coolwebsearch? HELP!


31 replies to this topic

#1 Curmudgeon

Curmudgeon

    Member

  • Full Member
  • Pip
  • 22 posts

Posted 10 June 2004 - 06:08 PM

No idea where it came from. Thought it was Prolivation again, but CWShredder says it's coolwebsearch.
I ran the latest CWShredder, 3 times, said it fixed it, didn't.
Now I've got so many pop-ups, I can't hardly use the 'pooter.
My AdAware keeps throwing an event log up, and this got past AdAware, AdWatch, Norton, SpyBot, Privacy Guardian.
I do what the tutorials say, nothing works.
Anybody able to help?
Thanks.
Attached HiJackThis log:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://nkvd.us (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.largescal...orums/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer 6.0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;*windowsupdate.microsoft.com;*windowsupdate.com;download.microsoft.com;codecs.microsoft.com;activex.microsoft.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://nkvd.us (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://nkvd.us (obfuscated)
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\SysAI\AproposPlugin.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - C:\WINDOWS\System32\stlbdist.DLL
O2 - BHO: (no name) - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\BrowseBlast Web Accelerator\PBHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - C:\WINDOWS\System32\stlbdist.DLL
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
O4 - HKLM\..\Run: [Yys3j.exe] c:\temp\Yys3j.exe
O4 - HKLM\..\Run: [B.exe] c:\temp\B.exe
O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINDOWS\System32\stlbdist.DLL,DllRunMain
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [yvrfaqmqtwgsn] C:\WINDOWS\System32\upuqwyp.exe
O4 - HKLM\..\Run: [0FEj39g] dunmapi.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - HKCU\..\Run: [HoxtRVM2e] skdjwia.exe
O4 - HKLM\..\RunOnce: [PrivacyGuardianIndex] C:\Program Files\Privacy Guardian\PgIndex.exe
O4 - HKCU\..\RunOnce: [PGhist] C:\Program Files\Privacy Guardian\PgHist.exe WinguidesPG
O4 - Global Startup: Adaware Bootup.lnk = ?
O4 - Global Startup: BrowseBlast Web Accelerator.lnk = C:\Program Files\BrowseBlast Web Accelerator\browseblast.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Show All Original Images - res://C:\Program Files\BrowseBlast Web Accelerator\browseblast.exe/250
O8 - Extra context menu item: Show Original Image - res://C:\Program Files\BrowseBlast Web Accelerator\browseblast.exe/227
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O10 - Unknown file in Winsock LSP: c:\progra~1\browse~2\sliplsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\browse~2\sliplsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\browse~2\sliplsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\browse~2\sliplsp.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - DefaultPrefix: http://%6E%6B%76%64%2E%75%73/
O13 - WWW Prefix: http://%6E%6B%76%64%2E%75%73/
O13 - Home Prefix: http://%6E%6B%76%64%2E%75%73/
O13 - Mosaic Prefix: http://%6E%6B%76%64%2E%75%73/
O13 - FTP Prefix:
O13 - Gopher Prefix:
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150...tzip/RdxIE2.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.googl...g/GoogleNav.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7582.3450231481
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#2 caruch6392

caruch6392

    Member

  • Full Member
  • Pip
  • 25 posts

Posted 10 June 2004 - 06:21 PM

Next time please properly post your log (you don't have the process list that comes with a properly saved log), but I'll do it anyway.

take all this out:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://nkvd.us (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.largescal...orums/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer 6.0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;*windowsupdate.microsoft.com;*windowsupdate.com;download.microsoft.com;codecs.microsoft.com;activex.microsoft.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://nkvd.us (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://nkvd.us (obfuscated)

for this next entry please try this site for more removal instructions: removal

O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll

DEFINITELY get rid of this:

O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\SysAI\AproposPlugin.dll

and this:

O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - C:\WINDOWS\System32\stlbdist.DLL
O2 - BHO: (no name) - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\BrowseBlast Web Accelerator\PBHelper.dll

this too:

O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - C:\WINDOWS\System32\stlbdist.DLL

this is for error reporting for windows (but windows never crashes right :whistle: ) take it off:

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

wow, here's a lot of crap to take off... I fix people's computers and I saw iehost once taking up 100% of cpu, it was nuts: (most of these entries are prolly random file name generator spyware)

O4 - HKLM\..\Run: [Yys3j.exe] c:\temp\Yys3j.exe
O4 - HKLM\..\Run: [B.exe] c:\temp\B.exe
O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINDOWS\System32\stlbdist.DLL,DllRunMain
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [yvrfaqmqtwgsn] C:\WINDOWS\System32\upuqwyp.exe
O4 - HKLM\..\Run: [0FEj39g] dunmapi.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - HKCU\..\Run: [HoxtRVM2e] skdjwia.exe

you'll always hear me talking about how I hate these pop up stopper programs (I use google toolbar), but if it's working for you just keep it on, but PLEASE take off the second one:

O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - HKCU\..\Run: [HoxtRVM2e] skdjwia.exe

NEVER USE THESE INTERNET "boosters" they are all crap:

O4 - Global Startup: BrowseBlast Web Accelerator.lnk = C:\Program Files\BrowseBlast Web Accelerator\browseblast.exe

this goes too:

O8 - Extra context menu item: Show All Original Images - res://C:\Program Files\BrowseBlast Web Accelerator\browseblast.exe/250
O8 - Extra context menu item: Show Original Image - res://C:\Program Files\BrowseBlast Web Accelerator\browseblast.exe/227

these go too:

O10 - Unknown file in Winsock LSP: c:\progra~1\browse~2\sliplsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\browse~2\sliplsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\browse~2\sliplsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\browse~2\sliplsp.dll

these are ALWAYS bad please take them off:

O13 - DefaultPrefix: http://%6E%6B%76%64%2E%75%73/
O13 - WWW Prefix: http://%6E%6B%76%64%2E%75%73/
O13 - Home Prefix: http://%6E%6B%76%64%2E%75%73/
O13 - Mosaic Prefix: http://%6E%6B%76%64%2E%75%73/
O13 - FTP Prefix:
O13 - Gopher Prefix:

take this off too:

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150...tzip/RdxIE2.cab
hope this helps {SoW}Rob
UPDATE and run Ad-aware
UPDATE and run Spybot Search and Destroy
UPDATE and run CWShredder
update and use SpywareBlaster
a nifty little program: a squared 2
free virus scanner: AVG anti-virus
another free antivirus: Avast!

don't forget to do windows updates


#3 Curmudgeon

Posted 10 June 2004 - 06:55 PM

Thought I had done it properly....I see I dropped the top part....no idea why, maybe the danged AdAware warning popped up and dropped it off (just happened again).
I am beta testing the BrowseBlast, so it has to stay, and for dial-up, it does work.
The AutoUpDater....is that Microsoft? Do I really dump it?

Between R-1 and O2, you say to try this site...the one we're on?


This computer is second hand. It has all sorts of stuff I have been deleting for months.

I ended up with a problem that makes it often difficult to go upstairs, so this was donated to me.

I'll re-post momentarily.

TOC

#4 Curmudgeon

Posted 10 June 2004 - 07:05 PM

I did all that, it about killed AdAware, pixelated, says I am not current.
Now it makes me log into my own computer.
I had 2 programs loaded into desktop by this thing, it sure looks like Prolivation.
Anyway, here's the brand-new log after cleaning:

Logfile of HijackThis v1.97.7
Scan saved at 5:03:35 PM, on 6/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Executive Software\DiskeeperServer\DKService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\BrowseBlast Web Accelerator\browseblast.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\TEMP\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://nkvd.us (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nkvd.us (obfuscated)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;*windowsupdate.microsoft.com;*windowsupdate.com;download.microsoft.com;codecs.microsoft.com;activex.microsoft.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://nkvd.us (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://nkvd.us (obfuscated)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\BrowseBlast Web Accelerator\PBHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - Global Startup: Adaware Bootup.lnk = ?
O4 - Global Startup: BrowseBlast Web Accelerator.lnk = C:\Program Files\BrowseBlast Web Accelerator\browseblast.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Show All Original Images - res://C:\Program Files\BrowseBlast Web Accelerator\browseblast.exe/250
O8 - Extra context menu item: Show Original Image - res://C:\Program Files\BrowseBlast Web Accelerator\browseblast.exe/227
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O10 - Unknown file in Winsock LSP: c:\progra~1\browse~2\sliplsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\browse~2\sliplsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\browse~2\sliplsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\browse~2\sliplsp.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - DefaultPrefix: http://%6E%6B%76%64%2E%75%73/
O13 - WWW Prefix: http://%6E%6B%76%64%2E%75%73/
O13 - Home Prefix: http://%6E%6B%76%64%2E%75%73/
O13 - Mosaic Prefix: http://%6E%6B%76%64%2E%75%73/
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.googl...g/GoogleNav.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7582.3450231481
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#5 Curmudgeon

Posted 10 June 2004 - 07:15 PM

I have been running all scans all afternoon, and before we started this, AdAware caught 6.
After I cleaned the stuff out, it caught 68.
The system has slowed up so much I am afraid it might just cease.
If this is like the Prolivation I had months ago, there must be a hidden dll file that is re-launching this stuff.
Any idea where I go to look, and are we sure it's coolwebsearch?
Thanks.
TOC

#6 drkl0rd2000

drkl0rd2000

    Member

  • Full Member
  • Pip
  • 20 posts

Posted 10 June 2004 - 07:15 PM

The following needs to be removed; once done, repost a new log so we can see if we got it all.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://nkvd.us (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nkvd.us (obfuscated)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;*windowsupdate.microsoft.com;*windowsupdate.com;download.microsoft.com;codecs.microsoft.com;activex.microsoft.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://nkvd.us (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://nkvd.us (obfuscated)

----assume this is BrowseBlast, so if you use it, do not remove---------------
O10 - Unknown file in Winsock LSP: c:\progra~1\browse~2\sliplsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\browse~2\sliplsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\browse~2\sliplsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\browse~2\sliplsp.dll
--------------------------------------------------------------------------------

O13 - DefaultPrefix: http://%6E%6B%76%64%2E%75%73/
O13 - WWW Prefix: http://%6E%6B%76%64%2E%75%73/
O13 - Home Prefix: http://%6E%6B%76%64%2E%75%73/
O13 - Mosaic Prefix: http://%6E%6B%76%64%2E%75%73/

Edited by drkl0rd2000, 10 June 2004 - 07:16 PM.
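One way to read these entries programmatically, as an added example that is not code from the thread or from HijackThis itself: decode the percent-escaped O13 prefixes and the "(obfuscated)" URLs, and flag the categories caruch6392 and drkl0rd2000 single out above (the loopback ProxyServer, the O13 prefixes, Run entries launched from c:\temp or by bare filename, the missing URLSearchHook, and unknown LSP files, which a legitimate accelerator can also install). The sample log lines are constructed from entries in this thread; the rule set and function names are this example's own.

```python
"""Triage HijackThis-style log lines for the hijack indicators discussed in the thread."""
import re
from urllib.parse import unquote

# Constructed sample log: a few lines in the shape HijackThis prints them.
SAMPLE_LOG = """\
Logfile of HijackThis v1.97.7
R1 - HKCU\\Software\\Microsoft\\Internet Explorer,SearchURL = http://nkvd.us (obfuscated)
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = http=127.0.0.1:5400
R3 - Default URLSearchHook is missing
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\\Program Files\\Norton AntiVirus\\NavShExt.dll
O4 - HKLM\\..\\Run: [Yys3j.exe] c:\\temp\\Yys3j.exe
O4 - HKLM\\..\\Run: [0FEj39g] dunmapi.exe
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O10 - Unknown file in Winsock LSP: c:\\progra~1\\browse~2\\sliplsp.dll
O13 - DefaultPrefix: http://%6E%6B%76%64%2E%75%73/
O13 - FTP Prefix:
"""

ENTRY = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
PCT_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")


def decode_obfuscated(url: str) -> str:
    """Undo the %XX escaping that HijackThis labels '(obfuscated)'."""
    return unquote(url.replace(" (obfuscated)", ""))


def is_loopback_proxy(value: str) -> bool:
    """True if a ProxyServer value (e.g. 'http=127.0.0.1:5400') points at this machine."""
    for part in value.split(";"):
        host = part.split("=")[-1].split(":")[0].strip().lower()
        if host.startswith("127.") or host == "localhost":
            return True
    return False


def triage_line(line: str):
    """Return (section, reason) for a suspicious entry, or None for a benign/unknown line."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    if sec == "O13":
        # Any URL prefix is a hijack: IE prepends it to bare hostnames typed in the bar.
        name, _, value = body.partition(":")
        value = value.strip()
        return (sec, f"URL prefix hijack {name.strip()} -> {decode_obfuscated(value)}") if value else None
    if sec in ("R0", "R1"):
        key, _, value = body.partition(" = ")
        value = value.strip()
        if key.endswith(",ProxyServer") and is_loopback_proxy(value):
            return (sec, f"browser proxied through a local process: {value}")
        if "(obfuscated)" in value or PCT_ESCAPE.search(value):
            return (sec, f"obfuscated start/search URL: {decode_obfuscated(value)}")
        return None
    if sec == "R3" and "missing" in body:
        return (sec, "default URLSearchHook missing; restore it, then reset the search page")
    if sec == "O4":
        # Run-key targets: flag anything launched from a temp dir or by bare filename.
        m4 = re.search(r"\[[^\]]*\]\s*(.*)$", body)
        target = m4.group(1).strip().strip('"').lower() if m4 else ""
        if not target:
            return None
        if "\\temp\\" in target:
            return (sec, f"autorun from a temp directory: {target}")
        if "\\" not in target:
            return (sec, f"autorun by bare filename, resolved via search path: {target}")
        return None
    if sec == "O10":
        path = body.partition(":")[2].strip()
        return (sec, f"Winsock LSP from unknown file: {path} (confirm vendor first)")
    return None


def triage(log_text: str):
    """Run triage over a whole log; returns the list of (section, reason) findings in log order."""
    return [f for f in (triage_line(ln) for ln in log_text.splitlines()) if f]


if __name__ == "__main__":
    for sec, reason in triage(SAMPLE_LOG):
        print(f"{sec}: {reason}")
```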


#7 Curmudgeon

Posted 10 June 2004 - 07:26 PM

Now it's something new.
"about:blank".
Whatever this is, it keeps morphing.
It was coolwebsearch, then Prolivation, now about:blank.
Almost like something we deleted opened it up to all sorts of stuff.
Thanks.
TOC

#8 drkl0rd2000

Posted 10 June 2004 - 07:29 PM

About:blank is a good sign; it means you have deleted your starting page, which had been hijacked. To reset your homepage to what you want, go to the website you want as your homepage, then do the following.

Tools
Internet options

and right there on that tab will be the following options

use current
use default
use blank


Right now you're set as blank due to all the cleaning we just did. Post a final log after you get your page reset too, please.

Edited by drkl0rd2000, 10 June 2004 - 07:30 PM.


#9 Curmudgeon

Posted 10 June 2004 - 07:38 PM

I cannot delete R0, main page. My AdWatch throws up a warning every time.
Is this where the problem is?
I am a little worried about turning the AdWatch off.......
If that's what it takes....
Every time I look at this Hijack Log, it's different. Without cleaning. It was different now from after the last cleaning.
That SearchHook missing looks like something I read about "about:blank"

Logfile of HijackThis v1.97.7
Scan saved at 5:35:39 PM, on 6/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Executive Software\DiskeeperServer\DKService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\Program Files\BrowseBlast Web Accelerator\browseblast.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Privacy Guardian\pg.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\TEMP\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\BrowseBlast Web Accelerator\PBHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
O4 - Global Startup: Adaware Bootup.lnk = ?
O4 - Global Startup: BrowseBlast Web Accelerator.lnk = C:\Program Files\BrowseBlast Web Accelerator\browseblast.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Show All Original Images - res://C:\Program Files\BrowseBlast Web Accelerator\browseblast.exe/250
O8 - Extra context menu item: Show Original Image - res://C:\Program Files\BrowseBlast Web Accelerator\browseblast.exe/227
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O10 - Unknown file in Winsock LSP: c:\progra~1\browse~2\sliplsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\browse~2\sliplsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\browse~2\sliplsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\browse~2\sliplsp.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.googl...g/GoogleNav.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7582.3450231481
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#10 Curmudgeon

Posted 10 June 2004 - 07:40 PM

Whenever I try to reset my home page from "about:blank", AdWatch tells me it has detected an attempted Registry Change, even right now, so something is still hidden somewhere.
TOC

#11 drkl0rd2000

Posted 10 June 2004 - 07:42 PM

Axe these 2; disable AdWatch if needed to delete them. Afterwards you should be able to set your homepage and be back up and running.

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing

#12 Curmudgeon

Posted 10 June 2004 - 07:44 PM

Sorry, I just saw the one about resetting the home page.
I know how to do it, and I can set to current once I select it, but as soon as I try to apply, AdAware says "Registry Change".
I think (therefore I am?) (I think) that some hidden part is triggering this, but youse guys are the ex-purts, so......
Sure different than Drum Memory and all them Nixie Tubes and visible registers......
TOC

#13 Curmudgeon

Posted 10 June 2004 - 07:49 PM

Okay, did it. Got rid of the Hook, but the R0 WON'T go away, even with AdWatch killed. And, as soon as I turned AdWatch back on, it said "Registry Modification Detected".
At least the pop-ups seem to be gone, and the every 15 seconds warning from AdAware....
So, how do we fix the R0 from the back?
TOC

#14 drkl0rd2000

Posted 10 June 2004 - 07:51 PM

Changing the home page may give that error in AdWatch because one of the things it monitors for is webpage hijacking (changing the starting page). That said, disable AdWatch before you change the starting homepage, and you should be golden.

You might also click on the search button, then click customize in the search window and set your search page to whatever you prefer, then reboot the machine to make sure that message from AdWatch does not come up again.

#15 Curmudgeon

Posted 10 June 2004 - 07:52 PM

Nope.
I still cannot reset my home page, "Registry Modification Detected".
Is this just a function of AdWatch?
I am getting a little paranoid about running anything on the 'net with it off........
TOC

#16 Curmudgeon

Posted 10 June 2004 - 07:55 PM

Disabled AdWatch, set it, applied, ok, turned AdWatch back on, told me it had detected a registry modification at the exact time I turned it back on.....
I will try doing a re-boot.
TOC

#17 Curmudgeon

Posted 10 June 2004 - 07:58 PM

I just re-ran HiJack This, and as you can see, more stuff has magically added itself to the files.
Those 2 R1's were not there 10 minutes ago, and the R0 is still......
Arrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrgggggggggggggggggghhhhhhhhhhhhhhh.
I know, deep breath............
TOC

Logfile of HijackThis v1.97.7
Scan saved at 5:57:23 PM, on 6/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Executive Software\DiskeeperServer\DKService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\BrowseBlast Web Accelerator\browseblast.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Privacy Guardian\pg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\TEMP\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;*windowsupdate.microsoft.com;*windowsupdate.com;download.microsoft.com;codecs.microsoft.com;activex.microsoft.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\BrowseBlast Web Accelerator\PBHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
O4 - Global Startup: Adaware Bootup.lnk = ?
O4 - Global Startup: BrowseBlast Web Accelerator.lnk = C:\Program Files\BrowseBlast Web Accelerator\browseblast.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Show All Original Images - res://C:\Program Files\BrowseBlast Web Accelerator\browseblast.exe/250
O8 - Extra context menu item: Show Original Image - res://C:\Program Files\BrowseBlast Web Accelerator\browseblast.exe/227
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O10 - Unknown file in Winsock LSP: c:\progra~1\browse~2\sliplsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\browse~2\sliplsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\browse~2\sliplsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\browse~2\sliplsp.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.googl...g/GoogleNav.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7582.3450231481
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#18 drkl0rd2000 (Member, Full Member, 20 posts)

Posted 10 June 2004 - 08:19 PM

I'd turn off AdWatch, reset the homepage to www.yahoo.com, then reset the search sidebar page as described above. Reboot the PC and see if you get that error anymore.

But reboot the PC; do not restart Ad-aware or AdWatch until you reboot, and see if it clears that message up.

Edited by drkl0rd2000, 10 June 2004 - 08:21 PM.


#19 Curmudgeon (Member, Full Member, 22 posts)

Posted 10 June 2004 - 08:40 PM

Turned off AdWatch, reset both places to yaywho, rebooted, back to "about:blank".
Rechecked HiJackThis, same as last post.
TOC

#20 drkl0rd2000 (Member, Full Member, 20 posts)

Posted 10 June 2004 - 08:45 PM

removed

Edited by drkl0rd2000, 10 June 2004 - 10:11 PM.


#21 Budfred (Malware Hound, Administrators, 21,252 posts)

Posted 10 June 2004 - 09:35 PM

Do NOT follow the 3rd QUOTE part of that fix.. you can't anyway because you don't have those items, but don't get confused trying to...

Also, please do not try to fix the O10s that both people have suggested you fix, you could lose your web access if you do... They are part of "SlipStream Internet Accelerator Server" which is valid and they need to be removed another way if you are not using that program...

This is probably legit, but I would fix it just to clean things up so we can sort this out... You can install it again later if you want it...

O2 - BHO: (no name) - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\BrowseBlast Web Accelerator\PBHelper.dll
O4 - Global Startup: BrowseBlast Web Accelerator.lnk = C:\Program Files\BrowseBlast Web Accelerator\browseblast.exe
O8 - Extra context menu item: Show All Original Images - res://C:\Program Files\BrowseBlast Web Accelerator\browseblast.exe/250
O8 - Extra context menu item: Show Original Image - res://C:\Program Files\BrowseBlast Web Accelerator\browseblast.exe/227

If you agree to get rid of this, you will also need to use Add/Remove Programs to remove it:

C:\Program Files\BrowseBlast Web Accelerator\browseblast.exe

You have been running HJT from a Temporary folder and it is possible that your backups have been lost. I suggest that you move HJT to a folder that you create like C:\HJT and move any files that are labeled as backups that are in the temp folder so that you have them if you need them. Once you are clean and things are running smoothly for a while, you can delete them...

Go ahead and fix these, I am not entirely sure they are bad, but I want to see if CWS is still hiding back there...

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;*windowsupdate.microsoft.com;*windowsupdate.com;download.microsoft.com;codecs.microsoft.com;activex.microsoft.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

Let's see where you are at after you do the stuff mentioned so far... Post a fresh log after a reboot and give as much detail as possible about any problems you are still having....
Budfred

Helpful link: SpywareBlaster...

MS MVP 2006 and ASAP Member since 2004

Please read the Instructions for posting requested logs and the article "So how did I get infected in the first place?"

#22 Curmudgeon (Member, Full Member, 22 posts)

Posted 11 June 2004 - 11:20 AM

Looking at this all night, I think you've got it.
All functions seem to be normal, and I do believe after some testing that the "about:blank" is a function of AdWatch.
I have been through the tutorials AGAIN and see it is supposed to do something it won't....ask me to allow a process and add it to the allowed process list.
Never asks, and I can't, so even auto-complete has a problem.
Danged Technology, anyway.
Thanks.
Worked.
TOC

#23 Budfred (Malware Hound, Administrators, 21,252 posts)

Posted 11 June 2004 - 10:21 PM

about:blank is not a function of AdAware or AdWatch, it is usually an indicator of a CWS infection and it has a tendency to hide and reappear later... Did you run the fixes suggested?? If so, please post another log after reboot so we can see how you are doing.....
Budfred


#24 Curmudgeon (Member, Full Member, 22 posts)

Posted 12 June 2004 - 02:12 PM

This is odd.
I have determined that AdWatch is creating my inability to delete these problems.......I turn off AdWatch, clean the problems, re-boot, and when I turn AdWatch back on, it re-imposes all the infected files right back where they were.
I have been on the lavasoft forums, trying to figure out why the stuff I am supposed to have isn't there, and how to get it to quit fighting me.
One thing is the allowed process list. Supposed to have a window pop up asking if I want to allow the process...never happens. It even blocks the "do you want to remember this password" window.
Anybody ever see this?
TOC

#25 Curmudgeon (Member, Full Member, 22 posts)

Posted 12 June 2004 - 02:16 PM

Budfred- I have done all the fixes, many, many times. The R1 and R0 keep getting re-installed by AdWatch, every time I turn it back on.
I have asked on the lavasoft forums, no answer yet. I even e-mailed support twice Thursday and no reply.
Here's the latest, after many cleanings:

Logfile of HijackThis v1.97.7
Scan saved at 12:16:30 PM, on 6/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Executive Software\DiskeeperServer\DKService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\BrowseBlast Web Accelerator\browseblast.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\TEMP\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;*windowsupdate.microsoft.com;*windowsupdate.com;download.microsoft.com;codecs.microsoft.com;activex.microsoft.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\BrowseBlast Web Accelerator\PBHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
O4 - Global Startup: Adaware Bootup.lnk = ?
O4 - Global Startup: BrowseBlast Web Accelerator.lnk = C:\Program Files\BrowseBlast Web Accelerator\browseblast.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Show All Original Images - res://C:\Program Files\BrowseBlast Web Accelerator\browseblast.exe/250
O8 - Extra context menu item: Show Original Image - res://C:\Program Files\BrowseBlast Web Accelerator\browseblast.exe/227
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O10 - Unknown file in Winsock LSP: c:\progra~1\browse~2\sliplsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\browse~2\sliplsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\browse~2\sliplsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\browse~2\sliplsp.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.googl...g/GoogleNav.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7582.3450231481
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#26 Curmudgeon (Member, Full Member, 22 posts)

Posted 12 June 2004 - 02:21 PM

This is with AdWatch off, and cleaned logfile:

Logfile of HijackThis v1.97.7
Scan saved at 12:21:30 PM, on 6/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Executive Software\DiskeeperServer\DKService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\BrowseBlast Web Accelerator\browseblast.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\TEMP\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;*windowsupdate.microsoft.com;*windowsupdate.com;download.microsoft.com;codecs.microsoft.com;activex.microsoft.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\BrowseBlast Web Accelerator\PBHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
O4 - Global Startup: Adaware Bootup.lnk = ?
O4 - Global Startup: BrowseBlast Web Accelerator.lnk = C:\Program Files\BrowseBlast Web Accelerator\browseblast.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Show All Original Images - res://C:\Program Files\BrowseBlast Web Accelerator\browseblast.exe/250
O8 - Extra context menu item: Show Original Image - res://C:\Program Files\BrowseBlast Web Accelerator\browseblast.exe/227
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O10 - Unknown file in Winsock LSP: c:\progra~1\browse~2\sliplsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\browse~2\sliplsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\browse~2\sliplsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\browse~2\sliplsp.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.googl...g/GoogleNav.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7582.3450231481
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#27 Curmudgeon (Member, Full Member, 22 posts)

Posted 12 June 2004 - 02:26 PM

As soon as I turn AdWatch on, this is what happens (got a popup window "Registry Modification Detected").
If I remove the Windows Automatic Update, it throws that back, too, so I just gave up trying.
The other one will come back in a short while....at least it did all night.
I have no idea what the R1 Proxy Server is...
Perplexing.
TOC


Logfile of HijackThis v1.97.7
Scan saved at 12:23:12 PM, on 6/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Executive Software\DiskeeperServer\DKService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\BrowseBlast Web Accelerator\browseblast.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\TEMP\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\TEMP\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;*windowsupdate.microsoft.com;*windowsupdate.com;download.microsoft.com;codecs.microsoft.com;activex.microsoft.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\BrowseBlast Web Accelerator\PBHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
O4 - Global Startup: Adaware Bootup.lnk = ?
O4 - Global Startup: BrowseBlast Web Accelerator.lnk = C:\Program Files\BrowseBlast Web Accelerator\browseblast.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Show All Original Images - res://C:\Program Files\BrowseBlast Web Accelerator\browseblast.exe/250
O8 - Extra context menu item: Show Original Image - res://C:\Program Files\BrowseBlast Web Accelerator\browseblast.exe/227
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O10 - Unknown file in Winsock LSP: c:\progra~1\browse~2\sliplsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\browse~2\sliplsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\browse~2\sliplsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\browse~2\sliplsp.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.googl...g/GoogleNav.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7582.3450231481
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#28 Budfred (Malware Hound, Administrators, 21,252 posts)

Posted 12 June 2004 - 03:55 PM

Okay, I see what is going on... You need to clean out the memory in AdWatch and this may mean that you have to uninstall it. I don't use it, so I can't give you a lot of detail. It is designed to keep malware from changing your settings, so when you change them voluntarily, it resets them... After you purge AdWatch, turn it off, do the fixes and turn it back on to take a shot of the now cleaned system. That should make it restore to the clean system if there are any problems later...
Budfred

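Added example (not code from this thread or from Lavasoft, and not how Ad-Watch is implemented) covering the two posts above: the pair of logs taken with AdWatch off and then on, and Budfred's explanation of why a settings guard puts the "infected" values back. The first part diffs two HJT logs and reports the entries that reappeared after the guard was switched on. The second part is a hypothetical model of any guard that snapshots registry values and reverts later changes, run through both orders of operations: baseline taken while infected, then clean (the cleaning is undone), versus purge, clean, then baseline again (the clean state is what gets enforced). The two log excerpts are constructed from the R0/R1 lines the poster showed; lines identical in both logs are omitted.

```python
"""Why a settings guard can re-impose an infection, and how to see it in logs.

Added example; not code from this thread or from Lavasoft, and not how
Ad-Watch is implemented. SettingsGuard is a hypothetical model. The two log
excerpts are constructed from the R0/R1 lines shown in the thread.
"""
import re
from typing import Dict, Set

ENTRY_RE = re.compile(r"^[RO]\d+ - ")

LOG_GUARD_OFF = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;*windowsupdate.microsoft.com;*windowsupdate.com
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
"""

LOG_GUARD_ON = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;*windowsupdate.microsoft.com;*windowsupdate.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
"""


def entry_lines(text: str) -> Set[str]:
    """Keep only R/O entries; the header and process list change every scan."""
    return {ln.strip() for ln in text.splitlines() if ENTRY_RE.match(ln.strip())}


def compare(before: str, after: str) -> Dict[str, Set[str]]:
    """Entries that came back (the guard reverted a fix) and entries that vanished."""
    b, a = entry_lines(before), entry_lines(after)
    return {"reappeared": a - b, "removed": b - a}


PROXY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer"
LOCAL = r"HKLM\Software\Microsoft\Internet Explorer\Main,Local Page"


class SettingsGuard:
    """Hypothetical guard: remembers a baseline of watched values and puts
    them back whenever it sees a difference ("Registry Modification Detected")."""

    def __init__(self, baseline: Dict[str, str]) -> None:
        self.baseline = dict(baseline)

    def enforce(self, registry: Dict[str, str]) -> Dict[str, str]:
        """Return the registry as it looks after the guard has run once."""
        result = dict(registry)
        for key, value in self.baseline.items():
            if result.get(key) != value:
                result[key] = value          # revert the "modification"
        return result


def scenario(rebaseline_after_cleaning: bool) -> Dict[str, str]:
    """Clean an infected box with the guard active, with or without purging
    the guard's memory first. Returns the registry after the guard runs."""
    infected = {PROXY: "http=127.0.0.1:5400", LOCAL: ""}
    guard = SettingsGuard(infected)     # snapshot was taken while infected
    cleaned: Dict[str, str] = {}        # the HJT fix deleted both values
    if rebaseline_after_cleaning:
        guard = SettingsGuard(cleaned)  # purge, clean, then snapshot again
    return guard.enforce(cleaned)


if __name__ == "__main__":
    print("reappeared after guard on:", compare(LOG_GUARD_OFF, LOG_GUARD_ON)["reappeared"])
    print("guard baselined while infected:", scenario(False))
    print("guard re-baselined after cleaning:", scenario(True))
```

Whatever shows up under "reappeared" after toggling the guard is what its baseline still contains, and that baseline, not the registry, is what has to be purged before a cleaning sticks; the same caveat applies to any restore-on-change tool, not just Ad-Watch.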

#29 Curmudgeon (Member, Full Member, 22 posts)

Posted 12 June 2004 - 04:18 PM

Okay. There is the root of the problem.
AdWatch. The lavasoft site has been unavailable so far today, so I don't have a clue....
I can't turn anything off or purge any memory or add anything to a logfile.
Nothing. This has to be the most worthless software you have to buy I have seen yet.
Okay, I'll un-install it, clean again, purge and re-install.
Then I'll be back!
Thanks!
TOC

#30 Budfred (Malware Hound, Administrators, 21,252 posts)

Posted 12 June 2004 - 04:27 PM

Actually it is great at doing what it is supposed to do, that is the problem here... If it were malware trying to change your settings, you would think it was the greatest thing around.... :D :D
Budfred


#31 Curmudgeon (Member, Full Member, 22 posts)

Posted 12 June 2004 - 05:28 PM

Budfred- I would agree with you except for one thing.
After the last HiJack, I bought the add-on of AdWatch to AdAware, and it runs continuously every time I fire up.
It let this infection in in the first place. Went right past it.
Then it won't let me fix it.
They tell you it does things that just aren't there, you go to the "?" and it says there is no information.
I am in the middle of clearing it out now.
TOC

#32 Budfred (Malware Hound, Administrators, 21,252 posts)

Posted 12 June 2004 - 08:09 PM

You may need to check the LavaSoft forums for people that know more about it... I suspect what may have happened is that the infection was already there and AdWatch got caught in the middle... Some of the scumbuckets who write this malware specifically target some of the products, like AdAware, that fight them, but AdWatch isn't used widely enough to be a likely target, so there are other things going on with this...

I like to install a full suite of security stuff on a clean install so that I know that I am protected from the beginning and any problems that occur are clearly due to the malware.... Don't always have the luxury of doing that though.... :D
Budfred




