• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
    • Budfred

      PLEASE READ - Reversing upgrade   02/23/2017

      We have found that this new upgrade is somewhat of a disaster.  We are finding lots of glitches in being able to post and administer the forum.  Additionally, there are new costs associated with the upgrade that we simply cannot afford.  As a result, we have decided to reverse course and go back to the previous version of our software.  Since this will involve restoring it from a backup, we will lose posts that have been added since January 30 or possibly even some before that.    If you started a topic during that time, we urge you to make backups of your posts and you will need to start the topics over again after the change.  You can simply paste the copies of your posts that you created at that point.    If you joined the forum this month, you will need to re-register since your membership will be lost along with the posts.  Since you have a concealed password, we cannot simply restore your membership for you.   We are going to backup as much as we can so that it will reduce inconvenience for our members.  Unfortunately we cannot back everything up since much will be incompatible with the old version of our software.  We apologize for the confusion and regret the need to do this even though it is not viable to continue with this version of the software.   We plan to begin the process tomorrow evening and, if it goes smoothly, we shouldn't be offline for very long.  However, since we have not done this before, we are not sure how smoothly it will go.  We ask your patience as we proceed.   EDIT: I have asked our hosting service to do the restore at 9 PM Central time and it looks like it will go forward at that time.  Please prepare whatever you need to prepare so that we can restore your topics when the forum is stable again.
Sign in to follow this  
Followers 0
Cocco_Bill

res://gmswr.dll/index.html#96676

6 posts in this topic

I tried the updated ad-aware, but it didnt help at all. Anyhow here's my logfile..

 

Any help would be greatly appreciated :)

 

 

Logfile of HijackThis v1.97.7

Scan saved at 06:48:43, on 2004-06-20

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe

C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\pavsrv51.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\sdkwl.exe

C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\AVENGINE.EXE

C:\WINDOWS\System32\CTHELPER.EXE

C:\WINDOWS\System32\carpserv.exe

C:\WINDOWS\System32\MMTray.exe

C:\WINDOWS\netey32.exe

C:\WINDOWS\System32\rundll32.exe

c:\program files\warcraft iii\war3.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

D:\diverse\HijackThis.exe

C:\WINDOWS\system32\NOTEPAD.EXE

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\gmswr.dll/sp.html#96676

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://gmswr.dll/index.html#96676

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://gmswr.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\gmswr.dll/sp.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://gmswr.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\gmswr.dll/sp.html#96676

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {184827EA-353B-98C7-CCF0-E9FA6D9FA145} - C:\WINDOWS\crwn32.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll

O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE

O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe

O4 - HKLM\..\Run: [Microsoft Inet Xp..] teekids.exe

O4 - HKLM\..\Run: [windows auto update] msblast.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [CARPService] carpserv.exe

O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [MMTray] MMTray.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [netey32.exe] C:\WINDOWS\netey32.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKLM\..\RunOnce: [sdkwl.exe] C:\WINDOWS\sdkwl.exe

O4 - HKLM\..\RunOnce: [d3uf32.exe] C:\WINDOWS\d3uf32.exe

O4 - HKLM\..\RunOnce: [sdklp.exe] C:\WINDOWS\sdklp.exe

O4 - HKLM\..\RunOnce: [crmf.exe] C:\WINDOWS\system32\crmf.exe

O4 - HKLM\..\RunOnce: [d3te32.exe] C:\WINDOWS\d3te32.exe

O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)

O10 - Unknown file in Winsock LSP: c:\program files\panda software\panda titanium antivirus 2004\pavlsp.dll

O10 - Unknown file in Winsock LSP: c:\program files\panda software\panda titanium antivirus 2004\pavlsp.dll

O10 - Unknown file in Winsock LSP: c:\program files\panda software\panda titanium antivirus 2004\pavlsp.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7971.3850694444

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?312

Share this post


Link to post
Share on other sites

This is actually a new variant of CWS which is not resolved by current methods.

 

Please take the following steps:

 

First, please enable viewing of hidden/system files per the instructions here: http://www.xtra.co.nz/help/0,,4155-1916458,00.html

 

Using the Task Manager end the task on the following processes:

C:\WINDOWS\sdkwl.exe

C:\WINDOWS\netey32.exe

 

Next, go to Start->Run and type "Services.msc" (without quotes) then hit OK.

Scroll down and find the service called "Network Security Service".

When you find it, double-click on it.

In the next window that opens, click the Stop button, then change the Startup Type to Disabled.

Now hit Apply and then OK and close any open windows.

 

Be sure to close all browser and explorer windows before continuing.

 

Run HijackThis and place a check mark next to the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\gmswr.dll/sp.html#96676

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://gmswr.dll/index.html#96676

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://gmswr.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\gmswr.dll/sp.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://gmswr.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\gmswr.dll/sp.html#96676

 

O2 - BHO: (no name) - {184827EA-353B-98C7-CCF0-E9FA6D9FA145} - C:\WINDOWS\crwn32.dll

 

O4 - HKLM\..\Run: [Microsoft Inet Xp..] teekids.exe

O4 - HKLM\..\Run: [windows auto update] msblast.exe

O4 - HKLM\..\Run: [netey32.exe] C:\WINDOWS\netey32.exe

O4 - HKLM\..\RunOnce: [sdkwl.exe] C:\WINDOWS\sdkwl.exe

O4 - HKLM\..\RunOnce: [d3uf32.exe] C:\WINDOWS\d3uf32.exe

O4 - HKLM\..\RunOnce: [sdklp.exe] C:\WINDOWS\sdklp.exe

O4 - HKLM\..\RunOnce: [crmf.exe] C:\WINDOWS\system32\crmf.exe

O4 - HKLM\..\RunOnce: [d3te32.exe] C:\WINDOWS\d3te32.exe

Press 'Fix Checked'.

 

Exit HiJackThis.

 

Reboot into Safe Mode* and delete the following files:

C:\WINDOWS\gmswr.dll

C:\WINDOWS\crwn32.dll

C:\WINDOWS\System32\teekids.exe

C:\WINDOWS\Systme32\msblast.exe

C:\WINDOWS\netey32.exe

C:\WINDOWS\sdkwl.exe

C:\WINDOWS\d3uf32.exe

C:\WINDOWS\sdklp.exe

C:\WINDOWS\system32\crmf.exe

C:\WINDOWS\d3te32.

 

While still in Safe Mode* finish the cleanup process, please run through the rest of these steps:

 

Go to Start -->Run and type Regedit then click Ok.

Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

and highlight Services in the left pane. In the right pane, look for any of these entries:

 

__NS_Service

__NS_Service_2

__NS_Service_3

 

If any are listed, right-click that entry in the right pane and choose Delete.

 

Now navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root

and highlight Root in the Left Pane. In the right pane, look for these entries:

 

LEGACY___NS_Service

LEGACY___NS_Service_2

LEGACY___NS_Service_3

 

If you find it, right-click it in the right-pane and choose delete.

 

Exit regedit, boot in Normal Mode.

 

 

It is also possible that the infection may have deleted up to three files from your system. If these files are present, to be safe I suggest you overwrite them with a new copy.

 

Go here: http://www.spywareinfo.com/~merijn/winfiles.html#control and download the version of control.exe for your operating system. If you are running Windows 2000, copy it to c:\winnt\system32\. For Windows XP, copy it to c:\windows\system32\.

 

Download the Hoster from here: http://members.aol.com/toadbee/hoster.zip

Press 'Restore Original Hosts' and press 'OK'

Exit Program.

 

If you have Spybot S&D installed you may also need to replace one file.

Go here: http://www.spywareinfo.com/~merijn/winfiles.html#sdhelper and download SDHelper.dll. Copy the file to the folder containing you Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)

 

 

Download the latest version of Adaware (get the free edition)

http://www.lavasoft.de/software/adaware/

(choose download from the lefthand menu)

 

Go to: Select Full Install and choose the download location of your choice (1.7mb)

Choose Download from http://fileforum.betanews.com/detail.php3?fid=965718306 <--(I found FileForum easiest)

 

Be sure to UPDATE BEFORE SCANNING FIRST!! That is a very important step and I have included easy directions.

 

After download and installing first, please update the program. Just open Adaware and click on *Check for Updates Now* and then *Connect*. It will find a new reference-file. Click *ok* and let it download and install the updates by clicking on *Finish* .This will return you to the main screen. You should now see Reference File # :01R321 19.06.2004 or higher listed.

 

Next, go to Settings (the gear icon at the top) and then *Scanning* and checkmark these items so they will be green:

Scan within archives

Scan my IE Favorites for banned URLS

Scan my hosts file

 

Then click *proceed* to save settings.

 

Click on *Tweak* next. And checkmark to make this green also:

Automatically try to unregister objects prior to deletion

 

Click on *proceed*

 

Next, from the main screen, click on *Start* (lower righthand corner) and put a dot in the box next to *use Custom scanning options*, then click *Next* to start your scan.

 

Checkmark any items found after scanning to remove (this will actually put them in quarantine and can recover from backup if any should not be removed).

 

Reboot your PC after cleaning with Adaware and scan again. Repeat the process until no further items are found as bad.

 

Run HiJackThis and post a new log in this thread.

 

 

 

* How to Boot into Safe Mode:

http://service1.symantec.com/SUPPORT/tsgen...001052409420406

Share this post


Link to post
Share on other sites

My new log:

 

Logfile of HijackThis v1.97.7

Scan saved at 09:23:18, on 2004-06-20

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe

C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\pavsrv51.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\AVENGINE.EXE

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\CTHELPER.EXE

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\System32\carpserv.exe

C:\Program Files\D-Tools\daemon.exe

C:\WINDOWS\System32\MMTray.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE

C:\WINDOWS\System32\rundll32.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Exif Launcher\QuickDCF.exe

C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\WebProxy.exe

D:\diverse\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aftonbladet.se/

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll

O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE

O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [CARPService] carpserv.exe

O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [MMTray] MMTray.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)

O10 - Unknown file in Winsock LSP: c:\program files\panda software\panda titanium antivirus 2004\pavlsp.dll

O10 - Unknown file in Winsock LSP: c:\program files\panda software\panda titanium antivirus 2004\pavlsp.dll

O10 - Unknown file in Winsock LSP: c:\program files\panda software\panda titanium antivirus 2004\pavlsp.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7971.3850694444

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?312

Share this post


Link to post
Share on other sites

Thanks a lot it seems to work. My homepage can be set as before :)

 

A couple of things that werent as expected following your instructions.

 

the files:

 

C:\WINDOWS\crwn32.dll

C:\WINDOWS\System32\teekids.exe

C:\WINDOWS\Systme32\msblast.exe

 

could not be found by me in safemode

 

I also got an error message the C:\WINDOWS\d3te32.exe was missing during my restart from safemode. On second restart after using ad-aware this error message disappeared.

 

I was also able to locate _NS_SERVICE_3 and deleted it.

 

Oh yes, when I was in safemode the winjdows folder contained strange exe files which i did not delete

 

d3nu.exe , d3va.exe, crkj.exe...

 

but perhaps these are just a part of windows

 

Thx again, I will recommend this site to anyone having similar problems

Share this post


Link to post
Share on other sites

BTW: You said that this is a unsolved CWS

 

Does this simply mean that you are unsure if there are any traces of it left after your method and that there is a risk that it will re emerge?

Share this post


Link to post
Share on other sites

We removed the active infection so, unless you are exposed again, there is no chance of re-infection.

 

Those files you listed are all part of the infection. It uses a lot od random named files and unless we are aware of them, they will remain.

 

It should be safe to go ahead and delete them.

Share this post


Link to post
Share on other sites
Sign in to follow this  
Followers 0