I brought it all up and then noticed you needed a new log.

I can officially say the new software (plus the removal of a pesky bw2.exe) and all of the help from you guys has saved this computer. I'd like to hang out at this website for a while. I need to learn a lot more.