CWS Nightmare

Discussion in 'Malware Help (A Specialist Will Reply)' started by skankopickle, Mar 25, 2005.

  1. skankopickle

    skankopickle Private E-2

Hi, after following all your instructions for basic spyware removal, along with running around 7-8 different spyware removal packages, only one (Xoftspy) pulled up a result; CoolWebSearch. I have run CWShredder and that doesn't locate the version I seem to have on my machine and I am completely at a loss as to what to do next, as deleting the rundll32.exe file just ain't cutting it, as it keeps reappearing every time I reboot. I would be very grateful if you have any advice on how to remove the damn thing. I have attached a copy of my HJT logfile. Many thanks, D.
     

    Attached Files:

  2. yukon98

    yukon98 Specialist

rundll32.exe is a process which executes DLLs and places their libraries into the memory, so they can be used more efficiently by applications. This program is important for the stable and secure running of your computer and should not be terminated. rundll32.exe is also a process which is registered as the W32.Miroot.Worm. This Trojan allows attackers to access your computer, stealing passwords and personal data. It should be removed immediately.


    http://securityresponse.symantec.com/avcenter/venc/data/w32.miroot.worm.html
     
  3. skankopickle

    skankopickle Private E-2

Ah, I see. Thing is Xoftspy was flagging this file as CWS spyware, and that has been the only thing I have come up with on all of my searches for spyware, and the only thing I can think of that could possibly be causing all the pop-ups that I have been getting. I have run the online virus scans and a scan with McAfee's but they turn up clean, should this worm show up on these scans?
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

You need to run through our complete cleanup procedure!

    - Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    After doing ALL of the above you still have a problem:

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

- Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  5. skankopickle

    skankopickle Private E-2

Yeah, I have been through the tutorial, and it didn't turn up anything at all. What is happening is this; something on my system is generating tracking cookies, but these cookies are all that is being found, so, for instance, when I run Ad-Aware or Spybot they find the cookies, but not the source of the problem.

I didn't have any problems running the scans, they just came up with these cookies, which I can delete, but they just keep coming back. I have run the online scans, which came up blank, the McAfee Stinger, no results there either, also Ad-Aware, Spybot and several others, all in safe mode, all with no results. CWShredder also turns up zero results. The ONLY scan that turns up ANYTHING is this Xoftspy one which picks out runddll32.exe as CWS spyware, but when I reboot it reappears. I really am at a loose end here. I have attached a copy of my HJT log to my original post. Thanks, D.

    P.S. I am running XP and have turned system restore OFF.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Tracking cookies are not big issues! If you use a browser, you are going to get cookies.
    Did you mean runddll32.exe or rundll32.exe? Which folder is it saying the file is in?

    Your OS and IE versions are seriously out of date and present a major security risk. You must get updated when we fix your current problems.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINNT\System32\n?tdde.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\about.htm
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
    O2 - BHO: (no name) - {63326663-CDCF-410C-A881-CC01CE33349C} - (no file)
    O2 - BHO: (no name) - {F020031A-C085-C102-F82B-BEC9D6C169ED} - C:\WINNT\System32\jperlg.dll
    O4 - HKCU\..\Run: [Xuwd] C:\WINNT\System32\n?tdde.exe
    O9 - Extra button: Microsoft AntiSpyware helper - {A7C19742-5041-41C1-B173-6073482FFF6B} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {A7C19742-5041-41C1-B173-6073482FFF6B} - (no file) (HKCU)
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
    O9 - Extra button: Microsoft AntiSpyware helper - {E5371947-F5F3-40C4-8645-8C569439E982} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {E5371947-F5F3-40C4-8645-8C569439E982} - (no file) (HKCU)
    O15 - Trusted IP range: 67.19.185.246
    O21 - SSODL: MSTask - {28D6244B-DB47-4C11-8196-64DFF9EC6693} - logsys.dll (file missing)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINNT\System32\jperlg.dll

If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now run Ccleaner (installed while running the READ ME FIRST).

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
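Added example, not code from this thread, from MajorGeeks or from HijackThis: a small Python triage script that parses the HJT entry lines chaslang listed in post 6 and applies rules mirroring his reasoning (a Trusted zone entry nobody added, an unnamed BHO that still loads a DLL, a Run entry whose file name contains a character HJT prints as "?", dangling entries whose target file is gone). The severity labels, the rule set and the benign ctfmon.exe line appended to the sample are assumptions made for illustration; the other sample lines are the ones quoted in the post above.

```python
"""Triage a HijackThis (HJT) log for entries that deserve a closer look.

Illustrative rules only; this is not a HijackThis feature and the severity
labels are an assumption made for this example.
"""
import re

# Constructed sample input: the entries quoted in post 6 of this thread,
# plus one benign Run entry (ctfmon.exe, assumed benign) to show a pass.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\about.htm
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {F020031A-C085-C102-F82B-BEC9D6C169ED} - C:\WINNT\System32\jperlg.dll
O4 - HKCU\..\Run: [Xuwd] C:\WINNT\System32\n?tdde.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O15 - Trusted IP range: 67.19.185.246
O21 - SSODL: MSTask - {28D6244B-DB47-4C11-8196-64DFF9EC6693} - logsys.dll (file missing)
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# HJT entries look like "O4 - <body>"; sections are R0-R3, F0-F3, N1-N4, O1-O24.
LINE_RE = re.compile(r"^([RFNO]\d+) - (.*)$")


def parse_hjt(log_text):
    """Yield (section, body) for every HJT entry line; skip blanks and chatter."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group(1), m.group(2)


def triage_line(section, body):
    """Return (severity, reason) for one entry, or None if nothing stands out."""
    dangling = "(no file)" in body or "(file missing)" in body
    if section == "O15":
        # Nothing lands in the Trusted sites zone unless someone put it there,
        # and sites in that zone run with relaxed IE security settings.
        return ("high", "Trusted zone entry")
    if section == "O4" and "?" in body:
        # HJT prints characters it cannot render as '?', so a '?' inside a
        # file name usually hides a non-ASCII character mimicking a system file.
        return ("high", "Autostart with unprintable character in file name")
    if section == "O2" and "(no name)" in body and not dangling:
        return ("high", "Unnamed BHO loading a DLL into the browser")
    if section == "O21":
        # ShellServiceObjectDelayLoad entries start with the shell; rarely legitimate.
        return ("medium" if dangling else "high", "SSODL autostart")
    if section in ("R0", "R1") and re.search(r"= ?[A-Za-z]:\\", body):
        return ("medium", "IE page setting points at a local file")
    if section == "R3":
        return ("medium", "Default URLSearchHook missing")
    if dangling:
        return ("low", "Orphaned registry entry (target file missing)")
    return None


def triage(log_text):
    """Run every entry through triage_line and collect the hits."""
    findings = []
    for section, body in parse_hjt(log_text):
        verdict = triage_line(section, body)
        if verdict:
            severity, reason = verdict
            findings.append({"section": section, "severity": severity,
                             "reason": reason, "entry": body})
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 3, 'medium': 3, 'low': 2}."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    order = ("high", "medium", "low")
    for f in sorted(results, key=lambda f: order.index(f["severity"])):
        print(f"[{f['severity']:<6}] {f['section']:<4} {f['reason']}: {f['entry']}")
    print(summarize(results))
```

The script only ranks lines for a human to review; it deliberately does not delete anything, since the thread's own advice is to fix entries in HJT with all browsers closed and then remove the file from safe mode.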
  7. skankopickle

    skankopickle Private E-2

    Hi Chaslang,
    Just a note to say thanks for your help, that really seems to have fixed the problem. Yeah, it wasn't really the cookies that was bothering me, more where they were coming from as they were popping up while I was surfing 'safe' sites (this one included), but I have stopped getting them now.

    I think the thing with Xoftspy must have been a program bug as it stopped picking up the 'corrupted' file after the latest update.

    I also have been having some trouble updating windows (I get prompted to install the same update over and over again) but I'm not sure if this is the right forum for that sort of thing.

    I have attached another HJT log to this post.

    Thanks again, D.
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Okay, there is still one item in your log to remove:
    O15 - Trusted IP range: 67.19.185.246

    Let's see if we can remove the TZ IP address.
Run IE, select Tools, Internet Options. Now select Security and then click the Trusted Sites circle. Then click the Sites button. Look for the 67.19.185.246 address in the Web sites box and select it. Then click Remove. Then at the bottom make sure there is a check mark in the box that says Require server verification...... blah blah. Now click OK.

    And OK again.

    Is the line now gone from your HJT log?
     
  9. skankopickle

    skankopickle Private E-2

    Yup, that's got rid of it. Thanks again for your help, D.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

