• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
rkingz

CWS Hijacked, trouble removing

10 posts in this topic

Okay, I know this is probably a very familliar story, guy is supposed to be looking at Real Estate sites per wife, guy gets bored, guy decides to see if he can find naked Paris pics, Guy gets Hijacked and is going to killed if wife finds the computer looking like this. TMI??? I don't care really, time for discretion is over, I really could use help.

 

So far I have and ran lastest updates Of Spybot, Norton, Adaware, Norton, Sweeper, as well as the Shredder. Shredder and Spybot didn't catch the issue, Adaware and Spy Sweeper did, however as everyone pretty much knows, it doesn't permanently fix the problem. I tried deleting, renaming, regedits, running all above software in safe mode, following advice from various sources, including reading the FAQ here, and this thing won't stay away. I have realized I know just enough to be dangerous, so if anyone can help me I would appreciate it.

 

Here is my Hijack this Log.

 

BTW: you want irony? One of the popups is for the Paris Hilton video.

 

Logfile of HijackThis v1.98.0

Scan saved at 9:08:13 AM, on 6/29/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\windows\system\hpsysdrv.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

C:\HP\KBD\KBD.EXE

C:\PROGRA~1\NORTON~1\navapw32.exe

C:\Program Files\EarthLink 5.0\ConMgr.exe

C:\Program Files\EarthLink 5.0\updatemgr.exe

C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe

C:\WINDOWS\System32\hphmon04.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\WINDOWS\System32\mrtMngr.EXE

C:\Program Files\Yahoo!\browser\ybrwicon.exe

C:\PROGRA~1\Yahoo!\browser\ycommon.exe

C:\WINDOWS\System32\gearsec.exe

c:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\2Wire\2PortalMon.exe

C:\Program Files\Winamp\Winampa.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\Program Files\hp center\137903\Shadow\ShadowBar.exe

C:\Program Files\hp center\137903\Program\BackWeb-137903.exe

C:\WINDOWS\System32\tcpsvcs.exe

C:\WINDOWS\ntsz.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Netscape\Netscape\Netscp.exe

C:\Program Files\Yahoo!\browser\ybrowser.exe

C:\WINDOWS\system32\sdkqj32.exe

C:\HTL\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie...ton/search.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/partner/more/msie...ton/search.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\cfszc.dll/sp.html#37680

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://cfszc.dll/index.html#37680

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\cfszc.dll/sp.html#37680

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\cfszc.dll/sp.html#37680

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

R3 - Default URLSearchHook is missing

F0 - system.ini: Shell=

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\mwgejxtq.slt\prefs.js)

N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\mwgejxtq.slt\prefs.js)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {4313DE2C-E41C-8EF4-24FC-30FEFEDECF0F} - C:\WINDOWS\system32\ipal.dll

O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"

O4 - HKLM\..\Run: [updateMgr.exe] "C:\Program Files\EarthLink 5.0\updatemgr.exe" /NOCM

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe

O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe

O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe

O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"

O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"

O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN

O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"

O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe

O4 - HKLM\..\Run: [iPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"

O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe

O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [sdkqj32.exe] C:\WINDOWS\system32\sdkqj32.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [spySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0

O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\plugin\bin\pchbutton.exe

O4 - Startup: PowerReg Scheduler V3.exe

O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe

O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - (no file)

O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - (no file)

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - (no file)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - (no file)

O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe

O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/18228d35ce619e...ip/RdxIE601.cab

O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.y...ctl_0_0_0_1.ocx

O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab

O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab

 

Thanks!

Share this post


Link to post
Share on other sites

Just to let you know I'm looking at your log and I'll get back to you as soon as possible

Share this post


Link to post
Share on other sites

rkingz, could you try to define exactly from what web site you has has got infection? Try investigate this- look at your IE history, use approx date/time Its important try to fix this source, if possible.

Edited by santander

Share this post


Link to post
Share on other sites

Hello rkingz

 

You have one of the new coolwebsearch hijacks, but we need to clear some other things before we deal with it.

 

Close all other windows except for hijackthis, perform a scan and put a check against the following items and click 'fix checked'. After that, Reboot.

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R3 - Default URLSearchHook is missing

 

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/18228d35ce619e...ip/RdxIE601.cab

 

These items are considered to be resource hogs that are not needed and it may be worthwhile to fix them with HJT. You will still be able to start them manually if you need them...

 

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

 

You have PowerReg Scheduler in your log. This is a registration reminder that is used by a number of different companies. It is not needed and some people think that it reports back to the company about your computer, so I suggest fixing it...

 

O4 - Startup: PowerReg Scheduler V3.exe

 

The same principal applies to Backweb, its part of legitimate programs but reports back information about your computer and is not vital to the running of HP software...

 

O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe

 

Then delete this file

C:\Program Files\hp center\137903\Program\BackWeb-137903.exe

 

You have RealPlayer running at Startup and this is not necessary. You can fix this with HJT, but you will also need to set it not to load in RealPlayer itself to keep it from resetting itself. Rename REALSCHED.EXE to REALSCHED.OLD as that is the only way to make absolutely certain that it never runs, and RealOne Player works fine without it.

 

Then fix with HJT

 

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

 

Reboot and post a fresh log and we'll move on to removing cws

 

******

 

Santander

 

I think during the time span concerned it could be a few places, this cws could have come from anywhere. There are also methods to prevent infection from bad sites in the future. Also, Please see The various helper groups here. Do join the team if you want to post help, we'd love to have you with us. :)

Share this post


Link to post
Share on other sites

Scoff,

Thanks for the advice and taking time to help me with this, especially since I picked CWS out of my own stupidity, I thought I was safeguarded pretty well.

 

Santander: I have no idea where I picked it up, Paris Hilton was involved, other than that all I know was I clicked off some windows that popped up and the hard drive just started writing like crazy. (I Hate that sound, it's the sound of being screwed.)

 

Anyway back to the issue at hand.

 

I just updated Adaware ran it and it looks like it fixed most of my issues. Spysweeper still detects a CWS_plugin that I can't seem to get rid of, but all the symptoms of CWS seem to be gone.

 

I made the corrections you suggested and if you could look at my log to see if there is anything harmful left I would appreciate it.

 

Logfile of HijackThis v1.98.0

Scan saved at 6:21:43 PM, on 7/6/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\windows\system\hpsysdrv.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

C:\HP\KBD\KBD.EXE

C:\PROGRA~1\NORTON~1\navapw32.exe

C:\Program Files\EarthLink 5.0\ConMgr.exe

C:\Program Files\EarthLink 5.0\updatemgr.exe

C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe

C:\WINDOWS\System32\hphmon04.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

C:\WINDOWS\System32\mrtMngr.EXE

C:\Program Files\Yahoo!\browser\ybrwicon.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe

C:\PROGRA~1\Yahoo!\browser\ycommon.exe

C:\Program Files\2Wire\2PortalMon.exe

C:\Program Files\Winamp\Winampa.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\System32\gearsec.exe

c:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\WINDOWS\System32\tcpsvcs.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\HJT\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie...ton/search.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/partner/more/msie...ton/search.html

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

F0 - system.ini: Shell=

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\mwgejxtq.slt\prefs.js)

N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\mwgejxtq.slt\prefs.js)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"

O4 - HKLM\..\Run: [updateMgr.exe] "C:\Program Files\EarthLink 5.0\updatemgr.exe" /NOCM

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe

O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe

O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe

O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"

O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"

O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN

O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"

O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe

O4 - HKLM\..\Run: [iPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"

O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe

O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"

O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe

O4 - HKLM\..\Run: [sdkqj32.exe] C:\WINDOWS\system32\sdkqj32.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [spySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0

O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\plugin\bin\pchbutton.exe

O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - (no file)

O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - (no file)

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - (no file)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - (no file)

O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe

O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.y...ctl_0_0_0_1.ocx

O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab

O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab

 

Thanks again for your help and advice and I will for now on limit my Paris viewing to Simple Life episodes recorded on TIVO.

Share this post


Link to post
Share on other sites

Looks like you've killed cws but the exe that causes the infection is still there, inactive, better to be on the safe side.

 

Download About:Buster by RubbeR DuckY from either of the following locations.

 

http://www.atribune.org/downloads/AboutBuster.zip

or

http://tools.zerosrealm.com/AboutBuster.zip

 

Run AboutBuster.exe, click ok, then start, then OK. This will scan your computer for the files responsible for hijacking your home and/or search settings/page. It will also produce a report - save this somewhere. Then click ok to run aboutbuster.exe again, make a copy of that report also.

 

Reboot and post a new HijackThis log along with the two reports from About:Buster.

Share this post


Link to post
Share on other sites

Scoff,

 

Here are the two reports from Buster and a new Hijack this log. Unfortunately, the 2 Buster logs are from the 2nd and 3rd time I ran it. I mistakenly closed the window the first time, and there were items deleted from the first run that don't show up in the following ones. It does seem that the Legacy file keeps popping back up after removal.

 

About:Buster Version 1.25

Attempted Clean Of Temp folder.

Removed LEGACY___NS_Service_3 Key

Pages Reset... Done!

 

 

 

About:Buster Version 1.25

Attempted Clean Of Temp folder.

Removed LEGACY___NS_Service_3 Key

Pages Reset... Done!

 

 

 

ogfile of HijackThis v1.98.0

Scan saved at 6:24:08 PM, on 7/7/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\windows\system\hpsysdrv.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

C:\HP\KBD\KBD.EXE

C:\PROGRA~1\NORTON~1\navapw32.exe

C:\Program Files\EarthLink 5.0\ConMgr.exe

C:\Program Files\EarthLink 5.0\updatemgr.exe

C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe

C:\WINDOWS\System32\hphmon04.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\WINDOWS\System32\mrtMngr.EXE

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe

C:\PROGRA~1\Yahoo!\browser\ycommon.exe

C:\Program Files\2Wire\2PortalMon.exe

C:\Program Files\Winamp\Winampa.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\System32\gearsec.exe

c:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\tcpsvcs.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\PROGRA~1\Yahoo!\MESSEN~1\YPAGER.EXE

C:\Program Files\Yahoo!\browser\ybrwicon.exe

C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for AboutBuster.zip\AboutBuster.exe

C:\HJT\AboutBuster\AboutBuster.exe

C:\HJT\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie...ton/search.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/partner/more/msie...ton/search.html

F0 - system.ini: Shell=

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\mwgejxtq.slt\prefs.js)

N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\mwgejxtq.slt\prefs.js)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"

O4 - HKLM\..\Run: [updateMgr.exe] "C:\Program Files\EarthLink 5.0\updatemgr.exe" /NOCM

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe

O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe

O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe

O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"

O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"

O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN

O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"

O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe

O4 - HKLM\..\Run: [iPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"

O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe

O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"

O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe

O4 - HKLM\..\Run: [sdkqj32.exe] C:\WINDOWS\system32\sdkqj32.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [spySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0

O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\plugin\bin\pchbutton.exe

O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - (no file)

O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - (no file)

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - (no file)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - (no file)

O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe

O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.y...ctl_0_0_0_1.ocx

O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab

O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab

 

Once again, thanks for your assistance, it is GREATLY appreciated.

 

Thanks

Rkingz

Share this post


Link to post
Share on other sites

Cws hasn't come back so it looks like this is a remnant.

 

Boot your computer and start in safe mode. To do this, press the F8 key repeatedly as the computer starts up until you see a menu screen (if Windows starts normally, restart it again). Use the arrow keys to highlight "Safe Mode" and press Enter. For further information on safe mode click here

 

Make sure you have all hidden files shown

 

Delete the following entries:

Files

C:\WINDOWS\system32\sdkqj32.exe

 

Then empty your temporary directories (the contents - not delete the directories themselves)

  • C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <=This will delete all your cached internet content including cookies. This is recommended and strongly suggested
  • C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
  • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
  • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
  • Empty your "Recycle Bin"

Some tips to help prevent this happening again.

 

SpywareBlaster will block bad ActiveX and malevolent cookies.

 

IE-SPYAD puts over 4000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

 

Both are very small free programs that you run once, and then just occasionally to check for updates.

 

If you don't have an up to date hosts file it might be a good idea to replace it with a new one. This will help you block bad sites and ad servers. In windows explorer go to C:\WINDOWS\System32\Drivers\Etc, locate the file called hosts (no file extension) and rename it to hosts.old. Then download MVPS hosts file and extract it to the exact same location.

 

It may be worth reading How did I get infected in the first place?

Share this post


Link to post
Share on other sites

Scoff,

 

I did everything you said, however, I could not locate the C:\windows\system32\sfkqj32.exe file. I did a manual and auto search 15 different ways and I couldn't find it.

 

Is there anything else I need to do?

 

I truly appreciate your help, I am never surprised when some idiot unleashes a virus or some type of annoying spyware, but I am always impressed when people reach out to help others in whatever way they can.

 

I am very grateful,

Rkingz

Share this post


Link to post
Share on other sites

Don't worry, thats good. It means that the file is gone and its the registry entry only thats showing up in the log. For the sake of completeness have HJT fix this line.

 

O4 - HKLM\..\Run: [sdkqj32.exe] C:\WINDOWS\system32\sdkqj32.exe

 

and you're good to go.

 

Happy surfing.

Share this post


Link to post
Share on other sites
Sign in to follow this  
Followers 0