
CoolWebSearch - More Stubborn Than Usual


34 replies to this topic

#1 Peach

    Member

  • Full Member
  • 30 posts

Posted 05 June 2004 - 04:14 PM

Hello. This is my first visit to this forum. I would like to say that I have read the disclaimer for posting topics here and the other necessary preliminaries.

About May 30 (I believe), a variant of CoolWebSearch slipped into my system. I have done many things necessary to eliminate this malware, but the best I've managed to do is temporarily remove it for the day.

I have the most recent version of Ad-Aware, which I have used to eliminate all bad registry keys and values. I have also used the most recent version of CWShredder (updated today) to check for any new variants that may have rooted themselves. CWShredder has removed any bad DLL files which have been placed in my system32 directory. "CWS.Searchx" is the variant which usually is regenerated. Also, more recently, "CWS.Msconfig" has been surfacing, and I'm not sure why. I have used these programs properly, by going into Safe Mode and running them with no browsers open.

Now for some additional details about my CoolWebSearch trojan. Usually I am able to eliminate it for a day, but it usually comes back at specific times the next day. Typically these times are 9:34 AM, 10:34 AM, 11:37 AM, and 12:37 PM. There may be new times that I am unaware of. My Installed Programs (Add/Remove Programs) and Startup Items (config.sys) appear to be clean of this malware.

Does anyone know why my variant simply refuses to be eliminated for good? Also, I need to know whether it's absolutely necessary to download HijackThis to solve this problem... Any help would be appreciated.

My relevant system stats are: Windows XP Home, Internet Explorer 6.0, and the most recent security patches have been installed.

EDIT:

I have the latest version of HijackThis, and can provide a log when requested. I believe that I read somewhere that it's preferred that logs aren't given until asked... Maybe that was just for Ad-Aware and Spy-Bot...

Edited by Peach, 05 June 2004 - 08:37 PM.


#2 Peach

    Member

  • Full Member
  • 30 posts

Posted 06 June 2004 - 12:54 AM

Okay, since others seem to be posting their logs even before being asked, I'm thinking that I may have misinterpreted one of the policies back there. This is my log from HijackThis. It's large, so I'm posting this in a new reply (here). Some of them I already recognize as malware. I do not know everything that needs to be eliminated to be sure that my CWS doesn't return. Note that there are two running processes of SVCHOST. I don't really know why. Additionally, I see Windows Messenger there, set to run in the background. Can I also remove that value so that I don't see it appear again when I reboot? I actually had my messenger completely gone from my system tray for months... It just recently returned...

EDIT: This is now a newer log file, after I cleaned out as much as I could on my own (after today's revival of the spyware).

Logfile of HijackThis v1.97.7
Scan saved at 1:20:21 AM, on 6/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\htpatch.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\ICQ\NDetect.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE
C:\Program Files\ICQ\Icq.exe
C:\Spy-Bot\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = "C:\Program Files\Outlook Express\msimn.exe"
O2 - BHO: (no name) - {0385D2FC-BDF3-4BEF-BBD7-27214E757715} - C:\WINDOWS\System32\hfkko.dll (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {29446605-19B2-4F2B-AE4A-09C2E438812A} - C:\WINDOWS\System32\jehbcba.dll (file missing)
O2 - BHO: (no name) - {521D62DF-8E63-4563-A195-ACADCF9E8C82} - C:\WINDOWS\System32\nkfd.dll (file missing)
O2 - BHO: (no name) - {5DB0C86E-F4F8-46EA-ACB4-3AB9D132C34F} - C:\WINDOWS\System32\mmflia.dll (file missing)
O2 - BHO: (no name) - {9B84228D-B1F2-46D2-9596-B3C8B1C4E40B} - C:\WINDOWS\System32\agcccbe.dll (file missing)
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security Professional\UrlLstCk.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~2\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\NDetect.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MtdAcq] C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE /s
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.micr...0367/wmavax.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8013.9166898148
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8BBBF7BF-4503-494B-AE8B-53477EBB6B0E}: NameServer = 66.146.0.1,66.146.0.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{8BBBF7BF-4503-494B-AE8B-53477EBB6B0E}: NameServer = 66.146.0.1,66.146.0.2
O17 - HKLM\System\CS2\Services\Tcpip\..\{8BBBF7BF-4503-494B-AE8B-53477EBB6B0E}: NameServer = 66.146.0.1,66.146.0.2

Edited by Peach, 06 June 2004 - 03:33 AM.


#3 Peach

    Member

  • Full Member
  • 30 posts

Posted 06 June 2004 - 07:10 PM

I'm not sure on the policy for bumping topics, but it's been two days since my first post, and this message is pretty deep.

#4 Peach

    Member

  • Full Member
  • 30 posts

Posted 08 June 2004 - 04:26 AM

CRITICAL UPDATE! Please read carefully.

CWS is half dead now, but it's still somewhat there. I still need help in removing it completely. Recently, Casino Online, which may be associated with CWS, has invaded my system. The culprit file appears to be CSRemndr.exe, which I have already removed as much as I could without help, but it does like to return much like CWS, only it can fully activate itself without running a browser or even being present. It appears that I may need help removing this from my system as well. I do not know if it is related to CWS at all. What's really strange is that I never really had these kinds of problems in the past. I've been an IE user for over 8 years. I'm not exactly in the position to change the browser either, so perhaps I should patch some stuff up by switching VM Java to Sun Java. Additionally, ever since my CWS problem, I've been having virtual memory problems. I'm thinking that it may be related. No matter what I set the minimum paging at, I eventually receive a low virtual memory alert. My system has also been working a bit too hard on some simpler programs...

I am including an updated log file to aid in the removal of my adware trojans (and anything else that might be causing problems, like Windows Messenger). Any assistance from an experienced individual would be appreciated.

Logfile of HijackThis v1.97.7
Scan saved at 2:07:46 AM, on 6/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\htpatch.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ICQ\NDetect.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Spy-Bot\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = "C:\Program Files\Outlook Express\msimn.exe"
O2 - BHO: (no name) - {0385D2FC-BDF3-4BEF-BBD7-27214E757715} - C:\WINDOWS\System32\hfkko.dll (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {29446605-19B2-4F2B-AE4A-09C2E438812A} - C:\WINDOWS\System32\jehbcba.dll (file missing)
O2 - BHO: (no name) - {521D62DF-8E63-4563-A195-ACADCF9E8C82} - C:\WINDOWS\System32\nkfd.dll (file missing)
O2 - BHO: (no name) - {5DB0C86E-F4F8-46EA-ACB4-3AB9D132C34F} - C:\WINDOWS\System32\mmflia.dll (file missing)
O2 - BHO: (no name) - {9B84228D-B1F2-46D2-9596-B3C8B1C4E40B} - C:\WINDOWS\System32\agcccbe.dll (file missing)
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security Professional\UrlLstCk.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~2\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Remndr] "C:\Program Files\CasinoOnline\CsRemnd.exe"
O4 - HKCU\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\NDetect.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MtdAcq] C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE /s
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.micr...0367/wmavax.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8013.9166898148
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8BBBF7BF-4503-494B-AE8B-53477EBB6B0E}: NameServer = 66.146.0.1,66.146.0.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{8BBBF7BF-4503-494B-AE8B-53477EBB6B0E}: NameServer = 66.146.0.1,66.146.0.2
O17 - HKLM\System\CS2\Services\Tcpip\..\{8BBBF7BF-4503-494B-AE8B-53477EBB6B0E}: NameServer = 66.146.0.1,66.146.0.2
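The logs above are what the helpers in this thread triage by eye. As an added illustration (not part of the thread, and not a component of HijackThis or CWShredder), the following Python script applies the same first-pass checks mechanically: it parses O2 (BHO), O4 (Run key) and O17 (NameServer) lines, flags BHO registrations whose DLL is missing, Run values that launch a known indicator or a bare filename without a path, and resolvers that are not private addresses. The sample input is a handful of lines copied from the log above, assembled as a constructed fixture; the indicator list `KNOWN_BAD_BASENAMES` holds the two Casino Online filenames named in this thread and is an assumption to be extended per case, as are the severity labels.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed fixture: lines copied from the HijackThis log posted above.
# A real run would read the saved log file instead.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
O2 - BHO: (no name) - {0385D2FC-BDF3-4BEF-BBD7-27214E757715} - C:\WINDOWS\System32\hfkko.dll (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Remndr] "C:\Program Files\CasinoOnline\CsRemnd.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O17 - HKLM\System\CCS\Services\Tcpip\..\{8BBBF7BF-4503-494B-AE8B-53477EBB6B0E}: NameServer = 66.146.0.1,66.146.0.2
"""

# Assumed indicator list: the two Casino Online filenames named in this thread.
KNOWN_BAD_BASENAMES = {"csremnd.exe", "csremndr.exe"}

O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<entry>[^\]]+)\] (?P<cmd>.*)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[0-9., ]+)$")


@dataclass
class Finding:
    section: str   # HijackThis section: O2, O4 or O17
    severity: str  # high / medium / info (labels chosen for this example)
    subject: str   # CLSID, Run value name, or registry value name
    reason: str


def launched_program(cmd: str) -> str:
    """Return the program a Run value starts: the quoted path, or the first word."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end != -1 else cmd[1:]
    return cmd.split(" ", 1)[0]


def is_public_resolver(addr: str) -> bool:
    """True when addr is an IP address outside private, loopback and link-local ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return not (ip.is_private or ip.is_loopback or ip.is_link_local)


def triage(log_text: str, known_bad: set[str] = KNOWN_BAD_BASENAMES) -> list[Finding]:
    """Walk a HijackThis log and return the entries an analyst should look at first."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O2_RE.match(line):
            path = m["path"]
            if m["missing"]:
                # Registration survives although the DLL is gone: the file was deleted
                # but the BHO key was not, which is the pattern in the log above.
                findings.append(Finding("O2", "high", m["clsid"],
                                        f"BHO registered but DLL absent: {path}"))
            elif m["name"] == "(no name)" and "\\system32\\" in path.lower():
                findings.append(Finding("O2", "medium", m["clsid"],
                                        f"unnamed BHO loaded from System32: {path}"))
        elif m := O4_RE.match(line):
            prog = launched_program(m["cmd"])
            base = prog.rsplit("\\", 1)[-1].lower()
            if base in known_bad:
                findings.append(Finding("O4", "high", m["entry"],
                                        f"{m['hive']} Run value launches known indicator {base}"))
            elif "\\" not in prog:
                # No directory given: the binary is found via the search path, so the
                # log alone cannot say which copy actually runs.
                findings.append(Finding("O4", "info", m["entry"],
                                        f"bare filename {prog!r} resolved via search path"))
        elif m := O17_RE.match(line):
            servers = [s for s in m["servers"].replace(" ", "").split(",") if s]
            public = [s for s in servers if is_public_resolver(s)]
            if public:
                findings.append(Finding("O17", "info", "NameServer",
                                        f"resolvers {', '.join(public)} are public; confirm they are your ISP's"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section} {f.subject}: {f.reason}")
```

Run against the fixture, the script reports the orphaned hfkko.dll BHO, the Remndr Run value, the pathless nwiz.exe entry and the public resolvers, and stays silent on the Acrobat and Norton BHOs and the Messenger entry, which is the same split the thread arrives at by hand.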

#5 Peach

    Member

  • Full Member
  • 30 posts

Posted 09 June 2004 - 12:47 AM

A bump and another update...

After its being silent for a while, CWS returned with the bad dll and all. Interestingly enough, the bad dll was unknown to both Norton and CWShredder. I had to remove it manually. However, Ad-Aware terminated the bad registry entries associated. In addition, I took it into my own hands to use HijackThis to kill off hidden registry entries that I knew were bad, including the Casino Online one. However, I do not believe that my problem is solved. There must still be some bad files or registry entries listed in the above log which are reactivating CWS or Casino Online. Please be sure to read my above messages. I really am hoping to get these problems fixed before my college vacation is over...! Thanks.

EDIT:

I have always been suspicious of the nwiz.exe forced install as shown in my previous logs. Sure enough, XoftSpy detected it as a type of malware worm called Bat/Mumu-A (and I'm unable to remove it through XoftSpy because I do not have registration with them). Here's the strange part: the file appears to have been created and modified one year ago (before the life of this computer), and it was signed by the NVIDIA Corporation. I have an NVIDIA video card, by the way. I am confused by this file.

Edited by Peach, 09 June 2004 - 01:20 AM.


#6 Peach

    Member

  • Full Member
  • 30 posts

Posted 09 June 2004 - 03:33 PM

Executing 12-hour bump policy.

#7 Wiskonst

    Advanced Member

  • Helper
  • 152 posts

Posted 09 June 2004 - 04:13 PM

Peach

To check for hidden reinstallers or remnants download Find All and unzip it to a folder. Run Find_All.cmd by double-clicking on it. It will produce a text file. Post the text file here.
_______
Wiskonst

#8 Peach

    Member

  • Full Member
  • 30 posts

Posted 09 June 2004 - 04:33 PM

Thanks for getting back with me. This is the output log file from that program:



--==***@@@ 'FIND-ALL' »»*Original*»» VERSION *10 -6/08 @@@***==--

»»»»»»Find-All recent updates:»»»»»»
*Size of Windows key
*Winlogon\notify
*UserInit value
*Copy of 'hosts' file and *Loaded Modules (In \FilesList Subfolder)
*Versions of major keys and windows files
*list of active services and drivers (\'FilesList')
*Note:
If using 'Find-All' to clean, be sure to include the link to your
post in the forum!! (I keep recieving files I don't know where they came from...0-0...)
*Note: Reg backup restore will not work if current user
doesn't have 'Admin privileges'! (view »»Group/user section)


Wed Jun 09 14:32:15 2004 -- ++Results:
»»System Info:

Microsoft Windows XP [Version 5.1.2600]
'Find-All' is running from Drive:
C: "Peach's Hard Drive" (60D2:FBBB) - FS:NTFS clusters:4k
Total: 81 948 430 336 [76G] - Free: 66 166 288 384 [62G]


»»IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe
--a-- W32i APP ENU 6.0.2800.1106 shp 91,136 08-29-2002 iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q818529;Q330994;Q824145;Q832894;Q837009;Q831167;

»»Google:

»»UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


»»Wmplayer version:
8.0.0.4487 C:\Program Files\Windows Media Player\wmplayer.exe
--a-- W32i APP ENU 8.0.0.4487 shp 520,192 08-29-2002 wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe
--a-- W32i APP ENU 6.4.9.1125 shp 4,639 08-29-2002 mplayer2.exe

»»M$Java version:
5.0.3810.0 C:\WINDOWS\System32\msjava.dll
--a-- W32i DLL ENU 5.0.3810.0 shp 947,472 02-28-2003 msjava.dll

»»NotePad(s) version(s):
5.1.2600.0 C:\WINDOWS\notepad.exe
--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-29-2002 notepad.exe
5.1.2600.0 C:\WINDOWS\System32\notepad.exe
--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-29-2002 notepad.exe

»» Regedit* version(s):
5.1.2600.1106 C:\WINDOWS\regedit.exe
--a-- W32i APP ENU 5.1.2600.1106 shp 134,144 08-29-2002 regedit.exe
5.1.2600.0 C:\WINDOWS\System32\regedt32.exe
--a-- W32i APP ENU 5.1.2600.0 shp 3,584 08-29-2002 regedt32.exe


»»PC uptime:
2:32pm up 0 days, 1:06

»»Locked or 'Suspect' file(s) found...
\\?\C:\WINDOWS\System32\SQL.DLL +++ File read error
\\?\C:\WINDOWS\System32\SQL.DLL +++ File read error


»»Tasks (services):
0 System Process
4 System
412 smss.exe
532 csrss.exe Title:
556 winlogon.exe Title: NetDDE Agent
636 services.exe Svcs: Eventlog,PlugPlay
648 lsass.exe Svcs: PolicyAgent,ProtectedStorage,SamSs
852 svchost.exe Svcs: RpcSs
912 svchost.exe Svcs: AudioSrv,Browser,CryptSvc,Dhcp,ERSvc,EventSystem,FastUserSwitchingCompatibility,
elpsvc,lanmanserver,lanmanworkstation,Netman,Nla,RasMan,Schedule,seclogon,SENS,S
ellHWDetection,srservice,TapiSrv,TermService,Themes,TrkWks,uploadmgr,W32Time,win
gmt,WmdmPmSp
1012 svchost.exe Svcs: Dnscache
1080 svchost.exe Svcs: LmHosts,SSDPSRV,WebClient
1532 ccSetMgr.exe Svcs: ccSetMgr
1540 explorer.exe Title: Program Manager
1588 ccEvtMgr.exe Svcs: ccEvtMgr
1812 LEXBCES.EXE Svcs: LexBceS
1844 htpatch.exe Title: test2
1920 spoolsv.exe Svcs: Spooler
1996 CTSysVol.exe Title: Creative Volume Control
2032 LEXPPS.EXE Title:
2036 CTHELPER.EXE Title: CtHelper - Apollo
172 CTDVDDET.exe Title: CTDVDDET
256 ccApp.exe Title:
1048 NDetect.exe Title: ICQ Agent
1224 CCPROXY.EXE Svcs: ccProxy
1236 MtdAcq.exe Title: ReFfInS
1364 CTSVCCDA.EXE Svcs: Creative Service for CDROM Access
1500 NAVAPSVC.EXE Svcs: navapsvc
1240 NPROTECT.EXE Svcs: NProtectService
1940 nvsvc32.exe Svcs: NVSvc
496 pctspk.exe Svcs: Pctspk
676 SAVScan.exe Svcs: SAVScan
1452 symlcsvc.exe Svcs: Symantec Core LC
1860 MsPMSPSv.exe Svcs: WMDM PMSP Service
356 SNDSrvc.exe Svcs: SNDSrvc
2420 IEXPLORE.EXE Title: SWI Forums -> CoolWebSearch - More Stubborn Than Usual - Microsoft Internet Explorer
3176 cmd.exe Title: C:\WINDOWS\System32\cmd.exe
3380 ntvdm.exe
3372 msmsgs.exe Title:
3452 tlist.exe
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9ECB9560-04F9-4bbc-943D-298DDF1699E1}]
@="Web assistant"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
@="NAV Helper"

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/xml]
"CLSID"="{807553E5-5146-11D5-A672-00B0D022E945}"

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM




»»Size of 'Windows' key: (Default-450;No'AppInit'-398;*Fake-~448+!)
Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows\SYS:Microsoft\Windows NT\CurrentVersion\Windows : AppInit_DLLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ : AppInit_DLLs

»»Winlogon\notify:

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
Size of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify: 5016

»»UserInit value:

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit REG_SZ C:\WINDOWS\system32\userinit.exe,

5.1.2600.1106 C:\WINDOWS\System32\userinit.exe
--a-- W32i APP ENU 5.1.2600.1106 shp 22,016 08-29-2002 userinit.exe

»»Group/user settings:


User: [PEACHTOADSTOOL\Peach], is a member of:

BUILTIN\Administrators
\Everyone
PEACHTOADSTOOL\None

User is a member of group PEACHTOADSTOOL\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.

»»ACLs list:
C:\junkxxx BUILTIN\Administrators:(OI)(CI)F
NT AUTHORITY\SYSTEM:(OI)(CI)F
PEACHTOADSTOOL\Peach:F
CREATOR OWNER:(OI)(CI)(IO)F
BUILTIN\Users:(OI)(CI)R
BUILTIN\Users:(CI)(special access:)

FILE_APPEND_DATA

BUILTIN\Users:(CI)(special access:)

FILE_WRITE_DATA


ERROR: There are no more files.


»»File(s) in 'junkxxx' folder:

»»Md5sums

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+
Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/


0 bytes, 0 ms = 0.00 MB/sec

»»hosts file:
File not found - C:\WINDOWS\System32\Drivers\etc\hosts
------
»»Rehash:

»Strings found:

Wed Jun 09 14:32:49 2004 -- ++Find-All backups:
A C:\FindallwinBackup.hiv
--a-- - - - - - 8,192 06-09-2004 findallwinbackup.hiv
A C:\findallappinit.reg
--a-- - - - - - 632 06-09-2004 findallappinit.reg
A C:\Spy-Bot\Find-All\winBackup.hiv
A C:\Spy-Bot\Find-All\Fileslist\drivers.txt
A C:\Spy-Bot\Find-All\Fileslist\modules.txt
A C:\Spy-Bot\Find-All\Fileslist\services.txt
A C:\Spy-Bot\Find-All\Fileslist\windows.txt

***Next Registry run should open this key directly:

! REG.EXE VERSION 2.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows



#9 Wiskonst

    Advanced Member

  • Helper
  • 152 posts

Posted 09 June 2004 - 06:28 PM

Peach

Lock the BHO keys as follows:

Go to Start > Run and type 'regedt32' (without quotes).
Select window 'HKEY_LOCAL_MACHINE'.
In the left pane browse to Software > Microsoft > Windows > CurrentVersion > Explorer by double-clicking on these items consecutively.
In Explorer select 'Browser Helper Objects'.
In menu Security choose Edit Permissions. A dialog appears.
The upper list pane must be empty. If it is not, select the lines one by one and click the Remove button at the right until the pane is empty.
Then click the Advanced button below. A second panel appears.
Here uncheck 'Inherit from parents the permissions ...' and click OK.
In the main dialog also uncheck 'Inherit from parents ...' and click OK.
Close Regedt32.

Then remove the central DLL as follows:

Download UnrealCW and unzip it to a folder.
Start UnrealCW.exe. In the box under 'DLL name' type 'SQL.DLL' (without quotes).
Click button Delete. A message should appear reading 'Pending removal ...\SQL.DLL'.
Now press the reset button on the computer case, thereby rebooting and skipping the Windows shutdown procedure.
Upon reboot let Scandisk finish.
When back in Windows please run Find_All.cmd again and post the result.

BTW nwiz.exe is legitimate (nVidia).
_______
Wiskonst

#10 Peach

    Member

  • Full Member
  • 30 posts

Posted 09 June 2004 - 06:49 PM

Wait... Let me be sure that I understand this correctly... Currently I have a window titled "Permissions for Browser Helper Objects" which contains the following in the upper pane:

Administrators (PEACHTOADSTOOL\Administrators)
CREATOR OWNER
(some odd non-binary code)
SYSTEM
Users (PEACHTOADSTOOL\Users)

You're wanting me to eliminate all of these? These appear like critical components, but I'll do it if you verify that it's what you're suggesting should be expunged.

Additionally, the button on my tower is a shut-down button, which initiates the shut down sequence for Windows. I have to actually hold it down to skip the process and have a near-immediate power off. Also, ScanDisk (namely CheckDisk, since this is XP Home) will not run unless I set it up to.

Finally, why would nwiz.exe have to install every boot...?

#11 Wiskonst

    Advanced Member

  • Helper
  • 152 posts

Posted 10 June 2004 - 07:20 AM

Peach

The disabling of the holders of rights on the BHO keys is necessary to stop CoolWebSearch from spreading further and changing the name of its central DLL.
Disable them only on the BHO keys though.
We will restore the rights when CoolWebSearch is removed.

If your PC does not have a reset button, then use the shutdown button in such a way that the Windows shutdown procedure is skipped. The reason is this: UnrealCW adds a program to the Windows boot procedure that will delete the central DLL of CoolWebSearch. Some variants of CWS however might remove the deletion program again during the Windows shutdown procedure. Hence the hard reboot.
The run of Checkdisk is not necessary.

You may be right on nwiz.exe; it is not necessary to start it every boot.
You can fix the line in HijackThis.
_______
Wiskonst

#12 Peach

    Member

  • Full Member
  • 30 posts

Posted 10 June 2004 - 01:52 PM

I have done what you said, and I now have a new log from Find-All.

By the way, Windows Messenger resurfaced (because I did a force shutdown without unchecking the startup item), and some program is using it again, making it so that I cannot close it (I really hate that...there's no need for any program of mine to be using it).

I really hope that the removal of this malware will also fix my virtual memory problem... It's an issue that has arisen only recently...

--==***@@@ 'FIND-ALL' »»*Original*»» VERSION *10 -6/08 @@@***==--

»»»»»»Find-All recent updates:»»»»»»
*Size of Windows key
*Winlogon\notify
*UserInit value
*Copy of 'hosts' file and *Loaded Modules (In \FilesList Subfolder)
*Versions of major keys and windows files
*list of active services and drivers (\'FilesList')
*Note:
If using 'Find-All' to clean, be sure to include the link to your
post in the forum!! (I keep recieving files I don't know where they came from...0-0...)
*Note: Reg backup restore will not work if current user
doesn't have 'Admin privileges'! (view »»Group/user section)


Thu Jun 10 11:46:18 2004 -- ++Results:
»»System Info:

Microsoft Windows XP [Version 5.1.2600]
'Find-All' is running from Drive:
C: "Peach's Hard Drive" (60D2:FBBB) - FS:NTFS clusters:4k
Total: 81 948 430 336 [76G] - Free: 66 071 334 912 [62G]


»»IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe
--a-- W32i APP ENU 6.0.2800.1106 shp 91,136 08-29-2002 iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q818529;Q330994;Q824145;Q832894;Q837009;Q831167;

»»Google:

»»UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


»»Wmplayer version:
8.0.0.4487 C:\Program Files\Windows Media Player\wmplayer.exe
--a-- W32i APP ENU 8.0.0.4487 shp 520,192 08-29-2002 wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe
--a-- W32i APP ENU 6.4.9.1125 shp 4,639 08-29-2002 mplayer2.exe

»»M$Java version:
5.0.3810.0 C:\WINDOWS\System32\msjava.dll
--a-- W32i DLL ENU 5.0.3810.0 shp 947,472 02-28-2003 msjava.dll

»»NotePad(s) version(s):
5.1.2600.0 C:\WINDOWS\notepad.exe
--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-29-2002 notepad.exe
5.1.2600.0 C:\WINDOWS\System32\notepad.exe
--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-29-2002 notepad.exe

»» Regedit* version(s):
5.1.2600.1106 C:\WINDOWS\regedit.exe
--a-- W32i APP ENU 5.1.2600.1106 shp 134,144 08-29-2002 regedit.exe
5.1.2600.0 C:\WINDOWS\System32\regedt32.exe
--a-- W32i APP ENU 5.1.2600.0 shp 3,584 08-29-2002 regedt32.exe


»»PC uptime:
11:46am up 0 days, 0:10

»»Locked or 'Suspect' file(s) found...
\\?\C:\WINDOWS\System32\SQL.DLL +++ File read error
\\?\C:\WINDOWS\System32\SQL.DLL +++ File read error


»»Tasks (services):
0 System Process
4 System
476 smss.exe
560 csrss.exe Title:
588 winlogon.exe Title: NetDDE Agent
672 services.exe Svcs: Eventlog,PlugPlay
684 lsass.exe Svcs: PolicyAgent,ProtectedStorage,SamSs
896 svchost.exe Svcs: RpcSs
1156 svchost.exe Svcs: AudioSrv,Browser,CryptSvc,Dhcp,ERSvc,EventSystem,FastUserSwitchingCompatibility,
elpsvc,lanmanserver,lanmanworkstation,Netman,Nla,RasMan,Schedule,seclogon,SENS,S
ellHWDetection,srservice,TapiSrv,TermService,Themes,TrkWks,uploadmgr,W32Time,win
gmt,WmdmPmSp
1300 svchost.exe Svcs: Dnscache
1312 svchost.exe Svcs: LmHosts,SSDPSRV,WebClient
1576 ccSetMgr.exe Svcs: ccSetMgr
1596 explorer.exe Title: Program Manager
1624 ccEvtMgr.exe Svcs: ccEvtMgr
1864 LEXBCES.EXE Svcs: LexBceS
1912 spoolsv.exe Svcs: Spooler
1948 LEXPPS.EXE Title:
200 htpatch.exe Title: test2
236 CTSysVol.exe Title: Creative Volume Control
252 CTHELPER.EXE Title: CtHelper - Apollo
248 CTDVDDET.exe Title: CTDVDDET
520 ccApp.exe Title:
716 NDetect.exe Title: ICQ Agent
1136 CCPROXY.EXE Svcs: ccProxy
1144 MtdAcq.exe Title: ReFfInS
1280 CTSVCCDA.EXE Svcs: Creative Service for CDROM Access
1508 msmsgs.exe Title:
1436 NAVAPSVC.EXE Svcs: navapsvc
1668 NPROTECT.EXE Svcs: NProtectService
548 nvsvc32.exe Svcs: NVSvc
696 pctspk.exe Svcs: Pctspk
712 SAVScan.exe Svcs: SAVScan
540 symlcsvc.exe Svcs: Symantec Core LC
1488 MsPMSPSv.exe Svcs: WMDM PMSP Service
1288 SNDSrvc.exe Svcs: SNDSrvc
2500 cmd.exe Title: C:\WINDOWS\System32\cmd.exe
2892 ntvdm.exe
2768 tlist.exe
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/xml]
"CLSID"="{807553E5-5146-11D5-A672-00B0D022E945}"

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM




»»Size of 'Windows' key: (Default-450;No'AppInit'-398;*Fake-~448+!)
Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows\SYS:Microsoft\Windows NT\CurrentVersion\Windows : AppInit_DLLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ : AppInit_DLLs

»»Winlogon\notify:

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
Size of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify: 5016

»»UserInit value:

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit REG_SZ C:\WINDOWS\system32\userinit.exe,

5.1.2600.1106 C:\WINDOWS\System32\userinit.exe
--a-- W32i APP ENU 5.1.2600.1106 shp 22,016 08-29-2002 userinit.exe

»»Group/user settings:


User: [PEACHTOADSTOOL\Peach], is a member of:

BUILTIN\Administrators
\Everyone
PEACHTOADSTOOL\None

User is a member of group PEACHTOADSTOOL\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.

»»ACLs list:
C:\junkxxx BUILTIN\Administrators:(OI)(CI)F
NT AUTHORITY\SYSTEM:(OI)(CI)F
PEACHTOADSTOOL\Peach:F
CREATOR OWNER:(OI)(CI)(IO)F
BUILTIN\Users:(OI)(CI)R
BUILTIN\Users:(CI)(special access:)

FILE_APPEND_DATA

BUILTIN\Users:(CI)(special access:)

FILE_WRITE_DATA


ERROR: There are no more files.


»»File(s) in 'junkxxx' folder:

»»Md5sums

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+
Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/


0 bytes, 0 ms = 0.00 MB/sec

»»hosts file:
File not found - C:\WINDOWS\System32\Drivers\etc\hosts
------
»»Rehash:

»Strings found:

Thu Jun 10 11:46:42 2004 -- ++Find-All backups:
A C:\FindallwinBackup.hiv
--a-- - - - - - 8,192 06-09-2004 findallwinbackup.hiv
A C:\findallappinit.reg
--a-- - - - - - 632 06-09-2004 findallappinit.reg
A C:\Spy-Bot\Find-All\winBackup.hiv
A C:\Spy-Bot\Find-All\Fileslist\drivers.txt
A C:\Spy-Bot\Find-All\Fileslist\modules.txt
A C:\Spy-Bot\Find-All\Fileslist\services.txt
A C:\Spy-Bot\Find-All\Fileslist\windows.txt

***Next Registry run should open this key directly:

! REG.EXE VERSION 2.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows



#13 Peach

Peach

    Member

  • Full Member
  • Pip
  • 30 posts

Posted 10 June 2004 - 05:22 PM

By the way, I think that I have a new variant of CWS mixed in with the SearchX. A bad dll file was generated today that was unrecognized by CWShredder. I have the latest update from CWShredder too (unless a new one was released today)...

#14 Wiskonst

Wiskonst

    Advanced Member

  • Helper
  • PipPipPip
  • 152 posts

Posted 11 June 2004 - 04:42 AM

Peach

The removal of the DLL did not succeed.
We should remove the registry entries first.

Again run UnrealCW and type in the box 'SQL.DLL'.
Now click button CLSIDs and wait till the middle button reads 'Ready'.
In the folder of UnrealCW find the file 'delSQL.d.reg'. Close all browser windows, double-click on it and confirm the registry merge. Then, with the text 'SQL.DLL' still in the box, click the Delete button.
Again I must ask you to do a hard reboot and to post the result of Find_All.cmd.

You can uninstall the MSN Messenger from Control Panel > Add/Remove Programs.
As for your virtual memory: have you tried setting the maximum value (at 2 to 4 times RAM)?
_______
Wiskonst

#15 Peach

Peach

    Member

  • Full Member
  • Pip
  • 30 posts

Posted 11 June 2004 - 01:22 PM

Okay, I followed your procedure exactly...

By the way: yes, my minimum virtual memory is set at double actual RAM and my maximum is set at quadruple actual RAM. Virtual memory was not a problem in the past... Oh, and it's Windows Messenger that has recently resurfaced, not MSN Messenger, so there is no entry in Add/Remove Programs for it.

--==***@@@ 'FIND-ALL' »»*Original*»» VERSION *10 -6/08 @@@***==--

»»»»»»Find-All recent updates:»»»»»»
*Size of Windows key
*Winlogon\notify
*UserInit value
*Copy of 'hosts' file and *Loaded Modules (In \FilesList Subfolder)
*Versions of major keys and windows files
*list of active services and drivers (\'FilesList')
*Note:
If using 'Find-All' to clean, be sure to include the link to your
post in the forum!! (I keep recieving files I don't know where they came from...0-0...)
*Note: Reg backup restore will not work if current user
doesn't have 'Admin privileges'! (view »»Group/user section)


Fri Jun 11 10:51:56 2004 -- ++Results:
»»System Info:

Microsoft Windows XP [Version 5.1.2600]
'Find-All' is running from Drive:
C: "Peach's Hard Drive" (60D2:FBBB) - FS:NTFS clusters:4k
Total: 81 948 430 336 [76G] - Free: 66 064 211 968 [62G]


»»IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe
--a-- W32i APP ENU 6.0.2800.1106 shp 91,136 08-29-2002 iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q818529;Q330994;Q824145;Q832894;Q837009;Q831167;

»»Google:

»»UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


»»Wmplayer version:
8.0.0.4487 C:\Program Files\Windows Media Player\wmplayer.exe
--a-- W32i APP ENU 8.0.0.4487 shp 520,192 08-29-2002 wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe
--a-- W32i APP ENU 6.4.9.1125 shp 4,639 08-29-2002 mplayer2.exe

»»M$Java version:
5.0.3810.0 C:\WINDOWS\System32\msjava.dll
--a-- W32i DLL ENU 5.0.3810.0 shp 947,472 02-28-2003 msjava.dll

»»NotePad(s) version(s):
5.1.2600.0 C:\WINDOWS\notepad.exe
--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-29-2002 notepad.exe
5.1.2600.0 C:\WINDOWS\System32\notepad.exe
--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-29-2002 notepad.exe

»» Regedit* version(s):
5.1.2600.1106 C:\WINDOWS\regedit.exe
--a-- W32i APP ENU 5.1.2600.1106 shp 134,144 08-29-2002 regedit.exe
5.1.2600.0 C:\WINDOWS\System32\regedt32.exe
--a-- W32i APP ENU 5.1.2600.0 shp 3,584 08-29-2002 regedt32.exe


»»PC uptime:
10:51am up 0 days, 0:07

»»Locked or 'Suspect' file(s) found...
\\?\C:\WINDOWS\System32\SQL.DLL +++ File read error
\\?\C:\WINDOWS\System32\SQL.DLL +++ File read error


»»Tasks (services):
0 System Process
4 System
416 smss.exe
464 csrss.exe Title:
496 winlogon.exe Title: NetDDE Agent
544 services.exe Svcs: Eventlog,PlugPlay
556 lsass.exe Svcs: PolicyAgent,ProtectedStorage,SamSs
744 svchost.exe Svcs: RpcSs
792 svchost.exe Svcs: AudioSrv,Browser,CryptSvc,Dhcp,ERSvc,EventSystem,FastUserSwitchingCompatibility,
elpsvc,lanmanserver,lanmanworkstation,Netman,Nla,Schedule,seclogon,SENS,ShellHWD
tection,srservice,TermService,Themes,TrkWks,uploadmgr,W32Time,winmgmt,WmdmPmSp,w
auserv,WZCSV
896 svchost.exe Svcs: Dnscache
908 svchost.exe Svcs: LmHosts,WebClient
1108 ccSetMgr.exe Svcs: ccSetMgr
1132 explorer.exe Title: Program Manager
1152 ccEvtMgr.exe Svcs: ccEvtMgr
1356 LEXBCES.EXE Svcs: LexBceS
1420 spoolsv.exe Svcs: Spooler
1428 LEXPPS.EXE Title:
1636 CCPROXY.EXE Svcs: ccProxy
1660 htpatch.exe Title: test2
1716 CTSysVol.exe Title: Creative Volume Control
1736 CTHELPER.EXE Title: CtSpkHlp
1744 CTDVDDET.exe Title: CTDVDDET
1776 CTSVCCDA.EXE Svcs: Creative Service for CDROM Access
1844 ccApp.exe Title:
1956 NAVAPSVC.EXE Svcs: navapsvc
2024 NDetect.exe Title: ICQ Agent
236 MtdAcq.exe Title: ReFfInS
244 NPROTECT.EXE Svcs: NProtectService
476 nvsvc32.exe Svcs: NVSvc
620 pctspk.exe Svcs: Pctspk
1044 SAVScan.exe Svcs: SAVScan
1388 symlcsvc.exe Svcs: Symantec Core LC
1724 MsPMSPSv.exe Svcs: WMDM PMSP Service
3136 cmd.exe Title: C:\WINDOWS\System32\cmd.exe
3256 ntvdm.exe
3532 msmsgs.exe Title:
3664 tlist.exe
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/xml]
"CLSID"="{807553E5-5146-11D5-A672-00B0D022E945}"

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM




»»Size of 'Windows' key: (Default-450;No'AppInit'-398;*Fake-~448+!)
Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows\SYS:Microsoft\Windows NT\CurrentVersion\Windows : AppInit_DLLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ : AppInit_DLLs

»»Winlogon\notify:

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
Size of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify: 5016

»»UserInit value:

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit REG_SZ C:\WINDOWS\system32\userinit.exe,

5.1.2600.1106 C:\WINDOWS\System32\userinit.exe
--a-- W32i APP ENU 5.1.2600.1106 shp 22,016 08-29-2002 userinit.exe

»»Group/user settings:


User: [PEACHTOADSTOOL\Peach], is a member of:

BUILTIN\Administrators
\Everyone
PEACHTOADSTOOL\None

User is a member of group PEACHTOADSTOOL\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.

»»ACLs list:
C:\junkxxx BUILTIN\Administrators:(OI)(CI)F
NT AUTHORITY\SYSTEM:(OI)(CI)F
PEACHTOADSTOOL\Peach:F
CREATOR OWNER:(OI)(CI)(IO)F
BUILTIN\Users:(OI)(CI)R
BUILTIN\Users:(CI)(special access:)

FILE_APPEND_DATA

BUILTIN\Users:(CI)(special access:)

FILE_WRITE_DATA


ERROR: There are no more files.


»»File(s) in 'junkxxx' folder:

»»Md5sums

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+
Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/


0 bytes, 0 ms = 0.00 MB/sec

»»hosts file:
File not found - C:\WINDOWS\System32\Drivers\etc\hosts
------
»»Rehash:

»Strings found:

Fri Jun 11 10:52:13 2004 -- ++Find-All backups:
A C:\FindallwinBackup.hiv
--a-- - - - - - 8,192 06-09-2004 findallwinbackup.hiv
A C:\findallappinit.reg
--a-- - - - - - 632 06-09-2004 findallappinit.reg
A C:\Spy-Bot\Find-All\winBackup.hiv
A C:\Spy-Bot\Find-All\Fileslist\drivers.txt
A C:\Spy-Bot\Find-All\Fileslist\modules.txt
A C:\Spy-Bot\Find-All\Fileslist\services.txt
A C:\Spy-Bot\Find-All\Fileslist\windows.txt

***Next Registry run should open this key directly:

! REG.EXE VERSION 2.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows



#16 Peach

Peach

    Member

  • Full Member
  • Pip
  • 30 posts

Posted 12 June 2004 - 01:53 AM

Hope I didn't lose you there, Wiskonst. This topic has been silent all day. <G>

#17 Wiskonst

Wiskonst

    Advanced Member

  • Helper
  • PipPipPip
  • 152 posts

Posted 12 June 2004 - 04:04 AM

Peach

Sorry to reply late. Have been busy.

The deletion of the DLL still has not succeeded.

Download dllfix and unzip it to a folder (the file is a self-unzipper).
Run Start.bat by double-clicking.
Choose option 2 (Run Fix).
Then choose option 1 (Enter DLL name manually).
You will see the sentence: 'Enter full name and hit Enter C:\Windows\System32\'
At the end of the sentence at the red cursor type 'SQL.DLL' (without quotes) and hit the Enter key.
You will see a message 'Restart in 14 seconds'. Let the reboot go on.
During reboot you will see a DOS window. Folder C:\Windows\System32 is scanned in two passes.

After completion of the boot please post a new Find_All result plus the log.txt you find in the dllfix folder.

To disable Windows Messenger Service look here.
The virtual memory problems may have to do with CWS.
_______
Wiskonst

Edited by Wiskonst, 12 June 2004 - 04:08 AM.


#18 Peach

Peach

    Member

  • Full Member
  • Pip
  • 30 posts

Posted 12 June 2004 - 05:22 AM

This is the log file from DLL Fix. I'll post the Find-All log in a separate post.

As for the Windows Messenger thread, I actually saw that thread a while back. I was seeing it as related to the "Messenger" from the administrative services, which I disabled long ago. According to the thread, Windows Messenger is the same as MSN Messenger. Interesting. Well, this one came with XP Home. I'll read into the thread a little deeper at a later time...

CWSDLL/Searchx Appinit Fix By Shadowwar
Version 3.01 060504
Please Do not mirror Without Permission!
I can be contacted at spywaresubmit at aol.com
Sat 06/12/2004
02:58 AM

Backing up Registry Hive

The operation completed successfully

Deleting Windows Key

The operation completed successfully

Adding Test Windows Key

The operation completed successfully

Restoring temp Values Key

The operation completed successfully

Deleting Bad Appinit Value

The operation completed successfully


Backup of Modified Hiv

The operation completed successfully

Deleting test Windows key

The operation completed successfully

Deleting Filter text
Running from C:\Spy-Bot\dllfix
Scanning for Locked File
If this repeats 4 times than you may have another
Locked File not related to About:blank Hijack
Unlocking Locked File

C:\WINDOWS\System32\SQL.DLL
Scanning For main hijacker.
Processing File Manually
C:\WINDOWS\system32\SQL.DLL
Md5 Check of C:\WINDOWS\system32\SQL.DLL

Md5 tested As C185B36F9969D3A6D2122BA7CBC02249
Md5 matched known baddies.
Processing and Deleting File.
Processing ACL of: <\\?\C:\WINDOWS\system32\SQL.DLL>

SetACL finished successfully.

File was successfully Deleted.
Please Run Hijackthis or Cwshredder to finish cleanup.


Adding Back Windows Key

The operation completed successfully

Restoring Registry Hive

The operation completed successfully


Restoring Cleaned Appinit Value

The operation completed successfully

#19 Peach

Peach

    Member

  • Full Member
  • Pip
  • 30 posts

Posted 12 June 2004 - 05:30 AM

I believe that the same problem has occurred. Find-All can't seem to find SQL.DLL. Quite frankly, neither can I. However, the FixDLL log looked pretty good. However, I didn't run CWShredder nor HijackThis afterward. Should I have? (I use it a lot, actually, to keep the CWS at bay.)

--==***@@@ 'FIND-ALL' »»*Original*»» VERSION *10 -6/08 @@@***==--

»»»»»»Find-All recent updates:»»»»»»
*Size of Windows key
*Winlogon\notify
*UserInit value
*Copy of 'hosts' file and *Loaded Modules (In \FilesList Subfolder)
*Versions of major keys and windows files
*list of active services and drivers (\'FilesList')
*Note:
If using 'Find-All' to clean, be sure to include the link to your
post in the forum!! (I keep recieving files I don't know where they came from...0-0...)
*Note: Reg backup restore will not work if current user
doesn't have 'Admin privileges'! (view »»Group/user section)


Sat Jun 12 03:25:45 2004 -- ++Results:
»»System Info:

Microsoft Windows XP [Version 5.1.2600]
'Find-All' is running from Drive:
C: "Peach's Hard Drive" (60D2:FBBB) - FS:NTFS clusters:4k
Total: 81 948 430 336 [76G] - Free: 66 037 559 296 [62G]


»»IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe
--a-- W32i APP ENU 6.0.2800.1106 shp 91,136 08-29-2002 iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q818529;Q330994;Q824145;Q832894;Q837009;Q831167;

»»Google:

»»UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


»»Wmplayer version:
8.0.0.4487 C:\Program Files\Windows Media Player\wmplayer.exe
--a-- W32i APP ENU 8.0.0.4487 shp 520,192 08-29-2002 wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe
--a-- W32i APP ENU 6.4.9.1125 shp 4,639 08-29-2002 mplayer2.exe

»»M$Java version:
5.0.3810.0 C:\WINDOWS\System32\msjava.dll
--a-- W32i DLL ENU 5.0.3810.0 shp 947,472 02-28-2003 msjava.dll

»»NotePad(s) version(s):
5.1.2600.0 C:\WINDOWS\notepad.exe
--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-29-2002 notepad.exe
5.1.2600.0 C:\WINDOWS\System32\notepad.exe
--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-29-2002 notepad.exe

»» Regedit* version(s):
5.1.2600.1106 C:\WINDOWS\regedit.exe
--a-- W32i APP ENU 5.1.2600.1106 shp 134,144 08-29-2002 regedit.exe
5.1.2600.0 C:\WINDOWS\System32\regedt32.exe
--a-- W32i APP ENU 5.1.2600.0 shp 3,584 08-29-2002 regedt32.exe


»»PC uptime:
3:25am up 0 days, 0:22

»»Locked or 'Suspect' file(s) found...


»»Tasks (services):
0 System Process
4 System
420 smss.exe
468 csrss.exe Title:
492 winlogon.exe Title: NetDDE Agent
536 services.exe Svcs: Eventlog,PlugPlay
548 lsass.exe Svcs: PolicyAgent,ProtectedStorage,SamSs
712 svchost.exe Svcs: RpcSs
760 svchost.exe Svcs: AudioSrv,Browser,CryptSvc,Dhcp,ERSvc,EventSystem,FastUserSwitchingCompatibility,
elpsvc,lanmanserver,lanmanworkstation,Netman,Nla,RasMan,Schedule,seclogon,SENS,S
ellHWDetection,srservice,TapiSrv,TermService,Themes,TrkWks,uploadmgr,W32Time,win
gmt,WmdmPmSp
872 svchost.exe Svcs: Dnscache
896 svchost.exe Svcs: LmHosts,SSDPSRV,WebClient
1012 ccSetMgr.exe Svcs: ccSetMgr
1072 explorer.exe Title: Program Manager
1112 ccEvtMgr.exe Svcs: ccEvtMgr
1272 LEXBCES.EXE Svcs: LexBceS
1300 spoolsv.exe Svcs: Spooler
1344 LEXPPS.EXE Title:
1444 CCPROXY.EXE Svcs: ccProxy
1472 CTSVCCDA.EXE Svcs: Creative Service for CDROM Access
1504 NAVAPSVC.EXE Svcs: navapsvc
1564 NPROTECT.EXE Svcs: NProtectService
1592 nvsvc32.exe Svcs: NVSvc
1604 pctspk.exe Svcs: Pctspk
1740 SAVScan.exe Svcs: SAVScan
1804 symlcsvc.exe Svcs: Symantec Core LC
1836 MsPMSPSv.exe Svcs: WMDM PMSP Service
1192 htpatch.exe Title: test2
864 CTSysVol.exe Title: Creative Volume Control
916 CTHELPER.EXE Title: CtHelper - Apollo
840 CTDVDDET.exe Title: CTDVDDET
912 ccApp.exe Title:
1792 NDetect.exe Title: ICQ Agent
1948 MtdAcq.exe Title: ReFfInS
2824 SNDSrvc.exe Svcs: SNDSrvc
3160 IEXPLORE.EXE Title: SWI Forums -> CoolWebSearch - More Stubborn Than Usual - Microsoft Internet Explorer
2164 cmd.exe Title: C:\WINDOWS\System32\cmd.exe
2768 ntvdm.exe
2584 msmsgs.exe Title:
756 tlist.exe
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"Appinit_Dlls"=""

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/xml]
"CLSID"="{807553E5-5146-11D5-A672-00B0D022E945}"

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM




»»Size of 'Windows' key: (Default-450;No'AppInit'-398;*Fake-~448+!)
Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows\SYS:Microsoft\Windows NT\CurrentVersion\Windows : AppInit_DLLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ : Appinit_Dlls

»»Winlogon\notify:

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
Size of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify: 5016

»»UserInit value:

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit REG_SZ C:\WINDOWS\system32\userinit.exe,

5.1.2600.1106 C:\WINDOWS\System32\userinit.exe
--a-- W32i APP ENU 5.1.2600.1106 shp 22,016 08-29-2002 userinit.exe

»»Group/user settings:


User: [PEACHTOADSTOOL\Peach], is a member of:

BUILTIN\Administrators
\Everyone
PEACHTOADSTOOL\None

User is a member of group PEACHTOADSTOOL\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.

»»ACLs list:
C:\junkxxx BUILTIN\Administrators:(OI)(CI)F
NT AUTHORITY\SYSTEM:(OI)(CI)F
PEACHTOADSTOOL\Peach:F
CREATOR OWNER:(OI)(CI)(IO)F
BUILTIN\Users:(OI)(CI)R
BUILTIN\Users:(CI)(special access:)

FILE_APPEND_DATA

BUILTIN\Users:(CI)(special access:)

FILE_WRITE_DATA


ERROR: There are no more files.


»»File(s) in 'junkxxx' folder:

»»Md5sums

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+
Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/


0 bytes, 0 ms = 0.00 MB/sec

»»hosts file:
File not found - C:\WINDOWS\System32\Drivers\etc\hosts
------
»»Rehash:

»Strings found:

Sat Jun 12 03:26:00 2004 -- ++Find-All backups:
A C:\FindallwinBackup.hiv
--a-- - - - - - 8,192 06-09-2004 findallwinbackup.hiv
A C:\findallappinit.reg
--a-- - - - - - 632 06-09-2004 findallappinit.reg
A C:\Spy-Bot\Find-All\winBackup.hiv
A C:\Spy-Bot\Find-All\Fileslist\drivers.txt
A C:\Spy-Bot\Find-All\Fileslist\modules.txt
A C:\Spy-Bot\Find-All\Fileslist\services.txt
A C:\Spy-Bot\Find-All\Fileslist\windows.txt

***Next Registry run should open this key directly:

! REG.EXE VERSION 2.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows



#20 Wiskonst

Posted 12 June 2004 - 08:05 AM

Peach

All right, SQL.DLL has gone.

Now please do a run with CWShredder in Safe Mode (Fix button). And still in Safe Mode a scan with Ad Aware.
This should clear out any remnants.

Then in normal mode produce a Hijack This log.

Windows Messenger Service is, as you earlier said, not the same as MSN Messenger (I earlier didn't know which one you meant). WMS is responsible for popups coming directly over the internet. You can disable it as per the instructions on the page I pointed to, but you would not have it locally then (sometimes f.i. the printer uses the service to warn when you're low on ink or paper). To disable only the internet messages you need a firewall and close ports 135 to 139 and 1026.
You earlier disabled WMS, but it is possible one of the hijackers switched it back on again. It should be solved once the Hijack This log is clean.
_______
Wiskonst

#21 Peach

Posted 12 June 2004 - 01:27 PM

That seemed to work nicely. The program located the core and revealed it, and Ad-Aware detected it and cleaned it out. I also cleared out the quarantined items to be sure that it won't return...

If perchance the hijacker is gone, you might want to stick around for the next couple days to be sure that it doesn't return. This one has been tricky like that...

I have a few more things to mention, but first, the Hijack This log...

Logfile of HijackThis v1.97.7
Scan saved at 11:27:51 AM, on 6/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\htpatch.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ICQ\NDetect.exe
C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Spy-Bot\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Peach\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Peach\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Peach\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Peach\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Peach\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Peach\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = "C:\Program Files\Outlook Express\msimn.exe"
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security Professional\UrlLstCk.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~2\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\NDetect.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\Run: [MtdAcq] C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE /s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.micr...0367/wmavax.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8013.9166898148
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8BBBF7BF-4503-494B-AE8B-53477EBB6B0E}: NameServer = 66.146.0.1,66.146.0.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{8BBBF7BF-4503-494B-AE8B-53477EBB6B0E}: NameServer = 66.146.0.1,66.146.0.2
O17 - HKLM\System\CS2\Services\Tcpip\..\{8BBBF7BF-4503-494B-AE8B-53477EBB6B0E}: NameServer = 66.146.0.1,66.146.0.2

#22 Peach

Posted 12 June 2004 - 01:33 PM

I always wondered how bad tracking cookies really are. It's something that almost everyone automatically downloads on a regular basis, but I don't know just how much privacy is compromised with them.

Now, we'll need to be sure that I'm protected against future hijacking. I'm assuming that I need to remove VM and replace it with Sun Java? I already downloaded the critical updates from Microsoft. Is that enough, or should I be doing more? Also, take note that I have Norton Internet Security Professional. If I should be using its firewall to guard against future attacks, let me know. Oh, and the NetBIOS and NetBIOS Name incoming ports are already blocked...

#23 Wiskonst

Posted 12 June 2004 - 04:13 PM

Peach

The cleaning up is not yet complete; there are still remnants of CWS.
The removal from the registry of references to the CWS files can be done with UnrealCW.
Start UnrealCW and type in the box 'hfkko.dll', click the CLSID button and wait for 'Ready'. Then in the UnrealCW folder find file delhfkko.reg, double-click it and confirm the merge.
Do the same with the following DLLs and reg files:
- jehbcba.dll deljehbc.reg
- nkfd.dll delnkfd.reg
- mmflia.dll delmmfli.reg
- agcccbe.dll delagccc.reg
Exit UnrealCW.

In the temp folder there is still the sp.html belonging to CWS.

Fix from Hijack This:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Peach\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Peach\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Peach\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Peach\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Peach\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Peach\LOCALS~1\Temp\sp.html

Do this by closing all browser windows, placing a checkmark in front of the above items and clicking the Fix-button.

Then remove all files from
C:\DOCUME~1\Peach\LOCALS~1\Temp
If some files cannot be deleted because they are in use delete them in Safe Mode.

It is best to also clean the other temporary folders:
- C:\Windows\Temp
- C:\Windows\Temporary Internet Files

With that the cleanup should be complete.

We will restore the BHO keys we locked in the beginning.
Start Regedt32 and browse to the key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer.
Select Browser Helper Objects. In menu Security choose Permissions.
In the dialog click the Advanced button and in the Advanced panel check 'Inherit from parents ...'. Click Apply. In the list pane above the same list of permission holders should appear as was previously there.
Click OK and on the main panel also check 'Inherit ...'. Click OK and close Regedt32.

Most tracking cookies only track your surfing behaviour, but that can be reason enough to refuse them.
A free cookie manager is AnalogX Cookiewall.

As a general precaution against hijackers we recommend Spywareguard and Spywareblaster (both free). Spywareblaster can block installation of a number of hijackers, among which most variants of Coolwebsearch.

To replace MS Java with Sun Java is certainly advisable. Find instructions to do so here.

For ports to be closed in the firewall see this list of ports used by trojans.

Success

PS Can you send me the UnrealCW logfile (UnrealCW.log)? Use the e-mail link in my profile.
_______
Wiskonst
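A small added check of my own (not code from the thread, from HijackThis or from UnrealCW): it parses the R0/R1 lines of a HijackThis log and lists the entries whose search or start page points at a local file:// target, which is how the sp.html hijack above shows up. The log text inside it is constructed from the lines posted above plus two benign entries that must not be flagged.

```python
"""Flag browser search/start-page entries that point at a local file.

Assumptions (mine, not the thread's): HijackThis R0/R1 lines have the shape
  "R1 - <hive\\key>,<value name> = <data>"
as in the log posted above. Search pages that are http(s) URLs are left alone;
only file:// targets are reported, because that is the CWS pattern shown here.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the six hijacked lines from the posted log plus two
# benign entries (Shellnext and an about:blank start page).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7 (constructed sample)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Peach\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Peach\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Peach\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Peach\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Peach\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Peach\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = "C:\Program Files\Outlook Express\msimn.exe"
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
"""

# One R0/R1 line: section, hive\key, value name, data.
R_LINE = re.compile(r"^(?P<sec>R[01]) - (?P<key>[^,]+),(?P<name>[^=]+?) = (?P<data>.*)$")

# Browser settings that a search-page hijack rewrites.
SEARCH_VALUES = {"Search Bar", "Search Page", "SearchAssistant", "Start Page",
                 "Default_Page_URL", "Default_Search_URL"}


@dataclass(frozen=True)
class Finding:
    line: str        # the HijackThis line, ready to tick in the Fix list
    local_file: str  # the file:// target as a Windows path


def file_url_to_path(url: str) -> Optional[str]:
    """Accept file://C:\\x and file:///C:/x forms; return a backslash path or None."""
    m = re.match(r"^file:/{2,3}(?P<p>[A-Za-z]:[\\/].*)$", url.strip(), re.IGNORECASE)
    return m.group("p").replace("/", "\\") if m else None


def find_search_hijacks(log_text: str) -> List[Finding]:
    """Return every R0/R1 search/start-page entry whose data is a local file."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = R_LINE.match(line)
        if not m or m.group("name").strip() not in SEARCH_VALUES:
            continue
        path = file_url_to_path(m.group("data"))
        if path is not None:  # http(s) or about: targets are not flagged
            findings.append(Finding(line=line, local_file=path))
    return findings


def hijack_targets(findings: List[Finding]) -> List[str]:
    """Distinct local files the flagged entries point at (the files to remove)."""
    return sorted({f.local_file for f in findings}, key=str.lower)


if __name__ == "__main__":
    hits = find_search_hijacks(SAMPLE_LOG)
    print("Fix from Hijack This:")
    for f in hits:
        print(" ", f.line)
    print("Local files referenced:", hijack_targets(hits))
```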

#24 Peach

Posted 12 June 2004 - 04:44 PM

Okay, I took care of unrecognized files in the C:\WINDOWS\TEMP directory, but as for the files within Documents and Settings, is there anything that should remain? I mean, I don't want to lose cookies that I actually do use, nor my History components...

I haven't gone any further from this point... I'm awaiting any word from you...

Oh, and that site for a list of ports... I don't understand much German, and AltaVista's Babelfish isn't very good at translating... Should I just block ALL of those? Also, Norton's firewall stealths unused ports, making them invisible from the outside...

EDIT:

I want to say that I appreciate the help which you have provided for me.

Edited by Peach, 12 June 2004 - 04:45 PM.


#25 Wiskonst

Posted 13 June 2004 - 05:50 AM

Peach

The files in C:\Documents and Settings\<name>\Local Settings\Temp are all disposable.
Find your cookies in C:\Documents and Settings\<name>\Cookies and
your history in C:\Documents and Settings\<name>\Local Settings\History .
If these folders are not set right look in the Registry Editor under key
HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Explorer\Shell folders.

Sorry about not being clear on the list of ports: all of them are used by trojans or hacker programs. So they should be either closed or set to stealth (on port 21 make an exception for your FTP program). If Norton has already done so, OK.
You can do a leaktest if you want.
_______
Wiskonst

#26 Peach

Posted 13 June 2004 - 01:57 PM

There's a problem. The "Inherit from Parents" has already re-checked itself, and there are no permissions. I receive two different errors... The first error is when I try to click on Browser Helper Objects. It says, "Cannot open Browser Helper Objects: Error while opening key." The second error is when I try to go to permissions. It says that I cannot view the permissions, but I can change them...

I'm having an idea of what I need to do to fix this, but since I'm not heavily experienced in this part, I'm going to wait until you tell me what needs to be done... Basically, given your current instructions, things aren't returning to normal...

#27 Wiskonst

Posted 13 June 2004 - 04:13 PM

Peach

Download Registrar Lite (link "download") and install it.
Log into Windows XP as Administrator and run Registrar Lite.
Browse to the Browser Helper Objects key (click on the plus-signs) and select it.
In menu Security choose Take Ownership. Confirm on the message "You have successfully ...".
Start Regedt32 (still logged in as Administrator) and perform the unlocking of the BHO keys, first on the Advanced panel. If the 'Inherit ...' box is already checked, first uncheck it; a dialog will appear with a.o. a button Copy. Click that and the list of right-holders should appear. Now check the 'Inherit ...' box and click OK. On the main panel select all entries in the list pane and at the 'Full Access' item check the left box.
That should work.
_______
Wiskonst

#28 Peach

Posted 13 June 2004 - 07:24 PM

I'm unable to switch to "Administrator" because this is the main administrator account. Administrator only shows up when going into Safe Mode. Everything seems to be in order, though.

Thanks awfully for all of your help. CWS hasn't returned since the purge a couple days ago. Also, my virtual memory problems appear to be fixed. CWS caused a lot of trouble! If only Norton would put more priority in removing malware trojans...

I will soon look into the additional program links that you have provided. I have a couple issues that I have been wondering about, if you don't mind...

For a long while, I've had some bizarre View problems for Windows Explorer. Typically I like "List" for viewing my files, and "Icons" for Control Panel. The Folder Options appear to have the correct settings. What made sense to me is that all folders would be applied with "List" view and Control Panel would be changed to "Icon" view without applying to all other folders. "Remember each folder's view settings" is checked accordingly. However, Control Panel likes to return to "List" view after a reboot. I'm not sure why. What's even more strange is that once in a while, a random folder will become a random view that I never use, like "Details" or "Thumbnails."

Also, after a year of using XP, I never found a way to have Explorer memorize my starting directory (I like to start in the C drive, not My Documents)... After taking a PC class you'd think that I'd know all this stuff. LOL...

#29 Wiskonst

Posted 14 June 2004 - 05:38 AM

Peach

Everything seems to be in order, though.

Yes, but would you at some time want to add a BHO of your own choice, you would not be able to do so with the BHO keys locked.
You could try the same procedure logged in as yourself with administrator rights.
The step of taking ownership in Registrar Lite is important.

Also in Windows 2000, Explorer seems to remember the 'Each folder view settings' only for a limited number of folders.
For the Control Panel try setting the view to the view you want, then close the Panel before shutting down Windows (some windows only save their settings at closing time).
It was Microsoft's choice to program it that way.

For the Explorer to open with a specified folder opened, change the command line parameters in the shortcut.
Right-click on the shortcut, choose properties.
In the first box type:
C:\Windows\Explorer /e,<folder>
for instance C:\Windows\Explorer /e,D:\images

Good luck
_______
Wiskonst

#30 jseville

Posted 14 June 2004 - 07:54 AM

http://www.spywarein...chronicles.html This is where there is the article on CWS and its evolution. There you will find the SearchX article immediately followed by a short article on "yellowpagesearch" which is coupled w/ SearchX and is not visible to hijackthis and cannot be solved w/ CWShredder as acknowledged by the author of CWShredder. The article has good pointers on about 30 CWS variants--save it to your computer for future reference.

I am trying to deal w/ it myself after months of frustration and am hoping for input after you all solve problem so we know this is really the solution since you are talking about solutions a bit different than what I read in post/replies to a user named "piman" yesterday. That article discussed dll.fix and prcview logs and I've posted them in my post under user jseville.

Jay

#31 Peach

Posted 14 June 2004 - 12:49 PM

Wiskonst - Do you mean the "Target" or "Start In" field? I'm thinking this will not change anything for right-clicking Start and choosing "Explore," or simply using the Windows key + E hotkeys. Interestingly enough, each shortcut starts in its own directory. As for the Control Panel part, yeah, I did close the Control Panel prior to soft reboot or shutdown. Sounds like either XP is buggy or I need to reinstall it.

Jay - This is an experience that I will never forget for all of my life. If you're having to deal with SearchX, then this thread may provide you with an answer to how to remove it. I did not begin to truly purge it until it was exposed by FixDLL, for then Ad-Aware was able to remove the executable. Yes, the solutions in this post are quite different than anything that I've read from other posts related to CoolWebSearch. It's clear to me that I had a very stubborn variant.

#32 Wiskonst

Posted 14 June 2004 - 03:41 PM

Peach

If you're having to deal with SearchX, then this thread may provide you with an answer to how to remove it.

Let the honor go to Shadowwar, writer of dllfix, and Freeatlast, writer of the first part of it, Find All.

On Explorer:
I meant the Target field.
I presume you meant with 'starting directory' the folder that is opened when Explorer starts. You cannot change the Start>right-click>Explore shortcut but you can change any other Explorer shortcut in the Start menu or on the Desktop.

I have a small request: could you zip the files in the UnrealCW\backup folder and send them to me, along with the UnrealCW log. Use the e-mail address in my profile.
There is still an issue with a possible hijack of the XML-protocol, which I can find out with the backup files.
_______
Wiskonst


#33 Peach

Posted 14 June 2004 - 04:16 PM

I would, but regardless which method I use to access information on your e-mail, I am always given an e-mail form, and it does not allow attachments. If you were seeing something pertaining to about:blank, it's possible that it's something that I set myself. My homepage is always about:blank.

EDIT:

Oh, yeah... I suppose that I did forget to credit the utility programmers. <G>

Edited by Peach, 14 June 2004 - 04:17 PM.


#34 Wiskonst

Posted 14 June 2004 - 04:26 PM

Peach

I will PM you an e-mail address to send the files to.
It is not something in the Hijack This log, but in the Find All log.
Probably all right though.

Thank you in advance.
_______
Wiskonst

#35 Wiskonst

Posted 15 June 2004 - 02:33 PM

Peach

The XML protocol is all right. :)

_______
Wiskonst
