View Full Version : CWS help wanted
claire
September 9th, 2003, 12:50 PM
CWS found:
Hostfile:C:\Windows\Hosts(309107 bytes)
Registry keys:cws.com(trusted zone)
:cwwwsearch.com(trusted zone)
:msn.com(trusted zone)
Win.ini file:C\Windows\win.ini(7973 bytesA)
Found line in win.ini=hpfsched.
May I let CWS delete everything without any problem?
The last entry seems linked to my HP printer
Any help would be appreciated. :)
PS if needed how can I have CWS do a partial deletion?
Pieter_Arntz
September 9th, 2003, 02:21 PM
Hi claire,
Feel free to post your HijackThis log.
I'd like to see what is going on.
CWShredder does not do partial deletions.
Could you post your HijackThis log (http://www.tomcoyote.org/hjt/)
Download, Unzip and run HijackThis. Then click Scan > Save log, save the log as a .txt file and copy & paste its content into your next post.
Don´t fix anything yet. Most of what it finds is harmless.
Regards,
Pieter
claire
September 9th, 2003, 02:32 PM
hi Pieter,
Thanks for your help
Logfile of HijackThis v1.96.4
Scan saved at 20:30:39, on 9/09/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\PROGRAM FILES\ESET\NOD32KRN.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\TRIDTRAY.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\REGPROT\REGPROT.EXE
C:\PROGRAM FILES\SOFT4EVER\LOOKNSTOP\LOOKNSTOP.EXE
C:\PROGRAM FILES\TROJANHUNTER 3.6\THGUARD.EXE
C:\PROGRAM FILES\ESET\NOD32KUI.EXE
C:\WINDOWS\SYSTEM\SWEEPER.EXE
C:\INTEL\PSNCU INTEL\CPUNUMBER.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\NAVISCOPE\NAVISCOPE.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\TEMP\EUZEY0K.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dhnet.be/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:81
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
F1 - win.ini: run=hpfsched
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TridTray] c:\windows\SYSTEM\tridtray.exe
O4 - HKLM\..\Run: [WinFast_Gamma] rundll32.exe wfcpl.dll,DllLoadGammaRampSettings
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [Multimedia Keyboard] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [Onscreen Display] C:\Program Files\Netropa\Onscreen Display\OSD.exe
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [RegProt] c:\regprot\regprot.exe /start
O4 - HKLM\..\Run: [Look 'n' Stop] "C:\Program Files\Soft4Ever\looknstop\looknstop.exe" -auto
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 3.6\THGUARD.EXE"
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
O4 - HKLM\..\Run: [Internet Sweeper] C:\WINDOWS\SYSTEM\SWEEPER.EXE /Q
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [NOD32kernel] C:\Program Files\Eset\nod32krn.exe
O4 - HKCU\..\Run: [IntelProcNumUtility] "C:\Intel\PSNCU Intel\CPUNumber.exe" /nosplash
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: naviscope.lnk = C:\Program Files\Naviscope\naviscope.exe
O9 - Extra button: RealGuide (HKLM)
O10 - Broken Internet access because of LSP provider 'imon.dll' missing
O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (IPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37862.9015162037
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
Pieter_Arntz
September 9th, 2003, 02:42 PM
Hi claire,
Check the following item in HijackThis.
Close all windows except HijackThis and click Fix checked:
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file) <= You may have to reinstall Spybot S&D to get that right again.
Then reboot.
Did you remove the entries from your trusted zone yourself or was this a total false alarm by CWShredder?
Regards,
Pieter
claire
September 9th, 2003, 02:46 PM
Hi Pieter,
Thanks again for your help.I did not touch my trusted
zone(this one is empty) in anyway.
Is it safer for me to uninstall Spybot first,then clean withHJT and reinstall SPYBOT?Or can I simply clean at once with HJT?
Ps:Thanks again Pieter worked like a charm
Have a great week :)
Pieter_Arntz
September 9th, 2003, 03:31 PM
Hi claire,
Glad to be able to help you. :)
First use HijackThis then reinstall Spybot S&D, I would say.
Otherwise either the file would no longer be missing or you would get a double entry. (Dunno :-[ )
Be seeing you around.
Regards,
Pieter
vBulletin® Copyright ©2000-2012, Jelsoft Enterprises Ltd.
Copyright ©2002 - 2012, Wilders Security Forums