Please help me get rid of this.


24 replies to this topic

#1 obscenity

obscenity

    Member

  • Full Member
  • Pip
  • 28 posts

Posted 15 July 2004 - 03:45 PM

A while ago I got infected with CWS because of something my brother downloaded. It hijacked Windows Media Player, and it installs spyware when I try to open something in it. When I run CWShredder, it crashes when it gets to cws.smartsearch. I run the miniremoval_coolwebsearch_smartkiller, but it says I am not infected. I got the most up-to-date CWShredder and Ad-Aware but I am still getting popups and WMP crashes. Also, AIM tries to sign on sometimes to put up an away message with a link to spyware. It's getting VERY frustrating. Here's my HijackThis log.


Logfile of HijackThis v1.98.0
Scan saved at 4:39:38 PM, on 7/15/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\kdx\KHost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\NETSTATT.EXE
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\BHODemon\BHODemon.exe
C:\WINDOWS\System32\WRT01S.exe
C:\WINDOWS\System32\APIT.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://default-homep...art.cgi?np-hkcu
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 63.227.76.27:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL (disabled by BHODemon)
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL (disabled by BHODemon)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (disabled by BHODemon)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Microsoft Wininit (System33r)] system33r.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Yahoo Messenger] NETSTATT.EXE
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [WRT01S] C:\WINDOWS\System32\WRT01S.exe
O4 - HKLM\..\Run: [APIT] C:\WINDOWS\System32\APIT.exe
O4 - HKLM\..\RunServices: [Microsoft Wininit (System33r)] system33r.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [sr64] C:\Documents and Settings\rent-a-center\Application Data\Microsoft\sr64\ceognkal.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\RunOnce: [Yahoo Messenger] NETSTATT.EXE
O4 - Startup: BHODemon.lnk = C:\Program Files\BHODemon\BHODemon.exe
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O4 - Global Startup: LimeWire 4.0.5.lnk = C:\Program Files\LimeWire\LimeWire 4.0.5\LimeWire.exe
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://bar.mywebsear...html?p=ZNxdm414
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Blubster Support - file://C:\Program Files\BlubsterSupport\System\Temp\blubstershop_script0.htm
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: SEARCH - {FE5A1910-F121-11d2-BE9E-01C04A7936B1} - http://www.zapros.com/find.htm (file missing)
O9 - Extra button: ENTERTAINMENT - {FE5A1910-F121-11d2-BE9E-01C04A7936B2} - http://www.zapros.com/av.htm (file missing)
O9 - Extra button: PILLS - {FE5A1910-F121-11d2-BE9E-01C04A7936B3} - http://www.zapros.com/med.htm (file missing)
O9 - Extra button: SECURITY - {FE5A1910-F121-11d2-BE9E-01C04A7936B4} - http://www.zapros.com/check.htm (file missing)
O9 - Extra button: SEARCH - {FE5A1910-F121-11d2-BE9E-01C04A7936B5} - http://www.zapros.com (file missing)
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://cashsearch.bi....chm::/load.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/i...etup1.0.0.8.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...s/yinst0401.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_42.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games....GamesPlugin.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://kr.pristontal...protect/npx.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...360/mcfscan.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab

#2 obscenity

obscenity

    Member

  • Full Member
  • Pip
  • 28 posts

Posted 15 July 2004 - 03:47 PM

Also, I can't get into regedit; it exits when I try to. Same with msconfig.

#3 obscenity

obscenity

    Member

  • Full Member
  • Pip
  • 28 posts

Posted 15 July 2004 - 04:32 PM

top

#4 obscenity

obscenity

    Member

  • Full Member
  • Pip
  • 28 posts

Posted 15 July 2004 - 07:04 PM

top

#5 obscenity

obscenity

    Member

  • Full Member
  • Pip
  • 28 posts

Posted 15 July 2004 - 08:31 PM

top

#6 obscenity

obscenity

    Member

  • Full Member
  • Pip
  • 28 posts

Posted 15 July 2004 - 09:51 PM

:weep:

#7 obscenity

obscenity

    Member

  • Full Member
  • Pip
  • 28 posts

Posted 16 July 2004 - 04:44 PM

Why won't anyone respond??

Edited by obscenity, 16 July 2004 - 04:44 PM.


#8 obscenity

obscenity

    Member

  • Full Member
  • Pip
  • 28 posts

Posted 16 July 2004 - 07:33 PM

top

#9 obscenity

obscenity

    Member

  • Full Member
  • Pip
  • 28 posts

Posted 16 July 2004 - 09:37 PM

top

#10 XMit

XMit

    That Guy..you know..from that place..you know.

  • Full Member
  • Pip
  • 37 posts

Posted 16 July 2004 - 09:43 PM

Please be patient, case load is always high here and everyone is a volunteer. Someone will be with you as soon as they can.

#11 obscenity

obscenity

    Member

  • Full Member
  • Pip
  • 28 posts

Posted 17 July 2004 - 04:23 PM

top

#12 obscenity

obscenity

    Member

  • Full Member
  • Pip
  • 28 posts

Posted 17 July 2004 - 05:22 PM

top

#13 obscenity

obscenity

    Member

  • Full Member
  • Pip
  • 28 posts

Posted 17 July 2004 - 08:32 PM

top

#14 obscenity

obscenity

    Member

  • Full Member
  • Pip
  • 28 posts

Posted 17 July 2004 - 11:17 PM

top

#15 obscenity

obscenity

    Member

  • Full Member
  • Pip
  • 28 posts

Posted 18 July 2004 - 02:08 PM

top

#16 obscenity

obscenity

    Member

  • Full Member
  • Pip
  • 28 posts

Posted 18 July 2004 - 03:05 PM

top

#17 obscenity

obscenity

    Member

  • Full Member
  • Pip
  • 28 posts

Posted 18 July 2004 - 05:55 PM

top

#18 obscenity

obscenity

    Member

  • Full Member
  • Pip
  • 28 posts

Posted 18 July 2004 - 08:58 PM

top

#19 obscenity

obscenity

    Member

  • Full Member
  • Pip
  • 28 posts

Posted 19 July 2004 - 04:58 PM

top

#20 obscenity

obscenity

    Member

  • Full Member
  • Pip
  • 28 posts

Posted 19 July 2004 - 09:09 PM

top

#21 tallbballman21

tallbballman21

    Member

  • Full Member
  • Pip
  • 18 posts

Posted 19 July 2004 - 09:32 PM

Hey man, I know how you feel. I'm waiting for a reply too, about 1 week now for me.

#22 obscenity

obscenity

    Member

  • Full Member
  • Pip
  • 28 posts

Posted 20 July 2004 - 04:46 PM

Glad I am not the only 1... :'(

#23 guacamel

guacamel

    SWI Junkie

  • Retired Staff - Helper
  • PipPipPipPip
  • 288 posts

Posted 20 July 2004 - 04:49 PM

Just so you know, the typical order that posts are done is from the ones farthest back in the queue. In essence, every time you bump, you put yourself back to the front where people are taken last...

#24 obscenity

obscenity

    Member

  • Full Member
  • Pip
  • 28 posts

Posted 29 August 2004 - 12:22 AM

Still no reply, eh? Well, I finally got everything back to normal on my own... [sarcasm]Thanks for the help SWI!!![/sarcasm]

Edited by obscenity, 29 August 2004 - 12:23 AM.


#25 Budfred

Budfred

    Malware Hound

  • Administrators
  • PipPipPipPipPip
  • 21,305 posts

Posted 26 September 2004 - 07:03 AM

I would like to apologize for the delay in service and offer you a Full Refund of your service fee... NO, better than that, I will send you double the service fee...

What, you didn't pay a service fee?? Oh right, we are all volunteers here and very busy trying to help people on our own time, so we don't have time to charge people for the FREE help we give...

Of course, you did everything you could to make it less likely that someone would help you... Bumping your topic repeatedly, not bothering to look around at the topic for people who have been waiting so that they could let our volunteers know that they have been waiting and topping it off with sarcasm....

I am delighted to see that you took advantage of our self learning program and fixed it yourself... congratulations...
Budfred

Helpful link: SpywareBlaster...

MS MVP 2006 and ASAP Member since 2004

Please read the Instructions for posting requested logs and the article "So how did I get infected in the first place?"



