well and truly hijacked by cws - losing the will to live!

Discussion in 'Malware Help (A Specialist Will Reply)' started by noexpert, Aug 4, 2004.

  1. noexpert

    noexpert Private E-2

    :rolleyes:
    My computer has been taken over by CWS. I've done what I can to remove it and limit the damage but it won't go away.

    Here are just some of the things it's got up to:
    taking over administrator rights, altering startup to an unrequested logon (yet no profiles detectable in Windows) and denying permissions to use various antivirus/trojan programs or access online help (Norton totally scrambled, Panda inaccessible, posting to tech forums like this one a challenge);
    preventing shutdown;
    installing something I can't find called "Project1";
    attempting to change my IE start page (but I beat this with Start Page Guard);
    messing bigtime with my registry.

    Have tried to deal with this alone but I've reached the end of my rope. Every time I think I've got it beat, back it pops.

    Happy to post my Hijack This log if there's anyone out there who can help. Running out of options here.

    thank you

    noexpert
    (drowning, not waving)
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  3. noexpert

    noexpert Private E-2

    Thanks sooo much for getting back to me.

    Have just done a scan with Pest Patrol that shows up various problems, including the ProBot keylogger but I can't tally any of their results with what I can see on my computer. In any case, their solution is to buy software online, and as I don't do any financial business online this is not an option.

    I followed the instructions from the other posts you mention the best I could the other day when I became aware of the problem, but it didn't solve the loss of administrator rights and apart from the small victory of getting my IE start page back, however many times I fix things they keep reverting to the hijacker's settings.

    So here's the log - really grateful for any help you can offer.


    Edit by chaslang: In line HJT log deleted.
     
    Last edited by a moderator: Aug 4, 2004
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I said "If still having a problem afterwards, yes post your HijackThis log as an attachment."
    In-line logs will be deleted!

    And get the current HijackThis (1.98.1)
     
  5. noexpert

    noexpert Private E-2

    Apologies for doing it wrong.

    The log is attached.
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What is your expected home page and SearchAssistant? See the items below. Obviously the only one I know that could be valid is majorgeeks.com. Are the other lines things you have set up?

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = http://ugczed.outhost.info/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = http://ugczed.outhost.info/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://ffadda.outhost.info/?
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bbc.co.uk/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://majorgeeks.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nothing.com
     
  7. noexpert

    noexpert Private E-2

    my homepage is bbc.co.uk, and I set up the majorgeeks and nothing.com to see what would happen (nothing did).

    the outhost pages are part of my cws invasion.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

     
  9. noexpert

    noexpert Private E-2

    The majorgeeks.com and nothing.com values were entered when I installed Start Page Guard, to see if it made any difference, as they asked for more than one entry. My start page of choice is bbc.co.uk.

    I previously downloaded what I thought to be the latest Hijack This from merijn.com before I realised majorgeeks had a more up-to-date version. I will make a new folder as you suggest. Out of interest, what's the problem with having it on the desktop?
     
  10. nickson2

    nickson2 Master Sergeant

    Chaslang is a great help, sorry I prolly got him stressed out sortin my probs.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    HijackThis is an analysis/repair tool that will make modifications to your Windows Registry. As such it may be that you make a mistake and delete something that you should not have. For this reason, HijackThis creates a folder called backups. It uses this folder to save backups in case you need to undo a change. Putting HijackThis on your Desktop would mean HijackThis would now create a folder called 'backups' on your desktop too, thus adding additional clutter to your desktop and also making the backups susceptible to any software you have that may perform cleanups, thus also removing the backups.

    In order for this to be reliable, HijackThis needs a safe folder to keep these critical backup logs and a temp folder is definitely not safe. You might run Disk Cleanup (or any other drive cleaning utility) and delete items in a temp folder without even realizing it. Also note, they are temp folders thus Windows itself could delete or overwrite info that is there.

    Also if you use the Desktop, you could lose track of the backup log in the wallpaper area or someone might delete the backup file by simply dragging it to the Recycle Bin.

    And when people post for help in forums like this, and they run Hijackthis.exe from a Local Settings temp folder in WinXP or Win2000, the text log that is created will show their full name in a line entry since their Windows user profile is commonly named with their full name. When you copy and paste your log Hijackthis provides a line entry showing the path to its running folder. If you use another folder like HJT or SpywareTools anyplace else (even in the root directory of drive C:), your Profile Name will not be displayed in the log.
     
  12. noexpert

    noexpert Private E-2

    Wow - I had no idea. I was just deleting the backups routinely, but as you've probably gathered by now I really don't know what I'm doing. I'm extra glad someone else does! ;)

    Thanks for that - and for your help so far in the battle with CWS.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! I have started looking at your HJT log. You seem to have gone a little crazy with all kinds of protection programs.

    a load of Symantec stuff (including Norton Advanced Tools Check)
    AVG <---- Hmmm! Do you have two virus programs installed? Not a good idea if you do.
    Bugnosis
    PowerQuest Second Chance
    PopUpStopper
    StartPageGuard
    SpyBot S&D

    Did you have all of this in place before having a problem? If PowerQuest Second Chance was installed before your problems existed, isn't it supposed to be the cure for problems like this? Why not just see if it can do its job? Unless it does not work on issues like this. I'm really not that familiar with it to know what it is capable of doing.

    Okay all that being said. First download CWShredder and unzip it (to that SpywareTools folder or whatever you made) but do not run it yet.

    I assume you have Ad-aware since you said you followed my previous instructions but print this info on how to perform a "fullscan" with Ad-aware. Don't scan yet.

    Make note of how to boot in safe mode.

    Run HijackThis and put check marks on the following items but DO NOT FIX until you shut down all applications first, especially Internet Explorer and Firefox (you had them running last time). HijackThis can have problems fixing certain items if you have browsers and other applications running:
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = http://ugczed.outhost.info/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = http://ugczed.outhost.info/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://ffadda.outhost.info/?
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://majorgeeks.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nothing.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
    O9 - Extra button: Mentor - {3892CA40-9B9A-11d4-8D73-00105A296A2A} - (no file)
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

    And if you do not use freedomaudio for something fix the next two lines too:
    O16 - DPF: FreedomAudio - http://www.freedomaudio.com/install/win/mv/freedominstaller.cab
    O16 - DPF: FreedomAudio Recorder - http://www.freedomaudio.com/install/win/mve/freedominstaller.cab

    Now, if all applications are shut down, click Fix in HijackThis.

    Now reboot in safe mode and run CWShredder. Make sure you select Fix.
    While in safe mode perform that "fullscan" with Ad-aware.

    Now reboot in normal mode and tell me how things went with the above steps and how you are working now. If still having a problem, post a new HijackThis log attachment.
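    As an added illustration, not part of chaslang's instructions and not code from HijackThis itself: a small Python script that parses the R0/R1, O9 and O16 line formats quoted in this post and applies the same triage chaslang does by eye. It flags IE search and start-page values that point anywhere other than hosts the user has confirmed as their own (bbc.co.uk and majorgeeks.com, taken from the thread), toolbar buttons whose file is missing, and ActiveX (DPF) downloads that should be confirmed as wanted. The sample log text, the regular expressions and the trusted-host set are all constructed for this example.

```python
import re
from urllib.parse import urlparse

# Constructed sample input: the HijackThis lines quoted earlier in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = http://ugczed.outhost.info/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = http://ugczed.outhost.info/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://ffadda.outhost.info/?
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bbc.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://majorgeeks.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O9 - Extra button: Mentor - {3892CA40-9B9A-11d4-8D73-00105A296A2A} - (no file)
O16 - DPF: FreedomAudio - http://www.freedomaudio.com/install/win/mv/freedominstaller.cab
"""

# Hosts the user confirmed as their own choices (assumption: taken from the thread).
TRUSTED_HOSTS = {"bbc.co.uk", "majorgeeks.com"}

# Line shapes handled here: "R0/R1 - HIVE\Key,ValueName = value", "O9 - Extra button: ...",
# "O16 - DPF: Title - URL". Other HijackThis line types are ignored.
R_LINE = re.compile(r"^(R[01]) - (HKCU|HKLM)\\([^,]+),([^=]+?) =\s*(.*)$")
O9_LINE = re.compile(r"^O9 - Extra button: (.+?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
O16_LINE = re.compile(r"^O16 - DPF: (.+?) - (\S+)$")


def parse_entry(line):
    """Turn one HijackThis log line into a dict, or None if the line type is not handled."""
    line = line.strip()
    m = R_LINE.match(line)
    if m:
        kind, hive, key, name, value = m.groups()
        return {"type": kind, "hive": hive, "key": key, "name": name.strip(), "value": value.strip()}
    m = O9_LINE.match(line)
    if m:
        title, clsid, target = m.groups()
        return {"type": "O9", "title": title, "clsid": clsid, "target": target}
    m = O16_LINE.match(line)
    if m:
        title, url = m.groups()
        return {"type": "O16", "title": title, "value": url}
    return None


def host_of(value):
    """Hostname of a URL-valued entry, or None for empty / non-URL values."""
    if not value.lower().startswith(("http://", "https://")):
        return None
    return urlparse(value).hostname


def triage(log_text, trusted=TRUSTED_HOSTS):
    """Return (line, reason) pairs for the entries a helper would want to look at."""
    findings = []
    for line in log_text.strip().splitlines():
        e = parse_entry(line)
        if e is None:
            continue
        if e["type"] in ("R0", "R1"):
            host = host_of(e["value"])
            if host and host not in trusted:
                findings.append((line, f"IE {e['name']} points at untrusted host {host}"))
        elif e["type"] == "O9" and e["target"] == "(no file)":
            findings.append((line, f"orphaned toolbar button {e['clsid']} (file missing)"))
        elif e["type"] == "O16":
            findings.append((line, f"ActiveX download from {host_of(e['value'])}: confirm it is wanted"))
    return findings


def untrusted_hosts(log_text, trusted=TRUSTED_HOSTS):
    """Distinct hosts that IE search/start-page settings have been redirected to."""
    hosts = set()
    for line in log_text.strip().splitlines():
        e = parse_entry(line)
        if e and e["type"] in ("R0", "R1"):
            host = host_of(e["value"])
            if host and host not in trusted:
                hosts.add(host)
    return sorted(hosts)


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

    Running it on the sample prints five findings: the three outhost.info redirections, the orphaned Mentor button and the FreedomAudio DPF entry for confirmation, while the bbc.co.uk and majorgeeks.com start pages and the empty Local Page value are left alone. The trusted set is the only thing that makes an entry "good"; any host not on it is treated as suspect, which is the safe default when reading someone else's log.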
     
  14. noexpert

    noexpert Private E-2

    My NAV seems to have got corrupted - Live Update stopped working and I can't access the viruscheck interface. Can't uninstall. Tried reinstalling over the original and now I've no idea what's going on with it, but I do know I still can't access any kind of interface. So I downloaded AVG yesterday, did a scan and it apparently deleted some trojans no-one else had found. Once this hijack has been sorted out I will have another go at cleaning out Norton and re-installing it, at which point I'll take off AVG.

    Bugnosis - a recent install - a temporary measure till I know my system's clear. Irritating but informative.

    PQSC cost me a hard disk and all its contents last time I messed with it. It loads into my systray but is not actively scanning anything. I think it came with the computer. I leave it well alone - too much to lose if I get it wrong. I don't think it's doing any harm as long as it's switched off.

    PopUpStopper - This is part of my regular startup group.

    StartPageGuard - installed a couple of days ago after I became aware of this hijack.

    SpyBot S&D - part of my normal security routine.


    I downloaded it a few days ago (not to my desktop)

    OK, did that (apart from freedomaudio which I occasionally use).

    Uh-oh...Windows Help disabled in Safe Mode (not that I asked for it but it opens on load). CW shredder protected by "Project1": Error 70 - cannot open.



    Did the Adaware full scan and unearthed some saddo porn stuff in hosts (logfile attached). Quarantined but not deleted. Closer investigation shows that attempt at downloading updates from lavasoft has failed.

    Can't access internet from Safe Mode. This explains failure to contact lavasoft.

    Can't log off safe mode - Project1 error message.


    Rebooting took a few attempts after coming out of Safe Mode.

    Still got default login screen instead of coming straight into Explorer.

    Once in, IE browser startpage has been reset to google.com - a previous choice before I opted for the toolbar. Using StartPageGuard I reset it to bbc.co.uk.

    Downloaded Adaware Update and went back into Safe Mode.... no logoff problems this time, and Windows Help didn't come on once into Safe Mode.
    Did full scan with tweaks and everything - all clear. No problem booting out of safe mode this time.

    Got a "please wait while Windows updates your configuration files" on the way back into normal mode, in spite of not having altered my configuration this time round. Took 3 reboots to get to Explorer - running very, very slowly.

    Once in, I realised I had forgotten to do the CW shredder thing now I'd cleared adaware.

    Back into safe mode - this time got the Windows Help message again, and once again couldn't access CW Shredder - same Project1 Error 70 message.
    Same problem logging off - had to cut out and come back in via Scandisk.

    Same slow motion Start-up, still got the log-in screen. I press Cancel as I won't give them the satisfaction of pressing OK, not that I'm sure it makes much difference to them. If I close the logon screen with the corner "X" Explorer doesn't come on at all.

    Decide to do another PestScan online as things are obviously still not right. Can't access the scan page from Mozilla, but IE eventually lets me in to do scan. No log provided so I make my own (file follows adaware log text). Apparently all my keystrokes are being logged. Including this. They have a long wait if they want financial details - they've come to the wrong computer.

    Failed to attach HJT log to this message so have pasted it at the top of the attached textfile, so you have all three logs on the one notepad.

    This is as far as I've got.

    My brain hurts.

    Hope you can help.

    Many admiring thanks in advance.
     

    Attached Files:

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I thought I addressed the below items with you before:
    C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
    C:\WINDOWS\DESKTOP\DESKTEMP\DOWNLOADS\HIJACKTHIS.EXE
    C:\WINDOWS\NOTEPAD.EXE
    C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

    You were supposed to fix where HijackThis is running from and only run it once. Neither Firefox nor Notepad should be running when you do your HijackThis scans.

    I also asked you to fix these two lines that are still there:
    O9 - Extra button: Mentor - {3892CA40-9B9A-11d4-8D73-00105A296A2A} - (no file)
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

    Edit: This is still there too:
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch

    Are you sure you clicked Fix in HijackThis?
     
    Last edited: Aug 5, 2004
  16. noexpert

    noexpert Private E-2

    Sorry - posted the wrong log. Just done another one which should reflect the changes.

    Had to change the name again as it won't let me upload with the original name.
     

    Attached Files:

  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! That looks better. Try fixing this line with HJT right now:
    O19 - User stylesheet: (file missing)
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please do the following, click Start, Run, and enter the following command in the dialog box:

    notepad c:\windows\hosts

    Copy and paste back here what is in the hosts file.
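    An added example, not from the thread and not a tool chaslang mentions: the hosts file he asks to inspect is a plain text file of "address hostname" lines, and a hijacker typically tampers with it in two ways, mapping a site to a third-party address (a redirect) or pinning a vendor's update host to 127.0.0.1 so updates never resolve. The Python below parses that format and flags both kinds of entry; the sample file and the EXPECTED_LOOPBACK set are constructed for illustration. On Windows 98/ME the file is c:\windows\hosts as in the post above; on NT-based Windows it lives under System32\drivers\etc.

```python
import ipaddress

# Constructed sample: a short hosts file with one legitimate line and two kinds of
# tampering, invented here for illustration (the thread's real hosts file turned out
# not to exist at all).
SAMPLE_HOSTS = """\
# hosts file (constructed sample)
127.0.0.1       localhost
192.0.2.10      www.example-search.test      # constructed: sends a site to another address
127.0.0.1       updates.example-av.test      # constructed: pins a vendor host to this machine
"""

# Names that legitimately belong on loopback (assumption; extend for your own machine).
EXPECTED_LOOPBACK = {"localhost"}


def parse_hosts(text):
    """Parse hosts-file text into (address, [hostnames]) pairs, skipping comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # an address with no names is not a usable mapping
        entries.append((fields[0], fields[1:]))
    return entries


def audit_hosts(text, expected_loopback=EXPECTED_LOOPBACK):
    """Return (kind, hostname, address) findings for mappings worth a second look."""
    findings = []
    for address, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            findings.append(("unparseable", " ".join(names), address))
            continue
        for name in names:
            if ip.is_loopback:
                if name not in expected_loopback:
                    # A real site pinned to 127.0.0.1 can only ever reach this machine:
                    # the usual way to stop AV/anti-spyware updates from resolving.
                    findings.append(("blocked", name, address))
            else:
                # Anything else silently sends that hostname to a third-party address.
                findings.append(("redirect", name, address))
    return findings


if __name__ == "__main__":
    for kind, name, address in audit_hosts(SAMPLE_HOSTS):
        print(f"{kind:12} {name:30} -> {address}")
```

    A clean hosts file on a home machine usually contains only the localhost line, so an empty result (or, as in this thread, no file at all) is the expected outcome; every "blocked" or "redirect" finding is a line the user did not put there and should be able to explain.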
     
  19. noexpert

    noexpert Private E-2

    All I get is a blank page of notepad. Tried 3 times - same each time.
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! No hosts file exists. Did the O19 line actually delete? Run another scan and just tell me (I don't need another log).
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I want you to download the following two programs Win98Fix and StartDreck.

    Unzip them to a place where you can find them later to run. Preferably put each of them in their own directories. We are only going to run StartDreck right now.

    This step is very important - you need to be completely disconnected from the internet (physically disconnecting the line to your analog modem or the ethernet cable from your computer is the best way to be positive).
    What we are going to try to do is identify the hidden file that is causing the problem. So now we are ready.

    - Run StartDreck.exe
    - Click on: Config
    - Click on: Unmark all
    - Check only the following boxes:
        - Registry | run keys
        - System/drivers | Running processes
    - Click on OK

    Reconnect your internet connection and get back here and post the log of results AS A TEXT ATTACHMENT.

    By the way, where are you located?
     
  22. noexpert

    noexpert Private E-2

    OK - logfile attached. All the way from Scotland. :)
     

    Attached Files:

  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay so you are up rather early in the morning and I am up way too late at night.

    The StartDreck program did not reveal anything so we will not have to run Win98Fix.

    I need to get some sleep, so in the meantime can you run these online scans and let me know if they find anything:
    http://housecall.trendmicro.com/housecall/start_corp.asp
    http://www.pandasoftware.com/activescan/com/activescan_principal.htm
    http://www.bitdefender.com/scan/licence.php
    http://www.ravantivirus.com/scan/

    Also, run these:
    Avast Virus Cleaner: http://www.majorgeeks.com/download4188.html
    McAfee Stinger Avert: http://www.majorgeeks.com/download4063.html

    Did that O19 line get fixed or not?
     
  24. noexpert

    noexpert Private E-2

    It's pretty late for me too - I need to get to bed so I can get up in a minute!!

    Will do once I've had a bit of sleep myself - will also check the O19 line. I think I fixed it, but can't remember any more as my brain has shut down.

    Many, many thanks for your help with this so far - it's very much appreciated.
    Pleasant dreams - talk to you later.
    ;)
     
