Nocturnicus

"CoolWebSearch" nothing works

35 posts in this topic

I have been infected with "CoolWebSearch". I used Spybot, AdAware and CWShredder and nothing will get rid of it. I tried to upload any updates for CWShredder and the first site it attempts to connect to always fails, the second always connects. I used HijackThis and this is my log info...

 

Logfile of HijackThis v1.97.7

Scan saved at 10:45:25 PM, on 5/23/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\QuickTime\qttask.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe

C:\PROGRA~1\NORTON~1\navapw32.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe

C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\PROGRA~1\AWS\WEATHE~1\Weather.exe

C:\Program Files\FinePixViewer\QuickDCF.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\WINDOWS\System32\CTsvcCDA.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\Program Files\AIM95\aim.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Timo Sutton\Local Settings\Temp\Temporary Directory 5 for hijackthis.zip\HijackThis.exe

 

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [sysUpd] C:\WINDOWS\sysupd.exe

O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [mswspl] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [Lexmark X84-X85 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe

O4 - HKLM\..\Run: [Lexmark X84-X85 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe

O4 - HKLM\..\Run: [intdctrr] C:\WINDOWS\System32\idctup20.exe

O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1

O4 - HKCU\..\Run: [spyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup

O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"

O4 - HKCU\..\Run: [dswave] C:\WINDOWS\System32\dswave.exe

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O9 - Extra button: AIM (HKLM)

O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by8fd.bay8.hotmail.msn.com/activex/HMAtchmt.ocx

 

I don't know if this helps but I found a file in my Documents and Settings/Cookie folder that I can't erase. It generates text documents of everything I do. I've been erasing the texts but it doesn't do much. The file is called "INDEX.DAT"

 

Hopefully you people can help me.


Nocturnicus

 

First please put Hijack This in a permanent folder (not a temporary one).

 

Fix from hijack This:

O4 - HKLM\..\Run: [intdctrr] C:\WINDOWS\System32\idctup20.exe

O4 - HKCU\..\Run: [dswave] C:\WINDOWS\System32\dswave.exe

 

Do this by closing all browser windows, placing a checkmark before the above items and clicking the Fix-button.

 

Then please make a copy of

- C:\WINDOWS\System32\idctup20.exe

under a different name and then delete it.

Send the copy to me (e-mail in Forum profile) for analysis.

Also delete:

- C:\WINDOWS\System32\dswave.exe

 

Then run CWShredder again in Windows Safe Mode (reboot, hit F8 and choose 'Start in Safe Mode'). Have no other programs running. Report whether it found anything.

 

Do the text files in the Cookie folder take a different form than the normal cookies, which have the form '<name>@aaa.com.txt'? The index.dat file is a normal file containing the index of cookies. You can manage cookies (the ones you want and the ones you don't want) with a program like AnalogX Cookiewall.

_______

Wiskonst

Edited by Wiskonst


Thanks for the quick response.

 

I did what you asked but I am unsure as to how I attach the file to the email. I click on the email link in your profile but I don't see an attach key.

 

Also I ran CWShredder in safe mode and found nothing. When I rebooted my computer back to normal mode my Antivirus picked up two trojans. I ran CWShredder again (in normal mode) and it found "CWS.Searchx" on my comp.

 

Please let me know how to attach that file to the email. Also, should I post a new log from hijackthis?


Nocturnicus

 

Yes please post a new Hijack This log.

 

Did you let CWShredder fix the CWS.Searchx?

Keep a close eye on Coolwebsearch reappearing, which may happen with this variant. If so, we will help you further.

 

If you have no objection I will PM you an e-mail address to send the file to.

_______

Wiskonst


Wiskonst

 

I let CWShredder fix CWS.Searchx but am still receiving the same problems (homepage set on about:blank and tons of pop-ups on spyware).

I got your PM and just emailed you the file. Here's my latest Hijackthis log.

 

Logfile of HijackThis v1.97.7

Scan saved at 11:24:51 AM, on 5/24/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\QuickTime\qttask.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe

C:\PROGRA~1\NORTON~1\navapw32.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe

C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\PROGRA~1\AWS\WEATHE~1\Weather.exe

C:\Program Files\FinePixViewer\QuickDCF.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\WINDOWS\System32\CTsvcCDA.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Timo Sutton\Desktop\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [sysUpd] C:\WINDOWS\sysupd.exe

O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [mswspl] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [Lexmark X84-X85 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe

O4 - HKLM\..\Run: [Lexmark X84-X85 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe

O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1

O4 - HKCU\..\Run: [spyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup

O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O9 - Extra button: AIM (HKLM)

O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by8fd.bay8.hotmail.msn.com/activex/HMAtchmt.ocx

 

Oh and I checked those files in the cookie folder and they are normal.

Thanks

Nocturnicus


Nocturnicus

 

Thank you for the file.

 

Also fix from Hijack This:

O4 - HKLM\..\Run: [sysUpd] C:\WINDOWS\sysupd.exe

 

Delete file

- C:\WINDOWS\sysupd.exe

 

We must search for a hidden reinstaller.

 

Download UnrealCW and pv.zip. Unzip them to a folder (may be the same) and run runme.bat (not runme9x) by doubleclicking on it.

In a DOS window a menu will be visible. Choose option 6 (Appinit contents).

A textfile comes up; paste that textfile here.

_______

Wiskonst


Wiskonst

 

I fixed "O4 - HKLM\..\Run: [sysUpd] C:\WINDOWS\sysupd.exe" from HijackThis but the file - "C:\WINDOWS\sysupd.exe" wasn't there. I conducted a search of my computer for the file name but it came back empty. Also, what do I do with the file "idctup20copy.exe"? Should I keep it in my computer or should I delete it?

 

Here is the text from runme.bat

 

Windows Registry Editor Version 5.00

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=""

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

 

Thanks

Nocturnicus


Nocturnicus

 

You can delete the copy of idctup20.exe . I have received it OK.

 

If you cannot find file sysupd.exe, leave it for the moment (have you set display hidden files though?).

 

Download Find All and CopyLock and unzip them to a folder.

Run find_all.bat by doubleclicking on it and let it finish.

Post the resulting textfile here.

_______

Wiskonst


Wiskonst

 

I downloaded CopyLock but the link to FindAll just keeps saying the page cannot be found. Is it a problem on my end or theirs?

 

Nocturnicus


Nocturnicus

 

The link to Find All is broken. Would you try here?

_______

Wiskonst


Wiskonst

 

Here is the resulting text file:

 

Possible bad file(s) found... (locked)

\\?\C:\WINDOWS\System32\CTL.DLL +++ File read error

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=""

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

@=""

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]

@="NAV Helper"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E8EF3228-8AC1-4CF9-A106-7F57164A36A6}]

 

REGEDIT4

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]

@="AP Class Install Handler filter"

"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]

@="AP Deflate Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]

@="AP GZIP Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]

@="AP lzdhtml encoding/decoding Filter"

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]

"CLSID"="{760C8334-C54F-4D49-9212-A1C2F21F945A}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]

"CLSID"="{760C8334-C54F-4D49-9212-A1C2F21F945A}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]

@="WebView MIME Filter"

"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

 

 

 

Nocturnicus


Nocturnicus

 

Perform the following operations with all browser windows closed (save this post to a file and print it):

 

Go to Start > Run and type 'regedt32' (without quotes).

Select window 'HKEY_LOCAL_MACHINE'.

In the left pane browse to Software > Microsoft > Windows > CurrentVersion > Explorer by doubleclicking on these items consecutively.

In Explorer select 'Browser Helper Objects'.

In menu Security choose Edit Permissions. A dialog appears.

The upper listpane must be empty. If it is not select the lines one by one and click the Remove button at the right until the pane is empty.

Then click the Advanced button below. A second panel appears.

Here uncheck 'Inherit from parents the permissions ...' and click OK.

In the main dialog also uncheck 'Inherit from parents ...' and click OK.

Close Regedt32.

 

Start CopyLock.

Check 'Show source paths' and 'Allow downgrade' and click Add. Choose 'Files to rename'.

Browse to C:\WINDOWS\System32\ and search for file CTL.DLL . If you do not see it select an arbitrary file and click Add. Shift-Tab to the sourcefile box and edit the filename to read 'C:\WINDOWS\System32\CTL.DLL' instead of the arbitrary file.

In the destination box type 'C:\WINDOWS\System32\jump.txt' and click OK.

In the main panel click Apply. If all goes well a message says '1 file successfully replaced'. Click OK and close CopyLock.

 

In Explorer drag (without copy) the file 'jump.txt' to another folder.

 

Download Cleanup.reg and save it to a folder. Activate it by doubleclicking. Confirm the merge when asked.

 

Then let Hijack This make a log and post it here.

_______

Wiskonst


Aciduss

 

We know it's difficult waiting but can you start a thread of your own?

_______

Wiskonst


Ok I ran Regedt32 and made the upperlistpane empty and unchecked the two places that say "Inherit from parents....."

 

I hit a snag with CopyLock. I looked for the file CTL.DLL and it wasn't there. I tried clicking on other items but after clicking add and shift-tabbing to the sourcefile box I could not change the filename.

 

I have to go pick someone up from the airport so I'll be gone for an hour or so if traffic is ok. I'll try again with any suggestions you have when I get back. I'm going to leave my computer running so nothing gets reinstalled.

 

Once again thanks for all the help so far. This is really above and beyond any expectations I had of service.

 

-Nocturnicus


Nocturnicus

 

We have some other tries.

 

Start UnrealCW downloaded earlier (for now run it in normal mode) and in the box under 'Name DLL' type 'CTL.DLL' (without quotes).

Then click button CLSIDs. Wait till the button above Exit reads 'Ready'. Leave UnrealCW active and look in its folder for a file called 'delctl.d.reg'. Activate it by doubleclicking and confirm merge.

Do the same with Cleanup.reg.

Then, with the filename 'CTL.DLL' still in the box, click button Delete.

If the resulting message says 'Pending removal ... Please reboot', then reboot.

 

Then please post a new Hijack This log.

_______

Wiskonst


OK I'm back and I did what you said. I ran UnRealCW. It said that it could be only run in safe mode and to log on as an administrator but I left it in normal mode. When I got to the point where I hit delete I received the message "Invalid file name". Here's a current HijackThis log

 

 

 

Logfile of HijackThis v1.97.7

Scan saved at 8:49:46 PM, on 5/24/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\QuickTime\qttask.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe

C:\PROGRA~1\NORTON~1\navapw32.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe

C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\PROGRA~1\AWS\WEATHE~1\Weather.exe

C:\Program Files\FinePixViewer\QuickDCF.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\WINDOWS\System32\CTsvcCDA.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\Program Files\AIM95\aim.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Timo Sutton\Desktop\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\ppodc.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\ppodc.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\ppodc.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\ppodc.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\ppodc.dll/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\ppodc.dll/sp.html (obfuscated)

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [mswspl] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [Lexmark X84-X85 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe

O4 - HKLM\..\Run: [Lexmark X84-X85 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe

O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1

O4 - HKCU\..\Run: [spyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup

O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O9 - Extra button: AIM (HKLM)

O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by8fd.bay8.hotmail.msn.com/activex/HMAtchmt.ocx

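The log above is the third one in this thread, and the interesting part is what changed between scans: the three O4 run keys that were fixed are gone, and six R0/R1 lines pointing at `res://C:\WINDOWS\System32\ppodc.dll/sp.html` have appeared in their place. Comparing logs by eye is error-prone, so here is an added example (written for this page, not part of HijackThis or of the forum's tools) that parses HijackThis 1.97-style logs, diffs two of them, and flags the R0/R1 entries that CoolWebSearch rewrites. The two log excerpts embedded as sample input are trimmed copies of the 5/23 log and the 5/24 evening log posted in this thread; the `(obfuscated)` and `res://` checks are the only heuristics, both taken from markers that appear in the logs themselves.

```python
"""Parse HijackThis 1.97-style logs and diff two scans.

Added example for this thread; not code from HijackThis or the forum.
LOG_BEFORE / LOG_AFTER are trimmed from the logs posted in the thread.
"""
import re
from dataclasses import dataclass, field

# Trimmed from the 5/23/2004 log at the top of the thread.
LOG_BEFORE = r"""Logfile of HijackThis v1.97.7
Scan saved at 10:45:25 PM, on 5/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [sysUpd] C:\WINDOWS\sysupd.exe
O4 - HKLM\..\Run: [intdctrr] C:\WINDOWS\System32\idctup20.exe
O4 - HKCU\..\Run: [dswave] C:\WINDOWS\System32\dswave.exe
O9 - Extra button: AIM (HKLM)
"""

# Trimmed from the 5/24/2004 8:49 PM log, after the three O4 items were fixed.
LOG_AFTER = r"""Logfile of HijackThis v1.97.7
Scan saved at 8:49:46 PM, on 5/24/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AIM95\aim.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\ppodc.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\ppodc.dll/sp.html (obfuscated)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O9 - Extra button: AIM (HKLM)
"""

# HijackThis item codes: R0-R3, F0-F3, N1-N4, O1-O24, each written "Xn - detail".
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.+)$")


@dataclass
class HjtLog:
    version: str = ""
    scanned: str = ""
    processes: list = field(default_factory=list)
    entries: list = field(default_factory=list)  # (code, detail) tuples in log order


def parse_hjt(text):
    """Split a HijackThis log into header fields, process list and Rn/On entries."""
    log = HjtLog()
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # a blank line closes the process list
            continue
        if line.startswith("Logfile of HijackThis v"):
            log.version = line.rsplit(" v", 1)[1]
            continue
        m = re.match(r"Scan saved at (.+), on (.+)", line)
        if m:
            log.scanned = f"{m.group(2)} {m.group(1)}"
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            log.processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            log.entries.append((m.group(1), m.group(2)))
    return log


def diff_hjt(before, after):
    """Entries that appeared and disappeared between two scans (order-insensitive)."""
    old, new = set(before.entries), set(after.entries)
    return sorted(new - old), sorted(old - new)


def suspicious(entry):
    """Reasons an entry deserves a look; an empty list means nothing matched."""
    code, detail = entry
    reasons = []
    if code in ("R0", "R1") and "res://" in detail:
        reasons.append("IE search/start page served from a local DLL resource")
    if "(obfuscated)" in detail:
        reasons.append("HijackThis flagged the registry value as obfuscated")
    return reasons


def report(before_text, after_text):
    """Human-readable diff: '-' lines vanished, '+' lines are new, flagged where suspicious."""
    before, after = parse_hjt(before_text), parse_hjt(after_text)
    added, removed = diff_hjt(before, after)
    lines = [f"{before.scanned} -> {after.scanned} (HijackThis v{after.version})"]
    lines += [f"- {code} {detail}" for code, detail in removed]
    for code, detail in added:
        why = suspicious((code, detail))
        lines.append(f"+ {code} {detail}" + (f"   <-- {'; '.join(why)}" if why else ""))
    return lines


if __name__ == "__main__":
    print("\n".join(report(LOG_BEFORE, LOG_AFTER)))
```

Run against the full logs in this thread, the diff makes the pattern the helper is chasing visible in one screen: items the user fixed disappear, and the `res://` search-page entries reappear after the next reboot, which is exactly the "hidden reinstaller" the earlier post warns about.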

Hello Nocturnicus

 

Download Pcol.reg and place it the same folder as UnrealCW.

Could you download a new version of UnrealCW, unzip it (over the old files) and run it.

Type in the box 'ppodc.dll' (without quotes) and click CLSIDs. Wait for 'Ready' on the middle button.

Then type CTL.DLL in the box and click Delete.

The program will then ask you to reboot.

Before you do so, doubleclick Cleanup.reg, Pcol.reg, delppodc.reg and delctl.d.reg (the last three are in the same folder as UnrealCW), thereafter reboot.

 

In the folder of UnrealCW you will find a logfile 'UnrealCW.log'. Could you send that to my e-mail address (after the reboot)?

 

Also download the Killbox and the Hijack Fixer and unzip them to a folder.

_______

Wiskonst


Good Morning Wiskonst

 

I did everything you said and emailed you UnRealCW.log.

Since CWShredder found CWS.Searchx on my computer again I did another scan with hijackthis. Also, when I try to update CWShredder it still denies me access to the first place but is ok in the second. Is that alright? Here is the new log

 

Logfile of HijackThis v1.97.7

Scan saved at 9:01:17 AM, on 5/25/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\QuickTime\qttask.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe

C:\PROGRA~1\NORTON~1\navapw32.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe

C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\PROGRA~1\AWS\WEATHE~1\Weather.exe

C:\Program Files\FinePixViewer\QuickDCF.exe

C:\WINDOWS\System32\CTsvcCDA.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\AIM95\aim.exe

C:\Documents and Settings\Timo Sutton\Desktop\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [mswspl] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [Lexmark X84-X85 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe

O4 - HKLM\..\Run: [Lexmark X84-X85 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe

O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1

O4 - HKCU\..\Run: [spyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup

O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O9 - Extra button: AIM (HKLM)

O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by8fd.bay8.hotmail.msn.com/activex/HMAtchmt.ocx


Hello Nocturnicus

 

Thank you for the log.

 

There is a variant of Coolwebsearch that tries to hinder download of CWShredder, but normally it is not this one. What exactly are the two links you are using?

 

To permanently get rid of CWS.Searchx, use the Hijack Fixer (SpHjfix.exe).

Click 'Desinfection starten' (right button) and the program will ask you to reboot; do so.

During reboot you will see a window similar to the main window of Hijack Fixer.

Here click 'Desinfection abschliessen' (again right hand button). After a search the boot process will continue.

 

Then fix in Hijack This if it is still there:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

 

_______

Wiskonst


Hey Wiskonst

 

When I click on update CWShredder it first says Fetching from merijn.org. It then says unable to retrieve CWShredder update info, server may be unavailable. Then it downloads from spywareinfo.com and always works.

 

I ran Hijack Fixer and ran into a problem. After rebooting the program froze and stopped responding. I rebooted again and started Hijack Fixer again. It wouldn't let me start from the beginning, it was still on the "Desinfection abschliessen" menu and froze again. I tried this a few times with always the same results.

 

I fixed the line

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

from Hijack This but when I opened Internet Explorer my homepage was still about:blank

 

-Nocturnicus


My computer is also acting incredibly slow now. I mean it takes about 10min to completely load these forum pages. I just got a message saying I was low on virtual memory and that some programs would be denied memory while windows enlarged my virtual memory.


Wiskonst

 

My computer is also acting incredibly slow now. I mean it takes about 10 min to completely load these forum pages.

 

I just got a message saying I was low on virtual memory and that some programs would be denied memory while windows enlarged my virtual memory.

 

I ran Ad-Aware 6 and found 27 items on my computer. I deleted them all but it didn't change anything.

 

 

-Nocturnicus


Nocturnicus

 

The about:blank is now set to the default about:blank, which is all right.

 

The IP of merijn.org changes quite often lately. You had better not use the Update button (which has a static link) in CWShredder but one of these links:

- http://aumha.org/downloads/cwshredder.zip or

- http://home.wanadoo.nl/jfh.turin/mirror/cwshredder.zip.

 

First you might enlarge your virtual memory.

Open Control Panel (Start > Configuration > Control Panel) and choose the System icon. Go to the Advanced tab and click the upper button. Then choose to configure virtual memory. Choose a partition with enough space and set the minimum virtual memory to a quarter of physical memory, and the maximum to two to three times physical memory, at least several hundred MB.

When memory is set Windows will ask to reboot.

 

Then let's try a general cleanup:

Download The Cleaner and do a scan with it.

 

Then try one more time to delete CTL.DLL (which is the central file of the infection) which may not have been done properly by Hijack Fixer.

Run the Killbox.

In the box 'Paste full path of file to delete' copy and paste 'C:\Windows\System32\CTL.DLL' (without quotes). In the Action menu choose Delete on reboot. A panel 'PendingFileRenameOperations' opens. Here, in the File menu, choose Add File. The CTL.DLL file will be added. Now in the Action menu choose Process and Reboot.

When asked to reboot click OK.

 

Then please run Find_All.bat once more and post the result here.

_______

Wiskonst


Hey Wiskonst

 

I did everything you said in the last post. The Cleaner found and deleted three occurrences of the Trojan "ABetterInternet" and one occurrence of "CoolWebSearch".

 

I then ran Killbox and had it delete CTL.DLL (hopefully it worked this time)

 

Here is the log from Find_All

 

Possible bad file(s) found... (locked)

\\?\C:\WINDOWS\System32\CTL.DLL +++ File read error

REGEDIT4

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]

@="AP Class Install Handler filter"

"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]

@="AP Deflate Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]

@="AP GZIP Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]

@="AP lzdhtml encoding/decoding Filter"

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]

@="WebView MIME Filter"

"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

 

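The Find_All.bat output above is a REGEDIT4 export of HKEY_CLASSES_ROOT\PROTOCOLS\Filter, the key in which Internet Explorer registers its MIME filters and which this CWS variant is reported to abuse by adding a filter that loads its DLL. The Python below is an added example, not part of the original thread and not Find_All.bat's own logic: it parses such an export and flags any filter subkey that is not one of the five stock entries visible in the clean logs posted here. The KNOWN_GOOD table (built from those logs), the constructed sample exports and the placeholder CLSID in the hijacked sample are assumptions; the 'text/html' subkey in that sample reflects the reported behaviour of the variant, not anything taken from this thread's machine.

```python
import re

# Assumption: the stock Internet Explorer filters, exactly the five subkeys
# present in the clean logs posted in this thread (names lower-cased,
# CLSIDs upper-cased for comparison).
KNOWN_GOOD = {
    "class install handler": "{32B533BB-EDAE-11D0-BD5A-00AA00B92AF1}",
    "deflate": "{8F6B0360-B80D-11D0-A9B3-006097942311}",
    "gzip": "{8F6B0360-B80D-11D0-A9B3-006097942311}",
    "lzdhtml": "{8F6B0360-B80D-11D0-A9B3-006097942311}",
    "text/webviewhtml": "{733AC4CB-F1A4-11D0-B951-00A0C90312E1}",
}

FILTER_ROOT = r"HKEY_CLASSES_ROOT\PROTOCOLS\Filter"

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unquote(s):
    """Strip the double quotes and backslash escapes of a REGEDIT4 string."""
    s = s.strip()
    if len(s) >= 2 and s[0] == '"' and s[-1] == '"':
        s = s[1:-1]
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_regedit4(text):
    """Return {key_path: {value_name: value}}; default values use the name '@'."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] == ";" or line.startswith("REGEDIT"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else _unquote(m.group(1))
            keys[current][name] = _unquote(m.group(2))
    return keys


def suspicious_filters(export_text):
    r"""Return [(subkey, clsid, reason)] for every PROTOCOLS\Filter entry that
    is not a stock filter carrying its expected CLSID."""
    findings = []
    prefix = FILTER_ROOT.lower() + "\\"
    for key, values in parse_regedit4(export_text).items():
        if not key.lower().startswith(prefix):
            continue
        sub = key[len(prefix):]
        clsid = values.get("CLSID", "").upper()
        expected = KNOWN_GOOD.get(sub.lower())
        if expected is None:
            findings.append((sub, clsid, "not a stock filter subkey"))
        elif clsid != expected:
            findings.append((sub, clsid, "stock name but unexpected CLSID"))
    return findings


# Constructed sample: the clean export exactly as posted in this thread.
CLEAN_EXPORT = r"""REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"
"""

# Constructed sample: the same export with a hijacked text/html filter added.
# The CLSID is a placeholder, not an identifier taken from any real sample.
HIJACKED_EXPORT = CLEAN_EXPORT + r"""
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
@=""
"CLSID"="{00000000-0000-0000-0000-0000DEADBEEF}"
"""

if __name__ == "__main__":
    for sample in (CLEAN_EXPORT, HIJACKED_EXPORT):
        print(suspicious_filters(sample) or "no unexpected filters")
```

A hit on a non-stock subkey is only the starting point: the next step is to look up the reported CLSID under HKCR\CLSID\{...}\InprocServer32 to find which DLL it loads, which is how a file like CTL.DLL is tied back to the hijack.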

Nocturnicus

 

Alas it has not gone yet.

 

Again start Copy Lock.

Check 'Show Source Path' and 'Allow Downgrade' and click Add.

Choose Files to Rename. Browse to C:\Windows\System32. Type in the box below CLT.DLL and click Add. Does the proper name show up now in the Source box?

If so go ahead with Destination 'C:\Windows\System32\jump.txt', OK and Apply.

When asked to reboot, do so.

When it has succeeded, drag the file jump.txt to another folder.

 

Then please again run Find_All.bat and post the result here (only if CopyLock succeeded).

 

Could you give me the full path to the folder of UnrealCW?

 

You may also prepare installation of the Recovery Console.

If you have a Windows XP installation CD, insert it. Otherwise browse to the reinstallation folder on your hard disk. Search for the folder I386.

Go to Start > Run and type '<path to I386>\winnt32 /cmdcons' (without quotes, fill in the path to I386 you found).

The Recovery Console will be installed. We may need it if the attempts to delete CLT.DLL continue to fail.

_______

Wiskonst

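Both the 'Delete on reboot' step in the Killbox instructions earlier in this thread and the deferred rename that CopyLock performs across a reboot in the post just above depend on the same Windows mechanism: a call to MoveFileExW with MOVEFILE_DELAY_UNTIL_REBOOT records the request in the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager (the panel Killbox shows under that name), and the Session Manager carries it out early in the next boot, before the file's owner can lock it again. The Python below is an added example, not Killbox's or CopyLock's own code, and the assumption that CopyLock uses this mechanism is mine. It encodes and decodes the value's layout (source/destination pairs in \??\ NT path form, an empty destination meaning delete, a leading '!' meaning replace an existing destination) and, on Windows only, can queue an operation or list what is already queued.

```python
import ctypes
import sys

MOVEFILE_REPLACE_EXISTING = 0x1
MOVEFILE_DELAY_UNTIL_REBOOT = 0x4

PENDING_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager"
PENDING_VALUE = "PendingFileRenameOperations"


def to_nt_path(win_path):
    r"""Turn C:\Windows\System32\CTL.DLL into the \??\C:\... form that the
    Session Manager expects in the registry value."""
    if win_path.startswith("\\??\\"):
        return win_path
    return "\\??\\" + win_path


def encode_pending_ops(ops):
    r"""ops: list of (source, destination or None, replace_existing).
    Returns the REG_MULTI_SZ entries in the order the Session Manager reads
    them: source, then destination; "" means delete, a leading "!" means
    replace an existing destination."""
    out = []
    for src, dst, replace in ops:
        out.append(to_nt_path(src))
        if dst is None:
            out.append("")
        else:
            out.append(("!" if replace else "") + to_nt_path(dst))
    return out


def decode_pending_ops(strings):
    r"""Inverse of encode_pending_ops. For incident response: what is queued
    to be deleted or overwritten at the next boot?"""
    ops = []
    for i in range(0, len(strings) - 1, 2):
        src, dst = strings[i], strings[i + 1]
        if dst == "":
            ops.append((src, None, False))
        elif dst.startswith("!"):
            ops.append((src, dst[1:], True))
        else:
            ops.append((src, dst, False))
    return ops


def read_pending_ops():
    """Read the live queue from HKLM (Windows only)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, PENDING_KEY) as key:
        try:
            value, _kind = winreg.QueryValueEx(key, PENDING_VALUE)
        except FileNotFoundError:
            return []
    return decode_pending_ops(list(value))


def schedule_on_reboot(src, dst=None, replace=False):
    """Queue a delete (dst None) or a rename for the next boot through
    MoveFileExW. Needs administrator rights; Windows only."""
    flags = MOVEFILE_DELAY_UNTIL_REBOOT | (MOVEFILE_REPLACE_EXISTING if replace else 0)
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.MoveFileExW.argtypes = [ctypes.c_wchar_p, ctypes.c_wchar_p, ctypes.c_uint32]
    k32.MoveFileExW.restype = ctypes.c_bool
    if not k32.MoveFileExW(src, dst, flags):
        raise ctypes.WinError(ctypes.get_last_error())


if __name__ == "__main__":
    # The two operations from this thread, shown as the queue entries they
    # produce: Killbox's delete of CTL.DLL and CopyLock's rename to jump.txt.
    queue = encode_pending_ops([
        (r"C:\Windows\System32\CTL.DLL", None, False),
        (r"C:\Windows\System32\CTL.DLL", r"C:\Windows\System32\jump.txt", False),
    ])
    print(queue)
    if sys.platform == "win32":
        print(read_pending_ops())
```

The queue is worth reading on any machine being cleaned, not only writing to: the same mechanism lets malware delete or overwrite a security tool's files at the next boot, so an entry you did not put there is a finding in its own right.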

Hey Wiskonst

 

Copy Lock worked fine. I moved "jump.txt" to the desktop for now.

Should I delete it?

 

What do you mean by the full path to the folder UnrealCW?

Do you mean C:/Documents and Settings/Timo Sutton/Desktop/UnrealCW?

 

I have the installation CD for Windows XP if we need it.

 

Here's the log from Find_All.bat

 

Possible bad file(s) found... (locked)

REGEDIT4

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]

@="AP Class Install Handler filter"

"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]

@="AP Deflate Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]

@="AP GZIP Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]

@="AP lzdhtml encoding/decoding Filter"

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]

@="WebView MIME Filter"

"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

 

 

Thanks

-Nocturnicus


Hello Nocturnicus

 

It's gone!

 

Could you perform the same procedure with CopyLock for the file 'ppodc.dll' (also in folder C:\Windows\System32)? Give it any name you like, place it in another folder and delete it.

 

We need just an other Hijack This log to verify all remnants have been cleaned.

We don't need the Recovery Console at this moment.

The path to the UnrealCW folder is what I meant, thank you, but we won't need it either.

 

To be on the safe side as far as 'Abetterinternet' (found by The Cleaner) is concerned, download and run Kill2me.

 

To do me one more favour, could you send me 'jump.txt' and after that delete it?

_______

Wiskonst


hello Wiskonst

 

Sorry about taking so long to respond, I had a meeting about a design group I'm trying to put together.

 

Anyway, I ran CopyLock and it said the file 'ppodc.dll' did not exist. Hopefully that's a good thing!

 

I also ran Kill2Me and it said I was clean.

 

Here is the latest HijackThis log. After I'm done posting here I will email you "jump.txt". Man, I'm so happy it looks like this thing is finally gone. Thank you very much.

 

-Nocturnicus

 

Logfile of HijackThis v1.97.7

Scan saved at 8:10:40 PM, on 5/25/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\QuickTime\qttask.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe

C:\PROGRA~1\NORTON~1\navapw32.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe

C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\The Cleaner\tca.exe

C:\Program Files\The Cleaner\tcm.exe

C:\PROGRA~1\AWS\WEATHE~1\Weather.exe

C:\Program Files\FinePixViewer\QuickDCF.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe

C:\WINDOWS\System32\CTsvcCDA.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\explorer.exe

C:\Documents and Settings\Timo Sutton\Desktop\hijackthis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://v4.windowsupdate.microsoft.com/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [mswspl] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [Lexmark X84-X85 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe

O4 - HKLM\..\Run: [Lexmark X84-X85 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe

O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe

O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe

O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1

O4 - HKCU\..\Run: [spyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup

O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O9 - Extra button: AIM (HKLM)

O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by8fd.bay8.hotmail.msn.com/activex/HMAtchmt.ocx


Hey Wiskonst

 

I just checked my email and had a letter that had my email address as the sender with the title "Returned due to virus". Was that a return of the email I sent you? Just checking to see if you got it or not.


Nocturnicus

 

Your Hijack This log is clean.

 

How is your PC and internet traffic behaving at the moment?

 

Sorry about the wrong instructions on CopyLock I gave at first.

 

With your first e-mail (5/24/2004), which had an executable as an attachment, I got a warning from Hotmail that it could be unsafe. My fault, I should have told you to zip it first. You could send it through to another e-mail address of mine though. On the third one (jump.txt) I got no warning and it was received well. Thank you.

 

As a general precaution against this kind of hijackers I would recommend Spywareguard and Spywareblaster (both free). And of course a good firewall (Kerio Personal Firewall is free).

 

If any problems arise in the future feel free to post here again.

_______

Wiskonst


I had exactly the same issue. Followed these instruction and it looks like the problem is solved.

 

Wiskonst, are you interested in my DLL too? It was originally called SPQL.DLL but I managed to get rid of it too.

 

Rob


Roblzgti

 

In general it is not advisable to apply a remedy without knowing what variant of CWS you have. The different variants require different removal methods. But it seems you were lucky. You had best post a Hijack This log in a topic of your own for a final review.

_______

Wiskonst


Thank you Wiskonst

 

Unfortunately I had deleted those sent files a little after I sent them to you. Could this be a problem? Other than that, thank you for all the help. I'm going to uninstall all the programs we downloaded and install the ones you recommended.

 

Once again thanks

Nocturnicus


Nocturnicus

 

It is OK to delete the sent files.

 

Glad we could help!

_______

Wiskonst

 
