"CoolWebSearch" nothing works


34 replies to this topic

#1 Nocturnicus

Nocturnicus

    Member

  • Full Member
  • Pip
  • 41 posts

Posted 23 May 2004 - 09:47 PM

I have been infected with "CoolWebSearch". I used Spybot, AdAware and CWShredder and nothing will get rid of it. I tried to upload any updates for CWShredder and the first site it attempts to connect to always fails, the second always connects. I used HijackThis and this is my log info...

Logfile of HijackThis v1.97.7
Scan saved at 10:45:25 PM, on 5/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Timo Sutton\Local Settings\Temp\Temporary Directory 5 for hijackthis.zip\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [mswspl] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Lexmark X84-X85 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe
O4 - HKLM\..\Run: [Lexmark X84-X85 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe
O4 - HKLM\..\Run: [intdctrr] C:\WINDOWS\System32\idctup20.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [dswave] C:\WINDOWS\System32\dswave.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: AIM (HKLM)
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by8fd.bay8.ho...ex/HMAtchmt.ocx

I don't know if this helps but I found a file in my Documents and Settings/Cookie folder that I can't erase. It generates text documents of everything I do. I've been erasing the texts but it doesn't do much. The file is called "INDEX.DAT"

Hopefully you people can help me.

#2 Wiskonst

Wiskonst

    Advanced Member

  • Helper
  • PipPipPip
  • 152 posts

Posted 24 May 2004 - 05:23 AM

Nocturnicus

First please put Hijack This in a permanent folder (not a temporary one).

Fix from hijack This:
O4 - HKLM\..\Run: [intdctrr] C:\WINDOWS\System32\idctup20.exe
O4 - HKCU\..\Run: [dswave] C:\WINDOWS\System32\dswave.exe

Do this by closing all browser windows, placing a checkmark before the above items and clicking the Fix-button.

Then please make a copy of
- C:\WINDOWS\System32\idctup20.exe
under a different name and then delete it.
Send the copy to me (e-mail in Forum profile) for analysis.
Also delete:
- C:\WINDOWS\System32\dswave.exe

Then run CWShredder again in Windows Safe Mode (reboot, hit F8 and choose 'Start in Safe Mode'). Have no other programs running. Report whether it found anything.

Do the text files in the Cookie folder take a different form than the normal cookies, which have the form '<name>@aaa.com.txt'? The index.dat file is a normal file containing the index of cookies. You can manage cookies (the ones you want and the ones you don't want) with a program like AnalogX Cookiewall.
_______
Wiskonst

Edited by Wiskonst, 24 May 2004 - 06:03 AM.


#3 Nocturnicus

Nocturnicus

    Member

  • Full Member
  • Pip
  • 41 posts

Posted 24 May 2004 - 09:49 AM

Thanks for the quick response.

I did what you asked but I am unsure as to how I attach the file to the email. I click on the email link in your profile but I don't see an attach key.

Also I ran CWShredder in safe mode and found nothing. When I rebooted my computer back to normal mode my Antivirus picked up two trojans. I ran CWShredder again (in normal mode) and it found "CWS.Searchx" on my comp.

Please let me know how to attach that file to the email. Also, should I post a new log from hijackthis?

#4 Wiskonst

Wiskonst

    Advanced Member

  • Helper
  • PipPipPip
  • 152 posts

Posted 24 May 2004 - 09:59 AM

Nocturnicus

Yes please post a new Hijack This log.

Did you let CWShredder fix the CWS.Searchx?
Keep a close eye on Coolwebsearch reappearing, which may happen with this variant. If so, we will help you further.

If you have no objection I will PM you an e-mail address to send the file to.
_______
Wiskonst

#5 Nocturnicus

Nocturnicus

    Member

  • Full Member
  • Pip
  • 41 posts

Posted 24 May 2004 - 10:25 AM

Wiskonst

I let CWShredder fix CWS.Searchx but am still receiving the same problems (homepage set on about:blank and tons of pop-ups on spyware).
I got your PM and just emailed you the file. Here's my latest Hijackthis log.

Logfile of HijackThis v1.97.7
Scan saved at 11:24:51 AM, on 5/24/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Timo Sutton\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [mswspl] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Lexmark X84-X85 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe
O4 - HKLM\..\Run: [Lexmark X84-X85 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: AIM (HKLM)
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by8fd.bay8.ho...ex/HMAtchmt.ocx

Oh and I checked those files in the cookie folder and they are normal.
Thanks
Nocturnicus

#6 Wiskonst

Wiskonst

    Advanced Member

  • Helper
  • PipPipPip
  • 152 posts

Posted 24 May 2004 - 11:29 AM

Nocturnicus

Thank you for the file.

Also fix from Hijack This:
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe

Delete file
- C:\WINDOWS\sysupd.exe

We must search for a hidden reinstaller.

Download UnrealCW and pv.zip. Unzip them to a folder (may be the same) and run runme.bat (not runme9x) by doubleclicking on it.
In a dos-window a menu will be visible. Choose option 6 (Appinit contents).
A textfile comes up; paste that textfile here.
_______
Wiskonst

#7 Nocturnicus

Nocturnicus

    Member

  • Full Member
  • Pip
  • 41 posts

Posted 24 May 2004 - 11:43 AM

Wiskonst

I fixed "O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe" from HijackThis but the file - "C:\WINDOWS\sysupd.exe" wasn't there. I conducted a search of my computer for the file name but it came back empty. Also, what do I do with the file "idctup20copy.exe"? Should I keep it in my computer or should I delete it?

Here is the text from runme.bat

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

Thanks
Nocturnicus

#8 Wiskonst

Wiskonst

    Advanced Member

  • Helper
  • PipPipPip
  • 152 posts

Posted 24 May 2004 - 12:24 PM

Nocturnicus

You can delete the copy of idctup20.exe . I have received it OK.

If you cannot find file sysupd.exe, leave it for the moment (have you set display hidden files though?).

Download Find All and CopyLock and unzip them to a folder.
Run find_all.bat by doubleclicking on it and let it finish.
Post the resulting textfile here.
_______
Wiskonst

#9 Nocturnicus

Nocturnicus

    Member

  • Full Member
  • Pip
  • 41 posts

Posted 24 May 2004 - 12:39 PM

Wiskonst

I downloaded CopyLock but the link to FindAll just keeps saying the page cannot be found. Is it a problem on my end or theirs?

Nocturnicus

#10 Wiskonst

Wiskonst

    Advanced Member

  • Helper
  • PipPipPip
  • 152 posts

Posted 24 May 2004 - 01:40 PM

Nocturnicus

The link to Find All is broken. Would you try here?
_______
Wiskonst

#11 Nocturnicus

Nocturnicus

    Member

  • Full Member
  • Pip
  • 41 posts

Posted 24 May 2004 - 01:48 PM

Wiskonst

Here is the resulting text file:

Possible bad file(s) found... (locked)
\\?\C:\WINDOWS\System32\CTL.DLL +++ File read error
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
@="NAV Helper"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E8EF3228-8AC1-4CF9-A106-7F57164A36A6}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{760C8334-C54F-4D49-9212-A1C2F21F945A}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{760C8334-C54F-4D49-9212-A1C2F21F945A}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"




Nocturnicus

#12 Wiskonst

Wiskonst

    Advanced Member

  • Helper
  • PipPipPip
  • 152 posts

Posted 24 May 2004 - 03:08 PM

Nocturnicus

Perform the following operations with all browser windows closed (save this post to a file and print it):

Go to Start > Run and type 'regedt32' (without quotes).
Select window 'HKEY_LOCAL_MACHINE'.
In the left pane browse to Software > Microsoft > Windows > CurrentVersion > Explorer by doubleclicking on these items consecutively.
In Explorer select 'Browser Helper Objects'.
In menu Security choose Edit Permissions. A dialog appears.
The upper listpane must be empty. If it is not select the lines one by one and click the Remove button at the right until the pane is empty.
Then click the Advanced button below. A second panel appears.
Here uncheck 'Inherit from parents the permissions ...' and click OK.
In the main dialog also uncheck 'Inherit from parents ...' and click OK.
Close Regedt32.

Start CopyLock.
Check 'Show source paths' and 'Allow downgrade' and click Add. Choose 'Files to rename'.
Browse to C:\WINDOWS\System32\ and search for file CTL.DLL . If you do not see it select an arbitrary file and click Add. Shift-Tab to the sourcefile box and edit the filename to read 'C:\WINDOWS\System32\CTL.DLL' instead of the arbitrary file.
In the destination box type 'C:\WINDOWS\System32\jump.txt' and click OK.
In the main panel click Apply. If all goes well a message says '1 file successfully replaced'. Click OK and close CopyLock.

In Explorer drag (without copy) the file 'jump.txt' to an other folder.

Download Cleanup.reg and save it to a folder. Activate it by doubleclicking. Confirm the merge when asked.

Then let Hijack This make a log and post it here.
_______
Wiskonst

#13 Aciduss

Aciduss

    Member

  • New Member
  • Pip
  • 1 posts

Posted 24 May 2004 - 03:38 PM

I have the same problem. I've tried it all... please help.

#14 Wiskonst

Wiskonst

    Advanced Member

  • Helper
  • PipPipPip
  • 152 posts

Posted 24 May 2004 - 04:21 PM

Aciduss

We know it's difficult waiting but can you start a thread of your own?
_______
Wiskonst

#15 Nocturnicus

Nocturnicus

    Member

  • Full Member
  • Pip
  • 41 posts

Posted 24 May 2004 - 04:43 PM

Ok I ran Regedt32 and made the upper list pane empty and unchecked the two places that say "Inherit from parents....."

I hit a snag with CopyLock. I looked for the file CTL.DLL and it wasn't there. I tried clicking on other items but after clicking add and shift-tabbing to the sourcefile box I could not change the filename.

I have to go pick someone up from the airport so I'll be gone for an hour or so if traffic is ok. I'll try again with any suggestions you have when I get back. I'm going to leave my computer running so nothing gets reinstalled.

Once again thanks for all the help so far. This is really above and beyond any expectations I had of service.

-Nocturnicus

#16 Wiskonst

Wiskonst

    Advanced Member

  • Helper
  • PipPipPip
  • 152 posts

Posted 24 May 2004 - 05:25 PM

Nocturnicus

We have some other tries.

Start UnrealCW downloaded earlier (for now run it in normal mode) and in the box under 'Name DLL' type 'CTL.DLL' (without quotes).
Then click button CLSIDs. Wait till the button above Exit reads 'Ready'. Leave UnrealCW active and look in its folder for a file called 'delctl.d.reg'. Activate it by doubleclicking and confirm merge.
Do the same with Cleanup.reg.
Then, with the filename 'CTL.DLL' still in the box, click button Delete.
If the resulting message says 'Pending removal ... Please reboot', then reboot.

Then please post a new Hijack This log.
_______
Wiskonst

#17 Nocturnicus

Nocturnicus

    Member

  • Full Member
  • Pip
  • 41 posts

Posted 24 May 2004 - 07:53 PM

OK I'm back and I did what you said. I ran UnRealCW. It said that it could be only run in safe mode and to log on as an administrator but I left it in normal mode. When I got to the point where I hit delete I received the message "Invalid file name". Here's a current HijackThis log



Logfile of HijackThis v1.97.7
Scan saved at 8:49:46 PM, on 5/24/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Timo Sutton\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\ppodc.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\ppodc.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\ppodc.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\ppodc.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\ppodc.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\ppodc.dll/sp.html (obfuscated)
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [mswspl] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Lexmark X84-X85 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe
O4 - HKLM\..\Run: [Lexmark X84-X85 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: AIM (HKLM)
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by8fd.bay8.ho...ex/HMAtchmt.ocx
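
Added example, not from the thread or from any of the tools it names: a small Python checker that cross-reads the two artefacts posted above, the HijackThis log (O2, O4 and R0/R1 lines) and the REGEDIT4 export of the Browser Helper Objects and AppInit keys from the Find All run. It flags a BHO CLSID that is registered but absent from the O2 list, IE search settings redirected to a res:// resource inside a local DLL (the lines HijackThis tags "(obfuscated)"), and any DLL in AppInit_DLLs. The sample input is a constructed excerpt trimmed from posts #11 and #17.

```python
import re

# Constructed sample input, trimmed from the HijackThis log in post #17 and the
# Find All registry export in post #11 of this thread; not the complete files.
HJT_LOG = r"""Logfile of HijackThis v1.97.7
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\ppodc.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\ppodc.dll/sp.html (obfuscated)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
O4 - HKCU\..\Run: [dswave] C:\WINDOWS\System32\dswave.exe
"""

REG_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
@="NAV Helper"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E8EF3228-8AC1-4CF9-A106-7F57164A36A6}]
"""

CLSID = r"\{[0-9A-Fa-f-]{36}\}"
BHO_KEY = (r"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"
           r"\\Explorer\\Browser Helper Objects")
O2_RE = re.compile(rf"^O2 - BHO: (?P<name>.*?) - (?P<clsid>{CLSID}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
R_RE = re.compile(r"^R[01] - (?P<key>[^,]+),(?P<value>.+?) = (?P<data>.*)$")
BHO_KEY_RE = re.compile(rf"^\[{BHO_KEY}\\(?P<clsid>{CLSID})\]$")
APPINIT_RE = re.compile(r'^"AppInit_DLLs"="(?P<dlls>.*)"$')


def parse_hjt(text):
    """Split a HijackThis log into its O2 (BHO), O4 (Run key) and R0/R1 (IE setting) entries."""
    bhos, runs, ie = {}, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if (m := O2_RE.match(line)):
            bhos[m["clsid"].upper()] = (m["name"], m["path"])
        elif (m := O4_RE.match(line)):
            runs.append((m["hive"], m["name"], m["cmd"]))
        elif (m := R_RE.match(line)):
            ie.append((m["key"], m["value"].strip(), m["data"]))
    return {"bho": bhos, "run": runs, "ie": ie}


def registry_bhos(text):
    """CLSIDs that have a subkey under Browser Helper Objects in a REGEDIT4 export."""
    return {m["clsid"].upper() for line in text.splitlines()
            if (m := BHO_KEY_RE.match(line.strip()))}


def unlisted_bhos(hjt, reg_clsids):
    """BHOs the registry will load but HijackThis did not show: the place to look for a hidden loader."""
    return sorted(reg_clsids - set(hjt["bho"]))


def hijacked_ie_settings(hjt):
    """IE search/home settings that point at a res:// page served from a local DLL."""
    return [(value, data) for _key, value, data in hjt["ie"]
            if data.lower().startswith("res://")]


def appinit_dlls(text):
    """DLLs named in AppInit_DLLs (loaded into every process that maps user32.dll); normally empty."""
    for line in text.splitlines():
        m = APPINIT_RE.match(line.strip())
        if m:
            return [d for d in re.split(r"[ ,]+", m["dlls"]) if d]
    return []


def report(hjt_text, reg_text):
    """One dict of findings; an empty list in every slot means nothing stood out."""
    hjt = parse_hjt(hjt_text)
    return {
        "unlisted_bhos": unlisted_bhos(hjt, registry_bhos(reg_text)),
        "res_hijacks": hijacked_ie_settings(hjt),
        "appinit_dlls": appinit_dlls(reg_text),
        "run_entries": [(hive, name) for hive, name, _cmd in hjt["run"]],
    }


if __name__ == "__main__":
    for key, findings in report(HJT_LOG, REG_EXPORT).items():
        print(f"{key}: {findings}")
```

The unlisted-BHO check is the programmatic form of the comparison between post #11's export and the O2 lines; the Run entries are listed only so they can be reviewed by hand, as Wiskonst does in the thread.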

#18 Wiskonst

Wiskonst

    Advanced Member

  • Helper
  • PipPipPip
  • 152 posts

Posted 25 May 2004 - 06:01 AM

Hello Nocturnicus

Download Pcol.reg and place it the same folder as UnrealCW.
Could you download a new version of UnrealCW, unzip it (over the old files) and run it.
Type in the box 'ppodc.dll' (without quotes) and click CLSIDs. Wait for 'Ready' on the middle button.
Then type CTL.DLL in the box and click Delete.
The program will then ask you to reboot.
Before you do so, doubleclick Cleanup.reg, Pcol.reg, delppodc.reg and delctl.d.reg (the last three are in the same folder as UnrealCW), thereafter reboot.

In the folder of UnrealCW you will find a logfile 'UnrealCW.log'. Could you send that to my e-mail address (after the reboot)?

Also download the Killbox and the Hijack Fixer and unzip them to a folder.
_______
Wiskonst

#19 Nocturnicus

Nocturnicus

    Member

  • Full Member
  • Pip
  • 41 posts

Posted 25 May 2004 - 08:03 AM

Good Morning Wiskonst

I did everything you said and emailed you UnRealCW.log.
Since CWShredder found CWS.Searchx on my computer again I did another scan with hijackthis. Also, when I try to update CWShredder it still denies me access to the first place but is ok in the second. Is that alright? Here is the new log

Logfile of HijackThis v1.97.7
Scan saved at 9:01:17 AM, on 5/25/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AIM95\aim.exe
C:\Documents and Settings\Timo Sutton\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [mswspl] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Lexmark X84-X85 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe
O4 - HKLM\..\Run: [Lexmark X84-X85 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: AIM (HKLM)
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by8fd.bay8.ho...ex/HMAtchmt.ocx

#20 Wiskonst

Wiskonst

    Advanced Member

  • Helper
  • PipPipPip
  • 152 posts

Posted 25 May 2004 - 09:07 AM

Hello Nocturnicus

Thank you for the log.

There is a variant of Coolwebsearch that tries to hinder download of CWShredder, but normally it is not this one. What exactly are the two links you are using?

To permanently get rid of CWS.Searchx, use the Hijack Fixer (SpHjfix.exe).
Click 'Desinfection starten' (right button) and the program will ask you to reboot; do so.
During reboot you will see a window similar to the main window of Hijack Fixer.
Here click 'Desinfection abschliessen' (again right hand button). After a search the boot process will continue.

Then fix in Hijack This if it is still there:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

_______
Wiskonst

#21 Nocturnicus

Nocturnicus

    Member

  • Full Member
  • Pip
  • 41 posts

Posted 25 May 2004 - 10:16 AM

Hey Wiskonst

When I click on update CWShredder it first says Fetching from merijn.org. It then says unable to retrieve CWShredder update info, server may be unavailable. Then it downloads from spywareinfo.com and always works.

I ran Hijack Fixer and ran into a problem. After rebooting the program froze and stopped responding. I rebooted again and started Hijack Fixer again. It wouldn't let me start from the beginning, it was still on the "Desinfection abschliessen" menu and froze again. I tried this a few times with always the same results.

I fixed the line
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
from Hijack This but when I opened Internet Explorer my homepage was still about:blank

-Nocturnicus

#22 Nocturnicus

Nocturnicus

    Member

  • Full Member
  • Pip
  • 41 posts

Posted 25 May 2004 - 11:04 AM

My computer is also acting incredibly slow now. I mean it takes about 10min to completely load these forum pages. I just got a message saying I was low on virtual memory and that some programs would be denied memory while windows enlarged my virtual memory.

#23 Nocturnicus

Nocturnicus

    Member

  • Full Member
  • Pip
  • 41 posts

Posted 25 May 2004 - 11:14 AM

Wiskonst

My computer is also acting incredibly slow now. I mean it takes about 10min to completely load these forum pages.

I just got a message saying I was low on virtual memory and that some programs would be denied memory while windows enlarged my virtual memory.

I ran Ad-Aware 6 and found 27 items on my computer. I deleted them all but it didn't change anything.


-Nocturnicus

#24 Wiskonst

Wiskonst

    Advanced Member

  • Helper
  • PipPipPip
  • 152 posts

Posted 25 May 2004 - 12:45 PM

Nocturnicus

The about:blank is now set to the default about:blank which is all right.

The IP of merijn.org changes quite often lately. You better not use the Update button (which has a static link) in CWShredder but one of these links:
- http://aumha.org/dow.../cwshredder.zip or
- http://home.wanadoo..../cwshredder.zip.

First you might enlarge your virtual memory.
Open Control Panel (Start > Configuration > Control Panel) and choose pictogram System. Go to Tab Advanced and click the upper button. Then choose configure virtual memory. Choose a partition with enough space and set minimal virtual memory to a quarter of physical memory, and maximal to two to three times physical memory, at least several hundred MB.
When memory is set Windows will ask to reboot.

Then let's try a general cleanup:
Download The Cleaner and do a scan with it.

Then try one more time to delete CTL.DLL (which is the central file of the infection) which may not have been done properly by Hijack Fixer.
Run the Killbox.
In the box 'Paste full path of file to delete' copy and paste 'C:\Windows\System32\CTL.DLL' (without quotes). In menu Action choose Delete on reboot. A panel opens 'PendingFilerenameOperations'. Here in menu File choose Add File. The CTL.DLL file will be added. Now in menu Action choose Process and Reboot.
When asked to reboot click OK.

Then please run Find_All.bat once more and post the result here.
_______
Wiskonst

#25 Nocturnicus

Posted 25 May 2004 - 01:38 PM

Hey Wiskonst

I did everything you said in the last post. The Cleaner found and deleted three occurrences of the Trojan "ABetterInternet" and one occurrence of "CoolWebSearch".

I then ran Killbox and had it delete CTL.DLL (hopefully it worked this time)

Here is the log from Find_All

Possible bad file(s) found... (locked)
\\?\C:\WINDOWS\System32\CTL.DLL +++ File read error
REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"



#26 Wiskonst

Posted 25 May 2004 - 02:54 PM

Nocturnicus

Alas it has not gone yet.

Again start Copy Lock.
Check 'Show Source Path' and 'Allow Downgrade' and click Add.
Choose Files to Rename. Browse to C:\Windows\System32. Type in the box below CLT.DLL and click Add. Does the proper name show up now in the Source box?
If so go ahead with Destination 'C:\Windows\System32\jump.txt', OK and Apply.
When asked to reboot, do so.
When succeeded, drag file jump.txt to another folder.

Then please again run Find_All.bat and post the result here (only if CopyLock succeeded).

Could you give me the full path to the folder of UnrealCW?

You may also prepare installation of the Recovery Console.
If you have a Windows XP installation CD, insert it. Else browse to the reinstallation folder on your hard disk. Search for folder I386.
Go to Start > Run and type '<path to I386>\winnt32 /cmdcons' (without quotes, fill in the path to I386 you found).
The Recovery Console will be installed. We may need it if the attempts to delete CLT.DLL continue to fail.
_______
Wiskonst
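Both steps above, Killbox's "Delete on reboot" in post #24 and the CopyLock rename to jump.txt here, rely on Windows carrying out a queued file operation before the DLL can be loaded again at the next boot. The following is an added example, not code from the thread or from either tool: it decodes the registry value in which Windows keeps such queued operations (the PendingFileRenameOperations panel Killbox shows is a view of that value; that CopyLock uses the same mechanism is an assumption here). Reading the value before rebooting lets you confirm what will actually happen to the locked file. The sample value is constructed, not captured from the poster's machine.

```python
"""Decode Windows' PendingFileRenameOperations value (added example).

Windows stores rename-or-delete-at-next-boot requests (MoveFileEx with
MOVEFILE_DELAY_UNTIL_REBOOT) as a REG_MULTI_SZ under
HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager.  The strings come
in pairs (source, destination).  An empty destination means "delete"; a
destination beginning with "!" means "overwrite an existing file".
"""
from dataclasses import dataclass
from typing import List, Optional

NT_PREFIX = "\\??\\"  # NT object-manager prefix used inside the value
REG_PATH = r"SYSTEM\CurrentControlSet\Control\Session Manager"
VALUE_NAME = "PendingFileRenameOperations"


@dataclass
class PendingOp:
    action: str             # "delete" or "rename"
    source: str             # Win32 path with the \??\ prefix removed
    destination: str        # "" for a delete
    replace_existing: bool  # True when the destination carried the "!" flag


def _strip_nt_prefix(path: str) -> str:
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def decode_pending_ops(multi_sz: List[str]) -> List[PendingOp]:
    """Turn the raw REG_MULTI_SZ string list into structured operations."""
    if len(multi_sz) % 2:
        raise ValueError("expected (source, destination) pairs")
    ops = []
    for src, dst in zip(multi_sz[0::2], multi_sz[1::2]):
        replace = dst.startswith("!")
        dst_path = _strip_nt_prefix(dst[1:] if replace else dst)
        ops.append(PendingOp(
            action="delete" if dst == "" else "rename",
            source=_strip_nt_prefix(src),
            destination=dst_path,
            replace_existing=replace,
        ))
    return ops


def read_live_value() -> Optional[List[str]]:
    """Read the real value on Windows; None on other OSes or when unset."""
    try:
        import winreg
    except ImportError:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, REG_PATH) as key:
            value, _kind = winreg.QueryValueEx(key, VALUE_NAME)
            return list(value)
    except OSError:
        return None


def describe(ops: List[PendingOp]) -> List[str]:
    """Human-readable one-liners, one per queued operation."""
    lines = []
    for op in ops:
        if op.action == "delete":
            lines.append(f"delete {op.source}")
        else:
            flag = " (replace existing)" if op.replace_existing else ""
            lines.append(f"rename {op.source} -> {op.destination}{flag}")
    return lines


# Constructed sample: a Killbox-style delete of CTL.DLL followed by a
# CopyLock-style rename of the same file to jump.txt.
SAMPLE_VALUE = [
    "\\??\\C:\\Windows\\System32\\CTL.DLL", "",
    "\\??\\C:\\Windows\\System32\\CTL.DLL", "!\\??\\C:\\Windows\\System32\\jump.txt",
]

if __name__ == "__main__":
    raw = read_live_value() or SAMPLE_VALUE
    for line in describe(decode_pending_ops(raw)):
        print(line)
```

On a live Windows box the script prints whatever is queued for the next boot; elsewhere it falls back to the constructed sample. A queued delete of a DLL that is still registered as an IE filter or BHO is exactly the situation where checking this value before rebooting saves a wasted cycle.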

#27 Nocturnicus

Posted 25 May 2004 - 03:14 PM

Hey Wiskonst

Copy Lock worked fine. I moved "jump.txt" to the desktop for now.
Should I delete it?

What do you mean by the full path to the folder UnrealCW?

Do you mean C:/Documents and Settings/Timo Sutton/Desktop/UnrealCW?

I have the installation CD for Windows XP if we need it.

Here's the log from Find_All.bat

Possible bad file(s) found... (locked)
REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"



Thanks
-Nocturnicus
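The two Find_All.bat reports in this thread (post #25 and this one) differ in a single line: the "\\?\C:\WINDOWS\System32\CTL.DLL +++ File read error" entry that marks a locked file, which is gone once CopyLock has renamed it. The REGEDIT4 part lists the HKEY_CLASSES_ROOT\PROTOCOLS\Filter subkeys, the MIME/protocol filter hooks Internet Explorer consults. The following is an added example, not Find_All.bat itself and not code from the thread: it parses such a report, lists the locked files, and compares every filter subkey and CLSID against the set the clean reports here show. The sample report is the first report above plus one constructed extra subkey with a placeholder CLSID, added only so the check has something to flag.

```python
"""Check a Find_All.bat report against the clean baseline in this thread.

Added example.  Two things in the report matter: locked files (the
"\\?\..." lines) and the REGEDIT4 export of PROTOCOLS\Filter.
"""
from typing import Dict, List, Tuple

FILTER_ROOT = "HKEY_CLASSES_ROOT\\PROTOCOLS\\Filter\\"

# Subkey name -> CLSID, exactly as the clean Find_All output above lists them.
BASELINE_FILTERS: Dict[str, str] = {
    "Class Install Handler": "{32B533BB-EDAE-11D0-BD5A-00AA00B92AF1}",
    "deflate": "{8F6B0360-B80D-11D0-A9B3-006097942311}",
    "gzip": "{8F6B0360-B80D-11D0-A9B3-006097942311}",
    "lzdhtml": "{8F6B0360-B80D-11D0-A9B3-006097942311}",
    "text/webviewhtml": "{733AC4CB-F1A4-11D0-B951-00A0C90312E1}",
}


def parse_report(text: str) -> Tuple[List[str], Dict[str, Dict[str, str]]]:
    """Return (locked_files, {filter_subkey: {value_name: value}})."""
    locked: List[str] = []
    filters: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("\\\\?\\"):            # "\\?\C:\... +++ File read error"
            locked.append(line.split(" +++", 1)[0])
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.startswith(FILTER_ROOT):
                current = key[len(FILTER_ROOT):]
                filters[current] = {}
            else:
                current = None                     # parent key or unrelated key
            continue
        if current is not None and "=" in line:
            name, _, value = line.partition("=")
            filters[current][name.strip().strip('"')] = value.strip().strip('"')
    return locked, filters


def find_unexpected_filters(filters: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Filters whose (subkey, CLSID) pair is not in the baseline."""
    unexpected = []
    for name, values in filters.items():
        clsid = values.get("CLSID", "").upper()
        if BASELINE_FILTERS.get(name) != clsid:
            unexpected.append((name, clsid or "<no CLSID>"))
    return unexpected


# Constructed sample: the first report in the thread (CTL.DLL still locked)
# plus a placeholder text/html subkey that is NOT in the clean baseline.
SAMPLE_REPORT = r"""
Possible bad file(s) found... (locked)
\\?\C:\WINDOWS\System32\CTL.DLL +++ File read error
REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
@="placeholder entry, constructed for this example"
"CLSID"="{00000000-0000-0000-0000-000000000000}"
"""

if __name__ == "__main__":
    locked_files, filter_map = parse_report(SAMPLE_REPORT)
    print("locked:", locked_files)
    for name, clsid in find_unexpected_filters(filter_map):
        print(f"review: PROTOCOLS\\Filter\\{name} -> {clsid}")
```

The baseline is the one this thread's clean reports establish for that machine; on another system the right move is to take the same five entries as a starting point and treat anything extra as something to look up, not automatically as malware.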

#28 Wiskonst

Posted 25 May 2004 - 04:22 PM

Hello Nocturnicus

It's gone!

Could you perform the same procedure with CopyLock for file 'ppodc.dll' (also folder C:\Windows\System32)? Give it any name you like, place it in another folder and delete it.

We need just another Hijack This log to verify all remnants have been cleaned.
We don't need the Recovery Console at this moment.
The path to the UnrealCW folder is what I meant, thank you, but we won't need it either.

To be on the safe side as far as 'Abetterinternet' (found by the Cleaner) is concerned, download and run Kill2me.

To do me one more favour, could you send me 'jump.txt' and after that delete it?
_______
Wiskonst

#29 Nocturnicus

Posted 25 May 2004 - 07:10 PM

Hello Wiskonst

Sorry about taking so long to respond, I had a meeting about a design group I'm trying to put together.

Anyway, I ran CopyLock and it said the file 'ppodc.dll' did not exist. Hopefully that's a good thing!

I also ran Kill2Me and it said I was clean.

Here is the latest HijackThis log. After I'm done posting here I will email you "jump.txt". Man, I'm so happy it looks like this thing is finally gone. Thank you very much.

-Nocturnicus

Logfile of HijackThis v1.97.7
Scan saved at 8:10:40 PM, on 5/25/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\The Cleaner\tcm.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Timo Sutton\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://v4.windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [mswspl] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Lexmark X84-X85 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe
O4 - HKLM\..\Run: [Lexmark X84-X85 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: AIM (HKLM)
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by8fd.bay8.ho...ex/HMAtchmt.ocx
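Reading a HijackThis log like the one above by eye means checking the R0/R1 browser settings and then working through the O4 autostart entries one by one. The following is an added example, not part of HijackThis or of this thread: it parses those lines and surfaces two things a reviewer looks for, several O4 entries launching the same program under different names (the log above has [REGSHAVE] and [mswspl] both pointing at REGSHAVE.EXE) and entries that name a program without an absolute path, which Windows resolves through PATH at logon. Either is a prompt to look closer, not a verdict. The sample input is a subset of the lines from the log above.

```python
"""Triage helper for HijackThis logs (added example)."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

ENTRY_RE = re.compile(r"^(?P<type>[RO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^Global Startup: (?P<name>.+?\.lnk) = (?P<cmd>.*)$")
# First executable-looking token, quoted or not.  The lazy match stops at the
# first .exe/.dll, so "RUNDLL32.EXE C:\...\NvCpl.dll,NvStartup" yields RUNDLL32.EXE.
EXE_RE = re.compile(r'^"?(?P<exe>[^"]+?\.(?:exe|dll|com|scr|bat))"?', re.IGNORECASE)
ABS_PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_hjt(text: str) -> List[Tuple[str, str]]:
    """Return (entry type, body) for every R*/O* line in the log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m["type"], m["body"]))
    return entries


def browser_settings(entries) -> List[Tuple[str, str]]:
    """R0/R1 lines as (registry value, setting); an empty setting stays ''."""
    out = []
    for etype, body in entries:
        if etype in ("R0", "R1"):
            key, _, value = body.partition("=")
            out.append((key.strip(), value.strip()))
    return out


def autostart_targets(entries) -> List[Tuple[str, str]]:
    """O4 lines as (entry name, executable it launches)."""
    targets = []
    for etype, body in entries:
        if etype != "O4":
            continue
        m = RUN_RE.match(body) or STARTUP_RE.match(body)
        if not m:
            continue
        cmd = m["cmd"].strip()
        exe_m = EXE_RE.match(cmd)
        targets.append((m["name"], exe_m["exe"] if exe_m else cmd))
    return targets


def triage(entries) -> List[tuple]:
    """Findings worth a second look; each is a tagged tuple."""
    findings = []
    by_exe: Dict[str, List[str]] = defaultdict(list)
    for name, exe in autostart_targets(entries):
        by_exe[exe.lower()].append(name)
        # "?" is HijackThis's marker for a shortcut it could not resolve.
        if exe != "?" and not ABS_PATH_RE.match(exe):
            findings.append(("relative-path", name, exe))
    for exe, names in by_exe.items():
        if len(names) > 1:
            findings.append(("shared-target", exe, names))
    return findings


# Sample input: a subset of the R0/O4 lines from the log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://v4.windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [mswspl] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
"""

if __name__ == "__main__":
    log_entries = parse_hjt(SAMPLE_LOG)
    for key, value in browser_settings(log_entries):
        print(f"setting {key} = {value!r}")
    for finding in triage(log_entries):
        print("review:", finding)
```

Run against the sample, it reports nwiz and NvCplDaemon as relative-path launches (both normal for that NVIDIA driver, but worth a glance on any machine) and REGSHAVE/mswspl as two autostart names for one program. Pasting a whole log into SAMPLE_LOG works the same way, since lines that are not R*/O* entries are ignored.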

#30 Nocturnicus

Posted 25 May 2004 - 09:47 PM

Hey Wiskonst

I just checked my email and had a letter that had my email address as the sender with the title "Returned due to virus". Was that a return of the email I sent you? Just checking to see if you got it or not.

#31 Wiskonst

Posted 26 May 2004 - 04:32 AM

Nocturnicus

Your Hijack This log is clean.

How is your PC and internet traffic behaving at the moment?

Sorry about the wrong instructions on CopyLock I gave at first.

At your first e-mail (5/24/2004), which had an executable as attachment, I had a warning from Hotmail that it could be unsafe. My fault, I should have told you to zip it first. You could send it through to another e-mail address of mine though. On the third one (jump.txt) I got no warning and it was received well. Thank you.

As a general precaution against this kind of hijacker I would recommend Spywareguard and Spywareblaster (both free). And of course a good firewall (Kerio Personal Firewall is free).

If any problems arise in the future feel free to post here again.
_______
Wiskonst

#32 roblzgti

Posted 26 May 2004 - 07:06 AM

I had exactly the same issue. Followed these instructions and it looks like the problem is solved.

Wiskonst, are you interested in my DLL too? It was originally called SPQL.DLL but I managed to get rid of it too.

Rob

#33 Wiskonst

Posted 26 May 2004 - 07:34 AM

Roblzgti

In general it is not advisable to apply a remedy without knowing what variant of CWS you have. The different variants require different removal methods. But it seems you were lucky. You'd best post a Hijack This log in a topic of your own for final review.
_______
Wiskonst

#34 Nocturnicus

Posted 26 May 2004 - 09:11 AM

Thank you Wiskonst

Unfortunately I had deleted those sent files a little after I sent them to you. Could this be a problem? Other than that, thank you for all the help. I'm going to uninstall all the programs we downloaded and install the ones you recommended.

Once again thanks
Nocturnicus

#35 Wiskonst

Posted 26 May 2004 - 10:59 AM

Nocturnicus

It is OK to delete the sent files.

Glad we could help!
_______
Wiskonst
