  1. #1
    4 Star Lounger
    Join Date
    Jun 2001
    Location
    Sacramento, California, USA
    Posts
    491
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Malware problems

    Good Morning, Please let me apologize for the length of this post. I am going to sleep for a couple of hours ( it's
    3:30am PST) and I have worked on this for 4 hours already.
    I have been attacked by coolwebsearch and some other redirects and malware.

    I have tried using Spybot (when I "Fix" the problems and reboot, they are still there)
    I have used CWShredder - When it gets to the point to "Fix" Windows generates the error that it has
    encountered problems and is closing the program. So it doesn't get rid of the cws.
    I have tried AdAware - and when it gets to the point after the quarantine - I get the attached message.
    I have posted the HijackThis log and am waiting for a reply. I select the ones to be fixed, click "Fix"
    but when I reboot they are still there !

    In addition to all the malware and redirects problems, when I start up, I receive the following
    error message:
    RUNDLL An exception occurred while trying to run C:\Windows\System32\MIAUDITE.dll,UMonitor
    (I don't know if this is related to the malware issues, but it just started today too)

    If you can at least direct me to the proper forums (I already posted to the Hijack This log folks)
    I would appreciate it. If this has happened to you, could you tell me how you fixed all of this?
    This is VERY frustrating - 4 hours trying to restore normalcy and I just can't. (I even did a system restore
    to last week which didn't work)

    Thank you in advance for ANY help. I really would hate to do a full Re-install of Windows XP.
    There is so much I would have to save on CDs etc...... oy !! Please help !

    Sincerely,
    Michael Abrams

  2. #2
    Plutonium Lounger
    Join Date
    Oct 2001
    Location
    Lexington, Kentucky, USA
    Posts
    12,107
    Thanks
    0
    Thanked 1 Time in 1 Post

    Re: Malware problems

    Please check this recent thread to see if the program (Spy Subtract) mentioned by one other Lounger will possibly help you. Other than that thread, I don't know anything about the new company or their software.

  3. #3
    4 Star Lounger
    Join Date
    Oct 2001
    Location
    Bellevue, Nebraska, USA
    Posts
    569
    Thanks
    0
    Thanked 1 Time in 1 Post

    Re: Malware problems

    In Internet Explorer, go to Tools, Internet Options, General tab. Select Delete Cookies, and then Delete Files to delete all your temporary Internet files (Note, this also will force the manual entry of usernames and passwords for sites requiring them on your next visit, so make sure you know them). If using Mozilla Firefox, go to Tools, Options, Privacy, and Clear All. We do this as there is no need to scan thousands of temporary files and to delete any corrupt cookies that may already be on your system.

    For Windows Me and XP users, as an option, you might consider temporarily turning off System Restore to enable the scanners to clean any infected restore images. See here for instructions. This keeps malware hiding in restore images from coming back and re-infecting your systems. It may also be the reason for spyware scanners finding the same spyware over and over again. If that is happening, you should consider this option. IMPORTANT: This option removes all past restore point images.

    Now scan for spyware. Ensure you have the latest scanner versions, download and install SpyBot Search and Destroy V1.3.1 TX (which includes the DSO false positive fix) from here. Before scanning, use the program
    Bill (AFE7Ret)
    Freedom is NOT Free!
    Heat is the bane of all electronics!

    ─────────────────────

  4. #4
    Uranium Lounger
    Join Date
    Mar 2001
    Location
    New Jersey
    Posts
    6,684
    Thanks
    1
    Thanked 11 Times in 11 Posts

    Re: Malware problems

    Good morning Michael. I sympathize with you... CoolWebSearch is a bear. Can you post a copy of your HijackThis log here ?? I'm not as well versed as the folks at TomCoyote, and might not get EVERY file that these [censored] placed, but I do know a few tricks that might help. If you want to keep after this on your own, there are manual removal instructions for CoolWebSearch here, but I can't swear that they will work as I've not had the opportunity to try them (thankfully) on my own system. I have removed this little bundle of joy from 2 or 3 of my friend's systems manually without formal instructions. Persistence and Google can sometimes substitute for knowledge.

  5. #5
    5 Star Lounger
    Join Date
    May 2002
    Location
    43.8N 81.0W, Ontario
    Posts
    815
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Malware problems

    Hi Michael

    Intermute released an updated version of CWShredder (ver. 2.1) in December. If you don't have it, the Free standalone version can be downloaded HERE.

    Have a Great day!!!
    Ken

  6. #6
    Uranium Lounger viking33's Avatar
    Join Date
    Jun 2002
    Location
    Cape Cod, Massachusetts, USA
    Posts
    6,308
    Thanks
    0
    Thanked 1 Time in 1 Post

    Re: Malware problems

    The latest version of SpyBot S&D (ver 1.4 B2 ) claims to handle a number of CWS junk.
    --------------------------------------------------
    ++ CoolWWWSearch.BadZoneMap
    + CoolWWWSearch.Feat2DLL
    + CoolWWWSearch.HomeSearch
    + CoolWWWSearch.Feat2Installer
    + CoolWWWSearch.Service (2)
    + CoolWWWSearch.Aff.Winshow
    ----------------------------------------------


    Get it at SPYBOT
    BOB


    Long ago, there was a time when men cursed and beat on the ground with sticks. It was called witchcraft.
    Today it is called golf!

  7. #7
    4 Star Lounger
    Join Date
    Jun 2001
    Location
    Sacramento, California, USA
    Posts
    491
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Malware problems

    Good Afternoon everyone,
    First of all, THANKS to all who have offered advice. I ran everything in SAFE MODE, and I still have a couple of issues.
    Hopefully, this will sound familiar !

    1 - I still get the following when starting up:
    RUNDLL - An exception occurred while trying to run C:\Windows\System32\mgctfp.dll,UMonitor (different dll than before)

    2 - I ran Spybot 1.3 - I was able to get it to Congratulate me - I think that part is OK (for now)
    Just tried it again - nope - The "Common Hijacker" is back. Gee..... this is killing me !!

    3 - AdAwareSE - After running it and quarantining the 3 items (it was originally 40) I still get the following message:
    "Some objects could not be removed....etc" It only listed fpl0033me.dll this time

    4 - I was able to get CWShredder to work in Safe Mode. I then ran it in normal mode and it seems to have worked. I will try it again.
    But after I closed down and restarted, I ran CWShredder again and they're back !! I removed them, but they come back ! Then I tried it again, and the original problem is back !! I get a "Windows encountered errors and will close down the program" and the Fix does not complete. I'm down to 10 hairs on my head.

    5- I used AVG Anti-virus - No virus found (Thankfully !)

    6- I used SpySubtract and it cleaned up 2 registry suspects and 3 file suspects

    7- HiJack this see attached I know the 01's are no good. But it will not fix them. Is this where my big problem is?

    Again - Thank you all very much for helping me. I have been at it 4 hours last night and 3 so far today. I hope I
    can fix this before midnight tonight !!

    Sincerely,
    Michael Abrams

  8. #8
    Plutonium Lounger
    Join Date
    Nov 2001
    Posts
    10,550
    Thanks
    0
    Thanked 7 Times in 7 Posts

    Re: Malware problems

    I cleaned up a PC infected with multiple variants of CoolWeb a few weeks ago. The most effective tool that I found for removing the nastier variants was webroot Spy Sweeper.

    StuartR

  9. #9
    5 Star Lounger
    Join Date
    May 2002
    Location
    43.8N 81.0W, Ontario
    Posts
    815
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Malware problems

    Hi Michael

    It looks like UMonitor might be your problem.
    Check these forum postings: UMonitor attack and Rundll umonitor error.
    A search for UMonitor on the CastleCops website might bring up more info.
    Apparently the 'dll' changes automatically.

    Have a Great day!!!
    Ken

  10. #10
    Uranium Lounger
    Join Date
    Mar 2001
    Location
    New Jersey
    Posts
    6,684
    Thanks
    1
    Thanked 11 Times in 11 Posts

    Re: Malware problems

    Hi Michael. I've reviewed your HijackThis log and there are a few problem entries. If it will not remove them when you run it normally, try running HijackThis in SafeMode and then remove the entries it finds. My suggestions for removal would be...

    hhntnh.exe <-- If you don't know what this is then go in using Windows Explorer and rename it to hhntnh.old_exe or something. No harm in 2 weeks, remove it.
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hhntnh.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost <-- this line is redirecting your browser
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch <-- to these three hosts
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com

    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file) <-- no name, no file, NO REASON - Unless you think it might be related to this line: O9 - Extra button: (no name) - {D799B0E4-BEDE-41d2-AEE0-1E3A1C4EF918} - C:CleanupIEPKPrivacyKeeper.exe (HKCU)

    I found this info about the following line here
    C:\WINDOWS\system32\wuauclt.exe <-- I'd delete this using file Windows Explorer
    Troj/Cult-B is a backdoor Trojan which allows a remote intruder to access and control the computer via IRC channels.
    Each time the Trojan is run it tries to connect to a remote IRC server and join a specific channel. The Trojan then runs in the background as a server process, listening for commands to execute.
    When first run the Trojan copies itself to the Windows System folder as WUAUCLT.EXE and creates the following registry entry so that WUAUCLT.EXE is run automatically each time Windows is started:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft auto update = WUAUCLT.EXE <-- And remove this registry key

    I've tried to explain my reasoning and have searched all these entries on Google to determine what they do. I'm not an "expert" but believe that these items are the source of most, if not all, of your trouble. As with all registry editing, you are advised to backup your registry first. If you are not comfortable deleting a file, then rename it and if there are no problems after a few days, you can delete it. I hope this is of some help and that you will post back with your results.
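
The kind of triage described in the post above, sketched as an added example (not part of the original thread and not code from HijackThis): it flags the three entry types the post singles out, namely O1 hosts-file redirects, the R1 ProxyOverride line, and O9 buttons with no file. The sample log is constructed from the lines quoted in the post, and the function name `triage` and the rule wording are assumptions.

```python
import ipaddress
import re

# Constructed sample: entries modelled on the lines quoted in the post above,
# plus one benign loopback hosts line for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 127.0.0.1 localhost
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
"""

ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
HOSTS = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<name>\S+)$")


def triage(log_text):
    """Return (code, reason, detail) tuples for entries worth a manual look."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # log header, process list, blank lines
        code, body = m["code"], m["body"]
        if code == "O1":
            h = HOSTS.match(body)
            if not h:
                continue
            try:
                ip = ipaddress.ip_address(h["ip"])
            except ValueError:
                findings.append((code, "unparseable hosts entry", body))
                continue
            # Loopback and 0.0.0.0 lines are defaults or block lists, not redirects.
            if not (ip.is_loopback or ip.is_unspecified):
                findings.append((code, "hosts redirect", f"{h['name']} -> {ip}"))
        elif code in ("R0", "R1") and "ProxyOverride" in body:
            findings.append((code, "proxy setting", body.split(",", 1)[-1].strip()))
        elif code == "O9" and body.endswith("(no file)"):
            findings.append((code, "orphaned IE button", body))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A finding here only means the entry deserves a manual look; each one still has to be researched before anything is renamed or deleted.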

  11. #11
    4 Star Lounger
    Join Date
    Jun 2001
    Location
    Sacramento, California, USA
    Posts
    491
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Malware problems

    First of all, I would like to say that I am overwhelmed (and overjoyed) with the caring responses here.
    You guys are really wonderful sharing your knowledge.

    I just got home, so I printed everything out you folks suggested and will start right on it.

    It's a bit late, so I will continue tomorrow. I will definitely post back with my results.

    Thank you again for following up with me. It's just so frustrating !!

    I will speak to you all tomorrow - Michael

  12. #12
    Platinum Lounger
    Join Date
    Nov 2001
    Location
    Melbourne, Victoria, Australia
    Posts
    5,016
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Malware problems

    Well done Doc. This kind of analysis looks like a perfect candidate for the X-RayPC application I posted about. It would have identified all of those log entries, then done an analysis like yours, using an online database.

    Alan

  13. #13
    Uranium Lounger
    Join Date
    Mar 2001
    Location
    New Jersey
    Posts
    6,684
    Thanks
    1
    Thanked 11 Times in 11 Posts

    Re: Malware problems

    Thanks Alan. I took a look at the X-RayPC site you linked to yesterday. Very interesting. I like the idea of an online database. It would save tons of time Googling up all the suspect entries. Especially with the proliferation of all the variants and how deeply they are now digging into your system to find a home and then constantly changing themselves to prevent detection.

    I started looking at HijackThis logs when I foolishly downloaded a browser hijacker (should have known better and realized it as soon as I clicked on the install button) and had to resort to HijackThis to find out what I'd done. I posted my log on one of their sites and didn't get any response for over 3 days, so I started analyzing the log myself and using Google to check out the suspicious entries. It took a few hours, but I cleaned up my system and got an education in the process (never did get any response, even after posting back with my personal solution). It's not rocket science, and most of the entries stick out like a sore thumb if you have just a basic knowledge of what programs are out there and if the line makes sense to you. I'm gonna grab a copy of X-RayPC and check into the database a bit further. It looks like another useful tool to have in one's arsenal against the cretins of the online world. Thanks for the link.

  14. #14
    Platinum Lounger
    Join Date
    Nov 2001
    Location
    Melbourne, Victoria, Australia
    Posts
    5,016
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Malware problems

    No need for the blush, Doc. It sounds like you learned in exactly the same way I did - never did work out how I downloaded such junk in the first place though. There's still a lot to be said for learning about this stuff from first principles though, like we both did. I had the same experience with no response on my HijackThis logs - I can understand that they're probably inundated though.

    I'll be keeping an eye on X-RayPC. As Phil commented, opinions are variable at this early stage, but the thinking behind it seems good IMHO.

    Alan

  15. #15
    4 Star Lounger
    Join Date
    Jun 2001
    Location
    Sacramento, California, USA
    Posts
    491
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Malware problems

    I just wanted to check back in. It took 5 tries, 3 days and the assistance of "Racktracker" over at the Hijack This
    forum to get the computer back in order. For someone with OCD (me) that was a terror. I wound up using applications
    such as FindIt, Killbox and Comparedll in conjunction with HijackThis. Eventually we got rid of it all.

    Just wanted to thank everyone here for always being there for us. You folks are really wonderful for sharing
    your expertise with the rest of us.

    Thank you all and have a healthy and Happy New Year !

    Michael
    Sacramento, CA USA
