Jump to content


Photo

City of Heroes problem


  • Please log in to reply
15 replies to this topic

#1 coupes

coupes

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 23 June 2004 - 06:20 PM

Read the FAQ, done everything I could. Updated and ran Spybot, updated and scanned for viruses. Downloaded and ran CWShredder. According to all the above, everything's clean. Downloaded and ran HighjackThis, removed BHOs. New ones keep appearing. Still can't run City of Heroes (new game) and tech support says the problem is spyware. Help??

Logfile of HijackThis v1.97.7
Scan saved at 4:20:02 PM, on 6/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\systr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\winxk32.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Creative\PlayCenter2\CTNMRUN.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Documents and Settings\Family\My Documents\Cheryl\computer info\HijackThis.exe

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.com"); (C:\Documents and Settings\Family\Application Data\Mozilla\Profiles\default\tef79o6b.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Family\Application Data\Mozilla\Profiles\default\tef79o6b.slt\prefs.js)
O2 - BHO: (no name) - {4FC94B1F-F066-F80C-485F-C0DA5FF9D913} - C:\WINDOWS\system32\d3yo.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [winxk32.exe] C:\WINDOWS\system32\winxk32.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [NOMAD Detector] "C:\Program Files\Creative\PlayCenter2\CTNMRUN.EXE"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: restart_vs.lnk = D:\viewsonic.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: SonnReg.lnk = C:\Program Files\E-Color\Registration\SonnReg.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Greetings Reminders.lnk = C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE
O4 - Global Startup: Colorific.lnk = C:\Program Files\E-Color\Colorific\hgcctl95.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~5\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia (HKLM)
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
O9 - Extra button: Define (HKLM)
O9 - Extra 'Tools' menuitem: Define (HKLM)
O9 - Extra button: AIM (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.c...es/PROFILER.CAB
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7743.4259027778
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#2 Fireflyer

Fireflyer

    Spyware Scorcher

  • Retired Staff
  • PipPipPipPipPip
  • 571 posts

Posted 26 June 2004 - 05:49 PM

Welcome to SWI - sorry for the wait, but we've been swamped!

Start by pressing CTRL-ALT-DEL once, and click the Processes tab. Look for these two processes, and if you find them, right click on them and select "end process".

systr.exe (or just systr)
winxk32.exe (or just winxk32)

Close the window.

Run a HijackThis scan and check the following items to fix:

O2 - BHO: (no name) - {4FC94B1F-F066-F80C-485F-C0DA5FF9D913} - C:\WINDOWS\system32\d3yo.dll

O4 - HKLM\..\Run: [winxk32.exe] C:\WINDOWS\system32\winxk32.exe

O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab


Make sure all Explorer and Widows Explorer windows are closed and click Fix Checked in HijackThis.

Close HijackThis and open Windows Explorer - you may need to reconfigure Windows Explorer to Enable Hidden Files:

Open the Windows Explorer Folder Options - View [tab]:

Scroll down to the Files and Folders section.
Select: Display the contents of system folders.

Scroll down to the Hidden Files and Folders section.
Select: Show hidden files and folders, Ok the prompt
Uncheck: Hide file extensions for known file types
Uncheck: Hide protected operating system files
Ok the Prompt, click Apply

Click the Apply to all Folders button.

Find these two files and delete them:

C:\WINDOWS\systr.exe

C:\WINDOWS\system32\winxk32.exe

Reboot your system.

You didn't mention Ad-aware, so if you don't have it, I recommend you get it and run it.

How to use Ad-aware to remove Spyware <- Please check this link for instructions on how to download, install and then use Ad-aware.

Rescan with HijackThis and post a new log as a reply in this thread.
How did I get infected in the first place?
Online Virus and Trojan Scanners
Panda Software . . . Trend Micro . . . Bitdefender . . . Sygate Trojan Scan . . . Trojan Scan
Tools for Fighting Spyware
Spybot S & D . . . Ad-aware . . . CWShredder . . . HijackThis . . . PeperFix
Tools for Prevention
SpywareBlaster . . . SpywareGuard . . . IE-Spyad . . . avast! Free Anti-Virus . . . AVG Free Anti-Virus
Zone Alarm Free Firewall . . . Kerio Personal Firewall
Help support this site! Click here to learn how.

#3 coupes

coupes

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 29 June 2004 - 09:17 PM

Hi,
Thanks much for the quick reply. Here's the update: Got fed up with the problem, had been thinking about a new computer anyway, so bought a new Compaq for kids. Formatted the Dell (the one with the problem) for me. Loaded both the new Compaq and the Dell with Windows XP, Office XP, Norton AV, Spybot S&D, Adaware, Pop-up Stopper. Added an NVidia card to the Compaq, downloaded new drivers and new DirectX. Suddenly new Compaq is completely infested with spyware, hijacking IE and game won't run again. Interestingly, no problem with the Dell. I've run Adaware several times on the Compaq (shows that it cleans everything, then next time I run it there's more stuff there), run Spybot S&D, run Stinger. Here's a new HJT file. Any help you can offer very appreciated. I'm at a loss, and very frustrated at my infested 24-hour-old computer!


Logfile of HijackThis v1.97.7
Scan saved at 7:05:32 PM, on 6/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\d3fy.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Creative\PlayCenter2\CTNMRUN.EXE
C:\QUICKENW\QWDLLS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\addew.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\Netscape\Netscape\Netscp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Owner\My Documents\Computer Stuff\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\itoqi.dll/sp.html#37680
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\itoqi.dll/sp.html#37680
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\itoqi.dll/sp.html#37680
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
N3 - Netscape 7: user_pref("browser.startup.homepage", "www.google.com"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\4lfgc73w.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\4lfgc73w.slt\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {8512441F-E8F7-35DA-C3F7-AAEAC5DA7FA2} - C:\WINDOWS\sdkuc32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [d3fy.exe] C:\WINDOWS\system32\d3fy.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [NOMAD Detector] "C:\Program Files\Creative\PlayCenter2\CTNMRUN.EXE"
O4 - Startup: BHODemon.lnk = C:\Program Files\BHODemon\BHODemon.exe
O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

#4 Fireflyer

Fireflyer

    Spyware Scorcher

  • Retired Staff
  • PipPipPipPipPip
  • 571 posts

Posted 29 June 2004 - 09:41 PM

You've got one of the CWS about:blank variants - but Ad-aware has been working well on this particular one - so I'm somewhat baffled since you've been running it. Do you have the latest reflist update file installed? Have you set it up for a full scan as in the instructions I linked in my post above?

If you answer yes to both of those questions then we'll start a manual removal procedure.
How did I get infected in the first place?
Online Virus and Trojan Scanners
Panda Software . . . Trend Micro . . . Bitdefender . . . Sygate Trojan Scan . . . Trojan Scan
Tools for Fighting Spyware
Spybot S & D . . . Ad-aware . . . CWShredder . . . HijackThis . . . PeperFix
Tools for Prevention
SpywareBlaster . . . SpywareGuard . . . IE-Spyad . . . avast! Free Anti-Virus . . . AVG Free Anti-Virus
Zone Alarm Free Firewall . . . Kerio Personal Firewall
Help support this site! Click here to learn how.

#5 coupes

coupes

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 29 June 2004 - 10:59 PM

I'm not sure I understand this: "Do you have the latest reflist update file installed? Have you set it up for a full scan as in the instructions I linked in my post above?" What is reflist? I did an update on Adaware before scanning, then set it up for a custom scan and clicked on everything available. Did I miss something? Where is this likely to have come from, given a brand new computer?

#6 i need the help

i need the help

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 29 June 2004 - 11:11 PM

i have the same game. i just tryed it and it won't work either. i already have a post startd with my log on it, as well as what else is wrong. please help

#7 Fireflyer

Fireflyer

    Spyware Scorcher

  • Retired Staff
  • PipPipPipPipPip
  • 571 posts

Posted 30 June 2004 - 07:52 AM

coupes,

The reflist is the definitions file that you update, so it seems that your answer to both questions is yes. That's disappointing because Ad-aware, with the latest update, is successfully cleaning this on other machines.

This infection likely came from some website you visited. Even on a new machine, Internet Explorer is probably in need of updating and you should visit Windows Update and download the latest critical updates.

Let's try one other thing. Reboot into Safe Mode (by tapping the F8 key repeatedly during bootup) and run Ad-aware in Safe Mode.

Then reboot normally, run another HijackThis scan and post it, and we'll start manual cleaning.
How did I get infected in the first place?
Online Virus and Trojan Scanners
Panda Software . . . Trend Micro . . . Bitdefender . . . Sygate Trojan Scan . . . Trojan Scan
Tools for Fighting Spyware
Spybot S & D . . . Ad-aware . . . CWShredder . . . HijackThis . . . PeperFix
Tools for Prevention
SpywareBlaster . . . SpywareGuard . . . IE-Spyad . . . avast! Free Anti-Virus . . . AVG Free Anti-Virus
Zone Alarm Free Firewall . . . Kerio Personal Firewall
Help support this site! Click here to learn how.

#8 coupes

coupes

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 30 June 2004 - 01:52 PM

Thanks, all done. Here's the new log.
Cheryl

Logfile of HijackThis v1.97.7
Scan saved at 11:50:26 AM, on 6/30/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\d3fy.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Creative\PlayCenter2\CTNMRUN.EXE
C:\QUICKENW\QWDLLS.EXE
C:\WINDOWS\sdkcd32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Netscape\Netscape\Netscp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Owner\My Documents\Computer Stuff\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\itoqi.dll/sp.html#37680
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\itoqi.dll/sp.html#37680
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\itoqi.dll/sp.html#37680
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
N3 - Netscape 7: user_pref("browser.startup.homepage", "www.google.com"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\4lfgc73w.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\4lfgc73w.slt\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {8512441F-E8F7-35DA-C3F7-AAEAC5DA7FA2} - C:\WINDOWS\sdkuc32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [d3fy.exe] C:\WINDOWS\system32\d3fy.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [NOMAD Detector] "C:\Program Files\Creative\PlayCenter2\CTNMRUN.EXE"
O4 - Startup: BHODemon.lnk = C:\Program Files\BHODemon\BHODemon.exe
O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

#9 Fireflyer

Fireflyer

    Spyware Scorcher

  • Retired Staff
  • PipPipPipPipPip
  • 571 posts

Posted 30 June 2004 - 03:46 PM

  • Make sure your settings allow you to view Hidden files. Open up any explorer windows and click on "Tools" => "Folder Options" => "View" and be sure to check off "Show Hidden Files and Folders".
  • Press Ctrl+Alt+Delete once => Click Task Manager => Click the Processes tab => Double-click the Image Name column header to alphabetically sort the processes => Scroll through the list and look for "d3fy.exe" & "sdkcd32.exe". If you find the files, click on them, and then click End Process => Exit the Task Manager.
  • Next, go to Start->Run and type Services.msc then click OK.
  • Scroll down and find the service called "Network Security Service".
  • When you find it, double-click on it. In the next window that opens, click the Stop button, then change the Startup Type to Disabled. Now hit Apply and then OK and close any open windows.
  • Run HijackThis, click on Scan and then place a check mark in the following boxes:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\itoqi.dll/sp.html#37680

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\itoqi.dll/sp.html#37680

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\itoqi.dll/sp.html#37680

    O2 - BHO: (no name) - {8512441F-E8F7-35DA-C3F7-AAEAC5DA7FA2} - C:\WINDOWS\sdkuc32.dll

    O4 - HKLM\..\Run: [d3fy.exe] C:\WINDOWS\system32\d3fy.exe

    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE


    Make sure that all browser or Internet Explorer windows are closed and click on Fix Checked - when done close HijackThis.
  • Reboot into Safe Mode and delete these files:

    C:\WINDOWS\ALCXMNTR.EXE
    C:\WINDOWS\system32\itoqi.dll
    C:\WINDOWS\sdkuc32.dll
    C:\WINDOWS\system32\d3fy.exe
    C:\WINDOWS\sdkcd32.exe

  • Go to Start => Run and type in regedit and press Enter.
  • Once the registry opens, navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\__NS_Service_3
    If __NS_Service_3 exists , right click on it and choose Delete from the menu.
  • Still in the registry, navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY___NS_Service_3
    If LEGACY___NS_Service_3 exists then right click on it and choose Delete from the menu.
  • Exit regedit and reboot in Normal Mode.
  • Two files (Possibly three) were also deleted from your computer and need to be replaced.
    • control.exe - Go to Merijn Files (control) and download the version of control.exe for your operating system. If you are running Windows 2000, copy it to c:\winnt\system32\. For Windows XP, copy it to c:\windows\system32\.
    • Download the Hoster from here. Press Restore Original Hosts and press OK. Exit the Program.
    • If you have Spybot S&D installed you will also need to replace one file. Go here: Merijn's Files (sdhelper) and download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)
  • Run HiJackThis again and post a new log in this thread.

How did I get infected in the first place?
Online Virus and Trojan Scanners
Panda Software . . . Trend Micro . . . Bitdefender . . . Sygate Trojan Scan . . . Trojan Scan
Tools for Fighting Spyware
Spybot S & D . . . Ad-aware . . . CWShredder . . . HijackThis . . . PeperFix
Tools for Prevention
SpywareBlaster . . . SpywareGuard . . . IE-Spyad . . . avast! Free Anti-Virus . . . AVG Free Anti-Virus
Zone Alarm Free Firewall . . . Kerio Personal Firewall
Help support this site! Click here to learn how.

#10 coupes

coupes

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 30 June 2004 - 06:21 PM

Okay, tried all. Had a few problems. Step 7, three files weren't there to delete: c:\windows\system32\itoqi.dll, c:\windows\sdkuc32.dll and c:\windows\sdkcd32.exe

Step 10, didn't exist.

Step 12, when I clicked on "restore original hosts" I got a "file access denied" message.

Here's the new log.

Many thanks!!
Cheryl


Logfile of HijackThis v1.97.7
Scan saved at 4:17:29 PM, on 6/30/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Creative\PlayCenter2\CTNMRUN.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\QUICKENW\QWDLLS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\Netscape\Netscape\Netscp.exe
C:\Documents and Settings\Owner\My Documents\Computer Stuff\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
N3 - Netscape 7: user_pref("browser.startup.homepage", "www.google.com"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\4lfgc73w.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\4lfgc73w.slt\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [NOMAD Detector] "C:\Program Files\Creative\PlayCenter2\CTNMRUN.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: BHODemon.lnk = C:\Program Files\BHODemon\BHODemon.exe
O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

#11 Fireflyer

Fireflyer

    Spyware Scorcher

  • Retired Staff
  • PipPipPipPipPip
  • 571 posts

Posted 01 July 2004 - 09:19 AM

Even with the problems, you did good Cheryl. The log looks clean.

I'm presuming that the search page referenced here: http://srch-qus10.hpwis.com/ is your choice. It's not related to CoolWebSearch.

The instructions I gave you are designed to deal with this CWS variant in multiple permutations, so usually some parts aren't there. Some people have the Registry entry in step 10 and some don't. Most people don't even have a Hosts file - I'm thinking of leaving that part out in the future until I can confirm if they need it or not.

But this critter has been know to reassert itself after a few system reboots so let's be tentative about declaring it dead. Sometimes the files you couldn't delete in step 7 aren't there because they've been renamed. However, I don't see any renamed replacements in the log either.

If you have no more problems after a day or two, post back here and we'll celebrate. And, I'll have some optional suggestions for you.

But, at least for now, you're looking good.
How did I get infected in the first place?
Online Virus and Trojan Scanners
Panda Software . . . Trend Micro . . . Bitdefender . . . Sygate Trojan Scan . . . Trojan Scan
Tools for Fighting Spyware
Spybot S & D . . . Ad-aware . . . CWShredder . . . HijackThis . . . PeperFix
Tools for Prevention
SpywareBlaster . . . SpywareGuard . . . IE-Spyad . . . avast! Free Anti-Virus . . . AVG Free Anti-Virus
Zone Alarm Free Firewall . . . Kerio Personal Firewall
Help support this site! Click here to learn how.

#12 coupes

coupes

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 01 July 2004 - 10:54 AM

Thanks so much!! My son is playing his game and couldn't be happier. I've updated the preferences in IE and Netscape to increase security, have downloaded Spyware Blaster and paid for automatic updates for all computers in the house and have had strict conversations with kids about NOT DOWNLOADING ANYTHING! The search page you noted isn't something I want -- is there an easy way to get rid of it? I'll get back to you in a couple of days and let you know how things are going. You've been great -- can't thank you enough.
Cheryl

#13 Fireflyer

Fireflyer

    Spyware Scorcher

  • Retired Staff
  • PipPipPipPipPip
  • 571 posts

Posted 01 July 2004 - 03:19 PM

Check IE Help (Index category: search providers, Internet) for info on resetting or customizing your search functions - if you need additional instructions, let me know.
How did I get infected in the first place?
Online Virus and Trojan Scanners
Panda Software . . . Trend Micro . . . Bitdefender . . . Sygate Trojan Scan . . . Trojan Scan
Tools for Fighting Spyware
Spybot S & D . . . Ad-aware . . . CWShredder . . . HijackThis . . . PeperFix
Tools for Prevention
SpywareBlaster . . . SpywareGuard . . . IE-Spyad . . . avast! Free Anti-Virus . . . AVG Free Anti-Virus
Zone Alarm Free Firewall . . . Kerio Personal Firewall
Help support this site! Click here to learn how.

#14 coupes

coupes

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 06 July 2004 - 11:30 PM

Hey, I'm back. All's well, as far as City of Heroes is concerned. The game is playing fine. However, I just updated and ran AdAware and it found 28 items, including several it identified as CoolWeb Search. It deleted them all, but obviously there's still a problem. Realized I'd installed Spyware Blaster on every computer but this one -- yikes. It's on now, but want to make sure I take care of any issues now. Here's a new HJT log.

Logfile of HijackThis v1.97.7
Scan saved at 9:27:27 PM, on 7/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Creative\PlayCenter2\CTNMRUN.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\QUICKENW\QWDLLS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\Netscape\Netscape\Netscp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Owner\My Documents\Computer Stuff\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
N3 - Netscape 7: user_pref("browser.startup.homepage", "www.google.com"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\4lfgc73w.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\4lfgc73w.slt\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SBAutoUpdate] "C:\Program Files\SpywareBlaster\sbautoupdate.exe"
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [NOMAD Detector] "C:\Program Files\Creative\PlayCenter2\CTNMRUN.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: BHODemon.lnk = C:\Program Files\BHODemon\BHODemon.exe
O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

If you're willing to help again, I'd be most appreciative.
Cheryl

#15 Fireflyer

Fireflyer

    Spyware Scorcher

  • Retired Staff
  • PipPipPipPipPip
  • 571 posts

Posted 07 July 2004 - 08:57 AM

Oh, I'm willing to help again, no problem with that. But, I'm not really seeing anything wrong in your log. Ad-aware might have gotten everything - I sure don't see anything related to CWS.

But, it won't hurt to run CWShredder again either. There's been an updated version released since your first post, so if you're not running v1.59.1 then click the Check for update button and let it upgrade before you run it.

Are you experiencing any more problems, or were you just alarmed by Ad-aware's findings?
How did I get infected in the first place?
Online Virus and Trojan Scanners
Panda Software . . . Trend Micro . . . Bitdefender . . . Sygate Trojan Scan . . . Trojan Scan
Tools for Fighting Spyware
Spybot S & D . . . Ad-aware . . . CWShredder . . . HijackThis . . . PeperFix
Tools for Prevention
SpywareBlaster . . . SpywareGuard . . . IE-Spyad . . . avast! Free Anti-Virus . . . AVG Free Anti-Virus
Zone Alarm Free Firewall . . . Kerio Personal Firewall
Help support this site! Click here to learn how.

#16 coupes

coupes

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 12 July 2004 - 10:57 PM

Sorry for the delayed response -- been out of town. No, there haven't been problems, I was just reacting to the Adaware results. I'll run CWShredder again. Thanks again -- enjoy the summer!
c




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button