Dear GeeksToGo:
Your site is wonderful. Way to go! Gives me hope that this mess can be fixed.
I have a pretty new variant of VX2 or CoolWebSearch that is extremely advanced. It is being partially impeded via active scanning by Spybot S&D and Ewido, but there are 14 days before Ewido expires.
Switched to Firefox (too late) and am running ZoneAlarm, have Norton Antivirus. Running XP Pro with SP1 (compatibility problems with SP2), got newest Windows updates (perhaps too late).
I followed all of the pre-HijackThis steps except the online removal tools. Had trouble with Firefox and Java plugins. Panda site only works with IE. I do not trust IE right now.
VX2 or CoolWebSearch Observations (in order of relevance):
1. Detected by Ad-Aware, but not by Ad-Aware VX2 plug-in v.1.03.
2. This is NOT the VX2 with IEhelper.dll, nor does it have guard.tmp.
3. Primarily does the following:
3.a. Changes IE homepage to “about:blank”
3.b. Installs CoolWebSearch registry values and WildTangent components without connecting to internet.
3.c. Generates pop-ups, downloads more spyware, etc.
4. Primarily consists of the following:
4.a. Several main .dll files with random names which regenerate (see Ewido report below).
4.b. Many, many .exe files in C:\WINDOWS\system32 which regenerate. Names are pseudo-random, designed to deceive – contain mix of junk with “java,” “net,” “sys,” or end in “32.”
4.c. After attempted extraction, regenerates when you launch either Internet Explorer (the web browser) or “explorer” (the file manager standard with Windows). It seems to confuse the latter with the former, constantly monitors system to detect launch.
5. CleanUp! was unable to remove many index.dat files in Cookies, IE5 Cache, and Temporary Internet Files.
6. CWShredder originally found “HomeSearch” and “The Real Search,” but no longer detects since cleaning & constant action of Spybot and Ewido. CWShredder repairing IE files triggers partial launch of VX2. Full original report available.
7. Seems to corrupt C:\WINDOWS\locator.exe, abuses it to make internet connections.
8. Zone Alarm detects some of the .exe files attempting to connect to the internet.
General Note: Cleaning with Ad-Aware, Spybot, Ewido, and CWShredder is ineffective. Probably needs something deleted while in Safe Mode.
Special Note: My problem seems to be similar to those described by other users with VX2 and “about:blank” homepage problems, such as pcman999, who is being helped by Trevuren.
Ewido Log:
+ Created on: 4:35:58 AM, 5/21/2005
+ Report-Checksum: 59D0606
+ Date of database: 5/21/2005
+ Version of scan engine: v3.0
+ Duration: 50 min
+ Scanned Files: 76278
+ Speed: 25.34 Files/Second
+ Infected files: 17
+ Removed files: 17
+ Files put in quarantine: 17
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0
+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes
+ Scanned items:
C:\
+ Scan result:
C:\WINDOWS\appin32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\atlgm32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\popcaploader.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\ieum32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\ieyr32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\ipdq.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\mfcwv32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\msel.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\netbd.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\system32\crik32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\system32\crry.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\system32\ipnx.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\system32\javaqf.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\system32\rconj.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINDOWS\system32\sysem.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\system32\sysjd.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\system32\sysqn.exe -> Trojan.Agent.bi -> Cleaned with backup
::Report End
HiJack This Log:
Logfile of HijackThis v1.99.1
Scan saved at 5:18:19 AM, on 5/21/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\NORTON~1\DefWatch.exe
C:\Program Files\Ewido Security Suite\ewidoctrl.exe
C:\Program Files\Ewido Security Suite\ewidoguard.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\NORTON~1\Rtvscan.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\GE Optical Mouse\mouse32a.exe
C:\PROGRA~1\NORTON~1\vptray.exe
C:\Program Files\Zone Alarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Spybot\TeaTimer.exe
C:\Program Files\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\FireFox\firefox.exe
C:\Documents and Settings\The Man\My Documents\VX2 Removal Stuff\HijackThis.exe
(PS - used to have a C:\WINDOWS\system32 .exe file as a Running Process, but not since removal & active scanning)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\rconj.dll/sp.html#55135
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rconj.dll/sp.html#55135
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\rconj.dll/sp.html#55135
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\rconj.dll/sp.html#55135
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rconj.dll/sp.html#55135
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\rconj.dll/sp.html#55135
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.msu.edu:8080
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Class - {D9E15E07-121D-BD83-5D75-2ABC929E744A} - C:\WINDOWS\ntka32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\GE Optical Mouse\mouse32a.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NORTON~1\vptray.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Alarm\zlclient.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot\TeaTimer.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AOL Instant Messenger\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyside.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540002} - http://www.wildtange...ave/Install.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildt...nds/install.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://www.shockwave...outLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave...aploader_v5.cab
O16 - DPF: {E13F1132-4CA0-4005-84D3-51406E27D269} (BTDownloadCtrl Control) - http://www.shockwave...ownloadCtrl.cab
O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://ipgweb.cce.hp...er/SysQuery.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{84A1F318-2CE7-41CD-BE0A-CE6D5F140FBD}: NameServer = 209.137.171.10,209.137.171.20
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä #•ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\msyx.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NORTON~1\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\Ewido Security Suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\Ewido Security Suite\ewidoguard.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: Iomega App Services - Unknown owner - C:\PROGRA~1\Iomega\System32\AppServices.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\NORTON~1\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Unknown owner - C:\Program Files\Iomega\AutoDisk\ADService.exe (file missing)
My apologies for writing so much! Just trying to give good description. I would greatly appreciate the help of anyone on your team. Thank you so much for your care and dedication.
Sincerely,
n00bman
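Added example (not the poster's code, and not a GeeksToGo, HijackThis or Ewido tool): a small Python triage script that reads HijackThis-style log lines and flags the patterns described in the post above, namely R0/R1 search and start-page entries redirected into a `res://` resource of a DLL under C:\WINDOWS, the about:blank homepage, a BHO with a generic name loaded from the Windows directory, and an O23 service with a garbled name pointing at a missing binary. A second function encodes observation 4.b (pseudo-random executables mixing junk letters with "java", "net", "sys" or ending in "32"). The sample lines are copied from the logs above; the heuristics, thresholds and function names are this example's own assumptions, and the name check is a triage aid that will produce false positives (for instance legitimate names such as netsh.exe) and needs manual confirmation.

```python
"""Triage heuristics for HijackThis-style log lines (illustrative, not a real tool)."""
import re

# Constructed sample: a subset of the HijackThis lines quoted in the post above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\rconj.dll/sp.html#55135
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.msu.edu:8080
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Class - {D9E15E07-121D-BD83-5D75-2ABC929E744A} - C:\WINDOWS\ntka32.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NORTON~1\vptray.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä #•ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\msyx.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NORTON~1\DefWatch.exe
"""


def parse_line(line):
    """Split an entry such as 'O2 - ...' into (section, rest); None for non-entries."""
    m = re.match(r"^(?P<sec>[RO]\d+)\s+-\s+(?P<rest>.*)$", line.strip())
    return (m.group("sec"), m.group("rest")) if m else None


def check_search_hijack(sec, rest):
    """R0/R1: search or start page pointed at a res:// page inside a local DLL,
    or the homepage forced to about:blank (the symptom described in the post)."""
    if sec not in ("R0", "R1"):
        return None
    m = re.search(r"=\s*res://(?P<dll>.+?\.dll)/", rest, re.I)
    if m and m.group("dll").lower().startswith(r"c:\windows"):
        return "IE search/start page redirected into local DLL resource: " + m.group("dll")
    if rest.rstrip().lower().endswith("= about:blank"):
        return "homepage forced to about:blank"
    return None


def check_bho(sec, rest):
    """O2: a BHO with a generic/empty name, or one loaded directly from C:\\WINDOWS."""
    if sec != "O2":
        return None
    m = re.match(r"BHO:\s*(?P<name>.*?)\s+-\s+\{[0-9A-Fa-f-]+\}\s+-\s+(?P<path>.+)$", rest)
    if not m:
        return None
    name, path = m.group("name").strip(), m.group("path").strip()
    generic = name.lower() in ("", "class", "(no name)")
    in_windows_root = re.match(r"c:\\windows\\[^\\]+\.dll$", path, re.I) is not None
    if generic or in_windows_root:
        return f"BHO with generic name {name!r} loaded from {path}"
    return None


def check_service(sec, rest):
    """O23: unknown-owner or garbled-name service whose binary is missing."""
    if sec != "O23":
        return None
    m = re.match(r"Service:\s*(?P<name>.*?)\s+-\s+(?P<owner>.*?)\s+-\s+(?P<path>.*)$", rest)
    if not m:
        return None
    name = m.group("name")
    garbled = any(ord(c) > 126 or ord(c) < 32 for c in name)  # non-printable/high chars
    unknown = m.group("owner").strip().lower() == "unknown owner"
    if (garbled or unknown) and "(file missing)" in rest:
        return f"service {name!r} with unknown owner points at missing binary {m.group('path')}"
    return None


# Heuristic from observation 4.b: junk letters glued to java/net/sys/ie/mfc/atl/app,
# or any short lowercase name ending in "32", living in C:\WINDOWS or system32.
PSEUDO = re.compile(r"^(?:java|net|sys|ie|mfc|atl|app)[a-z]{2,3}(?:32)?\.exe$|^[a-z]{2,6}32\.exe$", re.I)


def looks_pseudo_random(path):
    """True if an executable path matches the naming pattern the post describes.
    Triage only: expect false positives (e.g. netsh.exe), confirm before acting."""
    m = re.match(r"c:\\windows\\(?:system32\\)?(?P<base>[^\\]+)$", path, re.I)
    return bool(m and PSEUDO.match(m.group("base")))


def triage(log_text):
    """Run every check over the log; return a list of (section, finding) tuples."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        sec, rest = parsed
        for check in (check_search_hijack, check_bho, check_service):
            msg = check(sec, rest)
            if msg:
                findings.append((sec, msg))
                break
    return findings


if __name__ == "__main__":
    for sec, msg in triage(SAMPLE_LOG):
        print(f"[{sec}] {msg}")
```

Run on the sample, the script reports the two R1 hijack lines, the unnamed BHO in C:\WINDOWS and the garbled missing-file service, and leaves the Google toolbar, proxy and Symantec entries alone; paste a full log into `SAMPLE_LOG` (or read it from a file) to triage a real one, and treat every hit as a lead to verify, not a verdict.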