0

Well, it appears I have a CWS trojan on my system (like I even know what that means...). I've run AdAware and Spybot, and then when I run CWShredder it autocloses when it gets to a certain point. I restart it, and it tells me that the trojan is automatically closing it, but it still can't get rid of it.

Now, I don't know if this is related, but I hope so: my Windows Media Player quickstart icon has been replaced by what looks like a "setup"-style icon (a little PC with a box next to it, you know the one) and when I try to run an mp3 or an mpeg, I get all sorts of pop-ups and Media Player doesn't start.

Here's my HiJackThis log...HELP! Thanks in advance.

Logfile of HijackThis v1.97.7
Scan saved at 2:18:37 PM, on 6/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\System32\eginir.exe
C:\WINDOWS\System32\eflkjfd.exe
C:\Documents and Settings\Lapeyre\My Documents\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [eginir] C:\WINDOWS\System32\eginir.exe
O4 - HKLM\..\Run: [gvthilnflxw] C:\WINDOWS\System32\eflkjfd.exe
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msmc.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

4
Contributors
12
Replies
13
Views
13 Years
Discussion Span
Last Post by crunchie
0

You've got a variant of the CoolWebSearch trojan that disables CWShredder. Before running CWShredder, try this link:

CWS.SmartKiller mini removal tool

Additionally, make sure you're running the latest version of CWShredder. The latest as of today, June 5 is 1.59. You can always find the latest version here:
http://www.majorgeeks.com/download4086.html

IIRC, the latest version of CWShredder can detect when a process is trying to kill it, and it might be able to enact countermeasures to combat that effect.

0

You've got a variant of the CoolWebSearch trojan that disables CWShredder. Before running CWShredder, try this link:

CWS.SmartKiller mini removal tool

Well, I downloaded it from all four sites listed on MajorGeeks.com, and in every case when I tried to extract it, it came up as corrupted or invalid!

Now what?

0

Okay,

I got the mini removal tool to work, and it reported that I didn't have CWS.SmartKiller on my system. Then I ran CWShredder again, and it closed itself at the same spot, just like before.

Hm. So...now what? :?:

Also, is this bug related to the problem I'm having with my Windows Media Player?

0

I should have posted this earlier, but CWShredder identified the variant of the virus as "CWS.Smartsearch.2", but still wasn't able to destroy it. Hope that helps.

0

Close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked' :

O4 - HKLM\..\Run: [eginir] C:\WINDOWS\System32\eginir.exe
O4 - HKLM\..\Run: [gvthilnflxw] C:\WINDOWS\System32\eflkjfd.exe
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msmc.exe

Reboot into safe mode following the instructions here & navigate to & delete the following if found:

C:\WINDOWS\System32\eginir.exe< file
C:\WINDOWS\System32\eflkjfd.exe< file
C:\WINDOWS\System32\msmc.exe< file

Run CWShredder whilst in safe mode, close ALL windows & hit FIX.

Reboot normally after doing the above then post a fresh log plz.

0

Hi Crunchie,

Actually, since I posted that first log I've run all kind of spyware removal tools and the log's changed quite a bit. I still have the same problem with Windows Media Player, however, and suspect that I'm going to have to remove it and reinstall it, in the long run. As mentioned, it's not working, all associations with music and video files have been severed, and when I run it's quickstart icon I just get popups and no media player.

Anyway, here's my most recent log. Please advise, and thanks again.

Logfile of HijackThis v1.97.7
Scan saved at 11:07:35 PM, on 6/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG6\AVGCC32.EXE
C:\WINDOWS\System32\avemspw.exe
C:\Documents and Settings\Lapeyre\My Documents\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [avemspw] C:\WINDOWS\System32\avemspw.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

0

Close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked' :

O4 - HKLM\..\Run: [avemspw] C:\WINDOWS\System32\avemspw.exe

Reboot into safe mode following the instructions here & navigate to & delete the following if found:

C:\WINDOWS\System32\avemspw.exe<<<<

Reboot normally. Which version of CWShredder have you got? The latest is 1.59. If you don't have that, update it & run it again.

0

Hi Crunchie,

I followed your instructions, but instead of avemspw.exe coming up in the HiJackThis scan, the file seemed to have renamed itself to aaamona.exe? Is that possible? Anyway, I got rid of it, rebooted, ran CWShredder...and nothing.

I *do* have the latest version of CWShredder, just downloaded it a few days ago. And it's still closing itself about 2/3 of the way through its list.

And can you please advise me on the Windows Media Player issue as well?

Thanks, Crunchie. Here's my most recent log:

Logfile of HijackThis v1.97.7
Scan saved at 11:31:55 AM, on 6/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Documents and Settings\Lapeyre\My Documents\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

0

... instead of avemspw.exe coming up in the HiJackThis scan, the file seemed to have renamed itself to aaamona.exe? Is that possible?

Yes, many of these wonderful little irritants can generate random filenames.


And can you please advise me on the Windows Media Player issue as well?

WMP has a lot of security holes and exploitable bugs. You should use Windows Update to download and install the most current fixes and patches from Microsft.

0

Hi fellas,

Well, it seems to be all gone. I downloaded and reinstalled the latest version of Windows Media Player, and after that CWShredder was finally, FINALLY able to destroy the Smartsearch variant of the CoolWebSearch trojan I had.

I ran AdAware, Spybot, and CWShredder again (just to see it work properly again! What a thrill) and here's my latest HiJackThis log. If you could just sign off on it, I hope to NOT be back soon! In the process of getting rid of this beast, I switched my browser to Opera, and it's so much better than IE...wish I had known about it earlier.

Thanks!

Logfile of HijackThis v1.97.7
Scan saved at 10:28:47 PM, on 6/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Documents and Settings\Lapeyre\My Documents\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

0

That looks good now. I should have mentioned B4 that some CWS infections corrupt the exe file of WMP & it has to be reinstalled. Glad that you got it sorted. Will mark this as solved now. Anyone with similar problems, please start your own thread. Thank you.

This question has already been answered. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.