ccApp and svchost

I recently reinstalled XP on my new hard disk.
I just don't know why, once I have connected to the Internet, the "bullseye
network" or Bargains Buddy stuff opens my IE and gives me some ad
right away. This happened even after I had scanned and deleted them (the
spyware) with Ad-aware and then rebooted.
The other thing is, when I open my Task Manager, sometimes I find ccApp &
svchost taking up my CPU resources, 50% each. I think they should not be
working properly. Can anyone help me with this issue?
This makes my PC very slow, even though I have a P4 3G, running no programs
in the background.

thanks very much
wilson
 
Wilson,

this is probably a virus infection.

Hans-Georg
 
ccApp is part of your Norton Antivirus program and if you're having problems
with it you should uninstall and reinstall it.

Svchost could be anything - legitimate or not - as it's only a client, not a
program, in accessing the Internet. Clear up problem #1 first and see if
this one persists.

--
Richard G. Harper [MVP Shell/User] (e-mail address removed)
* PLEASE post all messages and replies in the newsgroups
* for the benefit of all. Private mail is usually not replied to.
* My website, such as it is ... http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm
 
Wilson,

AdAware is not the only tool for removing spyware, and sometimes it's not the
best tool either. You need HijackThis, and expert advice to remove crap like
BargainBuddy. All of these tools are free, and used together, will give you the
best chance of diagnosing and removing your problems.

Start by downloading each of the following additional free tools:
CWShredder <http://www.majorgeeks.com/download4086.html>
HijackThis <http://www.majorgeeks.com/download.php?det=3155>
LSP-Fix and WinsockXPFix <http://www.cexx.org/lspfix.htm>
Spybot S&D <http://www.safer-networking.org/index.php?page=download>
Stinger <http://us.mcafee.com/virusInfo/default.asp?id=stinger>
TrendMicro Engine <http://www.trendmicro.com/download/dcs.asp>
TrendMicro Signatures <http://www.trendmicro.com/download/pattern.asp>

Create a separate folder for HijackThis, such as C:\HijackThis - copy the
downloaded file there. Create a separate folder for the two TrendMicro files,
such as C:\TrendMicro - copy the downloaded files there (unzipped if necessary).
CWShredder and Spybot S&D have install routines - run them. The other
downloaded programs can be copied into, and run from, any convenient folder.

First, run Stinger. Have it remove any problems found.

Next, close all Internet Explorer and Outlook windows, and run CWShredder. Have
it fix all problems found.

Next, disable System Restore.
<http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm>
Boot your computer into Safe Mode.
http://support.microsoft.com/?id=315222
Run C:\TrendMicro\Sysclean.com. Delete any infectors found.
Reboot your computer, and re-enable System Restore.

Next, run AdAware again. First update it ("Check for updates now"), configure
for full scan (<http://forums.spywareinfo.com/index.php?showtopic=11150>), then
scan. When scanning finishes, remove all Critical Objects found.

Next, run Spybot S&D. First update it ("Search for updates"), then run a scan
("Check for problems"). Trust Spybot, and delete everything ("Fix Problems")
that is displayed in Red.

Then, run HijackThis ("Scan"). Do NOT make any changes immediately. Save the
HJT Log.
<http://forums.spywareinfo.com/index.php?showtopic=227>
<http://forums.spywareinfo.com/index.php?showtopic=11150>

Finally, have your HJT log interpreted by experts at one or more of the
following security forums (and please post a link to your forum posts, here):
Aumha: <http://forum.aumha.org/index.php>
Net-Integration: <http://forums.net-integration.net/>
Spyware Info: <http://forums.spywareinfo.com/>
Spyware Warrior: <http://spywarewarrior.com/index.php>
Tom Coyote: <http://forums.tomcoyote.org/>

If removal of any spyware affects your ability to access the internet (some
spyware builds itself into the network software, and its removal may damage your
network), run LSP-Fix and / or WinsockXPFix.

Finally, improve your chances for the future.

Harden your browser. There are various websites which will check for
vulnerabilities, here are three which I use.
http://www.jasons-toolbox.com/BrowserSecurity/
http://bcheck.scanit.be/bcheck/
https://testzone.secunia.com/browser_checker/

Block Internet Explorer ActiveX scripting from hostile websites (Restricted
Zone).
<https://netfiles.uiuc.edu/ehowes/www/main.htm> (IE-SpyAd)

Block known dangerous scripts from installing.
<http://www.javacoolsoftware.com/spywareblaster.html>

Block known spyware from installing.
<http://www.javacoolsoftware.com/spywareguard.html>

Make sure that the spyware detection / protection products that you use are
reliable:
http://www.spywarewarrior.com/rogue_anti-spyware.htm

Harden your operating system. Check at least monthly for security updates.
http://windowsupdate.microsoft.com/

Block possibly dangerous websites with a Hosts file. Three Hosts file sources I
use:
http://www.accs-net.com/hosts/get_hosts.html
http://www.mvps.org/winhelp2002/hosts.htm
(The third is included, and updated, with Spybot (see above)).

Maintain your Hosts file (merge / eliminate duplicate entries) with:
eDexter <http://www.accs-net.com/hosts/get_hosts.html>
Hostess <http://accs-net.com/hostess/>

Secure your operating system, and applications. Don't use, or leave activated,
any accounts with names or passwords with trivial (guessable) values. Don't use
an account with administrative authority, except when you're intentionally doing
administrative tasks.

Use common sense. Yours. Don't install software based upon advice from unknown
sources. Don't install free software, without researching it carefully. Don't
open email unless you know who it's from, and how and why it was sent.

Educate yourself. Know what the risks are. Stay informed. Read Usenet, and
various web pages that discuss security problems. Check the logs from the
security products that you use regularly, look for things that don't belong, and
take action when necessary.

How did I get infected in the first place?
http://forums.net-integration.net/index.php?showtopic=3051
Essential tips for infection prevention
http://forums.spywareinfo.com/index.php?showtopic=24339

Chuck
Paranoia comes from experience - and is not necessarily a bad thing.
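
Added example (not part of Chuck's post or of any tool he names): a Python version of the "merge / eliminate duplicate entries" step for hosts block lists. It also rejects any entry that does not point at a sink address, since a downloaded hosts file can otherwise redirect a real site. Function names and sample lists are constructed for illustration.

```python
import re

SINKS = {"127.0.0.1", "0.0.0.0"}        # addresses that go nowhere
KEEP_LOCAL = {"localhost", "localhost.localdomain"}
HOST_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9_]([a-z0-9_-]{0,61}[a-z0-9_])?\.)+[a-z]{2,63}$")

def parse_hosts(text):
    """Yield (address, hostname) pairs from hosts-file text, skipping comments."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue                      # blank, comment-only, or address with no name
        for name in fields[1:]:
            yield fields[0], name.lower().rstrip(".")

def merge_blocklists(*sources):
    """Merge hosts-format block lists; return (sorted unique names, rejected pairs).

    An entry is accepted only if it points at a sink address, so a downloaded
    list cannot quietly map a real site to someone else's server.
    """
    blocked, rejected = set(), []
    for text in sources:
        for addr, name in parse_hosts(text):
            if name in KEEP_LOCAL:
                continue                  # re-added once by render()
            if addr in SINKS and HOST_RE.match(name):
                blocked.add(name)
            else:
                rejected.append((addr, name))
    return sorted(blocked), rejected

def render(names):
    """Build the merged hosts file text: localhost first, then one name per line."""
    return "".join(f"127.0.0.1 {n}\n" for n in ["localhost"] + list(names))

# Constructed sample lists; only ads.findit.ws is a name taken from this thread.
LIST_A = """# list A
127.0.0.1   localhost
127.0.0.1   ads.findit.ws
127.0.0.1   Tracker.Example.net   # mixed case
"""
LIST_B = """0.0.0.0 ads.findit.ws tracker.example.net.
203.0.113.7 www.example.com
"""

if __name__ == "__main__":
    names, rejected = merge_blocklists(LIST_A, LIST_B)
    print(render(names), "rejected:", rejected)
```

Anything in the rejected list should be read by a person before the merged file is installed.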
 
Richard,

ccApp is one of the favorite targets for some viruses. They like
to replace that file with their own code.

Hans-Georg
 
thanks very much for all your suggestions dukes~

I have tried a full scan with Norton Antivirus, but it stopped abnormally, even
when I was not connected to the Internet.
Somehow I managed to download a copy of the spyware tool from Giant, and had a
deep full scan while not connected to the Internet. Moreover, I am trying to use
Firefox instead of IE6.
Everything seems fine after the deep scan and using Firefox as the Internet
browser.
Hopefully, it will run happily ever after.
But I will try to have a deep virus scan tonight, to see if any problem is found.

cheers
 
Wilson,

as I already mentioned, your virus scanner may well be taken
over by a virus, so it will not find the virus. If so, you need
a different virus scanner. Ideally scan the disk from far over
the network or put it into another computer.

Of course I cannot be sure, but the symptom points clearly that
way.

Hans-Georg
 
thanks Hans-Georg

The problem I mentioned earlier is still the same.
When I log into the Internet, my Internet browser (Firefox this time) will
pop up, trying to connect to some web site (bottom status bar showing:
"connecting to Web ads.findit.ws..........."). I closed the browser
immediately.

I also tried virus scanning my PC via an online scan, RAV. It took ages to do
a full scan, but it only found 1 suspicious file, msass43.exe, which I have
renamed, and I will see how it goes tonight.
cheers
 
Wilson,

Your suspicious file msass43.exe may be a new Backdoor based upon the Windows
DCOM exploit.
http://isc.sans.org/diary.php?date=2004-11-07

This should indeed account for gratuitous CPU usage. Did the CPU usage drop
after you renamed the file?

Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.
 
Wilson,

hehe, one is enough to wreak havoc. Some of the stupider viruses
may be fooled by renaming, but most won't be.

The procedure is to identify the virus, then use one of the
prescribed methods to get rid of it. Since this virus attacks
Norton Antivirus directly, Symantec will have a removal tool.

Then you have to think hard about how you could get the virus in
the first place. If the door through which it came is still
open, you won't be happy in the future.

Hans-Georg
 
Hans-Georg ,

It seems alright when I connect to the Internet this time.
The browser did not pop up automatically, at least.
But halfway through, while I was typing a message on a board, some
virus warnings from Norton Antivirus popped up and said it cannot be fixed. One of
the virus warnings is on a file named "IEXPLORES.exe". I am wondering if these
viruses are coming through Outlook Express. I noticed it may have been retrieving mail at that
moment.
These viruses are driving me nuts already.
Got to fight with it.....
thanks
 
Wilson,

yes, they are nasty. Your computer is a zombie now, probably
trying to send spam.

I'm away for a few days and may not be able to come here into
the newsgroup until Sunday or Monday. Therefore I ask all other
helpers to continue from here.

Hans-Georg
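
Added example (not from any poster in this thread): a Python triage check for the two things the thread keeps running into, a trusted name such as svchost.exe running from the wrong folder, and file names such as msass43.exe and IEXPLORES.exe that sit close to a Windows binary's name. The expected-folder table, the one-edit threshold and the sample paths are assumptions made for illustration; a match is a reason to inspect the file, nothing more.

```python
import ntpath
import re

# Expected folders on a default Windows XP install (assumes Windows is in C:\WINDOWS).
EXPECTED = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "iexplore.exe": r"c:\program files\internet explorer",
}

def edit_distance(a, b):  # Levenshtein distance, computed row by row
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def stem(name):
    """Lower-case name without extension or trailing digits: msass43.exe -> msass."""
    return re.sub(r"\d+$", "", ntpath.splitext(name.lower())[0])

def triage(image_paths):
    """Return (path, reason) for each image whose name or folder deserves a closer look."""
    findings = []
    for path in image_paths:
        folder, name = ntpath.split(path.lower())
        if name in EXPECTED:
            if folder != EXPECTED[name]:
                findings.append((path, f"{name} is not in {EXPECTED[name]}"))
            continue
        for good in EXPECTED:
            if edit_distance(stem(name), stem(good)) <= 1:
                findings.append((path, f"name resembles {good}"))
                break
    return findings

# Constructed process list; the folders are illustrative, not taken from the thread.
SAMPLE = [
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\WINDOWS\Temp\svchost.exe",
    r"C:\WINDOWS\system32\msass43.exe",
    r"C:\WINDOWS\system32\IEXPLORES.exe",
    r"C:\Program Files\Common Files\Symantec Shared\ccApp.exe",
]

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```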
 
Hans-Georg Michna said:
Wilson,

yes, they are nasty. Your computer is a zombie now, probably
trying to send spam.

I'm away for a few days and may not be able to come here into
the newsgroup until Sunday or Monday. Therefore I ask all other
helpers to continue from here.

Hans-Georg
Will do, Hans-Georg. Wilson, your computer is still infested with
malware. It can be rather tricky to remove the Bargain Buddy, Cashback,
Bullseye cr*p. Here are my standard malware removal steps, which you
should do (and see my comments afterwards):

1) Scan in Safe Mode with current version (not earlier than 2003)
antivirus using updated definitions;

2) remove spyware with Spybot Search & Destroy
(www.safer-networking.org) and Ad-aware (www.lavasoftusa.com). These
programs are free, so use them both since they complement each other.
There is a new version of CWShredder from
http://www.intermute.com/spysubtract/cwshredder_download.html. I would
not install the other Intermute programs, however. Alternately, there
are CoolWebSearch malware removal steps at
http://www.silentrunners.org/sr_cwsremoval.html. A combination of
HijackThis and About:Buster (http://www.majorgeeks.com) works well in
removing homepage hijackers. Always read the instructions before
running a spyware removal tool. Be sure to update these programs before
running, and it is a good idea to do virus/spyware scans in Safe Mode.
Make sure you are able to see all hidden files and extensions (View tab
in Folder Options);

3) If you are running Windows ME or XP, you should disable/enable System
Restore because malware will be in the Restore Points. With ME, you
must disable System Restore completely. With XP, you can delete all but
the most recent (presumably clean) System Restore point from the More
Options section of Disk Cleanup (Run>cleanmgr).

4) make sure you've visited Windows Update and applied all security
patches. Do not install driver updates from Windows Update;

5) run a firewall.

It can take a lot of skill and a deep knowledge of Windows operating
systems to remove malware. If, after following the above procedures,
you still can't get your machine clean, take it to a good local
professional (not a BestBuy or CompUSA type of store) and have them
clean it for you.

Good luck,

Malke
 
thanks Malke

I had another virus scan with Norton,
and still found quite a few malware items, like bargainbuddy....
which cannot be fixed or removed....
I have checked that they are not running as processes, and they are attached to
some *.idf or *.ivx files.
So I went into those folders and renamed them.
Rebooted again, and things seemed fine after that last night.
Also, I have enabled the firewall on my Internet connection,
so I hope this should stop them happening for a while at least.....

I will see if things are still going well tonight....
Many thanks for all you dukes' help.
Cheers
wilson
 
