Views: 1033 | Replies: 8
[Spyware: Help] HijackThis log for CoolWebSearch
At some point I got infected with the nastiest CoolWebSearch searchx variant.
Ad-aware + Spybot + CWShredder have been run n times and cleaned it n times, but it quickly reinfects.
Could it be that the cleanup isn't thorough? Could the experts here please take a look for me? Thanks in advance.
Logfile of HijackThis v1.97.7
Scan saved at 11:21:30 PM, on 5/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\fast.exe
C:\WINDOWS\System32\taskswitch.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\STMicroelectronics\STV0680 SDK Ver 290\STV0680evk\CamCtrl.exe
C:\AppServ\Apache\Apache.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\AppServ\Apache\Apache.exe
C:\WINDOWS\Integrator.exe
C:\AppServ\mysql\bin\mysqld-nt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2003\Tmntsrv.exe
C:\WINDOWS\System32\Fast.exe
C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe
C:\Program Files\Trend Micro\PC-cillin 2003\PccPfw.exe
C:\WINDOWS\System32\conime.exe
C:\WINDOWS\Explorer.EXE
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexico Toolbar - {11359F4A-B191-42d7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\lexbar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Dictionary.com - {11359F4A-B191-42D7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\lexbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [FastUser] C:\WINDOWS\System32\fast.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\program files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKCU\..\Run: [ICQ Plus] "C:\Program Files\ICQPlus\vplus.exe"
O4 - HKCU\..\Run: [Dial-Up Monitor] C:\Documents and Settings\Chong Zhe Wei\Desktop\DUNMon
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: camctrl.lnk = C:\Program Files\STMicroelectronics\STV0680 SDK Ver 290\STV0680evk\CamCtrl.exe
O4 - Startup: Hare.lnk = C:\Program Files\Hare\Hare.exe
O4 - Startup: Zoom.lnk = C:\Program Files\Zoom\Zoom.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Save Flash with Flash Catcher - res://C:\Program Files\Common Files\justDo\IECatcher.DLL/FlashCatcher.htm
O8 - Extra context menu item: Search &Dictionary - C:\Program files\Lexico\Toolbar\dictionary.htm
O8 - Extra context menu item: Search &Thesaurus - C:\Program files\Lexico\Toolbar\thesaurus.htm
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Translate Page - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Flash Catcher (HKLM)
O9 - Extra 'Tools' menuitem: Flash Catcher (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/p ... s/flash/swflash.cab
O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - http://dictionary.reference.com/tools/toolbar/lexico.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{94CF6F66-BB86-47AB-A6F4-47997206F165}: NameServer = 192.168.0.1
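An added triage helper for logs in this format (written for this edit; it is not HijackThis, CWShredder, or any tool mentioned in the thread). It parses the section tags (R0/R1, O1, O2, O4, O16, ...) and reports the entries a responder checks first in a CoolWebSearch case. `POSTED_LOG` is an excerpt of the original poster's log above; `HIJACKED_LOG` is a constructed sample showing the R1/O1 lines such a hijack would add, with placeholder host names, addresses and file names that are assumptions, not real CWS infrastructure. Run against the real log, it shows that there are no R0/R1/O1 entries at all, so IE's start/search pages and the hosts file are not hijacked; what is left to verify is the unnamed BHO's DLL and the autostart that points under the Desktop folder.

```python
"""Triage helper for HijackThis v1.9x log text.

Added example for this thread; not part of HijackThis, CWShredder or any
vendor tool. It only parses the log format and reports the entries a
responder would look at first in a CoolWebSearch case.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import urlparse

# One HijackThis entry: a section tag (R0..R3, O1..O23), " - ", then the rest.
ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2})\s+-\s+(.*)$")
# Paths under a user profile or temp directory, where droppers often live.
USER_PATH_RE = re.compile(r"\\(Desktop|Temp|Local Settings|Application Data)\\", re.I)

# Excerpt of the log posted in this thread (original poster's machine).
POSTED_LOG = r"""
Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\System32\fast.exe
C:\WINDOWS\Explorer.EXE
C:\AppServ\Apache\Apache.exe
C:\AppServ\Apache\Apache.exe
C:\WINDOWS\System32\Fast.exe
C:\WINDOWS\Explorer.EXE
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexico Toolbar - {11359F4A-B191-42d7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\lexbar.dll
O4 - HKLM\..\Run: [FastUser] C:\WINDOWS\System32\fast.exe
O4 - HKCU\..\Run: [Dial-Up Monitor] C:\Documents and Settings\Chong Zhe Wei\Desktop\DUNMon
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{94CF6F66-BB86-47AB-A6F4-47997206F165}: NameServer = 192.168.0.1
"""

# Constructed sample of what a browser hijack adds to a log. The host name,
# the 192.0.2.10 address and the sysupd.exe file name are placeholders.
HIJACKED_LOG = r"""
Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\Explorer.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.example.invalid/
O1 - Hosts: 192.0.2.10 www.google.com
O4 - HKLM\..\Run: [sysupd] C:\WINDOWS\Temp\sysupd.exe
"""


def parse_log(text):
    """Split a log into (running processes, {section tag: [entry text]})."""
    processes, entries, in_procs = [], defaultdict(list), False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Running processes:"):
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            entries[m.group(1)].append(m.group(2))
        elif in_procs:
            processes.append(line)
    return processes, dict(entries)


def triage(text):
    """Return a list of (level, message) findings; level is 'review' or 'info'."""
    processes, entries = parse_log(text)
    findings = []

    # 1. IE start/search pages (R0/R1) and the hosts file (O1) are where a
    #    CWS-style browser hijack normally shows up; none present is notable.
    hijack_lines = [(t, e) for t in ("R0", "R1", "O1") for e in entries.get(t, [])]
    for tag, e in hijack_lines:
        findings.append(("review", f"{tag}: {e}"))
    if not hijack_lines:
        findings.append(("info", "no R0/R1/O1 entries: IE start/search pages and hosts file are unmodified"))

    # 2. A BHO loads into every IE process; an unnamed one needs its DLL verified.
    for e in entries.get("O2", []):
        if e.startswith("BHO: (no name)"):
            findings.append(("review", "unnamed BHO, verify publisher of " + e.rsplit(" - ", 1)[-1]))

    # 3. Autostarts that point into a user profile or temp directory.
    for e in entries.get("O4", []):
        if USER_PATH_RE.search(e):
            findings.append(("review", "autostart from user-writable path: " + e))

    # 4. ActiveX downloads (O16): list the hosts so unfamiliar ones stand out.
    hosts = sorted({urlparse(e.split(" - ")[-1].strip()).hostname or "?"
                    for e in entries.get("O16", []) if "http" in e})
    if hosts:
        findings.append(("info", "O16 download hosts: " + ", ".join(hosts)))

    # 5. Same image listed more than once (case-insensitive); often benign
    #    (Apache parent/child, a second Explorer) but worth a glance.
    for p, n in Counter(p.lower() for p in processes).items():
        if n > 1:
            findings.append(("info", "process listed more than once: " + p))
    return findings


if __name__ == "__main__":
    for name, log in (("posted log", POSTED_LOG), ("constructed hijacked log", HIJACKED_LOG)):
        print(f"== {name} ==")
        for level, msg in triage(log):
            print(f"[{level}] {msg}")
```

The parser deliberately keys on the section tag rather than on known-bad strings: a log with no R0/R1/O1 lines cannot be carrying the usual CWS browser hijack, whatever the symptoms, which is the same conclusion the experts reached further down the thread.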
Posted on 10-5-2004 11:38 PM
Posted on 11-5-2004 08:57 AM
Posted on 12-5-2004 03:56 PM
Original poster
Posted on 13-5-2004 01:18 AM
Too many? To keep this laptop, which hasn't been reformatted once in two years, running as smoothly as possible,
I've already trimmed it down as far as it can go; what's left are all 'daily essentials'.
What's puzzling is that I've searched n times and still can't find it, and after cleaning n times it gets reinfected n times =_="
Fortunately it hasn't shown up again today; hopefully the eradication worked.
Posted on 13-5-2004 11:30 AM
上官好剑 said on 10/5/2004 11:08 PM:
At some point I got infected with the nastiest CoolWebSearch searchx variant.
Ad-aware + Spybot + CWShredder have been run n times and cleaned it n times, but it quickly reinfects.
Could it be that the cleanup isn't thorough? Could the experts here please take a look for me? Thanks in advance.
Lo ...
I've submitted your HijackThis log upstream. Please wait a bit;
once there's a reply I'll post it back here!
Note: you can try CWShredder to remove it...
Original poster
Posted on 14-5-2004 01:19 PM
Thanks a lot ^^
At the time I was running Shredder four or five times a day; it's really a headache of a program.
Posted on 16-5-2004 06:30 PM
上官好剑 said on 14/5/2004 01:19 PM:
Thanks a lot ^^
At the time I was running Shredder four or five times a day; it's really a headache of a program.
I submitted it to the experts... they looked at it and said your HijackThis log has no problems!
So what is it that makes you think you've caught CWS again?
Original poster
Posted on 17-5-2004 08:03 PM
Hmm... then something isn't right. I've cleaned it at least a dozen times.
Lately it's been easier, often calm for a day or two, but sometimes it gets reinfected even when I haven't installed any new software
or visited any strange sites. Looks like it's really not that simple =_="
Sorry for the trouble, and thank you.