Jun 5th, 2004

Cool Web Search Trojan (HiJackThis Log Inside)

Well, it appears I have a CWS trojan on my system (like I even know what that means...). I've run AdAware and Spybot, and then when I run CWShredder it autocloses when it gets to a certain point. I restart it, and it tells me that the trojan is automatically closing it, but it still can't get rid of it.

Now, I don't know if this is related, but I hope so: my Windows Media Player quickstart icon has been replaced by what looks like a "setup"-style icon (a little PC with a box next to it, you know the one) and when I try to run an mp3 or an mpeg, I get all sorts of pop-ups and Media Player doesn't start.

Here's my HiJackThis log...HELP! Thanks in advance.

Logfile of HijackThis v1.97.7
Scan saved at 2:18:37 PM, on 6/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\System32\eginir.exe
C:\WINDOWS\System32\eflkjfd.exe
C:\Documents and Settings\Lapeyre\My Documents\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [eginir] C:\WINDOWS\System32\eginir.exe
O4 - HKLM\..\Run: [gvthilnflxw] C:\WINDOWS\System32\eflkjfd.exe
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msmc.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
-- lapeyre (Newbie Poster)

Jun 5th, 2004

Re: Cool Web Search Trojan (HiJackThis Log Inside)

You've got a variant of the CoolWebSearch trojan that disables CWShredder. Before running CWShredder, try this link:

CWS.SmartKiller mini removal tool

Additionally, make sure you're running the latest version of CWShredder. The latest as of today, June 5 is 1.59. You can always find the latest version here:
http://www.majorgeeks.com/download4086.html

IIRC, the latest version of CWShredder can detect when a process is trying to kill it, and it might be able to enact countermeasures to combat that effect.
-- alc6379 (Team Colleague)

Jun 5th, 2004

Re: Cool Web Search Trojan (HiJackThis Log Inside)

Quote originally posted by alc6379 ...
You've got a variant of the CoolWebSearch trojan that disables CWShredder. Before running CWShredder, try this link:

CWS.SmartKiller mini removal tool
Well, I downloaded it from all four sites listed on MajorGeeks.com, and in every case when I tried to extract it, it came up as corrupted or invalid!

Now what?
-- lapeyre (Newbie Poster)

Jun 5th, 2004

Re: Cool Web Search Trojan (HiJackThis Log Inside)

The mini removal tool came up corrupted or invalid? That's odd, especially from all of the sites.

Try this site:
http://www.safer-networking.org/files/delcwssk.zip

If need be, I can download the file, extract it, and place an extracted version on a server somewhere. PM me if you need that.
-- alc6379 (Team Colleague)

Jun 6th, 2004

Re: Cool Web Search Trojan (HiJackThis Log Inside)

Okay,

I got the mini removal tool to work, and it reported that I didn't have CWS.SmartKiller on my system. Then I ran CWShredder again, and it closed itself at the same spot, just like before.

Hm. So...now what?

Also, is this bug related to the problem I'm having with my Windows Media Player?
-- lapeyre (Newbie Poster)

Jun 6th, 2004

Re: Cool Web Search Trojan (HiJackThis Log Inside)

I should have posted this earlier, but CWShredder identified the variant of the virus as "CWS.Smartsearch.2", but still wasn't able to destroy it. Hope that helps.
-- lapeyre (Newbie Poster)

Jun 7th, 2004

Re: Cool Web Search Trojan (HiJackThis Log Inside)

Close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked':

O4 - HKLM\..\Run: [eginir] C:\WINDOWS\System32\eginir.exe
O4 - HKLM\..\Run: [gvthilnflxw] C:\WINDOWS\System32\eflkjfd.exe
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msmc.exe

Reboot into safe mode following the instructions here & navigate to & delete the following if found:

C:\WINDOWS\System32\eginir.exe< file
C:\WINDOWS\System32\eflkjfd.exe< file
C:\WINDOWS\System32\msmc.exe< file

Run CWShredder whilst in safe mode, close ALL windows & hit FIX.

Reboot normally after doing the above then post a fresh log plz.
-- crunchie (Moderator)

Jun 7th, 2004

Re: Cool Web Search Trojan (HiJackThis Log Inside)

Hi Crunchie,

Actually, since I posted that first log I've run all kinds of spyware removal tools and the log's changed quite a bit. I still have the same problem with Windows Media Player, however, and suspect that I'm going to have to remove it and reinstall it, in the long run. As mentioned, it's not working, all associations with music and video files have been severed, and when I run its quickstart icon I just get popups and no media player.

Anyway, here's my most recent log. Please advise, and thanks again.

Logfile of HijackThis v1.97.7
Scan saved at 11:07:35 PM, on 6/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG6\AVGCC32.EXE
C:\WINDOWS\System32\avemspw.exe
C:\Documents and Settings\Lapeyre\My Documents\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [avemspw] C:\WINDOWS\System32\avemspw.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
-- lapeyre (Newbie Poster)

Jun 7th, 2004

Re: Cool Web Search Trojan (HiJackThis Log Inside)

Close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked':

O4 - HKLM\..\Run: [avemspw] C:\WINDOWS\System32\avemspw.exe

Reboot into safe mode following the instructions here & navigate to & delete the following if found:

C:\WINDOWS\System32\avemspw.exe<<<<

Reboot normally. Which version of CWShredder have you got? The latest is 1.59. If you don't have that, update it & run it again.
-- crunchie (Moderator)

Jun 7th, 2004

Re: Cool Web Search Trojan (HiJackThis Log Inside)

Hi Crunchie,

I followed your instructions, but instead of avemspw.exe coming up in the HiJackThis scan, the file seemed to have renamed itself to aaamona.exe? Is that possible? Anyway, I got rid of it, rebooted, ran CWShredder...and nothing.

I *do* have the latest version of CWShredder, just downloaded it a few days ago. And it's still closing itself about 2/3 of the way through its list.

And can you please advise me on the Windows Media Player issue as well?

Thanks, Crunchie. Here's my most recent log:

Logfile of HijackThis v1.97.7
Scan saved at 11:31:55 AM, on 6/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Documents and Settings\Lapeyre\My Documents\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
-- lapeyre (Newbie Poster)
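The triage crunchie does by eye in this thread (picking the randomly named System32 entries out of the O4 autostart lines, checking whether they show up in the running-process list, and noticing that avemspw.exe disappeared from one scan and turned up under a different name in the next) can be scripted. The script below is an added example, not code from the thread or from HijackThis; the three sample logs are constructed from the entries quoted above, trimmed to the relevant lines, and the known-good allowlist is an illustrative assumption built from the legitimate startup items in these logs, not an authoritative list.

```python
"""Triage helper for HijackThis-style logs (added example, not part of the
thread or of HijackThis).  Parses the 'Running processes' list and the O4
autostart lines, flags autostarts that point at System32 executables not on
a known-good allowlist, reports whether each is currently running, and diffs
two logs to show autostarts that appeared or vanished between scans."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Autostart:
    hive: str   # HKLM or HKCU
    name: str   # value name shown in [brackets]
    exe: str    # executable path with surrounding quotes and arguments stripped


# O4 line layout as printed by HijackThis: O4 - HKLM\..\Run: [name] command
O4_RE = re.compile(r'^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]*)\] (.*)$')
# First .exe in the command, with an optional leading quote dropped.
EXE_RE = re.compile(r'^"?(.*?\.exe)', re.IGNORECASE)
# A 'Running processes' entry is a bare drive-rooted path ending in .exe.
PROC_RE = re.compile(r'^[A-Za-z]:\\.*\.exe$', re.IGNORECASE)

# Illustrative allowlist (assumption): the legitimate startup items in the thread.
KNOWN_GOOD = {"qttask.exe", "nerocheck.exe", "jusched.exe", "avgcc32.exe"}


def parse_log(text):
    """Return (running process paths, list of Autostart) from a log."""
    processes, autostarts = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            hive, name, cmd = m.groups()
            exe = EXE_RE.match(cmd)
            autostarts.append(Autostart(hive, name, exe.group(1) if exe else cmd))
        elif PROC_RE.match(line):
            processes.append(line)
    return processes, autostarts


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def in_system32(path):
    return "\\windows\\system32\\" in path.lower()


def flag_suspicious(processes, autostarts, known_good=KNOWN_GOOD):
    """(value name, exe basename, running?) for each System32 autostart
    whose executable is not on the allowlist, in log order."""
    running = {basename(p) for p in processes}
    return [(a.name, basename(a.exe), basename(a.exe) in running)
            for a in autostarts
            if in_system32(a.exe) and basename(a.exe) not in known_good]


def diff_autostarts(old_text, new_text):
    """(added, removed) autostart keys between two logs; a file that renames
    itself between scans shows up as one removal plus one addition."""
    key = lambda a: (a.hive, a.name, basename(a.exe))
    old = {key(a) for a in parse_log(old_text)[1]}
    new = {key(a) for a in parse_log(new_text)[1]}
    return sorted(new - old), sorted(old - new)


# Constructed samples, trimmed to the relevant lines of the three logs above.
LOG_JUN5 = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\eginir.exe
C:\WINDOWS\System32\eflkjfd.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [eginir] C:\WINDOWS\System32\eginir.exe
O4 - HKLM\..\Run: [gvthilnflxw] C:\WINDOWS\System32\eflkjfd.exe
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msmc.exe
"""
LOG_JUN6 = r"""
Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\avemspw.exe

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [avemspw] C:\WINDOWS\System32\avemspw.exe
"""
LOG_JUN7 = r"""
Running processes:
C:\WINDOWS\Explorer.EXE

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
"""

if __name__ == "__main__":
    for label, log in (("Jun 5", LOG_JUN5), ("Jun 6", LOG_JUN6), ("Jun 7", LOG_JUN7)):
        procs, autos = parse_log(log)
        print(label, "suspicious System32 autostarts:", flag_suspicious(procs, autos))
    print("Jun 5 -> Jun 6 (added, removed):", diff_autostarts(LOG_JUN5, LOG_JUN6))
    print("Jun 6 -> Jun 7 (added, removed):", diff_autostarts(LOG_JUN6, LOG_JUN7))
```

Note that the value name and the executable name need not match (the thread's `[gvthilnflxw]` entry launches eflkjfd.exe), which is why the diff keys on both; a System32 autostart whose value name, file name and presence all change between two scans, while the legitimate entries stay put, is exactly the "it renamed itself" behaviour lapeyre describes.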

This thread is solved