
CWS trojan deeply infected

Status
Not open for further replies.

cwyman (Technical User), Apr 2, 2004
I have a user that I am positive has the CWS trojan.

Anti-virus shows clean bill of health.

We loaded and ran Spysweeper on the user's machine. Spysweeper keeps popping up the same files even after he quarantines and removes these files:

C:\WINNT\ntpb32.exe
C:\WINNT\system32\htqa.exe
C:\WINNT\system32\apppk.exe
C:\WINNT\mfcyb.exe
C:\WINNT\system32\apimg.exe
C:\WINNT\system32\d3wg32.exe
C:\WINNT\system32\d3ts32.exe

Doing some investigation I concluded that he has the CWS trojan (variant unknown). I downloaded removeCWS_killer.exe and it stated that it was not found. So then I ran CWShredder.exe and tried to update it from 1.59.0 to 1.59.1 and it wouldn't let us update. So we just tried to run [Fix] without updating and the window/application would disappear. So the user tried to restart the app and it came up stating that the CWS trojan variant was present and that the program/application was started under a random string???

So I had her reboot her system to try and run it again, but she received some image errors on boot up and when we finally ran the CWShredder.exe again we got the same disappearing application problem.

So I had her reboot into safe mode and try again and got the same results.

So now I am stuck trying to fix the problem. Need help desperately!!

I looked at this thread, but not sure if this would be a good start for me. Very strange behaviour in XP thread779-764333

Any help would be greatly appreciated.

TIA

Carrie
 
Following the instructions from "What are Good Virus/Spyware?Update/Firewall Practices?" faq779-5240

If you start the computer in "SafeMode with Networking".

Make sure you update Spybot and Adaware with the latest definitions before running.

Greg Palmer
Free Software for Administrators
 
okay will report back soon!!

Thanks all!
 
Progress Report:

1. Downloaded bcastner's cws mini removal
2. Rebooted computer in safe mode with networking
3. Ran mini removal program and get "Cool killer (v1/v2) has not been found on your computer".
4. Tried to run CWShredder and get same results. Runs through about 15 check off items and then disappears. [evil]
5. Ran Toolbarcop.exe and removed a BHO that had a description of Error![ponder]
6. Downloaded Easy Cleaner from Toni Arts updated the blacklist and then cleaned the registry
7. Currently rerunning Spysweeper to check for any more file errors. I may need to go in and manually remove these files that keep popping up, but the customer states that when he does a search it shows up with no results so my suspicion is that they may be hidden files.

Won't know until tomorrow if spysweeper detected anything or not because the user had to go home and I'm doing this all over a support call. [crossing my fingers]

Keeping you posted on my latest dilemma!!
 
Incidentally,

Looked at process while in safe mode and this was all that was running:

explorer.exe
svhost.exe X 4
lsass.exe
services
winlogon
csrss
smss
taskmgr
system
system idle process

Haven't checked process in normal mode, but I will tomorrow.
 
There are some true $%#^& out there.

Some of the more up-to-date antivirus scanners can find them, see below, but start with:


Particularly the notion of renaming files. Hijackthis.exe becomes myhijack.exe, etc.

Second step, the AV folks are getting better about finding these issues. Try Trend Micro and Panda for online scans:
Third step: if System Restore is active, and you have a restore point prior to the issue, use it.

Bill

(And keep us informed)
 
Start looking at the AppInit_dll registry entry and the tricks it can get up to.


A withdrawn program called DllFix.exe might have been useful in this case.

This is (was) a fix for the hidden CWS dll buried in AppInit. You will have this if you keep getting reinfected with searchx according to Shredder.



This site may be interesting to you from a cleaning and prevention point of view.

 
Spysweeper states that she has CWS_NS3 hijacker and CWS_NS3.

Spysweeper keeps telling them IE is infected and the home page is now set to res:\\itose.dll\index.html#96676. When I try to reset her home page it reverts to this.

Spysweeper obviously can't clean it so I am still reading posts here, but now that I know what she's got, maybe you all have more specific instructions.

Thanks!
 
Apparently this one installs a service that needs to be removed. If you hit start - run and type "services.msc", you'll find one called "Network Security Service" that needs to be stopped and disabled.

It also apparently creates a BHO with a random name. If you have no joy with Bill's suggestions then try the following.

1) Download AdAware, Spybot and Hijack This from FAQ779-5240

2) Install Spybot and AdAware and update them.

3) Restart in safemode, disable any antivirus software and stop system restore.

4) Run the scans for AdAware, then SpyBot.

5) Run Hijack This and Save a log File.

6) Reboot

7) See if your system is ok again.

8) If not take another Hijack This log and then post both of them back here.


Greg Palmer
Free Software for Administrators
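A read-only audit of the indicators this thread names (the AppInit_DLLs value, a res: start page, BHO CLSIDs resolved to their DLLs, and the "Network Security Service" display name from Greg's post), as an added example that is not from the thread or from any tool mentioned in it. It assumes an elevated PowerShell prompt on a current Windows build; the registry paths are the standard ones and nothing is modified.

```powershell
# Added example, not from the thread: read-only check of the CWS indicators
# the posters describe. Run elevated; reports only, changes nothing.

$findings = @()

# 1. AppInit_DLLs: any non-empty value is a DLL loaded into every GUI process.
$appInitKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$appInit = (Get-ItemProperty -Path $appInitKey -ErrorAction SilentlyContinue).AppInit_DLLs
if ($appInit) { $findings += "AppInit_DLLs is set: '$appInit'" }

# 2. IE start page hijack: a res: URL pointing into a DLL, as reported above.
foreach ($hive in 'HKCU', 'HKLM') {
    $main = "${hive}:\SOFTWARE\Microsoft\Internet Explorer\Main"
    $start = (Get-ItemProperty -Path $main -ErrorAction SilentlyContinue).'Start Page'
    if ($start -and $start -match '^res:') { $findings += "$hive Start Page is '$start'" }
}

# 3. Browser Helper Objects: list each CLSID, its description and the DLL it loads.
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
Get-ChildItem -Path $bhoKey -ErrorAction SilentlyContinue | ForEach-Object {
    $clsid  = $_.PSChildName
    $base   = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
    $name   = (Get-ItemProperty -Path $base -ErrorAction SilentlyContinue).'(default)'
    $dll    = (Get-ItemProperty -Path "$base\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
    if (-not $name) { $name = '<no description>' }   # a randomly named BHO often has none
    $findings += "BHO $clsid ($name) -> $dll"
}

# 4. The service Greg names, looked up by display name.
$svc = Get-Service -DisplayName 'Network Security Service' -ErrorAction SilentlyContinue
if ($svc) { $findings += "Service '$($svc.DisplayName)' (name $($svc.Name)) is $($svc.Status)" }

if ($findings) { $findings | ForEach-Object { Write-Output "FOUND: $_" } }
else { Write-Output 'None of the indicators from this thread are present.' }
```

On 64-bit Windows, 32-bit BHOs also register under HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects, so check that key as well. An entry with no description, like the "Error!" BHO in this thread, is worth resolving by its DLL path before deciding what to remove.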
 
Okay,

Apparently Spysweeper did help quite a bit. After realizing it had CWS_NS3 I was trying to follow Linney's words of advice with removing the registry entry HKLM-software-microsoft--WindowsNT--CurrentVersion--Windows--AppInit_DLLs, but there was no such entry.

So I had her download and run adaware, reboot into safe mode and run toolbar cop and removed any google entries, error entries, backwards links, anything that didn't need to be there. Then I had her reboot back to normal mode, changed her home address back to a normal address.

Then when she opened IE it came up to the correct home page and Spysweeper didn't come up and warn her about anything.

So I think we are in the clear.

So after all of those steps....

I think we're clean!!

Thanks for the supportive ideas. My hopes that CWShredder would work were dashed, but I'm really glad I could fix it.

Carrie
 