Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works

Tenacious CWS malware! Organized report, need help

  • Please log in to reply




  • Member
  • PipPip
  • 30 posts
Travelling in Hong Kong this one managed to slip through my anti-virus protection (6/3/2005).

This is the most tenacious, vicious [bleep] I have ever seen. I have done my best but I need some help.


1) Favorites changed to include:
Free Online Dating.url
F--- Real Girls.url
Kill Annoying Popups.url
Online Sex Poker
Play Adult-Poker.url
Remove Toolbars.url
Spyware Uninstall.url
XXX personal photos.url

2) Unexpectedly redirected to poker/[bleep] sites when browsing

3) [bleep]/Gambling Pop-ups

Here are the steps I have taken so far:

aa) Windows Update for all Critical Security patches

a) Run McAfee Anti-Spyware (caught a few)
b) Run Microsoft Anti Spyware (shows clean)
c) Run Ad-Aware SE (shows clean)
d) Run Spybot S&D (shows clean)

e) Run OfficeScan Anti-Virus (shows clean)
f) Run Ewido (shows clean)

g) Run HijackThis (following advice here to fix every questionable entry)

h) Run Nail Fix
i) Run CWShredder (shows clean)

j) Run CleanUp to delete all TEMP files, all cookies, all offline content

At this point I was really hoping I was clean. I restart, fire up IE, and cruise around a bit. It usually takes 5 or 6 visits for anything to happen.

Sigh. Still getting redirected. I haven't seen any popups yet. So I took this step:

k) Run PANDA Active Scan. Panda finds 9 'infected' files-- the Favorites mentioned above.

I'm including my Panda log, my Ewido log, and my current HJT log.

Note: I have masked (#) the corporate domain servers; they look fine to me.
The WinVNC entries were installed by corporate IT. They may be compromised now, somehow, for all I know. I am worried about the last O23 entry for WinVNC marked [file missing].


Incident Status Location

Adware:Adware/CWS No disinfected C:\Documents and Settings\All Users\Favorites\AdultGambling.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\All Users\Favorites\Free Online Dating.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\All Users\Favorites\[bleep] Real Girls.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\All Users\Favorites\Kill Annoying Popups.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\All Users\Favorites\Online Sex Poker Rooms.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\All Users\Favorites\Play Adult-Poker.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\All Users\Favorites\Remove Toolbars.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\All Users\Favorites\Spyware Uninstall.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\All Users\Favorites\XXX personal photos.url

ewido security suite - Scan report

+ Created on: 9:54:16 AM, 6/8/2005
+ Report-Checksum: B8167123

+ Date of database: 6/8/2005
+ Version of scan engine: v3.0

+ Duration: 31 min
+ Scanned Files: 120829
+ Speed: 63.41 Files/Second
+ Infected files: 0
+ Removed files: 0
+ Files put in quarantine: 0
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:

+ Scan result:
No infected files found!

::Report End

HIJACK THIS LOG (perfoming as of this exact moment)
Logfile of HijackThis v1.99.1
Scan saved at 12:04:06 PM, on 6/8/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\netOctopus Agent\Nant.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe
C:\Program Files\Compaq\EAB\EABSERVR.EXE
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Trend Micro\OfficeScan Client\RAUAgent.exe
C:\Program Files\netOctopus Agent\nantsecc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Trend Micro\OfficeScan Client\Pop3Trap.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EABSERVR.EXE /Start
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [RemoteAgent] C:\Program Files\Trend Micro\OfficeScan Client\RAUAgent.exe
O4 - HKLM\..\Run: [NANTSessionAgent] C:\Program Files\netOctopus Agent\nantsecc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINNT\system32\Wtablet\TabUserW.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = na.#.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = na.#.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = #.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = na.#.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = #.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = #.com
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: netOctopus Agent - Netopia, Inc. - C:\Program Files\netOctopus Agent\Nant.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINNT\system32\Tablet.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Unknown owner - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC\WinVNC.exe" -service (file missing)
  • 0





  • Topic Starter
  • Member
  • PipPip
  • 30 posts
(drat... sorry about the bump... sigh)

Edited by badaxe, 08 June 2005 - 02:42 PM.

  • 0

Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP