CWS.searchx trouble..help!!


#1 RandomGuy01 (Full Member, 9 posts)

Posted 18 July 2004 - 01:21 PM

CWshredder works for maybe a day or two, but it just keeps coming back. Any help with this will be greatly appreciated.

Logfile of HijackThis v1.98.0
Scan saved at 1:37:52 PM, on 7/18/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\MY DOCUMENTS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.co...ty4PatcherX.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.co...date/EARTPX.cab
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan....r/axscanner.cab

#2 Daemon (Security Expert, Emeritus, 3,350 posts)

Posted 18 July 2004 - 04:12 PM

To anyone other than the originator of this topic: do not use this thread to try to fix your system or anyone else's by copying it - this is not an automatic fix and requires the logs to be properly interpreted.

Click here to download FindnFix.exe (2K/XP only!) by freeatlast. Double-click on the FINDnFIX.exe and it will install a folder called FINDnFIX on your system. Go to that folder and double-click on !LOG!.bat. The program takes a few minutes to collect the necessary information. When done, post the contents of Log.txt in this thread.

#3 RandomGuy01 (Full Member, 9 posts)

Posted 18 July 2004 - 04:17 PM

I am running Windows 98... you said that is for 2K/XP only; should I still run it or not?

#4 Daemon (Security Expert, Emeritus, 3,350 posts)

Posted 18 July 2004 - 04:22 PM

:oops: My mistake :weee: Do this instead.

Download StartDreck from here. Unzip to its own folder and start the program:

Press 'Config'
Press 'Unmark All'

Check the following boxes only:
Registry -> Run Keys
System/Drivers -> Running Processes

Press 'Ok'. Press 'Save' and select the location to save the log file (default is the same folder as the application). Post the log in this thread.

#5 RandomGuy01 (Full Member, 9 posts)

Posted 18 July 2004 - 04:34 PM

I'm really not much of a computer whiz, and this isn't working. When I try to unzip it, it says "A required .DLL file, VB40032.DLL, was not found." You said unzip to its own folder; I don't really know how to do that, so it may be the problem. Everything listed that I am able to unzip is text files written in German or something, so I'm lost.

#6 Daemon (Security Expert, Emeritus, 3,350 posts)

Posted 18 July 2004 - 04:42 PM

Are you using Winzip to try to unzip it?

Go here: http://www.winzip.com/downwz.htm

#7 RandomGuy01 (Full Member, 9 posts)

Posted 18 July 2004 - 04:56 PM

Yes, I'm using WinZip 9.0.

#8 RandomGuy01 (Full Member, 9 posts)

Posted 18 July 2004 - 07:45 PM

Ah-ha!! I figured it out; here is the log.

StartDreck (build 2.1.5 public BETA) - 2004-07-18 @ 20:42:32
Platform: Windows 98 SE (Win 4.10.2222 A)

»Registry
»Run Keys
»Current User
»Run
*msnmsgr="C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
»RunOnce
»Default User
»Run
*msnmsgr="C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
»RunOnce
»Local Machine
»Run
*ScanRegistry=C:\WINDOWS\scanregw.exe /autorun
*TaskMonitor=C:\WINDOWS\taskmon.exe
*SystemTray=SysTray.Exe
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*SoundMan=SOUNDMAN.EXE
*StillImageMonitor=C:\WINDOWS\SYSTEM\STIMON.EXE
*LoadQM=loadqm.exe
*NvCplDaemon=RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
*nwiz=nwiz.exe /install
*NvMediaCenter=RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvMcTray.dll,NvTaskbarInit
*TkBellExe="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
*QuickTime Task="C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
*Installed=1
*NoChange=1
*Installed=1
*Installed=1
»RunOnce
»RunServices
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*SchedulingAgent=mstask.exe
»RunServicesOnce
**enpf=rundll32 C:\WINDOWS\SYSTEM\KBDKNMJ.DLL,StreamingDeviceSetup
»RunOnceEx
»RunServicesOnceEx
»Files
»System/Drivers
»Running Processes
*FFCFE2BD=C:\WINDOWS\SYSTEM\KERNEL32.DLL
*FFFF9659=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
*FFFFA1C9=C:\WINDOWS\SYSTEM\MPREXE.EXE
*FFFE1B99=C:\WINDOWS\SYSTEM\MSTASK.EXE
*FFFE4129=C:\WINDOWS\SYSTEM\mmtask.tsk
*FFFE4469=C:\WINDOWS\RUNDLL32.EXE
*FFFEB449=C:\WINDOWS\EXPLORER.EXE
*FFFD8FF5=C:\WINDOWS\TASKMON.EXE
*FFFD31F5=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
*FFFC0429=C:\WINDOWS\SOUNDMAN.EXE
*FFFC1765=C:\WINDOWS\SYSTEM\STIMON.EXE
*FFFCF9AD=C:\WINDOWS\LOADQM.EXE
*FFFC2569=C:\WINDOWS\RUNDLL32.EXE
*FFFBFF15=C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
*FFFB7039=C:\WINDOWS\SYSTEM\QTTASK.EXE
*FFFBC4A1=C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
*FFFCBC01=C:\WINDOWS\SYSTEM\WMIEXE.EXE
*FFFBBC2D=C:\WINDOWS\SYSTEM\SPOOL32.EXE
*FFFA5165=C:\WINDOWS\SYSTEM\DDHELP.EXE
*FFF83CAD=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
*FFF347C5=C:\MY DOCUMENTS\STARTDRECK\STARTDRECK.EXE
»Application specific
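The two logs above show the artefacts a helper looks for in this kind of hijack: IE search keys pointed at a local file:// page, and a run-key entry (here the RunServicesOnce value) that uses rundll32 to load an oddly named DLL out of C:\WINDOWS\SYSTEM. The following triage script is an added example, not a tool from this thread; the sample lines are constructed from the HijackThis and StartDreck entries posted here, and the small allow-list of DLLs is an assumption for this machine.

```python
"""Flag CWS-style entries in HijackThis R0/R1/O4 lines and StartDreck run-key lines."""
import re

# HijackThis: "R1 - HKCU\...\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html"
HJT_R = re.compile(r"^R[01] - (?P<key>[^=]+?)\s*=\s*(?P<value>.+)$")
# HijackThis: "O4 - HKLM\..\Run: [Name] command"
HJT_O4 = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]+)\]\s*(?P<cmd>.+)$")
# StartDreck: "*Name=command" (a leading extra "*" means the value name itself starts with "*")
SD_RUN = re.compile(r"^\*+(?P<name>[^=]+)=(?P<cmd>.+)$")
# rundll32 loading a DLL by full path from the Windows system folder
RUNDLL_SYS = re.compile(
    r"rundll32(?:\.exe)?\s+(?P<dll>[A-Z]:\\WINDOWS\\SYSTEM(?:32)?\\[^,\s]+\.DLL)\s*,\s*\S+", re.I)
# Assumed allow-list: DLLs this machine's own startup entries legitimately load via rundll32
KNOWN_RUNDLL = {"nvcpl.dll", "nvmctray.dll", "powrprof.dll"}

def triage(lines):
    """Return (finding, name_or_key, target) tuples for suspicious lines."""
    findings = []
    for line in lines:
        line = line.strip()
        m = HJT_R.match(line)
        if m and m.group("value").lower().startswith("file://"):
            # IE search/assistant pages should be http(s), never a local temp file
            findings.append(("search_redirect", m.group("key").strip(), m.group("value")))
            continue
        m = HJT_O4.match(line) or SD_RUN.match(line)
        if not m:
            continue
        r = RUNDLL_SYS.search(m.group("cmd"))
        if r and r.group("dll").rsplit("\\", 1)[-1].lower() not in KNOWN_RUNDLL:
            findings.append(("rundll32_loader", m.group("name").strip(), r.group("dll")))
    return findings

# Constructed sample: lines taken from the logs in this thread
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
**enpf=rundll32 C:\WINDOWS\SYSTEM\KBDKNMJ.DLL,StreamingDeviceSetup
""".strip().splitlines()

if __name__ == "__main__":
    for kind, name, target in triage(SAMPLE_LOG):
        print(f"{kind:16} {name} -> {target}")
```

Only the file:// search page and the KBDKNMJ.DLL loader are reported; the NVIDIA and power-profile rundll32 entries pass because they are on the allow-list.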

#9 RandomGuy01 (Full Member, 9 posts)

Posted 18 July 2004 - 11:02 PM

Looks like you're not here... Can anyone else help me with this problem?

I have some more info if it's needed. Whenever I run CWShredder, it puts files in the recycle bin named IKFKKO.DLL, read me, and sp. The problem shows up again every night at about 11:00, as long as the computer is running at that time. I am also getting pop-ups that say my computer has spyware.

#10 Daemon (Security Expert, Emeritus, 3,350 posts)

Posted 19 July 2004 - 01:00 AM

Gotta sleep at some time :p Download Win98Fix.zip from here.

Unzip to its own folder. Open Folder and double click on RunFix.reg file. Hit 'Yes' to merge it into your registry. Restart your computer. The bad file should now be visible so you can delete it.

Browse to c:\windows\system\KBDKNMJ.DLL then delete it. Rescan with HJT and post a new log when done.

#11 RandomGuy01 (Full Member, 9 posts)

Posted 19 July 2004 - 01:08 AM

Ahhhhhhhhhh :techsupport:

When I click on the link to download Win98Fix.zip from that site, a page says it is a missing or deleted site. But the rest of the links on there work normally. :techsupport:

Does this happen to you too?

#12 Daemon (Security Expert, Emeritus, 3,350 posts)

Posted 19 July 2004 - 01:52 AM

Do this instead.

Reboot to DOS. Change Directory ('cd') to the C:\Windows\System folder. Delete ('del') the KBDKNMJ.DLL.

Click here to download CWShredder by Merijn Bellekom and run it; hit 'Fix' as opposed to 'Scan only'. If you already have CWShredder, click 'Check for update' and make sure you are running version 1.59.1. Reboot when done. Rescan with HJT and post a new log in your next reply.

#13 RandomGuy01 (Full Member, 9 posts)

Posted 19 July 2004 - 01:18 PM

OK, I did everything you said; here's the log. Looks like a lot changed.

Logfile of HijackThis v1.98.0
Scan saved at 2:14:13 PM, on 7/19/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\MY DOCUMENTS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.co...ty4PatcherX.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.co...date/EARTPX.cab
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan....r/axscanner.cab

#14 Daemon (Security Expert, Emeritus, 3,350 posts)

Posted 19 July 2004 - 01:52 PM

Looks OK now - how is it running?

#15 RandomGuy01 (Full Member, 9 posts)

Posted 19 July 2004 - 02:48 PM

It's working fine now, but it will be a day or two before I'm sure that it won't come back. If it does, I'll post again.

Thank you very, very much for helping me with this!! :D :D :D

#16 Daemon (Security Expert, Emeritus, 3,350 posts)

Posted 19 July 2004 - 03:17 PM

You're welcome - glad to help :D

To help keep you clean follow the recommendations in Tony's article here:

So how did I get infected in the first place?

As this problem has been resolved, the topic will be closed. If you need this topic reopened, please click here to email the moderating team - be sure to include the address of the thread and the name you posted under.
