Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

CWS.MSConfig Takeover


  • Please log in to reply
13 replies to this topic

#1 newkid

newkid

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:05:46 PM

Posted 18 January 2005 - 05:43 PM

Grinler,

Need your help again my friend. My homepage had been taken over. Earthlink keeps trying to become my homepage again.

I know something is wrong when I try to get on my homepage and "Microsoft Download" page pops up. I'll go to Tools/Internet Options/General and the homepage address comes up: http://start.earthlink.net. I'll delete it and hit "Use Current" and it comes up:http://v5windowsupdate.microsoft.com/v5consumer/default.aspx?In=en-us.
I've deleted this, typed in my http home page address, hit apply/ok. It shows up in the address box, yet when I go back the Earthlink address is back.

I went to Start/Search and typed in "Earthlink" nine items popped up (even though I had done this weeks ago and deleted everthing) and deleted these items.

I've run "CWShredder" and it shows a CWS.MSConfig. I hit fix it. Several times it scans down the list and will stop. A "Microsoft" error pops up and asks me to report it. I'll try it again and it says it's repaired, and it isn't. It's still there.

I've used HiJackThis and compared it to a good runoff and I've found:

R0 - HKCU\Software\Microsoft etc.
R0 - " " " "
04 - HKLM\..\Run: [MSConfig]
04 - HKCU\..\Run: [SpybotSD Tea Timer] (I deleted this software)
04 - HKCU\..\Run: [E6TaskPanel]

I checked all five to fix. Nothing. They all came back. I'm adding my HJT scan for you to see. Can you help?


Logfile of HijackThis v1.98.2
Scan saved at 2:59:49 PM, on 1/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Broderbund\Atomic Clock 8.0\AtomClk.exe
C:\Program Files\AnalogX\CookieWall\cookie.exe
C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Aluria Software\ASE\ASE Scheduler.exe
C:\Program Files\The Weather Channel\The Weather Channel.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Aluria Software\ASE\ASE.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Michael J\My Documents\My Received Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Atomic Clock] C:\Program Files\Broderbund\Atomic Clock 8.0\AtomClk.exe
O4 - HKLM\..\Run: [CookieWall] C:\Program Files\AnalogX\CookieWall\cookie.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Startup: ASE Scheduler.lnk = C:\Program Files\Aluria Software\ASE\ASE Scheduler.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Norton System Doctor.LNK = ?
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com/flash/index.cfm
O14 - IERESET.INF: MS_START_PAGE_URL=http://www.rr.com/flash/index.cfm
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {AA59BA6E-B44F-4514-AB3C-0C1DD2306FC3} (MSN Money Charting) - http://fdl.msn.com/public/investor/v12/invinstl.exe
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {DC765522-D5BE-49C9-AF5F-8C715A44BA28} (MS Investor Ticker) - http://fdl.msn.com/public/investor/v9.5/ticker.cab
O16 - DPF: {DED22F57-FEE2-11D0-953B-00C04FD9152D} (CarPoint Auto-Pricer Control) - http://autos.msn.com/components/ocx/autopr.../autopricer.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab
O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) - http://fdl.msn.com/public/investor/v13/ticker.cab

BC AdBot (Login to Remove)

 


#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,659 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:05:46 PM

Posted 18 January 2005 - 07:36 PM

Click on start, run, and type msconfig and press enter. Then click on the startup tab and enable all the startups. Then post a new log

#3 newkid

newkid
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:05:46 PM

Posted 19 January 2005 - 11:04 AM

Grinler,

Thank you for your help! AGAIN!!!



Logfile of HijackThis v1.98.2
Scan saved at 10:00:43 AM, on 1/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Broderbund\Atomic Clock 8.0\AtomClk.exe
C:\Program Files\AnalogX\CookieWall\cookie.exe
C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Aluria Software\ASE\ASE Scheduler.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Michael J\My Documents\My Received Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Atomic Clock] C:\Program Files\Broderbund\Atomic Clock 8.0\AtomClk.exe
O4 - HKLM\..\Run: [CookieWall] C:\Program Files\AnalogX\CookieWall\cookie.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Startup: ASE Scheduler.lnk = C:\Program Files\Aluria Software\ASE\ASE Scheduler.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Norton System Doctor.LNK = ?
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com/flash/index.cfm
O14 - IERESET.INF: MS_START_PAGE_URL=http://www.rr.com/flash/index.cfm
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {AA59BA6E-B44F-4514-AB3C-0C1DD2306FC3} (MSN Money Charting) - http://fdl.msn.com/public/investor/v12/invinstl.exe
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {DC765522-D5BE-49C9-AF5F-8C715A44BA28} (MS Investor Ticker) - http://fdl.msn.com/public/investor/v9.5/ticker.cab
O16 - DPF: {DED22F57-FEE2-11D0-953B-00C04FD9152D} (CarPoint Auto-Pricer Control) - http://autos.msn.com/components/ocx/autopr.../autopricer.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab
O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) - http://fdl.msn.com/public/investor/v13/ticker.cab

#4 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,659 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:05:46 PM

Posted 19 January 2005 - 02:37 PM

Download cwshredder 2.12 from here:

http://cwshredder.net/bin/CWShredder.exe

Run the file after it is downloaded and click on the fix button. Let it do its thing and when its done, even if it crashes.

When its done run hijackthis again post a new log

#5 newkid

newkid
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:05:46 PM

Posted 19 January 2005 - 05:25 PM

Grinler,

I've got the latest download of CWShredder and after clicking fix it would say the problem was fixed. Yet, when I ran scan only it showed the problem was still there. That's why I bothered you again. Because CWShredder wasn't taking care of the problem.

How about running "X-Cleaner"?

#6 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,659 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:05:46 PM

Posted 19 January 2005 - 05:45 PM

The problem is I dont see anything wrong here...

Have you tried ad-aware and spybot?

#7 newkid

newkid
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:05:46 PM

Posted 19 January 2005 - 06:48 PM

Grinler,

I've tried Ad-Aware, SpySubtract, Aluria's Spyware Eliminator, along with CWShredder.
The first three showed no problems.

The thing is I had already deleted the two R0's: R0 - HKCU & HKLM dealing with Earthlink, and 04 - HKCU another Earthlink Program File. They came back with the bug, and again Earthlink was trying to be my homepage.

One line that was different from a good scan I compared it to was:

04 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe/auto

Whatever, I've deleted them in HJT only to have them pop up again in the next scan.

#8 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,659 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:05:46 PM

Posted 19 January 2005 - 07:34 PM

Well earthlink is your internet providers software so its probably coming from there.

As for the msconfig , if you run msconfig and then select normal startup, that should be gone from the log

#9 newkid

newkid
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:05:46 PM

Posted 20 January 2005 - 02:42 PM

Grinler,


I'm sure with all the people you've help with their problems you've'e forgotten that I canceled Earthlink because of the software problem, and non-deleting cookies.
I cleaned ever-thing I could that had to do with Earthlink. I even searched and deleted everything.

I've run "X-Cleaner" for malware, and it said I was infected with "BonziBuddy". I had it fix the infection. I ran it again and it said it found nothing now. I then ran a HJT scan and that 04 - HKLM..Run: [MSConfig] etc. was gone. I then was able to delete the four items relating to Earthlink (for the second time since canceling Earthlink). I re-scanned and they were now gone too. The homepage is back, but I ran a free scan from "XoftSpy 4.07" and it says I'm infested with: BonziBuddy again, Twain-Tech, Nite Line Media, and Lop.com.

Can I believe this scan, or not? Are they just coming up with bleep so I buy their software? X-Cleaner, CWShredder, SpySubtract Pro, Ad-Aware, Alurias Spy Eliminater show nothing.

And when a bug takes over like this last one (BonziBuddy) how does Earthlink come back if I've deleted everything?

#10 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,659 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:05:46 PM

Posted 20 January 2005 - 05:26 PM

I still see earthlink related items here. Post a brand new log and lets clean it up now that you reminded me we saw it was the earthlink software causing the problems before

#11 newkid

newkid
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:05:46 PM

Posted 20 January 2005 - 05:43 PM

Grinler,

With deleting "BonziBuddy" I was able to delete that 04 [MSConfig]. With that gone I was able to delete the four "Earthlink" items.




Logfile of HijackThis v1.98.2
Scan saved at 4:38:41 PM, on 1/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Broderbund\Atomic Clock 8.0\AtomClk.exe
C:\Program Files\AnalogX\CookieWall\cookie.exe
C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Aluria Software\ASE\ASE Scheduler.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Michael J\My Documents\My Received Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Atomic Clock] C:\Program Files\Broderbund\Atomic Clock 8.0\AtomClk.exe
O4 - HKLM\..\Run: [CookieWall] C:\Program Files\AnalogX\CookieWall\cookie.exe
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: ASE Scheduler.lnk = C:\Program Files\Aluria Software\ASE\ASE Scheduler.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Norton System Doctor.LNK = ?
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com/flash/index.cfm
O14 - IERESET.INF: MS_START_PAGE_URL=http://www.rr.com/flash/index.cfm
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {AA59BA6E-B44F-4514-AB3C-0C1DD2306FC3} (MSN Money Charting) - http://fdl.msn.com/public/investor/v12/invinstl.exe
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {DC765522-D5BE-49C9-AF5F-8C715A44BA28} (MS Investor Ticker) - http://fdl.msn.com/public/investor/v9.5/ticker.cab
O16 - DPF: {DED22F57-FEE2-11D0-953B-00C04FD9152D} (CarPoint Auto-Pricer Control) - http://autos.msn.com/components/ocx/autopr.../autopricer.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab
O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) - http://fdl.msn.com/public/investor/v13/ticker.cab

#12 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,659 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:05:46 PM

Posted 20 January 2005 - 05:47 PM

Looks good to me. Where did you find the bonzibuddy?

#13 newkid

newkid
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:05:46 PM

Posted 20 January 2005 - 06:16 PM

Grinler,

As I explained I ran "X-Cleaner's" Malware Scanner and it came up with the BonziBuddy. I then I had it clean up the problem. I ran it again, and nothing (opposite of what was happening with CWShredder). With that done I was able to delete 04 [MSConfig] with HJT. Ran an HJT scan, and it was gone. Used HJT to delete the Earthlink items (second time since canceling Earthlink). Ran a HJT scan and they were gone.

What's your feelings on "XoftSpy"? It showed "BonziBuddy" was there and, Twain-Tech, Nite Line Media, Lop.com. Should I belief it? I've read bad things about it on the net.

#14 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,659 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:05:46 PM

Posted 20 January 2005 - 07:27 PM

It doesnt have the best reviews. I would stick to the top three for now:

ad-aware
spybot
and spysweeper




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users