Curmudgeon

coolwebsearch? HELP!

32 posts in this topic

No idea where it came from. Thought it was Prolivation again, but CWShredder says it's coolwebsearch.

I ran the latest CWShredder, 3 times, said it fixed it, didn't.

Now I've got so many pop-ups, I can't hardly use the 'pooter.

My AdAware keeps throwing an event log up, and this got past AdAware, AdWatch, Norton, SpyBot, Privacy Guardian.

I do what the tutorials say, nothing works.

Anybody able to help?

Thanks.

Attached HiJackThis log:

 

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://nkvd.us (obfuscated)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.largescalecentral.com/LSCForums/index.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer 6.0

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;*windowsupdate.microsoft.com;*windowsupdate.com;download.microsoft.com;codecs.microsoft.com;activex.microsoft.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://nkvd.us (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://nkvd.us (obfuscated)

O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll

O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\SysAI\AproposPlugin.dll

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - C:\WINDOWS\System32\stlbdist.DLL

O2 - BHO: (no name) - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\BrowseBlast Web Accelerator\PBHelper.dll

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - C:\WINDOWS\System32\stlbdist.DLL

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c

O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"

O4 - HKLM\..\Run: [Yys3j.exe] c:\temp\Yys3j.exe

O4 - HKLM\..\Run: [b.exe] c:\temp\B.exe

O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe

O4 - HKLM\..\Run: [bakra] C:\WINDOWS\System32\IEHost.exe

O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINDOWS\System32\stlbdist.DLL,DllRunMain

O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe

O4 - HKLM\..\Run: [yvrfaqmqtwgsn] C:\WINDOWS\System32\upuqwyp.exe

O4 - HKLM\..\Run: [0FEj39g] dunmapi.exe

O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"

O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe

O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"

O4 - HKCU\..\Run: [HoxtRVM2e] skdjwia.exe

O4 - HKLM\..\RunOnce: [PrivacyGuardianIndex] C:\Program Files\Privacy Guardian\PgIndex.exe

O4 - HKCU\..\RunOnce: [PGhist] C:\Program Files\Privacy Guardian\PgHist.exe WinguidesPG

O4 - Global Startup: Adaware Bootup.lnk = ?

O4 - Global Startup: BrowseBlast Web Accelerator.lnk = C:\Program Files\BrowseBlast Web Accelerator\browseblast.exe

O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Show All Original Images - res://C:\Program Files\BrowseBlast Web Accelerator\browseblast.exe/250

O8 - Extra context menu item: Show Original Image - res://C:\Program Files\BrowseBlast Web Accelerator\browseblast.exe/227

O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O10 - Unknown file in Winsock LSP: c:\progra~1\browse~2\sliplsp.dll

O10 - Unknown file in Winsock LSP: c:\progra~1\browse~2\sliplsp.dll

O10 - Unknown file in Winsock LSP: c:\progra~1\browse~2\sliplsp.dll

O10 - Unknown file in Winsock LSP: c:\progra~1\browse~2\sliplsp.dll

O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O13 - DefaultPrefix: http://%6E%6B%76%64%2E%75%73/

O13 - WWW Prefix: http://%6E%6B%76%64%2E%75%73/

O13 - Home Prefix: http://%6E%6B%76%64%2E%75%73/

O13 - Mosaic Prefix: http://%6E%6B%76%64%2E%75%73/

O13 - FTP Prefix:

O13 - Gopher Prefix:

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/317d3290b9eb0f8b6300/netzip/RdxIE2.cab

O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/big/1.1....g/GoogleNav.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7582.3450231481

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab


Next time please properly post your log (you don't have the process list that comes with a properly saved log), but I'll do it anyway.

 

take all this out:

 

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://nkvd.us (obfuscated)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.largescalecentral.com/LSCForums/index.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer 6.0

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;*windowsupdate.microsoft.com;*windowsupdate.com;download.microsoft.com;codecs.microsoft.com;activex.microsoft.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://nkvd.us (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://nkvd.us (obfuscated)

 

for this next entry please try this site for more removal instructions: removal

 

O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll

 

DEFINITELY get rid of this:

 

O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\SysAI\AproposPlugin.dll

 

and this:

 

O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - C:\WINDOWS\System32\stlbdist.DLL

O2 - BHO: (no name) - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\BrowseBlast Web Accelerator\PBHelper.dll

 

this too:

 

O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - C:\WINDOWS\System32\stlbdist.DLL

 

this is for error reporting for windows (but windows never crashes right :whistle: ) take it off:

 

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

 

wow here's a lot of crap to take off.. I fix people's computers and I saw iehost once taking up 100% of CPU, it was nuts: (most of these entries are prolly random file name generator spyware)

 

 

 

O4 - HKLM\..\Run: [Yys3j.exe] c:\temp\Yys3j.exe

O4 - HKLM\..\Run: [b.exe] c:\temp\B.exe

O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe

O4 - HKLM\..\Run: [bakra] C:\WINDOWS\System32\IEHost.exe

O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINDOWS\System32\stlbdist.DLL,DllRunMain

O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe

O4 - HKLM\..\Run: [yvrfaqmqtwgsn] C:\WINDOWS\System32\upuqwyp.exe

O4 - HKLM\..\Run: [0FEj39g] dunmapi.exe

O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"

O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe

O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"

O4 - HKCU\..\Run: [HoxtRVM2e] skdjwia.exe

 

 

you'll always hear me talking about how I hate these pop up stopper programs (I use Google toolbar), but if it's working for you just keep it on, but PLEASE take off the second one:

 

O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"

O4 - HKCU\..\Run: [HoxtRVM2e] skdjwia.exe

 

NEVER USE THESE INTERNET "boosters" they are all crap:

 

O4 - Global Startup: BrowseBlast Web Accelerator.lnk = C:\Program Files\BrowseBlast Web Accelerator\browseblast.exe

 

this goes too:

 

O8 - Extra context menu item: Show All Original Images - res://C:\Program Files\BrowseBlast Web Accelerator\browseblast.exe/250

O8 - Extra context menu item: Show Original Image - res://C:\Program Files\BrowseBlast Web Accelerator\browseblast.exe/227

 

these go too:

 

O10 - Unknown file in Winsock LSP: c:\progra~1\browse~2\sliplsp.dll

O10 - Unknown file in Winsock LSP: c:\progra~1\browse~2\sliplsp.dll

O10 - Unknown file in Winsock LSP: c:\progra~1\browse~2\sliplsp.dll

O10 - Unknown file in Winsock LSP: c:\progra~1\browse~2\sliplsp.dll

 

these are ALWAYS bad please take them off:

 

O13 - DefaultPrefix: http://%6E%6B%76%64%2E%75%73/

O13 - WWW Prefix: http://%6E%6B%76%64%2E%75%73/

O13 - Home Prefix: http://%6E%6B%76%64%2E%75%73/

O13 - Mosaic Prefix: http://%6E%6B%76%64%2E%75%73/

O13 - FTP Prefix:

O13 - Gopher Prefix:

 

take this off too:

 

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/317d3290b9eb0f8b6300/netzip/RdxIE2.cab

 

 

 

hope this helps {SoW}Rob

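Rob's reply above sorts the log by eye. As an added example (not the poster's code and not part of HijackThis), here is a small Python triage script that applies the same reasoning mechanically to a handful of constructed lines in the HijackThis 1.97 line format, modelled on the log in this thread: it percent-decodes the O13 prefixes so the hostname written as %6E%6B... reads plainly, flags R1 proxy settings that route browser traffic through a port on the local machine, flags O4 autoruns that live in a temp folder or carry no path at all, and flags O16 ActiveX downloads fetched from a bare IP address. The rules, function names and the sample lines are all this example's own assumptions.

```python
"""Mechanical triage of HijackThis-style log lines (added example, not HijackThis code)."""
import re
from urllib.parse import unquote, urlsplit

# Constructed sample in the line format HijackThis v1.97 prints, modelled on the log in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://nkvd.us (obfuscated)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Yys3j.exe] c:\temp\Yys3j.exe
O4 - HKLM\..\Run: [0FEj39g] dunmapi.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O13 - DefaultPrefix: http://%6E%6B%76%64%2E%75%73/
O13 - FTP Prefix:
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/317d3290b9eb0f8b6300/netzip/RdxIE2.cab
"""

LINE_RE = re.compile(r"^(R\d|O\d+) - (.*)$")          # "<section> - <body>"
O4_TARGET_RE = re.compile(r".*\[([^\]]+)\]\s*(.*)$")   # "[value name] command line"
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def decode_prefix(value: str) -> str:
    """Percent-decode a URL prefix so an encoded hostname reads as plain text."""
    return unquote(value)


def triage_line(line: str) -> list[str]:
    """Return the reasons a single log line deserves a closer look (empty list = nothing noted)."""
    reasons: list[str] = []
    m = LINE_RE.match(line.strip())
    if not m:
        return reasons
    kind, body = m.groups()

    if kind in ("R0", "R1"):
        if "(obfuscated)" in body:
            reasons.append("search/start page points at a host HijackThis marks as obfuscated")
        if "ProxyServer" in body and re.search(r"127\.0\.0\.1|localhost", body):
            reasons.append("browser traffic is routed through a proxy on the local machine")
    elif kind == "O4":
        m4 = O4_TARGET_RE.match(body)
        if m4:
            target = m4.group(2).strip().strip('"')
            if re.search(r"\\temp\\", target, re.IGNORECASE):
                reasons.append("autorun target lives in a temp directory")
            elif "\\" not in target:
                reasons.append("autorun target has no path and relies on search-path lookup")
    elif kind == "O13":
        value = body.split(":", 1)[1].strip()
        if "%" in value:
            reasons.append(f"percent-encoded prefix hides the hostname: {decode_prefix(value)}")
    elif kind == "O16":
        url = body.rsplit(" - ", 1)[-1]
        host = urlsplit(url).hostname or ""
        if IPV4_RE.fullmatch(host):
            reasons.append(f"ActiveX package downloaded from a bare IP address {host}")
    return reasons


def triage_log(text: str) -> dict[str, list[str]]:
    """Map each flagged line to its reasons; lines with nothing noted are left out."""
    flagged: dict[str, list[str]] = {}
    for line in text.splitlines():
        reasons = triage_line(line)
        if reasons:
            flagged[line.strip()] = reasons
    return flagged


if __name__ == "__main__":
    for entry, why in triage_log(SAMPLE_LOG).items():
        print(entry)
        for reason in why:
            print("    ->", reason)
```

The script only ranks lines for a human to read; it does not touch the registry, and a clean verdict from it means nothing more than that none of these four rules fired.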

Thought I had done it properly....I see I dropped the top part....no idea why, maybe the danged AdAware warning popped up and dropped it off (just happened again).

I am beta testing the BrowseBlast, so it has to stay, and for dial-up, it does work.

The AutoUpDater....is that Microsoft? Do I really dump it?

 

Between R-1 and O2, you say to try this site...the one we're on?

 

 

This computer is second hand. It has all sorts of stuff I have been deleting for months.

 

I ended up with a problem that makes it often difficult to go upstairs, so this was donated to me.

 

I'll re-post momentarily.

 

TOC


I did all that, it about killed AdAware, pixelated, says I am not current.

Now it makes me log into my own computer.

I had 2 programs loaded into desktop by this thing, it sure looks like Prolivation.

Anyway, here's the brand-new log after cleaning:

 

Logfile of HijackThis v1.97.7

Scan saved at 5:03:35 PM, on 6/10/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Executive Software\DiskeeperServer\DKService.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton AntiVirus\SAVScan.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\System32\vssvc.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe

C:\Program Files\Outlook Express\msimn.exe

C:\Program Files\BrowseBlast Web Accelerator\browseblast.exe

C:\Program Files\Nikon\NkView6\NkvMon.exe

C:\WINDOWS\System32\devldr32.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\TEMP\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://nkvd.us (obfuscated)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nkvd.us (obfuscated)

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;*windowsupdate.microsoft.com;*windowsupdate.com;download.microsoft.com;codecs.microsoft.com;activex.microsoft.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://nkvd.us (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://nkvd.us (obfuscated)

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\BrowseBlast Web Accelerator\PBHelper.dll

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"

O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c

O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"

O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"

O4 - Global Startup: Adaware Bootup.lnk = ?

O4 - Global Startup: BrowseBlast Web Accelerator.lnk = C:\Program Files\BrowseBlast Web Accelerator\browseblast.exe

O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Show All Original Images - res://C:\Program Files\BrowseBlast Web Accelerator\browseblast.exe/250

O8 - Extra context menu item: Show Original Image - res://C:\Program Files\BrowseBlast Web Accelerator\browseblast.exe/227

O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O10 - Unknown file in Winsock LSP: c:\progra~1\browse~2\sliplsp.dll

O10 - Unknown file in Winsock LSP: c:\progra~1\browse~2\sliplsp.dll

O10 - Unknown file in Winsock LSP: c:\progra~1\browse~2\sliplsp.dll

O10 - Unknown file in Winsock LSP: c:\progra~1\browse~2\sliplsp.dll

O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O13 - DefaultPrefix: http://%6E%6B%76%64%2E%75%73/

O13 - WWW Prefix: http://%6E%6B%76%64%2E%75%73/

O13 - Home Prefix: http://%6E%6B%76%64%2E%75%73/

O13 - Mosaic Prefix: http://%6E%6B%76%64%2E%75%73/

O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/big/1.1....g/GoogleNav.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7582.3450231481

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab


I have been running all scans all afternoon, and before we started this, AdAware caught 6.

After I cleaned the stuff out, it caught 68.

The system has slowed up so much I am afraid it might just cease.

If this is like the Prolivation I had months ago, there must be a hidden dll file that is re-launching this stuff.

Any idea where I go to look, and are we sure it's coolwebsearch?

Thanks.

TOC


The following needs to be removed; once done, repost a new log and we'll see if we got it all.

 

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://nkvd.us (obfuscated)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nkvd.us (obfuscated)

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;*windowsupdate.microsoft.com;*windowsupdate.com;download.microsoft.com;codecs.microsoft.com;activex.microsoft.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://nkvd.us (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://nkvd.us (obfuscated)

 

----assume this is BrowseBlast, so if you use it do not remove---------------

O10 - Unknown file in Winsock LSP: c:\progra~1\browse~2\sliplsp.dll

O10 - Unknown file in Winsock LSP: c:\progra~1\browse~2\sliplsp.dll

O10 - Unknown file in Winsock LSP: c:\progra~1\browse~2\sliplsp.dll

O10 - Unknown file in Winsock LSP: c:\progra~1\browse~2\sliplsp.dll

--------------------------------------------------------------------------------

 

O13 - DefaultPrefix: http://%6E%6B%76%64%2E%75%73/

O13 - WWW Prefix: http://%6E%6B%76%64%2E%75%73/

O13 - Home Prefix: http://%6E%6B%76%64%2E%75%73/

O13 - Mosaic Prefix: http://%6E%6B%76%64%2E%75%73/

Edited by drkl0rd2000


Now it's something new.

"about:blank".

Whatever this is, it keeps morphing.

It was coolwebsearch, then Prolivation, now about:blank.

Almost like something we deleted opened it up to all sorts of stuff.

Thanks.

TOC


About:blank is a good sign; it means you have deleted your starting page, which had been hijacked. To reset your homepage to be what you want, go to the website you want as homepage, then do the following.

 

Tools

Internet options

 

and right there on that tab will be the following options

 

use current

use default

use blank

 

 

Right now you're set as blank due to all the cleaning we just did. Post a final log after you get your page reset too, please.

Edited by drkl0rd2000


I cannot delete R0, main page. My AdWatch throws up a warning every time.

Is this where the problem is?

I am a little worried about turning the AdWatch off.......

If that's what it takes....

Every time I look at this Hijack Log, it's different. Without cleaning. It was different now from after the last cleaning.

That SearchHook missing looks like something I read about "about:blank"

 

Logfile of HijackThis v1.97.7

Scan saved at 5:35:39 PM, on 6/10/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Executive Software\DiskeeperServer\DKService.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton AntiVirus\SAVScan.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\System32\vssvc.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe

C:\Program Files\BrowseBlast Web Accelerator\browseblast.exe

C:\Program Files\Nikon\NkView6\NkvMon.exe

C:\WINDOWS\System32\devldr32.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Outlook Express\msimn.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Privacy Guardian\pg.exe

C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\TEMP\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\BrowseBlast Web Accelerator\PBHelper.dll

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"

O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c

O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"

O4 - Global Startup: Adaware Bootup.lnk = ?

O4 - Global Startup: BrowseBlast Web Accelerator.lnk = C:\Program Files\BrowseBlast Web Accelerator\browseblast.exe

O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Show All Original Images - res://C:\Program Files\BrowseBlast Web Accelerator\browseblast.exe/250

O8 - Extra context menu item: Show Original Image - res://C:\Program Files\BrowseBlast Web Accelerator\browseblast.exe/227

O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O10 - Unknown file in Winsock LSP: c:\progra~1\browse~2\sliplsp.dll

O10 - Unknown file in Winsock LSP: c:\progra~1\browse~2\sliplsp.dll

O10 - Unknown file in Winsock LSP: c:\progra~1\browse~2\sliplsp.dll

O10 - Unknown file in Winsock LSP: c:\progra~1\browse~2\sliplsp.dll

O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/big/1.1....g/GoogleNav.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7582.3450231481

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab


Whenever I try to reset my home page from "about:blank", AdWatch tells me it has detected an attempted Registry Change, even right now, so something is still hidden somewhere.

TOC


Axe these 2; disable AdWatch if needed to delete these. Afterwards you should be able to set your homepage and be back up and running.

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R3 - Default URLSearchHook is missing


Sorry, I just saw the one about resetting home page.

I know how to do it, and I can set to current once I select it, but as soon as I try to apply, AdAware says "Registry Change".

I think (therefore I am?) (I think) that some hidden part is triggering this, but youse guys are the ex-purts, so......

Sure different than Drum Memory and all them Nixie Tubes and visible registers......

TOC


Okay, did it. Got rid of the Hook, but the R0 WON'T go away, even with AdWatch killed. And, as soon as I turned AdWatch back on, it said "Registry Modification Detected".

At least the pop-ups seem to be gone, and the every 15 seconds warning from AdAware....

So, how do we fix the R0 from the back?

TOC


Changing the home page may give that error in AdWatch because one of the things it monitors for is webpage hijacking (changing the starting page). That said, disable AdWatch before you change the starting homepage and you should be golden.

 

You might also click on the search button and then click customize in the search window and set your search page to whatever you prefer, then reboot the machine to make sure that message from AdWatch does not come up again.


Nope.

I still cannot reset my home page, "Registry Modification Detected".

Is this just a function of AdWatch?

I am getting a little paranoid about running anything on the 'net with it off........

TOC


Disabled AdWatch, set it, applied, ok, turned AdWatch back on, told me it had detected a registry modification at the exact time I turned it back on.....

I will try doing a re-boot.

TOC


I just re-ran HiJack This, and as you can see, more stuff has magically added itself to the files.

Those 2 R1's were not there 10 minutes ago, and the R0 is still......

Arrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrgggggggggggggggggghhhhhhhhhhhhhhh.

I know, deep breath............

TOC

 

Logfile of HijackThis v1.97.7

Scan saved at 5:57:23 PM, on 6/10/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Executive Software\DiskeeperServer\DKService.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton AntiVirus\SAVScan.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\System32\vssvc.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\BrowseBlast Web Accelerator\browseblast.exe

C:\Program Files\Nikon\NkView6\NkvMon.exe

C:\WINDOWS\System32\devldr32.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Outlook Express\msimn.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Privacy Guardian\pg.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\TEMP\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

C:\WINDOWS\notepad.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe

 

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;*windowsupdate.microsoft.com;*windowsupdate.com;download.microsoft.com;codecs.microsoft.com;activex.microsoft.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\BrowseBlast Web Accelerator\PBHelper.dll

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"

O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c

O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"

O4 - Global Startup: Adaware Bootup.lnk = ?

O4 - Global Startup: BrowseBlast Web Accelerator.lnk = C:\Program Files\BrowseBlast Web Accelerator\browseblast.exe

O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Show All Original Images - res://C:\Program Files\BrowseBlast Web Accelerator\browseblast.exe/250

O8 - Extra context menu item: Show Original Image - res://C:\Program Files\BrowseBlast Web Accelerator\browseblast.exe/227

O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O10 - Unknown file in Winsock LSP: c:\progra~1\browse~2\sliplsp.dll

O10 - Unknown file in Winsock LSP: c:\progra~1\browse~2\sliplsp.dll

O10 - Unknown file in Winsock LSP: c:\progra~1\browse~2\sliplsp.dll

O10 - Unknown file in Winsock LSP: c:\progra~1\browse~2\sliplsp.dll

O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/big/1.1....g/GoogleNav.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7582.3450231481

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab


I'd turn off AdWatch, reset the homepage to www.yahoo.com, then reset the search sidebar page as described above. Reboot the PC and see if you get that error anymore.

 

But reboot the PC; do not restart Ad-aware or AdWatch until you reboot, and see if it clears that message up.

Edited by drkl0rd2000


Turned off AdWatch, reset both places to yaywho, rebooted, back to "about:blank".

Recheck HiJackThis, same as last post.

TOC


Do NOT follow the 3rd QUOTE part of that fix... you can't anyway because you don't have those items, but don't get confused trying to...

 

Also, please do not try to fix the O10s that both people have suggested you fix, you could lose your web access if you do... They are part of "SlipStream Internet Accelerator Server" which is valid and they need to be removed another way if you are not using that program...

 

This is probably legit, but I would fix it just to clean things up so we can sort this out... You can install it again later if you want it...

 

O2 - BHO: (no name) - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\BrowseBlast Web Accelerator\PBHelper.dll

O4 - Global Startup: BrowseBlast Web Accelerator.lnk = C:\Program Files\BrowseBlast Web Accelerator\browseblast.exe

O8 - Extra context menu item: Show All Original Images - res://C:\Program Files\BrowseBlast Web Accelerator\browseblast.exe/250

O8 - Extra context menu item: Show Original Image - res://C:\Program Files\BrowseBlast Web Accelerator\browseblast.exe/227

 

If you agree to get rid of this, you will also need to use Add/Remove Programs to remove it:

 

C:\Program Files\BrowseBlast Web Accelerator\browseblast.exe

 

You have been running HJT from a Temporary folder and it is possible that your backups have been lost. I suggest that you move HJT to a folder that you create like C:\HJT and move any files that are labeled as backups that are in the temp folder so that you have them if you need them. Once you are clean and things are running smoothly for a while, you can delete them...

 

Go ahead and fix these, I am not entirely sure they are bad, but I want to see if CWS is still hiding back there...

 

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;*windowsupdate.microsoft.com;*windowsupdate.com;download.microsoft.com;codecs.microsoft.com;activex.microsoft.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

 

Let's see where you are at after you do the stuff mentioned so far... Post a fresh log after a reboot and give as much detail as possible about any problems you are still having....

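As an added example for the log reading this thread turns on (it is not HijackThis code and not something either poster ran), the Python script below parses the R1, O2 and O10 lines of a constructed, abridged copy of the log above and surfaces the three points raised in the reply just before it: a proxy on 127.0.0.1 that should be tied to a listening process before the setting is deleted, BHOs registered with no name, and a Winsock LSP DLL that holds several catalog entries and must not be removed line by line. The regexes, the `Finding` record and the severity labels are assumptions of mine, not HijackThis conventions.

```python
"""Triage a HijackThis 1.x log for the items discussed in this thread.

Added example for this page; not HijackThis code and not run by either
poster.  The heuristics (loopback proxy, unnamed BHOs, repeated O10
entries) are the author's assumptions about what to check first.
"""
import re
from collections import Counter, namedtuple

Finding = namedtuple("Finding", "section severity detail")

# Constructed sample: lines abridged from the log posted in the thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;*windowsupdate.microsoft.com;*windowsupdate.com;download.microsoft.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\BrowseBlast Web Accelerator\PBHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O10 - Unknown file in Winsock LSP: c:\progra~1\browse~2\sliplsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\browse~2\sliplsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\browse~2\sliplsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\browse~2\sliplsp.dll
"""

# Assumed line shapes, derived from the log lines visible in this thread.
LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
PROXY_RE = re.compile(r",ProxyServer = (?P<value>.+)$")
OVERRIDE_RE = re.compile(r",ProxyOverride = (?P<value>.*)$")
LOOPBACK_RE = re.compile(r"(?:127\.0\.0\.1|localhost):(?P<port>\d+)")
BHO_RE = re.compile(r"^BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
LSP_RE = re.compile(r"^Unknown file in Winsock LSP: (?P<path>.+)$")


def parse_hjt(text):
    """Return (section, body) pairs for the R*/O* lines; header lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def loopback_proxy_port(entries):
    """Port of an IE HTTP proxy bound to the loopback address, or None."""
    for section, body in entries:
        if section == "R1":
            pm = PROXY_RE.search(body)
            lm = LOOPBACK_RE.search(pm.group("value")) if pm else None
            if lm:
                return int(lm.group("port"))
    return None


def proxy_bypass_hosts(entries):
    """Hosts IE reaches directly instead of through the proxy (empty if none)."""
    for section, body in entries:
        if section == "R1":
            m = OVERRIDE_RE.search(body)
            if m:
                return [h for h in m.group("value").split(";") if h]
    return []


def lsp_counts(entries):
    """Number of Winsock catalog entries reported per unknown LSP DLL."""
    counts = Counter()
    for section, body in entries:
        if section == "O10":
            m = LSP_RE.match(body)
            if m:
                counts[m.group("path").lower()] += 1
    return counts


def unnamed_bhos(entries):
    """Paths of Browser Helper Objects registered without a display name."""
    paths = []
    for section, body in entries:
        m = BHO_RE.match(body) if section == "O2" else None
        if m and m.group("name") == "(no name)":
            paths.append(m.group("path"))
    return paths


def triage(entries):
    """Turn the parsed entries into review notes, in log-section order."""
    findings = []
    port = loopback_proxy_port(entries)
    if port is not None:
        findings.append(Finding("R1", "review",
            f"IE sends HTTP through a proxy on 127.0.0.1:{port}; identify the "
            f"process listening on that port (netstat -ano) before deleting the setting"))
    for path in unnamed_bhos(entries):
        findings.append(Finding("O2", "review", f"BHO with no registered name: {path}"))
    for path, n in sorted(lsp_counts(entries).items()):
        findings.append(Finding("O10", "caution",
            f"{path} holds {n} Winsock LSP entries; remove it with its uninstaller or "
            f"an LSP-aware tool, not by deleting lines, or the LSP chain breaks"))
    return findings


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{f.section}] {f.severity}: {f.detail}")
```

The O10 note is the important one: HijackThis reports one line per catalog entry, so the same DLL appearing four times means four entries in the Winsock chain, and fixing them from the log leaves the chain numbered around a gap.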

Looking at this all night, I think you've got it.

All functions seem to be normal, and I do believe after some testing that the "about:blank" is a function of AdWatch.

I have been through the tutorials AGAIN and see it is supposed to do something it won't....ask me to allow a process and add it to the allowed process list.

Never asks, and I can't, so even auto-complete has a problem.

Danged Technology, anyway.

Thanks.

Worked.

TOC


about:blank is not a function of AdAware or AdWatch, it is usually an indicator of a CWS infection and it has a tendency to hide and reappear later... Did you run the fixes suggested?? If so, please post another log after reboot so we can see how you are doing.....


This is odd.

I have determined that AdWatch is creating my inability to delete these problems.......I turn off AdWatch, clean the problems, re-boot, and when I turn AdWatch back on, it re-imposes all the infected files right back where they were.

I have been on the lavasoft forums, trying to figure out why the stuff I am supposed to have isn't there, and how to get it to quit fighting me.

One thing is the allowed process list. Supposed to have a window pop up asking if I want to allow the process...never happens. It even blocks the "do you want to remember this password" window.

Anybody ever see this?

TOC


Budfred- I have done all the fixes, many, many times. The R1 and R0 keep getting re-installed by AdWatch, every time I turn it back on.

I have asked on the lavasoft forums, no answer yet. I even e-mailed support twice Thursday and no reply.

Here's the latest, after many cleanings:

 

Logfile of HijackThis v1.97.7

Scan saved at 12:16:30 PM, on 6/12/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Executive Software\DiskeeperServer\DKService.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton AntiVirus\SAVScan.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\System32\vssvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\MsPMSPSv.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe

C:\Program Files\Outlook Express\msimn.exe

C:\Program Files\BrowseBlast Web Accelerator\browseblast.exe

C:\Program Files\Nikon\NkView6\NkvMon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\System32\devldr32.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\TEMP\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;*windowsupdate.microsoft.com;*windowsupdate.com;download.microsoft.com;codecs.microsoft.com;activex.microsoft.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\BrowseBlast Web Accelerator\PBHelper.dll

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"

O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c

O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"

O4 - Global Startup: Adaware Bootup.lnk = ?

O4 - Global Startup: BrowseBlast Web Accelerator.lnk = C:\Program Files\BrowseBlast Web Accelerator\browseblast.exe

O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Show All Original Images - res://C:\Program Files\BrowseBlast Web Accelerator\browseblast.exe/250

O8 - Extra context menu item: Show Original Image - res://C:\Program Files\BrowseBlast Web Accelerator\browseblast.exe/227

O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O10 - Unknown file in Winsock LSP: c:\progra~1\browse~2\sliplsp.dll

O10 - Unknown file in Winsock LSP: c:\progra~1\browse~2\sliplsp.dll

O10 - Unknown file in Winsock LSP: c:\progra~1\browse~2\sliplsp.dll

O10 - Unknown file in Winsock LSP: c:\progra~1\browse~2\sliplsp.dll

O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/big/1.1....g/GoogleNav.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7582.3450231481

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab


This is with AdWatch off, and cleaned logfile:

 

Logfile of HijackThis v1.97.7

Scan saved at 12:21:30 PM, on 6/12/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Executive Software\DiskeeperServer\DKService.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton AntiVirus\SAVScan.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\System32\vssvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\MsPMSPSv.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Outlook Express\msimn.exe

C:\Program Files\BrowseBlast Web Accelerator\browseblast.exe

C:\Program Files\Nikon\NkView6\NkvMon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\System32\devldr32.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\TEMP\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;*windowsupdate.microsoft.com;*windowsupdate.com;download.microsoft.com;codecs.microsoft.com;activex.microsoft.com

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\BrowseBlast Web Accelerator\PBHelper.dll

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"

O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c

O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"

O4 - Global Startup: Adaware Bootup.lnk = ?

O4 - Global Startup: BrowseBlast Web Accelerator.lnk = C:\Program Files\BrowseBlast Web Accelerator\browseblast.exe

O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Show All Original Images - res://C:\Program Files\BrowseBlast Web Accelerator\browseblast.exe/250

O8 - Extra context menu item: Show Original Image - res://C:\Program Files\BrowseBlast Web Accelerator\browseblast.exe/227

O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O10 - Unknown file in Winsock LSP: c:\progra~1\browse~2\sliplsp.dll

O10 - Unknown file in Winsock LSP: c:\progra~1\browse~2\sliplsp.dll

O10 - Unknown file in Winsock LSP: c:\progra~1\browse~2\sliplsp.dll

O10 - Unknown file in Winsock LSP: c:\progra~1\browse~2\sliplsp.dll

O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/big/1.1....g/GoogleNav.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7582.3450231481

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab


As soon as I turn AdWatch on, this is what happens (got a popup window "Registry Modification Detected")

If I remove the Windows Automatic Update, it throws that back, too, so I just gave up trying.

The other one will come back in a short while....at least it did all night.

I have no idea what the R1 Proxy Server is...

Perplexing.

TOC

 

 

Logfile of HijackThis v1.97.7

Scan saved at 12:23:12 PM, on 6/12/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Executive Software\DiskeeperServer\DKService.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton AntiVirus\SAVScan.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\System32\vssvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\MsPMSPSv.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Outlook Express\msimn.exe

C:\Program Files\BrowseBlast Web Accelerator\browseblast.exe

C:\Program Files\Nikon\NkView6\NkvMon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\System32\devldr32.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\TEMP\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

C:\WINDOWS\notepad.exe

C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe

C:\TEMP\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;*windowsupdate.microsoft.com;*windowsupdate.com;download.microsoft.com;codecs.microsoft.com;activex.microsoft.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\BrowseBlast Web Accelerator\PBHelper.dll

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"

O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c

O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"

O4 - Global Startup: Adaware Bootup.lnk = ?

O4 - Global Startup: BrowseBlast Web Accelerator.lnk = C:\Program Files\BrowseBlast Web Accelerator\browseblast.exe

O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Show All Original Images - res://C:\Program Files\BrowseBlast Web Accelerator\browseblast.exe/250

O8 - Extra context menu item: Show Original Image - res://C:\Program Files\BrowseBlast Web Accelerator\browseblast.exe/227

O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O10 - Unknown file in Winsock LSP: c:\progra~1\browse~2\sliplsp.dll

O10 - Unknown file in Winsock LSP: c:\progra~1\browse~2\sliplsp.dll

O10 - Unknown file in Winsock LSP: c:\progra~1\browse~2\sliplsp.dll

O10 - Unknown file in Winsock LSP: c:\progra~1\browse~2\sliplsp.dll

O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/big/1.1....g/GoogleNav.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7582.3450231481

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab


Okay, I see what is going on... You need to clean out the memory in AdWatch and this may mean that you have to uninstall it. I don't use it, so I can't give you a lot of detail. It is designed to keep malware from changing your settings, so when you change them voluntarily, it resets them... After you purge AdWatch, turn it off, do the fixes and turn it back on to take a shot of the now cleaned system. That should make it restore to the clean system if there are any problems later...


Okay. There is the root of the problem.

AdWatch. The lavasoft site has been unavailable so far today, so I don't have a clue....

I can't turn anything off or purge any memory or add anything to a logfile.

Nothing. This has to be the most worthless software you have to buy I have seen yet.

Okay, I'll un-install it, clean again, purge and re-install.

Then I'll be back!

Thanks!

TOC


Actually it is great at doing what it is supposed to do, that is the problem here... If it were malware trying to change your settings, you would think it was the greatest thing around.... :D:D


Budfred- I would agree with you except for one thing.

After the last HiJack, I bought the add-on of AdWatch to AdAware, and it runs continuously every time I fire up.

It let this infection in in the first place. Went right past it.

Then it won't let me fix it.

They tell you it does things that just aren't there, you go to the "?" and it says there is no information.

I am in the middle of clearing it out now.

TOC


You may need to check the LavaSoft forums for people that know more about it... I suspect what may have happened is that the infection was already there and AdWatch got caught in the middle... Some of the scumbuckets who write this malware specifically target some of the products, like AdAware, that fight them, but AdWatch isn't used widely enough to be a likely target, so there are other things going on with this...

 

I like to install a full suite of security stuff on a clean install so that I know that I am protected from the beginning and any problems that occur are clearly due to the malware.... Don't always have the luxury of doing that though.... :D
