CWS variant problem w/ "only the best" popup

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by jade-sabre, Jun 21, 2004.

  1. jade-sabre

    jade-sabre Private E-2

    Hi,

    I am new to the forums, but I have been lurking all day. I seem to have the same problem that a lot of others are having. I believe it is a CWS variant. The difference is that my homepage for IE is set to res://fdwpa.dll/index.html#96676 which matches what I am seeing in my HijackThis list.

    Please help if you can. I have already tried Disabling my System Restore, deleting R1, R0, and O2 files with HijackThis, and rebooting in safe mode. Nothing is working. Thanks in advance for any help. Here is my file:

    Logfile of HijackThis v1.97.7
    Scan saved at 10:52:55 PM, on 6/21/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\NCOGRO~1\SECURE~1\cvpnd.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\javaaw32.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\Dell\TrayTool.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\WINDOWS\system32\winxd.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
    C:\Documents and Settings\Joshua\My Documents\Spybot\hijackthis\HijackThis.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\fdwpa.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://fdwpa.dll/index.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://fdwpa.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\fdwpa.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://fdwpa.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\fdwpa.dll/sp.html#96676
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {8321C97A-8D55-6B2C-CD27-699292B1BAC9} - C:\WINDOWS\apiia32.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [ToolExe] C:\Program Files\Dell\TrayTool.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [winxd.exe] C:\WINDOWS\system32\winxd.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKLM\..\RunOnce: [javaaw32.exe] C:\WINDOWS\system32\javaaw32.exe
    O4 - HKLM\..\RunOnce: [sdkgh32.exe] C:\WINDOWS\system32\sdkgh32.exe
    O4 - HKLM\..\RunOnce: [syscr32.exe] C:\WINDOWS\system32\syscr32.exe
    O4 - HKLM\..\RunOnce: [sysct.exe] C:\WINDOWS\system32\sysct.exe
    O4 - HKLM\..\RunOnce: [sdkpq32.exe] C:\WINDOWS\sdkpq32.exe
    O4 - HKLM\..\RunOnce: [sdksl.exe] C:\WINDOWS\system32\sdksl.exe
    O4 - HKLM\..\RunOnce: [ieyw.exe] C:\WINDOWS\system32\ieyw.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Real.com (HKLM)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    Thanks,
    Josh
     
    jade-sabre, Jun 21, 2004
    #1
  2. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Major Attitude, Jun 22, 2004
    #2
  3. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    it's not working for you, or it's too complicated, I heard from several people that this workaround works as well:
    Open the DLL you get hijacked to in Notepad
    Select all content (Ctrl-A) and delete it
    Save the file and exit Notepad
    Find the file in Explorer, right-click it, select Properties, put a checkmark in 'Read-Only' and click OK.
    If you can't find the DLL file, make sure your settings allow you to view "Hidden files". Open up any explorer windows and click on "Tools", "Folder Options", "View" and be sure to check off "Show Hidden Files and Folders".
     
    Major Attitude, Jun 22, 2004
    #3

MajorGeeks.Com Menu

Downloads All In One Tweaks \ Android \ Anti-Malware \ Anti-Virus \ Appearance \ Backup \ Browsers \ CD\DVD\Blu-Ray \ Covert Ops \ Drive Utilities \ Drivers \ Graphics \ Internet Tools \ Multimedia \ Networking \ Office Tools \ PC Games \ System Tools \ Mac/Apple/Ipad Downloads

Other News: Top Downloads \ News (Tech) \ Off Base (Other Websites News) \ Way Off Base (Offbeat Stories and Pics)

Social: Facebook \ YouTube \ Twitter \ Tumblr \ Pintrest \ RSS Feeds