• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
Larscha

CWS sp.html Hijack

9 posts in this topic

Hello everyone, I would like to start of with saying tanks to everyone who takes their time to read this post.

 

I recently bought a copy of SpySweeper, and started scanning my system, I got about 90 spyware/spy cookies, 89 of them could be deleted. The one leftover was "CWS sp.html Hijack". It had 4 traces in the registry, that changed my SearchBar and SearchPage in Internet Explorer. I have tried to remove this with some software, including Adaware, Spybot, CWShredder. The only one that finds somekind of trouble is CWShredder (also Hijack This, logfile at bottom of post). It asks me about a file called "TEMPNER3FA14CCB.EXE" and its home directory is C:\Windows\, and if i should deleted of not. I dont know what it is so I followed the advice CWShredder gave me, to go here to you guys, trying to find an answer.

 

If anyone knows how SpySweeper works, youll probably understand that it has found the problem, put it in Quarantine and then deleted it, but it just keeps returning. It wont go away..

 

I have read the FAQ here, and that didn't help me, I have asked the guys at webroot(the manufacturer of SpySweeper) but they wont help me.. So now after a week of trying to delete this thing I have decided to get help here. Please help me..

All help is appreciated!

 

Here is a logfile from hijack this if it helps you, I dont dare to change everything, so please have a look at it..

 

Logfile of HijackThis v1.98.0

Scan saved at 14:42:06, on 2004-07-06

Platform: Windows ME (Win9x 4.90.3000)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\STIMON.EXE

C:\WINDOWS\SYSTEM\MDM.EXE

C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE

C:\PROGRAM\VANLIGA FILER\SYMANTEC SHARED\SYMTRAY.EXE

C:\PROGRAM\VANLIGA FILER\SYMANTEC SHARED\CCEVTMGR.EXE

C:\WINDOWS\SYSTEM\DEVLDR16.EXE

C:\PROGRAM\VANLIGA FILER\SYMANTEC SHARED\CCSETMGR.EXE

C:\PROGRAM\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE

C:\PROGRAM\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE

C:\PROGRAM\NORTON SYSTEMWORKS\NORTON GHOST\GHOSTSTARTSERVICE.EXE

C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\PROGRAM\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WND.EXE

C:\PROGRAM\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE

C:\WINDOWS\LOADQM.EXE

C:\PROGRAM\IOMEGA\DRIVEICONS\IMGICON.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\PROGRAM\VANLIGA FILER\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE

C:\PROGRAM\VANLIGA FILER\SYMANTEC SHARED\CCAPP.EXE

C:\PROGRAM\ZONE LABS\ZONEALARM\ZLCLIENT.EXE

C:\PROGRAM\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINSM32.EXE

C:\PROGRAM\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\Monwow.exe

C:\PROGRAM\SPY SWEEPER\SPYSWEEPER.EXE

C:\DOWNLOAD\SPYWARE REMOVAL\HIJACKTHIS.EXE

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.se/Default.asp?Ath=f

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = login1.telia.com;<local>

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX

O2 - BHO: (no name) - {A3071867-E547-289E-1A89-9AB7219169D7} - (no file)

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton SystemWorks\Norton Antivirus\NavShExt.dll

O2 - BHO: (no name) - {5B19D40B-1281-4833-839D-3D6F65EEDBCB} - (no file)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton SystemWorks\Norton Antivirus\NavShExt.dll

O4 - HKLM\..\Run: [scanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe

O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [HP SchedIndexer] C:\Program\Hewlett-Packard\LaserJet All-in-one\hppschedindexer.exe

O4 - HKLM\..\Run: [HP AutoIndexer] C:\Program\Hewlett-Packard\LaserJet All-in-one\hppautoindexer.exe

O4 - HKLM\..\Run: [speed racer] C:\Program\Creative\PlayCenter\CTSRReg.exe

O4 - HKLM\..\Run: [AudioHQ] C:\Program\Creative\SBLive\AudioHQ\AHQTB.EXE

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\Updreg.exe

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKLM\..\Run: [iomega Startup Options] C:\Program\Iomega\Common\ImgStart.exe

O4 - HKLM\..\Run: [iomega Drive Icons] C:\Program\Iomega\DriveIcons\ImgIcon.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [symantec Core LC] C:\Program\Vanliga filer\Symantec Shared\CCPD-LC\symlcsvc.exe start

O4 - HKLM\..\Run: [ccApp] "C:\Program\Vanliga filer\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [NPROTECT] C:\Program\Norton SystemWorks\Norton Utilities\Nprotect.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime

O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRAM\ZONELA~1\ZONEAL~1\zlclient.exe

O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe

O4 - HKLM\..\RunServices: [stillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE

O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE

O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service

O4 - HKLM\..\RunServices: [symTray - Norton SystemWorks] C:\Program\Vanliga filer\Symantec Shared\SymTray.exe "Norton SystemWorks"

O4 - HKLM\..\RunServices: [scriptBlocking] "C:\Program\Vanliga filer\Symantec Shared\Script Blocking\SBServ.exe" -reg

O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program\Vanliga filer\Symantec Shared\ccEvtMgr.exe"

O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program\Vanliga filer\Symantec Shared\ccSetMgr.exe"

O4 - HKLM\..\RunServices: [NPROTECT] C:\Program\Norton SystemWorks\Norton Utilities\Nprotect.exe

O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program\Norton SystemWorks\Norton CleanSweep\csinject.exe

O4 - HKLM\..\RunServices: [GhostStartService] C:\PROGRAM\NORTON SYSTEMWORKS\NORTON GHOST\GHOSTSTARTSERVICE.EXE

O4 - HKCU\..\Run: [spySweeper] "C:\Program\Spy Sweeper\SPYSWEEPER.EXE" /0

O4 - HKCU\..\RunServices: [spySweeper] "C:\Program\Spy Sweeper\SPYSWEEPER.EXE" /0

O4 - Startup: HP LaserJet Director.lnk = C:\Program\Hewlett-Packard\LaserJet All-in-one\hppdirector.exe

O4 - Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office\OSA9.EXE

O4 - Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program\Norton SystemWorks\Norton CleanSweep\csinsm32.exe

O4 - Startup: Adobe Gamma Loader.lnk = C:\Program\Vanliga filer\Adobe\Calibration\Adobe Gamma Loader.exe

O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB

O16 - DPF: {5D1E3FA5-64FF-4387-9418-F1D67AFB2247} (MaxisSuperstarTeleX Control) - http://thesims.ea.com/teleport/superstar/M...erstarTeleX.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab

O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab

O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://www.ea.com/downloads/rtpatch/EARTPX.cab

O16 - DPF: {F0B63C6D-4CDB-11D3-8CE6-CA9CFC28F360} (ZoomObj Class) - http://www.inzomia.com/files/inzomia.exe

O20 - AppInit_DLLs: apitrap.dll;

O21 - SSODL: AUHook - {BCBCD383-3E06-11D3-91A9-00C04F68105C} - C:\WINDOWS\SYSTEM\AUHOOK.DLL

Share this post


Link to post
Share on other sites

Hello me and Zero are working on your problem together in the chat room.

 

Edit: Please wait while we work on your solution.

 

 

 

In the meantime. Even though it is not 100% effective on this variant.

 

Please download About:Buster and unzip it to your desktop. Start it, hit Ok, Start, And Ok again to start the scan. It will generate a log. Post that log along with a new Hijack this log here.

Edited by RubbeR DuckY

Share this post


Link to post
Share on other sites

I just want you to know that I greatly appreciate your help.

 

I ran the AboutBuster, and I dont know if this is what your looking for, all I got was:

 

About:Buster Version 1.25

Attempted Clean Of Temp folder.

Pages Reset... Done!

 

I have used Hijack This again, and here is the log:

 

Logfile of HijackThis v1.98.0

Scan saved at 09:39:45, on 2004-07-07

Platform: Windows ME (Win9x 4.90.3000)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\WINDOWS\SYSTEM\DEVLDR16.EXE

C:\WINDOWS\SYSTEM\STIMON.EXE

C:\WINDOWS\SYSTEM\MDM.EXE

C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE

C:\PROGRAM\VANLIGA FILER\SYMANTEC SHARED\SYMTRAY.EXE

C:\PROGRAM\VANLIGA FILER\SYMANTEC SHARED\CCEVTMGR.EXE

C:\PROGRAM\VANLIGA FILER\SYMANTEC SHARED\CCSETMGR.EXE

C:\PROGRAM\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE

C:\PROGRAM\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE

C:\PROGRAM\NORTON SYSTEMWORKS\NORTON GHOST\GHOSTSTARTSERVICE.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\PROGRAM\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WND.EXE

C:\PROGRAM\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE

C:\WINDOWS\LOADQM.EXE

C:\PROGRAM\IOMEGA\DRIVEICONS\IMGICON.EXE

C:\PROGRAM\VANLIGA FILER\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\PROGRAM\VANLIGA FILER\SYMANTEC SHARED\CCAPP.EXE

C:\PROGRAM\ZONE LABS\ZONEALARM\ZLCLIENT.EXE

C:\PROGRAM\SPY SWEEPER\SPYSWEEPER.EXE

C:\PROGRAM\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINSM32.EXE

C:\PROGRAM\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\Monwow.exe

C:\WINDOWS\SYSTEM\PSTORES.EXE

C:\WINDOWS\SYSTEM\WINOA386.MOD

C:\WINDOWS\SYSTEM\WINOA386.MOD

C:\DOWNLOAD\SPYWARE REMOVAL\HIJACKTHIS.EXE

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.se/Default.asp?Ath=f

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.se/Default.asp?Ath=f

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = login1.telia.com;<local>

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX

O2 - BHO: (no name) - {A3071867-E547-289E-1A89-9AB7219169D7} - (no file)

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton SystemWorks\Norton Antivirus\NavShExt.dll

O2 - BHO: (no name) - {5B19D40B-1281-4833-839D-3D6F65EEDBCB} - (no file)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton SystemWorks\Norton Antivirus\NavShExt.dll

O4 - HKLM\..\Run: [scanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe

O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [HP SchedIndexer] C:\Program\Hewlett-Packard\LaserJet All-in-one\hppschedindexer.exe

O4 - HKLM\..\Run: [HP AutoIndexer] C:\Program\Hewlett-Packard\LaserJet All-in-one\hppautoindexer.exe

O4 - HKLM\..\Run: [speed racer] C:\Program\Creative\PlayCenter\CTSRReg.exe

O4 - HKLM\..\Run: [AudioHQ] C:\Program\Creative\SBLive\AudioHQ\AHQTB.EXE

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\Updreg.exe

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKLM\..\Run: [iomega Startup Options] C:\Program\Iomega\Common\ImgStart.exe

O4 - HKLM\..\Run: [iomega Drive Icons] C:\Program\Iomega\DriveIcons\ImgIcon.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [symantec Core LC] C:\Program\Vanliga filer\Symantec Shared\CCPD-LC\symlcsvc.exe start

O4 - HKLM\..\Run: [ccApp] "C:\Program\Vanliga filer\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [NPROTECT] C:\Program\Norton SystemWorks\Norton Utilities\Nprotect.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime

O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRAM\ZONELA~1\ZONEAL~1\zlclient.exe

O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe

O4 - HKLM\..\RunServices: [stillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE

O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE

O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service

O4 - HKLM\..\RunServices: [symTray - Norton SystemWorks] C:\Program\Vanliga filer\Symantec Shared\SymTray.exe "Norton SystemWorks"

O4 - HKLM\..\RunServices: [scriptBlocking] "C:\Program\Vanliga filer\Symantec Shared\Script Blocking\SBServ.exe" -reg

O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program\Vanliga filer\Symantec Shared\ccEvtMgr.exe"

O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program\Vanliga filer\Symantec Shared\ccSetMgr.exe"

O4 - HKLM\..\RunServices: [NPROTECT] C:\Program\Norton SystemWorks\Norton Utilities\Nprotect.exe

O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program\Norton SystemWorks\Norton CleanSweep\csinject.exe

O4 - HKLM\..\RunServices: [GhostStartService] C:\PROGRAM\NORTON SYSTEMWORKS\NORTON GHOST\GHOSTSTARTSERVICE.EXE

O4 - HKCU\..\Run: [spySweeper] "C:\Program\Spy Sweeper\SPYSWEEPER.EXE" /0

O4 - Startup: HP LaserJet Director.lnk = C:\Program\Hewlett-Packard\LaserJet All-in-one\hppdirector.exe

O4 - Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office\OSA9.EXE

O4 - Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program\Norton SystemWorks\Norton CleanSweep\csinsm32.exe

O4 - Startup: Adobe Gamma Loader.lnk = C:\Program\Vanliga filer\Adobe\Calibration\Adobe Gamma Loader.exe

O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB

O16 - DPF: {5D1E3FA5-64FF-4387-9418-F1D67AFB2247} (MaxisSuperstarTeleX Control) - http://thesims.ea.com/teleport/superstar/M...erstarTeleX.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab

O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab

O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://www.ea.com/downloads/rtpatch/EARTPX.cab

O16 - DPF: {F0B63C6D-4CDB-11D3-8CE6-CA9CFC28F360} (ZoomObj Class) - http://www.inzomia.com/files/inzomia.exe

O20 - AppInit_DLLs: apitrap.dll;

O21 - SSODL: AUHook - {BCBCD383-3E06-11D3-91A9-00C04F68105C} - C:\WINDOWS\SYSTEM\AUHOOK.DLL

 

Once again, thank you for helping me out.

Share this post


Link to post
Share on other sites

Your problem is different..

 

Download ''Win98fix.zip" from the 'FINDnFIX' page link in my signature!

 

Unzip the folder, DoubleClick on->"Scan.bat" file.

It'll run for few seconds and produce a log. (file.txt)

Post it here!

Share this post


Link to post
Share on other sites

Here you go:

 

»»»»»»»»»»»»»»»»»»***LOG!***»»»»»»»»»»»»»»»»

 

Scanning for file(s)...

»»»»» (*1*) »»»»»........

 

 

»»»»» (*2*) »»»»»........

**File C:\DOWNLOAD\SPYWAR~1\WIN98FIX\WIN98FIX\LIST.TXT

 

»»»»» (*3*) »»»»»........

 

No matches found.

 

No matches found.

 

unknown/hidden files...

 

No matches found.

 

»»»»» (*4*) »»»»».........

Sniffing..........

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

 

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

 

»»Dumping Values........

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce\ NONE

 

 

 

Want you to know that I appreciate all help I can get.

Share this post


Link to post
Share on other sites

No traces in current scan. ummmm :scratchhead:

It worked on the same variant on my 98 box.

 

There is a fix included. Won't hurt to use it.

 

In the Win98fix folder DoubleClick on the "Fix.bat" file.

You will get msgbox prompt to restart.

Restart your computer.

 

Run hijackthis and fix

--R1/R0 lines , ending with-- (sp.html)

--O2 -BHO, ending with -- (no file)

Delete the sp.html file from Windows\temp folder

 

 

Wait a while and post fresh

hijackthis log along with new scan from Scan.bat file.

Share this post


Link to post
Share on other sites

So, I did everything as you told me, until the line with deleting sp.html in the temp folder.. There is no such file there, I tried turning on show all hidden systemfiles etc, but no file thats named sp.html...

 

I'll post a Hijack this and a Scan.bat file:

 

 

Logfile of HijackThis v1.98.0

Scan saved at 09:49:58, on 2004-07-08

Platform: Windows ME (Win9x 4.90.3000)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\WINDOWS\SYSTEM\STIMON.EXE

C:\WINDOWS\SYSTEM\MDM.EXE

C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE

C:\PROGRAM\VANLIGA FILER\SYMANTEC SHARED\SYMTRAY.EXE

C:\WINDOWS\SYSTEM\DEVLDR16.EXE

C:\PROGRAM\VANLIGA FILER\SYMANTEC SHARED\CCEVTMGR.EXE

C:\PROGRAM\VANLIGA FILER\SYMANTEC SHARED\CCSETMGR.EXE

C:\WINDOWS\EXPLORER.EXE

C:\PROGRAM\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE

C:\PROGRAM\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE

C:\PROGRAM\NORTON SYSTEMWORKS\NORTON GHOST\GHOSTSTARTSERVICE.EXE

C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\PROGRAM\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WND.EXE

C:\PROGRAM\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE

C:\WINDOWS\LOADQM.EXE

C:\PROGRAM\IOMEGA\DRIVEICONS\IMGICON.EXE

C:\PROGRAM\VANLIGA FILER\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\PROGRAM\VANLIGA FILER\SYMANTEC SHARED\CCAPP.EXE

C:\PROGRAM\ZONE LABS\ZONEALARM\ZLCLIENT.EXE

C:\PROGRAM\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINSM32.EXE

C:\PROGRAM\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\Monwow.exe

C:\WINDOWS\NOTEPAD.EXE

C:\PROGRAM\INTERNET EXPLORER\IEXPLORE.EXE

C:\PROGRAM\SPY SWEEPER\SPYSWEEPER.EXE

C:\DOWNLOAD\SPYWARE REMOVAL\HIJACKTHIS.EXE

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.se/Default.asp?Ath=f

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.se/Default.asp?Ath=f

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = login1.telia.com;<local>

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton SystemWorks\Norton Antivirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton SystemWorks\Norton Antivirus\NavShExt.dll

O4 - HKLM\..\Run: [scanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe

O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [HP SchedIndexer] C:\Program\Hewlett-Packard\LaserJet All-in-one\hppschedindexer.exe

O4 - HKLM\..\Run: [HP AutoIndexer] C:\Program\Hewlett-Packard\LaserJet All-in-one\hppautoindexer.exe

O4 - HKLM\..\Run: [speed racer] C:\Program\Creative\PlayCenter\CTSRReg.exe

O4 - HKLM\..\Run: [AudioHQ] C:\Program\Creative\SBLive\AudioHQ\AHQTB.EXE

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\Updreg.exe

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKLM\..\Run: [iomega Startup Options] C:\Program\Iomega\Common\ImgStart.exe

O4 - HKLM\..\Run: [iomega Drive Icons] C:\Program\Iomega\DriveIcons\ImgIcon.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [symantec Core LC] C:\Program\Vanliga filer\Symantec Shared\CCPD-LC\symlcsvc.exe start

O4 - HKLM\..\Run: [ccApp] "C:\Program\Vanliga filer\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [NPROTECT] C:\Program\Norton SystemWorks\Norton Utilities\Nprotect.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime

O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRAM\ZONELA~1\ZONEAL~1\zlclient.exe

O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe

O4 - HKLM\..\RunServices: [stillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE

O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE

O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service

O4 - HKLM\..\RunServices: [symTray - Norton SystemWorks] C:\Program\Vanliga filer\Symantec Shared\SymTray.exe "Norton SystemWorks"

O4 - HKLM\..\RunServices: [scriptBlocking] "C:\Program\Vanliga filer\Symantec Shared\Script Blocking\SBServ.exe" -reg

O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program\Vanliga filer\Symantec Shared\ccEvtMgr.exe"

O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program\Vanliga filer\Symantec Shared\ccSetMgr.exe"

O4 - HKLM\..\RunServices: [NPROTECT] C:\Program\Norton SystemWorks\Norton Utilities\Nprotect.exe

O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program\Norton SystemWorks\Norton CleanSweep\csinject.exe

O4 - HKLM\..\RunServices: [GhostStartService] C:\PROGRAM\NORTON SYSTEMWORKS\NORTON GHOST\GHOSTSTARTSERVICE.EXE

O4 - HKCU\..\Run: [spySweeper] "C:\Program\Spy Sweeper\SPYSWEEPER.EXE" /0

O4 - HKCU\..\RunServices: [spySweeper] "C:\Program\Spy Sweeper\SPYSWEEPER.EXE" /0

O4 - Startup: HP LaserJet Director.lnk = C:\Program\Hewlett-Packard\LaserJet All-in-one\hppdirector.exe

O4 - Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office\OSA9.EXE

O4 - Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program\Norton SystemWorks\Norton CleanSweep\csinsm32.exe

O4 - Startup: Adobe Gamma Loader.lnk = C:\Program\Vanliga filer\Adobe\Calibration\Adobe Gamma Loader.exe

O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB

O16 - DPF: {5D1E3FA5-64FF-4387-9418-F1D67AFB2247} (MaxisSuperstarTeleX Control) - http://thesims.ea.com/teleport/superstar/M...erstarTeleX.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab

O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab

O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://www.ea.com/downloads/rtpatch/EARTPX.cab

O16 - DPF: {F0B63C6D-4CDB-11D3-8CE6-CA9CFC28F360} (ZoomObj Class) - http://www.inzomia.com/files/inzomia.exe

O20 - AppInit_DLLs: apitrap.dll;

O21 - SSODL: AUHook - {BCBCD383-3E06-11D3-91A9-00C04F68105C} - C:\WINDOWS\SYSTEM\AUHOOK.DLL

 

 

 

 

 

 

 

 

 

 

»»»»»»»»»»»»»»»»»»***LOG!***»»»»»»»»»»»»»»»»

 

Scanning for file(s)...

»»»»» (*1*) »»»»»........

 

 

»»»»» (*2*) »»»»»........

**File C:\DOWNLOAD\SPYWAR~1\WIN98FIX\WIN98FIX\LIST.TXT

 

»»»»» (*3*) »»»»»........

 

No matches found.

 

No matches found.

 

unknown/hidden files...

 

No matches found.

 

»»»»» (*4*) »»»»».........

Sniffing..........

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

 

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

 

»»Dumping Values........

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce\ NONE

 

 

 

 

 

 

 

 

 

You don't think I should delete the "TEMPNER3FA14CCB.EXE" file that CWShredder found?

 

 

Thanks for all your help!

Share this post


Link to post
Share on other sites
Sign in to follow this  
Followers 0