Beeza

Stubborn CWS - help please!

47 posts in this topic

Greetings,

 

I have been infected with a particularly stubborn CWS hijacker. I have run Spybot S&D, Ad-aware, SpySweeper and HijackThis, but it keeps reinstalling.

 

Here is my HijackThis log...

 

Logfile of HijackThis v1.97.7

Scan saved at 3:54:08 p.m., on 12/06/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe

C:\WINDOWS\System32\igfxtray.exe

C:\WINDOWS\System32\hkcmd.exe

C:\Program Files\Intel\Intel® Active Monitor\imontray.exe

C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE

C:\Program Files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

C:\Program Files\Microsoft Office\Office10\msoffice.exe

C:\WINDOWS\explorer.exe

C:\_EVOLVE\Downloads\Spyware Removal Tools\Hijack This\HijackThis.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Messenger\msmsgs.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\hdcf.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\hdcf.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\hdcf.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\hdcf.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\hdcf.dll/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\hdcf.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [iMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe

O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe

O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE

O4 - HKLM\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe

O4 - HKCU\..\Run: [iridiumTimeWizard] C:\Program Files\Iridium\iridium.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O15 - Trusted Zone: http://www.reddirect.co.nz

O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab

O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab

O16 - DPF: {4BEE3896-4820-48D1-85EA-5A9A9ECD3D95} (OPUCatalog Class) - http://office.microsoft.com/productupdates...t/opuc/opuc.cab

O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab

O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - http://www.installengine.com/engine/isetup.cab

O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://192.168.152.250/activex/AxisCamControl.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7587.0816666667

O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partner...bad/install.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

 

Can someone please tell me how to delete the malicious files? It looks to me like hdcf.dll is the culprit. Is this correct?

 

Cheers, Beeza


Beeza, I also may have the same strain. Take a look at my strain... a user Wiskonst has been assisting nicely.

 

 

-Jon


Just wondering, I had a similar problem and I finally made it go away, or at least I thought I did for now... Open Control Panel, Administrative Tools, Services, and see if you have something called Network Security Service.


Hi QuantumSlip

 

I had a look and I don't have anything called Network Security Service there. You got me worried now, should I? Or is it good that I don't?!!

 

Cheers, Beeza :-)


Hi Jon,

 

Yep, I remember reading your post before my very first post and recognising that I seem to have the exact same strain as you.

 

I hate the grief it's causing me, but in a strange way I have to admire the cleverness of it too. If only the dunderhead creators would turn their efforts to useful activities!

 

I am tempted to try and fix it myself based on what Wiskonst has been advising you, but I'm a bit worried about stuffing it up. Thought I'd better wait until I got expert advice. However, these guys seem to be snowed under with people like us, so I might give it a go soon.

 

Cheers, Beeza :-)

Hi QuantumSlip

 

I had a look and I don't have anything called Network Security Service there. You got me worried now, should I? Or is it good that I don't?!!

 

Cheers, Beeza :-)

Yea, after digging around I found out that wasn't the cause of the problems... For now it's gone for me, but I'm not surprised if it comes back :( The only thing that I can think of, other than removing all those files/reg entries/etc., was to repair the Winsock; try a utility called WinsockXPFix.exe; should be easy to find on Google. Run this after removing all the malware that you can find. If that doesn't work.... hope someone else can figure this out.


BUMP.

 

Below are 3 updated HijackThis logs: one before cleaning all eight dodgy items (R1-HKCU, R1-HKLM, R0-HKLM, and O2-BHO entries), one straight after cleaning those items, and the last one after shutting down and CWS has come back.

 

My computer is running like a dog and I really want to get this fixed. Can anyone help?

 

Cheers, Beeza

 

LOG #1, BEFORE CLEANING...

 

Logfile of HijackThis v1.97.7

Scan saved at 12:16:53 a.m., on 18/06/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\igfxtray.exe

C:\WINDOWS\System32\hkcmd.exe

C:\Program Files\Intel\Intel® Active Monitor\imontray.exe

C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE

C:\Program Files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe

C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

C:\Program Files\Microsoft Office\Office10\msoffice.exe

C:\WINDOWS\System32\svchost.exe

C:\_EVOLVE\Downloads\Spyware Removal Tools\Hijack This\HijackThis.exe

C:\WINDOWS\NOTEPAD.EXE

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\BRANDO~1\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\BRANDO~1\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\BRANDO~1\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\BRANDO~1\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\BRANDO~1\LOCALS~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\BRANDO~1\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {94E5AC60-2025-462D-B07B-3417C60C0EEC} - C:\WINDOWS\System32\edm.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [iMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe

O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe

O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE

O4 - HKLM\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe

O4 - HKCU\..\Run: [iridiumTimeWizard] C:\Program Files\Iridium\iridium.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O15 - Trusted Zone: http://www.reddirect.co.nz

O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab

O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab

O16 - DPF: {4BEE3896-4820-48D1-85EA-5A9A9ECD3D95} (OPUCatalog Class) - http://office.microsoft.com/productupdates...t/opuc/opuc.cab

O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab

O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - http://www.installengine.com/engine/isetup.cab

O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://192.168.152.250/activex/AxisCamControl.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7587.0816666667

O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partner...bad/install.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

 

 

 

LOG #2, AFTER CLEANING...

 

Logfile of HijackThis v1.97.7

Scan saved at 12:18:21 a.m., on 18/06/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\igfxtray.exe

C:\WINDOWS\System32\hkcmd.exe

C:\Program Files\Intel\Intel® Active Monitor\imontray.exe

C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE

C:\Program Files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe

C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

C:\Program Files\Microsoft Office\Office10\msoffice.exe

C:\WINDOWS\System32\svchost.exe

C:\_EVOLVE\Downloads\Spyware Removal Tools\Hijack This\HijackThis.exe

C:\WINDOWS\NOTEPAD.EXE

C:\WINDOWS\system32\NOTEPAD.EXE

 

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [iMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe

O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe

O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE

O4 - HKLM\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe

O4 - HKCU\..\Run: [iridiumTimeWizard] C:\Program Files\Iridium\iridium.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O15 - Trusted Zone: http://www.reddirect.co.nz

O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab

O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab

O16 - DPF: {4BEE3896-4820-48D1-85EA-5A9A9ECD3D95} (OPUCatalog Class) - http://office.microsoft.com/productupdates...t/opuc/opuc.cab

O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab

O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - http://www.installengine.com/engine/isetup.cab

O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://192.168.152.250/activex/AxisCamControl.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7587.0816666667

O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partner...bad/install.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

 

 

 

LOG #3, AFTER SHUTTING DOWN OVERNIGHT AND USING PC ALL DAY, BACK IT CAME...

 

Logfile of HijackThis v1.97.7

Scan saved at 5:57:49 p.m., on 18/06/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\System32\igfxtray.exe

C:\WINDOWS\System32\hkcmd.exe

C:\Program Files\Intel\Intel® Active Monitor\imontray.exe

C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE

C:\Program Files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe

C:\Program Files\Microsoft Office\Office10\msoffice.exe

C:\Program Files\Messenger\msmsgs.exe

C:\_EVOLVE\Downloads\Spyware Removal Tools\Hijack This\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\BRANDO~1\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\BRANDO~1\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\BRANDO~1\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\BRANDO~1\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\BRANDO~1\LOCALS~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\BRANDO~1\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {12226606-AF09-4DA0-A561-D4386C49EB61} - C:\WINDOWS\System32\momo.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [iMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe

O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe

O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE

O4 - HKLM\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe

O4 - HKCU\..\Run: [iridiumTimeWizard] C:\Program Files\Iridium\iridium.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O15 - Trusted Zone: http://www.reddirect.co.nz

O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab

O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab

O16 - DPF: {4BEE3896-4820-48D1-85EA-5A9A9ECD3D95} (OPUCatalog Class) - http://office.microsoft.com/productupdates...t/opuc/opuc.cab

O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab

O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - http://www.installengine.com/engine/isetup.cab

O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://192.168.152.250/activex/AxisCamControl.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7587.0816666667

O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partner...bad/install.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

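Rather than eyeballing three double-spaced logs, the entries can be triaged and diffed mechanically. The script below is an added example written for this thread; it is not a tool posted by anyone here, nor part of HijackThis or Spybot. The sample lines are excerpts of the logs posted above (headers trimmed), and the triage rules are my own heuristics for this CWS variant: a search/start page set to a local res:// or file:// target (hdcf.dll/sp.html, then Temp\sp.html), an unnamed BHO loaded from System32 under a short random name (edm.dll, momo.dll), a Trusted Zone addition, and an ActiveX control fetched from a raw IP. The last two are review prompts, not verdicts; the Axis camera control on a LAN address may well be legitimate. Diffing LOG #2 against LOG #3 lists what the clean-up did not reach, and the BHO comparison shows that the hijacker's BHO came back under a different CLSID and filename, which is why fixing it by name in HijackThis does not stick.

```python
import re
from dataclasses import dataclass

# Constructed excerpts of the logs posted in this thread: LOG #1 (before
# cleaning), LOG #2 (right after cleaning) and LOG #3 (after CWS came back).
# Header and process lines are trimmed; the entry lines are verbatim.
LOG_BEFORE = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\BRANDO~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\BRANDO~1\LOCALS~1\Temp\sp.html
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {94E5AC60-2025-462D-B07B-3417C60C0EEC} - C:\WINDOWS\System32\edm.dll
O15 - Trusted Zone: http://www.reddirect.co.nz
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://192.168.152.250/activex/AxisCamControl.cab
"""
LOG_AFTER = r"""O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O15 - Trusted Zone: http://www.reddirect.co.nz
"""
LOG_RETURNED = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\BRANDO~1\LOCALS~1\Temp\sp.html
O2 - BHO: (no name) - {12226606-AF09-4DA0-A561-D4386C49EB61} - C:\WINDOWS\System32\momo.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O15 - Trusted Zone: http://www.reddirect.co.nz
"""

ENTRY_RE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")          # "O16 - DPF: ..."
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Heuristic (my assumption, not a HijackThis rule): CWS drops an unnamed BHO
# in System32 with a 2-8 character lowercase/digit name (edm.dll, momo.dll).
UNNAMED_SYS32_BHO = re.compile(r"^BHO: \(no name\) - .* - .*\\system32\\([a-z0-9]{2,8})\.dll$", re.I)
RAW_IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}/", re.I)


@dataclass(frozen=True)
class Entry:
    section: str   # R0, R1, O2, O4, O15, O16 ...
    body: str      # everything after "Xn - "


def parse_log(text):
    """Keep only the numbered entries; drop the header and running-process list."""
    out = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append(Entry(m.group(1), m.group(2)))
    return out


def triage(e):
    """Reason an entry deserves attention in a CWS case, or None if it looks benign."""
    if e.section in ("R0", "R1") and re.search(r"= (res|file)://", e.body, re.I):
        return "search/start page points at a local file, not a web site"
    if e.section == "O2" and UNNAMED_SYS32_BHO.match(e.body):
        return "unnamed BHO loaded from System32 under a short random name"
    if e.section == "O15":
        return "site placed in IE Trusted Zone; confirm it was added deliberately"
    if e.section == "O16" and RAW_IP_URL.search(e.body):
        return "ActiveX control fetched from a raw IP; confirm it is a known device"
    return None


def suspicious(text):
    return [(e, r) for e in parse_log(text) if (r := triage(e)) is not None]


def new_entries(before, after):
    """Entries present in `after` but not in `before`: what reappeared or changed."""
    seen = set(parse_log(before))
    return [e for e in parse_log(after) if e not in seen]


def bho_identity(e):
    """(CLSID, dll name) so re-registration under a fresh name is obvious."""
    m = CLSID_RE.search(e.body)
    return (m.group(0).upper() if m else None, e.body.rsplit("\\", 1)[-1].lower())


def rotated_bhos(before, after):
    """Suspicious BHO identities that differ between two logs (symmetric difference)."""
    pick = lambda t: {bho_identity(e) for e, _ in suspicious(t) if e.section == "O2"}
    return sorted(pick(before) ^ pick(after))


if __name__ == "__main__":
    for e, why in suspicious(LOG_BEFORE):
        print(f"[{e.section}] {why}\n      {e.body}")
    print("\nCame back after the fix (LOG #2 -> LOG #3):")
    for e in new_entries(LOG_AFTER, LOG_RETURNED):
        print(f"  {e.section} - {e.body}")
    print("\nBHO identities that changed:", rotated_bhos(LOG_BEFORE, LOG_RETURNED))
```

To use it on real logs, read each saved HijackThis log with open(path).read() in place of the constants above; the diff is only meaningful between logs from the same machine, and every O15/O16 hit still needs a human to decide whether the site or control belongs there.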

Well Beeza... I'm not sure if this is good news or bad news but I have the same EXACT hijacker you do. I haven't been able to eliminate mine totally but I have kept it at bay until there is a solid way to eliminate it completely.

I'll share what I've done so far and hopefully it will help.

Safemode boot:

Find jscript.dll and jsproxy.dll in the C:\Windows\system32 folder and add "rename-" to the front (i.e. rename-jscript.dll). Do the same for the Java folder in C:\Windows. This will not hurt your system in the least, and when it's figured out how to fix this you can just remove the "rename-" part.

I also uninstalled Sun's Java so that my system is not running Java at all.

I had read that CoolWWWSearch uses security holes in Microsoft's Java Virtual Machine to get onto your computer. As a test I reinstalled Sun Java and sure enough my homepage was being hit left and right.

OK... onto Spybot, which I see you have... make sure it's updated and make sure TeaTimer.exe is running (great little tool, and it looks like it's already running). To find that, click "Mode" and choose "Advanced" -> "Tools" -> "Resident".

IE Tweaks: "Lock Hosts file read-only as protection against hijackers"

Under Spybot-S&D click "Immunize" and you already have the Browser helper running.

 

Uninstall Sun Java... do the reboot that it calls for and come back into safemode.

 

Run CWShredder, newest version 1.59.0. Even if it says none found, scroll back up and double check. (I find that it removed CWS.Searchx even though it says none found.)

Run Spybot-S&D and fix the problems that it finds.

Run Adaware 6 with latest update (seems like a new update every couple days) and repair any problems it finds.

Launch Hijack this again:

Your browser pages should be fixed and edm.dll should be gone; if not, check them off. Check the install engine program and see if it's a program that should be running. (I'm not sure, but you may; if not, check that one.)

WildTangent, if it is still there, click that one. WildTangent gets installed with Bearshare and/or Kazaa and is adware. Pretty much harmless, but a pest nonetheless, so you can check that one.

You should be good to go (so to speak) and holding CWS at bay. Tea Timer will ask you about adding entries, if in doubt click disallow. I watch to see if it's adding or deleting an entry and allow all deletes and allow only the allows that are setting my homepage to the normal google page. If you hit a page and you get a popup asking to download Microsoft Virtual Java Machine click cancel (that's what I do anyway).

The only BHO you want running in your case is the SDHelper.

 

A strange thing I've noticed with this hijacker is when it comes back it knocks out my virus scanner, Tea Timer and AdWatch 3.0. They're still running in the background but no longer show up in the icon tray. And I've caught a DOS window pop up and only flash for a second just before it happens, but it's a quick fix from there. I launch HJT and check off the stuff that doesn't belong and click fix. But I can sometimes go a day or so before I get hit without suffering in performance. I've heard this hijack has bogged some people's computers down to a crawl. The experts on this board as well as myself are trying to track down an effective way to delete the problem (pssst.. they will probably come up with it first) but in the meantime this bandaid is working for me.

 

Hope this helps!


:) Just so that you know you are not being ignored - I will handle this case for you but I need to ask for your patience while I review the log

 

Please keep an eye on this message for a resolution shortly.


  1. How to Remove CoolWebSearch with CoolWeb Shredder <= Please click on this link for instructions on how to download and use CoolWebSearch Shredder which will help remove a CWS infection on your computer. Make sure you close all programs and windows before running it and be sure to click on the "Fix" button.
  2. Run HijackThis, click on "Scan" and then place a check mark in the following boxes, And click on "Fix Checked":
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\BRANDO~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\BRANDO~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\BRANDO~1\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\BRANDO~1\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\BRANDO~1\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\BRANDO~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {12226606-AF09-4DA0-A561-D4386C49EB61} - C:\WINDOWS\System32\momo.dll
  3. Please reboot into safe mode - How do I boot into "Safe" mode?
  4. The following FILES, DIRECTORIES and DIRECTORY CONTENTS (but not the directory) need to be deleted while in safe mode. Make sure your settings allow you to view "Hidden files". Open up any Explorer window and click on "Tools" => "Folder Options" => "View" and be sure to check off "Show Hidden Files and Folders". If the files etc. listed are not present, do not worry, just delete those that you can find. If no path is listed, you may need to search for the file(s). To search, click on "Start" => "Search" => "For Files and Folders" => "All Files and Folders" and type in the file name. You can delete it right from the search results window.

    1. DIRECTORY CONTENTS (but not the directory)
      • C:\Windows\Temp\
      • C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <= This will delete all your cached internet content including cookies. This is recommended and strongly suggested.
      • C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
      • C:\Documents and Settings\<Any other user's Profile>\Local Settings\Temporary Internet Files\
      • C:\Documents and Settings\<Any other user's Profile>\Local Settings\Temp\
      • Empty your "Recycle Bin"
    2. DIRECTORIES
      • Nothing Yet
    3. FILES
      • C:\WINDOWS\System32\momo.dll
  5. Reboot again and log in normally, repost a new HijackThis log into this message for further review.


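A defender-side check for the entries PGPhantom's fix list targets, written as an added example that is not part of the thread and not HijackThis' own code: it parses the R0/R1 and O2 lines of a HijackThis log, flags the Temp\sp.html redirections, the leftover HomeOldSP entry and any unnamed BHO loading from System32, and derives the file list that step 4 deletes in safe mode. The known-good BHO CLSIDs are copied from the clean logs on this page; the sample log is constructed from lines quoted in the thread.

```python
"""Scan a HijackThis v1.97-style log for the CoolWebSearch pattern in this
thread.  Added example, not the forum's or HijackThis' own code.

Rules, taken from the entries PGPhantom told the poster to fix:
  * R0/R1 search or start-page entries redirected to a local file:// page
    under a Temp folder (the sp.html hijack);
  * a leftover HomeOldSP = about:blank entry;
  * an O2 BHO shown as "(no name)" that loads a DLL from System32 (momo.dll).
BHOs whose CLSID the thread identifies as legitimate are skipped.
"""
import re
from dataclasses import dataclass
from typing import List

R_LINE = re.compile(r"^(?P<kind>R[01]) - (?P<key>[^=]+?),(?P<value>[^=]+?) = (?P<data>.*)$")
BHO_LINE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")

# CLSIDs copied from the clean logs in this thread: Spybot SDHelper,
# SpywareGuard Download Protection and the Google Toolbar BHO.
KNOWN_GOOD_BHO = {
    "{53707962-6F74-2D53-2644-206D7942484F}",
    "{4A368E80-174F-4872-96B5-0B27DDD11DB2}",
    "{AA58ED58-01DD-4D91-8333-CF10577473F7}",
}


@dataclass(frozen=True)
class Finding:
    line: str      # the HijackThis entry that matched
    reason: str    # why it is suspicious
    artifact: str  # file on disk implicated by the entry ("" if none)


def _file_url_to_path(url: str) -> str:
    """file://C:\\...\\sp.html -> C:\\...\\sp.html.  HijackThis prints the
    bare Windows path after the scheme, so no URL decoding is needed."""
    return url[len("file://"):]


def scan_hjt_log(text: str) -> List[Finding]:
    """Return the CWS-style entries found in a HijackThis log."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = R_LINE.match(line)
        if m:
            data = m.group("data")
            if data.lower().startswith("file://") and "\\temp\\" in data.lower():
                findings.append(Finding(
                    line, "IE search/start page redirected to a local page in a Temp folder",
                    _file_url_to_path(data)))
            elif m.group("value") == "HomeOldSP":
                findings.append(Finding(line, "leftover HomeOldSP entry (included in the fix list)", ""))
            continue
        m = BHO_LINE.match(line)
        if m and m.group("clsid").upper() not in KNOWN_GOOD_BHO:
            path = m.group("path")
            if m.group("name") == "(no name)" and "\\system32\\" in path.lower():
                findings.append(Finding(line, "unnamed BHO loading a DLL from System32", path))
    return findings


def artifacts_to_remove(findings: List[Finding]) -> List[str]:
    """Files the findings point at: the 'FILES' list of step 4 above."""
    return sorted({f.artifact for f in findings if f.artifact})


# Constructed sample made from lines quoted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\BRANDO~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\BRANDO~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {12226606-AF09-4DA0-A561-D4386C49EB61} - C:\WINDOWS\System32\momo.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
"""

if __name__ == "__main__":
    found = scan_hjt_log(SAMPLE_LOG)
    for f in found:
        print(f"{f.reason}: {f.line}")
    print("files to delete in safe mode:", artifacts_to_remove(found))
```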
Hi PGPhantom,

 

Many thanks for your help. It's 5:30 am here and I've been up all night, but I'm VERY happy to be knocking this damn CWS thing on the head :bounce:

 

I'm gonna stay up a bit longer to hopefully catch your reply. I've done all the things you suggested. One observation: I had a lot of sub-folders in the temp directory. I went through them and cleaned up anything I knew was okay to do so, but left a lot behind. Is that okay, or should I have just deleted everything?

 

Here's my updated HJT log...

 

Logfile of HijackThis v1.97.7

Scan saved at 5:28:48 a.m., on 19/06/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\igfxtray.exe

C:\WINDOWS\System32\hkcmd.exe

C:\Program Files\Intel\Intel® Active Monitor\imontray.exe

C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE

C:\Program Files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

C:\Program Files\Microsoft Office\Office10\msoffice.exe

C:\_EVOLVE\Downloads\Spyware Removal Tools\Hijack This\HijackThis.exe

C:\Program Files\Messenger\msmsgs.exe

 

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [iMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe

O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe

O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE

O4 - HKLM\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"

O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe

O4 - HKCU\..\Run: [iridiumTimeWizard] C:\Program Files\Iridium\iridium.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O15 - Trusted Zone: http://www.reddirect.co.nz

O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab

O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab

O16 - DPF: {4BEE3896-4820-48D1-85EA-5A9A9ECD3D95} (OPUCatalog Class) - http://office.microsoft.com/productupdates...t/opuc/opuc.cab

O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab

O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - http://www.installengine.com/engine/isetup.cab

O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://192.168.152.250/activex/AxisCamControl.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7587.0816666667

O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partner...bad/install.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

 

Cheers, Beeza :-)


Over 24 hours and still symptom free! I would venture to guess that it is correct that this version needs JAVA to multiply. I have taken a complete snapshot of my system with Iolo's System Mechanic while it's clean and will take another snapshot if the symptoms return and make a comparison. If and when the symptoms return Beeza, which personal experience with this denotes it will, give my bandaid solution a try.

This strain of CWS pretty much has a mind of its own and should be named CWS.Temp\sp.html Hijacker or CWS.Ewizard Hijack. I'll start my own topic and post my HJT log so people can see the bandaid is working. If you try my bandaid and it works as well for you as it has for me, make sure you post your log and tell people. There are a lot of people suffering from this and if a cure isn't right around the corner, making the symptoms disappear is a good thing.

 

Best of Luck


Your log looks clean :)

 

Here are some tips. To reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:

  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.

To protect yourself further:

  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free Google Toolbar to help stop pop-up windows.

I also suggest that you delete any files from "temp", "tmp" folders. In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files" and select the box that says "Delete All Offline Content" and click on "OK" twice. Also, empty the recycle bin by right clicking on it and selecting "Empty Recycle Bin". These steps should be done on a regular basis.


Thank you PGPhantom,

 

I'm a very happy chappy ;D

 

I had already done most of the other things you recommended, and am now doing the rest. I have got rid of CWS before and it comes back, so don't be surprised if you hear from me again!

 

 

BCGovtMartyr,

 

Thanks for your comments. Yep, we have the same strain alright. I think I know where I got mine too. I got given a CD with photos but I couldn't read it. Needed a Sonic UDF reader or something. The link was dead, so I Googled them and found a Japanese Sonic website with Sonic UDF reader download. I don't know whether it was the website or on the back of the download, but I'm pretty sure that's where I got hit.

 

Cheers, Beeza :-)


I know where mine came from Beeza. I was doing a search for something on the net, clicked a link and poof, I got shot to a porn site. Having children in the house and moving about, I quickly closed the window(s) that popped up but it was too late. Damage was done. Of the 4 PCs I have running here this is the only one infected (of course it has to be the server and the fastest one here ::sigh::). Hopefully there will be a cure here soon. These guys are awesome in their tireless venture of finding a cure. Kudos, guys!


Glad to have been of help :)

 

It has been our pleasure to help you :)

 

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.

 

If you would like to make a contribution to help support SpywareInfo, please check this link for more information.


I've got this EXACT same CWS problem too! Beeza, do you get a bunch of popups advertising spyware removal software of all things?

 

Thanks for the assistance PG Phantom... I'm going to try it out and see if it cures my ills. My HijackThis log is posted in a new topic.


Hi PGPhantom,

 

Well, the fix lasted all of 2 hours and I've been having all sorts of problems since then. For a while IE wasn't even working and I couldn't access internet.

 

What I've found is that I can delete all malicious files and have a completely clean HJT log, then open IE and SpywareGuard kicks into action as CWS tries to install new BHOs. I restore all the old BHOs but as BCGovtMartyr has noted, there's still an sp.html file in temp, and sometimes a dll file with a randomly generated name, e.g. jfpifab.dll in windows/system32.

 

Sometimes after restoring the old BHOs with SpywareGuard, I can't access internet. I basically have to reboot when this happens. It's almost as though this variant of CWS knows that you've removed it, so disables IE to spite you. Either that or I'm doing something wrong when SpywareGuard kicks into action.

 

URGH!... It happened half way through writing this post. I opened a new window... couldn't find server, couldn't find anything. From bitter experience I knew what to do: copy this post to word doc and save, then reboot and start again. But before I did I ran HJT and the log was clean. Go figure.

 

Below I have posted two logs. The first one is after I first turned my PC on this morning - clean log. Next I opened IE and watched Spyguard kick into action as CWS tried to install new BHOs. I denied all the changes and restored the old BHOs, then ran HJT again. You'll see the top 3 entries on that log are all CWS that Spyguard didn't remove. I remove them with HJT but it doesn't make any difference. It always comes back.

 

The other thing I've found is that sometimes my PC freezes for several minutes (100% CPU usage) as CWS reinstalls itself.

 

I'm also having problems with my PC running out of virtual memory and slowing down to a crawl. Never had these problems before.

 

I wish I knew where on my system this CWS is hiding. It lurks out of sight in the shadows, occasionally throwing its sp.html and BHO bandits out to wreak havoc, but always remaining hidden itself so it can continue to control the proceedings. If someone can work out how it does it, a tool can be developed to identify and remove it.

 

Anyway, enough of my frustrated ramblings. Here are the two logs. I'm not sure what to do next so any help you can give me is much appreciated. I might try the bandaid solution BCGovtMartyr talked about too.

 

Cheers, Beeza

 

 

Logfile of HijackThis v1.97.7

Scan saved at 7:37:22 a.m., on 25/06/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\System32\igfxtray.exe

C:\WINDOWS\System32\hkcmd.exe

C:\Program Files\Intel\Intel® Active Monitor\imontray.exe

C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE

C:\Program Files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\IE New Window Maximizer\iemaximizer.exe

C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe

C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

C:\Program Files\SpywareGuard\sgmain.exe

C:\Program Files\Microsoft Office\Office10\msoffice.exe

C:\Program Files\SpywareGuard\sgbhp.exe

C:\Program Files\Messenger\msmsgs.exe

C:\_EVOLVE\Downloads\Spyware Removal Tools\Hijack This\HijackThis.exe

 

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [iMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe

O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe

O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE

O4 - HKLM\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe

O4 - HKCU\..\Run: [iridiumTimeWizard] C:\Program Files\Iridium\iridium.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [iE New Window Maximizer] C:\Program Files\IE New Window Maximizer\iemaximizer.exe

O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O15 - Trusted Zone: http://www.reddirect.co.nz

O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab

O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab

O16 - DPF: {4BEE3896-4820-48D1-85EA-5A9A9ECD3D95} (OPUCatalog Class) - http://office.microsoft.com/productupdates...t/opuc/opuc.cab

O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab

O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - http://www.installengine.com/engine/isetup.cab

O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://192.168.152.250/activex/AxisCamControl.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7587.0816666667

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

 

Logfile of HijackThis v1.97.7

Scan saved at 7:39:59 a.m., on 25/06/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\System32\igfxtray.exe

C:\WINDOWS\System32\hkcmd.exe

C:\Program Files\Intel\Intel® Active Monitor\imontray.exe

C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE

C:\Program Files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\IE New Window Maximizer\iemaximizer.exe

C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe

C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

C:\Program Files\SpywareGuard\sgmain.exe

C:\Program Files\Microsoft Office\Office10\msoffice.exe

C:\Program Files\SpywareGuard\sgbhp.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Messenger\msmsgs.exe

C:\_EVOLVE\Downloads\Spyware Removal Tools\Hijack This\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\BRANDO~1\LOCALS~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\BRANDO~1\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [iMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe

O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe

O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE

O4 - HKLM\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe

O4 - HKCU\..\Run: [iridiumTimeWizard] C:\Program Files\Iridium\iridium.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [iE New Window Maximizer] C:\Program Files\IE New Window Maximizer\iemaximizer.exe

O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O15 - Trusted Zone: http://www.reddirect.co.nz

O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab

O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab

O16 - DPF: {4BEE3896-4820-48D1-85EA-5A9A9ECD3D95} (OPUCatalog Class) - http://office.microsoft.com/productupdates...t/opuc/opuc.cab

O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab

O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - http://www.installengine.com/engine/isetup.cab

O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://192.168.152.250/activex/AxisCamControl.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7587.0816666667

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab


I think I have this same thing happening. What I have noticed is that my new AVG virus scanner keeps popping up a dll file virus that you can't see anywhere, so therefore can't delete (even in safe DOS mode, but it may be hidden), and it seems to be active whenever I open IE or my virus scanner or Outlook.

 

I'm keeping an eye out here to see if you stumble across a solution (or maybe to see if AVG might catch and fix yours, but even in DOS mode it finds the dll file but can't open it to check it).

 

E


New findings...

 

I have found that when I turn on the PC and open IE and watch SpywareGuard kick into action as CWS does its nasty thing, I restore the old BHOs and take a note of the name of the dll file in System32.

 

Then I close IE and do that all over again. Then I run HJT and delete the remaining BHOs. Then I open Windows Explorer and delete sp.html from Temp and the dll file from Windows/System32.

 

After that I have trouble-free browsing for hours. Next time I reboot I have to go through the whole damn thing again, but as a temporary make-good it seems to work.

 

Still looking forward to hearing from PGPhantom though to see if you have any guidance on how to rid my machine of CWS for good.

 

Cheers, Beeza :-)


Can you post an updated HijackThis log, and DO NOT reboot, sign off etc until you hear back from me. I would like to get that file that keeps causing this problem. When you do get the message, write down the file name and post it here as well.

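One way to capture the file name PGPhantom is asking for without waiting for the alert: take a listing of the directories Beeza named (System32 and Temp) before opening IE, take another once the hijack fires, and diff the two. The script below is an added example, not code from the thread or from any of the tools mentioned in it. The directory names and the dropped file names in the demo (`abcd1234.dll`, `sp.html`, under a throwaway temporary tree) are constructed so it runs offline; on a real machine the watched list would be the real System32 and the user's Temp directory.

```python
"""Baseline-and-diff of directories a browser hijacker writes to.

Added example (not from the thread). Take a listing of the watched
directories before opening IE, take another after the hijack fires, and
diff the two: the dropped DLL and the hijack page show up under "added",
and any legitimate file it overwrote shows up under "changed".
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path, chunk=65536):
    """Hash a file in chunks so large system DLLs are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def snapshot(dirs):
    """Map every file under dirs to (size, mtime_ns, sha256).

    Files that vanish or are locked between listing and hashing are skipped
    rather than aborting the whole snapshot.
    """
    snap = {}
    for top in dirs:
        for root, _subdirs, files in os.walk(top):
            for name in files:
                path = os.path.join(root, name)
                try:
                    st = os.stat(path)
                    snap[path] = (st.st_size, st.st_mtime_ns, sha256_file(path))
                except OSError:
                    continue
    return snap


def diff_snapshots(before, after):
    """Return added / removed / changed paths between two snapshots.

    "changed" compares content hashes, not timestamps, because a dropper
    can reset mtime to blend in with neighbouring files.
    """
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    changed = sorted(p for p in before.keys() & after.keys()
                     if before[p][2] != after[p][2])
    return {"added": added, "removed": removed, "changed": changed}


def demo():
    """Constructed scenario in a throwaway tree; returns basenames for readability."""
    # On a real box: snapshot([r"C:\WINDOWS\System32", os.environ["TEMP"]])
    # once before opening IE and once after the SpywareGuard alert.
    with tempfile.TemporaryDirectory() as tmp:
        sys32 = Path(tmp, "System32")
        temp = Path(tmp, "Temp")
        sys32.mkdir()
        temp.mkdir()
        (sys32 / "kernel32.dll").write_bytes(b"MZ placeholder")
        (sys32 / "shell32.dll").write_bytes(b"MZ placeholder")
        before = snapshot([sys32, temp])

        # Simulated drop: a random-named DLL in System32, sp.html in Temp, and
        # an in-place overwrite of a legitimate DLL. All names are placeholders.
        (sys32 / "abcd1234.dll").write_bytes(b"MZ dropped")
        (temp / "sp.html").write_bytes(b"<html>hijack page</html>")
        (sys32 / "shell32.dll").write_bytes(b"MZ overwritten")
        after = snapshot([sys32, temp])

        delta = diff_snapshots(before, after)
        return {k: [os.path.basename(p) for p in v] for k, v in delta.items()}


if __name__ == "__main__":
    for kind, names in demo().items():
        print(kind, names)
```

Run the baseline right after logging on, reproduce the hijack, run the second pass, and the "added" list is the file name to post; the "changed" list is worth a look too, since it shows whether anything already on disk was replaced rather than merely added.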

Hi PGPhantom,

 

It's 10:45am on a sunny Saturday morning here in New Zealand. I just turned my PC on. So far IE is clean, but I could probably force CWS back by searching for a page that doesn't exist, or opening and closing IE a few times. Or just waiting. Anyway, here's my updated log. I'll keep the PC on and check a few times during the day to see if you've replied. Many thanks for your help.

 

Cheers, Beeza :-)

 

Logfile of HijackThis v1.97.7

Scan saved at 10:49:31 a.m., on 26/06/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\userinit.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\System32\igfxtray.exe

C:\WINDOWS\System32\hkcmd.exe

C:\Program Files\Intel\Intel® Active Monitor\imontray.exe

C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE

C:\Program Files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe

C:\Program Files\IE New Window Maximizer\iemaximizer.exe

C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

C:\Program Files\SpywareGuard\sgmain.exe

C:\Program Files\Microsoft Office\Office10\msoffice.exe

C:\Program Files\SpywareGuard\sgbhp.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Messenger\msmsgs.exe

C:\_EVOLVE\Downloads\Spyware Removal Tools\Hijack This\HijackThis.exe

 

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [iMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe

O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe

O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE

O4 - HKLM\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe

O4 - HKCU\..\Run: [iridiumTimeWizard] C:\Program Files\Iridium\iridium.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [iE New Window Maximizer] C:\Program Files\IE New Window Maximizer\iemaximizer.exe

O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O15 - Trusted Zone: http://www.reddirect.co.nz

O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab

O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab

O16 - DPF: {4BEE3896-4820-48D1-85EA-5A9A9ECD3D95} (OPUCatalog Class) - http://office.microsoft.com/productupdates...t/opuc/opuc.cab

O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab

O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - http://www.installengine.com/engine/isetup.cab

O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://192.168.152.250/activex/AxisCamControl.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7587.0816666667

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

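The log above is triaged by eye in the thread. As an added example (not code from the thread, from HijackThis, or from any tool named here), the script below parses the line formats HijackThis uses for the entry classes that matter most in a hijack like this one: O1 hosts redirects, O2 BHOs, O4 Run keys, O15 Trusted Zone additions and O16 DPF ActiveX downloads, and flags the ones a reviewer would open first. The sample lines are constructed to match those formats (the all-zero GUID and the `placeholder.dll`/`placeholder.exe` names are stand-ins, not real identifiers), and the DPF host allowlist is an assumption to tune for the machine.

```python
"""Triage of HijackThis log entries.

Added example, not part of the thread or of HijackThis itself. It reads
lines in the O1/O2/O4/O15/O16 formats and returns findings a reviewer
should check first. These are heuristics, not verdicts: a hit means
"look at this", and an empty result does not mean clean.
"""
import re
from urllib.parse import urlparse

# Assumed starting allowlist for O16 (DPF) download hosts; tune per machine.
ALLOWED_DPF_HOSTS = {"microsoft.com", "macromedia.com", "java.sun.com"}

# Directories where a BHO or Run entry is unusual enough to flag outright.
SUSPICIOUS_DIR = re.compile(r"\\(system32|temp|temporary internet files)\\", re.I)

RE_O1 = re.compile(r"^O1 - Hosts: (?P<ip>\S+)\s+(?P<host>\S+)")
RE_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
RE_O4 = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
RE_O15 = re.compile(r"^O15 - Trusted Zone: (?P<site>.+)$")
RE_O16 = re.compile(r"^O16 - DPF: (?P<desc>.+) - (?P<url>\S+)$")


def _is_loopback(ip):
    return ip.startswith("127.") or ip in ("0.0.0.0", "::1")


def _host_allowed(host, allowed):
    return any(host == a or host.endswith("." + a) for a in allowed)


def triage(lines, allowed_dpf_hosts=ALLOWED_DPF_HOSTS):
    """Return a list of {"code", "level", "detail"} dicts for flagged lines."""
    findings = []

    def flag(code, level, detail):
        findings.append({"code": code, "level": level, "detail": detail})

    for raw in lines:
        line = raw.strip()
        if m := RE_O1.match(line):
            # A hosts entry pointing a real name at a non-loopback address is a
            # redirect, not a block: exactly what a hijacker wants.
            if not _is_loopback(m["ip"]):
                flag("O1", "suspicious", f"{m['host']} -> {m['ip']}")
        elif m := RE_O2.match(line):
            if SUSPICIOUS_DIR.search(m["path"]):
                flag("O2", "suspicious", f"BHO {m['clsid']} loads from {m['path']}")
            elif m["name"] == "(no name)":
                flag("O2", "review", f"unnamed BHO {m['clsid']} at {m['path']}")
        elif m := RE_O4.match(line):
            if SUSPICIOUS_DIR.search(m["cmd"]):
                flag("O4", "suspicious", f"{m['hive']} Run [{m['name']}] = {m['cmd']}")
        elif m := RE_O15.match(line):
            # Trusted Zone relaxes IE's security settings for that site; always review.
            flag("O15", "review", f"Trusted Zone: {m['site']}")
        elif m := RE_O16.match(line):
            host = (urlparse(m["url"]).hostname or "").lower()
            if not _host_allowed(host, allowed_dpf_hosts):
                flag("O16", "review", f"ActiveX from {host}: {m['desc']}")
    return findings


# Constructed sample in HijackThis line formats; the GUID and file names are placeholders.
SAMPLE_LOG = [
    r"O1 - Hosts: 203.0.113.7 www.google.com",
    r"O1 - Hosts: 127.0.0.1 ads.example.invalid",
    r"O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll",
    r"O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\System32\placeholder.dll",
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    r"O4 - HKCU\..\Run: [updater] C:\DOCUME~1\user\LOCALS~1\Temp\placeholder.exe",
    r"O15 - Trusted Zone: http://www.reddirect.co.nz",
    r"O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/example/swflash.cab",
    r"O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['code']:<4} {f['level']:<10} {f['detail']}")
```

Two of the "(no name)" BHOs in the posted log (Spybot's SDHelper and the Google toolbar) sit under Program Files and would only come back as "review", while a DLL registered from System32 with no name, the pattern Beeza describes cleaning by hand, is flagged outright. The O15 line is reported every time on purpose: a site in the Trusted zone gets IE's lowest security settings, and unless the user remembers adding it, that entry deserves a question.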

Your log is looking clean :)

 

However ... Please take all my recommendations below and install, run update etc as listed.

Here are some tips, to reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:

  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.

To protect yourself further:

  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.

I also suggest that you delete any files from "temp", "tmp" folders. In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files" and select the box that says "Delete All Offline Content" and click on "OK" twice. Also, empty the recycle bin by right clicking on it and selecting "Empty Recycle Bin". These steps should be done on a regular basis.

 

Last thing ... The following is a recommended maintenance regime for Windows XP:

  1. The following DIRECTORY CONTENTS (But not the directory), need to be regularly emptied. Make sure your settings allow you to view "Hidden files". Open up any explorer windows and click on "Tools" => "Folder Options" => "View" and be sure to check off "Show Hidden Files and Folders". Click on "Apply to All Folders" and then respond "Yes" when prompted and click on "OK" to apply the change.
    • %windir%\prefetch\
    • %windir%\Temp\
    • %temp%\
    • %userprofile%\Local Settings\Temp\
    • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
    • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\

  2. Click on "Start" => "Settings" => "Control Panel" => "Internet Options". Click on "Delete Files", select "Delete All Offline Content" and click on "OK". Click on "OK" once more to close the options panel.

  3. Right click on "Recycle Bin" and select "Empty Recycle Bin" and respond "Yes" when prompted.

  4. Back up your files. You can use Windows Backup, which must be installed from the XP CD: <cd-Drive>\valueadd\msft\ntbackup. Be sure to back up the following:

    • Office documents
    • Email data - messages and address book
    • Game saves.
    • Digital photos and other artwork.
    • Movies that you have created or edited.
    • MP3s and other music files.
    • Browser favorites and bookmarks.
    • Downloaded files/programs.
    • Passwords, security codes etc. for anything that is password protected, like Quicken.
    • Activation codes for applications downloaded and registered.

  5. Do not go without an anti-virus program. Free ones include:

  6. Be sure to run a periodic Trojan scan with any of the following programs:

  7. Use a firewall such as ZoneAlarm.

  8. Regularly scan for adware and spyware using the following programs:

  9. Defragment your system. Click on "Start" => "Programs" => "Accessories" => "System Tools" => "Disk Defragmenter".

  10. Update your system. Go to Microsoft Windows Update and download all critical updates for your system.

  11. Clean up your disk. Click on "Start" => "Programs" => "Accessories" => "System Tools" => "Disk Cleanup".

  12. Clear your icon cache. Delete the following file: %userprofile%\Local Settings\Application Data\IconCache.db. Reboot.

  13. As bad as it may sound - once a year reinstall your O/S from scratch, i.e. reformat your hard drive, but be 100% certain that you have backed everything up as listed above. <= Obviously this should not be done except by professionals etc.

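IE/Spyad's Restricted list and the O15 Trusted Zone line in the log above work through the same registry structure: IE assigns URL security zones per domain under `HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains`, where each domain key holds a DWORD value named for the protocol (`http`, `https`, or `*` for any) whose data is the zone number (1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted sites), and a subdomain is keyed beneath its parent (`Domains\example.com\www`). The script below is an added example, not part of the thread, of IE/Spyad or of HijackThis: it writes a `.reg` file that places a list of domains into the Restricted zone, and parses a regedit export back into (host, protocol, zone) triples so that an unexpected Trusted-zone entry can be spotted without HijackThis. Callers pass (registered domain, subdomain-or-None) pairs because the script deliberately does not guess public suffixes such as `co.nz`; the sample domains and the sample export are constructed.

```python
"""Generate and parse IE ZoneMap .reg files.

Added example, not part of the thread, IE/Spyad or HijackThis. IE keeps
per-domain zone assignments under ZoneMap\\Domains; each domain key holds
DWORD values named after the protocol ("http", "https" or "*" for any)
whose data is the zone number. Subdomains are keyed under their parent
(Domains\\example.com\\www), so callers pass (domain, subdomain) pairs.
"""
import re

ZONE_INTRANET, ZONE_TRUSTED, ZONE_INTERNET, ZONE_RESTRICTED = 1, 2, 3, 4
ZONE_NAMES = {1: "Local intranet", 2: "Trusted sites", 3: "Internet", 4: "Restricted sites"}

# Per-user location; the HKLM branch has the same layout if machine-wide is wanted.
DOMAINS_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"

_KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VALUE_LINE = re.compile(r'^"(?P<proto>[^"]+)"=dword:(?P<data>[0-9A-Fa-f]{8})$')


def zone_reg(entries, zone=ZONE_RESTRICTED, protocol="*"):
    """Build .reg text assigning each (domain, subdomain) entry to `zone`."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for domain, sub in entries:
        key = DOMAINS_KEY + "\\" + domain + ("\\" + sub if sub else "")
        lines += [f"[{key}]", f'"{protocol}"=dword:{zone:08x}', ""]
    return "\r\n".join(lines)


def write_reg(path, text):
    """regedit expects version-5.00 files as UTF-16 with a byte-order mark."""
    with open(path, "w", encoding="utf-16", newline="") as fh:
        fh.write(text)


def zone_entries(reg_text):
    """Parse .reg text; return [(hostname, protocol, zone), ...] found under Domains."""
    out = []
    current = None
    prefix = DOMAINS_KEY.lower() + "\\"
    for raw in reg_text.splitlines():
        line = raw.strip()
        if m := _KEY_LINE.match(line):
            key = m["key"]
            if key.lower().startswith(prefix):
                parts = key[len(prefix):].split("\\")
                # Domains\example.com\www -> www.example.com
                current = ".".join(reversed(parts)) if len(parts) == 2 else parts[0]
            else:
                current = None
        elif current and (m := _VALUE_LINE.match(line)):
            out.append((current, m["proto"], int(m["data"], 16)))
    return out


def trusted_hosts(reg_text):
    """Hostnames that any tool, or a hijacker, has placed in the Trusted sites zone."""
    return sorted({h for h, _p, z in zone_entries(reg_text) if z == ZONE_TRUSTED})


# Constructed export in the form regedit writes, with one Trusted entry to catch.
SAMPLE_EXPORT = "\r\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    f"[{DOMAINS_KEY}\\example.invalid]",
    '"http"=dword:00000002',
    "",
    f"[{DOMAINS_KEY}\\blocked.test\\www]",
    '"*"=dword:00000004',
    "",
])

if __name__ == "__main__":
    print(zone_reg([("blocked.test", None), ("also-blocked.test", "www")]))
    print("Trusted:", trusted_hosts(SAMPLE_EXPORT))
```

To audit a machine, export the Domains key from regedit (File => Export, with that key selected), feed the file's text to `trusted_hosts`, and compare the result against the sites the user actually meant to trust; anything else is the registry-level view of an O15 line.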

Hi PGPhantom,

 

The log looks clean but CWS is still lurking. I came back a few hours ago and couldn't get anything online. Email would work, but not IE. I closed and reopened a few times but no CWS and no internet either, and clean logs too. So I closed IE and did other stuff for 2 hours. Tried again and bingo, internet available. Log still clean.

 

Then searched for a URL which turned out to be non-existent and IE redirected to http://s1di.d8t.biz/index.php?aid=20038

 

Log is still clean and sp.html is NOT in the temp file. Blowed if I know where it's hiding, but it is lurking somewhere. However, Google toolbar successfully blocked the supposed anti-spyware pop-up that invariably comes with http://s1di.d8t.biz/index.php?aid=20038

 

I know that if IE redirects then full blown CWS will come back. Hope you can help with advice

 

Now, on to your suggestions...

 

Spywareblaster: I downloaded this recently but don't appear to have installed it yet. Will do that now.

 

SpywareGuard: Done. I installed this a week or so ago and it is running well. Hasn't got rid of CWS though, but does help keep it in check (to a degree).

 

Ad-aware: Done. Installed and running well for a couple of weeks now. Hasn't got rid of CWS though.

 

Spybot: Done. Installed and running well for about a week now. Hasn't got rid of CWS though.

 

IE-Spyad: Done. I installed this a few days ago.

 

MVPS Hosts file: Will do this now.

 

Google Toolbar: Done. I've had this for some time now. Love it.

 

Directory Cleansing: Half done. I empty the following folders every time I shut down - Temp folder, Temporary Internet Folder, Recycle Bin. I'll create shortcuts for the other ones and include them in that routine too.

 

Backup: I regularly copy my user files to external media, but am not good at doing full backups. Will do as you suggest from now on though.

 

Anti-Virus: Done. I use Norton Anti-Virus and update my definitions weekly with LiveUpdater. I'm thinking of changing to NOD32 when my LiveUpdater subscription runs out. Any comments?

 

Trojan Scan: Done. I installed Trojan Hunter a few days ago.

 

Firewall: Done. I have had Zone Alarm in the past and really like it. Haven't had it on this machine though, but installed it a couple of weeks ago.

 

Adware Scans: I now use all three programs you recommend. Have for about a week.

 

Defrag: I defrag about once a month.

 

Update: I always update Windows and Office with the most recent patches. I've also used a few of Steve Gibson's apps (www.grc.com) to secure my computer more.

 

Disk Clean: I've never done this. Will do now.

 

Icon Cache: I've never done this either. Will do now.

 

Reinstall O/S: Strewth, that's a major! One thing I hate about Norton and LiveUpdate is that you have to buy another copy if you reinstall your O/S. That's one reason I'm thinking of changing. I'm not sure I'm brave enough to do this, but I'll schedule it in with my tech support for Christmas.

 

Cheers, Beeza :-)


I would like to see if the following produces anything? We may just be chasing a red herring but it does not harm anything to try:

 

Please download "FINDnFIX.exe". Run the "!LOG!.bat" file and post the results into this message for further review.


Hi PGPhantom,

 

Thanks for that recommendation. I'll do that now. Before I do though, here are some important findings...

 

Yesterday IE turned to crap again. Couldn't access internet or anything. I ran HJT and got a clean log. I looked in Temp and it was clean. Then I ran Ad-aware and it picked up 7 CWS files, reg entries, etc!!! Before I deleted them, I ran HJT again and it was still clean! I saved logs of each - see below.

 

When I booted up today, IE would not work. I ran HJT and it was clean. Then I ran Ad-aware and it was clean. Then I tried to run SpywareGuard LiveUpdate but it kept freezing / timing out. So I ran SpywareGuard but got this error message...

 

"Error Reading SpywareGuard Definitions! The file may be corrupt, or another program may have tampered with them. Run LiveUpdate to download the latest SpywareGuard definitions."

 

So I ran Ad-aware again but this time checked for updates first, and downloaded the most recent update. Then ran a scan and picked up 3 CWS files. Before I deleted them I ran another HJT scan and it was clean. I deleted the CWS entries and IE is now working. I've posted that log below too.

 

SUMMARY

CWS seems to have:

1) Disabled SpywareGuard

2) Affected HJT so that it shows clean logs even though CWS is active

 

I'm wondering whether CWS is able to (a) detect the presence of SpywareGuard and (b) detect when its components are being removed by HJT and/or Spybot, and then both corrupts all those progs and hides itself within one of them?

 

Look forward to your thoughts. I'll download FINDnFIX now and report back.

 

Cheers, Beeza :-)

 

 

 

Lavasoft Ad-aware Personal Build 6.181

Logfile created on :Saturday, 26 June 2004 10:17:21 p.m.

Created with Ad-aware Personal, free for private use.

Using reference-file :01R315 06.06.2004

______________________________________________________

 

Ad-aware Settings

=========================

Set : Activate in-depth scan (Recommended)

Set : Safe mode (always request confirmation)

Set : Scan active processes

Set : Scan registry

Set : Deep scan registry

Set : Scan my IE Favorites for banned URLs

Set : Scan my Hosts file

 

 

26-06-2004 10:17:21 p.m. - Scan started. (Smart mode)

 

Listing running processes

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

 

#:1 [smss.exe]

FilePath : \SystemRoot\System32\

ThreadCreationTime : 25-06-2004 10:32:43 p.m.

BasePriority : Normal

 

 

#:2 [csrss.exe]

FilePath : \??\C:\WINDOWS\system32\

ThreadCreationTime : 25-06-2004 10:32:46 p.m.

BasePriority : Normal

 

 

#:3 [winlogon.exe]

FilePath : \??\C:\WINDOWS\system32\

ThreadCreationTime : 25-06-2004 10:32:47 p.m.

BasePriority : High

 

 

#:4 [services.exe]

FilePath : C:\WINDOWS\system32\

ThreadCreationTime : 25-06-2004 10:32:48 p.m.

BasePriority : Normal

FileSize : 99 KB

FileVersion : 5.1.2600.0 (xpclient.010817-1148)

ProductVersion : 5.1.2600.0

CompanyName : Microsoft Corporation

FileDescription : Services and Controller app

InternalName : services.exe

OriginalFilename : services.exe

ProductName : Microsoft

Created on : 18/08/2001 12:00:00 p.m.

Last accessed : 26/06/2004 10:17:21 a.m.

Last modified : 18/08/2001 12:00:00 p.m.

 

#:5 [lsass.exe]

FilePath : C:\WINDOWS\system32\

ThreadCreationTime : 25-06-2004 10:32:48 p.m.

BasePriority : Normal

FileSize : 11 KB

FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)

ProductVersion : 5.1.2600.1106

CompanyName : Microsoft Corporation

FileDescription : LSA Shell (Export Version)

InternalName : lsass.exe

OriginalFilename : lsass.exe

ProductName : Microsoft

Created on : 18/08/2001 12:00:00 p.m.

Last accessed : 26/06/2004 10:17:21 a.m.

Last modified : 28/08/2002 3:41:26 p.m.

 

#:6 [svchost.exe]

FilePath : C:\WINDOWS\system32\

ThreadCreationTime : 25-06-2004 10:32:49 p.m.

BasePriority : Normal

FileSize : 12 KB

FileVersion : 5.1.2600.0 (xpclient.010817-1148)

ProductVersion : 5.1.2600.0

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

OriginalFilename : svchost.exe

ProductName : Microsoft

Created on : 18/08/2001 12:00:00 p.m.

Last accessed : 26/06/2004 9:57:50 a.m.

Last modified : 18/08/2001 12:00:00 p.m.

 

#:7 [svchost.exe]

FilePath : C:\WINDOWS\System32\

ThreadCreationTime : 25-06-2004 10:32:49 p.m.

BasePriority : Normal

FileSize : 12 KB

FileVersion : 5.1.2600.0 (xpclient.010817-1148)

ProductVersion : 5.1.2600.0

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

OriginalFilename : svchost.exe

ProductName : Microsoft

Created on : 18/08/2001 12:00:00 p.m.

Last accessed : 26/06/2004 9:57:50 a.m.

Last modified : 18/08/2001 12:00:00 p.m.

 

#:8 [svchost.exe]

FilePath : C:\WINDOWS\System32\

ThreadCreationTime : 25-06-2004 10:32:51 p.m.

BasePriority : Normal

FileSize : 12 KB

FileVersion : 5.1.2600.0 (xpclient.010817-1148)

ProductVersion : 5.1.2600.0

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

OriginalFilename : svchost.exe

ProductName : Microsoft

Created on : 18/08/2001 12:00:00 p.m.

Last accessed : 26/06/2004 9:57:50 a.m.

Last modified : 18/08/2001 12:00:00 p.m.

 

#:9 [svchost.exe]

FilePath : C:\WINDOWS\System32\

ThreadCreationTime : 25-06-2004 10:32:51 p.m.

BasePriority : Normal

FileSize : 12 KB

FileVersion : 5.1.2600.0 (xpclient.010817-1148)

ProductVersion : 5.1.2600.0

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

OriginalFilename : svchost.exe

ProductName : Microsoft

Created on : 18/08/2001 12:00:00 p.m.

Last accessed : 26/06/2004 9:57:50 a.m.

Last modified : 18/08/2001 12:00:00 p.m.

 

#:10 [spoolsv.exe]

FilePath : C:\WINDOWS\system32\

ThreadCreationTime : 25-06-2004 10:32:52 p.m.

BasePriority : Normal

FileSize : 50 KB

FileVersion : 5.1.2600.0 (XPClient.010817-1148)

ProductVersion : 5.1.2600.0

CompanyName : Microsoft Corporation

FileDescription : Spooler SubSystem App

InternalName : spoolsv.exe

OriginalFilename : spoolsv.exe

ProductName : Microsoft

Created on : 18/08/2001 12:00:00 p.m.

Last accessed : 26/06/2004 9:34:10 a.m.

Last modified : 18/08/2001 12:00:00 p.m.

 

#:11 [ccevtmgr.exe]

FilePath : C:\Program Files\Common Files\Symantec Shared\

ThreadCreationTime : 25-06-2004 10:32:52 p.m.

BasePriority : Normal

FileSize : 309 KB

FileVersion : 1.03.4

ProductVersion : 1.03.4

Copyright : Copyright © 2000-2002 Symantec Corporation. All rights reserved.

CompanyName : Symantec Corporation

FileDescription : Event Manager Service

InternalName : ccEvtMgr

OriginalFilename : ccEvtMgr.exe

ProductName : Event Manager

Created on : 13/11/2002 3:44:02 a.m.

Last accessed : 26/06/2004 9:34:00 a.m.

Last modified : 13/11/2002 3:44:02 a.m.

 

#:12 [userinit.exe]

FilePath : C:\WINDOWS\system32\

ThreadCreationTime : 25-06-2004 10:32:59 p.m.

BasePriority : Normal

FileSize : 21 KB

FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)

ProductVersion : 5.1.2600.1106

CompanyName : Microsoft Corporation

FileDescription : Userinit Logon Application

InternalName : userinit

OriginalFilename : USERINIT.EXE

ProductName : Microsoft

Created on : 18/08/2001 12:00:00 p.m.

Last accessed : 26/06/2004 10:17:22 a.m.

Last modified : 28/08/2002 3:41:28 p.m.

 

#:13 [explorer.exe]

FilePath : C:\WINDOWS\

ThreadCreationTime : 25-06-2004 10:32:59 p.m.

BasePriority : Normal

FileSize : 973 KB

FileVersion : 6.00.2800.1221 (xpsp2.030511-1403)

ProductVersion : 6.00.2800.1221

CompanyName : Microsoft Corporation

FileDescription : Windows Explorer

InternalName : explorer

OriginalFilename : EXPLORER.EXE

ProductName : Microsoft

Created on : 11/05/2003 9:12:10 a.m.

Last accessed : 26/06/2004 10:17:22 a.m.

Last modified : 11/05/2003 9:12:10 a.m.

 

#:14 [navapsvc.exe]

FilePath : C:\Program Files\Norton AntiVirus\

ThreadCreationTime : 25-06-2004 10:33:00 p.m.

BasePriority : Normal

FileSize : 113 KB

FileVersion : 9.05.1015

ProductVersion : 9.05.1015

Copyright : Copyright © 2000-2002 Symantec Corporation. All rights reserved.

CompanyName : Symantec Corporation

FileDescription : Norton AntiVirus Auto-Protect Service

InternalName : NAVAPSVC

OriginalFilename : NAVAPSVC.EXE

ProductName : Norton AntiVirus

Created on : 14/11/2002 6:41:26 a.m.

Last accessed : 26/06/2004 9:34:10 a.m.

Last modified : 14/11/2002 6:41:26 a.m.

 

#:15 [vsmon.exe]

FilePath : C:\WINDOWS\system32\ZoneLabs\

ThreadCreationTime : 25-06-2004 10:33:01 p.m.

BasePriority : Normal

FileSize : 893 KB

FileVersion : 5.0.590.043

ProductVersion : 5.0.590.043

Copyright : Copyright

CompanyName : Zone Labs Inc.

FileDescription : TrueVector Service

InternalName : vsmon

OriginalFilename : vsmon.exe

ProductName : TrueVector Service

Created on : 3/06/2004 1:09:15 p.m.

Last accessed : 26/06/2004 10:17:22 a.m.

Last modified : 15/06/2004 4:47:36 p.m.

 

#:16 [igfxtray.exe]

FilePath : C:\WINDOWS\System32\

ThreadCreationTime : 25-06-2004 10:33:03 p.m.

BasePriority : Normal

FileSize : 152 KB

FileVersion : 3,0,0,1607

ProductVersion : 7,0,0,1607

Copyright : Copyright 1999-2002, Intel Corporation

CompanyName : Intel Corporation

FileDescription : igfxTray Module

InternalName : IGFXTRAY

OriginalFilename : IGFXTRAY.EXE

ProductName : Intel® Common User Interface

Created on : 1/10/2002 4:54:15 a.m.

Last accessed : 26/06/2004 9:34:30 a.m.

Last modified : 14/05/2002 8:29:02 a.m.

 

#:17 [hkcmd.exe]

FilePath : C:\WINDOWS\System32\

ThreadCreationTime : 25-06-2004 10:33:04 p.m.

BasePriority : Normal

FileSize : 112 KB

FileVersion : 3,0,0,1607

ProductVersion : 7,0,0,1607

Copyright : Copyright 1999-2002, Intel Corporation

CompanyName : Intel Corporation

FileDescription : hkcmd Module

InternalName : HKCMD

OriginalFilename : HKCMD.EXE

ProductName : Intel® Common User Interface

Created on : 1/10/2002 4:54:08 a.m.

Last accessed : 26/06/2004 9:34:30 a.m.

Last modified : 14/05/2002 8:20:50 a.m.

 

#:18 [imontray.exe]

FilePath : C:\Program Files\Intel\Intel® Active Monitor\

ThreadCreationTime : 25-06-2004 10:33:04 p.m.

BasePriority : Normal

FileSize : 32 KB

FileVersion : 1.1.7.136

ProductVersion : 1, 0, 0, 1

Copyright : Copyright © 2000

FileDescription : imontray MFC Application

InternalName : imontray

OriginalFilename : imontray.EXE

ProductName : imontray Application

Created on : 1/10/2002 4:57:41 a.m.

Last accessed : 26/06/2004 9:34:00 a.m.

Last modified : 3/05/2002 3:10:20 a.m.

 

#:19 [em_exec.exe]

FilePath : C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\

ThreadCreationTime : 25-06-2004 10:33:05 p.m.

BasePriority : Normal

FileSize : 34 KB

FileVersion : 9.41.33

ProductVersion : 9.41.1

Copyright : Copyright

CompanyName : Logitech Inc.

FileDescription : Control Center

InternalName : EM_EXEC

OriginalFilename : EM_EXEC.CPP

ProductName : MouseWare

Created on : 8/11/2002 4:27:24 a.m.

Last accessed : 26/06/2004 9:34:30 a.m.

Last modified : 18/09/2001 8:41:00 p.m.

 

#:20 [backweb-8876480.exe]

FilePath : C:\Program Files\Logitech\Desktop Messenger\8876480\Program\

ThreadCreationTime : 25-06-2004 10:33:05 p.m.

BasePriority : Normal

FileSize : 16 KB

Created on : 8/11/2002 4:29:00 a.m.

Last accessed : 26/06/2004 10:17:22 a.m.

Last modified : 8/11/2002 4:29:00 a.m.

 

#:21 [ccapp.exe]

FilePath : C:\Program Files\Common Files\Symantec Shared\

ThreadCreationTime : 25-06-2004 10:33:05 p.m.

BasePriority : Normal

FileSize : 53 KB

FileVersion : 1.0.10.006

ProductVersion : 1.0.10.006

Copyright : Copyright © 2000-2002 Symantec Corporation. All rights reserved.

CompanyName : Symantec Corporation

FileDescription : Common Client CC App

InternalName : ccApp

OriginalFilename : ccApp.exe

ProductName : Common Client

Created on : 20/12/2003 6:48:45 a.m.

Last accessed : 26/06/2004 10:17:22 a.m.

Last modified : 2/12/2003 3:11:04 a.m.

 

#:22 [jusched.exe]

FilePath : C:\Program Files\Java\j2re1.4.2_04\bin\

ThreadCreationTime : 25-06-2004 10:33:05 p.m.

BasePriority : Normal

FileSize : 32 KB

Created on : 22/02/2068 11:44:46 a.m.

Last accessed : 26/06/2004 9:34:10 a.m.

Last modified : 22/02/2004 11:44:44 a.m.

 

#:23 [zlclient.exe]

FilePath : C:\Program Files\Zone Labs\ZoneAlarm\

ThreadCreationTime : 25-06-2004 10:33:06 p.m.

BasePriority : Normal

FileSize : 681 KB

FileVersion : 5.0.590.043

ProductVersion : 5.0.590.043

Copyright : Copyright

CompanyName : Zone Labs Inc.

FileDescription : Zone Labs Client

InternalName : zlclient

OriginalFilename : zlclient.exe

ProductName : Zone Labs Client

Created on : 3/06/2004 1:09:19 p.m.

Last accessed : 26/06/2004 10:17:22 a.m.

Last modified : 15/06/2004 4:48:24 p.m.

 

#:24 [teatimer.exe]

FilePath : C:\Program Files\Spybot - Search & Destroy\

ThreadCreationTime : 25-06-2004 10:33:07 p.m.

BasePriority : Idle

FileSize : 1014 KB

FileVersion : 1, 3, 0, 12

ProductVersion : 1, 3, 0, 12

CompanyName : Safer Networking Limited

FileDescription : System settings protector

InternalName : TeaTimer

OriginalFilename : TeaTimer.exe

ProductName : Spybot - Search & Destroy

Created on : 11/05/2004 1:03:00 p.m.

Last accessed : 26/06/2004 9:34:10 a.m.

Last modified : 11/05/2004 1:03:00 p.m.

 

#:25 [imonnt.exe]

FilePath : C:\Program Files\Intel\Intel® Active Monitor\

ThreadCreationTime : 25-06-2004 10:33:07 p.m.

BasePriority : Normal

FileSize : 100 KB

FileVersion : 1.1.7.136

ProductVersion : 1, 0, 0, 1

Copyright : Copyright

CompanyName : Intel Corp.

FileDescription : Intel® Active Monitor Win9x Background Service

InternalName : imonNT

OriginalFilename : imonNT.exe

ProductName : Intel® Active Monitor

Created on : 1/10/2002 4:57:41 a.m.

Last accessed : 26/06/2004 9:33:50 a.m.

Last modified : 3/05/2002 3:09:24 a.m.

 

#:26 [iemaximizer.exe]

FilePath : C:\Program Files\IE New Window Maximizer\

ThreadCreationTime : 25-06-2004 10:33:07 p.m.

BasePriority : Normal

FileSize : 340 KB

FileVersion : 2.3.0.2

ProductVersion : 2.3.0.2

Copyright : © jiiSoft, Jonatan Dahl. All rights reserved.

CompanyName : jiiSoft

FileDescription : IE New Window Maximizer

InternalName : iemaximizer.exe

OriginalFilename : iemaximizer.exe

ProductName : IE New Window Maximizer

Created on : 23/01/2003 11:21:10 p.m.

Last accessed : 26/06/2004 9:34:10 a.m.

Last modified : 24/01/2003 12:21:10 a.m.

 

#:27 [acrotray.exe]

FilePath : C:\Program Files\Adobe\Acrobat 5.0\Distillr\

ThreadCreationTime : 25-06-2004 10:33:08 p.m.

BasePriority : Normal

FileSize : 80 KB

FileVersion : 5, 0, 0, 0

ProductVersion : 5, 0, 0, 0

Copyright : Copyright

CompanyName : Adobe Systems Inc.

FileDescription : AcroTray

InternalName : AcroTray

OriginalFilename : AcroTray.exe

ProductName : AcroTray - Adobe Acrobat Distiller helper application.

Created on : 9/02/2003 2:12:08 a.m.

Last accessed : 26/06/2004 9:34:10 a.m.

Last modified : 11/10/2001 4:35:00 a.m.

 

#:28 [sgmain.exe]

FilePath : C:\Program Files\SpywareGuard\

ThreadCreationTime : 25-06-2004 10:33:10 p.m.

BasePriority : Normal

FileSize : 352 KB

FileVersion : 2.02.0001

ProductVersion : 2.02.0001

Copyright : Copyright © 2002-2003 Javacool Software LLC

FileDescription : SpywareGuard

InternalName : sgmain

OriginalFilename : sgmain.exe

ProductName : SpywareGuard

Created on : 29/08/2003 7:05:35 a.m.

Last accessed : 26/06/2004 10:05:57 a.m.

Last modified : 29/08/2003 7:05:35 a.m.

 

#:29 [msoffice.exe]

FilePath : C:\Program Files\Microsoft Office\Office10\

ThreadCreationTime : 25-06-2004 10:33:13 p.m.

BasePriority : Normal

FileSize : 221 KB

FileVersion : 10.0.2609

ProductVersion : 10.0.2609

Copyright : Copyright

CompanyName : Microsoft Corporation

FileDescription : Microsoft Office XP component

InternalName : MSOFFICE

OriginalFilename : MSOFFICE.EXE

ProductName : Microsoft Office XP

Created on : 12/02/2001 11:58:54 a.m.

Last accessed : 26/06/2004 10:17:22 a.m.

Last modified : 12/02/2001 11:58:54 a.m.

 

#:30 [sgbhp.exe]

FilePath : C:\Program Files\SpywareGuard\

ThreadCreationTime : 25-06-2004 10:33:15 p.m.

BasePriority : Normal

FileSize : 228 KB

FileVersion : 2.02.0001

ProductVersion : 2.02.0001

Copyright : Copyright © 2002-2003 Javacool Software LLC.

FileDescription : SG Browser Hijacking Protection

InternalName : sgbhp

OriginalFilename : sgbhp.exe

ProductName : SG Browser Hijacking Protection

Created on : 28/08/2003 11:14:56 p.m.

Last accessed : 26/06/2004 9:34:00 a.m.

Last modified : 28/08/2003 11:14:56 p.m.

 

#:31 [svchost.exe]

FilePath : C:\WINDOWS\System32\

ThreadCreationTime : 26-06-2004 4:06:53 a.m.

BasePriority : Normal

FileSize : 12 KB

FileVersion : 5.1.2600.0 (xpclient.010817-1148)

ProductVersion : 5.1.2600.0

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

OriginalFilename : svchost.exe

ProductName : Microsoft

Created on : 18/08/2001 12:00:00 p.m.

Last accessed : 26/06/2004 9:57:50 a.m.

Last modified : 18/08/2001 12:00:00 p.m.

 

#:32 [winword.exe]

FilePath : C:\Program Files\Microsoft Office\Office10\

ThreadCreationTime : 26-06-2004 10:06:24 a.m.

BasePriority : Normal

FileSize : 10374 KB

FileVersion : 10.0.6612

ProductVersion : 10.0.6612

Copyright : Copyright

CompanyName : Microsoft Corporation

FileDescription : Microsoft Word

InternalName : WinWord

OriginalFilename : WinWord.exe

ProductName : Microsoft Office XP

Created on : 16/01/2004 2:19:14 a.m.

Last accessed : 26/06/2004 10:06:32 a.m.

Last modified : 16/01/2004 2:19:14 a.m.

 

#:33 [msmsgs.exe]

FilePath : C:\Program Files\Messenger\

ThreadCreationTime : 26-06-2004 10:12:35 a.m.

BasePriority : Normal

FileSize : 1462 KB

FileVersion : 4.7.2009

ProductVersion : Version 4.7

Copyright : Copyright © Microsoft Corporation 1997-2003

CompanyName : Microsoft Corporation

FileDescription : Messenger

InternalName : msmsgs

OriginalFilename : msmsgs.exe

ProductName : Messenger

Created on : 14/04/2003 8:05:20 a.m.

Last accessed : 26/06/2004 10:12:37 a.m.

Last modified : 14/04/2003 8:05:20 a.m.

 

#:34 [ad-aware.exe]

FilePath : C:\Program Files\Lavasoft\Ad-aware 6\

ThreadCreationTime : 26-06-2004 10:17:12 a.m.

BasePriority : Normal

FileSize : 668 KB

FileVersion : 6.0.1.181

ProductVersion : 6.0.0.0

Copyright : Copyright

CompanyName : Lavasoft Sweden

FileDescription : Ad-aware 6 core application

InternalName : Ad-aware.exe

OriginalFilename : Ad-aware.exe

ProductName : Lavasoft Ad-aware Plus

Created on : 3/06/2004 10:28:02 p.m.

Last accessed : 26/06/2004 10:17:13 a.m.

Last modified : 12/07/2003 9:00:20 a.m.

 

Memory scan result :

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

New objects : 0

Objects found so far: 0

 

 

Started registry scan

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

 

CoolWebSearch Object recognized!

Type : RegValue

Data :

Rootkey : HKEY_LOCAL_MACHINE

Object : SOFTWARE\Microsoft\Internet Explorer\Main

Value : HOMEOldSP

 

 

Registry scan result :

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

New objects : 1

Objects found so far: 1

 

 

Started deep registry scan

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Pageabout:blank

 

Possible Browser Hijack attempt Object recognized!

Type : RegData

Data : "about:blank"

Rootkey : HKEY_CURRENT_USER

Object : Software\Microsoft\Internet Explorer\Main

Value : Start Page

Data : "about:blank"

 

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Pageabout:blank

 

Possible Browser Hijack attempt Object recognized!

Type : RegData

Data : "about:blank"

Rootkey : HKEY_LOCAL_MACHINE

Object : Software\Microsoft\Internet Explorer\Main

Value : Start Page

Data : "about:blank"

 

Possible browser hijack attempt : .Default\Software\Microsoft\Internet Explorer\MainStart Pageabout:blank

 

Possible Browser Hijack attempt Object recognized!

Type : RegData

Data : "about:blank"

Rootkey : HKEY_USERS

Object : .Default\Software\Microsoft\Internet Explorer\Main

Value : Start Page

Data : "about:blank"

 

 

Deep registry scan result :

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

New objects : 3

Objects found so far: 4

 

 

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

 

 

Deep scanning and examining files (C:)

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

 

 

Scanning Hosts file(C:\WINDOWS\System32\drivers\etc\hosts)

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

 

Hosts file scan result:

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

1815 entries scanned.

New objects :0

Objects found so far: 4

 

 

 

 

Performing conditional scans..

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

 

CoolWebSearch Object recognized!

Type : RegKey

Data :

Rootkey : HKEY_CLASSES_ROOT

Object : PROTOCOLS\Filter\text/html

 

 

CoolWebSearch Object recognized!

Type : RegKey

Data :

Rootkey : HKEY_CLASSES_ROOT

Object : PROTOCOLS\Filter\text/plain

 

 

CoolWebSearch Object recognized!

Type : RegValue

Data :

Rootkey : HKEY_CURRENT_USER

Object : Software\Microsoft\Internet Explorer\Toolbar\WebBrowser

Value : ITBarLayout

 

 

Conditional scan result:

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

New objects : 3

Objects found so far: 7

 

 

10:20:53 p.m. Scan complete

 

Summary of this scan

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Total scanning time :00:03:31:343

Objects scanned :57170

Objects identified :7

Objects ignored :0

New objects :7

 

 

The following HJT log was created BEFORE the CWS files in the Ad-aware log above were deleted...

 

Logfile of HijackThis v1.97.7

Scan saved at 10:30:25 p.m., on 26/06/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\userinit.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\System32\igfxtray.exe

C:\WINDOWS\System32\hkcmd.exe

C:\Program Files\Intel\Intel® Active Monitor\imontray.exe

C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE

C:\Program Files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe

C:\Program Files\IE New Window Maximizer\iemaximizer.exe

C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

C:\Program Files\SpywareGuard\sgmain.exe

C:\Program Files\Microsoft Office\Office10\msoffice.exe

C:\Program Files\SpywareGuard\sgbhp.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe

C:\_EVOLVE\Downloads\Spyware Removal Tools\Hijack This\HijackThis.exe

 

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [iMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe

O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe

O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE

O4 - HKLM\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe

O4 - HKCU\..\Run: [iridiumTimeWizard] C:\Program Files\Iridium\iridium.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [iE New Window Maximizer] C:\Program Files\IE New Window Maximizer\iemaximizer.exe

O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O15 - Trusted Zone: http://www.reddirect.co.nz

O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab

O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab

O16 - DPF: {4BEE3896-4820-48D1-85EA-5A9A9ECD3D95} (OPUCatalog Class) - http://office.microsoft.com/productupdates...t/opuc/opuc.cab

O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab

O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - http://www.installengine.com/engine/isetup.cab

O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://192.168.152.250/activex/AxisCamControl.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7587.0816666667

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

 

 

 

Lavasoft Ad-aware Personal Build 6.181

Logfile created on :Sunday, 27 June 2004 12:03:31 p.m.

Created with Ad-aware Personal, free for private use.

Using reference-file :01R325 27.06.2004

______________________________________________________

 

Ad-aware Settings

=========================

Set : Activate in-depth scan (Recommended)

Set : Safe mode (always request confirmation)

Set : Scan active processes

Set : Scan registry

Set : Deep scan registry

Set : Scan my IE Favorites for banned URLs

Set : Scan my Hosts file

 

 

27-06-2004 12:03:31 p.m. - Scan started. (Smart mode)

 

Listing running processes

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

 

#:1 [smss.exe]

FilePath : \SystemRoot\System32\

ThreadCreationTime : 26-06-2004 11:46:22 p.m.

BasePriority : Normal

 

 

#:2 [csrss.exe]

FilePath : \??\C:\WINDOWS\system32\

ThreadCreationTime : 26-06-2004 11:46:24 p.m.

BasePriority : Normal

 

 

#:3 [winlogon.exe]

FilePath : \??\C:\WINDOWS\system32\

ThreadCreationTime : 26-06-2004 11:46:25 p.m.

BasePriority : High

 

 

#:4 [services.exe]

FilePath : C:\WINDOWS\system32\

ThreadCreationTime : 26-06-2004 11:46:26 p.m.

BasePriority : Normal

FileSize : 99 KB

FileVersion : 5.1.2600.0 (xpclient.010817-1148)

ProductVersion : 5.1.2600.0

CompanyName : Microsoft Corporation

FileDescription : Services and Controller app

InternalName : services.exe

OriginalFilename : services.exe

ProductName : Microsoft

Created on : 18/08/2001 12:00:00 p.m.

Last accessed : 26/06/2004 11:46:26 p.m.

Last modified : 18/08/2001 12:00:00 p.m.

 

#:5 [lsass.exe]

FilePath : C:\WINDOWS\system32\

ThreadCreationTime : 26-06-2004 11:46:26 p.m.

BasePriority : Normal

FileSize : 11 KB

FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)

ProductVersion : 5.1.2600.1106

CompanyName : Microsoft Corporation

FileDescription : LSA Shell (Export Version)

InternalName : lsass.exe

OriginalFilename : lsass.exe

ProductName : Microsoft

Created on : 18/08/2001 12:00:00 p.m.

Last accessed : 26/06/2004 11:46:39 p.m.

Last modified : 28/08/2002 3:41:26 p.m.

 

#:6 [svchost.exe]

FilePath : C:\WINDOWS\system32\

ThreadCreationTime : 26-06-2004 11:46:27 p.m.

BasePriority : Normal

FileSize : 12 KB

FileVersion : 5.1.2600.0 (xpclient.010817-1148)

ProductVersion : 5.1.2600.0

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

OriginalFilename : svchost.exe

ProductName : Microsoft

Created on : 18/08/2001 12:00:00 p.m.

Last accessed : 26/06/2004 11:46:45 p.m.

Last modified : 18/08/2001 12:00:00 p.m.

 

#:7 [svchost.exe]

FilePath : C:\WINDOWS\System32\

ThreadCreationTime : 26-06-2004 11:46:28 p.m.

BasePriority : Normal

FileSize : 12 KB

FileVersion : 5.1.2600.0 (xpclient.010817-1148)

ProductVersion : 5.1.2600.0

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

OriginalFilename : svchost.exe

ProductName : Microsoft

Created on : 18/08/2001 12:00:00 p.m.

Last accessed : 26/06/2004 11:46:45 p.m.

Last modified : 18/08/2001 12:00:00 p.m.

 

#:8 [svchost.exe]

FilePath : C:\WINDOWS\System32\

ThreadCreationTime : 26-06-2004 11:46:29 p.m.

BasePriority : Normal

FileSize : 12 KB

FileVersion : 5.1.2600.0 (xpclient.010817-1148)

ProductVersion : 5.1.2600.0

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

OriginalFilename : svchost.exe

ProductName : Microsoft

Created on : 18/08/2001 12:00:00 p.m.

Last accessed : 26/06/2004 11:46:45 p.m.

Last modified : 18/08/2001 12:00:00 p.m.

 

#:9 [svchost.exe]

FilePath : C:\WINDOWS\System32\

ThreadCreationTime : 26-06-2004 11:46:29 p.m.

BasePriority : Normal

FileSize : 12 KB

FileVersion : 5.1.2600.0 (xpclient.010817-1148)

ProductVersion : 5.1.2600.0

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

OriginalFilename : svchost.exe

ProductName : Microsoft

Created on : 18/08/2001 12:00:00 p.m.

Last accessed : 26/06/2004 11:46:45 p.m.

Last modified : 18/08/2001 12:00:00 p.m.

 

#:10 [spoolsv.exe]

FilePath : C:\WINDOWS\system32\

ThreadCreationTime : 26-06-2004 11:46:31 p.m.

BasePriority : Normal

FileSize : 50 KB

FileVersion : 5.1.2600.0 (XPClient.010817-1148)

ProductVersion : 5.1.2600.0

CompanyName : Microsoft Corporation

FileDescription : Spooler SubSystem App

InternalName : spoolsv.exe

OriginalFilename : spoolsv.exe

ProductName : Microsoft

Created on : 18/08/2001 12:00:00 p.m.

Last accessed : 26/06/2004 11:46:22 p.m.

Last modified : 18/08/2001 12:00:00 p.m.

 

#:11 [ccevtmgr.exe]

FilePath : C:\Program Files\Common Files\Symantec Shared\

ThreadCreationTime : 26-06-2004 11:46:31 p.m.

BasePriority : Normal

FileSize : 309 KB

FileVersion : 1.03.4

ProductVersion : 1.03.4

Copyright : Copyright © 2000-2002 Symantec Corporation. All rights reserved.

CompanyName : Symantec Corporation

FileDescription : Event Manager Service

InternalName : ccEvtMgr

OriginalFilename : ccEvtMgr.exe

ProductName : Event Manager

Created on : 13/11/2002 3:44:02 a.m.

Last accessed : 26/06/2004 11:46:22 p.m.

Last modified : 13/11/2002 3:44:02 a.m.

 

#:12 [navapsvc.exe]

FilePath : C:\Program Files\Norton AntiVirus\

ThreadCreationTime : 26-06-2004 11:46:38 p.m.

BasePriority : Normal

FileSize : 113 KB

FileVersion : 9.05.1015

ProductVersion : 9.05.1015

Copyright : Copyright © 2000-2002 Symantec Corporation. All rights reserved.

CompanyName : Symantec Corporation

FileDescription : Norton AntiVirus Auto-Protect Service

InternalName : NAVAPSVC

OriginalFilename : NAVAPSVC.EXE

ProductName : Norton AntiVirus

Created on : 14/11/2002 6:41:26 a.m.

Last accessed : 26/06/2004 11:46:22 p.m.

Last modified : 14/11/2002 6:41:26 a.m.

 

#:13 [vsmon.exe]

FilePath : C:\WINDOWS\system32\ZoneLabs\

ThreadCreationTime : 26-06-2004 11:46:39 p.m.

BasePriority : Normal

FileSize : 893 KB

FileVersion : 5.0.590.043

ProductVersion : 5.0.590.043

Copyright : Copyright

CompanyName : Zone Labs Inc.

FileDescription : TrueVector Service

InternalName : vsmon

OriginalFilename : vsmon.exe

ProductName : TrueVector Service

Created on : 3/06/2004 1:09:15 p.m.

Last accessed : 26/06/2004 11:46:39 p.m.

Last modified : 15/06/2004 4:47:36 p.m.

 

#:14 [imonnt.exe]

FilePath : C:\Program Files\Intel\Intel® Active Monitor\

ThreadCreationTime : 26-06-2004 11:46:43 p.m.

BasePriority : Normal

FileSize : 100 KB

FileVersion : 1.1.7.136

ProductVersion : 1, 0, 0, 1

Copyright : Copyright

CompanyName : Intel Corp.

FileDescription : Intel® Active Monitor Win9x Background Service

InternalName : imonNT

OriginalFilename : imonNT.exe

ProductName : Intel® Active Monitor

Created on : 1/10/2002 4:57:41 a.m.

Last accessed : 26/06/2004 11:46:22 p.m.

Last modified : 3/05/2002 3:09:24 a.m.

 

#:15 [explorer.exe]

FilePath : C:\WINDOWS\

ThreadCreationTime : 26-06-2004 11:46:48 p.m.

BasePriority : Normal

FileSize : 973 KB

FileVersion : 6.00.2800.1221 (xpsp2.030511-1403)

ProductVersion : 6.00.2800.1221

CompanyName : Microsoft Corporation

FileDescription : Windows Explorer

InternalName : explorer

OriginalFilename : EXPLORER.EXE

ProductName : Microsoft

Created on : 11/05/2003 9:12:10 a.m.

Last accessed : 26/06/2004 11:47:26 p.m.

Last modified : 11/05/2003 9:12:10 a.m.

 

#:16 [igfxtray.exe]

FilePath : C:\WINDOWS\System32\

ThreadCreationTime : 26-06-2004 11:46:53 p.m.

BasePriority : Normal

FileSize : 152 KB

FileVersion : 3,0,0,1607

ProductVersion : 7,0,0,1607

Copyright : Copyright 1999-2002, Intel Corporation

CompanyName : Intel Corporation

FileDescription : igfxTray Module

InternalName : IGFXTRAY

OriginalFilename : IGFXTRAY.EXE

ProductName : Intel® Common User Interface

Created on : 1/10/2002 4:54:15 a.m.

Last accessed : 26/06/2004 11:46:52 p.m.

Last modified : 14/05/2002 8:29:02 a.m.

 

#:17 [hkcmd.exe]

FilePath : C:\WINDOWS\System32\

ThreadCreationTime : 26-06-2004 11:46:53 p.m.

BasePriority : Normal

FileSize : 112 KB

FileVersion : 3,0,0,1607

ProductVersion : 7,0,0,1607

Copyright : Copyright 1999-2002, Intel Corporation

CompanyName : Intel Corporation

FileDescription : hkcmd Module

InternalName : HKCMD

OriginalFilename : HKCMD.EXE

ProductName : Intel® Common User Interface

Created on : 1/10/2002 4:54:08 a.m.

Last accessed : 26/06/2004 11:46:53 p.m.

Last modified : 14/05/2002 8:20:50 a.m.

 

#:18 [imontray.exe]

FilePath : C:\Program Files\Intel\Intel® Active Monitor\

ThreadCreationTime : 26-06-2004 11:46:53 p.m.

BasePriority : Normal

FileSize : 32 KB

FileVersion : 1.1.7.136

ProductVersion : 1, 0, 0, 1

Copyright : Copyright © 2000

FileDescription : imontray MFC Application

InternalName : imontray

OriginalFilename : imontray.EXE

ProductName : imontray Application

Created on : 1/10/2002 4:57:41 a.m.

Last accessed : 26/06/2004 11:46:53 p.m.

Last modified : 3/05/2002 3:10:20 a.m.

 

#:19 [em_exec.exe]

FilePath : C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\

ThreadCreationTime : 26-06-2004 11:46:55 p.m.

BasePriority : Normal

FileSize : 34 KB

FileVersion : 9.41.33

ProductVersion : 9.41.1

Copyright : Copyright

CompanyName : Logitech Inc.

FileDescription : Control Center

InternalName : EM_EXEC

OriginalFilename : EM_EXEC.CPP

ProductName : MouseWare

Created on : 8/11/2002 4:27:24 a.m.

Last accessed : 26/06/2004 11:46:55 p.m.

Last modified : 18/09/2001 8:41:00 p.m.

 

#:20 [backweb-8876480.exe]

FilePath : C:\Program Files\Logitech\Desktop Messenger\8876480\Program\

ThreadCreationTime : 26-06-2004 11:46:55 p.m.

BasePriority : Normal

FileSize : 16 KB

Created on : 8/11/2002 4:29:00 a.m.

Last accessed : 26/06/2004 11:47:25 p.m.

Last modified : 8/11/2002 4:29:00 a.m.

 

#:21 [ccapp.exe]

FilePath : C:\Program Files\Common Files\Symantec Shared\

ThreadCreationTime : 26-06-2004 11:46:56 p.m.

BasePriority : Normal

FileSize : 53 KB

FileVersion : 1.0.10.006

ProductVersion : 1.0.10.006

Copyright : Copyright © 2000-2002 Symantec Corporation. All rights reserved.

CompanyName : Symantec Corporation

FileDescription : Common Client CC App

InternalName : ccApp

OriginalFilename : ccApp.exe

ProductName : Common Client

Created on : 20/12/2003 6:48:45 a.m.

Last accessed : 26/06/2004 11:47:07 p.m.

Last modified : 2/12/2003 3:11:04 a.m.

 

#:22 [jusched.exe]

FilePath : C:\Program Files\Java\j2re1.4.2_04\bin\

ThreadCreationTime : 26-06-2004 11:46:57 p.m.

BasePriority : Normal

FileSize : 32 KB

Created on : 22/02/2068 11:44:46 a.m.

Last accessed : 26/06/2004 11:46:57 p.m.

Last modified : 22/02/2004 11:44:44 a.m.

 

#:23 [zlclient.exe]

FilePath : C:\Program Files\Zone Labs\ZoneAlarm\

ThreadCreationTime : 26-06-2004 11:46:59 p.m.

BasePriority : Normal

FileSize : 681 KB

FileVersion : 5.0.590.043

ProductVersion : 5.0.590.043

Copyright : Copyright

CompanyName : Zone Labs Inc.

FileDescription : Zone Labs Client

InternalName : zlclient

OriginalFilename : zlclient.exe

ProductName : Zone Labs Client

Created on : 3/06/2004 1:09:19 p.m.

Last accessed : 27/06/2004 12:00:27 a.m.

Last modified : 15/06/2004 4:48:24 p.m.

 

#:24 [teatimer.exe]

FilePath : C:\Program Files\Spybot - Search & Destroy\

ThreadCreationTime : 26-06-2004 11:47:00 p.m.

BasePriority : Idle

FileSize : 1014 KB

FileVersion : 1, 3, 0, 12

ProductVersion : 1, 3, 0, 12

CompanyName : Safer Networking Limited

FileDescription : System settings protector

InternalName : TeaTimer

OriginalFilename : TeaTimer.exe

ProductName : Spybot - Search & Destroy

Created on : 11/05/2004 1:03:00 p.m.

Last accessed : 26/06/2004 11:47:00 p.m.

Last modified : 11/05/2004 1:03:00 p.m.

 

#:25 [iemaximizer.exe]

FilePath : C:\Program Files\IE New Window Maximizer\

ThreadCreationTime : 26-06-2004 11:47:01 p.m.

BasePriority : Normal

FileSize : 340 KB

FileVersion : 2.3.0.2

ProductVersion : 2.3.0.2

Copyright : © jiiSoft, Jonatan Dahl. All rights reserved.

CompanyName : jiiSoft

FileDescription : IE New Window Maximizer

InternalName : iemaximizer.exe

OriginalFilename : iemaximizer.exe

ProductName : IE New Window Maximizer

Created on : 23/01/2003 11:21:10 p.m.

Last accessed : 26/06/2004 11:47:01 p.m.

Last modified : 24/01/2003 12:21:10 a.m.

 

#:26 [acrotray.exe]

FilePath : C:\Program Files\Adobe\Acrobat 5.0\Distillr\

ThreadCreationTime : 26-06-2004 11:47:03 p.m.

BasePriority : Normal

FileSize : 80 KB

FileVersion : 5, 0, 0, 0

ProductVersion : 5, 0, 0, 0

Copyright : Copyright

CompanyName : Adobe Systems Inc.

FileDescription : AcroTray

InternalName : AcroTray

OriginalFilename : AcroTray.exe

ProductName : AcroTray - Adobe Acrobat Distiller helper application.

Created on : 9/02/2003 2:12:08 a.m.

Last accessed : 26/06/2004 11:47:02 p.m.

Last modified : 11/10/2001 4:35:00 a.m.

 

#:27 [sgmain.exe]

FilePath : C:\Program Files\SpywareGuard\

ThreadCreationTime : 26-06-2004 11:47:06 p.m.

BasePriority : Normal

FileSize : 352 KB

FileVersion : 2.02.0001

ProductVersion : 2.02.0001

Copyright : Copyright © 2002-2003 Javacool Software LLC

FileDescription : SpywareGuard

InternalName : sgmain

OriginalFilename : sgmain.exe

ProductName : SpywareGuard

Created on : 29/08/2003 7:05:35 a.m.

Last accessed : 26/06/2004 11:57:30 p.m.

Last modified : 29/08/2003 7:05:35 a.m.

 

#:28 [msoffice.exe]

FilePath : C:\Program Files\Microsoft Office\Office10\

ThreadCreationTime : 26-06-2004 11:47:11 p.m.

BasePriority : Normal

FileSize : 221 KB

FileVersion : 10.0.2609

ProductVersion : 10.0.2609

Copyright : Copyright

CompanyName : Microsoft Corporation

FileDescription : Microsoft Office XP component

InternalName : MSOFFICE

OriginalFilename : MSOFFICE.EXE

ProductName : Microsoft Office XP

Created on : 12/02/2001 11:58:54 a.m.

Last accessed : 26/06/2004 11:46:22 p.m.

Last modified : 12/02/2001 11:58:54 a.m.

 

#:29 [sgbhp.exe]

FilePath : C:\Program Files\SpywareGuard\

ThreadCreationTime : 26-06-2004 11:47:13 p.m.

BasePriority : Normal

FileSize : 228 KB

FileVersion : 2.02.0001

ProductVersion : 2.02.0001

Copyright : Copyright © 2002-2003 Javacool Software LLC.

FileDescription : SG Browser Hijacking Protection

InternalName : sgbhp

OriginalFilename : sgbhp.exe

ProductName : SG Browser Hijacking Protection

Created on : 28/08/2003 11:14:56 p.m.

Last accessed : 26/06/2004 11:46:22 p.m.

Last modified : 28/08/2003 11:14:56 p.m.

 

#:30 [ad-aware.exe]

FilePath : C:\Program Files\Lavasoft\Ad-aware 6\

ThreadCreationTime : 26-06-2004 11:58:14 p.m.

BasePriority : Normal

FileSize : 668 KB

FileVersion : 6.0.1.181

ProductVersion : 6.0.0.0

Copyright : Copyright

CompanyName : Lavasoft Sweden

FileDescription : Ad-aware 6 core application

InternalName : Ad-aware.exe

OriginalFilename : Ad-aware.exe

ProductName : Lavasoft Ad-aware Plus

Created on : 3/06/2004 10:28:02 p.m.

Last accessed : 27/06/2004 12:02:41 a.m.

Last modified : 12/07/2003 9:00:20 a.m.

 

#:31 [msmsgs.exe]

FilePath : C:\Program Files\Messenger\

ThreadCreationTime : 27-06-2004 12:02:29 a.m.

BasePriority : Normal

FileSize : 1462 KB

FileVersion : 4.7.2009

ProductVersion : Version 4.7

Copyright : Copyright © Microsoft Corporation 1997-2003

CompanyName : Microsoft Corporation

FileDescription : Messenger

InternalName : msmsgs

OriginalFilename : msmsgs.exe

ProductName : Messenger

Created on : 14/04/2003 8:05:20 a.m.

Last accessed : 27/06/2004 12:02:30 a.m.

Last modified : 14/04/2003 8:05:20 a.m.

 

Memory scan result :

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

New objects : 0

Objects found so far: 0

 

 

Started registry scan

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

 

Registry scan result :

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

New objects : 0

Objects found so far: 0

 

 

Started deep registry scan

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Possible browser hijack attempt : .Default\Software\Microsoft\Internet Explorer\MainSearch Pagetemp\sp.html

 

Possible Browser Hijack attempt Object recognized!

Type : RegData

Data : "file://C:\WINDOWS\TEMP\sp.html"

Rootkey : HKEY_USERS

Object : .Default\Software\Microsoft\Internet Explorer\Main

Value : Search Page

Data : "file://C:\WINDOWS\TEMP\sp.html"

 

Possible browser hijack attempt : .Default\Software\Microsoft\Internet Explorer\MainSearch Bartemp\sp.html

 

Possible Browser Hijack attempt Object recognized!

Type : RegData

Data : "file://C:\WINDOWS\TEMP\sp.html"

Rootkey : HKEY_USERS

Object : .Default\Software\Microsoft\Internet Explorer\Main

Value : Search Bar

Data : "file://C:\WINDOWS\TEMP\sp.html"

 

Possible browser hijack attempt : .Default\Software\Microsoft\Internet Explorer\SearchSearchAssistanttemp\sp.html

 

Possible Browser Hijack attempt Object recognized!

Type : RegData

Data : "file://C:\WINDOWS\TEMP

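The two Ad-aware logs and the HijackThis log above all point at the same handful of objects: Start Page / Search Page / Search Bar values reset to about:blank or to a local sp.html under C:\WINDOWS\TEMP, MIME filter keys under HKCR\PROTOCOLS\Filter, and the HOMEOldSP value in Internet Explorer\Main. The script below is an added example, not Ad-aware's, HijackThis's or the poster's code: it parses the "Object recognized!" record format used in these logs and groups every registry object by the hijack technique it belongs to, so a helper reading a long log sees at a glance which hives are affected. SAMPLE_LOG is a constructed excerpt in that format, and the technique labels are this example's own naming, not Ad-aware's.

```python
"""Triage of Ad-aware 6 'Object recognized!' records. Added example, not
Ad-aware's or the poster's code; SAMPLE_LOG is a constructed excerpt."""
import re
from dataclasses import dataclass
from typing import Dict, List

RECORD_START = re.compile(r"^(?P<family>.+?) Object recognized!$")
FIELD = re.compile(r"^(?P<key>[A-Za-z]+) :\s*(?P<val>.*)$")
IE_MAIN_SUFFIX = "\\microsoft\\internet explorer\\main"
PAGE_VALUES = {"start page", "search page", "search bar"}

SAMPLE_LOG = r"""
Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "about:blank"
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Main
Value : Start Page
Data : "about:blank"

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "file://C:\WINDOWS\TEMP\sp.html"
Rootkey : HKEY_USERS
Object : .Default\Software\Microsoft\Internet Explorer\Main
Value : Search Page
Data : "file://C:\WINDOWS\TEMP\sp.html"

CoolWebSearch Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : PROTOCOLS\Filter\text/html

CoolWebSearch Object recognized!
Type : RegValue
Data :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Internet Explorer\Main
Value : HOMEOldSP
"""


@dataclass
class Record:
    family: str          # text before 'Object recognized!'
    type: str = ""       # RegKey / RegValue / RegData
    rootkey: str = ""
    object: str = ""
    value: str = ""
    data: str = ""


def parse_records(text: str) -> List[Record]:
    """Split the log into records; a blank line closes the current one."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None
            continue
        start = RECORD_START.match(line)
        if start:
            current = Record(family=start.group("family"))
            records.append(current)
            continue
        field = FIELD.match(line)
        if current is None or not field:
            continue
        key, val = field.group("key").lower(), field.group("val").strip().strip('"')
        if key == "data":
            if val:              # 'Data :' is printed twice; keep the filled copy
                current.data = val
        elif key in ("type", "rootkey", "object", "value"):
            setattr(current, key, val)
    return records


def classify(rec: Record) -> str:
    """Name the hijack technique a record corresponds to."""
    obj, val, data = rec.object.lower(), rec.value.lower(), rec.data.lower()
    if rec.type == "RegKey" and obj.startswith("protocols\\filter\\"):
        return "mime-filter"     # filter DLL sees every text/html or text/plain response
    if obj.endswith(IE_MAIN_SUFFIX) and val in PAGE_VALUES:
        if data == "about:blank":
            return "page-blanked"
        return "page-local-file" if data.startswith("file://") else "page-changed"
    if obj.endswith(IE_MAIN_SUFFIX) and val == "homeoldsp":
        return "cws-marker"      # value Ad-aware attributes to CoolWebSearch
    return "other"


def triage(text: str) -> Dict[str, List[str]]:
    """Group the full registry path of every record by technique."""
    findings: Dict[str, List[str]] = {}
    for rec in parse_records(text):
        path = f"{rec.rootkey}\\{rec.object}" + (f" [{rec.value}]" if rec.value else "")
        findings.setdefault(classify(rec), []).append(path)
    return findings
```

Feed triage() the text of a saved log. Note that the scanner reports the HKEY_USERS\.Default hive separately from HKEY_CURRENT_USER: the 27 June log above shows the Search Page and Search Bar values in .Default still pointing at C:\WINDOWS\TEMP\sp.html, so a cleanup that only touches the logged-on user's hive misses them.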

Hi PGPhantom,

 

Here is my FINDnFIX log. It seems to have found something. Let me know what to do next.

 

Cheers, Beeza :-)

 

 

»»»»»»»»»»»»»»»»»»*** freeatlast.100free.com ***»»»»»»»»»»»»»»»»

 

Microsoft Windows XP [Version 5.1.2600]

The type of the file system is NTFS.

C: is not dirty.

 

Sun 27/06/2004

1:27pm up 0 days, 1:41

»»»»»»»»»»»»»»»»»»***Attention!***»»»»»»»»»»»»»»»»

Files listed in this section (in System32) are not always definitive!

Always Double Check and be sure the file pointed doesn't exist!

 

»»Locked or 'Suspect' file(s) found...

 

 

C:\WINDOWS\System32\WDMFLK.DLL +++ File read error

\\?\C:\WINDOWS\System32\WDMFLK.DLL +++ File read error

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»Special 'locked' files scan in 'System32'........

**File C:\FINDnFIX\LIST.TXT

WDMFLK.DLL Can't Open!

 

****Filtering files in System32... (-h -s -r...) ***

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

 

C:\WINDOWS\SYSTEM32\

wdmflk.dll Wed 2 Jun 2004 19:16:06 A...R 57,344 56.00 K

 

1 item found: 1 file, 0 directories.

Total of file sizes: 57,344 bytes 56.00 K

 

No matches found.

 

Sniffing..........

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Sniffed -> C:\WINDOWS\SYSTEM32\WDMFLK.DLL

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

 

»»Size of Windows key:

(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

 

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(ID-NI) ALLOW Read BUILTIN\Users

(ID-IO) ALLOW Read BUILTIN\Users

(ID-NI) ALLOW Full access BUILTIN\Administrators

(ID-IO) ALLOW Full access BUILTIN\Administrators

(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

 

»»Member of...: (Admin logon required!)

User is a member of group BEEZA\None.

User is a member of group \Everyone.

User is a member of group BUILTIN\Administrators.

User is a member of group BUILTIN\Users.

User is a member of group \LOCAL.

User is a member of group NT AUTHORITY\INTERACTIVE.

User is a member of group NT AUTHORITY\Authenticated Users.

 

»»Dir 'junkxxx' was created with the following permissions...

(FAT32=NA)

Directory "C:\junkxxx"

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 00000000 t--- 001F01FF ---- DSPO rw+x BEEZA\Beeza

Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER

Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users

Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users

Allow 00000002 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

 

Owner: BEEZA\Beeza

 

Primary Group: BEEZA\None

 

 

 

»»»»»»Backups created...»»»»»»

1:29pm up 0 days, 1:43

Sun 27/06/2004

 

A C:\FINDnFIX\winBack.hiv

--a-- - - - - - 8,192 06-27-2004 winback.hiv

A C:\FINDnFIX\keys1\winkey.reg

--a-- - - - - - 287 06-27-2004 winkey.reg

 

»»Performing 16bit string scan....

 

---------- WIN.TXT

fùAppInit_DLLsÖ?æG¸ÿÿÿC

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=""

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

 

FBpxqH

Windows

AppInit

UDeviceNotSelectedTimeout

zGDIProcessHandleQuota"

Spooler2

5swapdisk

TransmissionRetryTimeout

USERProcessHandleQuota"

 

**File C:\FINDnFIX\WIN.TXT

Windows ÿÿÿsk x x Ô „¸ È ¤ !


This will take a couple or more steps to fix. Be sure to follow the next set of steps carefully, in the exact order specified:

  1. Open the "FINDnFIX\Keys1" subfolder!
  2. Locate the "MOVEit.bat" file, right-click on it and select => "edit". The file will open as an empty text file.
  3. Copy and paste the entire highlighted line in the following quote box
    (all one line) into that blank 'MOVEit' file:
    move C:\WINDOWS\System32\WDMFLK.DLL C:\junkxxx\WDMFLK.DLL

  4. Save the file and close.
  5. Get ready to restart your computer.
  6. In the same folder, double-click on the "FIX.bat" file.
  7. You will be prompted by a popup alert to restart in 15 seconds.
  8. Allow it to restart the computer!
  9. On restart, navigate to the C:\FINDnFIX\ main folder.
  10. Double-click on the "RESTORE.bat" file.
  11. It'll run and produce a new log (log1.txt). Post it here!

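Added example, not part of this thread and not code from the FINDnFIX tool: a Python triage script for FINDnFIX-style excerpts like the log above and the post-fix log the steps just given produce. It classifies the reported size of the Windows key against the reference sizes the tool itself prints, reads AppInit_DLLs out of the REGEDIT4 export, and checks whether the locked DLL is still under System32 or has been moved to C:\junkxxx. The two excerpts are constructed from lines posted here; the verdict rules and function names are my own assumptions.

```python
import re

# Constructed excerpts modelled on the FINDnFIX output posted in this thread: BEFORE_LOG
# from before the fix (DLL in System32, key size 448), AFTER_LOG from after it (450).
BEFORE_LOG = r"""
Sniffed -> C:\WINDOWS\SYSTEM32\WDMFLK.DLL
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)
Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"""

AFTER_LOG = r"""
Sniffed -> C:\JUNKXXX\WDMFLK.DLL
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)
Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450
"""

REF_SIZES_RE = re.compile(r"\*Default-(\d+)\s+\*No AppInit-(\d+)\s+\*fake\(infected\)-([\d,]+)")
KEY_SIZE_RE = re.compile(r"CurrentVersion\\Windows:\s*(\d+)")
SNIFFED_RE = re.compile(r"Sniffed -> (\S+)")
REG_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reference_sizes(log: str) -> dict:
    """Read the reference line the tool prints: default, no-AppInit and known-bad key sizes."""
    m = REF_SIZES_RE.search(log)
    if not m:
        raise ValueError("reference size line not found")
    return {"default": int(m.group(1)), "no_appinit": int(m.group(2)),
            "fake": {int(x) for x in m.group(3).split(",") if x}}


def parse_reg_export(log: str) -> dict:
    """Parse the REGEDIT4 export of the Windows key into {value name: value}."""
    values, inside = {}, False
    for line in log.splitlines():
        line = line.strip()
        if line.startswith("["):  # key header: only read values under the Windows key
            inside = line.lower().endswith("\\currentversion\\windows]")
            continue
        m = REG_VALUE_RE.match(line) if inside else None
        if not m:
            continue
        name, raw = m.groups()
        if raw.startswith("dword:"):
            values[name] = int(raw[len("dword:"):], 16)
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            values[name] = raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        else:
            values[name] = raw
    return values


def assess(log: str) -> dict:
    """Classify the key size, locate the DLL, and read AppInit_DLLs; return one verdict."""
    ref = parse_reference_sizes(log)
    m = KEY_SIZE_RE.search(log)
    if not m:
        raise ValueError("Windows key size not found")
    size = int(m.group(1))
    size_class = ("default" if size == ref["default"] else
                  "no_appinit" if size == ref["no_appinit"] else
                  "suspect" if size in ref["fake"] else "unknown")
    m = SNIFFED_RE.search(log)
    dll_path = m.group(1) if m else None
    in_system32 = bool(dll_path) and "\\system32\\" in dll_path.lower()
    # An empty exported AppInit_DLLs (as in the pre-fix log) does not clear the key: the
    # size check exists because the export can look normal while the key itself does not.
    appinit = parse_reg_export(log).get("AppInit_DLLs")
    if size_class == "suspect" or in_system32:
        verdict = "infected"
    elif size_class in ("default", "no_appinit"):
        verdict = "clean"
    else:
        verdict = "review"
    return {"key_size": size, "size_class": size_class, "dll_path": dll_path,
            "appinit_dlls": appinit, "verdict": verdict}
```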

trollafrog - Please do not post in active logs - I am already working on the fix and am guiding the user through the various steps - You are only serving to confuse. Thank you for your consideration.


I'm baaaaack! Looking good PGPhantom. Here's the log...

 

 

»»»»»»»»»»»»»»»»»»*** freeatlast.100free.com ***»»»»»»»»»»»»»»»»

 

Sun 27/06/2004

6:57pm up 0 days, 0:04

 

Microsoft Windows XP [Version 5.1.2600]

The type of the file system is NTFS.

C: is not dirty.

 

*Locked files...

* result\\?\C:\junkxxx\WDMFLK.DLL

 

»»»Filtering files in System32.......( 'R;H;S') »»»

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

 

No matches found.

 

No matches found.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

 

C:\JUNKXXX\

wdmflk.dll Wed 2 Jun 2004 19:16:06 A...R 57,344 56.00 K

 

1 item found: 1 file, 0 directories.

Total of file sizes: 57,344 bytes 56.00 K

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Sniffed -> C:\JUNKXXX\WDMFLK.DLL

 

 

Search text: ÝSTREAMINGDEVICESETUP2Þ ®CASE Insensitive Match

Searching ==>C:\JUNKXXX\WDMFLK.DLL

Run Time(sec) 0

**File C:\JUNKXXX\WDMFLK.DLL

0000DEBE: 67 44 65 76 69 63 65 00 . 00 53 74 72 65 61 6D 69 gDevice. .Streami

0000DED3: 63 65 53 65 74 75 70 00 . 32 00 00 00 00 00 E0 01 ceSetup. 2.....à.

 

move C:\WINDOWS\System32\WDMFLK.DLL C:\junkxxx\WDMFLK.DLL

 

-ra-- W32i - - - - 57,344 06-02-2004 wdmflk.dll

A R C:\junkxxx\WDMFLK.DLL

File: <C:\junkxxx\WDMFLK.DLL>

 

CRC-32 : D5C9FB2E

 

MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249

 

 

 

 

»»Permissions:

C:\junkxxx\WDMFLK.DLL Everyone:(special access:)

 

SYNCHRONIZE

FILE_EXECUTE

 

BUILTIN\Administrators:F

 

Directory "C:\junkxxx\."

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 00000000 t--- 001F01FF ---- DSPO rw+x BEEZA\Beeza

Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER

Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users

Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users

Allow 00000002 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

 

Owner: BEEZA\Beeza

 

Primary Group: BEEZA\None

 

Directory "C:\junkxxx\.."

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER

Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users

Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users

Allow 0000000A -c-- 00000002 ---- ---- -w-- BUILTIN\Users

Allow 00000000 t--- 001200A9 ---- -S-- r--x \Everyone

 

Owner: BUILTIN\Administrators

 

Primary Group: NT AUTHORITY\SYSTEM

 

File "C:\junkxxx\WDMFLK.DLL"

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000000 t--- 00100020 ---- ---- ---x \Everyone

Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

 

Owner: BEEZA\Beeza

 

Primary Group: BEEZA\None

 

 

»»Size of Windows key:

(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

 

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(ID-NI) ALLOW Read BUILTIN\Users

(ID-IO) ALLOW Read BUILTIN\Users

(ID-NI) ALLOW Full access BUILTIN\Administrators

(ID-IO) ALLOW Full access BUILTIN\Administrators

(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

 

 

---------- WIN.TXT

fùAppInit_DLLsÖ?æG¸ÿÿÿC

 

---------- NEWWIN.TXT

AppInit_DLLsecte

**File C:\FINDnFIX\NEWWIN.TXT

**File C:\FINDnFIX\NEWWIN.TXT

000012F0: 01 00 00 00 01 00 76 00 . 5F 44 4C 4C 73 65 63 74 ......v. _DLLsect

**File C:\FINDnFIX\NEWWIN.TXT

Ñ_åàÿÿÿvk € 5swapdisk h ° ð X Ðÿÿÿvk à . TransmissionRetryTimeoutÐÿÿÿvk €' E USERProcessHandleQuota" àÿÿÿh ° ð X ˆ Ø Øÿÿÿvk € v AppInit_DLLsecte


PGPhantom,

 

One thing I forgot to say is that I got a ZoneAlarm alert when the computer restarted...

 

"backWeb-8876480.exe is trying to access the Internet. Destination IP: 63.251.254.11: Port 370

This program has changed since the last time it ran!"

 

At this stage I have denied Internet access to backWeb-8876480.exe. Should I be worried about this? Do you know what it's about?

 

Cheers, Beeza :-)


Can you post an updated HijackThis log? The backweb issue - I would disable it ... It comes with the software for Logitech products. It automatically checks for software upgrades and new products, services, and special offerings from Logitech - to me personally, a clever way for Logitech to push ads to you?? Not good in my books.


Logfile of HijackThis v1.97.7

Scan saved at 7:20:07 p.m., on 27/06/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\System32\igfxtray.exe

C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe

C:\WINDOWS\System32\hkcmd.exe

C:\Program Files\Intel\Intel® Active Monitor\imontray.exe

C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE

C:\Program Files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\IE New Window Maximizer\iemaximizer.exe

C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

C:\Program Files\SpywareGuard\sgmain.exe

C:\Program Files\Microsoft Office\Office10\msoffice.exe

C:\Program Files\SpywareGuard\sgbhp.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Messenger\msmsgs.exe

C:\_EVOLVE\Downloads\Spyware Removal Tools\Hijack This\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\BRANDO~1\LOCALS~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\BRANDO~1\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [iMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe

O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe

O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE

O4 - HKLM\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe

O4 - HKCU\..\Run: [iridiumTimeWizard] C:\Program Files\Iridium\iridium.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [iE New Window Maximizer] C:\Program Files\IE New Window Maximizer\iemaximizer.exe

O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O15 - Trusted Zone: http://www.reddirect.co.nz

O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab

O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab

O16 - DPF: {4BEE3896-4820-48D1-85EA-5A9A9ECD3D95} (OPUCatalog Class) - http://office.microsoft.com/productupdates...t/opuc/opuc.cab

O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab

O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - http://www.installengine.com/engine/isetup.cab

O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://192.168.152.250/activex/AxisCamControl.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7587.0816666667

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab


I am fairly positive that we are dealing with a few registry remnants ...

 

Run HijackThis and delete:

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\BRANDO~1\LOCALS~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\BRANDO~1\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

 

Wait a few hours, reboot and post another HijackThis log just to verify that it is not back again.

 

It has gone midnight so adios for now - I'll check first thing in the morning to see if you have another log to check.

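Added example, not from this thread and not HijackThis code: a Python script that parses HijackThis-format lines, flags the R0/R1 search-page remnants named above (file:// targets and the HomeOldSP leftover), and diffs a follow-up log against the earlier one to confirm that nothing came back, which is the verification asked for here. The two log excerpts are constructed from lines posted in this thread; the function names are my own assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpts modelled on the two HijackThis 1.97.7 logs posted in this thread:
# HJT_BEFORE from before the three R0/R1 entries were deleted, HJT_AFTER from after the reboot.
HJT_BEFORE = r"""
Logfile of HijackThis v1.97.7
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\BRANDO~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\BRANDO~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe
O15 - Trusted Zone: http://www.reddirect.co.nz
"""

HJT_AFTER = r"""
Logfile of HijackThis v1.97.7
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe
O4 - HKCU\..\RunOnce: [iTouch] C:\Program Files\Logitech\iTouch\iTouch.exe /RegServer
O15 - Trusted Zone: http://www.reddirect.co.nz
"""

ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")  # "R1 - ...", "O4 - ...": section code, then detail


def parse_hjt(log: str) -> List[Tuple[str, str]]:
    """Return (section, detail) pairs for every finding line; header lines are skipped."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def is_search_page_remnant(section: str, detail: str) -> bool:
    """R0/R1 entries pointing IE's search or start page at a local file, plus the HomeOldSP
    leftover, are the 'registry remnants' this thread deletes."""
    if section not in ("R0", "R1"):
        return False
    target = detail.split("=", 1)[1].strip().lower() if "=" in detail else ""
    return target.startswith("file://") or "homeoldsp" in detail.lower()


def flag_remnants(log: str) -> List[str]:
    return [f"{s} - {d}" for s, d in parse_hjt(log) if is_search_page_remnant(s, d)]


def verify_cleanup(before: str, after: str) -> Dict[str, List[str]]:
    """Compare a follow-up log with the earlier one: which findings went away, which are new,
    and whether any flagged remnant is back."""
    old = {f"{s} - {d}" for s, d in parse_hjt(before)}
    new = {f"{s} - {d}" for s, d in parse_hjt(after)}
    return {"removed": sorted(old - new), "added": sorted(new - old),
            "still_flagged": flag_remnants(after)}
```

A non-empty "added" list is worth a second look even when "still_flagged" is empty; here the one new entry is a Logitech RunOnce item that also appears in the clean log posted below.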

I should have added - Can you do as much of the following as possible ...

 

The following is a recommended maintenance regime for Windows XP:

  1. The following DIRECTORY CONTENTS (but not the directories themselves) need to be regularly emptied. Make sure your settings allow you to view "Hidden files". Open up any explorer window and click on "Tools" => "Folder Options" => "View" and be sure to check "Show Hidden Files and Folders". Click on "Apply to All Folders", then respond "Yes" when prompted and click on "OK" to apply the change.
    • %windir%\prefetch\
    • %windir%\Temp\
    • %temp%\
    • %userprofile%\Local Settings\Temp\
    • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
    • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
  2. Click on "Start" => "Settings" => "Control Panel" => "Internet Options". Click on "Delete Files", select "Delete All Offline Content" and click on "OK". Click on "OK" once more to close the options panel.
  3. Right-click on "Recycle Bin", select "Empty Recycle Bin" and respond "Yes" when prompted.
  4. Back up your files. You can use Windows Backup, which must be installed from the XP CD (<cd-Drive>\valuadd\msft\ntbackup). Be sure to back up the following:
    • Office documents
    • Email data - messages and address book
    • Game saves.
    • Digital photos and other artwork.
    • Movies that you have created or edited.
    • MP3s and other music files.
    • Browser favorites and bookmarks.
    • Downloaded files/programs.
    • Passwords, security codes etc. for anything that is password protected, like Quicken.
    • Activation codes for applications downloaded and registered.
  5. Do not go without an anti-virus program. Free ones include:
  6. Be sure to run a periodic Trojan scan with any of the following programs:
  7. Use a firewall such as ZoneAlarm.
  8. Regularly scan for adware and spyware using the following programs:
  9. Defragment your system. Click on "Start" => "Programs" => "Accessories" => "System Tools" => "Disk Defragmenter".
  10. Update your system. Go to Microsoft Windows Update and download all critical updates for your system.
  11. Clean up your disk. Click on "Start" => "Programs" => "Accessories" => "System Tools" => "Disk Cleanup".
  12. Clear your icon cache. Delete the following file: %userprofile%\Local Settings\Application Data\IconCache.db. Reboot.


Hi PGPhantom,

 

Thanks for that. I have deleted the 3 remnants and done most of the other things too. Will post another log in a few hours.

 

Cheers, Beeza :-)


Hi PGPhantom,

 

Things are looking GOOOOD! I cleaned up those remnants, then deleted content from all 7 folders you recommended. Found another sp.html hiding in Default User/Temp and deleted that too. It's been 5 1/2 hours so far and it's looking GREAT. I haven't rebooted yet, so fingers crossed. I'm off to bed now, it's 1:25 am here. Talk again in the morning.

 

Cheers, Beeza :-)

 

 

Logfile of HijackThis v1.97.7

Scan saved at 1:20:40 a.m., on 28/06/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\System32\igfxtray.exe

C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe

C:\WINDOWS\System32\hkcmd.exe

C:\Program Files\Intel\Intel® Active Monitor\imontray.exe

C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE

C:\Program Files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\IE New Window Maximizer\iemaximizer.exe

C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

C:\Program Files\SpywareGuard\sgmain.exe

C:\Program Files\Microsoft Office\Office10\msoffice.exe

C:\Program Files\SpywareGuard\sgbhp.exe

C:\_EVOLVE\Downloads\Spyware Removal Tools\Hijack This\HijackThis.exe

C:\Program Files\Messenger\msmsgs.exe

 

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [iMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe

O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe

O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE

O4 - HKLM\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe

O4 - HKCU\..\Run: [iridiumTimeWizard] C:\Program Files\Iridium\iridium.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [iE New Window Maximizer] C:\Program Files\IE New Window Maximizer\iemaximizer.exe

O4 - HKCU\..\RunOnce: [iTouch] C:\Program Files\Logitech\iTouch\iTouch.exe /RegServer

O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O15 - Trusted Zone: http://www.reddirect.co.nz

O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab

O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab

O16 - DPF: {4BEE3896-4820-48D1-85EA-5A9A9ECD3D95} (OPUCatalog Class) - http://office.microsoft.com/productupdates...t/opuc/opuc.cab

O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab

O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - http://www.installengine.com/engine/isetup.cab

O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://192.168.152.250/activex/AxisCamControl.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7587.0816666667

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab


The good news is ... It is clean :):D Thank you for sticking in there while we resolved this.

 

The problems here look to be resolved so I will close the thread. If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.

 

If you would like to make a contribution to help support SpywareInfo, please check this link for more information.


Beeza adds thanks via email:

 

 

My CWS problem has been fully resolved by PGPhantom and the thread closed before I had a chance to thank him.

 

PGPhantom... a BIG THANK YOU!!! You were brilliant. And thank YOU for sticking in there while we resolved it. It has been a pleasure working with you.

 

Cheers, Beeza :-)
