Peach

CoolWebSearch - More Stubborn Than Usual

35 posts in this topic

Hello. This is my first visit to this forum. I would like to say that I have read the disclaimer for posting topics here and the other necessary preliminaries.

 

About May 30 (I believe), a variant of CoolWebSearch slipped into my system. I have done many things necessary to eliminate this malware, but the best I've managed to do is temporarily remove it for the day.

 

I have the most recent version of Ad-Aware, which I have used to eliminate all bad registry keys and values. I have also used the most recent version of CWShredder (updated today) to check for any new variants that may have rooted themselves. CWShredder has removed any bad DLL files which have been placed in my system32 directory. "CWS.Searchx" is the variant which usually is regenerated. Also, more recently, "CWS.Msconfig" has been surfacing, and I'm not sure why. I have used these programs properly, by going into Safe Mode and running them with no browsers open.

 

Now for some additional details about my CoolWebSearch trojan. Usually I am able to eliminate it for a day, but it usually comes back at specific times the next day. Typically these times are 9:34 AM, 10:34 AM, 11:37 AM, and 12:37 PM. There may be new times that I am unaware of. My Installed Programs (Add/Remove Programs) and Startup Items (config.sys) appear to be clean of this malware.

 

Does anyone know why my variant simply refuses to be eliminated for good? Also, I need to know whether it's absolutely necessary to download HijackThis to solve this problem... Any help would be appreciated.

 

My relevant system stats are: Windows XP Home, Internet Explorer 6.0, and the most recent security patches have been installed.

 

EDIT:

 

I have the latest version of HijackThis, and can provide a log when requested. I believe that I read somewhere that it's preferred that logs aren't given until asked... Maybe that was just for Ad-Aware and Spy-Bot...

Edited by Peach


Okay, since others seem to be posting their logs even before being asked, I'm thinking that I may have misinterpreted one of the policies back there. This is my log from HijackThis. It's large, so I'm posting this in a new reply (here). Some of them I already recognize as malware. I do not know everything that needs to be eliminated to be sure that my CWS doesn't return. Note that there are two running processes of SVCHOST. I don't really know why. Additionally, I see Windows Messenger there, set to run in the background. Can I also remove that value so that I don't see it appear again when I reboot? I actually had my messenger completely gone from my system tray for months... It just recently returned...

 

EDIT: This is now a newer log file, after I cleaned out as much as I could on my own (after today's revival of the spyware).

 

Logfile of HijackThis v1.97.7

Scan saved at 1:20:21 AM, on 6/6/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\htpatch.exe

C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe

C:\WINDOWS\System32\CTHELPER.EXE

C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

C:\WINDOWS\System32\CTSvcCDA.EXE

C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\AdvTools\NPROTECT.EXE

C:\Program Files\ICQ\NDetect.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\system32\pctspk.exe

C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE

C:\Program Files\ICQ\Icq.exe

C:\Spy-Bot\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = "C:\Program Files\Outlook Express\msimn.exe"

O2 - BHO: (no name) - {0385D2FC-BDF3-4BEF-BBD7-27214E757715} - C:\WINDOWS\System32\hfkko.dll (file missing)

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {29446605-19B2-4F2B-AE4A-09C2E438812A} - C:\WINDOWS\System32\jehbcba.dll (file missing)

O2 - BHO: (no name) - {521D62DF-8E63-4563-A195-ACADCF9E8C82} - C:\WINDOWS\System32\nkfd.dll (file missing)

O2 - BHO: (no name) - {5DB0C86E-F4F8-46EA-ACB4-3AB9D132C34F} - C:\WINDOWS\System32\mmflia.dll (file missing)

O2 - BHO: (no name) - {9B84228D-B1F2-46D2-9596-B3C8B1C4E40B} - C:\WINDOWS\System32\agcccbe.dll (file missing)

O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [sBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe

O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE

O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL

O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [urlLSTCK.exe] C:\Program Files\Norton Internet Security Professional\UrlLstCk.exe

O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~2\NORTON~1\AdvTools\ADVCHK.EXE

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\NDetect.exe

O4 - HKCU\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [MtdAcq] C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE /s

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research (HKLM)

O9 - Extra button: AIM (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/d/4...0367/wmavax.CAB

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8013.9166898148

O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{8BBBF7BF-4503-494B-AE8B-53477EBB6B0E}: NameServer = 66.146.0.1,66.146.0.2

O17 - HKLM\System\CS1\Services\Tcpip\..\{8BBBF7BF-4503-494B-AE8B-53477EBB6B0E}: NameServer = 66.146.0.1,66.146.0.2

O17 - HKLM\System\CS2\Services\Tcpip\..\{8BBBF7BF-4503-494B-AE8B-53477EBB6B0E}: NameServer = 66.146.0.1,66.146.0.2

Edited by Peach


I'm not sure on the policy for bumping topics, but it's been two days since my first post, and this message is pretty deep.


CRITICAL UPDATE! Please read carefully.

 

CWS is half dead now, but it's still somewhat there. I still need help in removing it completely. Recently, Casino Online, which may be associated with CWS, has invaded my system. The culprit file appears to be CSRemndr.exe, which I have already removed as much as I could without help, but it does like to return much like CWS, only it can fully activate itself without running a browser or even being present. It appears that I may need help removing this from my system as well. I do not know if it is related to CWS at all. What's really strange is that I never really had these kinds of problems in the past. I've been an IE user for over 8 years. I'm not exactly in the position to change the browser either, so perhaps I should patch some stuff up by switching VM Java to Sun Java. Additionally, ever since my CWS problem, I've been having virtual memory problems. I'm thinking that it may be related. No matter what I set the minimum paging at, I eventually receive a low virtual memory alert. My system has also been working a bit too hard on some simpler programs...

 

I am including an updated log file to aid in the removal of my adware trojans (and anything else that might be causing problems, like Windows Messenger). Any assistance from an experienced individual would be appreciated.

 

Logfile of HijackThis v1.97.7

Scan saved at 2:07:46 AM, on 6/8/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\htpatch.exe

C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe

C:\WINDOWS\System32\CTHELPER.EXE

C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\ICQ\NDetect.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE

C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

C:\WINDOWS\System32\CTSvcCDA.EXE

C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\AdvTools\NPROTECT.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\system32\pctspk.exe

C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\Spy-Bot\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = "C:\Program Files\Outlook Express\msimn.exe"

O2 - BHO: (no name) - {0385D2FC-BDF3-4BEF-BBD7-27214E757715} - C:\WINDOWS\System32\hfkko.dll (file missing)

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {29446605-19B2-4F2B-AE4A-09C2E438812A} - C:\WINDOWS\System32\jehbcba.dll (file missing)

O2 - BHO: (no name) - {521D62DF-8E63-4563-A195-ACADCF9E8C82} - C:\WINDOWS\System32\nkfd.dll (file missing)

O2 - BHO: (no name) - {5DB0C86E-F4F8-46EA-ACB4-3AB9D132C34F} - C:\WINDOWS\System32\mmflia.dll (file missing)

O2 - BHO: (no name) - {9B84228D-B1F2-46D2-9596-B3C8B1C4E40B} - C:\WINDOWS\System32\agcccbe.dll (file missing)

O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [sBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe

O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE

O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL

O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [urlLSTCK.exe] C:\Program Files\Norton Internet Security Professional\UrlLstCk.exe

O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~2\NORTON~1\AdvTools\ADVCHK.EXE

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Remndr] "C:\Program Files\CasinoOnline\CsRemnd.exe"

O4 - HKCU\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\NDetect.exe

O4 - HKCU\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [MtdAcq] C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE /s

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research (HKLM)

O9 - Extra button: AIM (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/d/4...0367/wmavax.CAB

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8013.9166898148

O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{8BBBF7BF-4503-494B-AE8B-53477EBB6B0E}: NameServer = 66.146.0.1,66.146.0.2

O17 - HKLM\System\CS1\Services\Tcpip\..\{8BBBF7BF-4503-494B-AE8B-53477EBB6B0E}: NameServer = 66.146.0.1,66.146.0.2

O17 - HKLM\System\CS2\Services\Tcpip\..\{8BBBF7BF-4503-494B-AE8B-53477EBB6B0E}: NameServer = 66.146.0.1,66.146.0.2

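The two HijackThis logs above differ in a single O4 line, which is easy to miss when comparing them by eye. The Python below is an added example, not part of this thread and not part of HijackThis: it parses the numbered entries (O2, O4, O17) of a v1.97-style log, flags the patterns discussed in this thread (registered BHOs whose DLL is gone, Run values that name a bare executable resolved through the search path, NameServer values outside an allow-list), and reports which entries appeared between two scans. The embedded logs are constructed excerpts of the 6/6 and 6/8 logs posted above, and EXPECTED_DNS is an assumed allow-list that the machine's owner would fill in from their ISP's settings.

```python
"""Triage a HijackThis (v1.97-style) log and diff two scans.

Added example for this thread; not part of HijackThis or of any post here.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed excerpts of the 6/6/2004 and 6/8/2004 logs posted above.
LOG_JUNE_6 = r"""
O2 - BHO: (no name) - {0385D2FC-BDF3-4BEF-BBD7-27214E757715} - C:\WINDOWS\System32\hfkko.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{8BBBF7BF-4503-494B-AE8B-53477EBB6B0E}: NameServer = 66.146.0.1,66.146.0.2
"""
LOG_JUNE_8 = LOG_JUNE_6 + r'O4 - HKLM\..\Run: [Remndr] "C:\Program Files\CasinoOnline\CsRemnd.exe"' + "\n"

# Assumed allow-list: the resolvers the owner expects (taken from the ISP's settings).
EXPECTED_DNS = {"66.146.0.1", "66.146.0.2"}

ENTRY_RE = re.compile(r"^(?:R\d|F\d|N\d|O\d+) - ")
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)
RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<key>[^\]]*)\] (?P<cmd>.*)$")
NS_RE = re.compile(r"^O17 - (?P<key>.*): NameServer = (?P<servers>[\d.,]+)$")
ABS_PATH_RE = re.compile(r"^[A-Za-z]:\\")


@dataclass(frozen=True)
class Finding:
    rule: str
    line: str
    detail: str


def entries(log: str) -> list[str]:
    """Keep the numbered entries only; the header and process list are dropped."""
    return [ln.strip() for ln in log.splitlines() if ENTRY_RE.match(ln.strip())]


def run_target(cmd: str) -> str:
    """Executable named by a Run value: the quoted path, or else the first token."""
    return cmd.split('"')[1] if cmd.startswith('"') else cmd.split()[0]


def triage(log: str, expected_dns: set[str]) -> list[Finding]:
    findings: list[Finding] = []
    for ln in entries(log):
        if m := BHO_RE.match(ln):
            # A BHO with no name whose DLL is gone is a leftover registration
            # (the pattern this thread's CWS variant keeps regenerating).
            if m["missing"] and m["name"] == "(no name)":
                findings.append(Finding("orphaned-bho", ln,
                    f"{m['clsid']} still registered, DLL {m['path']} gone"))
            elif m["missing"]:
                findings.append(Finding("bho-file-missing", ln, m["path"]))
        elif m := RUN_RE.match(ln):
            # A bare executable is resolved through the search path at logon,
            # so the log line alone does not say which file actually runs.
            exe = run_target(m["cmd"])
            if not ABS_PATH_RE.match(exe):
                findings.append(Finding("run-relative-path", ln,
                    f"[{m['key']}] names {exe!r}; confirm which file that resolves to"))
        elif m := NS_RE.match(ln):
            unexpected = set(m["servers"].split(",")) - expected_dns
            if unexpected:
                findings.append(Finding("dns-unexpected", ln, ",".join(sorted(unexpected))))
    return findings


def new_entries(old_log: str, new_log: str) -> list[str]:
    """Entries in the newer scan that the older one did not have."""
    seen = set(entries(old_log))
    return [ln for ln in entries(new_log) if ln not in seen]


if __name__ == "__main__":
    for f in triage(LOG_JUNE_8, EXPECTED_DNS):
        print(f"{f.rule:18} {f.detail}")
    for ln in new_entries(LOG_JUNE_6, LOG_JUNE_8):
        print("NEW since 6/6:", ln)
```

A bare `nwiz.exe` or `RUNDLL32.EXE` in a Run value is not malicious by itself (Wiskonst confirms below that nwiz.exe is legitimate); the rule only says that which file the name resolves to has to be confirmed on disk, which is the one thing an O4 line cannot tell you.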

A bump and another update...

 

After it had been silent for a while, CWS returned with the bad DLL and all. Interestingly enough, the bad DLL was unknown to both Norton and CWShredder. I had to remove it manually. However, Ad-Aware terminated the associated bad registry entries. In addition, I took it into my own hands to use HijackThis to kill off hidden registry entries that I knew were bad, including the Casino Online one. However, I do not believe that my problem is solved. There must still be some bad files or registry entries listed in the above log which are reactivating CWS or Casino Online. Please be sure to read my above messages. I really am hoping to get these problems fixed before my college vacation is over...! Thanks.

 

EDIT:

 

I have always been suspicious of the nwiz.exe forced install as shown in my previous logs. Sure enough, XoftSpy detected it as a type of malware worm called Bat/Mumu-A (and I'm unable to remove it through XoftSpy because I do not have a registration with them). Here's the strange part: the file appears to have been created and modified one year ago (before the life of this computer), and it was signed by the NVIDIA Corporation. I have an NVIDIA video card, by the way. I am confused by this file.

Edited by Peach


Peach

 

To check for hidden reinstallers or remnants, download Find All and unzip it to a folder. Run Find_All.cmd by double-clicking on it. It will produce a text file. Post the text file here.

_______

Wiskonst


Thanks for getting back with me. This is the output log file from that program:

 

 

 

--==***@@@ 'FIND-ALL' »»*Original*»» VERSION *10 -6/08 @@@***==--

 

»»»»»»Find-All recent updates:»»»»»»

*Size of Windows key

*Winlogon\notify

*UserInit value

*Copy of 'hosts' file and *Loaded Modules (In \FilesList Subfolder)

*Versions of major keys and windows files

*list of active services and drivers (\'FilesList')

*Note:

If using 'Find-All' to clean, be sure to include the link to your

post in the forum!! (I keep recieving files I don't know where they came from...0-0...)

*Note: Reg backup restore will not work if current user

doesn't have 'Admin privileges'! (view »»Group/user section)

 

 

Wed Jun 09 14:32:15 2004 -- ++Results:

»»System Info:

 

Microsoft Windows XP [Version 5.1.2600]

'Find-All' is running from Drive:

C: "Peach's Hard Drive" (60D2:FBBB) - FS:NTFS clusters:4k

Total: 81 948 430 336 [76G] - Free: 66 166 288 384 [62G]

 

 

»»IE version and Service packs:

6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

--a-- W32i APP ENU 6.0.2800.1106 shp 91,136 08-29-2002 iexplore.exe

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings

MinorVersion REG_SZ ;SP1;Q818529;Q330994;Q824145;Q832894;Q837009;Q831167;

 

»»Google:

 

»»UserAgent:

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

 

 

»»Wmplayer version:

8.0.0.4487 C:\Program Files\Windows Media Player\wmplayer.exe

--a-- W32i APP ENU 8.0.0.4487 shp 520,192 08-29-2002 wmplayer.exe

6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

--a-- W32i APP ENU 6.4.9.1125 shp 4,639 08-29-2002 mplayer2.exe

 

»»M$Java version:

5.0.3810.0 C:\WINDOWS\System32\msjava.dll

--a-- W32i DLL ENU 5.0.3810.0 shp 947,472 02-28-2003 msjava.dll

 

»»NotePad(s) version(s):

5.1.2600.0 C:\WINDOWS\notepad.exe

--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-29-2002 notepad.exe

5.1.2600.0 C:\WINDOWS\System32\notepad.exe

--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-29-2002 notepad.exe

 

»» Regedit* version(s):

5.1.2600.1106 C:\WINDOWS\regedit.exe

--a-- W32i APP ENU 5.1.2600.1106 shp 134,144 08-29-2002 regedit.exe

5.1.2600.0 C:\WINDOWS\System32\regedt32.exe

--a-- W32i APP ENU 5.1.2600.0 shp 3,584 08-29-2002 regedt32.exe

 

 

»»PC uptime:

2:32pm up 0 days, 1:06

 

»»Locked or 'Suspect' file(s) found...

\\?\C:\WINDOWS\System32\SQL.DLL +++ File read error

\\?\C:\WINDOWS\System32\SQL.DLL +++ File read error

 

 

»»Tasks (services):

0 System Process

4 System

412 smss.exe

532 csrss.exe Title:

556 winlogon.exe Title: NetDDE Agent

636 services.exe Svcs: Eventlog,PlugPlay

648 lsass.exe Svcs: PolicyAgent,ProtectedStorage,SamSs

852 svchost.exe Svcs: RpcSs

912 svchost.exe Svcs: AudioSrv,Browser,CryptSvc,Dhcp,ERSvc,EventSystem,FastUserSwitchingCompatibility,

elpsvc,lanmanserver,lanmanworkstation,Netman,Nla,RasMan,Schedule,seclogon,SENS,S

ellHWDetection,srservice,TapiSrv,TermService,Themes,TrkWks,uploadmgr,W32Time,win

gmt,WmdmPmSp

1012 svchost.exe Svcs: Dnscache

1080 svchost.exe Svcs: LmHosts,SSDPSRV,WebClient

1532 ccSetMgr.exe Svcs: ccSetMgr

1540 explorer.exe Title: Program Manager

1588 ccEvtMgr.exe Svcs: ccEvtMgr

1812 LEXBCES.EXE Svcs: LexBceS

1844 htpatch.exe Title: test2

1920 spoolsv.exe Svcs: Spooler

1996 CTSysVol.exe Title: Creative Volume Control

2032 LEXPPS.EXE Title:

2036 CTHELPER.EXE Title: CtHelper - Apollo

172 CTDVDDET.exe Title: CTDVDDET

256 ccApp.exe Title:

1048 NDetect.exe Title: ICQ Agent

1224 CCPROXY.EXE Svcs: ccProxy

1236 MtdAcq.exe Title: ReFfInS

1364 CTSVCCDA.EXE Svcs: Creative Service for CDROM Access

1500 NAVAPSVC.EXE Svcs: navapsvc

1240 NPROTECT.EXE Svcs: NProtectService

1940 nvsvc32.exe Svcs: NVSvc

496 pctspk.exe Svcs: Pctspk

676 SAVScan.exe Svcs: SAVScan

1452 symlcsvc.exe Svcs: Symantec Core LC

1860 MsPMSPSv.exe Svcs: WMDM PMSP Service

356 SNDSrvc.exe Svcs: SNDSrvc

2420 IEXPLORE.EXE Title: SWI Forums -> CoolWebSearch - More Stubborn Than Usual - Microsoft Internet Explorer

3176 cmd.exe Title: C:\WINDOWS\System32\cmd.exe

3380 ntvdm.exe

3372 msmsgs.exe Title:

3452 tlist.exe

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=""

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

@=""

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9ECB9560-04F9-4bbc-943D-298DDF1699E1}]

@="Web assistant"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]

@="NAV Helper"

 

REGEDIT4

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]

@="AP Class Install Handler filter"

"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]

@="AP Deflate Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]

@="AP GZIP Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]

@="AP lzdhtml encoding/decoding Filter"

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]

@="WebView MIME Filter"

"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/xml]

"CLSID"="{807553E5-5146-11D5-A672-00B0D022E945}"

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"

"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"

"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"

"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(ID-NI) ALLOW Read BUILTIN\Users

(ID-IO) ALLOW Read BUILTIN\Users

(ID-NI) ALLOW Full access BUILTIN\Administrators

(ID-IO) ALLOW Full access BUILTIN\Administrators

(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

 

 

 

»»Size of 'Windows' key: (Default-450;No'AppInit'-398;*Fake-~448+!)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows\SYS:Microsoft\Windows NT\CurrentVersion\Windows : AppInit_DLLs

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ : AppInit_DLLs

 

»»Winlogon\notify:

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon

Size of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify: 5016

 

»»UserInit value:

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Userinit REG_SZ C:\WINDOWS\system32\userinit.exe,

 

5.1.2600.1106 C:\WINDOWS\System32\userinit.exe

--a-- W32i APP ENU 5.1.2600.1106 shp 22,016 08-29-2002 userinit.exe

 

»»Group/user settings:

 

 

User: [PEACHTOADSTOOL\Peach], is a member of:

 

BUILTIN\Administrators

\Everyone

PEACHTOADSTOOL\None

 

User is a member of group PEACHTOADSTOOL\None.

User is a member of group \Everyone.

User is a member of group BUILTIN\Administrators.

User is a member of group BUILTIN\Users.

User is a member of group \LOCAL.

User is a member of group NT AUTHORITY\INTERACTIVE.

User is a member of group NT AUTHORITY\Authenticated Users.

 

»»ACLs list:

C:\junkxxx BUILTIN\Administrators:(OI)(CI)F

NT AUTHORITY\SYSTEM:(OI)(CI)F

PEACHTOADSTOOL\Peach:F

CREATOR OWNER:(OI)(CI)(IO)F

BUILTIN\Users:(OI)(CI)R

BUILTIN\Users:(CI)(special access:)

 

FILE_APPEND_DATA

 

BUILTIN\Users:(CI)(special access:)

 

FILE_WRITE_DATA

 

 

ERROR: There are no more files.

 

 

»»File(s) in 'junkxxx' folder:

 

»»Md5sums

 

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+

Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/

 

 

0 bytes, 0 ms = 0.00 MB/sec

 

»»hosts file:

File not found - C:\WINDOWS\System32\Drivers\etc\hosts

------

»»Rehash:

 

»Strings found:

 

Wed Jun 09 14:32:49 2004 -- ++Find-All backups:

A C:\FindallwinBackup.hiv

--a-- - - - - - 8,192 06-09-2004 findallwinbackup.hiv

A C:\findallappinit.reg

--a-- - - - - - 632 06-09-2004 findallappinit.reg

A C:\Spy-Bot\Find-All\winBackup.hiv

A C:\Spy-Bot\Find-All\Fileslist\drivers.txt

A C:\Spy-Bot\Find-All\Fileslist\modules.txt

A C:\Spy-Bot\Find-All\Fileslist\services.txt

A C:\Spy-Bot\Find-All\Fileslist\windows.txt

 

***Next Registry run should open this key directly:

 

! REG.EXE VERSION 2.0

 

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit

LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

 


Peach

 

Lock the BHO keys as follows:

 

Go to Start > Run and type 'regedt32' (without quotes).

Select window 'HKEY_LOCAL_MACHINE'.

In the left pane browse to Software > Microsoft > Windows > CurrentVersion > Explorer by double-clicking on these items consecutively.

In Explorer select 'Browser Helper Objects'.

In menu Security choose Edit Permissions. A dialog appears.

The upper list pane must be empty. If it is not, select the lines one by one and click the Remove button at the right until the pane is empty.

Then click the Advanced button below. A second panel appears.

Here uncheck 'Inherit from parents the permissions ...' and click OK.

In the main dialog also uncheck 'Inherit from parents ...' and click OK.

Close Regedt32.

 

Then remove the central DLL as follows:

 

Download UnrealCW and unzip it to a folder.

Start UnrealCW.exe . In the box under 'DLL name' type 'SQL.DLL' (without quotes).

Click button Delete. A message should appear reading 'Pending removal ...\SQL.DLL'.

Now press the reset button on the computer case, thereby rebooting and skipping the Windows shutdown procedure.

Upon reboot let Scandisk finish.

When back in Windows please run Find_All.cmd again and post the result.

 

BTW nwiz.exe is legitimate (nVidia).

_______

Wiskonst

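Wiskonst's reply acts on two items in the Find-All output above: the `SQL.DLL` that Find-All lists under locked/suspect files, and the reported size of the `Windows` key (448) set against the reference sizes printed in the tool's own header line (450 with a default `AppInit_DLLs` value, 398 without one, about 448 or more when the value is hidden). The Python below is an added example, neither from this thread nor from Find-All's author, that pulls those facts out of an output file and applies the header's heuristic. The embedded text is a constructed excerpt of the 9 June output, and the section layout the regular expressions assume is taken from that excerpt only.

```python
"""Pull the AppInit_DLLs indicators out of a Find-All output file.

Added example for this thread; not part of Find-All or of any post here.
"""
from __future__ import annotations

import re

# Constructed excerpt of the 9 June 2004 Find-All output posted above.
FINDALL_EXCERPT = r"""
»»Locked or 'Suspect' file(s) found...
\\?\C:\WINDOWS\System32\SQL.DLL +++ File read error
\\?\C:\WINDOWS\System32\SQL.DLL +++ File read error

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"

»»Size of 'Windows' key: (Default-450;No'AppInit'-398;*Fake-~448+!)
Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448
"""

# Find-All prints unreadable files as \\?\<path> +++ File read error
LOCKED_RE = re.compile(r"^\\\\\?\\(?P<path>.+?) \+\+\+ File read error$", re.M)
APPINIT_RE = re.compile(r'^"AppInit_DLLs"="(?P<value>.*)"$', re.M)
SIZE_RE = re.compile(
    r"^Size of HKEY_LOCAL_MACHINE\\software\\microsoft\\Windows NT\\CurrentVersion\\Windows: (?P<size>\d+)$",
    re.M | re.I,
)
# Reference sizes Find-All states in its own section header
REF_RE = re.compile(r"Default-(?P<default>\d+);No'AppInit'-(?P<no_appinit>\d+)")


def locked_files(text: str) -> list[str]:
    """Paths Find-All could not read, de-duplicated in order of appearance."""
    return list(dict.fromkeys(m["path"] for m in LOCKED_RE.finditer(text)))


def appinit_value(text: str) -> str | None:
    """The AppInit_DLLs value as exported by REGEDIT4, or None if absent."""
    m = APPINIT_RE.search(text)
    return m["value"] if m else None


def windows_key_size(text: str) -> int | None:
    m = SIZE_RE.search(text)
    return int(m["size"]) if m else None


def reference_sizes(text: str) -> dict[str, int]:
    m = REF_RE.search(text)
    return {k: int(v) for k, v in m.groupdict().items()} if m else {}


def assess(text: str) -> list[tuple[str, str]]:
    """Apply the header's heuristic: an empty AppInit_DLLs export that still
    leaves the key at a non-reference size, plus a locked System32 file, is
    the combination worth a closer look."""
    findings: list[tuple[str, str]] = []
    sys32_locked = [p for p in locked_files(text) if "\\system32\\" in p.lower()]
    for p in sys32_locked:
        findings.append(("locked-system32-file", p))
    value, size, ref = appinit_value(text), windows_key_size(text), reference_sizes(text)
    size_anomaly = bool(value == "" and size is not None and ref and size not in ref.values())
    if size_anomaly:
        findings.append(("appinit-size-anomaly",
                         f"AppInit_DLLs reads empty but the key is {size} bytes "
                         f"(reference: {ref['default']} default, {ref['no_appinit']} without AppInit)"))
    if size_anomaly and sys32_locked:
        findings.append(("hidden-appinit-candidate", sys32_locked[0]))
    return findings


if __name__ == "__main__":
    for rule, detail in assess(FINDALL_EXCERPT):
        print(f"{rule:26} {detail}")
```

The size check is only as good as the reference numbers Find-All prints for that Windows version, which is why the example reads them from the header rather than hard-coding them; a key that matches neither reference size with an empty export is a reason to inspect, not a verdict.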

Wait... Let me be sure that I understand this correctly... Currently I have a window titled "Permissions for Browser Helper Objects" which contains the following in the upper pane:

 

Administrators (PEACHTOADSTOOL\Administrators)

CREATOR OWNER

(some odd non-binary code)

SYSTEM

Users (PEACHTOADSTOOL\Users)

 

You're wanting me to eliminate all of these? These appear to be critical components, but I'll do it if you verify that it's what you're suggesting should be expunged.

 

Additionally, the button on my tower is a shut-down button, which initiates the shut down sequence for Windows. I have to actually hold it down to skip the process and have a near-immediate power off. Also, ScanDisk (namely CheckDisk, since this is XP Home) will not run unless I set it up to.

 

Finally, why would nwiz.exe have to install every boot...?


Peach

 

The disabling of the holders of rights on the BHO keys is necessary to stop Coolwebsearch from spreading further and changing the name of its central DLL.

Disable them only on the BHO keys though.

We will restore the rights when Coolwebsearch is removed.

 

If your PC does not have a reset button, then use the shutdown button in such a way that the Windows shutdown procedure is skipped. The reason is this: UnrealCW adds a program to the Windows boot procedure that will delete the central DLL of Coolwebsearch. Some variants of CWS however might remove the deletion program again during the Windows shutdown procedure. Hence the hard reboot.

The run of Checkdisk is not necessary.

 

You may be right on nwiz.exe; it is not necessary to start it every boot.

You can fix the line in Hijack This.

_______

Wiskonst


I have done what you said, and I now have a new log from Find-All.

 

By the way, Windows Messenger resurfaced (because I did a force shutdown without unchecking the startup item), and some program is using it again, making it so that I cannot close it (I really hate that...there's no need for any program of mine to be using it).

 

I really hope that the removal of this malware will also fix my virtual memory problem... It's an issue that has arisen only recently...

 

--==***@@@ 'FIND-ALL' »»*Original*»» VERSION *10 -6/08 @@@***==--

 

»»»»»»Find-All recent updates:»»»»»»

*Size of Windows key

*Winlogon\notify

*UserInit value

*Copy of 'hosts' file and *Loaded Modules (In \FilesList Subfolder)

*Versions of major keys and windows files

*list of active services and drivers (\'FilesList')

*Note:

If using 'Find-All' to clean, be sure to include the link to your

post in the forum!! (I keep recieving files I don't know where they came from...0-0...)

*Note: Reg backup restore will not work if current user

doesn't have 'Admin privileges'! (view »»Group/user section)

 

 

Thu Jun 10 11:46:18 2004 -- ++Results:

»»System Info:

 

Microsoft Windows XP [Version 5.1.2600]

'Find-All' is running from Drive:

C: "Peach's Hard Drive" (60D2:FBBB) - FS:NTFS clusters:4k

Total: 81 948 430 336 [76G] - Free: 66 071 334 912 [62G]

 

 

»»IE version and Service packs:

6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

--a-- W32i APP ENU 6.0.2800.1106 shp 91,136 08-29-2002 iexplore.exe

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings

MinorVersion REG_SZ ;SP1;Q818529;Q330994;Q824145;Q832894;Q837009;Q831167;

 

»»Google:

 

»»UserAgent:

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

 

 

»»Wmplayer version:

8.0.0.4487 C:\Program Files\Windows Media Player\wmplayer.exe

--a-- W32i APP ENU 8.0.0.4487 shp 520,192 08-29-2002 wmplayer.exe

6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

--a-- W32i APP ENU 6.4.9.1125 shp 4,639 08-29-2002 mplayer2.exe

 

»»M$Java version:

5.0.3810.0 C:\WINDOWS\System32\msjava.dll

--a-- W32i DLL ENU 5.0.3810.0 shp 947,472 02-28-2003 msjava.dll

 

»»NotePad(s) version(s):

5.1.2600.0 C:\WINDOWS\notepad.exe

--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-29-2002 notepad.exe

5.1.2600.0 C:\WINDOWS\System32\notepad.exe

--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-29-2002 notepad.exe

 

»» Regedit* version(s):

5.1.2600.1106 C:\WINDOWS\regedit.exe

--a-- W32i APP ENU 5.1.2600.1106 shp 134,144 08-29-2002 regedit.exe

5.1.2600.0 C:\WINDOWS\System32\regedt32.exe

--a-- W32i APP ENU 5.1.2600.0 shp 3,584 08-29-2002 regedt32.exe

 

 

»»PC uptime:

11:46am up 0 days, 0:10

 

»»Locked or 'Suspect' file(s) found...

\\?\C:\WINDOWS\System32\SQL.DLL +++ File read error

\\?\C:\WINDOWS\System32\SQL.DLL +++ File read error

 

 

»»Tasks (services):

0 System Process

4 System

476 smss.exe

560 csrss.exe Title:

588 winlogon.exe Title: NetDDE Agent

672 services.exe Svcs: Eventlog,PlugPlay

684 lsass.exe Svcs: PolicyAgent,ProtectedStorage,SamSs

896 svchost.exe Svcs: RpcSs

1156 svchost.exe Svcs: AudioSrv,Browser,CryptSvc,Dhcp,ERSvc,EventSystem,FastUserSwitchingCompatibility,

elpsvc,lanmanserver,lanmanworkstation,Netman,Nla,RasMan,Schedule,seclogon,SENS,S

ellHWDetection,srservice,TapiSrv,TermService,Themes,TrkWks,uploadmgr,W32Time,win

gmt,WmdmPmSp

1300 svchost.exe Svcs: Dnscache

1312 svchost.exe Svcs: LmHosts,SSDPSRV,WebClient

1576 ccSetMgr.exe Svcs: ccSetMgr

1596 explorer.exe Title: Program Manager

1624 ccEvtMgr.exe Svcs: ccEvtMgr

1864 LEXBCES.EXE Svcs: LexBceS

1912 spoolsv.exe Svcs: Spooler

1948 LEXPPS.EXE Title:

200 htpatch.exe Title: test2

236 CTSysVol.exe Title: Creative Volume Control

252 CTHELPER.EXE Title: CtHelper - Apollo

248 CTDVDDET.exe Title: CTDVDDET

520 ccApp.exe Title:

716 NDetect.exe Title: ICQ Agent

1136 CCPROXY.EXE Svcs: ccProxy

1144 MtdAcq.exe Title: ReFfInS

1280 CTSVCCDA.EXE Svcs: Creative Service for CDROM Access

1508 msmsgs.exe Title:

1436 NAVAPSVC.EXE Svcs: navapsvc

1668 NPROTECT.EXE Svcs: NProtectService

548 nvsvc32.exe Svcs: NVSvc

696 pctspk.exe Svcs: Pctspk

712 SAVScan.exe Svcs: SAVScan

540 symlcsvc.exe Svcs: Symantec Core LC

1488 MsPMSPSv.exe Svcs: WMDM PMSP Service

1288 SNDSrvc.exe Svcs: SNDSrvc

2500 cmd.exe Title: C:\WINDOWS\System32\cmd.exe

2892 ntvdm.exe

2768 tlist.exe

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=""

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

 

REGEDIT4

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]

@="AP Class Install Handler filter"

"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]

@="AP Deflate Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]

@="AP GZIP Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]

@="AP lzdhtml encoding/decoding Filter"

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]

@="WebView MIME Filter"

"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/xml]

"CLSID"="{807553E5-5146-11D5-A672-00B0D022E945}"

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"

"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"

"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"

"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(ID-NI) ALLOW Read BUILTIN\Users

(ID-IO) ALLOW Read BUILTIN\Users

(ID-NI) ALLOW Full access BUILTIN\Administrators

(ID-IO) ALLOW Full access BUILTIN\Administrators

(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

 

 

 

»»Size of 'Windows' key: (Default-450;No'AppInit'-398;*Fake-~448+!)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows\SYS:Microsoft\Windows NT\CurrentVersion\Windows : AppInit_DLLs

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ : AppInit_DLLs

 

»»Winlogon\notify:

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon

Size of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify: 5016

 

»»UserInit value:

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Userinit REG_SZ C:\WINDOWS\system32\userinit.exe,

 

5.1.2600.1106 C:\WINDOWS\System32\userinit.exe

--a-- W32i APP ENU 5.1.2600.1106 shp 22,016 08-29-2002 userinit.exe

 

»»Group/user settings:

 

 

User: [PEACHTOADSTOOL\Peach], is a member of:

 

BUILTIN\Administrators

\Everyone

PEACHTOADSTOOL\None

 

User is a member of group PEACHTOADSTOOL\None.

User is a member of group \Everyone.

User is a member of group BUILTIN\Administrators.

User is a member of group BUILTIN\Users.

User is a member of group \LOCAL.

User is a member of group NT AUTHORITY\INTERACTIVE.

User is a member of group NT AUTHORITY\Authenticated Users.

 

»»ACLs list:

C:\junkxxx BUILTIN\Administrators:(OI)(CI)F

NT AUTHORITY\SYSTEM:(OI)(CI)F

PEACHTOADSTOOL\Peach:F

CREATOR OWNER:(OI)(CI)(IO)F

BUILTIN\Users:(OI)(CI)R

BUILTIN\Users:(CI)(special access:)

 

FILE_APPEND_DATA

 

BUILTIN\Users:(CI)(special access:)

 

FILE_WRITE_DATA

 

 

ERROR: There are no more files.

 

 

»»File(s) in 'junkxxx' folder:

 

»»Md5sums

 

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+

Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/

 

 

0 bytes, 0 ms = 0.00 MB/sec

 

»»hosts file:

File not found - C:\WINDOWS\System32\Drivers\etc\hosts

------

»»Rehash:

 

»Strings found:

 

Thu Jun 10 11:46:42 2004 -- ++Find-All backups:

A C:\FindallwinBackup.hiv

--a-- - - - - - 8,192 06-09-2004 findallwinbackup.hiv

A C:\findallappinit.reg

--a-- - - - - - 632 06-09-2004 findallappinit.reg

A C:\Spy-Bot\Find-All\winBackup.hiv

A C:\Spy-Bot\Find-All\Fileslist\drivers.txt

A C:\Spy-Bot\Find-All\Fileslist\modules.txt

A C:\Spy-Bot\Find-All\Fileslist\services.txt

A C:\Spy-Bot\Find-All\Fileslist\windows.txt

 

***Next Registry run should open this key directly:

 

! REG.EXE VERSION 2.0

 

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit

LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

 

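A way to read a Find-All log like the one just posted for the three things this thread turns on: a locked DLL under System32 that still gives 'File read error', the visible AppInit_DLLs value, and the size of the 'Windows' key measured against the note Find-All itself prints (Default-450; No'AppInit'-398; Fake-~448+). This is an added Python example, not part of the thread or of the Find-All tool; the log excerpts inside it are constructed from the logs posted here.

```python
"""Triage the CWS.Searchx indicators in a Find-All log (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Thresholds come from Find-All's own header line:
#   »»Size of 'Windows' key: (Default-450;No'AppInit'-398;*Fake-~448+!)
DEFAULT_WINDOWS_KEY_SIZE = 450   # clean key with an empty AppInit_DLLs value
NO_APPINIT_KEY_SIZE = 398        # AppInit_DLLs value absent altogether

# "\\?\C:\WINDOWS\System32\SQL.DLL +++ File read error"
LOCKED_RE = re.compile(r"^\\\\\?\\(?P<path>.+?) \+\+\+ File read error$")
# "Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448"
SIZE_RE = re.compile(
    r"^Size of HKEY_LOCAL_MACHINE\\software\\microsoft\\Windows NT"
    r"\\CurrentVersion\\Windows: (?P<size>\d+)$", re.IGNORECASE)
# '"AppInit_DLLs"=""' (casing varies between runs, so match case-insensitively)
APPINIT_RE = re.compile(r'^"(?P<name>appinit_dlls)"="(?P<value>.*)"$', re.IGNORECASE)


@dataclass
class FindAllTriage:
    locked_files: List[str] = field(default_factory=list)
    windows_key_size: Optional[int] = None
    appinit_name: Optional[str] = None     # value name exactly as the log shows it
    appinit_value: Optional[str] = None
    findings: List[str] = field(default_factory=list)

    @property
    def dll_still_present(self) -> bool:
        # Find-All could not read the file, so the DLL is still on disk and locked.
        return any(p.lower().endswith(".dll") for p in self.locked_files)


def triage_findall_log(text: str) -> FindAllTriage:
    t = FindAllTriage()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LOCKED_RE.match(line)
        if m:
            path = m.group("path")
            if path not in t.locked_files:    # Find-All prints each hit twice
                t.locked_files.append(path)
            continue
        m = SIZE_RE.match(line)
        if m:
            t.windows_key_size = int(m.group("size"))
            continue
        m = APPINIT_RE.match(line)
        if m:
            t.appinit_name = m.group("name")
            t.appinit_value = m.group("value")

    for path in t.locked_files:
        t.findings.append(f"locked file still on disk: {path}")
    if t.appinit_value:
        t.findings.append(f"visible AppInit_DLLs loads: {t.appinit_value}")
    if t.windows_key_size is None:
        t.findings.append("Windows key size not reported")
    elif t.windows_key_size == NO_APPINIT_KEY_SIZE:
        t.findings.append("AppInit_DLLs value is missing (key size 398)")
    elif t.windows_key_size != DEFAULT_WINDOWS_KEY_SIZE:
        # Visible value is empty but the key is not the default size: Find-All's
        # "Fake" case, i.e. an extra AppInit value that the .reg export does not show.
        t.findings.append(
            f"Windows key size {t.windows_key_size} != {DEFAULT_WINDOWS_KEY_SIZE}: "
            "extra AppInit value not shown by the export (Find-All's 'Fake' case)")
    return t


# Constructed excerpts modelled on the logs in this thread (before and after dllfix).
BEFORE_FIX = r"""
»»Locked or 'Suspect' file(s) found...
\\?\C:\WINDOWS\System32\SQL.DLL +++ File read error
\\?\C:\WINDOWS\System32\SQL.DLL +++ File read error
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
»»Size of 'Windows' key: (Default-450;No'AppInit'-398;*Fake-~448+!)
Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448
"""

AFTER_FIX = r"""
»»Locked or 'Suspect' file(s) found...
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"Appinit_Dlls"=""
Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450
"""

if __name__ == "__main__":
    for label, log in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        result = triage_findall_log(log)
        print(f"{label}: key size {result.windows_key_size}, "
              f"DLL present: {result.dll_still_present}")
        for finding in result.findings:
            print("  -", finding)
```

A clean run reports no findings and a key size of 450; the 448 plus the read error on SQL.DLL is what made the 'removal did not succeed' verdict in the next reply.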

By the way, I think that I have a new variant of CWS mixed in with the SearchX. A bad dll file was generated today that was unrecognized by CWShredder. I have the latest update from CWShredder too (unless a new one was released today)...


Peach

 

The removal of the DLL did not succeed.

We should remove the registry entries first.

 

Again run UnrealCW and type in the box 'SQL.DLL'.

Now click button CLSIDs and wait till the middle button reads 'Ready'.

In the folder of UnrealCW find file 'delSQL.d.reg'. Close all browser windows, double-click on it and confirm the registry merge. Then with text 'SQL.DLL' still in the box click button Delete.

Again I must ask you to do a hard reboot and to post the result of Find_All.cmd.

 

You can uninstall the MSN Messenger from Control Panel > Add/Remove Programs.

As for your virtual memory: have you tried setting the maximum value (at 2 to 4 times RAM)?

_______

Wiskonst


Okay, I followed your procedure exactly...

 

By the way: yes, my minimum virtual memory is set at double actual RAM and my maximum is set at quadruple actual RAM. Virtual memory was not a problem in the past... Oh, and it's Windows Messenger that has recently resurfaced, not MSN Messenger, so there is no entry in Add/Remove Programs for it.

 

--==***@@@ 'FIND-ALL' »»*Original*»» VERSION *10 -6/08 @@@***==--

 

»»»»»»Find-All recent updates:»»»»»»

*Size of Windows key

*Winlogon\notify

*UserInit value

*Copy of 'hosts' file and *Loaded Modules (In \FilesList Subfolder)

*Versions of major keys and windows files

*list of active services and drivers (\'FilesList')

*Note:

If using 'Find-All' to clean, be sure to include the link to your

post in the forum!! (I keep recieving files I don't know where they came from...0-0...)

*Note: Reg backup restore will not work if current user

doesn't have 'Admin privileges'! (view »»Group/user section)

 

 

Fri Jun 11 10:51:56 2004 -- ++Results:

»»System Info:

 

Microsoft Windows XP [Version 5.1.2600]

'Find-All' is running from Drive:

C: "Peach's Hard Drive" (60D2:FBBB) - FS:NTFS clusters:4k

Total: 81 948 430 336 [76G] - Free: 66 064 211 968 [62G]

 

 

»»IE version and Service packs:

6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

--a-- W32i APP ENU 6.0.2800.1106 shp 91,136 08-29-2002 iexplore.exe

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings

MinorVersion REG_SZ ;SP1;Q818529;Q330994;Q824145;Q832894;Q837009;Q831167;

 

»»Google:

 

»»UserAgent:

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

 

 

»»Wmplayer version:

8.0.0.4487 C:\Program Files\Windows Media Player\wmplayer.exe

--a-- W32i APP ENU 8.0.0.4487 shp 520,192 08-29-2002 wmplayer.exe

6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

--a-- W32i APP ENU 6.4.9.1125 shp 4,639 08-29-2002 mplayer2.exe

 

»»M$Java version:

5.0.3810.0 C:\WINDOWS\System32\msjava.dll

--a-- W32i DLL ENU 5.0.3810.0 shp 947,472 02-28-2003 msjava.dll

 

»»NotePad(s) version(s):

5.1.2600.0 C:\WINDOWS\notepad.exe

--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-29-2002 notepad.exe

5.1.2600.0 C:\WINDOWS\System32\notepad.exe

--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-29-2002 notepad.exe

 

»» Regedit* version(s):

5.1.2600.1106 C:\WINDOWS\regedit.exe

--a-- W32i APP ENU 5.1.2600.1106 shp 134,144 08-29-2002 regedit.exe

5.1.2600.0 C:\WINDOWS\System32\regedt32.exe

--a-- W32i APP ENU 5.1.2600.0 shp 3,584 08-29-2002 regedt32.exe

 

 

»»PC uptime:

10:51am up 0 days, 0:07

 

»»Locked or 'Suspect' file(s) found...

\\?\C:\WINDOWS\System32\SQL.DLL +++ File read error

\\?\C:\WINDOWS\System32\SQL.DLL +++ File read error

 

 

»»Tasks (services):

0 System Process

4 System

416 smss.exe

464 csrss.exe Title:

496 winlogon.exe Title: NetDDE Agent

544 services.exe Svcs: Eventlog,PlugPlay

556 lsass.exe Svcs: PolicyAgent,ProtectedStorage,SamSs

744 svchost.exe Svcs: RpcSs

792 svchost.exe Svcs: AudioSrv,Browser,CryptSvc,Dhcp,ERSvc,EventSystem,FastUserSwitchingCompatibility,

elpsvc,lanmanserver,lanmanworkstation,Netman,Nla,Schedule,seclogon,SENS,ShellHWD

tection,srservice,TermService,Themes,TrkWks,uploadmgr,W32Time,winmgmt,WmdmPmSp,w

auserv,WZCSV

896 svchost.exe Svcs: Dnscache

908 svchost.exe Svcs: LmHosts,WebClient

1108 ccSetMgr.exe Svcs: ccSetMgr

1132 explorer.exe Title: Program Manager

1152 ccEvtMgr.exe Svcs: ccEvtMgr

1356 LEXBCES.EXE Svcs: LexBceS

1420 spoolsv.exe Svcs: Spooler

1428 LEXPPS.EXE Title:

1636 CCPROXY.EXE Svcs: ccProxy

1660 htpatch.exe Title: test2

1716 CTSysVol.exe Title: Creative Volume Control

1736 CTHELPER.EXE Title: CtSpkHlp

1744 CTDVDDET.exe Title: CTDVDDET

1776 CTSVCCDA.EXE Svcs: Creative Service for CDROM Access

1844 ccApp.exe Title:

1956 NAVAPSVC.EXE Svcs: navapsvc

2024 NDetect.exe Title: ICQ Agent

236 MtdAcq.exe Title: ReFfInS

244 NPROTECT.EXE Svcs: NProtectService

476 nvsvc32.exe Svcs: NVSvc

620 pctspk.exe Svcs: Pctspk

1044 SAVScan.exe Svcs: SAVScan

1388 symlcsvc.exe Svcs: Symantec Core LC

1724 MsPMSPSv.exe Svcs: WMDM PMSP Service

3136 cmd.exe Title: C:\WINDOWS\System32\cmd.exe

3256 ntvdm.exe

3532 msmsgs.exe Title:

3664 tlist.exe

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=""

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

 

REGEDIT4

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]

@="AP Class Install Handler filter"

"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]

@="AP Deflate Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]

@="AP GZIP Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]

@="AP lzdhtml encoding/decoding Filter"

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]

@="WebView MIME Filter"

"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/xml]

"CLSID"="{807553E5-5146-11D5-A672-00B0D022E945}"

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"

"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"

"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"

"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(ID-NI) ALLOW Read BUILTIN\Users

(ID-IO) ALLOW Read BUILTIN\Users

(ID-NI) ALLOW Full access BUILTIN\Administrators

(ID-IO) ALLOW Full access BUILTIN\Administrators

(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

 

 

 

»»Size of 'Windows' key: (Default-450;No'AppInit'-398;*Fake-~448+!)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows\SYS:Microsoft\Windows NT\CurrentVersion\Windows : AppInit_DLLs

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ : AppInit_DLLs

 

»»Winlogon\notify:

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon

Size of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify: 5016

 

»»UserInit value:

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Userinit REG_SZ C:\WINDOWS\system32\userinit.exe,

 

5.1.2600.1106 C:\WINDOWS\System32\userinit.exe

--a-- W32i APP ENU 5.1.2600.1106 shp 22,016 08-29-2002 userinit.exe

 

»»Group/user settings:

 

 

User: [PEACHTOADSTOOL\Peach], is a member of:

 

BUILTIN\Administrators

\Everyone

PEACHTOADSTOOL\None

 

User is a member of group PEACHTOADSTOOL\None.

User is a member of group \Everyone.

User is a member of group BUILTIN\Administrators.

User is a member of group BUILTIN\Users.

User is a member of group \LOCAL.

User is a member of group NT AUTHORITY\INTERACTIVE.

User is a member of group NT AUTHORITY\Authenticated Users.

 

»»ACLs list:

C:\junkxxx BUILTIN\Administrators:(OI)(CI)F

NT AUTHORITY\SYSTEM:(OI)(CI)F

PEACHTOADSTOOL\Peach:F

CREATOR OWNER:(OI)(CI)(IO)F

BUILTIN\Users:(OI)(CI)R

BUILTIN\Users:(CI)(special access:)

 

FILE_APPEND_DATA

 

BUILTIN\Users:(CI)(special access:)

 

FILE_WRITE_DATA

 

 

ERROR: There are no more files.

 

 

»»File(s) in 'junkxxx' folder:

 

»»Md5sums

 

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+

Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/

 

 

0 bytes, 0 ms = 0.00 MB/sec

 

»»hosts file:

File not found - C:\WINDOWS\System32\Drivers\etc\hosts

------

»»Rehash:

 

»Strings found:

 

Fri Jun 11 10:52:13 2004 -- ++Find-All backups:

A C:\FindallwinBackup.hiv

--a-- - - - - - 8,192 06-09-2004 findallwinbackup.hiv

A C:\findallappinit.reg

--a-- - - - - - 632 06-09-2004 findallappinit.reg

A C:\Spy-Bot\Find-All\winBackup.hiv

A C:\Spy-Bot\Find-All\Fileslist\drivers.txt

A C:\Spy-Bot\Find-All\Fileslist\modules.txt

A C:\Spy-Bot\Find-All\Fileslist\services.txt

A C:\Spy-Bot\Find-All\Fileslist\windows.txt

 

***Next Registry run should open this key directly:

 

! REG.EXE VERSION 2.0

 

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit

LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

 


Peach

 

Sorry to reply late. Have been busy.

 

The deletion of the DLL still has not succeeded.

 

Download dllfix and unzip it to a folder (the file is a self-unzipper).

Run Start.bat by double-clicking.

Choose option 2 (Run Fix).

Then choose option 1 (Enter DLL name manually).

You will see the sentence: 'Enter full name and hit Enter C:\Windows\System32\'

At the end of the sentence at the red cursor type 'SQL.DLL' (without quotes) and hit the Enter key.

You will see a message 'Restart in 14 seconds'. Let the reboot go on.

During reboot you will see a DOS window. Folder C:\Windows\System32 is scanned in two passes.

 

After completion of the boot please post a new Find_All result plus the log.txt you find in the dllfix folder.

 

To disable Windows Messenger Service look here.

The virtual memory problems may have to do with CWS.

_______

Wiskonst

Edited by Wiskonst


This is the log file from DLL Fix. I'll post the Find-All log in a separate post.

 

As for the Windows Messenger thread, I actually saw that thread a while back. I was seeing it as related to the "Messenger" from the administrative services, which I disabled long ago. According to the thread, Windows Messenger is the same as MSN Messenger. Interesting. Well, this one came with XP Home. I'll read into the thread a little deeper at a later time...

 

CWSDLL/Searchx Appinit Fix By Shadowwar

Version 3.01 060504

Please Do not mirror Without Permission!

I can be contacted at spywaresubmit at aol.com

Sat 06/12/2004

02:58 AM

 

Backing up Registry Hive

 

The operation completed successfully

 

Deleting Windows Key

 

The operation completed successfully

 

Adding Test Windows Key

 

The operation completed successfully

 

Restoring temp Values Key

 

The operation completed successfully

 

Deleting Bad Appinit Value

 

The operation completed successfully

 

 

Backup of Modified Hiv

 

The operation completed successfully

 

Deleting test Windows key

 

The operation completed successfully

 

Deleting Filter text

Running from C:\Spy-Bot\dllfix

Scanning for Locked File

If this repeats 4 times than you may have another

Locked File not related to About:blank Hijack

Unlocking Locked File

 

C:\WINDOWS\System32\SQL.DLL

Scanning For main hijacker.

Processing File Manually

C:\WINDOWS\system32\SQL.DLL

Md5 Check of C:\WINDOWS\system32\SQL.DLL

 

Md5 tested As C185B36F9969D3A6D2122BA7CBC02249

Md5 matched known baddies.

Processing and Deleting File.

Processing ACL of: <\\?\C:\WINDOWS\system32\SQL.DLL>

 

SetACL finished successfully.

 

File was successfully Deleted.

Please Run Hijackthis or Cwshredder to finish cleanup.

 

 

Adding Back Windows Key

 

The operation completed successfully

 

Restoring Registry Hive

 

The operation completed successfully

 

 

Restoring Cleaned Appinit Value

 

The operation completed successfully


I believe that the same problem has occurred. Find-All can't seem to find SQL.DLL. Quite frankly, neither can I. However, the FixDLL log looked pretty good. However, I didn't run CWShredder nor HijackThis afterward. Should I have? (I use it a lot, actually, to keep the CWS at bay.)

 

--==***@@@ 'FIND-ALL' »»*Original*»» VERSION *10 -6/08 @@@***==--

 

»»»»»»Find-All recent updates:»»»»»»

*Size of Windows key

*Winlogon\notify

*UserInit value

*Copy of 'hosts' file and *Loaded Modules (In \FilesList Subfolder)

*Versions of major keys and windows files

*list of active services and drivers (\'FilesList')

*Note:

If using 'Find-All' to clean, be sure to include the link to your

post in the forum!! (I keep recieving files I don't know where they came from...0-0...)

*Note: Reg backup restore will not work if current user

doesn't have 'Admin privileges'! (view »»Group/user section)

 

 

Sat Jun 12 03:25:45 2004 -- ++Results:

»»System Info:

 

Microsoft Windows XP [Version 5.1.2600]

'Find-All' is running from Drive:

C: "Peach's Hard Drive" (60D2:FBBB) - FS:NTFS clusters:4k

Total: 81 948 430 336 [76G] - Free: 66 037 559 296 [62G]

 

 

»»IE version and Service packs:

6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

--a-- W32i APP ENU 6.0.2800.1106 shp 91,136 08-29-2002 iexplore.exe

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings

MinorVersion REG_SZ ;SP1;Q818529;Q330994;Q824145;Q832894;Q837009;Q831167;

 

»»Google:

 

»»UserAgent:

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

 

 

»»Wmplayer version:

8.0.0.4487 C:\Program Files\Windows Media Player\wmplayer.exe

--a-- W32i APP ENU 8.0.0.4487 shp 520,192 08-29-2002 wmplayer.exe

6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

--a-- W32i APP ENU 6.4.9.1125 shp 4,639 08-29-2002 mplayer2.exe

 

»»M$Java version:

5.0.3810.0 C:\WINDOWS\System32\msjava.dll

--a-- W32i DLL ENU 5.0.3810.0 shp 947,472 02-28-2003 msjava.dll

 

»»NotePad(s) version(s):

5.1.2600.0 C:\WINDOWS\notepad.exe

--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-29-2002 notepad.exe

5.1.2600.0 C:\WINDOWS\System32\notepad.exe

--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-29-2002 notepad.exe

 

»» Regedit* version(s):

5.1.2600.1106 C:\WINDOWS\regedit.exe

--a-- W32i APP ENU 5.1.2600.1106 shp 134,144 08-29-2002 regedit.exe

5.1.2600.0 C:\WINDOWS\System32\regedt32.exe

--a-- W32i APP ENU 5.1.2600.0 shp 3,584 08-29-2002 regedt32.exe

 

 

»»PC uptime:

3:25am up 0 days, 0:22

 

»»Locked or 'Suspect' file(s) found...

 

 

»»Tasks (services):

0 System Process

4 System

420 smss.exe

468 csrss.exe Title:

492 winlogon.exe Title: NetDDE Agent

536 services.exe Svcs: Eventlog,PlugPlay

548 lsass.exe Svcs: PolicyAgent,ProtectedStorage,SamSs

712 svchost.exe Svcs: RpcSs

760 svchost.exe Svcs: AudioSrv,Browser,CryptSvc,Dhcp,ERSvc,EventSystem,FastUserSwitchingCompatibility,

elpsvc,lanmanserver,lanmanworkstation,Netman,Nla,RasMan,Schedule,seclogon,SENS,S

ellHWDetection,srservice,TapiSrv,TermService,Themes,TrkWks,uploadmgr,W32Time,win

gmt,WmdmPmSp

872 svchost.exe Svcs: Dnscache

896 svchost.exe Svcs: LmHosts,SSDPSRV,WebClient

1012 ccSetMgr.exe Svcs: ccSetMgr

1072 explorer.exe Title: Program Manager

1112 ccEvtMgr.exe Svcs: ccEvtMgr

1272 LEXBCES.EXE Svcs: LexBceS

1300 spoolsv.exe Svcs: Spooler

1344 LEXPPS.EXE Title:

1444 CCPROXY.EXE Svcs: ccProxy

1472 CTSVCCDA.EXE Svcs: Creative Service for CDROM Access

1504 NAVAPSVC.EXE Svcs: navapsvc

1564 NPROTECT.EXE Svcs: NProtectService

1592 nvsvc32.exe Svcs: NVSvc

1604 pctspk.exe Svcs: Pctspk

1740 SAVScan.exe Svcs: SAVScan

1804 symlcsvc.exe Svcs: Symantec Core LC

1836 MsPMSPSv.exe Svcs: WMDM PMSP Service

1192 htpatch.exe Title: test2

864 CTSysVol.exe Title: Creative Volume Control

916 CTHELPER.EXE Title: CtHelper - Apollo

840 CTDVDDET.exe Title: CTDVDDET

912 ccApp.exe Title:

1792 NDetect.exe Title: ICQ Agent

1948 MtdAcq.exe Title: ReFfInS

2824 SNDSrvc.exe Svcs: SNDSrvc

3160 IEXPLORE.EXE Title: SWI Forums -> CoolWebSearch - More Stubborn Than Usual - Microsoft Internet Explorer

2164 cmd.exe Title: C:\WINDOWS\System32\cmd.exe

2768 ntvdm.exe

2584 msmsgs.exe Title:

756 tlist.exe

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

"Appinit_Dlls"=""

 

REGEDIT4

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]

@="AP Class Install Handler filter"

"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]

@="AP Deflate Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]

@="AP GZIP Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]

@="AP lzdhtml encoding/decoding Filter"

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]

@="WebView MIME Filter"

"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/xml]

"CLSID"="{807553E5-5146-11D5-A672-00B0D022E945}"

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"

"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"

"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"

"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(ID-NI) ALLOW Read BUILTIN\Users

(ID-IO) ALLOW Read BUILTIN\Users

(ID-NI) ALLOW Full access BUILTIN\Administrators

(ID-IO) ALLOW Full access BUILTIN\Administrators

(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

 

 

 

»»Size of 'Windows' key: (Default-450;No'AppInit'-398;*Fake-~448+!)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows\SYS:Microsoft\Windows NT\CurrentVersion\Windows : AppInit_DLLs

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ : Appinit_Dlls

 

»»Winlogon\notify:

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon

Size of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify: 5016

 

»»UserInit value:

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Userinit REG_SZ C:\WINDOWS\system32\userinit.exe,

 

5.1.2600.1106 C:\WINDOWS\System32\userinit.exe

--a-- W32i APP ENU 5.1.2600.1106 shp 22,016 08-29-2002 userinit.exe

 

»»Group/user settings:

 

 

User: [PEACHTOADSTOOL\Peach], is a member of:

 

BUILTIN\Administrators

\Everyone

PEACHTOADSTOOL\None

 

User is a member of group PEACHTOADSTOOL\None.

User is a member of group \Everyone.

User is a member of group BUILTIN\Administrators.

User is a member of group BUILTIN\Users.

User is a member of group \LOCAL.

User is a member of group NT AUTHORITY\INTERACTIVE.

User is a member of group NT AUTHORITY\Authenticated Users.

 

»»ACLs list:

C:\junkxxx BUILTIN\Administrators:(OI)(CI)F

NT AUTHORITY\SYSTEM:(OI)(CI)F

PEACHTOADSTOOL\Peach:F

CREATOR OWNER:(OI)(CI)(IO)F

BUILTIN\Users:(OI)(CI)R

BUILTIN\Users:(CI)(special access:)

 

FILE_APPEND_DATA

 

BUILTIN\Users:(CI)(special access:)

 

FILE_WRITE_DATA

 

 

ERROR: There are no more files.

 

 

»»File(s) in 'junkxxx' folder:

 

»»Md5sums

 

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+

Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/

 

 

0 bytes, 0 ms = 0.00 MB/sec

 

»»hosts file:

File not found - C:\WINDOWS\System32\Drivers\etc\hosts

------

»»Rehash:

 

»Strings found:

 

Sat Jun 12 03:26:00 2004 -- ++Find-All backups:

A C:\FindallwinBackup.hiv

--a-- - - - - - 8,192 06-09-2004 findallwinbackup.hiv

A C:\findallappinit.reg

--a-- - - - - - 632 06-09-2004 findallappinit.reg

A C:\Spy-Bot\Find-All\winBackup.hiv

A C:\Spy-Bot\Find-All\Fileslist\drivers.txt

A C:\Spy-Bot\Find-All\Fileslist\modules.txt

A C:\Spy-Bot\Find-All\Fileslist\services.txt

A C:\Spy-Bot\Find-All\Fileslist\windows.txt

 

***Next Registry run should open this key directly:

 

! REG.EXE VERSION 2.0

 

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit

LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

 


Peach

 

All right, SQL.DLL has gone.

 

Now please do a run with CWShredder in Safe Mode (Fix button). And still in Safe Mode a scan with Ad Aware.

This should clear out any remnants.

 

Then in normal mode produce a Hijack This log.

 

Windows Messenger Service is, as you earlier said, not the same as MSN Messenger (I earlier didn't know which one you meant). WMS is responsible for popups coming directly over the internet. You can disable it as per the instructions on the page I pointed to, but you would not have it locally then (sometimes, f.i., the printer uses the service to warn when you're low on ink or paper). To disable only the internet messages you need a firewall and close ports 135 to 139 and 1026.

You earlier disabled WMS, but it is possible one of the hijackers switched it back on again. It should be solved once the Hijack This log is clean.

_______

Wiskonst


That seemed to work nicely. The program located the core and revealed it, and Ad-Aware detected it and cleaned it out. I also cleared out the quarantined items to be sure that it won't return...

 

If perchance the hijacker is gone, you might want to stick around for the next couple days to be sure that it doesn't return. This one has been tricky like that...

 

I have a few more things to mention, but first, the Hijack This log...

 

Logfile of HijackThis v1.97.7

Scan saved at 11:27:51 AM, on 6/12/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

C:\WINDOWS\System32\CTSvcCDA.EXE

C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\AdvTools\NPROTECT.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\system32\pctspk.exe

C:\WINDOWS\htpatch.exe

C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe

C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe

C:\WINDOWS\System32\CTHELPER.EXE

C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\ICQ\NDetect.exe

C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Spy-Bot\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Peach\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Peach\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Peach\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Peach\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Peach\LOCALS~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Peach\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = "C:\Program Files\Outlook Express\msimn.exe"

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [sBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe

O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE

O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL

O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [urlLSTCK.exe] C:\Program Files\Norton Internet Security Professional\UrlLstCk.exe

O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~2\NORTON~1\AdvTools\ADVCHK.EXE

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKCU\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\NDetect.exe

O4 - HKCU\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE

O4 - HKCU\..\Run: [MtdAcq] C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE /s

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research (HKLM)

O9 - Extra button: AIM (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/d/4...0367/wmavax.CAB

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8013.9166898148

O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{8BBBF7BF-4503-494B-AE8B-53477EBB6B0E}: NameServer = 66.146.0.1,66.146.0.2

O17 - HKLM\System\CS1\Services\Tcpip\..\{8BBBF7BF-4503-494B-AE8B-53477EBB6B0E}: NameServer = 66.146.0.1,66.146.0.2

O17 - HKLM\System\CS2\Services\Tcpip\..\{8BBBF7BF-4503-494B-AE8B-53477EBB6B0E}: NameServer = 66.146.0.1,66.146.0.2
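The R0/R1 lines in the log above all point Internet Explorer's search pages at a local file in the user's Temp folder, and several O4 Run entries name an executable without a path. The script below is an added example (not part of this thread, nor of HijackThis itself) that triages HijackThis-style log lines for exactly those two patterns. The sample log is constructed from lines copied from the post above; the `Finding` type, the function names and the detection rules are the example's own, not anything HijackThis provides.

```python
import re
from typing import List, NamedTuple

# Constructed sample: lines copied from the HijackThis log posted above,
# plus benign entries from the same log for contrast.
SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Peach\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Peach\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Peach\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = "C:\Program Files\Outlook Express\msimn.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O17 - HKLM\System\CCS\Services\Tcpip\..\{8BBBF7BF-4503-494B-AE8B-53477EBB6B0E}: NameServer = 66.146.0.1,66.146.0.2
"""


class Finding(NamedTuple):
    section: str   # HijackThis section code, e.g. "R1" or "O4"
    subject: str   # registry value name (R lines) or Run-entry name (O4 lines)
    reason: str


# "R1 - <key> = <value>" / "O4 - HKLM\..\Run: [name] command"
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+)\s+-\s+(?P<rest>.+)$")
RUN_RE = re.compile(r"\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")
# Temp folder in either long or 8.3 form (LOCALS~1\Temp)
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)


def _first_token(cmd: str) -> str:
    """Executable image of a Run command, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage_hjt_log(text: str) -> List[Finding]:
    """Return one Finding per suspicious R0/R1 or O4 line."""
    findings: List[Finding] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        sec, rest = m.group("sec"), m.group("rest")
        if sec in ("R0", "R1") and " = " in rest:
            key, value = rest.split(" = ", 1)
            # A search page served from a local file is the classic CWS sp.html hijack.
            if value.lower().startswith("file://"):
                findings.append(Finding(sec, key, "search/start page is a local file"))
            elif TEMP_RE.search(value):
                findings.append(Finding(sec, key, "search/start page lives in a temp folder"))
        elif sec == "O4":
            r = RUN_RE.search(rest)
            # A bare image name is resolved through the search path at logon,
            # so a same-named file dropped earlier in the path would win.
            if r and "\\" not in _first_token(r.group("cmd")):
                findings.append(Finding(sec, r.group("name"),
                                        "startup image has no path; resolved via search path"))
    return findings


if __name__ == "__main__":
    for f in triage_hjt_log(SAMPLE_HJT_LOG):
        print(f"{f.section:<3} {f.subject}: {f.reason}")
```

Run on the sample it reports the three sp.html search-page lines and the two Run entries (CTHelper, AsioReg) whose image is given without a directory; the quoted ccApp path and the Outlook Express Shellnext entry pass. Entries that are flagged still need a human look (CTHELPER.EXE here is a legitimate Creative component), but this is the short list a helper would want before deciding what to tick in the Fix dialog.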


I always wondered how bad tracking cookies really are. It's something that almost everyone automatically downloads on a regular basis, but I don't know just how much privacy is compromised with them.

 

Now, we'll need to be sure that I'm protected against future hijacking. I'm assuming that I need to remove VM and replace it with Sun Java? I already downloaded the critical updates from Microsoft. Is that enough, or should I be doing more? Also, take note that I have Norton Internet Security Professional. If I should be using its firewall to guard against future attacks, let me know. Oh, and the NetBIOS and NetBIOS Name incoming ports are already blocked...


Peach

 

The cleaning up is not yet complete; there are still remnants of CWS.

The removal from the registry of references to the CWS files can be done with UnrealCW.

Start UnrealCW and type in the box 'hfkko.dll', click the CLSID button and wait for 'Ready'. Then in the UnrealCW folder find file delhfkko.reg, double-click it and confirm the merge.

Do the same with the following DLLs and .reg files:

- jehbcba.dll deljehbc.reg

- nkfd.dll delnkfd.reg

- mmflia.dll delmmfli.reg

- agcccbe.dll delagccc.reg

Exit UnrealCW.

 

In the temp folder there is still the sp.html belonging to CWS.

 

Fix from Hijack This:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Peach\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Peach\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Peach\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Peach\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Peach\LOCALS~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Peach\LOCALS~1\Temp\sp.html

 

Do this by closing all browser windows, placing a checkmark in front of the above items and clicking the Fix-button.

 

Then remove all files from

C:\DOCUME~1\Peach\LOCALS~1\Temp

If some files cannot be deleted because they are in use delete them in Safe Mode.

 

It is best to also clean the other temporary folders:

- C:\Windows\Temp

- C:\Windows\Temporary Internet Files

 

With that the cleanup should be complete.

 

We will restore the BHO keys we locked in the beginning.

Start Regedt32 and browse to the key

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer.

Select Browser Helper Objects. In menu Security choose Permissions.

In the dialog click the Advanced button and in the Advanced panel check 'Inherit from parents ...'. Click Apply. In the list pane above, the same list of permission holders should appear as was previously there.

Click OK and on the main panel also check 'Inherit ...'. Click OK and close Regedt32.

 

Most tracking cookies only track your surfing behaviour, but that can be reason enough to refuse them.

A free cookie manager is AnalogX Cookiewall.

 

As a general precaution against hijackers we recommend Spywareguard and Spywareblaster (both free). Spywareblaster can block installation of a number of hijackers, among which most variants of Coolwebsearch.

 

To replace MS Java with Sun Java is certainly advisable. Find instructions to do so here.

 

For ports to be closed in the firewall see this list of ports used by trojans.

 

Success

 

PS Can you send me the UnrealCW logfile (UnrealCW.log)? Use the e-mail link in my profile.

_______

Wiskonst
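Both the RegDACL listing for the 'Windows' key in the Find-All log earlier in the thread and the BHO-key permission restore described in this post come down to the same question: who holds write access on a key that a hijacker would like to own, and is the key still readable at all. The script below is an added example (not part of the thread, not RegDACL's or Regedt32's own code) that parses RegDACL's "Access Control List" block and flags the two states a helper cares about: a non-administrative principal with write rights, and a key with no ACEs (what a deliberately locked key looks like). The first sample is the listing posted in the thread; the other two are constructed hypothetical listings for contrast.

```python
import re
from typing import Dict, List, Set

# Constructed sample: the RegDACL "Access Control List" block posted earlier in
# this thread for the 'Windows' key, reproduced as a known-good baseline.
SAMPLE_ACL_OK = (
    "Access Control List for Registry key hklm\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows:\n"
    "(ID-NI) ALLOW Read BUILTIN\\Users\n"
    "(ID-IO) ALLOW Read BUILTIN\\Users\n"
    "(ID-NI) ALLOW Full access BUILTIN\\Administrators\n"
    "(ID-IO) ALLOW Full access BUILTIN\\Administrators\n"
    "(ID-NI) ALLOW Full access NT AUTHORITY\\SYSTEM\n"
    "(ID-IO) ALLOW Full access NT AUTHORITY\\SYSTEM\n"
    "(ID-IO) ALLOW Full access CREATOR OWNER\n"
)

# Constructed, hypothetical sample: the same key after every user has been
# granted Full access. Not taken from the thread.
SAMPLE_ACL_BAD = (
    "Access Control List for Registry key hklm\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows:\n"
    "(ID-NI) ALLOW Full access BUILTIN\\Users\n"
    "(ID-NI) ALLOW Full access BUILTIN\\Administrators\n"
    "(ID-NI) ALLOW Full access NT AUTHORITY\\SYSTEM\n"
)

# Constructed, hypothetical sample: a key with no ACEs at all, which is what a
# locked Browser Helper Objects key would look like in this format.
SAMPLE_ACL_LOCKED = (
    "Access Control List for Registry key hklm\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects:\n"
)

# Rights keywords as RegDACL prints them; "Full access" must be matched as a
# unit so the principal that follows it is captured whole.
RIGHTS = ("Full access", "Read", "Write", "Special")

ACE_RE = re.compile(
    r"^\((?P<flags>[^)]*)\)\s+(?P<type>ALLOW|DENY)\s+"
    r"(?P<right>" + "|".join(re.escape(r) for r in RIGHTS) + r")\s+(?P<who>.+?)\s*$"
)

# Principals that legitimately hold write rights on HKLM system keys.
TRUSTED_WRITERS = {"BUILTIN\\Administrators", "NT AUTHORITY\\SYSTEM", "CREATOR OWNER"}
WRITE_RIGHTS = {"Full access", "Write"}


def parse_regdacl(text: str) -> Dict[str, Set[str]]:
    """Return {principal: set of ALLOWed rights} from a RegDACL ACL listing.

    The (ID-NI)/(ID-IO) flags only say whether an inherited ACE applies to the
    key itself or to its subkeys; for "who can write here" both count.
    DENY entries are skipped: the baseline in the thread has none.
    """
    acl: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m or m.group("type") != "ALLOW":
            continue
        acl.setdefault(m.group("who"), set()).add(m.group("right"))
    return acl


def audit_key_acl(acl: Dict[str, Set[str]]) -> List[str]:
    """Findings a helper would want to see before declaring a key clean."""
    findings: List[str] = []
    if not acl:
        findings.append("key has no ACEs (locked or unreadable)")
        return findings
    for who, rights in sorted(acl.items()):
        if rights & WRITE_RIGHTS and who not in TRUSTED_WRITERS:
            findings.append(f"{who} can write ({', '.join(sorted(rights))})")
    for who in ("BUILTIN\\Administrators", "NT AUTHORITY\\SYSTEM"):
        if "Full access" not in acl.get(who, set()):
            findings.append(f"{who} lacks Full access")
    return findings


if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_ACL_OK), ("bad", SAMPLE_ACL_BAD), ("locked", SAMPLE_ACL_LOCKED)):
        print(name, audit_key_acl(parse_regdacl(sample)) or ["clean"])
```

The baseline from the thread audits clean (Users read-only, Administrators and SYSTEM full), the hypothetical second listing is flagged because BUILTIN\Users can write, and the empty listing is reported as locked. That last case is the state the Regedt32 steps above undo: once 'Inherit from parents' is re-checked, a RegDACL listing of the BHO key should again show the parent's ACEs and pass the same audit.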


Okay, I took care of unrecognized files in the C:\WINDOWS\TEMP directory, but as for the files within Documents and Settings, is there anything that should remain? I mean, I don't want to lose cookies that I actually do use, nor my History components...

 

I haven't gone any further from this point... I'm awaiting any word from you...

 

Oh, and that site for a list of ports... I don't understand much German, and AltaVista's Babelfish isn't very good at translating... Should I just block ALL of those? Also, Norton's firewall stealths unused ports, making them invisible from the outside...

 

EDIT:

 

I want to say that I appreciate the help that you have provided me.

Edited by Peach


Peach

 

The files in C:\Documents and Settings\<name>\Local Settings\Temp are all disposable.

Find your cookies in C:\Documents and Settings\<name>\Cookies and

your history in C:\Documents and Settings\<name>\Local Settings\History.

If these folders are not set right look in the Registry Editor under key

HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Explorer\Shell folders.

 

Sorry about not being clear on the list of ports: all of them are used by trojans or hacker programs. So they should be either closed or set to stealth (on port 21 make an exception for your FTP program). If Norton has already done so, OK.

You can do a leaktest if you want.

_______

Wiskonst


There's a problem. The "Inherit from Parents" has already re-checked itself, and there are no permissions. I receive two different errors... The first error is when I try to click on Browser Helper Objects. It says, "Cannot open Browser Helper Objects: Error while opening key." The second error is when I try to go to permissions. It says that I cannot view the permissions, but I can change them...

 

I'm having an idea of what I need to do to fix this, but since I'm not heavily experienced in this part, I'm going to wait until you tell me what needs to be done... Basically, given your current instructions, things aren't returning to normal...


Peach

 

Download Registrar Lite (link "download") and install it.

Log into Windows XP as Administrator and run Registrar Lite.

Browse to the Browser Helper Objects key (click on the plus-signs) and select it.

In menu Security choose Take Ownership. Confirm on the message "You have successfully ...".

Start Regedt32 (still logged in as Administrator) and perform the unlocking of the BHO keys, first on the Advanced panel. If the 'Inherit ...' box is already checked, first uncheck it; a dialog will appear with, a.o., a button Copy. Click that and the list of right-holders should appear. Now check the 'Inherit ...' box and click OK. On the main panel select all entries in the list pane and at the 'Full Access' item check the left box.

That should work.

_______

Wiskonst


I'm unable to switch to "Administrator" because this is the main administrator account. Administrator only shows up when going into Safe Mode. Everything seems to be in order, though.

 

Thanks awfully for all of your help. CWS hasn't returned since the purge a couple days ago. Also, my virtual memory problems appear to be fixed. CWS caused a lot of trouble! If only Norton would put more priority in removing malware trojans...

 

I will soon look into the additional program links that you have provided. I have a couple issues that I have been wondering about, if you don't mind...

 

For a long while, I've had some bizarre View problems for Windows Explorer. Typically I like "List" for viewing my files, and "Icons" for Control Panel. The Folder Options appear to have the correct settings. What made sense to me is that all folders would be applied with "List" view and Control Panel would be changed to "Icon" view without applying to all other folders. "Remember each folder's view settings" is checked accordingly. However, Control Panel likes to return to "List" view after a reboot. I'm not sure why. What's even more strange is that once in a while, a random folder will become a random view that I never use, like "Details" or "Thumbnails."

 

Also, after a year of using XP, I never found a way to have Explorer memorize my starting directory (I like to start in the C drive, not My Documents)... After taking a PC class you'd think that I'd know all this stuff. LOL...


Peach

 

Everything seems to be in order, though.

Yes, but if at some time you want to add a BHO of your own choice, you will not be able to do so with the BHO keys locked.

You could try the same procedure logged in as yourself with administrator rights.

The step of taking ownership in Registrar Lite is important.

 

Also, in Windows 2000, Explorer seems to remember the 'Each folder view settings' only for a limited number of folders.

For the Control Panel try setting the view to the view you want, then close the Panel before shutting down Windows (some windows only save their settings at closing time).

It was Microsoft's choice to program it that way.

 

For the Explorer to open with a specified folder opened, change the command line parameters in the shortcut.

Right-click on the shortcut, choose properties.

In the first box type:

C:\Windows\Explorer /e,<folder>

for instance C:\Windows\Explorer /e,D:\images

 

Good luck

_______

Wiskonst


http://www.spywareinfo.com/~merijn/cwschronicles.html This is where the article on CWS and its evolution is. There you will find the SearchX article, immediately followed by a short article on "yellowpagesearch", which is coupled w/ SearchX and is not visible to HijackThis and cannot be solved w/ CWShredder, as acknowledged by the author of CWShredder. The article has good pointers on about 30 CWS variants--save it to your computer for future reference.

 

I am trying to deal w/ it myself after months of frustration and am hoping for input after you all solve the problem, so we know this is really the solution, since you are talking about solutions a bit different from what I read in posts/replies to a user named "piman" yesterday. That article discussed dll.fix and prcview logs and I've posted them in my post under user jseville.

 

Jay


Wiskonst - Do you mean the "Target" or "Start In" field? I'm thinking this will not change anything for right-clicking Start and choosing "Explore," or simply using the Windows key + E hotkeys. Interestingly enough, each shortcut starts in its own directory. As for the Control Panel part, yeah, I did close the Control Panel prior to soft reboot or shutdown. Sounds like either XP is buggy or I need to reinstall it.

 

Jay - This is an experience that I will never forget for all of my life. If you're having to deal with SearchX, then this thread may provide you with an answer to how to remove it. I did not begin to truly purge it until it was exposed by FixDLL, for then Ad-Aware was able to remove the executable. Yes, the solutions in this post are quite different from anything that I've read in other posts related to CoolWebSearch. It's clear to me that I had a very stubborn variant.


Peach

 

If you're having to deal with SearchX, then this thread may provide you with an answer to how to remove it.

Let the honor go to Shadowwar, writer of dllfix, and Freeatlast, writer of the first part of it, Find All.

 

On Explorer:

I meant the Target field.

I presume you meant with 'starting directory' the folder that is opened when Explorer starts. You cannot change the Start>right-click>Explore shortcut but you can change any other Explorer shortcut in the Start menu or on the Desktop.

 

I have a small request: could you zip the files in the UnrealCW\backup folder and send them to me, along with the UnrealCW log? Use the e-mail address in my profile.

There is still an issue with a possible hijack of the XML-protocol, which I can find out with the backup files.

_______

Wiskonst

 


I would, but regardless which method I use to access information on your e-mail, I am always given an e-mail form, and it does not allow attachments. If you were seeing something pertaining to about:blank, it's possible that it's something that I set myself. My homepage is always about:blank.

 

EDIT:

 

Oh, yeah... I suppose that I did forget to credit the utility programmers. <G>

Edited by Peach


Peach

 

I will PM you an e-mail address to send the files to.

It is not something in the Hijack This log, but in the Find All log.

Probably all right, though.

 

Thank you in advance.

_______

Wiskonst


Peach

 

The XML protocol is all right. :)

 

_______

Wiskonst
