Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

CoolWWWSearch.008k & CoolWWWSearch.mshp help


  • This topic is locked This topic is locked
4 replies to this topic

#1 netmad56

netmad56

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:03:25 AM

Posted 17 June 2004 - 09:37 PM

I have run Spybot S & D and found CoolWWWSearch.008k, and CoolWWWSearch.mshp are the problems. I've fixed them every time
and I still get the links on my forum posts, and I cannot change my home
page. I have also run Cwshredder in the safe mode and still no luck. I ran Hijack This and got the following log. How do I delete this mess?

Thanks in advance for any help.


Logfile of HijackThis v1.97.7
Scan saved at 6:46:33 PM, on 6/16/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\CTsvcCDA.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\msfk32.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS\msub32.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\msiexec.exe
C:\Documents and Settings\Dad\Desktop\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\wzbvr.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://wzbvr.dll/index.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://wzbvr.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\wzbvr.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://wzbvr.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\wzbvr.dll/sp.html#37049
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0A8F9DA2-68AE-94CC-C521-8B5DF5E048DD} - C:\WINDOWS\msub32.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [Popup Defence Updater] regsvr32 /s C:\WINDOWS\System32\pdfupd.dll
O4 - HKLM\..\Run: [SafeGuard Popup Updater (required)] regsvr32 /s C:\WINDOWS\System32\PDF1040.dll
O4 - HKLM\..\Run: [msub32.exe] C:\WINDOWS\msub32.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\RunOnce: [msfk32.exe] C:\WINDOWS\msfk32.exe
O4 - HKLM\..\RunOnce: [sdkak.exe] C:\WINDOWS\system32\sdkak.exe
O4 - HKLM\..\RunOnce: [iejx.exe] C:\WINDOWS\system32\iejx.exe
O4 - HKLM\..\RunOnce: [sdkro32.exe] C:\WINDOWS\system32\sdkro32.exe
O4 - HKLM\..\RunOnce: [d3dd.exe] C:\WINDOWS\d3dd.exe
O4 - HKLM\..\RunOnce: [crnh32.exe] C:\WINDOWS\system32\crnh32.exe
O4 - HKLM\..\RunOnce: [sysqv32.exe] C:\WINDOWS\system32\sysqv32.exe
O4 - HKLM\..\RunOnce: [winax32.exe] C:\WINDOWS\winax32.exe
O4 - HKLM\..\RunOnce: [mfcfz32.exe] C:\WINDOWS\system32\mfcfz32.exe
O4 - HKLM\..\RunOnce: [appbn32.exe] C:\WINDOWS\system32\appbn32.exe
O4 - HKLM\..\RunOnce: [winji.exe] C:\WINDOWS\system32\winji.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shoc...tor/sw.cab

BC AdBot (Login to Remove)

 


m

#2 Guest_Plimsol_*

Guest_Plimsol_*

  • Guests
  • OFFLINE
  •  

Posted 17 June 2004 - 10:36 PM

Please do not open Internet Explorer during any portion of this process.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Step 1:


Click on start, the control panel, then administrative programs, then services. Look for a service called Network Security Service. Double click on the that service and click stop. Also write down the name and path of the file listed in the Path to executable field. This filename must be deleted below.

Step 2:

Press control-alt-delete to get into the task manager and end the follow processes if they exist:

msfk32.exe
msub32.exe

Step 3:

I now need you to delete the following files:

C:\WINDOWS\msfk32.exe
C:\WINDOWS\msub32.exe
The file from the services above. May be a file listed already
C:\WINDOWS\wzbvr.dll
C:\WINDOWS\msub32.dll
C:\WINDOWS\System32\PDF1040.dll
C:\WINDOWS\system32\sdkak.exe
C:\WINDOWS\system32\iejx.exe
C:\WINDOWS\d3dd.exe
C:\WINDOWS\system32\crnh32.exe
C:\WINDOWS\system32\sdkro32.exe
C:\WINDOWS\system32\sysqv32.exe
C:\WINDOWS\winax32.exe
C:\WINDOWS\system32\mfcfz32.exe
C:\WINDOWS\system32\appbn32.exe
C:\WINDOWS\system32\winji.exe

Also delete any files that have the same name as these files but end with a dll or dat. You should see them right next to each other.

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. if it is uncheck it and try again.

Step 4:
Then run hijackthis and fix these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\wzbvr.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://wzbvr.dll/index.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://wzbvr.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\wzbvr.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://wzbvr.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\wzbvr.dll/sp.html#37049
O2 - BHO: (no name) - {0A8F9DA2-68AE-94CC-C521-8B5DF5E048DD} - C:\WINDOWS\msub32.dll
O4 - HKLM\..\Run: [SafeGuard Popup Updater (required)] regsvr32 /s C:\WINDOWS\System32\PDF1040.dll
O4 - HKLM\..\Run: [msub32.exe] C:\WINDOWS\msub32.exe
O4 - HKLM\..\RunOnce: [msfk32.exe] C:\WINDOWS\msfk32.exe
O4 - HKLM\..\RunOnce: [sdkak.exe] C:\WINDOWS\system32\sdkak.exe
O4 - HKLM\..\RunOnce: [iejx.exe] C:\WINDOWS\system32\iejx.exe
O4 - HKLM\..\RunOnce: [sdkro32.exe] C:\WINDOWS\system32\sdkro32.exe
O4 - HKLM\..\RunOnce: [d3dd.exe] C:\WINDOWS\d3dd.exe
O4 - HKLM\..\RunOnce: [crnh32.exe] C:\WINDOWS\system32\crnh32.exe
O4 - HKLM\..\RunOnce: [sysqv32.exe] C:\WINDOWS\system32\sysqv32.exe
O4 - HKLM\..\RunOnce: [winax32.exe] C:\WINDOWS\winax32.exe
O4 - HKLM\..\RunOnce: [mfcfz32.exe] C:\WINDOWS\system32\mfcfz32.exe
O4 - HKLM\..\RunOnce: [appbn32.exe] C:\WINDOWS\system32\appbn32.exe
O4 - HKLM\..\RunOnce: [winji.exe] C:\WINDOWS\system32\winji.exe


[b]Step 5:[b]

Go to Start>Run and type regedit.

Press enter.

Navigate to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\__NS_Service_3 (This may be different but will always start with __NS_Service)

If __NS_Service_3 exists , right click on it and choose delete from the menu.


Now navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY___NS_Service_3


If LEGACY___NS_Service_3
exists then right click on it and choose delete from the menu.

Reboot and delete the following directory:
C:\PROGRAM FILES\MYWEBSEARCH\

Then post a new log

#3 netmad56

netmad56
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  

Posted 20 June 2004 - 06:10 PM

Ran through the proceedure you posted py home page is still to the same page. Here is the new log.

Hey, I sure appreciate your time and efforts!

Logfile of HijackThis v1.97.7
Scan saved at 9:43:42 PM, on 6/19/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\CTsvcCDA.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\iplm.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\sysxx.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Documents and Settings\Dad\Desktop\Hijack This\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {BA8BD793-5432-6734-8550-4EDA48470E4D} - C:\WINDOWS\sysxx.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [Popup Defence Updater] regsvr32 /s C:\WINDOWS\System32\pdfupd.dll
O4 - HKLM\..\Run: [crgh.exe] C:\WINDOWS\system32\crgh.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\RunOnce: [sysso.exe] C:\WINDOWS\sysso.exe
O4 - HKLM\..\RunOnce: [apisa32.exe] C:\WINDOWS\system32\apisa32.exe
O4 - HKLM\..\RunOnce: [sdkug32.exe] C:\WINDOWS\system32\sdkug32.exe
O4 - HKLM\..\RunOnce: [iezi.exe] C:\WINDOWS\iezi.exe
O4 - HKLM\..\RunOnce: [netde.exe] C:\WINDOWS\netde.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

#4 netmad56

netmad56
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:03:25 AM

Posted 20 June 2004 - 06:12 PM

The above reply was before I logged onto the internet. This file is the one that I got after I logged on.

Logfile of HijackThis v1.97.7
Scan saved at 9:49:12 PM, on 6/19/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\CTsvcCDA.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\iplm.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\javadn.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\msiexec.exe
C:\Documents and Settings\Dad\Desktop\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\botzr.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://botzr.dll/index.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://botzr.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\botzr.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://botzr.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\botzr.dll/sp.html#37049
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {B7AE5988-3688-C06D-F636-5509DAD63F01} - C:\WINDOWS\d3tc.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [Popup Defence Updater] regsvr32 /s C:\WINDOWS\System32\pdfupd.dll
O4 - HKLM\..\Run: [crgh.exe] C:\WINDOWS\system32\crgh.exe
O4 - HKLM\..\Run: [javadn.exe] C:\WINDOWS\system32\javadn.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\RunOnce: [sysso.exe] C:\WINDOWS\sysso.exe
O4 - HKLM\..\RunOnce: [apisa32.exe] C:\WINDOWS\system32\apisa32.exe
O4 - HKLM\..\RunOnce: [sdkug32.exe] C:\WINDOWS\system32\sdkug32.exe
O4 - HKLM\..\RunOnce: [iezi.exe] C:\WINDOWS\iezi.exe
O4 - HKLM\..\RunOnce: [netde.exe] C:\WINDOWS\netde.exe
O4 - HKLM\..\RunOnce: [addmt32.exe] C:\WINDOWS\addmt32.exe
O4 - HKLM\..\RunOnce: [atlim32.exe] C:\WINDOWS\atlim32.exe
O4 - HKLM\..\RunOnce: [addmv32.exe] C:\WINDOWS\addmv32.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

#5 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,388 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:03:25 AM

Posted 20 June 2004 - 08:35 PM

The problem with this malware is that if you attempt to delete it and you do not do it fast enough it can reinstate itself. Post one more log, keep internet explorer and computer on until I respond and then follow the directions I post.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users