Stubborn CWS - help please!


  • This topic is locked
46 replies to this topic

#1 Beeza

    Member

  • Full Member
  • 21 posts

Posted 11 June 2004 - 11:22 PM

Greetings,

I have been infected with a particularly stubborn CWS hijacker. I have run Spybot S&D, Ad-aware, SpySweeper and HijackThis, but it keeps reinstalling.

Here is my HijackThis log...

Logfile of HijackThis v1.97.7
Scan saved at 3:54:08 p.m., on 12/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\WINDOWS\explorer.exe
C:\_EVOLVE\Downloads\Spyware Removal Tools\Hijack This\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\hdcf.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\hdcf.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\hdcf.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\hdcf.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\hdcf.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\hdcf.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [IridiumTimeWizard] C:\Program Files\Iridium\iridium.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.reddirect.co.nz
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan....r/axscanner.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {4BEE3896-4820-48D1-85EA-5A9A9ECD3D95} (OPUCatalog Class) - http://office.micros...t/opuc/opuc.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.micros...ontent/opuc.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - http://www.installen...gine/isetup.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://192.168.152.2...sCamControl.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7587.0816666667
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildt...bad/install.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

Can someone please tell me how to delete the malicious files? It looks to me like hdcf.dll is the culprit. Is this correct?

Cheers, Beeza

#2 Beeza

    Member

  • Full Member
  • 21 posts

Posted 11 June 2004 - 11:33 PM

I forgot to say that CWShredder doesn't get rid of it either. Urggh.

Beeza

#3 Beeza

    Member

  • Full Member
  • 21 posts

Posted 14 June 2004 - 08:55 PM

BUMP

#4 jonata

    Member

  • Full Member
  • 9 posts

Posted 14 June 2004 - 09:07 PM

Beeza, I also may have the same strain. Take a look at my strain... a user Wiskonst has been assisting nicely.

-Jon

#5 QuantumSlip

    Member

  • New Member
  • 2 posts

Posted 14 June 2004 - 09:21 PM

Just wondering, I had a similar problem and I finally made it go away, or at least I thought I did for now... Open Control Panel, Administrative Tools, Services, and see if you have something called Network Security Service.

#6 Beeza

    Member

  • Full Member
  • 21 posts

Posted 14 June 2004 - 09:50 PM

Hi QuantumSlip

I had a look and I don't have anything called Network Security Service there. You got me worried now, should I? Or is it good that I don't?!!

Cheers, Beeza :-)

#7 Beeza

    Member

  • Full Member
  • 21 posts

Posted 14 June 2004 - 10:02 PM

Hi Jon,

Yep, I remember reading your post before my very first post and recognising that I seem to have the exact same strain as you.

I hate the grief it's causing me, but in a strange way I have to admire the cleverness of it too. If only the dunderhead creators would turn their efforts to useful activities!

I am tempted to try and fix it myself based on what Wiskonst has been advising you, but I'm a bit worried about stuffing it up. Thought I'd better wait until I got expert advice. However, these guys seem to be snowed under with people like us, so I might give it a go soon.

Cheers, Beeza :-)

#8 QuantumSlip

    Member

  • New Member
  • 2 posts

Posted 15 June 2004 - 12:12 AM

Hi QuantumSlip

I had a look and I don't have anything called Network Security Service there. You got me worried now, should I? Or is it good that I don't?!!

Cheers, Beeza :-)

Yeah, after digging around I found out that wasn't the cause of the problems... for now it's gone for me, but I'm not surprised if it comes back :( The only thing that I can think of, other than removing all those files/reg entries/etc., was to repair the Winsock; try a utility called WinsockXPFix.exe; it should be easy to find on Google. Run this after removing all the malware that you can find. If that doesn't work.... hope someone else can figure this out.

Edited by QuantumSlip, 15 June 2004 - 12:13 AM.

#9 Beeza

    Member

  • Full Member
  • 21 posts

Posted 16 June 2004 - 06:19 AM

BUMP

#10 Beeza

    Member

  • Full Member
  • 21 posts

Posted 18 June 2004 - 01:13 AM

BUMP.

Below are 3 updated HijackThis logs: one before cleaning all eight dodgy items (the R1-HKCU, R1-HKLM, R0-HKLM and O2-BHO entries), one straight after cleaning those items, and the last one after shutting down, when CWS had come back.

My computer is running like a dog and I really want to get this fixed. Can anyone help?

Cheers, Beeza

LOG #1, BEFORE CLEANING...

Logfile of HijackThis v1.97.7
Scan saved at 12:16:53 a.m., on 18/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\WINDOWS\System32\svchost.exe
C:\_EVOLVE\Downloads\Spyware Removal Tools\Hijack This\HijackThis.exe
C:\WINDOWS\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\BRANDO~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\BRANDO~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\BRANDO~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\BRANDO~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\BRANDO~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\BRANDO~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {94E5AC60-2025-462D-B07B-3417C60C0EEC} - C:\WINDOWS\System32\edm.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [IridiumTimeWizard] C:\Program Files\Iridium\iridium.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.reddirect.co.nz
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan....r/axscanner.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {4BEE3896-4820-48D1-85EA-5A9A9ECD3D95} (OPUCatalog Class) - http://office.micros...t/opuc/opuc.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.micros...ontent/opuc.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - http://www.installen...gine/isetup.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://192.168.152.2...sCamControl.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7587.0816666667
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildt...bad/install.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab



LOG #2, AFTER CLEANING...

Logfile of HijackThis v1.97.7
Scan saved at 12:18:21 a.m., on 18/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\WINDOWS\System32\svchost.exe
C:\_EVOLVE\Downloads\Spyware Removal Tools\Hijack This\HijackThis.exe
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [IridiumTimeWizard] C:\Program Files\Iridium\iridium.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.reddirect.co.nz
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan....r/axscanner.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {4BEE3896-4820-48D1-85EA-5A9A9ECD3D95} (OPUCatalog Class) - http://office.micros...t/opuc/opuc.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.micros...ontent/opuc.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - http://www.installen...gine/isetup.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://192.168.152.2...sCamControl.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7587.0816666667
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildt...bad/install.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab



LOG #3, AFTER SHUTTING DOWN OVERNIGHT AND USING PC ALL DAY, BACK IT CAME...

Logfile of HijackThis v1.97.7
Scan saved at 5:57:49 p.m., on 18/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Program Files\Messenger\msmsgs.exe
C:\_EVOLVE\Downloads\Spyware Removal Tools\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\BRANDO~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\BRANDO~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\BRANDO~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\BRANDO~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\BRANDO~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\BRANDO~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {12226606-AF09-4DA0-A561-D4386C49EB61} - C:\WINDOWS\System32\momo.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [IridiumTimeWizard] C:\Program Files\Iridium\iridium.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.reddirect.co.nz
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan....r/axscanner.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {4BEE3896-4820-48D1-85EA-5A9A9ECD3D95} (OPUCatalog Class) - http://office.micros...t/opuc/opuc.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.micros...ontent/opuc.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - http://www.installen...gine/isetup.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://192.168.152.2...sCamControl.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7587.0816666667
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildt...bad/install.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
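The before/after/return comparison Beeza describes above can be automated. As an added example (not code from the thread or from any of the tools it names), the Python script below parses HijackThis 1.97-style logs, flags the two CWS tells visible in the logs above (R0/R1 search settings redirected to a local res:// or file:// page, and an unnamed O2 BHO loading an unknown DLL out of System32, as hdcf.dll, edm.dll and momo.dll were), and diffs a post-clean scan against a post-reboot scan to list exactly the entries that were re-created. The two log excerpts are constructed to mirror logs #2 and #3 (user folder replaced by USER~1), and the known-good BHO list is an assumption taken from the DLLs the thread treats as legitimate.

```python
"""Parse HijackThis logs, flag CWS-style entries, and diff two scans.

Added example; the log excerpts below are constructed, not the thread's real logs.
"""
import re
from dataclasses import dataclass

# A HijackThis item line looks like "R1 - HKCU\...\Main,Search Bar = file://...".
ITEM_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")


@dataclass(frozen=True)
class Item:
    section: str  # e.g. "R1", "O2", "O4"
    body: str     # the rest of the line after "R1 - "


def parse_log(text):
    """Return the R*/O* item lines of a HijackThis log as Item objects, in order."""
    items = []
    for line in text.splitlines():
        m = ITEM_RE.match(line.strip())
        if m:
            items.append(Item(m.group("section"), m.group("body")))
    return items


# Assumption: BHO DLLs the thread treats as legitimate (Spybot SDHelper, Google toolbar).
KNOWN_GOOD_BHO = {"sdhelper.dll", "googletoolbar1.dll", "googletoolbar2.dll"}


def flag_cws(items):
    """Return (item, reason) pairs for the two CWS tells seen in the thread's logs:
    R0/R1 search settings pointing at a local res:// or file:// page, and an
    unnamed O2 BHO loading a DLL out of System32 that is not on the known-good list."""
    flagged = []
    for it in items:
        low = it.body.lower()
        if it.section in ("R0", "R1") and ("= res://" in low or "= file://" in low):
            flagged.append((it, "IE search setting redirected to a local page"))
        elif it.section == "O2" and "(no name)" in low:
            m = re.search(r" - ([a-z]:\\.+\.dll)$", low)
            if m and "\\system32\\" in m.group(1):
                dll = m.group(1).rsplit("\\", 1)[-1]
                if dll not in KNOWN_GOOD_BHO:
                    flagged.append((it, "unnamed BHO loading %s from System32" % dll))
    return flagged


def reinstalled(after_clean, after_reboot):
    """Items present after the reboot that were absent right after cleaning:
    the entries the hijacker re-created (what Beeza's log #3 shows)."""
    before = set(after_clean)
    return [it for it in after_reboot if it not in before]


# Constructed excerpt modelled on log #2 (straight after "Fix checked").
LOG_AFTER_CLEAN = """\
Logfile of HijackThis v1.97.7
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\\program files\\google\\googletoolbar1.dll
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
"""

# Constructed excerpt modelled on log #3 (after a reboot, hijack back with a new DLL name).
LOG_AFTER_REBOOT = """\
Logfile of HijackThis v1.97.7
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Bar = file://C:\\DOCUME~1\\USER~1\\LOCALS~1\\Temp\\sp.html
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Search,SearchAssistant = file://C:\\DOCUME~1\\USER~1\\LOCALS~1\\Temp\\sp.html
O2 - BHO: (no name) - {12226606-AF09-4DA0-A561-D4386C49EB61} - C:\\WINDOWS\\System32\\momo.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\\program files\\google\\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\\program files\\google\\googletoolbar2.dll
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
"""


def report(after_clean_text, after_reboot_text):
    """Diff the two scans and return the flagged, re-created entries as strings."""
    came_back = reinstalled(parse_log(after_clean_text), parse_log(after_reboot_text))
    return ["%s - %s  [%s]" % (it.section, it.body, why) for it, why in flag_cws(came_back)]


if __name__ == "__main__":
    # Prints the three CWS entries that reappeared; the Google toolbar upgrade
    # (toolbar1 -> toolbar2) is new but not flagged, since it is on the known-good list.
    for line in report(LOG_AFTER_CLEAN, LOG_AFTER_REBOOT):
        print(line)
```

Feeding it the full text of a post-clean and a post-reboot log shows at a glance which entries came back and under which (renamed) DLL, which is the evidence a helper on a board like this asks for first.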

#11 BCGovtMartyr

    Bug Hunter

  • Full Member
  • 29 posts

Posted 18 June 2004 - 03:45 AM

Well Beeza... I'm not sure if this is good news or bad news, but I have the same EXACT hijacker you do. I haven't been able to eliminate mine totally, but I have kept it at bay until there is a solid way to eliminate it completely.
I'll share what I've done so far and hopefully it will help.
Safe mode boot:
Find jscript.dll and jsproxy.dll in the C:\Windows\system32 folder and add "rename-" to the front (i.e. rename-jscript.dll). Do the same for the folder Java in C:\Windows. This will not hurt your system in the least, and when it's figured out how to fix this you can just remove the "rename-" part.
I also uninstalled Sun's Java so that my system is not running Java at all.
I had read that CoolWWWSearch uses security holes in Microsoft's Java Virtual Machine to get onto your computer. As a test I reinstalled Sun Java and sure enough my homepage was being hit left and right.
OK... on to Spybot, which I see you have... make sure it's updated and make sure TeaTimer.exe is running (great little tool, and it looks like it's already running). To find that, click "Mode" and choose "Advanced" -> "Tools" -> "Resident".
IE Tweaks: "Lock Hosts file read-only as protection against hijackers"
Under Spybot-S&D click "Immunize"; you already have the browser helper running.

Uninstall Sun Java... do the reboot that it calls for and come back into safe mode.

Run CWShredder, newest version 1.59.0; even if it says none found, scroll back up and double check. (I find that it removed CWS.Searchx even though it says none found.)
Run Spybot-S&D and fix the problems that it finds.
Run Ad-Aware 6 with the latest update (seems like there's a new update every couple of days) and repair any problems it finds.
Launch HijackThis again:
Your browser pages should be fixed and edm.dll should be gone; if not, check them off. Check the install engine program and see if it's a program that should be running. (I'm not sure, but you may; if not, check that one.)
WildTangent: if it is still there, check that one. WildTangent gets installed with BearShare and/or Kazaa and is adware. Pretty much harmless but a pest nonetheless, so you can check that one.
You should be good to go (so to speak) and holding CWS at bay. TeaTimer will ask you about adding entries; if in doubt, click disallow. I watch to see if it's adding or deleting an entry and allow all deletes, and allow only the allows that are setting my homepage to the normal Google page. If you hit a page and you get a popup asking to download Microsoft Virtual Java Machine, click cancel (that's what I do anyway).
The only BHO you want running in your case is the SDHelper.

A strange thing I've noticed with this hijacker is that when it comes back it knocks out my virus scanner, TeaTimer and Ad-Watch 3.0. They're still running in the background but no longer show up in the icon tray. And I've caught a DOS window pop up and flash for only a second just before it happens, but it's a quick fix from there. I launch HJT, check off the stuff that doesn't belong and click fix. But I can sometimes go a day or so before I get hit, without suffering in performance. I've heard this hijack has bogged some people's computers down to a crawl. The experts on this board, as well as myself, are trying to track down an effective way to delete the problem (pssst... they will probably come up with it first), but in the meantime this band-aid is working for me.

Hope this helps!
Bug Fighting Tools
Ad-Aware ~ HijackThis ~ CWShredder ~ Spybot

Other pesticides
Registrar Lite ~ Winfile

Help this site keep helping you
Please donate here

#12 BCGovtMartyr

    Bug Hunter

  • Full Member
  • 29 posts

Posted 18 June 2004 - 03:52 AM

Oh, and my page redirection lands me here: http://s1di.ewizard....x.php?aid=20038
Probably the same as yours. But I can get that page a few times if I really try and never have anything show up in HJT. ::shrug::

#13 PGPhantom

    Superman of SWI

  • Emeritus
  • 3,494 posts

Posted 18 June 2004 - 09:23 AM

:) Just so that you know you are not being ignored: I will handle this case for you, but I need to ask for your patience while I review the log.

Please keep an eye on this message for a resolution shortly.

#14 PGPhantom

    Superman of SWI

  • Emeritus
  • 3,494 posts

Posted 18 June 2004 - 09:33 AM

  • How to Remove CoolWebSearch with CoolWeb Shredder <= Please click on this link for instructions on how to download and use CoolWebSearch Shredder which will help remove a CWS infection on your computer. Make sure you close all programs and windows before running it and be sure to click on the "Fix" button.
  • Run HijackThis, click on "Scan" and then place a check mark in the following boxes, and click on "Fix Checked":
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\BRANDO~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\BRANDO~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\BRANDO~1\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\BRANDO~1\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\BRANDO~1\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\BRANDO~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {12226606-AF09-4DA0-A561-D4386C49EB61} - C:\WINDOWS\System32\momo.dll
  • Please reboot into safe mode - How do I boot into "Safe" mode?
  • The following FILES, DIRECTORIES and DIRECTORY CONTENTS (But not the directory) need to be deleted while in safe mode. Make sure your settings allow you to view "Hidden files". Open up any explorer window and click on "Tools" => "Folder Options" => "View" and be sure to check off "Show Hidden Files and Folders". If the files etc. listed are not present, do not worry, just delete those that you can find. If no path is listed, you may need to search for the file(s): to search, click on "Start" => "Search" => "For Files and Folders" => "All Files and Folders" and type in the file name. You can delete it right from the search results window.
    • DIRECTORY CONTENTS (But not the directory)
      • C:\Windows\Temp\
      • C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <=This will delete all your cached internet content including cookies. This is recommended and strongly suggested.
      • C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
      • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
      • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
      • Empty your "Recycle Bin"
    • DIRECTORIES
      • Nothing Yet
    • FILES
      • C:\WINDOWS\System32\momo.dll
  • Reboot again and log in normally, repost a new HijackThis log into this message for further review.


#15 Beeza

    Member

  • Full Member
  • 21 posts

Posted 18 June 2004 - 12:40 PM

Hi PGPhantom,

Many thanks for your help. It's 5:30 am here and I've been up all night, but I'm VERY happy to be knocking this damn CWS thing on the head :bounce:

I'm gonna stay up a bit longer to hopefully catch your reply. I've done all the things you suggested. One observation: I had a lot of sub-folders in the temp directory. I went through them and cleaned up anything I knew was okay to do so, but left a lot behind. Is that okay, or should I have just deleted everything?

Here's my updated HJT log...

Logfile of HijackThis v1.97.7
Scan saved at 5:28:48 a.m., on 19/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\_EVOLVE\Downloads\Spyware Removal Tools\Hijack This\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [IridiumTimeWizard] C:\Program Files\Iridium\iridium.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.reddirect.co.nz
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan....r/axscanner.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {4BEE3896-4820-48D1-85EA-5A9A9ECD3D95} (OPUCatalog Class) - http://office.micros...t/opuc/opuc.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.micros...ontent/opuc.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - http://www.installen...gine/isetup.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://192.168.152.2...sCamControl.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7587.0816666667
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildt...bad/install.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

Cheers, Beeza :-)

#16 BCGovtMartyr

    Bug Hunter

  • Full Member
  • 29 posts

Posted 18 June 2004 - 12:41 PM

Over 24 hours and still symptom free! I would venture to guess that it is correct that this version needs Java to multiply. I have taken a complete snapshot of my system with Iolo's System Mechanic while it's clean and will take another snapshot if the symptoms return and make a comparison. If and when the symptoms return, Beeza, which personal experience with this denotes it will, give my bandaid solution a try.
This strain of CWS pretty much has a mind of its own and should be named CWS.Temp\sp.html Hijacker or CWS.Ewizard Hijack. I'll start my own topic and post my HJT log so people can see the bandaid is working. If you try my bandaid and it works as well for you as it has for me, make sure you post your log and tell people. There are a lot of people suffering from this, and if a cure isn't right around the corner, making the symptoms disappear is a good thing.

Best of Luck

#17 PGPhantom

    Superman of SWI

  • Emeritus
  • 3,494 posts

Posted 18 June 2004 - 01:29 PM

Your log looks clean :)

Here are some tips. To reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
To protect yourself further:
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free Google Toolbar to help stop pop-up windows.
I also suggest that you delete any files from "temp", "tmp" folders. In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files" and select the box that says "Delete All Offline Content" and click on "OK" twice. Also, empty the recycle bin by right clicking on it and selecting "Empty Recycle Bin". These steps should be done on a regular basis.

#18 Beeza

    Member

  • Full Member
  • 21 posts

Posted 18 June 2004 - 02:18 PM

Thank you PGPhantom,

I'm a very happy chappy ;D

I had already done most of the other things you recommended, and am now doing the rest. I have got rid of CWS before and it comes back, so don't be surprised if you hear from me again!


BCGovtMartyr,

Thanks for your comments. Yep, we have the same strain alright. I think I know where I got mine too. I got given a CD with photos but I couldn't read it. Needed a Sonic UDF reader or something. The link was dead, so I Googled them and found a Japanese Sonic website with Sonic UDF reader download. I don't know whether it was the website or on the back of the download, but I'm pretty sure that's where I got hit.

Cheers, Beeza :-)

#19 BCGovtMartyr

    Bug Hunter

  • Full Member
  • 29 posts

Posted 18 June 2004 - 02:35 PM

I know where mine came from, Beeza. I was doing a search for something on the net, clicked a link and poof, I got shot to a porn site. Having children in the house and moving about, I quickly closed the window(s) that popped up, but it was too late. Damage was done. Of the 4 PCs I have running here this is the only one infected (of course it has to be the server and the fastest one here ::sigh::). Hopefully there will be a cure here soon. These guys are awesome in their tireless venture of finding a cure. Kudos guys!

#20 PGPhantom

    Superman of SWI

  • Emeritus
  • 3,494 posts

Posted 18 June 2004 - 02:47 PM

Glad to have been of help :)

It has been our pleasure to help you :)

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.

If you would like to make a contribution to help support SpywareInfo, please check this link for more information.

#21 cnm

    Mother Lion of SWI

  • Administrators
  • 25,317 posts

Posted 22 June 2004 - 06:37 PM

Reopened at request of Beeza.

Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare (1564-1616)
The various helper groups here
UNITE


#22 PGPhantom

    Superman of SWI

  • Emeritus
  • 3,494 posts

Posted 22 June 2004 - 09:57 PM

Beeza - What problems are you still having?

#23 bryanmtaylor

    Member

  • New Member
  • 4 posts

Posted 22 June 2004 - 10:23 PM

I've got this EXACT same CWS problem too! Beeza, do you get a bunch of popups advertising spyware removal software of all things?

Thanks for the assistance PGPhantom... I'm going to try it out and see if it cures my ills. My HijackThis log is posted in a new topic.

#24 Beeza

    Member

  • Full Member
  • 21 posts

Posted 24 June 2004 - 03:49 PM

Hi PGPhantom,

Well, the fix lasted all of 2 hours and I've been having all sorts of problems since then. For a while IE wasn't even working and I couldn't access internet.

What I've found is that I can delete all malicious files and have a completely clean HJT log, then open IE and SpywareGuard kicks into action as CWS tries to install new BHOs. I restore all the old BHOs but as BCGovtMartyr has noted, there's still an sp.html file in temp, and sometimes a dll file with a randomly generated name, e.g. jfpifab.dll in windows/system32.

Sometimes after restoring the old BHOs with SpywareGuard, I can't access internet. I basically have to reboot when this happens. It's almost as though this variant of CWS knows that you've removed it, so disables IE to spite you. Either that or I'm doing something wrong when SpywareGuard kicks into action.

URGH!... It happened halfway through writing this post. I opened a new window... couldn't find server, couldn't find anything. From bitter experience I knew what to do: copy this post to a Word doc and save, then reboot and start again. But before I did, I ran HJT and the log was clean. Go figure.

Below I have posted two logs. The first one is after I first turned my PC on this morning: clean log. Next I opened IE and watched SpywareGuard kick into action as CWS tried to install new BHOs. I denied all the changes and restored the old BHOs, then ran HJT again. You'll see the top 3 entries on that log are all CWS that SpywareGuard didn't remove. I remove them with HJT but it doesn't make any difference. It always comes back.

The other thing I've found is that sometimes my PC freezes for several minutes (100% CPU usage) as CWS reinstalls itself.

I'm also having problems with my PC running out of virtual memory and slowing down to a crawl. Never had these problems before.

I wish I knew where on my system this CWS is hiding. It lurks out of sight in the shadows, occasionally throwing its sp.html and BHO bandits out to wreak havoc, but always remaining hidden itself so it can continue to control the proceedings. If someone can work out how it does it, a tool can be developed to identify and remove it.

Anyway, enough of my frustrated ramblings. Here are the two logs. I'm not sure what to do next so any help you can give me is much appreciated. I might try the bandaid solution BCGovtMartyr talked about too.

Cheers, Beeza


Logfile of HijackThis v1.97.7
Scan saved at 7:37:22 a.m., on 25/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\IE New Window Maximizer\iemaximizer.exe
C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\_EVOLVE\Downloads\Spyware Removal Tools\Hijack This\HijackThis.exe

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [IridiumTimeWizard] C:\Program Files\Iridium\iridium.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [IE New Window Maximizer] C:\Program Files\IE New Window Maximizer\iemaximizer.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O15 - Trusted Zone: http://www.reddirect.co.nz
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan....r/axscanner.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {4BEE3896-4820-48D1-85EA-5A9A9ECD3D95} (OPUCatalog Class) - http://office.micros...t/opuc/opuc.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.micros...ontent/opuc.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - http://www.installen...gine/isetup.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://192.168.152.2...sCamControl.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7587.0816666667
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

Logfile of HijackThis v1.97.7
Scan saved at 7:39:59 a.m., on 25/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\IE New Window Maximizer\iemaximizer.exe
C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\_EVOLVE\Downloads\Spyware Removal Tools\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\BRANDO~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\BRANDO~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [IridiumTimeWizard] C:\Program Files\Iridium\iridium.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [IE New Window Maximizer] C:\Program Files\IE New Window Maximizer\iemaximizer.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O15 - Trusted Zone: http://www.reddirect.co.nz
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan....r/axscanner.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {4BEE3896-4820-48D1-85EA-5A9A9ECD3D95} (OPUCatalog Class) - http://office.micros...t/opuc/opuc.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.micros...ontent/opuc.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - http://www.installen...gine/isetup.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://192.168.152.2...sCamControl.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7587.0816666667
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
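The two logs above were taken two minutes apart, and the handful of lines that differ are exactly what PGPhantom's fix list in post #14 targets: the R0/R1 search entries pointing at Temp\sp.html and an unnamed BHO loaded from System32. Below is an added example, not code from HijackThis or from anyone in this thread, that parses two HijackThis logs, lists the findings that appeared between them, and flags the ones matching the CWS patterns seen here. The sample logs are constructed from entries quoted in the thread (trimmed, with the momo.dll BHO from post #14 placed into the second log), and the list of known-good BHO CLSIDs is taken from the clean logs posted here; on a real machine you would build that baseline from your own clean log.

```python
"""Diff two HijackThis logs and flag the entries CWS keeps re-adding.

Added example for this thread; it is not HijackThis code and not any poster's
tool. The two sample logs are constructed from entries quoted in the thread
(trimmed, and with the momo.dll BHO from post #14 dropped into the second log).
"""
import re
from typing import List, Optional, Set, Tuple

# Constructed sample: the "clean" log taken at 7:37 and a log taken two minutes
# later, after IE was opened. Only the lines that matter are kept.
CLEAN_LOG = r"""
Logfile of HijackThis v1.97.7
Scan saved at 7:37:22 a.m., on 25/06/2004

Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"""

INFECTED_LOG = r"""
Logfile of HijackThis v1.97.7
Scan saved at 7:39:59 a.m., on 25/06/2004

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\BRANDO~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\BRANDO~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {12226606-AF09-4DA0-A561-D4386C49EB61} - C:\WINDOWS\System32\momo.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"""

# Every HijackThis finding starts with a section code (R0, R1, O2, O16, ...).
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d{1,2}) - (?P<body>.+)$")

# The rewrite CWS made in this thread: IE search/start pages pointed at a local
# sp.html, either directly (file://...\Temp\sp.html) or inside a DLL resource
# (res://...\System32\xxxx.dll/sp.html).
HIJACK_VALUE_RE = re.compile(
    r"=\s*(?:file://|res://).*\\(?:Temp|System32)\\[^\\]+\.(?:html|dll)", re.IGNORECASE
)

BHO_RE = re.compile(r"^BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")

# Baseline of BHO CLSIDs that belong on this machine, taken from the clean logs in
# the thread (SDHelper, Google toolbar, SpywareGuard). Anything else is reviewed.
KNOWN_BHOS: Set[str] = {
    "{53707962-6F74-2D53-2644-206D7942484F}",
    "{AA58ED58-01DD-4D91-8333-CF10577473F7}",
    "{4A368E80-174F-4872-96B5-0B27DDD11DB2}",
}


def parse_entries(log_text: str) -> List[Tuple[str, str]]:
    """Return (section, body) for each finding line; header and process list are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def suspicious(kind: str, body: str) -> Optional[str]:
    """Reason string when an entry matches a CWS pattern seen in this thread, else None."""
    if kind in ("R0", "R1") and HIJACK_VALUE_RE.search(body):
        return "IE search/start page redirected to a local hijack file"
    if kind == "O2":
        m = BHO_RE.match(body)
        if (m and m.group("clsid").upper() not in KNOWN_BHOS
                and m.group("name") == "(no name)"
                and "system32" in m.group("path").lower()):
            return "unnamed BHO outside the baseline, loaded from System32"
    return None


def new_entries(before: str, after: str) -> List[Tuple[str, str]]:
    """Findings present in the later log but absent from the earlier one, in log order."""
    seen = set(parse_entries(before))
    return [e for e in parse_entries(after) if e not in seen]


def triage(before: str, after: str) -> List[Tuple[str, str, str]]:
    """(section, body, reason) for each newly appeared finding that matches a CWS pattern."""
    hits = []
    for kind, body in new_entries(before, after):
        reason = suspicious(kind, body)
        if reason:
            hits.append((kind, body, reason))
    return hits


if __name__ == "__main__":
    for kind, body, reason in triage(CLEAN_LOG, INFECTED_LOG):
        print(f"[{kind}] {reason}\n      {body}")
```

Run as a script it prints the three flagged entries. The HomeOldSP = about:blank line shows up as new but is not flagged, which is why the diff and the pattern match are kept as separate steps: the diff tells you what changed while the browser was open, the patterns tell you which of those changes look like the hijack described in this thread.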

#25 piperh

    Member

  • Full Member
  • 9 posts

Posted 24 June 2004 - 04:13 PM

I think I have this same thing happening. What I have noticed is that my new AVG virus scanner keeps popping up a DLL file virus that you can't see anywhere, so therefore can't delete (even in safe DOS mode, but it may be hidden), and it seems to be active whenever I open IE or my virus scanner or Outlook.

I'm keeping an eye out here to see if you stumble across a solution (or maybe to see if AVG might catch and fix yours, but even in DOS mode it finds the DLL file but can't open it to check it).

E

#26 Beeza

    Member

  • Full Member
  • 21 posts

Posted 25 June 2004 - 07:18 AM

New findings...

I have found that when I turn on PC and open IE and watch SpywareGuard kick into action as CWS does its nasty thing, I restore the old BHOs and take a note of the name of the dll file in system32.

Then I close IE and do that all over again. Then I run HJT and delete the remaining BHOs. Then I open Windows Explorer and delete sp.html from Temp and the dll file from Windows/System32.

After that I have trouble-free browsing for hours. Next time I reboot I have to go through the whole damn thing again, but as a temporary make-good it seems to work.

Still looking forward to hearing from PGPhantom though to see if you have any guidance on how to rid my machine of CWS for good.

Cheers, Beeza :-)
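
The manual routine above boils down to three indicators in a HijackThis log: an IE search/start page value served as res:// from a DLL in System32 (the sp.html trick), HijackThis's own "(obfuscated)" marker on that value, and an unnamed BHO loaded from System32. The triage script below applies those checks to log lines and lists the DLL to write down before cleaning; it is an added example, not code from the thread or from HijackThis, and the sample hijacked lines, the DLL name abcd.dll, the all-zero CLSID and the Trusted Zone site are constructed.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# One HijackThis entry: a section tag (R0/R1/O2/O4/O15 ...) and the rest of the line.
LINE_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")
# An IE page value served out of a DLL resource, e.g. res://C:\WINDOWS\System32\x.dll/sp.html
RES_DLL_RE = re.compile(r"res://(?P<dll>[^/\s]+\.dll)/(?P<page>\S+)", re.IGNORECASE)
# O2 body: "BHO: <name> - {CLSID} - <dll path>"
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
# In this thread the hijacker's randomly named DLL sat directly in System32.
SYSTEM32_RE = re.compile(r"\\(?:windows|winnt)\\system32\\", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    section: str
    severity: str                   # "high": matches the CWS pattern; "review": needs a human decision
    reason: str
    line: str
    artifact: Optional[str] = None  # file to note down before cleaning, if the entry names one


def triage_line(line: str) -> List[Finding]:
    """Apply the thread's indicators to one log line; non-entry lines yield nothing."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    section, body = m.group("section"), m.group("body")
    found: List[Finding] = []
    if section in ("R0", "R1"):
        r = RES_DLL_RE.search(body)
        if r and SYSTEM32_RE.search(r.group("dll")):
            found.append(Finding(section, "high",
                                 f"IE page value served from {r.group('dll')} ({r.group('page')})",
                                 line, r.group("dll")))
    if "(obfuscated)" in body:
        found.append(Finding(section, "high", "HijackThis marked the value as obfuscated", line))
    if section == "O2":
        b = BHO_RE.match(body)
        if b and b.group("name") == "(no name)" and SYSTEM32_RE.search(b.group("path")):
            found.append(Finding(section, "high",
                                 f"unnamed BHO {b.group('clsid')} loading a DLL from System32",
                                 line, b.group("path")))
    if section == "O15":
        found.append(Finding(section, "review",
                             "site added to the IE Trusted Zone; confirm the user did this", line))
    return found


def triage_log(lines: Iterable[str]) -> List[Finding]:
    return [f for line in lines for f in triage_line(line)]


def implicated_files(lines: Iterable[str]) -> Set[str]:
    """The DLL paths to write down before deleting anything, as post #26 does by hand."""
    return {f.artifact for f in triage_log(lines) if f.artifact}


# Constructed sample of a hijacked log; abcd.dll and the all-zero CLSID are placeholders.
HIJACKED_LOG = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\abcd.dll/sp.html (obfuscated)",
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\abcd.dll/sp.html (obfuscated)",
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/",
    r"O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll",
    r"O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\System32\abcd.dll",
    r"O15 - Trusted Zone: http://trusted-site.example",
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
]
# Entries from the clean log posted later in the thread: none of them should fire.
CLEAN_LOG = [
    r"O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll",
    r"O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll",
    r"O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe",
]

if __name__ == "__main__":
    for f in triage_log(HIJACKED_LOG):
        print(f"[{f.severity}] {f.section}: {f.reason}")
    print("note before cleaning:", sorted(implicated_files(HIJACKED_LOG)))
    print("clean excerpt:", triage_log(CLEAN_LOG))
```

Note that the Spybot SDHelper and Google Toolbar BHOs also show as "(no name)", so the BHO rule keys on the DLL location rather than on the missing name alone.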

#27 PGPhantom

    Superman of SWI

  • Emeritus
  • 3,494 posts

Posted 25 June 2004 - 09:49 AM

Can you post an updated HijackThis log, and DO NOT reboot, sign off, etc. until you hear back from me? I would like to get that file that keeps causing this problem. When you do get the message, write down the file name and post it here as well.

#28 Beeza

    Member

  • Full Member
  • 21 posts

Posted 25 June 2004 - 05:53 PM

Hi PGPhantom,

It's 10:45am on a sunny Saturday morning here in New Zealand. I just turned my PC on. So far IE is clean, but I could probably force CWS back by searching for a page that doesn't exist, or opening and closing IE a few times. Or just waiting. Anyway, here's my updated log. I'll keep the PC on and check a few times during the day to see if you've replied. Many thanks for your help.

Cheers, Beeza :-)

Logfile of HijackThis v1.97.7
Scan saved at 10:49:31 a.m., on 26/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
C:\Program Files\IE New Window Maximizer\iemaximizer.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\_EVOLVE\Downloads\Spyware Removal Tools\Hijack This\HijackThis.exe

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [IridiumTimeWizard] C:\Program Files\Iridium\iridium.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [IE New Window Maximizer] C:\Program Files\IE New Window Maximizer\iemaximizer.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O15 - Trusted Zone: http://www.reddirect.co.nz
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan....r/axscanner.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {4BEE3896-4820-48D1-85EA-5A9A9ECD3D95} (OPUCatalog Class) - http://office.micros...t/opuc/opuc.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.micros...ontent/opuc.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - http://www.installen...gine/isetup.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://192.168.152.2...sCamControl.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7587.0816666667
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#29 PGPhantom

    Superman of SWI

  • Emeritus
  • 3,494 posts

Posted 25 June 2004 - 08:17 PM

Your log is looking clean :)

However ... please take all my recommendations below and install, run, update, etc. as listed.
Here are some tips to reduce the potential for spyware infection in the future. I strongly recommend installing the following applications:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
To protect yourself further:
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc.) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free Google Toolbar to help stop pop-up windows.
I also suggest that you delete any files from "temp", "tmp" folders. In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files" and select the box that says "Delete All Offline Content" and click on "OK" twice. Also, empty the recycle bin by right clicking on it and selecting "Empty Recycle Bin". These steps should be done on a regular basis.

Last thing ... The following is a recommended maintenance regime for Windows XP:
  • The following DIRECTORY CONTENTS (But not the directory), need to be regularly emptied. Make sure your settings allow you to view "Hidden files". Open up any explorer windows and click on "Tools" => "Folder Options" => "View" and be sure to check off "Show Hidden Files and Folders". Click on "Apply to All Folders" and then respond "Yes" when prompted and click on "OK" to apply the change.
    • %windir%\prefetch\
    • %windir%\Temp\
    • %temp%\
    • %userprofile%\Local Settings\Temp\
    • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
    • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
  • Click on "Start" => "Settings" => "Control Panel" => "Internet Options". Click on "Delete Files", select "Delete All Offline Content" and click on "OK". Click on "OK" once more to close the options panel.
  • Right click on "Recycle Bin" and select "Empty Recycle Bin" and respond "Yes" when prompted.
  • Back up your files. You can use Windows Backup, which must be installed from the XP CD: <cd-Drive>\valuadd\msft\ntbackup. Be sure to back up the following:
    • Office documents
    • Email data - messages and address book.
    • Game saves.
    • Digital photos and other artwork.
    • Movies that you have created or edited.
    • MP3s and other music files.
    • Browser favorites and bookmarks.
    • Downloaded files/programs.
    • Passwords, security codes etc. for anything that is password protected, like Quicken.
    • Activation codes for applications downloaded and registered.
  • Do not go without an anti-virus program. Free ones include:
  • Be sure to run a periodic Trojan Scan with any of the following programs:
  • Use a Firewall such as ZoneAlarm
  • Regularly scan for adware and spyware using the following programs:
  • Defragment your system. Click on "Start" => "Programs" => "Accessories" => "System Tools" => "Disk Defragmenter".
  • Update your system. Go to Microsoft Windows Update and download all critical updates for your system.
  • Cleanup Your Disk. Click on "Start" => "Programs" => "Accessories" => "System Tools" => "Disk Cleanup".
  • Clear your icon cache. Delete the following file: %userprofile%\Local Settings\Application Data\IconCache.db. Reboot.
  • As bad as it may sound - Once a year reinstall your O/S from scratch - i.e. Reformat your hard drive but be 100% certain that you have backed everything up as listed above. <= Obviously this should not be done except by professionals etc.

#30 Beeza

    Member

  • Full Member
  • 21 posts

Posted 26 June 2004 - 02:08 AM

Hi PGPhantom,

The log looks clean but CWS is still lurking. I came back a few hours ago and couldn't get anything online. Email would work, but not IE. I closed and reopened a few times but no CWS and no internet either, and clean logs too. So I closed IE and did other stuff for 2 hours. Tried again and bingo, internet available. Log still clean.

Then I searched for a URL which turned out to be non-existent, and IE redirected to http://s1di.d8t.biz/...x.php?aid=20038

Log is still clean and sp.html is NOT in the temp file. Blowed if I know where it's hiding, but it is lurking somewhere. However, Google toolbar successfully blocked the supposed anti-spyware pop-up that invariably comes with http://s1di.d8t.biz/...x.php?aid=20038

I know that if IE redirects then full-blown CWS will come back. Hope you can help with advice.

Now, on to your suggestions...

Spywareblaster: I downloaded this recently but don't appear to have installed it yet. Will do that now.

SpywareGuard: Done. I installed this a week or so ago and it is running well. Hasn't got rid of CWS though, but does help keep it in check (to a degree).

Ad-aware: Done. Installed and running well for a couple of weeks now. Hasn't got rid of CWS though.

Spybot: Done. Installed and running well for about a week now. Hasn't got rid of CWS though.

IE-Spyad: Done. I installed this a few days ago.

MVPS Hosts file: Will do this now.

Google Toolbar: Done. I've had this for some time now. Love it.

Directory Cleansing: Half done. I empty the following folders every time I shut down - Temp folder, Temporary Internet Folder, Recycle Bin. I'll create shortcuts for the other ones and include them in that routine too.

Backup: I regularly copy my user files to external media, but am not good at doing full backups. Will do as you suggest from now on though.

Anti-Virus: Done. I use Norton Anti-Virus and update my definitions weekly with LiveUpdater. I'm thinking of changing to NOD32 when my LiveUpdater subscription runs out. Any comments?

Trojan Scan: Done. I installed Trojan Hunter a few days ago.

Firewall: Done. I have had Zone Alarm in the past and really like it. Haven't had it on this machine though, but installed it a couple of weeks ago.

Adware Scans: I now use all three programs you recommend. Have for about a week.

Defrag: I defrag about once a month.

Update: I always update Windows and Office with the most recent patches. I've also used a few of Steve Gibson's apps (www.grc.com) to secure my computer more.

Disk Clean: I've never done this. Will do now.

Icon Cache: I've never done this either. Will do now.

Reinstall O/S: Strewth, that's a major! One thing I hate about Norton and LiveUpdate is that you have to buy another copy if you reinstall your O/S. That's one reason I'm thinking of changing. I'm not sure I'm brave enough to do this, but I'll schedule it in with my tech support for Christmas.

Cheers, Beeza :-)

#31 PGPhantom

    Superman of SWI

  • Emeritus
  • 3,494 posts

Posted 26 June 2004 - 12:20 PM

I would like to see if the following produces anything. We may just be chasing a red herring, but it does no harm to try:

Please download "FINDnFIX.exe". Run the "!LOG!.bat" file and post the results into this message for further review.

#32 Beeza

    Member

  • Full Member
  • 21 posts

Posted 26 June 2004 - 08:22 PM

Hi PGPhantom,

Thanks for that recommendation. I'll do that now. Before I do though, here are some important findings...

Yesterday IE turned to crap again. Couldn't access internet or anything. I ran HJT and got a clean log. I looked in Temp and it was clean. Then I ran Ad-aware and it picked up 7 CWS files, reg entries, etc!!! Before I deleted them, I ran HJT again and it was still clean! I saved logs of each - see below.

When I booted up today, IE would not work. I ran HJT and it was clean. Then I ran Ad-aware and it was clean. Then I tried to run SpywareGuard LiveUpdate but it kept freezing / timing out. So I ran SpywareGuard but got this error message...

"Error Reading SpywareGuard Definitions! The file may be corrupt, or another program may have tampered with them. Run LiveUpdate to download the latest SpywareGuard definitions."

So I ran Ad-aware again but this time checked for updates first, and downloaded the most recent update. Then ran a scan and picked up 3 CWS files. Before I deleted them I ran another HJT scan and it was clean. I deleted the CWS entries and IE is now working. I've posted that log below too.

SUMMARY
CWS seems to have:
1) Disabled SpywareGuard
2) Affected HJT so that it shows clean logs even though CWS is active

I'm wondering whether CWS is able to (a) detect the presence of SpywareGuard and (b) detect when its components are being removed by HJT and/or Spybot, and then both corrupts all those progs and hides itself within one of them?

Look forward to your thoughts. I'll download FINDnFIX now and report back.

Cheers, Beeza :-)

Lavasoft Ad-aware Personal Build 6.181
Logfile created on :Saturday, 26 June 2004 10:17:21 p.m.

Created with Ad-aware Personal, free for private use.
Using reference-file :01R315 06.06.2004
______________________________________________________

Ad-aware Settings
=========================
Set : Activate in-depth scan (Recommended)
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file


26-06-2004 10:17:21 p.m. - Scan started. (Smart mode)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ThreadCreationTime : 25-06-2004 10:32:43 p.m.
BasePriority : Normal


#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ThreadCreationTime : 25-06-2004 10:32:46 p.m.
BasePriority : Normal


#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ThreadCreationTime : 25-06-2004 10:32:47 p.m.
BasePriority : High


#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 25-06-2004 10:32:48 p.m.
BasePriority : Normal
FileSize : 99 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
OriginalFilename : services.exe
ProductName : Microsoft
Created on : 18/08/2001 12:00:00 p.m.
Last accessed : 26/06/2004 10:17:21 a.m.
Last modified : 18/08/2001 12:00:00 p.m.

#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 25-06-2004 10:32:48 p.m.
BasePriority : Normal
FileSize : 11 KB
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
OriginalFilename : lsass.exe
ProductName : Microsoft
Created on : 18/08/2001 12:00:00 p.m.
Last accessed : 26/06/2004 10:17:21 a.m.
Last modified : 28/08/2002 3:41:26 p.m.

#:6 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 25-06-2004 10:32:49 p.m.
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 18/08/2001 12:00:00 p.m.
Last accessed : 26/06/2004 9:57:50 a.m.
Last modified : 18/08/2001 12:00:00 p.m.

#:7 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 25-06-2004 10:32:49 p.m.
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 18/08/2001 12:00:00 p.m.
Last accessed : 26/06/2004 9:57:50 a.m.
Last modified : 18/08/2001 12:00:00 p.m.

#:8 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 25-06-2004 10:32:51 p.m.
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 18/08/2001 12:00:00 p.m.
Last accessed : 26/06/2004 9:57:50 a.m.
Last modified : 18/08/2001 12:00:00 p.m.

#:9 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 25-06-2004 10:32:51 p.m.
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 18/08/2001 12:00:00 p.m.
Last accessed : 26/06/2004 9:57:50 a.m.
Last modified : 18/08/2001 12:00:00 p.m.

#:10 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 25-06-2004 10:32:52 p.m.
BasePriority : Normal
FileSize : 50 KB
FileVersion : 5.1.2600.0 (XPClient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
OriginalFilename : spoolsv.exe
ProductName : Microsoft
Created on : 18/08/2001 12:00:00 p.m.
Last accessed : 26/06/2004 9:34:10 a.m.
Last modified : 18/08/2001 12:00:00 p.m.

#:11 [ccevtmgr.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ThreadCreationTime : 25-06-2004 10:32:52 p.m.
BasePriority : Normal
FileSize : 309 KB
FileVersion : 1.03.4
ProductVersion : 1.03.4
Copyright : Copyright © 2000-2002 Symantec Corporation. All rights reserved.
CompanyName : Symantec Corporation
FileDescription : Event Manager Service
InternalName : ccEvtMgr
OriginalFilename : ccEvtMgr.exe
ProductName : Event Manager
Created on : 13/11/2002 3:44:02 a.m.
Last accessed : 26/06/2004 9:34:00 a.m.
Last modified : 13/11/2002 3:44:02 a.m.

#:12 [userinit.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 25-06-2004 10:32:59 p.m.
BasePriority : Normal
FileSize : 21 KB
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
CompanyName : Microsoft Corporation
FileDescription : Userinit Logon Application
InternalName : userinit
OriginalFilename : USERINIT.EXE
ProductName : Microsoft
Created on : 18/08/2001 12:00:00 p.m.
Last accessed : 26/06/2004 10:17:22 a.m.
Last modified : 28/08/2002 3:41:28 p.m.

#:13 [explorer.exe]
FilePath : C:\WINDOWS\
ThreadCreationTime : 25-06-2004 10:32:59 p.m.
BasePriority : Normal
FileSize : 973 KB
FileVersion : 6.00.2800.1221 (xpsp2.030511-1403)
ProductVersion : 6.00.2800.1221
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
OriginalFilename : EXPLORER.EXE
ProductName : Microsoft
Created on : 11/05/2003 9:12:10 a.m.
Last accessed : 26/06/2004 10:17:22 a.m.
Last modified : 11/05/2003 9:12:10 a.m.

#:14 [navapsvc.exe]
FilePath : C:\Program Files\Norton AntiVirus\
ThreadCreationTime : 25-06-2004 10:33:00 p.m.
BasePriority : Normal
FileSize : 113 KB
FileVersion : 9.05.1015
ProductVersion : 9.05.1015
Copyright : Copyright © 2000-2002 Symantec Corporation. All rights reserved.
CompanyName : Symantec Corporation
FileDescription : Norton AntiVirus Auto-Protect Service
InternalName : NAVAPSVC
OriginalFilename : NAVAPSVC.EXE
ProductName : Norton AntiVirus
Created on : 14/11/2002 6:41:26 a.m.
Last accessed : 26/06/2004 9:34:10 a.m.
Last modified : 14/11/2002 6:41:26 a.m.

#:15 [vsmon.exe]
FilePath : C:\WINDOWS\system32\ZoneLabs\
ThreadCreationTime : 25-06-2004 10:33:01 p.m.
BasePriority : Normal
FileSize : 893 KB
FileVersion : 5.0.590.043
ProductVersion : 5.0.590.043
Copyright : Copyright
CompanyName : Zone Labs Inc.
FileDescription : TrueVector Service
InternalName : vsmon
OriginalFilename : vsmon.exe
ProductName : TrueVector Service
Created on : 3/06/2004 1:09:15 p.m.
Last accessed : 26/06/2004 10:17:22 a.m.
Last modified : 15/06/2004 4:47:36 p.m.

#:16 [igfxtray.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 25-06-2004 10:33:03 p.m.
BasePriority : Normal
FileSize : 152 KB
FileVersion : 3,0,0,1607
ProductVersion : 7,0,0,1607
Copyright : Copyright 1999-2002, Intel Corporation
CompanyName : Intel Corporation
FileDescription : igfxTray Module
InternalName : IGFXTRAY
OriginalFilename : IGFXTRAY.EXE
ProductName : Intel® Common User Interface
Created on : 1/10/2002 4:54:15 a.m.
Last accessed : 26/06/2004 9:34:30 a.m.
Last modified : 14/05/2002 8:29:02 a.m.

#:17 [hkcmd.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 25-06-2004 10:33:04 p.m.
BasePriority : Normal
FileSize : 112 KB
FileVersion : 3,0,0,1607
ProductVersion : 7,0,0,1607
Copyright : Copyright 1999-2002, Intel Corporation
CompanyName : Intel Corporation
FileDescription : hkcmd Module
InternalName : HKCMD
OriginalFilename : HKCMD.EXE
ProductName : Intel® Common User Interface
Created on : 1/10/2002 4:54:08 a.m.
Last accessed : 26/06/2004 9:34:30 a.m.
Last modified : 14/05/2002 8:20:50 a.m.

#:18 [imontray.exe]
FilePath : C:\Program Files\Intel\Intel® Active Monitor\
ThreadCreationTime : 25-06-2004 10:33:04 p.m.
BasePriority : Normal
FileSize : 32 KB
FileVersion : 1.1.7.136
ProductVersion : 1, 0, 0, 1
Copyright : Copyright © 2000
FileDescription : imontray MFC Application
InternalName : imontray
OriginalFilename : imontray.EXE
ProductName : imontray Application
Created on : 1/10/2002 4:57:41 a.m.
Last accessed : 26/06/2004 9:34:00 a.m.
Last modified : 3/05/2002 3:10:20 a.m.

#:19 [em_exec.exe]
FilePath : C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\
ThreadCreationTime : 25-06-2004 10:33:05 p.m.
BasePriority : Normal
FileSize : 34 KB
FileVersion : 9.41.33
ProductVersion : 9.41.1
Copyright : Copyright
CompanyName : Logitech Inc.
FileDescription : Control Center
InternalName : EM_EXEC
OriginalFilename : EM_EXEC.CPP
ProductName : MouseWare
Created on : 8/11/2002 4:27:24 a.m.
Last accessed : 26/06/2004 9:34:30 a.m.
Last modified : 18/09/2001 8:41:00 p.m.

#:20 [backweb-8876480.exe]
FilePath : C:\Program Files\Logitech\Desktop Messenger\8876480\Program\
ThreadCreationTime : 25-06-2004 10:33:05 p.m.
BasePriority : Normal
FileSize : 16 KB
Created on : 8/11/2002 4:29:00 a.m.
Last accessed : 26/06/2004 10:17:22 a.m.
Last modified : 8/11/2002 4:29:00 a.m.

#:21 [ccapp.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ThreadCreationTime : 25-06-2004 10:33:05 p.m.
BasePriority : Normal
FileSize : 53 KB
FileVersion : 1.0.10.006
ProductVersion : 1.0.10.006
Copyright : Copyright © 2000-2002 Symantec Corporation. All rights reserved.
CompanyName : Symantec Corporation
FileDescription : Common Client CC App
InternalName : ccApp
OriginalFilename : ccApp.exe
ProductName : Common Client
Created on : 20/12/2003 6:48:45 a.m.
Last accessed : 26/06/2004 10:17:22 a.m.
Last modified : 2/12/2003 3:11:04 a.m.

#:22 [jusched.exe]
FilePath : C:\Program Files\Java\j2re1.4.2_04\bin\
ThreadCreationTime : 25-06-2004 10:33:05 p.m.
BasePriority : Normal
FileSize : 32 KB
Created on : 22/02/2068 11:44:46 a.m.
Last accessed : 26/06/2004 9:34:10 a.m.
Last modified : 22/02/2004 11:44:44 a.m.

#:23 [zlclient.exe]
FilePath : C:\Program Files\Zone Labs\ZoneAlarm\
ThreadCreationTime : 25-06-2004 10:33:06 p.m.
BasePriority : Normal
FileSize : 681 KB
FileVersion : 5.0.590.043
ProductVersion : 5.0.590.043
Copyright : Copyright
CompanyName : Zone Labs Inc.
FileDescription : Zone Labs Client
InternalName : zlclient
OriginalFilename : zlclient.exe
ProductName : Zone Labs Client
Created on : 3/06/2004 1:09:19 p.m.
Last accessed : 26/06/2004 10:17:22 a.m.
Last modified : 15/06/2004 4:48:24 p.m.

#:24 [teatimer.exe]
FilePath : C:\Program Files\Spybot - Search & Destroy\
ThreadCreationTime : 25-06-2004 10:33:07 p.m.
BasePriority : Idle
FileSize : 1014 KB
FileVersion : 1, 3, 0, 12
ProductVersion : 1, 3, 0, 12
CompanyName : Safer Networking Limited
FileDescription : System settings protector
InternalName : TeaTimer
OriginalFilename : TeaTimer.exe
ProductName : Spybot - Search & Destroy
Created on : 11/05/2004 1:03:00 p.m.
Last accessed : 26/06/2004 9:34:10 a.m.
Last modified : 11/05/2004 1:03:00 p.m.

#:25 [imonnt.exe]
FilePath : C:\Program Files\Intel\Intel® Active Monitor\
ThreadCreationTime : 25-06-2004 10:33:07 p.m.
BasePriority : Normal
FileSize : 100 KB
FileVersion : 1.1.7.136
ProductVersion : 1, 0, 0, 1
Copyright : Copyright
CompanyName : Intel Corp.
FileDescription : Intel® Active Monitor Win9x Background Service
InternalName : imonNT
OriginalFilename : imonNT.exe
ProductName : Intel® Active Monitor
Created on : 1/10/2002 4:57:41 a.m.
Last accessed : 26/06/2004 9:33:50 a.m.
Last modified : 3/05/2002 3:09:24 a.m.

#:26 [iemaximizer.exe]
FilePath : C:\Program Files\IE New Window Maximizer\
ThreadCreationTime : 25-06-2004 10:33:07 p.m.
BasePriority : Normal
FileSize : 340 KB
FileVersion : 2.3.0.2
ProductVersion : 2.3.0.2
Copyright : © jiiSoft, Jonatan Dahl. All rights reserved.
CompanyName : jiiSoft
FileDescription : IE New Window Maximizer
InternalName : iemaximizer.exe
OriginalFilename : iemaximizer.exe
ProductName : IE New Window Maximizer
Created on : 23/01/2003 11:21:10 p.m.
Last accessed : 26/06/2004 9:34:10 a.m.
Last modified : 24/01/2003 12:21:10 a.m.

#:27 [acrotray.exe]
FilePath : C:\Program Files\Adobe\Acrobat 5.0\Distillr\
ThreadCreationTime : 25-06-2004 10:33:08 p.m.
BasePriority : Normal
FileSize : 80 KB
FileVersion : 5, 0, 0, 0
ProductVersion : 5, 0, 0, 0
Copyright : Copyright
CompanyName : Adobe Systems Inc.
FileDescription : AcroTray
InternalName : AcroTray
OriginalFilename : AcroTray.exe
ProductName : AcroTray - Adobe Acrobat Distiller helper application.
Created on : 9/02/2003 2:12:08 a.m.
Last accessed : 26/06/2004 9:34:10 a.m.
Last modified : 11/10/2001 4:35:00 a.m.

#:28 [sgmain.exe]
FilePath : C:\Program Files\SpywareGuard\
ThreadCreationTime : 25-06-2004 10:33:10 p.m.
BasePriority : Normal
FileSize : 352 KB
FileVersion : 2.02.0001
ProductVersion : 2.02.0001
Copyright : Copyright © 2002-2003 Javacool Software LLC
FileDescription : SpywareGuard
InternalName : sgmain
OriginalFilename : sgmain.exe
ProductName : SpywareGuard
Created on : 29/08/2003 7:05:35 a.m.
Last accessed : 26/06/2004 10:05:57 a.m.
Last modified : 29/08/2003 7:05:35 a.m.

#:29 [msoffice.exe]
FilePath : C:\Program Files\Microsoft Office\Office10\
ThreadCreationTime : 25-06-2004 10:33:13 p.m.
BasePriority : Normal
FileSize : 221 KB
FileVersion : 10.0.2609
ProductVersion : 10.0.2609
Copyright : Copyright
CompanyName : Microsoft Corporation
FileDescription : Microsoft Office XP component
InternalName : MSOFFICE
OriginalFilename : MSOFFICE.EXE
ProductName : Microsoft Office XP
Created on : 12/02/2001 11:58:54 a.m.
Last accessed : 26/06/2004 10:17:22 a.m.
Last modified : 12/02/2001 11:58:54 a.m.

#:30 [sgbhp.exe]
FilePath : C:\Program Files\SpywareGuard\
ThreadCreationTime : 25-06-2004 10:33:15 p.m.
BasePriority : Normal
FileSize : 228 KB
FileVersion : 2.02.0001
ProductVersion : 2.02.0001
Copyright : Copyright © 2002-2003 Javacool Software LLC.
FileDescription : SG Browser Hijacking Protection
InternalName : sgbhp
OriginalFilename : sgbhp.exe
ProductName : SG Browser Hijacking Protection
Created on : 28/08/2003 11:14:56 p.m.
Last accessed : 26/06/2004 9:34:00 a.m.
Last modified : 28/08/2003 11:14:56 p.m.

#:31 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 26-06-2004 4:06:53 a.m.
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 18/08/2001 12:00:00 p.m.
Last accessed : 26/06/2004 9:57:50 a.m.
Last modified : 18/08/2001 12:00:00 p.m.

#:32 [winword.exe]
FilePath : C:\Program Files\Microsoft Office\Office10\
ThreadCreationTime : 26-06-2004 10:06:24 a.m.
BasePriority : Normal
FileSize : 10374 KB
FileVersion : 10.0.6612
ProductVersion : 10.0.6612
Copyright : Copyright
CompanyName : Microsoft Corporation
FileDescription : Microsoft Word
InternalName : WinWord
OriginalFilename : WinWord.exe
ProductName : Microsoft Office XP
Created on : 16/01/2004 2:19:14 a.m.
Last accessed : 26/06/2004 10:06:32 a.m.
Last modified : 16/01/2004 2:19:14 a.m.

#:33 [msmsgs.exe]
FilePath : C:\Program Files\Messenger\
ThreadCreationTime : 26-06-2004 10:12:35 a.m.
BasePriority : Normal
FileSize : 1462 KB
FileVersion : 4.7.2009
ProductVersion : Version 4.7
Copyright : Copyright © Microsoft Corporation 1997-2003
CompanyName : Microsoft Corporation
FileDescription : Messenger
InternalName : msmsgs
OriginalFilename : msmsgs.exe
ProductName : Messenger
Created on : 14/04/2003 8:05:20 a.m.
Last accessed : 26/06/2004 10:12:37 a.m.
Last modified : 14/04/2003 8:05:20 a.m.

#:34 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-aware 6\
ThreadCreationTime : 26-06-2004 10:17:12 a.m.
BasePriority : Normal
FileSize : 668 KB
FileVersion : 6.0.1.181
ProductVersion : 6.0.0.0
Copyright : Copyright
CompanyName : Lavasoft Sweden
FileDescription : Ad-aware 6 core application
InternalName : Ad-aware.exe
OriginalFilename : Ad-aware.exe
ProductName : Lavasoft Ad-aware Plus
Created on : 3/06/2004 10:28:02 p.m.
Last accessed : 26/06/2004 10:17:13 a.m.
Last modified : 12/07/2003 9:00:20 a.m.

Memory scan result :
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New objects : 0
Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

CoolWebSearch Object recognized!
Type : RegValue
Data :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Internet Explorer\Main
Value : HOMEOldSP


Registry scan result :
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New objects : 1
Objects found so far: 1


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Pageabout:blank

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "about:blank"
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Main
Value : Start Page
Data : "about:blank"

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Pageabout:blank

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "about:blank"
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet Explorer\Main
Value : Start Page
Data : "about:blank"

Possible browser hijack attempt : .Default\Software\Microsoft\Internet Explorer\MainStart Pageabout:blank

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "about:blank"
Rootkey : HKEY_USERS
Object : .Default\Software\Microsoft\Internet Explorer\Main
Value : Start Page
Data : "about:blank"


Deep registry scan result :
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New objects : 3
Objects found so far: 4


»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Scanning Hosts file(C:\WINDOWS\System32\drivers\etc\hosts)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1815 entries scanned.
New objects :0
Objects found so far: 4




Performing conditional scans..
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

CoolWebSearch Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : PROTOCOLS\Filter\text/html


CoolWebSearch Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : PROTOCOLS\Filter\text/plain


CoolWebSearch Object recognized!
Type : RegValue
Data :
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
Value : ITBarLayout


Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New objects : 3
Objects found so far: 7


10:20:53 p.m. Scan complete

Summary of this scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time :00:03:31:343
Objects scanned :57170
Objects identified :7
Objects ignored :0
New objects :7


The following HJT log was created BEFORE the CWS files in the Ad-aware log above were deleted...

Logfile of HijackThis v1.97.7
Scan saved at 10:30:25 p.m., on 26/06/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
C:\Program Files\IE New Window Maximizer\iemaximizer.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
C:\_EVOLVE\Downloads\Spyware Removal Tools\Hijack This\HijackThis.exe

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [IridiumTimeWizard] C:\Program Files\Iridium\iridium.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [IE New Window Maximizer] C:\Program Files\IE New Window Maximizer\iemaximizer.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O15 - Trusted Zone: http://www.reddirect.co.nz
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan....r/axscanner.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {4BEE3896-4820-48D1-85EA-5A9A9ECD3D95} (OPUCatalog Class) - http://office.micros...t/opuc/opuc.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.micros...ontent/opuc.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - http://www.installen...gine/isetup.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://192.168.152.2...sCamControl.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7587.0816666667
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab



Lavasoft Ad-aware Personal Build 6.181
Logfile created on :Sunday, 27 June 2004 12:03:31 p.m.

Created with Ad-aware Personal, free for private use.
Using reference-file :01R325 27.06.2004
______________________________________________________

Ad-aware Settings
=========================
Set : Activate in-depth scan (Recommended)
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file


27-06-2004 12:03:31 p.m. - Scan started. (Smart mode)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ThreadCreationTime : 26-06-2004 11:46:22 p.m.
BasePriority : Normal


#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ThreadCreationTime : 26-06-2004 11:46:24 p.m.
BasePriority : Normal


#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ThreadCreationTime : 26-06-2004 11:46:25 p.m.
BasePriority : High


#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 26-06-2004 11:46:26 p.m.
BasePriority : Normal
FileSize : 99 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
OriginalFilename : services.exe
ProductName : Microsoft
Created on : 18/08/2001 12:00:00 p.m.
Last accessed : 26/06/2004 11:46:26 p.m.
Last modified : 18/08/2001 12:00:00 p.m.

#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 26-06-2004 11:46:26 p.m.
BasePriority : Normal
FileSize : 11 KB
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
OriginalFilename : lsass.exe
ProductName : Microsoft
Created on : 18/08/2001 12:00:00 p.m.
Last accessed : 26/06/2004 11:46:39 p.m.
Last modified : 28/08/2002 3:41:26 p.m.

#:6 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 26-06-2004 11:46:27 p.m.
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 18/08/2001 12:00:00 p.m.
Last accessed : 26/06/2004 11:46:45 p.m.
Last modified : 18/08/2001 12:00:00 p.m.

#:7 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 26-06-2004 11:46:28 p.m.
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 18/08/2001 12:00:00 p.m.
Last accessed : 26/06/2004 11:46:45 p.m.
Last modified : 18/08/2001 12:00:00 p.m.

#:8 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 26-06-2004 11:46:29 p.m.
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 18/08/2001 12:00:00 p.m.
Last accessed : 26/06/2004 11:46:45 p.m.
Last modified : 18/08/2001 12:00:00 p.m.

#:9 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 26-06-2004 11:46:29 p.m.
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 18/08/2001 12:00:00 p.m.
Last accessed : 26/06/2004 11:46:45 p.m.
Last modified : 18/08/2001 12:00:00 p.m.

#:10 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 26-06-2004 11:46:31 p.m.
BasePriority : Normal
FileSize : 50 KB
FileVersion : 5.1.2600.0 (XPClient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
OriginalFilename : spoolsv.exe
ProductName : Microsoft
Created on : 18/08/2001 12:00:00 p.m.
Last accessed : 26/06/2004 11:46:22 p.m.
Last modified : 18/08/2001 12:00:00 p.m.

#:11 [ccevtmgr.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ThreadCreationTime : 26-06-2004 11:46:31 p.m.
BasePriority : Normal
FileSize : 309 KB
FileVersion : 1.03.4
ProductVersion : 1.03.4
Copyright : Copyright © 2000-2002 Symantec Corporation. All rights reserved.
CompanyName : Symantec Corporation
FileDescription : Event Manager Service
InternalName : ccEvtMgr
OriginalFilename : ccEvtMgr.exe
ProductName : Event Manager
Created on : 13/11/2002 3:44:02 a.m.
Last accessed : 26/06/2004 11:46:22 p.m.
Last modified : 13/11/2002 3:44:02 a.m.

#:12 [navapsvc.exe]
FilePath : C:\Program Files\Norton AntiVirus\
ThreadCreationTime : 26-06-2004 11:46:38 p.m.
BasePriority : Normal
FileSize : 113 KB
FileVersion : 9.05.1015
ProductVersion : 9.05.1015
Copyright : Copyright © 2000-2002 Symantec Corporation. All rights reserved.
CompanyName : Symantec Corporation
FileDescription : Norton AntiVirus Auto-Protect Service
InternalName : NAVAPSVC
OriginalFilename : NAVAPSVC.EXE
ProductName : Norton AntiVirus
Created on : 14/11/2002 6:41:26 a.m.
Last accessed : 26/06/2004 11:46:22 p.m.
Last modified : 14/11/2002 6:41:26 a.m.

#:13 [vsmon.exe]
FilePath : C:\WINDOWS\system32\ZoneLabs\
ThreadCreationTime : 26-06-2004 11:46:39 p.m.
BasePriority : Normal
FileSize : 893 KB
FileVersion : 5.0.590.043
ProductVersion : 5.0.590.043
Copyright : Copyright
CompanyName : Zone Labs Inc.
FileDescription : TrueVector Service
InternalName : vsmon
OriginalFilename : vsmon.exe
ProductName : TrueVector Service
Created on : 3/06/2004 1:09:15 p.m.
Last accessed : 26/06/2004 11:46:39 p.m.
Last modified : 15/06/2004 4:47:36 p.m.

#:14 [imonnt.exe]
FilePath : C:\Program Files\Intel\Intel® Active Monitor\
ThreadCreationTime : 26-06-2004 11:46:43 p.m.
BasePriority : Normal
FileSize : 100 KB
FileVersion : 1.1.7.136
ProductVersion : 1, 0, 0, 1
Copyright : Copyright
CompanyName : Intel Corp.
FileDescription : Intel® Active Monitor Win9x Background Service
InternalName : imonNT
OriginalFilename : imonNT.exe
ProductName : Intel® Active Monitor
Created on : 1/10/2002 4:57:41 a.m.
Last accessed : 26/06/2004 11:46:22 p.m.
Last modified : 3/05/2002 3:09:24 a.m.

#:15 [explorer.exe]
FilePath : C:\WINDOWS\
ThreadCreationTime : 26-06-2004 11:46:48 p.m.
BasePriority : Normal
FileSize : 973 KB
FileVersion : 6.00.2800.1221 (xpsp2.030511-1403)
ProductVersion : 6.00.2800.1221
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
OriginalFilename : EXPLORER.EXE
ProductName : Microsoft
Created on : 11/05/2003 9:12:10 a.m.
Last accessed : 26/06/2004 11:47:26 p.m.
Last modified : 11/05/2003 9:12:10 a.m.

#:16 [igfxtray.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 26-06-2004 11:46:53 p.m.
BasePriority : Normal
FileSize : 152 KB
FileVersion : 3,0,0,1607
ProductVersion : 7,0,0,1607
Copyright : Copyright 1999-2002, Intel Corporation
CompanyName : Intel Corporation
FileDescription : igfxTray Module
InternalName : IGFXTRAY
OriginalFilename : IGFXTRAY.EXE
ProductName : Intel® Common User Interface
Created on : 1/10/2002 4:54:15 a.m.
Last accessed : 26/06/2004 11:46:52 p.m.
Last modified : 14/05/2002 8:29:02 a.m.

#:17 [hkcmd.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 26-06-2004 11:46:53 p.m.
BasePriority : Normal
FileSize : 112 KB
FileVersion : 3,0,0,1607
ProductVersion : 7,0,0,1607
Copyright : Copyright 1999-2002, Intel Corporation
CompanyName : Intel Corporation
FileDescription : hkcmd Module
InternalName : HKCMD
OriginalFilename : HKCMD.EXE
ProductName : Intel® Common User Interface
Created on : 1/10/2002 4:54:08 a.m.
Last accessed : 26/06/2004 11:46:53 p.m.
Last modified : 14/05/2002 8:20:50 a.m.

#:18 [imontray.exe]
FilePath : C:\Program Files\Intel\Intel® Active Monitor\
ThreadCreationTime : 26-06-2004 11:46:53 p.m.
BasePriority : Normal
FileSize : 32 KB
FileVersion : 1.1.7.136
ProductVersion : 1, 0, 0, 1
Copyright : Copyright © 2000
FileDescription : imontray MFC Application
InternalName : imontray
OriginalFilename : imontray.EXE
ProductName : imontray Application
Created on : 1/10/2002 4:57:41 a.m.
Last accessed : 26/06/2004 11:46:53 p.m.
Last modified : 3/05/2002 3:10:20 a.m.

#:19 [em_exec.exe]
FilePath : C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\
ThreadCreationTime : 26-06-2004 11:46:55 p.m.
BasePriority : Normal
FileSize : 34 KB
FileVersion : 9.41.33
ProductVersion : 9.41.1
Copyright : Copyright
CompanyName : Logitech Inc.
FileDescription : Control Center
InternalName : EM_EXEC
OriginalFilename : EM_EXEC.CPP
ProductName : MouseWare
Created on : 8/11/2002 4:27:24 a.m.
Last accessed : 26/06/2004 11:46:55 p.m.
Last modified : 18/09/2001 8:41:00 p.m.

#:20 [backweb-8876480.exe]
FilePath : C:\Program Files\Logitech\Desktop Messenger\8876480\Program\
ThreadCreationTime : 26-06-2004 11:46:55 p.m.
BasePriority : Normal
FileSize : 16 KB
Created on : 8/11/2002 4:29:00 a.m.
Last accessed : 26/06/2004 11:47:25 p.m.
Last modified : 8/11/2002 4:29:00 a.m.

#:21 [ccapp.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ThreadCreationTime : 26-06-2004 11:46:56 p.m.
BasePriority : Normal
FileSize : 53 KB
FileVersion : 1.0.10.006
ProductVersion : 1.0.10.006
Copyright : Copyright © 2000-2002 Symantec Corporation. All rights reserved.
CompanyName : Symantec Corporation
FileDescription : Common Client CC App
InternalName : ccApp
OriginalFilename : ccApp.exe
ProductName : Common Client
Created on : 20/12/2003 6:48:45 a.m.
Last accessed : 26/06/2004 11:47:07 p.m.
Last modified : 2/12/2003 3:11:04 a.m.

#:22 [jusched.exe]
FilePath : C:\Program Files\Java\j2re1.4.2_04\bin\
ThreadCreationTime : 26-06-2004 11:46:57 p.m.
BasePriority : Normal
FileSize : 32 KB
Created on : 22/02/2068 11:44:46 a.m.
Last accessed : 26/06/2004 11:46:57 p.m.
Last modified : 22/02/2004 11:44:44 a.m.

#:23 [zlclient.exe]
FilePath : C:\Program Files\Zone Labs\ZoneAlarm\
ThreadCreationTime : 26-06-2004 11:46:59 p.m.
BasePriority : Normal
FileSize : 681 KB
FileVersion : 5.0.590.043
ProductVersion : 5.0.590.043
Copyright : Copyright
CompanyName : Zone Labs Inc.
FileDescription : Zone Labs Client
InternalName : zlclient
OriginalFilename : zlclient.exe
ProductName : Zone Labs Client
Created on : 3/06/2004 1:09:19 p.m.
Last accessed : 27/06/2004 12:00:27 a.m.
Last modified : 15/06/2004 4:48:24 p.m.

#:24 [teatimer.exe]
FilePath : C:\Program Files\Spybot - Search & Destroy\
ThreadCreationTime : 26-06-2004 11:47:00 p.m.
BasePriority : Idle
FileSize : 1014 KB
FileVersion : 1, 3, 0, 12
ProductVersion : 1, 3, 0, 12
CompanyName : Safer Networking Limited
FileDescription : System settings protector
InternalName : TeaTimer
OriginalFilename : TeaTimer.exe
ProductName : Spybot - Search & Destroy
Created on : 11/05/2004 1:03:00 p.m.
Last accessed : 26/06/2004 11:47:00 p.m.
Last modified : 11/05/2004 1:03:00 p.m.

#:25 [iemaximizer.exe]
FilePath : C:\Program Files\IE New Window Maximizer\
ThreadCreationTime : 26-06-2004 11:47:01 p.m.
BasePriority : Normal
FileSize : 340 KB
FileVersion : 2.3.0.2
ProductVersion : 2.3.0.2
Copyright : © jiiSoft, Jonatan Dahl. All rights reserved.
CompanyName : jiiSoft
FileDescription : IE New Window Maximizer
InternalName : iemaximizer.exe
OriginalFilename : iemaximizer.exe
ProductName : IE New Window Maximizer
Created on : 23/01/2003 11:21:10 p.m.
Last accessed : 26/06/2004 11:47:01 p.m.
Last modified : 24/01/2003 12:21:10 a.m.

#:26 [acrotray.exe]
FilePath : C:\Program Files\Adobe\Acrobat 5.0\Distillr\
ThreadCreationTime : 26-06-2004 11:47:03 p.m.
BasePriority : Normal
FileSize : 80 KB
FileVersion : 5, 0, 0, 0
ProductVersion : 5, 0, 0, 0
Copyright : Copyright
CompanyName : Adobe Systems Inc.
FileDescription : AcroTray
InternalName : AcroTray
OriginalFilename : AcroTray.exe
ProductName : AcroTray - Adobe Acrobat Distiller helper application.
Created on : 9/02/2003 2:12:08 a.m.
Last accessed : 26/06/2004 11:47:02 p.m.
Last modified : 11/10/2001 4:35:00 a.m.

#:27 [sgmain.exe]
FilePath : C:\Program Files\SpywareGuard\
ThreadCreationTime : 26-06-2004 11:47:06 p.m.
BasePriority : Normal
FileSize : 352 KB
FileVersion : 2.02.0001
ProductVersion : 2.02.0001
Copyright : Copyright © 2002-2003 Javacool Software LLC
FileDescription : SpywareGuard
InternalName : sgmain
OriginalFilename : sgmain.exe
ProductName : SpywareGuard
Created on : 29/08/2003 7:05:35 a.m.
Last accessed : 26/06/2004 11:57:30 p.m.
Last modified : 29/08/2003 7:05:35 a.m.

#:28 [msoffice.exe]
FilePath : C:\Program Files\Microsoft Office\Office10\
ThreadCreationTime : 26-06-2004 11:47:11 p.m.
BasePriority : Normal
FileSize : 221 KB
FileVersion : 10.0.2609
ProductVersion : 10.0.2609
Copyright : Copyright
CompanyName : Microsoft Corporation
FileDescription : Microsoft Office XP component
InternalName : MSOFFICE
OriginalFilename : MSOFFICE.EXE
ProductName : Microsoft Office XP
Created on : 12/02/2001 11:58:54 a.m.
Last accessed : 26/06/2004 11:46:22 p.m.
Last modified : 12/02/2001 11:58:54 a.m.

#:29 [sgbhp.exe]
FilePath : C:\Program Files\SpywareGuard\
ThreadCreationTime : 26-06-2004 11:47:13 p.m.
BasePriority : Normal
FileSize : 228 KB
FileVersion : 2.02.0001
ProductVersion : 2.02.0001
Copyright : Copyright © 2002-2003 Javacool Software LLC.
FileDescription : SG Browser Hijacking Protection
InternalName : sgbhp
OriginalFilename : sgbhp.exe
ProductName : SG Browser Hijacking Protection
Created on : 28/08/2003 11:14:56 p.m.
Last accessed : 26/06/2004 11:46:22 p.m.
Last modified : 28/08/2003 11:14:56 p.m.

#:30 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-aware 6\
ThreadCreationTime : 26-06-2004 11:58:14 p.m.
BasePriority : Normal
FileSize : 668 KB
FileVersion : 6.0.1.181
ProductVersion : 6.0.0.0
Copyright : Copyright
CompanyName : Lavasoft Sweden
FileDescription : Ad-aware 6 core application
InternalName : Ad-aware.exe
OriginalFilename : Ad-aware.exe
ProductName : Lavasoft Ad-aware Plus
Created on : 3/06/2004 10:28:02 p.m.
Last accessed : 27/06/2004 12:02:41 a.m.
Last modified : 12/07/2003 9:00:20 a.m.

#:31 [msmsgs.exe]
FilePath : C:\Program Files\Messenger\
ThreadCreationTime : 27-06-2004 12:02:29 a.m.
BasePriority : Normal
FileSize : 1462 KB
FileVersion : 4.7.2009
ProductVersion : Version 4.7
Copyright : Copyright © Microsoft Corporation 1997-2003
CompanyName : Microsoft Corporation
FileDescription : Messenger
InternalName : msmsgs
OriginalFilename : msmsgs.exe
ProductName : Messenger
Created on : 14/04/2003 8:05:20 a.m.
Last accessed : 27/06/2004 12:02:30 a.m.
Last modified : 14/04/2003 8:05:20 a.m.

Memory scan result :
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New objects : 0
Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Registry scan result :
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New objects : 0
Objects found so far: 0


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Possible browser hijack attempt : .Default\Software\Microsoft\Internet Explorer\MainSearch Pagetemp\sp.html

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "file://C:\WINDOWS\TEMP\sp.html"
Rootkey : HKEY_USERS
Object : .Default\Software\Microsoft\Internet Explorer\Main
Value : Search Page
Data : "file://C:\WINDOWS\TEMP\sp.html"

Possible browser hijack attempt : .Default\Software\Microsoft\Internet Explorer\MainSearch Bartemp\sp.html

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "file://C:\WINDOWS\TEMP\sp.html"
Rootkey : HKEY_USERS
Object : .Default\Software\Microsoft\Internet Explorer\Main
Value : Search Bar
Data : "file://C:\WINDOWS\TEMP\sp.html"

Possible browser hijack attempt : .Default\Software\Microsoft\Internet Explorer\SearchSearchAssistanttemp\sp.html

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "file://C:\WINDOWS\TEMP\sp.html"
Rootkey : HKEY_USERS
Object : .Default\Software\Microsoft\Internet Explorer\Search
Value : SearchAssistant
Data : "file://C:\WINDOWS\TEMP\sp.html"


Deep registry scan result :
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New objects : 3
Objects found so far: 3


»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Scanning Hosts file(C:\WINDOWS\System32\drivers\etc\hosts)


#33 Beeza

Beeza

    Member

  • Full Member
  • Pip
  • 21 posts

Posted 26 June 2004 - 08:36 PM

Hi PGPhantom,

Here is my FINDnFIX log. It seems to have found something. Let me know what to do next.

Cheers, Beeza :-)


╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗*** freeatlast.100free.com ***╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗

Microsoft Windows XP [Version 5.1.2600]
The type of the file system is NTFS.
C: is not dirty.

Sun 27/06/2004
1:27pm up 0 days, 1:41
╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗***Attention!***╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗
Files listed in this section (in System32) are not always definitive!
Always Double Check and be sure the file pointed doesn't exist!

╗╗Locked or 'Suspect' file(s) found...


C:\WINDOWS\System32\WDMFLK.DLL +++ File read error
\\?\C:\WINDOWS\System32\WDMFLK.DLL +++ File read error
╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗
╗╗╗Special 'locked' files scan in 'System32'........
**File C:\FINDnFIX\LIST.TXT
WDMFLK.DLL Can't Open!

****Filtering files in System32... (-h -s -r...) ***
╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗

C:\WINDOWS\SYSTEM32\
wdmflk.dll Wed 2 Jun 2004 19:16:06 A...R 57,344 56.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K

No matches found.

Sniffing..........
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINDOWS\SYSTEM32\WDMFLK.DLL
╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗

╗╗Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

╗╗Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM


╗╗Member of...: (Admin logon required!)
User is a member of group BEEZA\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.

╗╗Dir 'junkxxx' was created with the following permissions...
(FAT32=NA)
Directory "C:\junkxxx"
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000000 t--- 001F01FF ---- DSPO rw+x BEEZA\Beeza
Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 00000002 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

Owner: BEEZA\Beeza

Primary Group: BEEZA\None



╗╗╗╗╗╗Backups created...╗╗╗╗╗╗
1:29pm up 0 days, 1:43
Sun 27/06/2004

A C:\FINDnFIX\winBack.hiv
--a-- - - - - - 8,192 06-27-2004 winback.hiv
A C:\FINDnFIX\keys1\winkey.reg
--a-- - - - - - 287 06-27-2004 winkey.reg

╗╗Performing 16bit string scan....

---------- WIN.TXT
f¨AppInit_DLLsÍ?ŠGŞ   C
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

FBpxqH
Windows
AppInit
UDeviceNotSelectedTimeout
zGDIProcessHandleQuota"
Spooler2
5swapdisk
TransmissionRetryTimeout
USERProcessHandleQuota"

**File C:\FINDnFIX\WIN.TXT
 Windows    sk x x  ď  äŞ ╚   Ą       ! 

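As an added example (not part of the thread and not code from Ad-aware, HijackThis or FINDnFIX), the Python below turns the "Object recognized!" blocks that Ad-aware writes into structured records, so the registry locations it flags can be listed and counted, and classifies the "Size of Windows key" reading from a FINDnFIX log using the size categories the tool's own header prints (450 default, 398 with no AppInit_DLLs, 448/504/512 listed as infected). The sample log text is constructed from the kinds of entries seen in this thread, and every function and class name is my own assumption.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the Ad-aware 6 log format (assembled from the kinds
# of entries shown in the thread, not copied from any single scan).
SAMPLE_ADAWARE_LOG = """
Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

CoolWebSearch Object recognized!
Type : RegValue
Data :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\\Microsoft\\Internet Explorer\\Main
Value : HOMEOldSP


Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "about:blank"
Rootkey : HKEY_CURRENT_USER
Object : Software\\Microsoft\\Internet Explorer\\Main
Value : Start Page
Data : "about:blank"

CoolWebSearch Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : PROTOCOLS\\Filter\\text/html
"""

# Constructed FINDnFIX excerpt: the header states which key sizes the tool
# treats as normal and as suspect, then reports the size it measured.
SAMPLE_FINDNFIX_LOG = """
Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\\software\\microsoft\\Windows NT\\CurrentVersion\\Windows: 448
"""


@dataclass
class Finding:
    family: str        # e.g. "CoolWebSearch" or "Possible Browser Hijack attempt"
    kind: str = ""     # RegKey / RegValue / RegData
    rootkey: str = ""
    obj: str = ""
    value: str = ""
    data: str = ""

    def registry_path(self) -> str:
        """Full registry location, including the value name when there is one."""
        path = f"{self.rootkey}\\{self.obj}"
        return f"{path}\\{self.value}" if self.value else path


_MARKER = " Object recognized!"


def parse_adaware_findings(text: str) -> List[Finding]:
    """Collect each 'X Object recognized!' block (up to the next blank line)."""
    findings: List[Finding] = []
    current: Optional[Finding] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(_MARKER):
            current = Finding(family=line[: -len(_MARKER)].strip())
            findings.append(current)
            continue
        if current is None:
            continue
        if not line:                    # a blank line closes the block
            current = None
            continue
        key, sep, val = line.partition(":")
        if not sep:
            continue
        key, val = key.strip().lower(), val.strip()
        if key == "type":
            current.kind = val
        elif key == "rootkey":
            current.rootkey = val
        elif key == "object":
            current.obj = val
        elif key == "value":
            current.value = val
        elif key == "data" and val:     # "Data :" may be empty or repeated; keep the last non-empty
            current.data = val.strip('"')
    return findings


def summarize_by_family(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per detection family for a quick triage view."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.family] = counts.get(f.family, 0) + 1
    return counts


_SIZE_RE = re.compile(r"CurrentVersion\\Windows:\s*(\d+)")


def classify_windows_key_size(findnfix_text: str) -> Optional[str]:
    """Map the measured size of ...\\CurrentVersion\\Windows to FINDnFIX's own
    categories: 450 default, 398 without AppInit_DLLs, 448/504/512 infected."""
    m = _SIZE_RE.search(findnfix_text)
    if not m:
        return None
    size = int(m.group(1))
    if size == 450:
        return "default"
    if size == 398:
        return "no-appinit"
    if size in {448, 504, 512}:
        return "suspect"
    return "unknown"


if __name__ == "__main__":
    found = parse_adaware_findings(SAMPLE_ADAWARE_LOG)
    for f in found:
        print(f"{f.family:32} {f.kind:9} {f.registry_path()}  {f.data}")
    print(summarize_by_family(found))
    print("Windows key size:", classify_windows_key_size(SAMPLE_FINDNFIX_LOG))
```

The parser keys on the blank line that terminates each block, which is why the duplicated "Data :" line in RegData entries is handled by keeping the last non-empty value rather than the first.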
#34 PGPhantom

PGPhantom

    Superman of SWI

  • Emeritus
  • PipPipPipPipPip
  • 3,494 posts

Posted 27 June 2004 - 01:36 AM

This will take couple or more steps to fix. Be sure to Follow the next set of steps carefully, in the exact order specified:
  • Open the "FINDnFIX\Keys1" Subfolder!
  • Locate the "MOVEit.bat" file, Right-Click on it and select => "edit". The file will open as empty text file.
  • Copy and paste the entire highlighted line in the following quote box
    (all one line) into that blank 'MOVEit' file:

    move C:\WINDOWS\System32\WDMFLK.DLL C:\junkxxx\WDMFLK.DLL

  • Save the file and close.
  • Get ready to restart your computer.
  • In the same folder, DoubleClick on the "FIX.bat" file.
  • You will be prompted by popup Alert to restart in 15 seconds.
  • Allow it to restart the computer!
  • On restart, Navigate to: C:\FINDnFIX\ main folder:
  • DoubleClick on the "RESTORE.bat" file.
  • It'll run and produce a new log (log1.txt). Post it here!

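For readers who want to see what "move the DLL, then restart" amounts to underneath, here is an added example. It is editor's code, not part of this thread and not what FINDnFIX's MOVEit.bat, FIX.bat or RESTORE.bat actually do (those scripts are the tool author's and may work differently). Windows' supported way of relocating a file that is in use is MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT: it queues a source/destination pair in the Session Manager's PendingFileRenameOperations value, and Session Manager replays that list early in the next boot, before any process that would honour an AppInit_DLLs entry exists. The pure helper models the registry shape so it runs on any platform; the two Windows-only functions need an Administrators token. The paths are the ones from the post above.

```python
r"""Move a file that is in use at the next boot (Windows mechanism).

MoveFileEx(..., MOVEFILE_DELAY_UNTIL_REBOOT) appends a source/destination
pair to the REG_MULTI_SZ value
  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
and Session Manager replays that list early in the next boot, before the
processes that would load an AppInit_DLLs entry exist.
"""
import sys

MOVEFILE_REPLACE_EXISTING = 0x1
MOVEFILE_DELAY_UNTIL_REBOOT = 0x4
PENDING_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager"
PENDING_VALUE = "PendingFileRenameOperations"


def nt_path(win_path):
    r"""The queue stores NT object names: C:\x is written as \??\C:\x."""
    return "\\??\\" + win_path


def add_pending_move(existing, src, dst=None, replace=False):
    """Pure model of the entry MoveFileEx appends; runs on any platform.

    Entries come in pairs (source, destination). An empty destination
    deletes the source; a destination prefixed with '!' may overwrite an
    existing file. Delayed moves must stay on one volume.
    """
    if len(existing) % 2:
        raise ValueError("queue must hold source/destination pairs")
    if dst is not None and src[:2].upper() != dst[:2].upper():
        raise ValueError("delayed moves cannot cross volumes")
    target = "" if dst is None else ("!" if replace else "") + nt_path(dst)
    return list(existing) + [nt_path(src), target]


def queue_move_at_reboot(src, dst=None, replace=False):
    """Queue the move through the kernel (Windows only, Administrators)."""
    if sys.platform != "win32":
        raise OSError("delay-until-reboot moves exist only on Windows")
    import ctypes
    from ctypes import wintypes
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.MoveFileExW.argtypes = (wintypes.LPCWSTR, wintypes.LPCWSTR, wintypes.DWORD)
    k32.MoveFileExW.restype = wintypes.BOOL
    flags = MOVEFILE_DELAY_UNTIL_REBOOT | (MOVEFILE_REPLACE_EXISTING if replace else 0)
    if not k32.MoveFileExW(src, dst, flags):
        raise ctypes.WinError(ctypes.get_last_error())


def read_pending_queue():
    """Read back what is queued so it can be checked before rebooting."""
    if sys.platform != "win32":
        raise OSError("the Session Manager key exists only on Windows")
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, PENDING_KEY) as key:
        try:
            value, _ = winreg.QueryValueEx(key, PENDING_VALUE)
        except FileNotFoundError:
            return []
    return list(value)


if __name__ == "__main__":
    # The registry shape that the move from the post above leaves behind.
    print(add_pending_move([], r"C:\WINDOWS\System32\WDMFLK.DLL",
                           r"C:\junkxxx\WDMFLK.DLL"))
```

Two caveats a practitioner should keep in mind: a delayed rename cannot cross volumes, so the holding folder has to sit on the same drive as System32 (here both are on C:), and moving the file only removes the payload. The registry value that loads it still has to be clean, which is why the FINDnFIX logs measure the size of the "Windows" key and string-scan it for a hidden AppInit_DLLs entry.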

#35 Beeza

Beeza

    Member

  • Full Member
  • Pip
  • 21 posts

Posted 27 June 2004 - 01:44 AM

Cool, I'll do that now. This is exciting! Be back soon - hopefully!

Cheers, Beeza :-)

#36 trollafrogg

trollafrogg

    Member

  • Full Member
  • Pip
  • 13 posts

Posted 27 June 2004 - 01:51 AM

Try this recipe from freeatlast if you need his workaround for the Notepad problem and the "can't find file" problem.

#37 PGPhantom

PGPhantom

    Superman of SWI

  • Emeritus
  • PipPipPipPipPip
  • 3,494 posts

Posted 27 June 2004 - 02:03 AM

trollafrogg - Please do not post in active logs - I am already working on the fix and am guiding the user through the various steps - You are only serving to confuse. Thank you for your consideration.

#38 Beeza

Beeza

    Member

  • Full Member
  • Pip
  • 21 posts

Posted 27 June 2004 - 02:06 AM

I'm baaaaack! Looking good PGPhantom. Here's the log...


»»»»»»»»»»»»»»»»»»*** freeatlast.100free.com ***»»»»»»»»»»»»»»»»

Sun 27/06/2004
6:57pm up 0 days, 0:04

Microsoft Windows XP [Version 5.1.2600]
The type of the file system is NTFS.
C: is not dirty.

*Locked files...
* result\\?\C:\junkxxx\WDMFLK.DLL

»»»Filtering files in System32.......( 'R;H;S') »»»
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

No matches found.

No matches found.
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

C:\JUNKXXX\
wdmflk.dll Wed 2 Jun 2004 19:16:06 A...R 57,344 56.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\JUNKXXX\WDMFLK.DLL


Search text: ŢSTREAMINGDEVICESETUP2Ů «CASE Insensitive Match
Searching ==>C:\JUNKXXX\WDMFLK.DLL
Run Time(sec) 0
**File C:\JUNKXXX\WDMFLK.DLL
0000DEBE: 67 44 65 76 69 63 65 00 . 00 53 74 72 65 61 6D 69 gDevice. .Streami
0000DED3: 63 65 53 65 74 75 70 00 . 32 00 00 00 00 00 E0 01 ceSetup. 2.....Ó.

move C:\WINDOWS\System32\WDMFLK.DLL C:\junkxxx\WDMFLK.DLL

-ra-- W32i - - - - 57,344 06-02-2004 wdmflk.dll
A R C:\junkxxx\WDMFLK.DLL
File: <C:\junkxxx\WDMFLK.DLL>

CRC-32 : D5C9FB2E

MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249




»»Permissions:
C:\junkxxx\WDMFLK.DLL Everyone:(special access:)

SYNCHRONIZE
FILE_EXECUTE

BUILTIN\Administrators:F

Directory "C:\junkxxx\."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000000 t--- 001F01FF ---- DSPO rw+x BEEZA\Beeza
Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 00000002 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

Owner: BEEZA\Beeza

Primary Group: BEEZA\None

Directory "C:\junkxxx\.."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 0000000A -c-- 00000002 ---- ---- -w-- BUILTIN\Users
Allow 00000000 t--- 001200A9 ---- -S-- r--x \Everyone

Owner: BUILTIN\Administrators

Primary Group: NT AUTHORITY\SYSTEM

File "C:\junkxxx\WDMFLK.DLL"
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000000 t--- 00100020 ---- ---- ---x \Everyone
Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Owner: BEEZA\Beeza

Primary Group: BEEZA\None


»»Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM



---------- WIN.TXT
f¨AppInit_DLLsÍ?ŠGŞ   C

---------- NEWWIN.TXT
AppInit_DLLsecte
**File C:\FINDnFIX\NEWWIN.TXT
**File C:\FINDnFIX\NEWWIN.TXT
000012F0: 01 00 00 00 01 00 76 00 . 5F 44 4C 4C 73 65 63 74 ......v. _DLLsect
**File C:\FINDnFIX\NEWWIN.TXT
Đ_ňÓ   vk  Ç   5swapdisk h ░ ­  X đ   vk  Ó   . TransmissionRetryTimeoutđ   vk  Ç'   E USERProcessHandleQuota" Ó   h ░ ­  X ł ě ě   vk  Ç   v AppInit_DLLsecte

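The Mask column in these permission dumps (the C:\junkxxx listing near the top of this section and the WDMFLK.DLL block in the post just above) is a raw Windows access mask, and decoding it is what explains why the tool reported the DLL as a locked file. The following is an added example, editor's code rather than anything from the thread or from FINDnFIX: it names the bits in each mask, parses the ACE rows of a dump, and answers two practical questions, who can delete the file and whether a principal can load it without being able to read it. The ACE rows embedded below are copied from the two dumps above; the regex assumes the dump's column layout (Type Flags Inh. Mask Gen. Std. File Trustee), and the cacls-style composite labels are the usual ones for those mask values.

```python
import re

# Access-right bits for file and directory objects (winnt.h values; each
# name gives the file meaning, then the directory meaning of the bit).
FILE_RIGHTS = {
    0x00000001: "FILE_READ_DATA/LIST_DIRECTORY",
    0x00000002: "FILE_WRITE_DATA/ADD_FILE",
    0x00000004: "FILE_APPEND_DATA/ADD_SUBDIRECTORY",
    0x00000008: "FILE_READ_EA",
    0x00000010: "FILE_WRITE_EA",
    0x00000020: "FILE_EXECUTE/TRAVERSE",
    0x00000040: "FILE_DELETE_CHILD",
    0x00000080: "FILE_READ_ATTRIBUTES",
    0x00000100: "FILE_WRITE_ATTRIBUTES",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
    0x10000000: "GENERIC_ALL",
    0x20000000: "GENERIC_EXECUTE",
    0x40000000: "GENERIC_WRITE",
    0x80000000: "GENERIC_READ",
}
ALL_KNOWN = sum(FILE_RIGHTS)
# Composite masks as cacls labels them.
COMPOSITES = {
    0x001F01FF: "Full Control (F)",
    0x001200A9: "Read & Execute (RX)",
    0x00120089: "Read (R)",
    0x00120116: "Write (W)",
}
ACE_FLAGS = {0x01: "OI", 0x02: "CI", 0x04: "NP", 0x08: "IO", 0x10: "INHERITED"}
DELETE, FILE_DELETE_CHILD = 0x00010000, 0x00000040
FILE_READ_DATA, FILE_EXECUTE = 0x00000001, 0x00000020

# One row of the dump: Type Flags Inh. Mask Gen. Std. File Trustee
ACE_RE = re.compile(
    r"^(Allow|Deny)\s+([0-9A-Fa-f]{8})\s+\S{4}\s+([0-9A-Fa-f]{8})"
    r"\s+\S{4}\s+\S{4}\s+\S{4}\s+(.+?)\s*$")


def decode_mask(mask):
    """Name every bit set in a 32-bit access mask, lowest bit first."""
    names = [name for bit, name in sorted(FILE_RIGHTS.items()) if mask & bit]
    leftover = mask & ~ALL_KNOWN
    if leftover:
        names.append("UNKNOWN(0x%08X)" % leftover)
    return names


def describe_mask(mask):
    """The cacls composite label when the mask is one, else the bit list."""
    return COMPOSITES.get(mask) or "+".join(decode_mask(mask))


def parse_acl(text):
    """Turn the ACE rows of one 'Permissions:' block into dicts."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        flag_bits = int(m.group(2), 16)
        aces.append({
            "type": m.group(1),
            "flags": [n for b, n in ACE_FLAGS.items() if flag_bits & b],
            "mask": int(m.group(3), 16),
            "trustee": m.group(4),
        })
    return aces


def effective_mask(aces, trustee):
    """Union of the trustee's Allow masks, minus anything a Deny ACE removes."""
    allow = deny = 0
    for ace in aces:
        if ace["trustee"] != trustee or "IO" in ace["flags"]:
            continue  # inherit-only ACEs do not apply to the object itself
        if ace["type"] == "Allow":
            allow |= ace["mask"]
        else:
            deny |= ace["mask"]
    return allow & ~deny


def can_delete(file_aces, parent_aces, trustee):
    """DELETE on the file or FILE_DELETE_CHILD on its directory is enough."""
    return bool(effective_mask(file_aces, trustee) & DELETE
                or effective_mask(parent_aces, trustee) & FILE_DELETE_CHILD)


def execute_only(aces, trustee):
    """True when the trustee may map/load the file but not read its bytes."""
    m = effective_mask(aces, trustee)
    return bool(m & FILE_EXECUTE) and not bool(m & FILE_READ_DATA)


# Sample input, copied from the WDMFLK.DLL and C:\junkxxx dumps above.
FILE_DUMP = """
Allow 00000000 t--- 00100020 ---- ---- ---x \\Everyone
Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\\Administrators
"""
DIR_DUMP = """
Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\\Administrators
Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\\SYSTEM
Allow 00000000 t--- 001F01FF ---- DSPO rw+x BEEZA\\Beeza
Allow 0000000B -co- 10000000 ---A ---- ---- \\CREATOR OWNER
Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\\Users
Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\\Users
Allow 00000002 tc-- 00000002 ---- ---- -w-- BUILTIN\\Users
"""

if __name__ == "__main__":
    for ace in parse_acl(FILE_DUMP):
        print(ace["type"], ace["trustee"], "->", describe_mask(ace["mask"]))
    print("Everyone execute-only:", execute_only(parse_acl(FILE_DUMP), "\\Everyone"))
```

Everyone's 00100020 decodes to FILE_EXECUTE plus SYNCHRONIZE, exactly the "SYNCHRONIZE / FILE_EXECUTE" the tool printed: any process can map the DLL as an image, but a non-administrator cannot open it for reading, copy it for analysis or delete it, and the holding folder gives Users no FILE_DELETE_CHILD either. Loadable by everyone, inspectable and removable only by Administrators and SYSTEM is the profile worth recognising on a dropped DLL.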
#39 Beeza

Beeza

    Member

  • Full Member
  • Pip
  • 21 posts

Posted 27 June 2004 - 02:11 AM

PGPhantom,

One thing I forgot to say is that I got a ZoneAlarm alert when the computer restarted...

"backWeb-8876480.exe is trying to access the Internet. Destination IP: 63.251.254.11: Port 370
This program has changed since the last time it ran!"

At this stage I have denied Internet access to backWeb-8876480.exe. Should I be worried about this? Do you know what it's about?

Cheers, Beeza :-)

#40 PGPhantom

PGPhantom

    Superman of SWI

  • Emeritus
  • PipPipPipPipPip
  • 3,494 posts

Posted 27 June 2004 - 02:13 AM

Can you post an updated HijackThis log? The backweb issue - I would disable it. It comes with the software for Logitech products and automatically checks for software upgrades and new products, services, and special offerings from Logitech - To me personally, a clever way for Logitech to push ads to you?? Not good in my books.

#41 Beeza

Beeza

    Member

  • Full Member
  • Pip
  • 21 posts

Posted 27 June 2004 - 02:19 AM

Logfile of HijackThis v1.97.7
Scan saved at 7:20:07 p.m., on 27/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\IE New Window Maximizer\iemaximizer.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\_EVOLVE\Downloads\Spyware Removal Tools\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\BRANDO~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\BRANDO~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [IridiumTimeWizard] C:\Program Files\Iridium\iridium.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [IE New Window Maximizer] C:\Program Files\IE New Window Maximizer\iemaximizer.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O15 - Trusted Zone: http://www.reddirect.co.nz
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan....r/axscanner.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {4BEE3896-4820-48D1-85EA-5A9A9ECD3D95} (OPUCatalog Class) - http://office.micros...t/opuc/opuc.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.micros...ontent/opuc.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - http://www.installen...gine/isetup.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://192.168.152.2...sCamControl.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7587.0816666667
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#42 PGPhantom

PGPhantom

    Superman of SWI

  • Emeritus
  • PipPipPipPipPip
  • 3,494 posts

Posted 27 June 2004 - 02:27 AM

I am fairly positive that we are dealing with a few registry remnants ...

Run HijackThis and delete:
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\BRANDO~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\BRANDO~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

Wait a few hours, reboot and post another HijackThis log just to verify that it is not back again.

It has gone midnight so adios for now - I'll check first thing in the morning to see if you have another log to check.

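PGPhantom's remnant list comes from reading the R0/R1 lines by eye. As an added example (editor's code, not HijackThis's and not anything posted in this thread), here is the same triage as a small parser over HijackThis 1.97 log lines: it flags IE search and start-page values that point at a page dropped in a Temp folder, served out of a DLL resource or marked "(obfuscated)" by HijackThis, the about:blank HomeOldSP value that was removed above, autoruns that launch from a temporary folder, and Trusted Zone additions for review. The sample log is a subset of the log posted above plus one constructed O4 line (the example.exe path is invented) to exercise the Temp-folder rule.

```python
import re

# "R1 - HKCU\...\Search,SearchAssistant = value" and "O4 - ..." lines.
LINE_RE = re.compile(r"^(R[0-3]|O\d{1,2})\s+-\s+(.*)$")
R_LINE_RE = re.compile(r"^(HK\w+\\.*?)\s+=\s+(.*)$")

# Search/start-page targets typical of CoolWebSearch variants:
#  - a page served out of a DLL resource (res://...\name.dll/page.html)
#  - an .html file dropped into a Temp folder and loaded via file://
#  - anything HijackThis itself marked "(obfuscated)"
SEARCH_HIJACK_RE = re.compile(
    r"res://.*\.dll/.*\.html|file://.*\\temp\\.*\.html|\(obfuscated\)",
    re.IGNORECASE)
# Autorun targets living in a temporary folder (8.3 or long form).
TEMP_PATH_RE = re.compile(r"\\temp\\|\\temporary internet files\\",
                          re.IGNORECASE)


def triage(log_text):
    """Return (severity, section, reason, line) tuples for lines worth acting on.

    severity is "fix" for entries this thread treats as hijack remnants and
    "review" for entries that need a human decision.
    """
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        section, body = m.groups()
        if section.startswith("R"):
            km = R_LINE_RE.match(body)
            if not km:
                continue
            key, value = km.groups()
            if SEARCH_HIJACK_RE.search(value):
                findings.append(("fix", section,
                                 "IE search/start value points at a dropped page", line))
            elif key.endswith("HomeOldSP") and value.lower() == "about:blank":
                findings.append(("fix", section,
                                 "about:blank HomeOldSP left behind by the hijack", line))
        elif section == "O4" and TEMP_PATH_RE.search(body):
            findings.append(("fix", section,
                             "autorun launches a program from a temporary folder", line))
        elif section == "O15":
            findings.append(("review", section,
                             "site in IE Trusted Zone; confirm it was added on purpose", line))
    return findings


# Sample log: lines from the HijackThis log above, plus one constructed O4
# line (the [example] entry and its path are invented) for the Temp rule.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\BRANDO~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\BRANDO~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [example] C:\DOCUME~1\BRANDO~1\LOCALS~1\Temp\example.exe
O15 - Trusted Zone: http://www.reddirect.co.nz
"""

if __name__ == "__main__":
    for severity, section, reason, line in triage(SAMPLE_LOG):
        print("[%s] %s: %s\n    %s" % (severity.upper(), section, reason, line))
```

Everything flagged "fix" maps onto the three lines PGPhantom had removed. The Trusted Zone entry is only surfaced, not condemned: a site in that zone runs under IE's most permissive zone settings, so it deserves a deliberate yes or no from the machine's owner rather than an automatic delete.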
#43 PGPhantom

PGPhantom

    Superman of SWI

  • Emeritus
  • PipPipPipPipPip
  • 3,494 posts

Posted 27 June 2004 - 02:28 AM

I should have added - Can you do as much of the following as possible ...

The following is a recommended maintenance regime for Windows XP:
  • The following DIRECTORY CONTENTS (But not the directory), need to be regularly emptied. Make sure your settings allow you to view "Hidden files". Open up any explorer windows and click on "Tools" => "Folder Options" => "View" and be sure to check off "Show Hidden Files and Folders". Click on "Apply to All Folders" and then respond "Yes" when prompted and click on "OK" to apply the change.
    • %windir%\prefetch\
    • %windir%\Temp\
    • %temp%\
    • %userprofile%\Local Settings\Temp\
    • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
    • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
  • Click on "Start" => "Settings" => "Control Panel" => "Internet Options". Click on "Delete Files", select "Delete All Offline Content" and click on "OK". Click on "OK" once more to close the options panel.
  • Right click on "Recycle Bin" and select "Empty Recycle Bin" and respond "Yes" when prompted.
  • Back-Up your files. You can use Windows backup which must be installed from the XP CD <cd-Drive>\valuadd\msft\ntbackup. Be sure to back up the following:
    • Office documents
    • Email data - Messages and address book
    • Games saves.
    • Digital Photos and other artwork.
    • Movies that you have created or edited.
    • MP3s and other music files.
    • Browser favorites and bookmarks.
    • Downloaded files/programs.
    • Passwords, security codes etc. for anything that is password protected like Quicken.
    • Activation codes for applications downloaded and registered.
  • Do not go without an anti-virus program. Free ones include:
  • Be sure to run a periodic Trojan Scan with any of the following programs:
  • Use a Firewall such as ZoneAlarm
  • Regularly scan for adware and spyware using the following programs:
  • Defragment your system. Click on "Start" => "Programs" => "Accessories" => "System Tools" => "Disk Defragmenter".
  • Update your system. Go to Microsoft Windows Update and download all critical updates for your system.
  • Cleanup Your Disk. Click on "Start" => "Programs" => "Accessories" => "System Tools" => "Disk Cleanup".
  • Clear your icon cache. Delete the following file: %userprofile%\Local Settings\Application Data\IconCache.db. Reboot.


#44 Beeza

Beeza

    Member

  • Full Member
  • Pip
  • 21 posts

Posted 27 June 2004 - 02:52 AM

Hi PGPhantom,

Thanks for that. I have deleted the 3 remnants and done most of the other things too. Will post another log in a few hours.

Cheers, Beeza :-)

#45 Beeza

Beeza

    Member

  • Full Member
  • Pip
  • 21 posts

Posted 27 June 2004 - 08:27 AM

Hi PGPhantom,

Things are looking GOOOOD! I cleaned up those remnants, then deleted content from all 7 folders you recommended. Found another sp.html hiding in Default User/Temp and deleted that too. It's been 5 1/2 hours so far and it's looking GREAT. I haven't rebooted yet, so fingers crossed. I'm off to bed now, it's 1:25 am here. Talk again in the morning.

Cheers, Beeza :-)


Logfile of HijackThis v1.97.7
Scan saved at 1:20:40 a.m., on 28/06/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\IE New Window Maximizer\iemaximizer.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\_EVOLVE\Downloads\Spyware Removal Tools\Hijack This\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [IridiumTimeWizard] C:\Program Files\Iridium\iridium.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [IE New Window Maximizer] C:\Program Files\IE New Window Maximizer\iemaximizer.exe
O4 - HKCU\..\RunOnce: [iTouch] C:\Program Files\Logitech\iTouch\iTouch.exe /RegServer
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O15 - Trusted Zone: http://www.reddirect.co.nz
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan....r/axscanner.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {4BEE3896-4820-48D1-85EA-5A9A9ECD3D95} (OPUCatalog Class) - http://office.micros...t/opuc/opuc.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.micros...ontent/opuc.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - http://www.installen...gine/isetup.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://192.168.152.2...sCamControl.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7587.0816666667
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#46 PGPhantom

PGPhantom

    Superman of SWI

  • Emeritus
  • PipPipPipPipPip
  • 3,494 posts

Posted 27 June 2004 - 10:59 AM

The good news is ... It is clean :) :D Thank you for sticking in there while we resolved this.

The problems here look to be resolved so I will close the thread. If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.

If you would like to make a contribution to help support SpywareInfo, please check this link for more information.

#47 cnm

cnm

    Mother Lion of SWI

  • Administrators
  • PipPipPipPipPip
  • 25,317 posts

Posted 27 June 2004 - 04:36 PM

Beeza adds thanks via email:


My CWS problem has been fully resolved by PGPhantom and the thread closed before I had a chance to thank him.

PGPhantom... a BIG THANK YOU!!! You were brilliant. And thank YOU for sticking in there while we resolved it. It has been a pleasure working with you.

Cheers, Beeza :-)
