HELP - Malware reinserts itself on system reboot

Discussion in 'adware, spyware & hijack cleaning' started by White Devel, May 25, 2004.

Thread Status:
Not open for further replies.
  1. White Devel

    White Devel Registered Member

    Joined:
    May 25, 2004
    Posts:
    6
    Why is it when I remove as many traces of unwanted pests using a multitude of utilities from Spybot search and destroy, PestPatrol, Antiy Ghostbusters, regcleaner, regedit, spysweeper, ect..... There are a selected few that keep returning to my system upon reboot? Among the handful of files that keep reinserting themselves in my computer is CWS.GoogleMS.3. It is a Hijacker that runs a Java applet. Requires older or unpatched version of Microsoft Internet Explorer. Some variants (e.g., CWS.Vrape) will redirect to adult sites or invoke dialers. Every reboot i have to dispose of them.
    I have all up-to-date security patches and program updates from Microsoft and IE 6 as well all my computer maintenance utilities are the latest versions.
    What am I missing? The answer is probably staring me in the face plain as day. HELP ME PLEASE.
     
  2. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
  3. White Devel

    White Devel Registered Member

    Joined:
    May 25, 2004
    Posts:
    6
    HELP - malware reinserts itself on every system re-boot

    I scanned with Ad-Aware v.6.0.1.183, PestPatrol v. 4.4.2.7, and Spybot - Search & Destroy 1.3.0.12. Along with many others to clean my system.
    I followed your instructions for creating a log.

    PROBLEM:
    When I reboot and re-scan with Spybot and PestPatrol, two entries are found to be re-planted within my computer even after I have removed them countless times.
    Why do they keep coming back even after my utilities quarantine or delete them?

    1- Using PestPatrol v. 4.4.2.7

    FILE: CWS.GoogleMS.3
    File info:
    HKEY_CURRENT_USER\software\microsoft\currentversion\internet settings\zonemap\domains\xxxtoolbar.com

    2 – Using Spybot - Search & Destroy 1.3.0.12

    Upon every reboot I get:
    System scan says no spybots are found when run, but under Immunize it says
    1725 bad products already blocked, 1 additional protections possible. Please immunize.
    That 1 file keeps coming up.o_O

    Logfile of HijackThis v1.97.7
    Scan saved at 9:33:43 PM, on 5/25/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\devldr32.exe
    C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\ZONELA~2\ZONEAL~1\zlclient.exe
    C:\PROGRA~1\PESTPA~1\PPControl.exe
    C:\PROGRA~1\Ashampoo\ASHAMP~1\PopUpKiller.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Documents and Settings\Giroux. C\Desktop\Tools\Hijack This\hijackthis1977\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.sympatico.ca
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www1.sympatico.ca
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www1.sympatico.ca
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Provided by Me
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dellnet.com/
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {49E0E0F0-5C30-11D4-945D-000000000003} - C:\PROGRA~1\Ashampoo\ASHAMP~1\PopUp.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {7a78634a-90a0-48cc-8dd2-bf140c537766} - (no file)
    O2 - BHO: (no name) - {7B2A9720-A1D1-4B0B-A3CB-515C7D7B48C8} - C:\WINDOWS\SYSTEM32\dnvkyajd.dll
    O2 - BHO: (no name) - {B930BA63-9E5A-11D3-A288-0000E80E2EDE} - (no file)
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {dab8a1ed-16f2-4f8b-9115-84f16f37340a} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {35788ec5-9902-46e6-b6f9-12a3ee9c2f30} - (no file)
    O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~2\ZONEAL~1\zlclient.exe
    O4 - HKLM\..\Run: [KeyPatrol] C:\PROGRA~1\PESTPA~1\KeyPatrol.exe
    O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
    O4 - HKCU\..\Run: [Ashampoo PopUpBlocker] C:\PROGRA~1\Ashampoo\ASHAMP~1\PopUpKiller.exe
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: Download using Download &Express - file://C:\WINDOWS\System32\MetaProducts\Add_Url.htm
    O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
    O8 - Extra context menu item: Search Using Copernic Agent - C:\Program Files\Copernic Agent\Web\SearchExt.htm
    O9 - Extra 'Tools' menuitem: Launch Copernic Agent (HKLM)
    O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
    O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
    O9 - Extra button: Copernic Agent (HKLM)
    O9 - Extra button: Microsoft® JavaScript® Console (HKCU)
    O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www1.sympatico.ca
    O14 - IERESET.INF: MS_START_PAGE_URL=http://www1.sympatico.ca
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...le.com/samantha/us/win/QuickTimeInstaller.exe
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - http://a840.g.akamai.net/7/840/537/76808a0e7ae82f/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/public/chat/msnchat42.cab
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.city.north-bay.on.ca/scripts/AxisCamControl.ocx
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
    O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} - http://download.rfwnad.com/cab/crack.CAB
     
  4. Yellowhammer

    Yellowhammer Spyware Fighter

    Joined:
    May 23, 2004
    Posts:
    53
    Location:
    Alabama, USA
    Re: HELP - malware reinserts itself on every system re-boot

    Close all windows and have hijackthis fix the following:

    R3 - Default URLSearchHook is missing

    O2 - BHO: (no name) - {7a78634a-90a0-48cc-8dd2-bf140c537766} - (no file)
    O2 - BHO: (no name) - {7B2A9720-A1D1-4B0B-A3CB-515C7D7B48C8} - C:\WINDOWS\SYSTEM32\dnvkyajd.dll
    O2 - BHO: (no name) - {dab8a1ed-16f2-4f8b-9115-84f16f37340a} - (no file)

    O3 - Toolbar: (no name) - {35788ec5-9902-46e6-b6f9-12a3ee9c2f30} - (no file)

    O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} - http://download.rfwnad.com/cab/crack.CAB


    As for this entry: FILE: CWS.GoogleMS.3
    File info:
    HKEY_CURRENT_USER\software\microsoft\currentversion\internet settings\zonemap\domains\xxxtoolbar.com

    This means you have this entry in the restricted sites which is where you want it.
     
    Last edited: May 25, 2004
  5. White Devel

    White Devel Registered Member

    Joined:
    May 25, 2004
    Posts:
    6
    Four Adware Issues

    I scanned with Ad-Aware v.6.0.1.183, PestPatrol v. 4.4.2.7, and Spybot - Search & Destroy 1.3.0.12.

    Every time I run PestPatrol I get the following 4 entries. They reinsert themselves on every system reboot despite them being deleted. I currently have LimeWire, Overnet, WarezP2P client, and Tesla file sharing programs installed. NO Kazaa anymore.
    Is this a bug in PestPatrol that selects these files as a threat in confidentiality even though they may be harmless as with what happened with the entry of FILE: CWS.GoogleMS.3 in File info: HKEY_CURRENT_USER\software\microsoft\currentversion\internet settings\zonemap\domains\xxxtoolbar.com?
    And can I ever get rid of them without uninstalling my file sharing programs?
    What software are they associated with?



    1 - XoloX Category: Adware In Registry: HKEY_CLASSES_ROOT\magnet
    2- SaveNow Category: Adware In Registry: HKEY_LOCAL_MACHINE\software\classes\magnet\shell\open\command
    3- SaveNow Category: Adware In Registry: HKEY_LOCAL_MACHINE\software\classes\magnet\defaulticon
    4- KaZaA Category: Adware In Registry: HKEY_LOCAL_MACHINE\software\magnet


    Logfile of HijackThis v1.97.7
    Scan saved at 4:52:40 PM, on 5/27/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\devldr32.exe
    C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\ZONELA~2\ZONEAL~1\zlclient.exe
    C:\PROGRA~1\PESTPA~1\PPControl.exe
    C:\PROGRA~1\Ashampoo\ASHAMP~1\PopUpKiller.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Documents and Settings\Giroux. C\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.sympatico.ca
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www1.sympatico.ca
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www1.sympatico.ca
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Provided by Me
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dellnet.com/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5

    .0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {49E0E0F0-5C30-11D4-945D-000000000003} - C:\PROGRA~1

    \Ashampoo\ASHAMP~1\PopUp.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper

    .dll
    O2 - BHO: (no name) - {7a78634a-90a0-48cc-8dd2-bf140c537766} - (no file)
    O2 - BHO: (no name) - {7B2A9720-A1D1-4B0B-A3CB-515C7D7B48C8} - (no file)
    O2 - BHO: (no name) - {B930BA63-9E5A-11D3-A288-0000E80E2EDE} - (no file)
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton

    SystemWorks\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {dab8a1ed-16f2-4f8b-9115-84f16f37340a} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic

    Agent\CopernicAgentExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton

    SystemWorks\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~2\ZONEAL~1\zlclient.exe
    O4 - HKLM\..\Run: [KeyPatrol] C:\PROGRA~1\PESTPA~1\KeyPatrol.exe
    O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
    O4 - HKCU\..\Run: [Ashampoo PopUpBlocker] C:\PROGRA~1\Ashampoo\ASHAMP~1\PopUpKiller.exe
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [Spam Bully for Outlook Express] "C:\Program Files\Axaware\Spam Bully 2 for

    OE\oespambully.exe" install
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe

    Gamma Loader.exe
    O8 - Extra context menu item: Download using Download &Express - file://C:\WINDOWS\System32

    \MetaProducts\Add_Url.htm
    O8 - Extra context menu item: LimeShop Preferences - file://C:\Program

    Files\LimeShop\System\Temp\limeshop_script0.htm
    O8 - Extra context menu item: Search Using Copernic Agent - C:\Program Files\Copernic

    Agent\Web\SearchExt.htm
    O9 - Extra 'Tools' menuitem: Launch Copernic Agent (HKLM)
    O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
    O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
    O9 - Extra button: Copernic Agent (HKLM)
    O9 - Extra button: Microsoft® JavaScript® Console (HKCU)
    O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www1.sympatico.ca
    O14 - IERESET.INF: MS_START_PAGE_URL=http://www1.sympatico.ca
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20020713/

    qtinstall.info.apple.com/samantha/us/win/QuickTimeInstaller.exe
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - http://security.symantec.com/sscv6/

    SharedContent/common/bin/cabsa.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - http://a840.g.akamai.net/7/840/537/76808a0e7

    ae82f/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/public/chat/msnchat42.cab
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.city.north-bay.on

    .ca/scripts/AxisCamControl.ocx
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/

    security/controls/SassCln.CAB
    O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} -
     
  6. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
  7. White Devel

    White Devel Registered Member

    Joined:
    May 25, 2004
    Posts:
    6
    Re: Four Adware Issues

    Yes I have removed the entries that were specified using HijackThis. Thanks for the help on that issue. Close Away..
    I’ve read that others have also submitted a report to PestPatrol about the bug, the CWS.GoogleMS.3 entry that is being detected in the newer version even though it is where it should be.

    Any thoughts on these new issues?
     
  8. White Devel

    White Devel Registered Member

    Joined:
    May 25, 2004
    Posts:
    6
    Re: Four Adware Issues

    ..;';
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.