
Hijacked by CWS.Searchx


This topic is locked
13 replies to this topic

#1 trashman


Posted 30 June 2004 - 02:12 PM

Logfile of HijackThis v1.98.0
Scan saved at 2:24:27 PM, on 6/30/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\PROMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\LOGWAT95.EXE
C:\PROGRAM FILES\COMPUTERASSOCIATES\INOCULATEIT\ISRV95.EXE
C:\PROGRAM FILES\COMPUTERASSOCIATES\INOCULATEIT\REALMON.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\IISYSTEM WIPER\SYSTEMWIPER.EXE
C:\PALM\HOTSYNC.EXE
C:\PVSW\BIN\W3DBSMGR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OUTLOOK.EXE
C:\PROGRAM FILES\COMMON FILES\SYSTEM\MAPI\1033\95\MAPISP32.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\WINWORD.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\REGEDIT.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
F1 - win.ini: run=hpfsched
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [VsEcomrEXE] C:\Program Files\Network Associates\McAfee VirusScan\vsecomr.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [LogWatch] C:\WINDOWS\LogWat95.exe
O4 - HKLM\..\Run: [InoculateIT Scanning Service] C:\Program Files\ComputerAssociates\InoculateIT\isrv95.exe
O4 - HKLM\..\Run: [InoculateIT Realtime Monitor] C:\Program Files\ComputerAssociates\InoculateIT\realmon.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe /RUNSERVICES
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [iIWiper] C:\Program Files\iISystem Wiper\SystemWiper.exe m
O4 - Startup: Microsoft Office.lnk = C:\WINDOWS\Application Data\Microsoft\Installer\{00030409-78E1-11D2-B60F-006097C998E7}\misc.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm\Hotsync.exe
O4 - Startup: Pervasive.SQL Workgroup Engine.lnk = C:\PVSW\Bin\W3DBSMGR.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Popup Eliminator - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - (no file)
O9 - Extra 'Tools' menuitem: Popup Eliminator - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - (no file)
O9 - Extra button: Dell Home - {A4EEA500-4C0F-11D3-9975-00902781CFF7} - http://www.dell.com/ (file missing) (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {E581F2C0-9293-11D0-B132-00A0249C49D7} (Net-It jDoc PrintGraphics) - http://ncrules.state.nc.us/jdocprtm.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = WKEP.COM
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 12.127.16.67,199.191.128.103
O19 - User stylesheet: (file missing)

Any help will be appreciated!

Also, AdAware stopped working, so I uninstalled it, and now it won't download from the site! And when I tried to run SpywareBlaster I get an error message: "This program file has been damaged, possibly by a bad sector of the hard drive or a virus. Please reinstall it." I defragged the hard drive and reinstalled it and I still get the same error message. Has this happened to anyone else?



#2 Grinler

Lawrence Abrams, Admin

Posted 30 June 2004 - 02:48 PM

I want you to fix some of those entries. Please do the following:


Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run HijackThis again, click Scan, and put a checkmark next to each of these. Then click the Fix button.

O4 - Startup: Microsoft Office.lnk = C:\WINDOWS\Application Data\Microsoft\Installer\{00030409-78E1-11D2-B60F-006097C998E7}\misc.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O19 - User stylesheet: (file missing)

Reboot your computer into Safe Mode and delete the following file:

C:\WINDOWS\Application Data\Microsoft\Installer\{00030409-78E1-11D2-B60F-006097C998E7}\misc.exe

Disable System Restore. You can find instructions on how to enable and re-enable System Restore here:

Managing Windows Millennium System Restore
or

Windows XP System Restore Guide

Re-enable System Restore with the instructions from the tutorial above.

Reboot your computer to go back to normal mode and post a new log.

#3 trashman


Posted 30 June 2004 - 03:43 PM

OK, a couple of issues:

For some reason, the computer wouldn't restart in Safe Mode until the third try.

Also, I am using Windows 98SE; I followed the instructions for disabling System Restore that were provided, but under the Troubleshooting tab there was not a box labeled Disable System Restore.

And last but not least, when I rebooted in normal mode my home page is hijacked back to about:blank.

Logfile of HijackThis v1.98.0
Scan saved at 4:37:29 PM, on 6/30/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\PROMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\LOGWAT95.EXE
C:\PROGRAM FILES\COMPUTERASSOCIATES\INOCULATEIT\ISRV95.EXE
C:\PROGRAM FILES\COMPUTERASSOCIATES\INOCULATEIT\REALMON.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\IISYSTEM WIPER\SYSTEMWIPER.EXE
C:\PALM\HOTSYNC.EXE
C:\PVSW\BIN\W3DBSMGR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\windows\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\windows\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\TEMP\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
F1 - win.ini: run=hpfsched
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {3E38634C-CAAF-11D8-9976-0003D5E154C6} - C:\WINDOWS\SYSTEM\IBG.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [VsEcomrEXE] C:\Program Files\Network Associates\McAfee VirusScan\vsecomr.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [LogWatch] C:\WINDOWS\LogWat95.exe
O4 - HKLM\..\Run: [InoculateIT Scanning Service] C:\Program Files\ComputerAssociates\InoculateIT\isrv95.exe
O4 - HKLM\..\Run: [InoculateIT Realtime Monitor] C:\Program Files\ComputerAssociates\InoculateIT\realmon.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe /RUNSERVICES
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [iIWiper] C:\Program Files\iISystem Wiper\SystemWiper.exe m
O4 - Startup: HotSync Manager.lnk = C:\Palm\Hotsync.exe
O4 - Startup: Pervasive.SQL Workgroup Engine.lnk = C:\PVSW\Bin\W3DBSMGR.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Popup Eliminator - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - (no file)
O9 - Extra 'Tools' menuitem: Popup Eliminator - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - (no file)
O9 - Extra button: Dell Home - {A4EEA500-4C0F-11D3-9975-00902781CFF7} - http://www.dell.com/ (file missing) (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {E581F2C0-9293-11D0-B132-00A0249C49D7} (Net-It jDoc PrintGraphics) - http://ncrules.state.nc.us/jdocprtm.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = WKEP.COM
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 12.127.16.67,199.191.128.103
O18 - Filter: text/html - {3E38634B-CAAF-11D8-9976-00035A08CCB2} - C:\WINDOWS\SYSTEM\IBG.DLL
O18 - Filter: text/plain - {3E38634B-CAAF-11D8-9976-00035A08CCB2} - C:\WINDOWS\SYSTEM\IBG.DLL

#4 Grinler

Lawrence Abrams, Admin

Posted 30 June 2004 - 04:14 PM

No problemo :flowers: All proceeding normally with this stuff .... :thumbsup:

You are infected with a variant of the CoolWebSearch.

Download CWShredder from the link below and unzip it into a directory. Start CWShredder and click on the Fix button to have it remove all CWS infections it finds.

Download CWShredder from:

http://www.merijn.org/files/cwshredder.zip

or

http://tools.zerosrealm.com/CWShredder.zip

After you download the program, unzip it into a directory. Make sure all browser windows are closed and double click on cwshredder.exe to start the program. When the program is loaded, click on the "Check for Update" button, and if it finds a new version it will download it. You should then double click on cwshredder.exe again and click on the "FIX" button (not the "Scan only" button) and let it scan your computer.

To get the best results it is recommended that you run it in safe mode. Reboot windows and press F8 at boot/windows startup, usually right after the beep. Then select safe mode.

A tutorial that goes over this process step by step can be found here:

How to remove CoolWebSearch with CoolWeb Shredder

Once that is completed, you should follow these steps in order to clean your computer of malware, which can include viruses, Trojans, worms, spyware, hijackers and dialers.

Step 1:
Download Spybot and Ad-aware from the following locations and install them. You should run both programs and clean up what they find. This is to guarantee that you find as much of the malware installed on your computer as you can.

Before running the scans on both programs, it is mandatory that you update the programs. There are update options in each program when you run them.

Spybot

Ad-aware

If you would like to learn more about how to use these two programs with the proper settings you can read the tutorials below:

AD-AWARE - Using Ad-aware to remove Spyware/Hijackers from Your Computer.

SPYBOT SEARCH AND DESTROY - Using Spybot - Search & Destroy to remove Spyware from Your Computer.


When you scan with both programs, fix everything that it finds.

When you are done with the scan and fixing the items, please continue with the next step.

Step 2:

It is important that you run Spybot and Ad-aware before you proceed with this step. Fixing entries with HijackThis may leave behind unwanted files on your computer if the previous step was not done first.

Create a directory on your hard drive to save HijackThis.exe, for example c:\hijackthis. If you do not do this, you will not be able to use the backup/restore features.

Download HijackThis from:

HijackThis

Save this file into the directory you made previously and then run the program. Click on the Scan button and when it is finished click on the Save Log button. A Notepad window will open with the contents of this log. Click on Edit then click on Select all. Then click on Edit and then Click on Copy.

Create a reply to this post, and right click in message area and select paste to paste the log into the post.

Someone will reply to you after reading this post. DO NOT fix any entries unless you understand what you are doing.

To see a tutorial on using HijackThis you can click on the link below:

HijackThis - Using HijackThis to Remove Spyware, Browser Hijackers, and Dialers
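Added example (my code, not from the thread, HijackThis, or any tool mentioned here): a defensive triage pass over HijackThis log lines that encodes the indicators the helpers acted on in trashman's logs above: the R0/R1 search pages redirected to file://...\TEMP\sp.html, the 127.0.0.1:7212 proxy, the O18 text/html and text/plain filters and the nameless BHO backed by IBG.DLL, and the O4/O6/O19 entries Grinler asked to have fixed. The sample lines are copied from the posted logs; the severities and the SDHelper allow-list are my assumptions.

```python
"""Triage heuristics for HijackThis log lines (added example, not from the thread)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: lines copied from the HijackThis logs trashman posted above.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.98.0
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
F1 - win.ini: run=hpfsched
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {3E38634C-CAAF-11D8-9976-0003D5E154C6} - C:\WINDOWS\SYSTEM\IBG.DLL
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - Startup: Microsoft Office.lnk = C:\WINDOWS\Application Data\Microsoft\Installer\{00030409-78E1-11D2-B60F-006097C998E7}\misc.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O18 - Filter: text/html - {3E38634B-CAAF-11D8-9976-00035A08CCB2} - C:\WINDOWS\SYSTEM\IBG.DLL
O18 - Filter: text/plain - {3E38634B-CAAF-11D8-9976-00035A08CCB2} - C:\WINDOWS\SYSTEM\IBG.DLL
O19 - User stylesheet: (file missing)
"""

# Every entry is "<section> - <body>", e.g. "R1 - ..." or "O18 - ...".
LINE_RE = re.compile(r"^(?P<kind>[RFO]\d{1,2}) - (?P<body>.+)$")

# Nameless BHOs that are known-good. Assumption: Spybot-S&D's SDHelper is the
# only one expected on this machine; any other nameless BHO gets reviewed.
KNOWN_NAMELESS_BHO = {"sdhelper.dll"}


@dataclass(frozen=True)
class Finding:
    kind: str      # HijackThis section code, e.g. "R1" or "O18"
    severity: str  # "high": hijack indicator; "review": confirm before fixing
    reason: str
    line: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage_line(line: str) -> Optional[Finding]:
    """Apply the thread's indicators to one log line; None means nothing flagged."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, body = m["kind"], m["body"]

    if kind in ("R0", "R1") and " = " in body:
        key, value = (s.strip() for s in body.split(" = ", 1))
        loopback = value.lower().startswith(("127.0.0.1:", "localhost:"))
        if key.lower().endswith(",proxyserver") and loopback:
            return Finding(kind, "high", "IE traffic proxied through a loopback listener", line)
        if value.lower().startswith("file://"):
            return Finding(kind, "high", "IE search/home setting redirected to a local HTML file", line)

    if kind == "O2" and body.startswith("BHO: (no name)"):
        # The DLL path is the last " - " separated field of the entry.
        if _basename(body.rsplit(" - ", 1)[-1]) not in KNOWN_NAMELESS_BHO:
            return Finding(kind, "review", "nameless BHO outside the allow-list", line)

    if kind == "O18" and body.startswith("Filter: text/"):
        # A text/html or text/plain MIME filter sees every page IE renders.
        return Finding(kind, "high", "MIME filter for text/* backed by a DLL", line)

    if kind == "O4" and body.startswith("Startup:") and " = " in body:
        target = body.split(" = ", 1)[1].lower()
        if "\\application data\\" in target and target.endswith(".exe"):
            return Finding(kind, "review", "startup shortcut launching an EXE from Application Data", line)

    if kind == "O6":
        return Finding(kind, "review", "IE policy restrictions present on a home PC", line)

    if kind == "O19" and "(file missing)" in body:
        return Finding(kind, "review", "user stylesheet configured but the file is missing", line)

    return None


def triage_log(text: str) -> List[Finding]:
    """Return the flagged entries of a whole log, in log order."""
    return [f for f in (triage_line(ln) for ln in text.splitlines()) if f is not None]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.severity:<6} {f.kind:<3} {f.reason}")
```

Legitimate entries in the sample (Google Toolbar, Spybot's SDHelper, TaskMonitor, HomeOldSP = about:blank) produce no finding, so the pass separates the hijack from the noise in the same way the helpers did by hand.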

#5 trashman


Posted 30 June 2004 - 05:00 PM

I ran CWShredder in safe mode and it removed the booger!! I updated and ran Spybot and it found nothing. I still can't get AdAware to download (as I said in my original post). Same error message when I try SpywareBlaster as well. Are these problems common?

Thanks for all of your help.


Logfile of HijackThis v1.98.0
Scan saved at 5:56:46 PM, on 6/30/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\PROMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\LOGWAT95.EXE
C:\PROGRAM FILES\COMPUTERASSOCIATES\INOCULATEIT\ISRV95.EXE
C:\PROGRAM FILES\COMPUTERASSOCIATES\INOCULATEIT\REALMON.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\IISYSTEM WIPER\SYSTEMWIPER.EXE
C:\PALM\HOTSYNC.EXE
C:\PVSW\BIN\W3DBSMGR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\windows\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\windows\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\TEMP\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
F1 - win.ini: run=hpfsched
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [VsEcomrEXE] C:\Program Files\Network Associates\McAfee VirusScan\vsecomr.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [LogWatch] C:\WINDOWS\LogWat95.exe
O4 - HKLM\..\Run: [InoculateIT Scanning Service] C:\Program Files\ComputerAssociates\InoculateIT\isrv95.exe
O4 - HKLM\..\Run: [InoculateIT Realtime Monitor] C:\Program Files\ComputerAssociates\InoculateIT\realmon.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe /RUNSERVICES
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [iIWiper] C:\Program Files\iISystem Wiper\SystemWiper.exe m
O4 - Startup: HotSync Manager.lnk = C:\Palm\Hotsync.exe
O4 - Startup: Pervasive.SQL Workgroup Engine.lnk = C:\PVSW\Bin\W3DBSMGR.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Popup Eliminator - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - (no file)
O9 - Extra 'Tools' menuitem: Popup Eliminator - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - (no file)
O9 - Extra button: Dell Home - {A4EEA500-4C0F-11D3-9975-00902781CFF7} - http://www.dell.com/ (file missing) (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {E581F2C0-9293-11D0-B132-00A0249C49D7} (Net-It jDoc PrintGraphics) - http://ncrules.state.nc.us/jdocprtm.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = WKEP.COM
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 12.127.16.67,199.191.128.103

#6 Grinler

Lawrence Abrams, Admin

Posted 30 June 2004 - 06:37 PM

What version of CWShredder are you using? When you start it, it will tell you on the first screen you see.

Make sure it's 1.59.1. Run it again in normal mode, not safe mode, and then post a new log.

#7 ColdinCbus


Posted 30 June 2004 - 10:18 PM

Hi, trashman and Grinler. :thumbsup:

With Grinler's permission.

You may have a new version that CWShredder can't remove until you kill the locked DLL that is reinfecting the machine. Let's check to see if that is the version you have.

Download: "StartDreck", from here:
http://members.blackbox.net/hp_links/21/ni.../startdreck.htm

Unzip to its own folder and start the program.

Press 'Config'
Press 'Unmark All'

Check the following boxes only:
Registry -> Run Keys
System/drivers -> Running processes
Press 'Ok'

Press 'Save' and select the location to save the log file
(default is the same folder as the application)

Post the log in this thread.

Edited by ColdinCbus, 30 June 2004 - 10:34 PM.


#8 trashman


Posted 01 July 2004 - 09:30 AM

ColdinCbus-

Here you go.

StartDreck (build 2.1.5 public BETA) - 2004-07-01 @ 10:28:55
Platform: Windows 98 SE (Win 4.10.2222 A)

»Registry
»Run Keys
»Current User
»Run
*Taskbar Display Controls=RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
*iIWiper=C:\Program Files\iISystem Wiper\SystemWiper.exe m
»RunOnce
»Default User
»Run
*Taskbar Display Controls=RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
*iIWiper=C:\Program Files\iISystem Wiper\SystemWiper.exe m
»RunOnce
»Local Machine
»Run
*ScanRegistry=c:\windows\scanregw.exe /autorun
*TaskMonitor=c:\windows\taskmon.exe
*Promon.exe=Promon.exe
*SystemTray=SysTray.Exe
*EM_EXEC=c:\mouse\system\em_exec.exe
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*VsEcomrEXE=C:\Program Files\Network Associates\McAfee VirusScan\vsecomr.exe
*LoadQM=loadqm.exe
*LogWatch=C:\WINDOWS\LogWat95.exe
*InoculateIT Scanning Service=C:\Program Files\ComputerAssociates\InoculateIT\isrv95.exe
*InoculateIT Realtime Monitor=C:\Program Files\ComputerAssociates\InoculateIT\realmon.exe
*Installed=1
*NoChange=1
*Installed=1
*Installed=1
»RunOnce
»RunServices
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*McAfeeWebScanX=C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe /RUNSERVICES
»RunServicesOnce
**b=rundll32 C:\WINDOWS\SYSTEM\D3DJB.DLL,StreamingDeviceSetup
»RunOnceEx
»RunServicesOnceEx
»Files
»System/Drivers
»Running Processes
*FFCF5B69=C:\WINDOWS\SYSTEM\KERNEL32.DLL
*FFFF9B49=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
*FFFF89F9=C:\WINDOWS\SYSTEM\MPREXE.EXE
*FFFFFE69=C:\WINDOWS\SYSTEM\mmtask.tsk
*FFFE1391=C:\WINDOWS\RUNDLL32.EXE
*FFFFC6C9=C:\WINDOWS\EXPLORER.EXE
*FFFD6A9D=C:\WINDOWS\TASKMON.EXE
*FFFD49B9=C:\WINDOWS\SYSTEM\PROMON.EXE
*FFFC2DA5=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
*FFFCAF85=C:\MOUSE\SYSTEM\EM_EXEC.EXE
*FFFC8D15=C:\WINDOWS\LOADQM.EXE
*FFFDBE3D=C:\WINDOWS\LOGWAT95.EXE
*FFFD61A1=C:\PROGRAM FILES\COMPUTERASSOCIATES\INOCULATEIT\ISRV95.EXE
*FFFC4E4D=C:\PROGRAM FILES\COMPUTERASSOCIATES\INOCULATEIT\REALMON.EXE
*FFFB7F0D=C:\WINDOWS\RunDLL.exe
*FFFB72D9=C:\PROGRAM FILES\IISYSTEM WIPER\SYSTEMWIPER.EXE
*FFFB6AF5=C:\PALM\HOTSYNC.EXE
*FFFBEB09=C:\PVSW\BIN\W3DBSMGR.EXE
*FFFAD655=C:\WINDOWS\SYSTEM\WMIEXE.EXE
*FFF998F9=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
*FFF88EAD=C:\WINDOWS\SYSTEM\DDHELP.EXE
*FFF7CB4D=C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OUTLOOK.EXE
*FFF76D21=C:\PROGRAM FILES\COMMON FILES\SYSTEM\MAPI\1033\95\MAPISP32.EXE
*FFF5F7D5=C:\WINDOWS\SYSTEM\PSTORES.EXE
*FFF6C0D1=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
*FFF2F879=C:\WINDOWS\SYSTEM\SPOOL32.EXE
*FFCF3BE9=C:\UNZIPPED\STARTDRECK[1]\STARTDRECK.EXE
»Application specific

#9 trashman


Posted 01 July 2004 - 09:43 AM

Grinler-

My version of CWShredder is 1.59.1. I ran it again in normal mode and here is the log.

Logfile of HijackThis v1.98.0
Scan saved at 10:42:05 AM, on 7/1/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\PROMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\LOGWAT95.EXE
C:\PROGRAM FILES\COMPUTERASSOCIATES\INOCULATEIT\ISRV95.EXE
C:\PROGRAM FILES\COMPUTERASSOCIATES\INOCULATEIT\REALMON.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\IISYSTEM WIPER\SYSTEMWIPER.EXE
C:\PALM\HOTSYNC.EXE
C:\PVSW\BIN\W3DBSMGR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
F1 - win.ini: run=hpfsched
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [VsEcomrEXE] C:\Program Files\Network Associates\McAfee VirusScan\vsecomr.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [LogWatch] C:\WINDOWS\LogWat95.exe
O4 - HKLM\..\Run: [InoculateIT Scanning Service] C:\Program Files\ComputerAssociates\InoculateIT\isrv95.exe
O4 - HKLM\..\Run: [InoculateIT Realtime Monitor] C:\Program Files\ComputerAssociates\InoculateIT\realmon.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe /RUNSERVICES
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [iIWiper] C:\Program Files\iISystem Wiper\SystemWiper.exe m
O4 - Startup: HotSync Manager.lnk = C:\Palm\Hotsync.exe
O4 - Startup: Pervasive.SQL Workgroup Engine.lnk = C:\PVSW\Bin\W3DBSMGR.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Popup Eliminator - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - (no file)
O9 - Extra 'Tools' menuitem: Popup Eliminator - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - (no file)
O9 - Extra button: Dell Home - {A4EEA500-4C0F-11D3-9975-00902781CFF7} - http://www.dell.com/ (file missing) (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {E581F2C0-9293-11D0-B132-00A0249C49D7} (Net-It jDoc PrintGraphics) - http://ncrules.state.nc.us/jdocprtm.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = WKEP.COM
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 12.127.16.67,199.191.128.103

#10 ColdinCbus


Posted 01 July 2004 - 10:00 AM

OK, that is a hidden DLL infection.

Download: "Win98Fix.zip" from here:
http://www10.brinkster.com/expl0iter/freeatlast/pvtool.htm

Unzip to its own folder.

Open Folder and double click on RunFix.reg file.
Hit 'Yes' to merge it into your registry.
Restart your computer.

The bad file should now be visible so you can delete it.
Browse to c:\windows\system\D3DJB.DLL.
Right click on it to remove any read only protection. Then delete it.

(If you cannot find the file, run the 'Who.bat' file in the folder.
The file will be found and listed.)



Please Download CWShredder from:
http://www.merijn.org/files/cwshredder.zip
http://www.zerosrealm.com/downloads/CWShredder.zip

Extract CWShredder to its own folder,
Click the 'Fix ->' button.
Make sure you let it fix all CWS Remnants.

Next:
Download the latest version of Ad-Aware at
http://www.lavasoft.de/software/adaware/

Be sure to UPDATE BEFORE SCANNING FIRST!! That is a very important step and I have included easy directions.

After downloading and installing it, please update the program. Just open Ad-Aware and click on *Check for Updates Now* and then *Connect*. It will find a new reference file. Click *OK* and let it download and install the updates by clicking on *Finish*. This will return you to the main screen.

Next, go to Settings (the gear icon at the top) and then *Scanning* and checkmark these items so they will be green:

Scan within archives
Scan my IE Favorites for banned URLS
Scan my hosts file

Then click *proceed* to save settings.

Click on *Tweak* next. And checkmark to make this green also:

Automatically try to unregister objects prior to deletion

Click on *proceed*

Next, from the main screen, click on *Start* (lower right-hand corner) and put a dot in the box next to *use Custom scanning options*, then click *Next* to start your scan.


After the scan is complete, click the "Next" button. Checkmark any items found after scanning to remove (this will actually put them in quarantine, and you can recover them from backup if any should not have been removed). A quick way is to right-click in the Scanning Results window and click "Select all objects". Then click the "Next" button and confirm that you want to delete the selected entries.

Reboot your PC after cleaning with Adaware and scan again. Repeat the process until no further items are found as bad.

Last: Post a new HiJackThis log in this thread.

#11 trashman

trashman
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Local time:01:00 PM

Posted 01 July 2004 - 02:45 PM

Ad-Aware finally downloaded! Everything went smoothly; hopefully that got it. Thanks sooooo much! :thumbsup:

Logfile of HijackThis v1.98.0
Scan saved at 3:41:52 PM, on 7/1/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\PROMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\LOGWAT95.EXE
C:\PROGRAM FILES\COMPUTERASSOCIATES\INOCULATEIT\ISRV95.EXE
C:\PROGRAM FILES\COMPUTERASSOCIATES\INOCULATEIT\REALMON.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\IISYSTEM WIPER\SYSTEMWIPER.EXE
C:\PALM\HOTSYNC.EXE
C:\PVSW\BIN\W3DBSMGR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
F1 - win.ini: run=hpfsched
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {795A5082-CB6F-11D8-9976-0003C631797D} - C:\RECYCLED\DC0.DLL (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [VsEcomrEXE] C:\Program Files\Network Associates\McAfee VirusScan\vsecomr.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [LogWatch] C:\WINDOWS\LogWat95.exe
O4 - HKLM\..\Run: [InoculateIT Scanning Service] C:\Program Files\ComputerAssociates\InoculateIT\isrv95.exe
O4 - HKLM\..\Run: [InoculateIT Realtime Monitor] C:\Program Files\ComputerAssociates\InoculateIT\realmon.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe /RUNSERVICES
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [iIWiper] C:\Program Files\iISystem Wiper\SystemWiper.exe m
O4 - Startup: HotSync Manager.lnk = C:\Palm\Hotsync.exe
O4 - Startup: Pervasive.SQL Workgroup Engine.lnk = C:\PVSW\Bin\W3DBSMGR.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Popup Eliminator - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - (no file)
O9 - Extra 'Tools' menuitem: Popup Eliminator - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - (no file)
O9 - Extra button: Dell Home - {A4EEA500-4C0F-11D3-9975-00902781CFF7} - http://www.dell.com/ (file missing) (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {E581F2C0-9293-11D0-B132-00A0249C49D7} (Net-It jDoc PrintGraphics) - http://ncrules.state.nc.us/jdocprtm.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = WKEP.COM
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 12.127.16.67,199.191.128.103
O18 - Filter: text/html - {795A5081-CB6F-11D8-9976-000336E3E70A} - C:\RECYCLED\DC0.DLL
O18 - Filter: text/plain - {795A5081-CB6F-11D8-9976-000336E3E70A} - C:\RECYCLED\DC0.DLL

#12 ColdinCbus

ColdinCbus

  • Members
  • 312 posts
  • OFFLINE
  • Local time:02:00 PM

Posted 01 July 2004 - 03:12 PM

Put checks next to and have HijackThis fix the following items. Make sure you have no browser windows open when you click "Fix Checked":

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

If you did not set this ProxyServer:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212

O2 - BHO: (no name) - {795A5082-CB6F-11D8-9976-0003C631797D} - C:\RECYCLED\DC0.DLL (file missing)

Do you know this domain?
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = WKEP.COM

If you did not set these name servers:
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 12.127.16.67,199.191.128.103

O18 - Filter: text/html - {795A5081-CB6F-11D8-9976-000336E3E70A} - C:\RECYCLED\DC0.DLL
O18 - Filter: text/plain - {795A5081-CB6F-11D8-9976-000336E3E70A} - C:\RECYCLED\DC0.DLL

Reboot, run Hijackthis again and then post a fresh log. Also please tell us if you are still having any problems.
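The post above sorts the log by eye: entries to fix outright (the localhost proxy, the BHO and MIME filters loading a DLL out of C:\RECYCLED) and entries the owner has to confirm (the O17 domain and name servers). The script below is an added example, not part of the thread and not HijackThis code, that applies the same reasoning to HijackThis-format lines. The sample input is a subset of the log posted in this thread; the section rules, the scratch-folder list and the "fix"/"verify" severities are this example's own heuristics, and the path regex assumes the `.dll`/`.exe`/`.ocx` extensions HijackThis 1.98 logs show.

```python
"""Triage a HijackThis 1.98-style log for the indicators discussed in this thread.

Added example (not the thread's or HijackThis's own code). Rules are heuristics
chosen to mirror the helper's reasoning, not an authoritative signature set.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample: a subset of the 7/1/04 log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {795A5082-CB6F-11D8-9976-0003C631797D} - C:\RECYCLED\DC0.DLL (file missing)
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 12.127.16.67,199.191.128.103
O18 - Filter: text/html - {795A5081-CB6F-11D8-9976-000336E3E70A} - C:\RECYCLED\DC0.DLL
O18 - Filter: text/plain - {795A5081-CB6F-11D8-9976-000336E3E70A} - C:\RECYCLED\DC0.DLL
"""

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
# A Windows path ending in a loadable module; non-greedy so each path stops at its own extension.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:dll|exe|ocx)\b", re.IGNORECASE)
# Folders no legitimate browser extension is loaded from (assumed heuristic list).
SUSPECT_DIRS = ("\\RECYCLED\\", "\\RECYCLER\\", "\\TEMP\\")


@dataclass
class Finding:
    section: str
    line: str
    severity: str = "verify"          # "fix" or "verify" (owner must confirm)
    reasons: list = field(default_factory=list)

    def flag(self, severity, why):
        self.reasons.append(why)
        if severity == "fix":         # "fix" dominates once any rule says so
            self.severity = "fix"


def parse(log_text):
    """Return (section, body, line) for every HijackThis entry line in the log."""
    out = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            out.append((m.group("section"), m.group("body"), raw.strip()))
    return out


def triage(log_text):
    entries = parse(log_text)
    # Which sections reference each module: one DLL hooked in as a BHO *and* as
    # MIME filters is a stronger signal than any single entry on its own.
    refs = defaultdict(set)
    for section, body, _ in entries:
        for p in PATH_RE.findall(body):
            refs[p.upper()].add(section)

    findings = []
    for section, body, line in entries:
        f = Finding(section, line)
        paths = [p.upper() for p in PATH_RE.findall(body)]

        if section in ("R0", "R1") and body.endswith("= about:blank"):
            f.flag("verify", "start/search page is about:blank; often left behind by a hijacker, harmless to reset")
        if section == "R1" and "ProxyServer" in body:
            m = re.search(r"ProxyServer = (\S+)", body)
            if m and m.group(1).split(":")[0] in ("127.0.0.1", "localhost"):
                f.flag("fix", "browser proxy is a local port: every page passes through a process on this machine")
            else:
                f.flag("verify", "proxy configured; confirm the owner set it")
        if section == "O18" and re.match(r"Filter: text/(html|plain)", body):
            f.flag("fix", "MIME filter on text/html or text/plain rewrites content before IE renders it; rarely legitimate")
        if section == "O17":
            f.flag("verify", "TCP/IP domain or name server; confirm it matches the ISP/network settings")
        for p in paths:
            if any(d in p for d in SUSPECT_DIRS):
                f.flag("fix", f"{p} loads from a scratch folder")
            if len(refs[p]) > 1:
                f.flag("fix", f"{p} is also registered under {sorted(refs[p] - {section})}")
                if "(file missing)" in body:
                    f.flag("fix", f"{p} reported missing yet still registered: orphaned or hidden from the file API")
        if f.reasons:
            findings.append(f)
    return findings


def report(log_text):
    """Human-readable summary, 'fix' items first."""
    lines = []
    for f in sorted(triage(log_text), key=lambda x: x.severity != "fix"):
        lines.append(f"[{f.severity.upper()}] {f.line}")
        lines.extend(f"    - {r}" for r in f.reasons)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Entries that trigger no rule (the Spybot helper BHO, the TaskMonitor run key) are dropped rather than listed, which is the point: a triage pass should leave the reader with the same short list the helper produced, each item carrying the reason it was picked, so the owner can answer the "did you set this?" questions without re-reading the whole log.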

#13 trashman

trashman
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Local time:01:00 PM

Posted 01 July 2004 - 03:45 PM

Yes, I know WKEP.COM. Wasn't sure about the proxy server or name servers so I nuked them to be safe! :thumbsup: Everything seems to be back to normal, Ad-Aware and SpywareBlaster are working fine.

One question: Should I continue to run Ad-Aware with the custom settings that you had me set earlier or should I return them to the default settings? I usually run Ad-Aware every week or so. Thanks again for all of your help!

Logfile of HijackThis v1.98.0
Scan saved at 4:32:29 PM, on 7/1/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\PROMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\LOGWAT95.EXE
C:\PROGRAM FILES\COMPUTERASSOCIATES\INOCULATEIT\ISRV95.EXE
C:\PROGRAM FILES\COMPUTERASSOCIATES\INOCULATEIT\REALMON.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\IISYSTEM WIPER\SYSTEMWIPER.EXE
C:\PALM\HOTSYNC.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

F1 - win.ini: run=hpfsched
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [VsEcomrEXE] C:\Program Files\Network Associates\McAfee VirusScan\vsecomr.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [LogWatch] C:\WINDOWS\LogWat95.exe
O4 - HKLM\..\Run: [InoculateIT Scanning Service] C:\Program Files\ComputerAssociates\InoculateIT\isrv95.exe
O4 - HKLM\..\Run: [InoculateIT Realtime Monitor] C:\Program Files\ComputerAssociates\InoculateIT\realmon.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe /RUNSERVICES
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [iIWiper] C:\Program Files\iISystem Wiper\SystemWiper.exe m
O4 - Startup: HotSync Manager.lnk = C:\Palm\Hotsync.exe
O4 - Startup: Pervasive.SQL Workgroup Engine.lnk = C:\PVSW\Bin\W3DBSMGR.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Popup Eliminator - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - (no file)
O9 - Extra 'Tools' menuitem: Popup Eliminator - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - (no file)
O9 - Extra button: Dell Home - {A4EEA500-4C0F-11D3-9975-00902781CFF7} - http://www.dell.com/ (file missing) (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {E581F2C0-9293-11D0-B132-00A0249C49D7} (Net-It jDoc PrintGraphics) - http://ncrules.state.nc.us/jdocprtm.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = WKEP.COM

#14 ColdinCbus

ColdinCbus

  • Members
  • 312 posts
  • OFFLINE
  • Local time:02:00 PM

Posted 01 July 2004 - 07:30 PM

You can continue to scan with those custom settings. That is how I do my weekly scans. This is my canned speech. You have some of these products already, but here are some simple steps you can take to reduce the chance of infection in the future.

1. Visit Windows Update:
Make sure that you have all the Critical Updates recommended for your operating system and IE. The first defense against infection is a properly patched OS.
a. Windows Update: http://v4.windowsupdate.microsoft.com/en/default.asp

2. Adjust your security settings for ActiveX:
Go to Internet Options/Security/Internet, press 'default level', then OK.
Now press "Custom Level."
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to 'prompt', and "Initialize and Script ActiveX controls not marked as safe" to 'disable'.

3. Download and install the following free programs:
a. SpywareBlaster: http://www.javacoolsoftware.com/spywareblaster.html
b. SpywareGuard: http://www.javacoolsoftware.com/spywareguard.html
c. IE/Spyad: https://netfiles.uiuc.edu/ehowes/www/resource.htm

4. Install Spyware Detection and Removal Programs:
You may also want to consider installing either or both of AdAware (free version) and Spybot S&D (freeware). Use these programs to regularly scan your system for and remove many forms of spyware/malware.
a. AdAware: http://www.lavasoft.de/
b. Spybot S&D: http://www.safer-networking.org/index.php?...n&page=download

Because new hijacks and malware are discovered constantly, please check for and update these products often. The Calendar of Updates is a good place to check if any of them have been updated recently: http://cou.dozleng.com

For more information about Spyware, the tools available, and other informative material, including information on how you may have been infected in the first place, please check out this link: How Did My Computer Get Hijacked in the First Place

Good Luck. :thumbsup:

Edited by ColdinCbus, 01 July 2004 - 07:32 PM.




