CWSearchx

#1 awdeluca (New Member, 4 posts)

Posted 12 June 2004 - 09:16 AM

I have had this problem for going on 2 months. I obviously have some kind of sleeper file; it recurs about once a day and tries to hijack my browser. I know how to get rid of it using HijackThis and CWShredder, then going into the registry and deleting HomeOldSp (about:blank). The problem is I don't know where the damn little sleeper program resides so I can get rid of it for good - has anyone else dealt with this and have any ideas on how to remove it permanently???

Thanks in advance for the help.

#2 awdeluca (New Member, 4 posts)

Posted 12 June 2004 - 09:20 AM

This little thing is a real bitch. I just don't understand how it keeps coming back a full day later after I removed it. Very frustrating.

#3 awdeluca (New Member, 4 posts)

Posted 12 June 2004 - 09:29 AM

I can post a log file if that will help anyone...


Logfile of HijackThis v1.97.7
Scan saved at 7:29:39 AM, on 6/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
D:\Program Files\Creative\SBLive2k\AudioHQ\AHQTB.EXE
D:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb03.exe
D:\Program Files\Real\RealPlayer\realplay.exe
C:\WINNT\System32\devldr32.exe
D:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe
D:\Program Files\Mouse\Amoumain.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
D:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\CasinoOnline\CsRemnd.exe
C:\WINNT\System32\ctfmon.exe
D:\Program Files\SpyWareWebroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Hewlett-Packard\AiO\hp officejet 5100 series\Bin\hpoant07.exe
C:\Documents and Settings\Home User\Start Menu\Programs\Startup\Calendar.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
D:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINNT\System32\CTSvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\ZipToA.exe
d:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
D:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\WINNT\System32\hpoipm07.exe
D:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
D:\Program Files\Network Associates\VirusScan\Avconsol.exe
d:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
d:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
D:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
D:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\CW_Shredder\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msnbc.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://msnbc.msn.com
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
O4 - HKLM\..\Run: [AudioHQ] D:\Program Files\Creative\SBLive2k\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [Iomega Startup Options] D:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] D:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb03.exe
O4 - HKLM\..\Run: [RealTray] D:\Program Files\Real\RealPlayer\realplay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [3c1807pd] C:\WINNT\SYSTEM32\3cmlink.exe RunServices \Device\3cpipe-3c1807pd
O4 - HKLM\..\Run: [Pop-Up Stopper] "D:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"
O4 - HKLM\..\Run: [WheelMouse] Amoumain.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] d:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [Remndr] "C:\Program Files\CasinoOnline\CsRemnd.exe"
O4 - HKCU\..\Run: [UpdSys] C:\Program Files\Internet Explorer\System.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] D:\Program Files\SpyWareWebroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Calendar.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HPAiODevice(hp officejet 5100 series) - 1.lnk = D:\Program Files\Hewlett-Packard\AiO\hp officejet 5100 series\Bin\hpoant07.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...wdir702d140.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan....r/axscanner.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.micros...ontent/opuc.cab
O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181.../proxy/CCMP.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...AB?38083.880625
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate....nloads/outc.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/p...t/msnchat45.cab
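As an added example (not code from the thread or from the HijackThis project), a small Python triage helper for the log format above: it parses the O4 autorun entries, extracts the program each one launches, and cross-checks them against the "Running processes" list, flagging entries that were not running when the log was taken or that are listed without a directory (so the loader has to search for the binary). The embedded sample is a constructed subset of the log posted above.

```python
import ntpath, re

# Constructed sample: a subset of the HijackThis v1.97.7 log posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINNT\Explorer.EXE
D:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe
D:\Program Files\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [Pop-Up Stopper] "D:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"
O4 - HKLM\..\Run: [WheelMouse] Amoumain.exe
O4 - HKCU\..\Run: [UpdSys] C:\Program Files\Internet Explorer\System.exe
"""

ITEM_RE = re.compile(r"^[A-Z]\d+ - ")                      # start of any Rn/On item line
O4_RE = re.compile(r"^O4 - (?P<where>[^:]+): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.+)$")

def command_image(cmd):
    """Program path from an O4 command line: a quoted path verbatim, else the shortest
    token prefix ending in an executable extension (about how Windows resolves it)."""
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    tokens = cmd.split()
    prefixes = [" ".join(tokens[: i + 1]) for i in range(len(tokens))]
    return next((p for p in prefixes if p.lower().endswith((".exe", ".com", ".bat", ".scr"))), tokens[0])

def parse_log(text):
    """Return (set of running image basenames, list of parsed O4 autorun entries)."""
    running, entries, in_procs = set(), [], False
    for line in (l.strip() for l in text.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif ITEM_RE.match(line):
            in_procs = False
        elif in_procs and line:
            running.add(ntpath.basename(line).lower())
        m = O4_RE.match(line)
        if m:
            image = command_image(m.group("cmd"))
            entries.append({"where": m.group("where"), "name": m.group("name") or "",
                            "image": image, "basename": ntpath.basename(image).lower(),
                            "bare_name": ntpath.dirname(image) == ""})  # no directory: found via search path
    return running, entries

def triage(text):
    """Autorun entries worth a second look: not seen running, or listed without a directory."""
    running, entries = parse_log(text)
    return [e for e in entries if e["basename"] not in running or e["bare_name"]]
```

Run `triage(SAMPLE_LOG)` and compare the flagged names against what you know is installed; an entry that is configured to run at every logon but is absent from the process list is the kind of item to investigate first when a hijack keeps reappearing.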

#4 awdeluca (New Member, 4 posts)

Posted 12 June 2004 - 09:47 AM

Come on guys, help a lady out. I am pretty decent on a computer, but this thing is kicking my butt *once each day*.

#5 Scoff (SWI Junkie, Retired Staff, 294 posts)

Posted 18 June 2004 - 07:46 PM

Download this zip.

http://tools.zerosrealm.com/pv.zip
Please unzip it to the desktop. It will not work if you run it from inside the zip.

After unzipping, go to the desktop. Open the pv folder. Double-click on runme.bat.

A DOS window will open. Please select option 1 for explorer DLLs by typing 1 and then pressing enter.

Notepad will open with a log in it. Please copy and paste the log into this post.

Edited by Scoff, 19 June 2004 - 09:59 PM.

Regards
Scoff

We've heard that a million monkeys at a million keyboards could produce the complete works of Shakespeare; now, thanks to the Internet, we know that is not true. - Robert Wilensky
