I Believe I have CoolWWW


10 replies to this topic

#1 Tbone

Posted 16 June 2004 - 08:24 PM

I have read all your FAQs carefully as well as many posts but can't seem to resolve my problem. My homepage keeps getting switched to:

rajov.dll/sp.html#96676

Actually, the first 5 characters don't seem to be important since they have changed several times. I have run about 10 different spyware programs and so far have had the most success with Adaware and Spy Sweeper. They both seem to catch something called CoolWWW. Adaware also found Atwala cookie and Wsj cookie. I have run them in normal boot as well as safe mode boot and obviously have made sure they are fully up to date. They eliminate the problem but then it comes back after any internet activity. I have entered the registry and deleted the entries as well as "fixing" them with HijackThis but they continue to come back. I have checked all of the O4 files with your database and they seem to be valid. I may not require some of them but they don't appear to be listed as "trouble" files. Also, I have lots of delays in computer access, meaning that often I try to click or scroll or something and nothing happens. I have to wait a few seconds to get control back. I ran Norton and McAfee antivirus and found nothing, then recently installed AVG and it ran for quite some time then just stopped. I don't think it even finished but found a bunch of stuff, nothing that appeared to be a concern. I've been at it for 3 days now and it's late so I'm tired and am not thinking as clearly as I'd like to be. I'm heading home shortly but wanted to fire this off in hopes that you can give me a few suggestions to try.

Thank you very much in advance for any assistance you can offer.

Logfile of HijackThis v1.97.7
Scan saved at 9:06:49 PM, on 6/16/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\mskx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
C:\WINDOWS\System32\kmw_run.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\NET2SOFT\Anti-Hacker&Trojan Expert\Firewall.exe
C:\WINDOWS\system32\ieno.exe
C:\WINDOWS\system32\tbctray.exe
C:\WINDOWS\System32\KMW_SHOW.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\eFax Messenger Plus\HotTray.exe
C:\Program Files\eFax Messenger Plus\Dllcmd32.exe
C:\Misc_Crap\Downloads\2215\Pocketforce\NewPost.exe
C:\Program Files\FlashGet\flashget.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rajov.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://rajov.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://rajov.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rajov.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://rajov.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\rajov.dll/sp.html#96676
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {C802FF77-7FEF-71C1-2FDF-C69DCC178985} - C:\WINDOWS\ienv32.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v2] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [Anti-Hacker Expert Firewall] C:\PROGRA~1\NET2SOFT\Anti-Hacker&Trojan Expert\Firewall.exe
O4 - HKLM\..\Run: [AT-Watch] C:\Program Files\Anti-Trojan-55\ATWatch.exe
O4 - HKLM\..\Run: [Anti-Trojan-Watch] C:\Program Files\Anti-Trojan-55\ATWatch.exe
O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
O4 - HKLM\..\Run: [ieno.exe] C:\WINDOWS\system32\ieno.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [AVG7_RegCleaner] C:\PROGRA~1\Grisoft\AVG7\avgregcl.exe /BOOT
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\system32\tbctray.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKLM\..\RunOnce: [apivn32.exe] C:\WINDOWS\apivn32.exe
O4 - HKLM\..\RunOnce: [netjk32.exe] C:\WINDOWS\system32\netjk32.exe
O4 - HKLM\..\RunOnce: [ipqp.exe] C:\WINDOWS\system32\ipqp.exe
O4 - HKLM\..\RunOnce: [ipfk32.exe] C:\WINDOWS\ipfk32.exe
O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: eFax Tray Menu.lnk = C:\Program Files\eFax Messenger Plus\HotTray.exe
O4 - Global Startup: Live Menu.lnk = C:\Program Files\eFax Messenger Plus\Dllcmd32.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Save with Download Manager... - C:\Program Files\J River\Media Jukebox\DMDownload.htm
O9 - Extra button: AIM (HKLM)
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weat...Transporter.cab?
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8036.6009027778
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#2 Tbone

Posted 17 June 2004 - 08:00 AM

Anyone have any thoughts on this? I'm not trying to be pushy, it's just that since last night it's found itself back six pages already. If someone is investigating it please let me know. It seems that you guys definitely have your hands full.

One item I forgot to mention: once I got this thing (Trojan, Virus, Malware, whatever) my Media Player stopped working. I went to MS Update and there was an update but the first time I ran it nothing happened, it still didn't work. I ran it again and the second time it was fixed.

Oh yeah, one last item, I ran a trojan program that checked all the ports and one that showed up was:

Port 5000 open. Possible trojans. Sockets de Troie, Blazer 5

Hope that helps.

Thanks

#3 Tbone

Posted 17 June 2004 - 10:45 AM

In reading another post I saw that they ran dllfix.exe so I obtained this and also ran it. See the output.txt and windows1.txt below. I tried to attach the windows1.txt but I don't seem to have that option. Maybe it is not enabled on my account? In the other post there was a file at the end but not in mine, so it seems that I have a different issue, but I thought this might help anyway.

-------------------------------

--==***@@@ FIND-ALL' VERSION MODIFIED -6/14 @@@***==--
--==***@@@ ORIGINAL BY FREEATLAST @@@***==--

Thu 06/17/2004
11:17 AM

System Info:

Microsoft Windows XP [Version 5.1.2600]
C: "" (3C07:D666) - FS:NTFS clusters:4k
Total: 74 340 044 800 [69G] - Free: 14 089 404 416 [13G]


*IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe
*Notepad version :
5.1.2600.0 C:\WINDOWS\system32\notepad.exe
5.1.2600.0 C:\WINDOWS\notepad.exe
*Media Player version :
9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q832894;Q330994;Q837009;Q831167;



Locked or 'Suspect' file(s) found...
These may be other files that Dllfix doesnt target.
If not file is listed than Dllfix may not Help.
in this case please post the contents of Windows.txt to the appinit
entry can be checked. You will find it in the dllfix folder after findall completes.


Scanning for main Hijacker:


Dllfix must have the Hijackerfiles in system32 to fix properly.
If there are no protocal keys text/html and text/plain
then dllfix may not work. This fix targets this type Hijack Entry.
that keeps reoccuring with different filenames.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page
= res://C:\WINDOWS\System32\xxxxxx.dll/sp.html (obfuscated)
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A5366673-E8CA-11D3-9CD9-0090271D075B}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C802FF77-7FEF-71C1-2FDF-C69DCC178985}]
@=""

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/xml]
"CLSID"="{807553E5-5146-11D5-A672-00B0D022E945}"


! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

*Security settings for 'Windows' key:

If error than registry may need to be restored from option 4.

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM




--------------------------------------


#4 Tbone

Posted 17 June 2004 - 10:49 AM

Also, I just ran Adaware again and it found the following all listed as CoolWWW:

windows\system32\pbxec.dll
windows\system32\rajov.dll
windows\oyikp.dll

Oyikp.dll was the original file that was getting loaded as my homepage; then apparently I was successful at removing something, such that the main program started over and created rajov.dll, which is what my homepage gets switched to now.

I did not tell Adaware to fix them yet until I hear back from you guys on what I should do next.

#5 Tbone

Posted 17 June 2004 - 11:05 AM

Two other things to note:

1. I have run CWShredder many times and it continually tells me that everything is ok, which it has done from the beginning.

2. I got a time out a few minutes ago where I ended up at qsrch.com. I tried to search on the web but can't really find anything useful.

#6 greenspleen

Posted 17 June 2004 - 11:10 AM

I have the same thing as you.

I used to be able to access the web on IE, it just took a while.

Now I'm getting not only timeouts, but IE isn't even trying anymore. I just get diverted to bad pages, with no results. I'm on AOL right now, and even that's stalling and looks like it's gonna kick out anytime soon.

I seriously think if they don't come up with a new solution within the next 12 to 24 hours, I'm gonna have to reformat my hard drive, because the speed at which things have gotten progressively worse with this crap is staggering. :-(

#7 greenspleen

Posted 17 June 2004 - 11:18 AM

Just so you know...

Internet Explorer is now completely dead for me.

It takes 30 seconds to refresh these pages on AOL.

It took about 5 this morning.

#8 Tbone

Posted 17 June 2004 - 04:20 PM

What in the world is happening with this site? Are you having a denial of service attack or something? I had no problems accessing this morning but as of late morning I have not really been able to get on. At the moment I am typing but the page is still loading. I have no idea if this will post or not.

Anyway, I think I have gotten rid of this hijacker. There were a combination of things that ultimately led to getting rid of it. I will try to break it down the best I can. Mind you that I have very little experience with this sort of thing so some of my wording may sound amateurish.

WARNING: As I mentioned above, I know very little about this stuff so I suggest you proceed at your own risk. I can't honestly say if I have done any damage to my machine but what I can say is that the hijacking problem appears to be gone and everything is back to normal.

- The most important was two files running in the Task Manager, ieno.exe and mskx.exe. It seems that if either is running it will recreate the other, so you need to get rid of both quickly in succession. Something tells me that the names are random, which makes it even harder for everyone else, although from day one I had noticed ieno.exe and no matter how many different trojan programs I ran it said the same.

- Once I stopped the two processes above I quickly opened hijackthis and got rid of all the search items at the top and the bho items which kept being recreated (random dll files).

- I then did a hard drive search for ieno.exe and mskx.exe and found them in the windows and windows\system directories respectively, along with something for each referring to prefetch. To be honest, after being at it for 3 days I stopped keeping records of it and am just going from memory. Anyway, I deleted all of those.

- I then did a scan of the registry for any references to the above two files and deleted any keys related.

- I then opened IE options from the control panel and set my home page to Google.

- I then ran Adaware which ultimately found 10 new dll files all titled as CoolWWW. It seems that any time I turn off the mskx.exe process that ieno would recreate it as well as change the name and recreate a new dll file to replace my home page.

- I ran Spybot Search and Destroy and it found nothing.

- I ran CWShredder for the last time and it found nothing; it has not found anything from the time this started, which makes me think that this must be a new variation of CoolWWW.

- Emptied my recycle bin.

Hmm, I think that's it. I rebooted and all is well. My pages aren't changed and more importantly my task manager is void of mskx.exe and ieno.exe. I ran lots of spyware programs in safe mode but ultimately nothing resolved this problem. At the end of the day, everything above was done in normal bootup mode.

I hope this may be of some help to others.

To the experts, based on what I did, does everything sound good or should I perform any other check to be sure all traces are gone?

#9 Tbone

Posted 17 June 2004 - 04:23 PM

> Just so you know...
>
> Internet Explorer is now completely dead for me.
>
> It takes 30 seconds to refresh these pages on AOL.
>
> It took about 5 this morning.

Greenspleen, give a try to the steps above and hopefully you have the same success I did.

Good luck.

#10 river

Posted 18 June 2004 - 02:33 AM

Greenspleen, as far as I know that *.dll/index.html#96676 only affects IE. I suggest that you try a different browser like Mozilla (http://www.mozilla.org) until the experts on this site figure out how to kill this little bastard.

#11 Tbone

Posted 18 June 2004 - 07:53 AM

> Greenspleen, as far as I know that *.dll/index.html#96676 only affects IE. I suggest that you try a different browser like Mozilla (http://www.mozilla.org) until the experts on this site figure out how to kill this little bastard.

What I had did affect IE, but it would "run" in the background whether I had IE opened or not. If I booted up my system and didn't even run IE I would still have sporadic delays when typing or clicking or doing whatever, which was definitely in some way related to this.

Greenspleen, if you can wait for the "experts" then I would say definitely do so, but if not then give a check to my comments above. I will add that there is a tool at LIUtilities called WinTasks that will show what the task manager shows, and when you click on a file it will tell you its purpose if it is a file used by Windows. This would help you weed out many files, then examine the rest of the processes and see if any two stand out as processes you know nothing about.

For the experts, following is my latest Hijackthis log as of this morning which seems to indicate that the virus/trojan/malware is in fact gone.

Logfile of HijackThis v1.97.7
Scan saved at 8:46:09 AM, on 6/18/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\PROGRA~1\NET2SOFT\Anti-Hacker&Trojan Expert\Firewall.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\tbctray.exe
C:\Program Files\LIUtilities\WinTasks\wintasks.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\Rainlendar\Rainlendar.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v2] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [Anti-Hacker Expert Firewall] C:\PROGRA~1\NET2SOFT\Anti-Hacker&Trojan Expert\Firewall.exe
O4 - HKLM\..\Run: [AT-Watch] C:\Program Files\Anti-Trojan-55\ATWatch.exe
O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [AVG7_RegCleaner] C:\PROGRA~1\Grisoft\AVG7\avgregcl.exe /BOOT
O4 - HKLM\..\Run: [ieno.exe] C:\WINDOWS\system32\ieno.exe
O4 - HKLM\..\Run: [Anti-Trojan-Watch] C:\Program Files\Anti-Trojan-55\ATWatch.exe
O4 - HKLM\..\Run: [WinTasks Traybar] C:\Program Files\LIUtilities\WinTasks\wintasks.exe traybar
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\system32\tbctray.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AIM (HKLM)
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weat...Transporter.cab?
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8036.6009027778
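Added example, not from the thread or from HijackThis, dllfix or any other tool named in it: a small Python triage script that applies the indicators this thread surfaces (IE start/search page pointing at a res://...dll resource, an unnamed BHO loaded from the Windows directory, Run/RunOnce entries named after a bare exe dropped into the Windows directory) to HijackThis 1.97-style log lines, and diffs a before log against an after log to list what a cleanup removed. The sample log lines are constructed in the shape of Tbone's two logs, and the heuristics are my own assumptions for triage, not rules from the forum or the tool.

```python
"""Triage HijackThis 1.97-style log lines for the CoolWebSearch-type indicators
seen in this thread, and diff a before/after log to see what a cleanup removed.
Heuristics only: a hit is a line to review by hand, not a verdict."""
import re

# Constructed sample in the shape of the infected log in this thread, with
# benign entries (Acrobat BHO, AVG, Messenger) kept for contrast.
INFECTED_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rajov.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://rajov.dll/index.html#96676
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {C802FF77-7FEF-71C1-2FDF-C69DCC178985} - C:\WINDOWS\ienv32.dll
O4 - HKLM\..\Run: [ieno.exe] C:\WINDOWS\system32\ieno.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\RunOnce: [apivn32.exe] C:\WINDOWS\apivn32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""

# Constructed "after cleanup" sample: the same benign entries, hijack lines gone.
CLEAN_LOG = r"""
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""

# A file sitting directly in C:\WINDOWS or C:\WINDOWS\system32 (no deeper path).
WINDOWS_DIR = re.compile(r"^[A-Z]:\\WINDOWS(?:\\system32)?\\[^\\]+$", re.IGNORECASE)
# IE start/search page value loaded out of a DLL resource, as in this thread.
RES_DLL = re.compile(r"=\s*res://.*\.dll/", re.IGNORECASE)
# O2 BHO line with no description; captures the DLL path.
BHO = re.compile(r"^O2 - BHO: \(no name\) - \{[0-9A-F-]+\} - (?P<path>.+)$", re.IGNORECASE)
# O4 Run/RunOnce line; captures the entry name and the (possibly quoted) target.
RUN = re.compile(r'^O4 - HK[CL][UM]\\\.\.\\(?P<key>Run(?:Once)?): \[(?P<name>[^\]]+)\] (?P<path>"[^"]*"|\S+)', re.IGNORECASE)


def triage_line(line):
    """Return why a line looks like part of the hijack, or None if it does not."""
    if line.startswith(("R0 - ", "R1 - ")) and RES_DLL.search(line):
        return "IE start/search page served from a DLL resource"
    m = BHO.match(line)
    if m and WINDOWS_DIR.match(m.group("path")):
        return "unnamed BHO loaded from the Windows directory"
    m = RUN.match(line)
    if m:
        path = m.group("path").strip('"')
        exe = path.rsplit("\\", 1)[-1]
        # Thread pattern: entry named after a bare exe dropped into the Windows dir.
        if WINDOWS_DIR.match(path) and m.group("name").lower() == exe.lower():
            return f"{m.group('key')} entry for a bare exe in the Windows directory"
    return None


def triage_log(text):
    """Return [(line, reason), ...] for every flagged line of a log, in order."""
    hits = []
    for raw in text.splitlines():
        line = raw.strip()
        reason = triage_line(line)
        if reason:
            hits.append((line, reason))
    return hits


def removed_entries(before, after):
    """Lines present in the earlier log but gone from the later one, in order."""
    later = {l.strip() for l in after.splitlines() if l.strip()}
    return [l.strip() for l in before.splitlines() if l.strip() and l.strip() not in later]


if __name__ == "__main__":
    for line, reason in triage_log(INFECTED_LOG):
        print(f"[{reason}] {line}")
    print("Removed by cleanup:")
    for line in removed_entries(INFECTED_LOG, CLEAN_LOG):
        print("  " + line)
```

Run against the two real logs in this thread, the same heuristics would flag the R0/R1, ienv32.dll and RunOnce lines of the first log and, as the poster notes, the ieno.exe Run entry that still appears in the second.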
