Well, it appears I have a CWS trojan on my system (like I even know what that means...). I've run AdAware and Spybot, and then when I run CWShredder it autocloses when it gets to a certain point. I restart it, and it tells me that the trojan is automatically closing it, but it still can't get rid of it.

Now, I don't know if this is related, but I hope so: my Windows Media Player quickstart icon has been replaced by what looks like a "setup"-style icon (a little PC with a box next to it, you know the one) and when I try to run an mp3 or an mpeg, I get all sorts of pop-ups and Media Player doesn't start.

Here's my HiJackThis log...HELP! Thanks in advance.

Logfile of HijackThis v1.97.7
Scan saved at 2:18:37 PM, on 6/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\System32\eginir.exe
C:\WINDOWS\System32\eflkjfd.exe
C:\Documents and Settings\Lapeyre\My Documents\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [eginir] C:\WINDOWS\System32\eginir.exe
O4 - HKLM\..\Run: [gvthilnflxw] C:\WINDOWS\System32\eflkjfd.exe
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msmc.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


You've got a variant of the CoolWebSearch trojan that disables CWShredder. Before running CWShredder, try this link:

CWS.SmartKiller mini removal tool

Additionally, make sure you're running the latest version of CWShredder. The latest as of today, June 5, is 1.59. You can always find the latest version here:
http://www.majorgeeks.com/download4086.html

IIRC, the latest version of CWShredder can detect when a process is trying to kill it, and it might be able to enact countermeasures to combat that effect.

You've got a variant of the CoolWebSearch trojan that disables CWShredder. Before running CWShredder, try this link:

CWS.SmartKiller mini removal tool

Well, I downloaded it from all four sites listed on MajorGeeks.com, and in every case when I tried to extract it, it came up as corrupted or invalid!

Now what?

The mini removal tool came up corrupted or invalid? That's odd, especially from all of the sites.

Try this site:
http://www.safer-networking.org/files/delcwssk.zip

If need be, I can download the file, extract it, and place an extracted version on a server somewhere. PM me if you need that. :)

Okay,

I got the mini removal tool to work, and it reported that I didn't have CWS.SmartKiller on my system. Then I ran CWShredder again, and it closed itself at the same spot, just like before.

Hm. So...now what? :?:

Also, is this bug related to the problem I'm having with my Windows Media Player?

I should have posted this earlier, but CWShredder identified the variant of the virus as "CWS.Smartsearch.2", but still wasn't able to destroy it. Hope that helps.

Close all (browser) windows & rescan with HijackThis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked':

O4 - HKLM\..\Run: [eginir] C:\WINDOWS\System32\eginir.exe
O4 - HKLM\..\Run: [gvthilnflxw] C:\WINDOWS\System32\eflkjfd.exe
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msmc.exe

Reboot into safe mode following the instructions here & navigate to & delete the following if found:

C:\WINDOWS\System32\eginir.exe <-- file
C:\WINDOWS\System32\eflkjfd.exe <-- file
C:\WINDOWS\System32\msmc.exe <-- file

Run CWShredder whilst in safe mode, close ALL windows & hit FIX.

Reboot normally after doing the above then post a fresh log plz.

Hi Crunchie,

Actually, since I posted that first log I've run all kinds of spyware removal tools and the log's changed quite a bit. I still have the same problem with Windows Media Player, however, and suspect that I'm going to have to remove it and reinstall it, in the long run. As mentioned, it's not working, all associations with music and video files have been severed, and when I run its quickstart icon I just get popups and no media player.

Anyway, here's my most recent log. Please advise, and thanks again.

Logfile of HijackThis v1.97.7
Scan saved at 11:07:35 PM, on 6/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG6\AVGCC32.EXE
C:\WINDOWS\System32\avemspw.exe
C:\Documents and Settings\Lapeyre\My Documents\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [avemspw] C:\WINDOWS\System32\avemspw.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Close all (browser) windows & rescan with HijackThis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked':

O4 - HKLM\..\Run: [avemspw] C:\WINDOWS\System32\avemspw.exe

Reboot into safe mode following the instructions here & navigate to & delete the following if found:

C:\WINDOWS\System32\avemspw.exe <<<<

Reboot normally. Which version of CWShredder have you got? The latest is 1.59. If you don't have that, update it & run it again.

Hi Crunchie,

I followed your instructions, but instead of avemspw.exe coming up in the HiJackThis scan, the file seemed to have renamed itself to aaamona.exe? Is that possible? Anyway, I got rid of it, rebooted, ran CWShredder...and nothing.

I *do* have the latest version of CWShredder, just downloaded it a few days ago. And it's still closing itself about 2/3 of the way through its list.

And can you please advise me on the Windows Media Player issue as well?

Thanks, Crunchie. Here's my most recent log:

Logfile of HijackThis v1.97.7
Scan saved at 11:31:55 AM, on 6/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Documents and Settings\Lapeyre\My Documents\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

... instead of avemspw.exe coming up in the HiJackThis scan, the file seemed to have renamed itself to aaamona.exe? Is that possible?

Yes, many of these wonderful little irritants can generate random filenames.


And can you please advise me on the Windows Media Player issue as well?

WMP has a lot of security holes and exploitable bugs. You should use Windows Update to download and install the most current fixes and patches from Microsoft.
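
Added example (not part of any post in this thread, and not code from HijackThis or CWShredder): since the startup file changes its name between scans, matching on a name such as avemspw.exe misses the next one, while diffing the O4 Run entries across successive logs does not depend on the name. The function names and the "directly in System32, gone from the last scan" heuristic are assumptions of this sketch, and a hit is a triage lead, not a verdict.

```python
import re
from ntpath import dirname

# O4 lines excerpted from the 6/5, 6/6 and 6/7 HijackThis logs in this thread.
SCANS = [r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [eginir] C:\WINDOWS\System32\eginir.exe
O4 - HKLM\..\Run: [gvthilnflxw] C:\WINDOWS\System32\eflkjfd.exe
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msmc.exe
""", r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [avemspw] C:\WINDOWS\System32\avemspw.exe
""", r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
"""]

O4_RE = re.compile(r"^O4 - (?:HKLM|HKCU)\\\.\.\\\w+: \[(.+?)\] (.+)$")

def image_path(command):
    """Executable path of a Run command line, quoted or bare, without arguments."""
    if command.startswith('"'):
        return command[1:].partition('"')[0]
    m = re.match(r"(.+?\.exe)\b", command, re.IGNORECASE)
    return m.group(1) if m else command

def run_entries(log_text):
    """Map lower-cased image path -> Run value name for every O4 line in a log."""
    entries = {}
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries[image_path(m.group(2)).lower()] = m.group(1)
    return entries

def transient_system32(scans):
    """Entries from earlier scans that sit directly in System32 and are gone from the last scan."""
    last = run_entries(scans[-1])
    flagged = {}
    for scan in scans[:-1]:
        for path, name in run_entries(scan).items():
            if path not in last and dirname(path).endswith(r"\system32"):
                flagged[path] = name
    return flagged

print(sorted(transient_system32(SCANS).items()))
```

NeroCheck.exe also lives in System32 but is present in every scan, so it is not reported; only the four entries that came and went are.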

Hi fellas,

Well, it seems to be all gone. I downloaded and reinstalled the latest version of Windows Media Player, and after that CWShredder was finally, FINALLY able to destroy the Smartsearch variant of the CoolWebSearch trojan I had.

I ran AdAware, Spybot, and CWShredder again (just to see it work properly again! What a thrill) and here's my latest HiJackThis log. If you could just sign off on it, I hope to NOT be back soon! In the process of getting rid of this beast, I switched my browser to Opera, and it's so much better than IE...wish I had known about it earlier.

Thanks!

Logfile of HijackThis v1.97.7
Scan saved at 10:28:47 PM, on 6/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Documents and Settings\Lapeyre\My Documents\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

That looks good now. I should have mentioned B4 that some CWS infections corrupt the exe file of WMP & it has to be reinstalled. Glad that you got it sorted. Will mark this as solved now. Anyone with similar problems, please start your own thread. Thank you.
