Jump to content


Photo

CWS.searchx, coolwebsearch


  • Please log in to reply
16 replies to this topic

#1 spits

spits

    Member

  • Full Member
  • Pip
  • 17 posts

Posted 27 June 2004 - 07:17 AM

I have some problems with my pc. Could someone look at my Highjack this filelog and tell me what's wrong and what I can do too repair this? I have tried Ad-aware and cwshredder but it still comes back.....

Logfile of HijackThis v1.97.7
Scan saved at 13:02:55, on 27.06.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\scagent.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Documents and Settings\Gisle\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Gisle\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Gisle\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://0cj.net/cat
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Gisle\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://0cj.net/srchasst.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Gisle\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Gisle\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://0cj.net/cat
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://0cj.net/cat
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://0cj.net/srchasst.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Gisle\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://0cj.net/cat
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.startsiden.no/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = ,
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = ,
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://0cj.net/srchasst.html
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: sr - {FC2593E3-3E5A-410F-AF3D-82613CCE58E5} - c:\windows\sr.dll
O2 - BHO: (no name) - {FD008DEC-0164-48EF-B35D-68B4490B93F7} - C:\WINDOWS\madopew.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\BRMFLPRO\BrDefPrt.exe
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [Windows Registers] Svchosts.exe
O4 - HKLM\..\Run: [D-Link AirPlus Xtreme G] C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCSService] C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
O4 - HKLM\..\Run: [SpyFerret] C:\Program Files\SpyFerret by OnlinePCfix\SFerret.exe /updaterun
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\RunServices: [Windows Registers] Svchosts.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Windows Registers] Svchosts.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.online.no/
O15 - Trusted Zone: www.parmann-foss.no
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8048.4705324074
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://flash.vg.no/c...cabs/cssweb.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {EFB22865-F3BC-4309-ADFA-C8E078A7F762} (SysWebTelecomInt Class) - http://www.sponsorad...sWebTelecom.cab
O19 - User stylesheet: C:\WINDOWS\color.css

#2 Racktracker

Racktracker

    Hunter of Malware

  • Retired Staff
  • PipPipPipPipPip
  • 1,306 posts

Posted 27 June 2004 - 12:40 PM

Move Hijackthis off your desktop (extract from zip)into a permanent folder. Example:
c:\program files\hijackthis\hijackthis.exe

This will allow backups to be made and saved By hijackthis in case something goes wrong.

Download the latest version of Ad-Aware, and check to make sure you have the most recent updates.
http://www.lavasoftu...pport/download/

Download and install APM from: (don't run it yet we will get to that in a minute)
http://www.diamondcs...ex.php?page=apm

Run another hijackthis scan. Place a check next to the following entries, then close all other windows and click the fix button.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Gisle\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Gisle\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Gisle\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Gisle\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Gisle\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Gisle\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = ,
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = ,
O2 - BHO: (no name) - {FD008DEC-0164-48EF-B35D-68B4490B93F7} - C:\WINDOWS\madopew.dll

Then start APM.
In the upper window select explorer.exe
In the lower window find and rightclick the O2 - BHO: entry from above.
Select Unload DLL and click OK on the prompts that follow.

Reboot and scan with AdAware to remove the txt and html protocol association.

Then reboot and run another hijackthis scan and post your new log here.
Posted Image

#3 spits

spits

    Member

  • Full Member
  • Pip
  • 17 posts

Posted 27 June 2004 - 03:15 PM

Thank you for helping me. I have tried to do as you said, but when i went into APM and clicked on Internet explorer i didn't find 02-BHO in the lower window???. Here is the new log from highjack this. What can i do now?? Again, thank rou for helping me!!

Logfile of HijackThis v1.97.7
Scan saved at 22:06:20, on 27.06.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\scagent.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Gisle\Local Settings\Temp\Temporary Directory 2 for HijackThis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://0cj.net/cat
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://0cj.net/srchasst.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Gisle\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://0cj.net/cat
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://0cj.net/cat
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://0cj.net/srchasst.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://0cj.net/cat
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.startsiden.no/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://0cj.net/srchasst.html
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\BRMFLPRO\BrDefPrt.exe
O4 - HKLM\..\Run: [Windows Registers] Svchosts.exe
O4 - HKLM\..\Run: [D-Link AirPlus Xtreme G] C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCSService] C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
O4 - HKLM\..\Run: [SpyFerret] C:\Program Files\SpyFerret by OnlinePCfix\SFerret.exe /updaterun
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\RunServices: [Windows Registers] Svchosts.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Windows Registers] Svchosts.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.online.no/
O15 - Trusted Zone: www.parmann-foss.no
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8048.4705324074
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://flash.vg.no/c...cabs/cssweb.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#4 Racktracker

Racktracker

    Hunter of Malware

  • Retired Staff
  • PipPipPipPipPip
  • 1,306 posts

Posted 27 June 2004 - 05:24 PM

Move Hijackthis out of the temp directory (extract from zip)into a permanent folder. Example:
c:\program files\hijackthis\hijackthis.exe

This will allow backups to be made and saved By hijackthis in case something goes wrong.

Place a check next to the following entries, then close all open windows except hijackthis and click fix.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://0cj.net/cat
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://0cj.net/srchasst.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Gisle\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://0cj.net/cat
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://0cj.net/cat
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://0cj.net/srchasst.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://0cj.net/cat
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://0cj.net/srchasst.html
O4 - HKLM\..\Run: [Windows Registers] Svchosts.exe
O4 - HKCU\..\Run: [Windows Registers] Svchosts.exe

Then reboot into safe mode and delete these files.
Svchosts.exe (notice the spelling, do not delete svchost.exe by mistake)

You may have to enable hidden files to find all the files.

Then reboot and run another hijackhtis scan and post your new log here.
Posted Image

#5 spits

spits

    Member

  • Full Member
  • Pip
  • 17 posts

Posted 27 June 2004 - 06:15 PM

Here come's the new log. Thank you very much for helping me. Hope this one look's fine.

Logfile of HijackThis v1.97.7
Scan saved at 01:10:22, on 28.06.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\scagent.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Gisle\Local Settings\Temp\Temporary Directory 3 for HijackThis.zip\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.startsiden.no/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\BRMFLPRO\BrDefPrt.exe
O4 - HKLM\..\Run: [D-Link AirPlus Xtreme G] C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCSService] C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
O4 - HKLM\..\Run: [SpyFerret] C:\Program Files\SpyFerret by OnlinePCfix\SFerret.exe /updaterun
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.online.no/
O15 - Trusted Zone: www.parmann-foss.no
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8048.4705324074
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://flash.vg.no/c...cabs/cssweb.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#6 spits

spits

    Member

  • Full Member
  • Pip
  • 17 posts

Posted 27 June 2004 - 06:32 PM

I tried to run CWShredder and it still find CWS.Searchx!!!!! But my pc is looking fine now. Seems like about:blank is gone. Is there still something with my log that's not good?

#7 Racktracker

Racktracker

    Hunter of Malware

  • Retired Staff
  • PipPipPipPipPip
  • 1,306 posts

Posted 27 June 2004 - 07:06 PM

SpyFerret is not one of the better spyware removal programs available.
You would be mutch better served by spybot and ad-aware.

Other than that your log looks good.

Does CW shredder remove the files and then find them again the next time you run it?
Posted Image

#8 spits

spits

    Member

  • Full Member
  • Pip
  • 17 posts

Posted 28 June 2004 - 02:03 AM

OK, then i will remove SpyFerret....

Yes, CW Shredder find CWS.searchx and removes it. When i run the CWS.Shredder one's more it still find CWS.Sheacrhx.

Ad-aware don't find anything now and that's good....

Do yoy have more great tip to solve this CWS.searcx problem?

#9 spits

spits

    Member

  • Full Member
  • Pip
  • 17 posts

Posted 28 June 2004 - 02:57 AM

Thank you Racktracker for very good help!!!! You have maid my pc too run much faster and now i hope you can help me to find a solution to make the CWS.searcx to go away.

#10 Racktracker

Racktracker

    Hunter of Malware

  • Retired Staff
  • PipPipPipPipPip
  • 1,306 posts

Posted 28 June 2004 - 08:26 AM

download "FINDnFIX.exe". Run the "!LOG!.bat" file and post the results into this message for further review

http://downloads.sub...rg/FINDnFIX.exe
Posted Image

#11 spits

spits

    Member

  • Full Member
  • Pip
  • 17 posts

Posted 28 June 2004 - 12:17 PM

Here comes the FINDnFIX log. Hope you can locate what's wrong!!! Again, thank you for taking your time.


»»»»»»»»»»»»»»»»»»*** freeatlast100.100free.com ***»»»»»»»»»»»»»»»»

Microsoft Windows XP [Version 5.1.2600]
The type of the file system is FAT32.
C: is not dirty.

28.06.2004
7:10pm up 0 days, 0:05

»»»»»»»»»»»»»»»»»»***LOG!***»»»»»»»»»»»»»»»»

Scanning for file(s)...
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
»»»»» (*1*) »»»»» .........
»»Locked or 'Suspect' file(s) found...


One or more CON code pages invalid for given keyboard code

»»»»» (*2*) »»»»»........
**File C:\FINDnFIX\LIST.TXT

»»»»» (*3*) »»»»»........

No matches found.

unknown/hidden files...

No matches found.

»»»»» (*4*) »»»»».........
Sniffing..........
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

»»Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 398

»»Dumping Values........
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM


»»Member of...: (Admin logon required!)
User is a member of group SPITS\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.

»» Service search:(different variant) '"Network Security Service","__NS_Service_3"...

[SC] GetServiceKeyName FAILED 1060:

The specified service does not exist as an installed service.

[SC] GetServiceDisplayName FAILED 1060:

The specified service does not exist as an installed service.


»»Dir 'junkxxx' was created with the following permissions...
(FAT32=NA)
Directory "C:\junkxxx"
Permissions:
NA

Auditing:
NA

Owner: \Everyone

Primary Group: \Everyone



»»»»»»Backups created...»»»»»»
7:12pm up 0 days, 0:08
28.06.2004

A C:\FINDnFIX\winBack.hiv
--a-- - - - - - 8,192 06-27-2004 winback.hiv
A C:\FINDnFIX\keys1\winkey.reg
--a-- - - - - - 268 06-27-2004 winkey.reg

»»Performing 16bit string scan....

---------- WIN.TXT
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

Windows
UDeviceNotSelectedTimeout
zGDIProcessHandleQuota"
Spooler2
=pswapdisk
TransmissionRetryTimeout
USERProcessHandleQuota,

**File C:\FINDnFIX\WIN.TXT


#12 Racktracker

Racktracker

    Hunter of Malware

  • Retired Staff
  • PipPipPipPipPip
  • 1,306 posts

Posted 29 June 2004 - 08:02 AM

Run these free online virus scans.
http://housecall.trendmicro.com/
http://www.pandasoft...n_principal.htm

Open Adaware and check to see that you have the most recent updates.
Now do the following:
- Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:
check: "Unload recognized processes during scanning."
- Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:
Check: "Let Windows remove files in use after reboot."
Press "Scan Now"
- Check option "Use Custom scanning options"
- Check option "Activate In-Depth Scan"
- Press "Select drives\folders to scan"
- Select the active partition which is usually C:
Now press "Next" to let Ad-aware scan your drives...
It will find a number of "bad" files and registry keys.
Right-click in that pane and choose "select all"
Now press "Next" again.
It will ask you whether you'd like to remove all checked items. Click OK.
Finally, close Ad-Aware, and reboot.

Run shredder again and see is searchx shows up.

Thanks FAL
I mistakenly thought that was a positive hit for the registry key.

Edited by Racktracker, 29 June 2004 - 08:18 AM.

Posted Image

#13 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • PipPipPipPipPip
  • 833 posts

Posted 29 June 2004 - 08:13 AM

Click Start>Run and type regedit.
Press enter.

Navigate to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\__NS_Service_3

If __NS_Service_3 exists , right click on it and choose delete from the menu.

Now navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY___NS_Service_3

If LEGACY___NS_Service_3
exists then right click on it and choose delete from the menu.

Close regedit.

I does not exist! :weee:

I only added this check to find the other cws variant...
Hence the output: :scratchhead:

»» Service search:(different variant) '"Network Security Service","__NS_Service_3"...

[SC] GetServiceKeyName FAILED 1060:

The specified service does not exist as an installed service.

[SC] GetServiceDisplayName FAILED 1060:

The specified service does not exist as an installed service.

;)
Submit Files: Posted Image
----------------------------------------------------------------------
Posted ImagePosted ImagePosted Image

#14 spits

spits

    Member

  • Full Member
  • Pip
  • 17 posts

Posted 29 June 2004 - 05:10 PM

Hej Racktracker! Now I have done what you said an unfortunately CWS.Searckx came back when I ran CWShredder...

Here is the result of scanning with Trendmicro:
Infected files found with Trendmicro


TROJ PORNDIAL.BP C:\ WINDOWS \system\teen.exe
VBS STARTPAGE.I C:\WINDOWS\odbc.hta
TROJ DELF.CY C:\WINDOWS\fierm.exe
JAVA BYTEVER.A C:\Documents and Settings\Gisl…JAVA BYTEVER.A C:\Documents and Settings\Gisl…JAVA BYTEVER.A C:\Documents and Settings\Gisl…JAVA BYTEVER.A C:\Documents and Settings\Gisl…TROJ DELF.CY C:\Documents and Settings\Gisl…
DOS MASSMSG.A C:\Documents and Settings\Gisl…
TROJ ISTBAR.K C:\Documents and Settings\Gisl…
TROJ XMEDIA.E C:\System Volume Information\_...
TROJ PORNDIAL.BP C:\System Volume Information\_...
VBS STARTPAGE.I C:\System Volume Information\_...


I deleted all this files…

#15 spits

spits

    Member

  • Full Member
  • Pip
  • 17 posts

Posted 29 June 2004 - 05:26 PM

upps not finished with my last reply...

Infected files found with Trendmicro


TROJ PORNDIAL.BP C:\ WINDOWS \system\teen.exe
VBS STARTPAGE.I C:\WINDOWS\odbc.hta
TROJ DELF.CY C:\WINDOWS\fierm.exe
JAVA BYTEVER.A C:\Documents and Settings\Gisl…JAVA BYTEVER.A C:\Documents and Settings\Gisl…JAVA BYTEVER.A C:\Documents and Settings\Gisl…JAVA BYTEVER.A C:\Documents and Settings\Gisl…TROJ DELF.CY C:\Documents and Settings\Gisl…
DOS MASSMSG.A C:\Documents and Settings\Gisl…
TROJ ISTBAR.K C:\Documents and Settings\Gisl…
TROJ XMEDIA.E C:\System Volume Information\_...
TROJ PORNDIAL.BP C:\System Volume Information\_...
VBS STARTPAGE.I C:\System Volume Information\_...


I deleted all this files…(I hope!!!)

Here is the result of scanning with Activescan

Incident Status Location

Virus:Trj/Downloader.JT Disinfected Operating system
Virus:Trj/Downloader.JT Disinfected C:\WINDOWS\system32\regsvc.exe
Virus:Trj/Downloader.JT Disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KUD5LV20\exe[1].bin
Virus:Trj/Xmedia.C Disinfected C:\Documents and Settings\Gisle\Local Settings\Temporary Internet Files\Content.IE5\GBIUMZ4V\l101[1].exe
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Gisle\Local Settings\Temporary Internet Files\Content.IE5\GBIUMZ4V\nocheat[1].jar[Counter.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Gisle\Local Settings\Temporary Internet Files\Content.IE5\GBIUMZ4V\nocheat[1].RB0[Counter.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Gisle\Local Settings\Temporary Internet Files\Content.IE5\GBIUMZ4V\nocheat[1].RB0[Parser.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Gisle\Local Settings\Temporary Internet Files\Content.IE5\GBIUMZ4V\nocheat[1].RB0[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Gisle\Local Settings\Temporary Internet Files\Content.IE5\V23QCZQ3\playup_pr25[1].RB0[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Gisle\Local Settings\Temporary Internet Files\Content.IE5\V23QCZQ3\playup_pr25[1].RB0[Dummy.class]
Virus:Trj/Runet.A Disinfected C:\Documents and Settings\Gisle\Local Settings\Temporary Internet Files\Content.IE5\FZX9EK8B\load[1].htm
Virus:W32/Netsky.D.worm Disinfected Personal Folders\Deleted Items\Re: Your website\your_website.pif
Virus:W32/Netsky.D.worm Disinfected Personal Folders\Deleted Items\Re: Document\your_document.pif
Virus:W32/Netsky.P.worm Disinfected Personal Folders\Deleted Items\Shocking document\document05.doc .pif
Virus:W32/Mitglieder.V.worm Disinfected C:\Program Files\Windows Media Player\wmplayer.exe.tmp
Virus:Trj/StartPage.FH Disinfected C:\RECYCLED\Dc47.zip\backup-20040627-214502-382.dll
Virus:Trj/Runet.A Disinfected C:\FOUND.029\FILE0005.CHK
Virus:Trj/Runet.A Disinfected C:\FOUND.029\FILE0006.CHK
I hope i did everything right. I am not so familiar with this kind of operations with my pc........

So it seems this one (CWS.Searchx) is a tricky one.... My only trust to get this away is you Ricktracker, so i hope you not will give it up..... Thank you so much for your kindness and I hope you will reply me as soon as possible... Sorry my bad english!!

#16 spits

spits

    Member

  • Full Member
  • Pip
  • 17 posts

Posted 29 June 2004 - 05:45 PM

IT's GONE!!!!!!!!!!!! I tried CWShredder ones more time and now everything seem to be okej. It look's like CWShredder finally managed to delete the file.......

If you don't have any more comment's from my recent reply's I want take more of your time.... Thank you once again Racktracker!!!! This forum is very helpfull and i will talk to my friends about it!!!

#17 Racktracker

Racktracker

    Hunter of Malware

  • Retired Staff
  • PipPipPipPipPip
  • 1,306 posts

Posted 29 June 2004 - 06:49 PM

I'm glad you got it fixed.

You should read this to help prevent future problems.

So how did I get infected
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button