HijachThis Log

Hi!

Per the moderator's instructions, here is my HijackThis log. I ran Spybot S&D on May 14, the most up-to-date version downloaded that day. I also ran Spywareblaster that day, after running Spybot. These were after an advisor ran PestPatrol on May 12, which failed to cure the problem, which returned May 14, just before I downloaded and ran Spybot and Spywareblaster. These programs also failed to cure the problem, which returned May 15, after which I also ran CWShredder on that date (CWS.Smartsearch was found and deactivated). So far the problem hasn't returned, but I am concerned about some suspicious Desktop icons that were installed on May 15 (see original post to this site following log). Thank you for any help you may be able to provide! Here is the log:

Logfile of HijackThis v1.97.7
Scan saved at 9:10:17 PM, on 5/16/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\HPOOPM07.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BACKWEB-8876480.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP PSC 700 SERIES\BIN\HPODEV07.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP PSC 700 SERIES\BIN\HPOEVM07.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP PSC 700 SERIES\BIN\HPOSTS07.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\HPOIPM07.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\WINWORD.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\5ADE41DY\HIJACKTHIS1977[1]\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\SYSTEM\BRIDGE.DLL
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\TWAINTEC.DLL (file missing)
O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\NEM216.DLL
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll (file missing)
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\PROGRAM FILES\LYCOS\IEAGENT\CSIE.DLL (file missing)
O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - C:\PROGRAM FILES\LYCOS\SIDESEARCH\SIDESEARCH1400.DLL (file missing)
O2 - BHO: Url Catcher - {CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1} - C:\PROGRAM FILES\BARGAIN BUDDY\BIN2\APUC.DLL (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\SYSTEM\hpoopm07.exe
O4 - HKLM\..\Run: [DXDllRegExe] C:\WINDOWS\SYSTEM\dxdllreg.exe
O4 - HKLM\..\Run: [CMESys] "C:\PROGRAM FILES\COMMON FILES\CMEII\CMESYS.EXE"
O4 - HKLM\..\Run: [systray] C:\WINDOWS\SYSTEM\A.EXE
O4 - HKLM\..\Run: [Bargains] C:\Program Files\Bargain Buddy\bin2\bargains.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [msbb] c:\windows\temp\msbb.exe
O4 - HKLM\..\Run: [mvyvaz] C:\WINDOWS\mvyvaz.exe
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [ClrSchLoader] \Progra~1\Lycos\IEagent\Loader.exe
O4 - HKLM\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"
O4 - HKLM\..\Run: [WhenUSearch] "C:\Program Files\WhenUSearch\Search.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [WeatherCast] "C:\Program Files\WeatherCast\Weather.exe" /q
O4 - HKCU\..\Run: [ClockSync] "C:\Program Files\ClockSync\Sync.exe" /q
O4 - Startup: HPAiODevice.lnk = C:\Program Files\Hewlett-Packard\hp psc 700 series\bin\hpodev07.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Sidesearch (HKLM)
O9 - Extra button: Dell Home (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.dellnet.com/
O16 - DPF: {2FF18E20-DE11-11D1-8161-00A0C90DD90C} (MSNBC News Menu Control 3.01) - http://www.msnbc.com/download/nr1228.cab
O16 - DPF: Dialpad US Java Applet - http://www.dialpad.com/applet/src/vscp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F554B9AB-E6C9-4FA6-BFE7-B3CB24AD5027} (MSN Money Charting) - http://fdl.msn.com/public/investor/v11/investor.cab
O16 - DPF: {8DF4F477-0EF7-4AD2-A975-FD124B6F98DA} (MSN Money QuickList) - http://fdl.msn.com/public/investor/v11/investor.cab
O16 - DPF: {BCD60B26-5856-4667-B256-4F8E1AADB25E} (MSN Money Screener) - http://fdl.msn.com/public/investor/v11/investor.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38097.4906712963
O16 - DPF: {AA59BA6E-B44F-4514-AB3C-0C1DD2306FC3} (MSN Money Charting) - http://fdl.msn.com/public/investor/v12/invinstl.exe
O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) - http://fdl.msn.com/public/investor/v13/invinstl.exe
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = charter.net
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.168.1.1,65.164.24.162

Original Post:

Hi! This is my first post here, hope I'm doing this correctly. Note, I am computer semi-literate at a low level. What follows directly is the "wind up" explaining the problem. To skip this and go directly to the "pitch", scroll down to the questions in red.

I have just emerged (hopefully) from MS Internet Explorer homepage hijack and popup hell! My "computer guru" supposedly cleaned the trojans from my computer on May 12, but two days later the hijack/popup/lockup problem returned when I used the IE "Search" icon from the toolbar for the first time since the "clean up". My "guru" got huffy when I emailed him that the problem was back, and accused me of continuing to download obviously questionable materials, re-infecting the machine. Not true that I know of, so I went to the web to find a solution (when I could get IE to work, as by clicking on a web link within an email to skip the hijacked home page). I downloaded and ran both Spybot and Spywareblaster on May 14. They both found bad actors apparently missed by (or installed since) the running of my guru's clean-up program (PestPatrol). The computer worked well for about a day, but then relapsed on May 15 when I once again clicked the IE Search icon. When I asked my friends on a financial board for help, one person recognized the problem, and advised that I needed to run CWShredder for the CoolWebSearch trojan, as other spyware programs couldn't erase all of this one. I did this on May 15, and the program did find a CWS trojan, #26 - CWS.Smartsearch. After I removed (blocked?) this CWS trojan, the computer has seemed to run well again, except that it froze up with a black screen just a while ago today (May 16) when I left it idle for an hour or so with Outlook Express and IE running. I also ran the MS updates yesterday (May 15), most of which appeared to address this type of trojan problem. Additionally, I uninstalled Java VM on May 15.

Spybot and Spywareblaster installed one icon each on my desktop, plainly identified, both created on May 14. But there have appeared six other icons, not plainly identified, as follow (all are located on C:\Windows\Desktop, were created on May 15, the day I ran CWShredder). I don't know if they are a part of CWShredder, or were installed by the CWS trojan prior to my running CWShredder.

1. 0021-bdl94126.EXE, size 245 KB (251,829 bytes), size on disk 248 KB (253,952 bytes), created May 15, 2004, 10:05:58 AM.

2. CS4P028.exe, size 79.0 KB (80,896 bytes), size on disk 80.0 KB (81,920 bytes), created May 15, 2004, 10:06:04 AM.

3. infamous_downloader.exe, size 3.50 KB (3,584 bytes), size on disk 8.00 KB (8,192 bytes), created May 15, 2004, 10:05:57 AM.

4. install2.exe, size 94.0 KB (96,256 bytes), size on disk 96.0 KB (98,304 bytes), created May 15, 2004, 10:05:54 AM. Note, this is the only icon that is not default format, it is in the form of three child's blocks, one on top of two others, spelling "MFC".

5. o, size 158 bytes (158 bytes), size on disk 8.00 KB (8,192 bytes), created May 15, 2004, 10:05:25 AM.

6. o.bat, size 222 bytes (222 bytes), size on disk 8.00 KB (8,192 bytes), created May 15, 2004, 10:05:29 AM.

Big Question #1: Are these icons indeed CWShredder related, or are they CoolWebSearch or other trojan artifacts?

Big Question #2: If the latter, how do I remove the files to which they point, and what else should I do?

Big Question #3: When I uninstalled Java VM, it was recommended that I also delete files/folders such as "the \%systemroot%\java folder" (see full list on http://www.winnetmag.com/Article/Ar...8206/38206.html). I cannot locate these files and folders, even using the MS hard drive Search function (right click on Start). What are the full directory addresses?

Thanks in advance for any and all help! (Note, the CWShredder author recommends asking questions on forums rather than to him directly, indicating the response is likely to be quicker.)

 

Hello there,

Lets fix your problems in your computer and the bad entries in HijackThis. After that we can discuss your questions.

First of all, you are running hijackthis out of a temporary directory. Can you please create a folder in My Documents and call it Hijack (or something similar). Then extract hijackthis into the folder you have created and run it from there. The reason for this is that Hijackthis cannot create backup files whilst it is being run from a temporary folder

When you have done this, then make sure all browsers and windows are closed except for hijackthis and put a check against the following and click 'fix checked';

O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\SYSTEM\BRIDGE.DLL
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\TWAINTEC.DLL (file missing)
O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\NEM216.DLL
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll (file missing)
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\PROGRAM FILES\LYCOS\IEAGENT\CSIE.DLL (file missing)
O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - C:\PROGRAM FILES\LYCOS\SIDESEARCH\SIDESEARCH1400.DLL (file missing)
O2 - BHO: Url Catcher - {CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1} - C:\PROGRAM FILES\BARGAIN BUDDY\BIN2\APUC.DLL (file missing)
O4 - HKLM\..\Run: [systray] C:\WINDOWS\SYSTEM\A.EXE
O4 - HKLM\..\Run: [Bargains] C:\Program Files\Bargain Buddy\bin2\bargains.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [msbb] c:\windows\temp\msbb.exe
O4 - HKLM\..\Run: [mvyvaz] C:\WINDOWS\mvyvaz.exe
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [ClrSchLoader] \Progra~1\Lycos\IEagent\Loader.exe
O4 - HKLM\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"
O4 - HKLM\..\Run: [WhenUSearch] "C:\Program Files\WhenUSearch\Search.exe"
O9 - Extra button: Sidesearch (HKLM)

Reboot in

SAFE MODE and

Show Hidden

Files/Folders and delete if found,

C:\WINDOWS\SYSTEM\BRIDGE.DLL
C:\WINDOWS\TWAINTEC.DLL
C:\WINDOWS\2_0_1browserhelper2.dll
C:\WINDOWS\NEM216.DLL
C:\PROGRAM FILES\LYCOS
C:\PROGRAM FILES\BARGAIN BUDDY
C:\WINDOWS\SYSTEM\A.EXE
C:\Program Files\Internet Optimizer
c:\windows\temp\msbb.exe
C:\WINDOWS\mvyvaz.exe
c:\installer\id53.exe
C:\Program Files\Save
C:\Program Files\WhenUSearch

Reboot and then Download Registrar Lite from here:
http://www.resplendence.com/download/reglite.exe

Put it in its own folder. You may want to keep this program. It is an excellent free, registry editor.

Copy and paste the follow text into the address bar, then hit 'Go':
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks

In the pane on the right are the values associated with that key.
We want to remove this one -> _{CFBFAE00-17A6-11D0-99CB-00C04FD64497}
Notice the underscore at the end, all the others with that need to go as well.

Right click on it, and select delete.
If you get a confirmation question, respond OK then close out the program.

Reboot and download Ad-Aware , check for updates and then run complete scan.

Reboot and post a fresh HijackThis log.

Regards

 

Hi again! Having some problems. I ran HijackThis.exe from a new folder in my My Documents folder as you recommended, and fixed the files you indicated. However, my computer apparently won't restart in Safe Mode. When I select Restart and hold down the Ctrl key, I simply get a DOS message on restart of a keyboard error, which is then "fixed", and the computer restarts normally. I tried letting off the Ctrl key "for a few seconds" when the beep occurs coincident with the DOS keyboard error message, as recommended by your help site, but this had no beneficial effect. I went into the My Computer program and under the Tools/Folder Options/View option ensured "Show hidden files and folders" was CHECKED and "Hide protected operating system files" was UNchecked. 2nd edit, sorry, didn't comprehend at first what Windows Explorer is. I found and deleted

C:\WINDOWS\SYSTEM\BRIDGE.DLL
C:\WINDOWS\NEM216.DLL
C:\WINDOWS\SYSTEM\A.EXE
c:\installer\id53.exe

3rd edit (hope we're not leapfrogging replies here!). I forged ahead and downloaded Registrar Lite and deleted _{CFBFAE00-17A6-11D0-99CB-00C04FD64497}. There were no other _{files} identified. I also downloaded and ran Ad-aware, but it ran for 20 minutes and indicated it was less than 5% finished, so I aborted. It identified 203 files out of about 40,000 checked. I guess I need to run this one overnight. I re-ran HijackThis, here is the new log:

Logfile of HijackThis v1.97.7
Scan saved at 8:58:08 AM, on 5/17/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\HPOOPM07.EXE
C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BACKWEB-8876480.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP PSC 700 SERIES\BIN\HPODEV07.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP PSC 700 SERIES\BIN\HPOEVM07.EXE
C:\WINDOWS\SYSTEM\HPOIPM07.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP PSC 700 SERIES\BIN\HPOSTS07.EXE
C:\WINDOWS\EXPLORER.EXE
C:\MY DOCUMENTS\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\SYSTEM\hpoopm07.exe
O4 - HKLM\..\Run: [DXDllRegExe] C:\WINDOWS\SYSTEM\dxdllreg.exe
O4 - HKLM\..\Run: [CMESys] "C:\PROGRAM FILES\COMMON FILES\CMEII\CMESYS.EXE"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [WeatherCast] "C:\Program Files\WeatherCast\Weather.exe" /q
O4 - HKCU\..\Run: [ClockSync] "C:\Program Files\ClockSync\Sync.exe" /q
O4 - Startup: HPAiODevice.lnk = C:\Program Files\Hewlett-Packard\hp psc 700 series\bin\hpodev07.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Dell Home (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.dellnet.com/
O16 - DPF: {2FF18E20-DE11-11D1-8161-00A0C90DD90C} (MSNBC News Menu Control 3.01) - http://www.msnbc.com/download/nr1228.cab
O16 - DPF: Dialpad US Java Applet - http://www.dialpad.com/applet/src/vscp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F554B9AB-E6C9-4FA6-BFE7-B3CB24AD5027} (MSN Money Charting) - http://fdl.msn.com/public/investor/v11/investor.cab
O16 - DPF: {8DF4F477-0EF7-4AD2-A975-FD124B6F98DA} (MSN Money QuickList) - http://fdl.msn.com/public/investor/v11/investor.cab
O16 - DPF: {BCD60B26-5856-4667-B256-4F8E1AADB25E} (MSN Money Screener) - http://fdl.msn.com/public/investor/v11/investor.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38097.4906712963
O16 - DPF: {AA59BA6E-B44F-4514-AB3C-0C1DD2306FC3} (MSN Money Charting) - http://fdl.msn.com/public/investor/v12/invinstl.exe
O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) - http://fdl.msn.com/public/investor/v13/invinstl.exe
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = charter.net
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.168.1.1,65.164.24.162


What now? TIA!!!

 

Hello,

Fix this in HijackThis,
R3 - Default URLSearchHook is missing

and yes run Ad-aware complete scan.

Are you facing any more problems. The log looks ok now.

Regards

 

Hi! As you instructed, I ran HijackThis and fixed "R3 - Default URLSearchHook is missing". I also ran Ad-aware to completeion while out for a while. It identified 203 files. Do I go ahead and "Quarantine" these files, or does the log need to be reviewed and parsed first? Thanks again!

 

Fix whatever Ad-aware finds and then reboot and post a fresh log

Regards

 

Okay, I deleted the files identified by Ad-aware, and rebooted. Here is the new HijackThis log after reboot:

Logfile of HijackThis v1.97.7
Scan saved at 12:19:43 PM, on 5/17/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\HPOOPM07.EXE
C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BACKWEB-8876480.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP PSC 700 SERIES\BIN\HPODEV07.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP PSC 700 SERIES\BIN\HPOEVM07.EXE
C:\WINDOWS\SYSTEM\HPOIPM07.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP PSC 700 SERIES\BIN\HPOSTS07.EXE
C:\MY DOCUMENTS\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\SYSTEM\hpoopm07.exe
O4 - HKLM\..\Run: [DXDllRegExe] C:\WINDOWS\SYSTEM\dxdllreg.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [ClockSync] "C:\Program Files\ClockSync\Sync.exe" /q
O4 - Startup: HPAiODevice.lnk = C:\Program Files\Hewlett-Packard\hp psc 700 series\bin\hpodev07.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Dell Home (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.dellnet.com/
O16 - DPF: {2FF18E20-DE11-11D1-8161-00A0C90DD90C} (MSNBC News Menu Control 3.01) - http://www.msnbc.com/download/nr1228.cab
O16 - DPF: Dialpad US Java Applet - http://www.dialpad.com/applet/src/vscp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F554B9AB-E6C9-4FA6-BFE7-B3CB24AD5027} (MSN Money Charting) - http://fdl.msn.com/public/investor/v11/investor.cab
O16 - DPF: {8DF4F477-0EF7-4AD2-A975-FD124B6F98DA} (MSN Money QuickList) - http://fdl.msn.com/public/investor/v11/investor.cab
O16 - DPF: {BCD60B26-5856-4667-B256-4F8E1AADB25E} (MSN Money Screener) - http://fdl.msn.com/public/investor/v11/investor.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38097.4906712963
O16 - DPF: {AA59BA6E-B44F-4514-AB3C-0C1DD2306FC3} (MSN Money Charting) - http://fdl.msn.com/public/investor/v12/invinstl.exe
O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) - http://fdl.msn.com/public/investor/v13/invinstl.exe
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = charter.net
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.168.1.1,65.164.24.162

Assuming there is no further clean up stemming from this log, I'm still concerned about the desktop shortcut icons and complete Java VM removal as in my original post <copy>:

1. 0021-bdl94126.EXE, size 245 KB (251,829 bytes), size on disk 248 KB (253,952 bytes), created May 15, 2004, 10:05:58 AM.

2. CS4P028.exe, size 79.0 KB (80,896 bytes), size on disk 80.0 KB (81,920 bytes), created May 15, 2004, 10:06:04 AM.

3. infamous_downloader.exe, size 3.50 KB (3,584 bytes), size on disk 8.00 KB (8,192 bytes), created May 15, 2004, 10:05:57 AM.

4. install2.exe, size 94.0 KB (96,256 bytes), size on disk 96.0 KB (98,304 bytes), created May 15, 2004, 10:05:54 AM. Note, this is the only icon that is not default format, it is in the form of three child's blocks, one on top of two others, spelling "MFC".

5. o, size 158 bytes (158 bytes), size on disk 8.00 KB (8,192 bytes), created May 15, 2004, 10:05:25 AM.

6. o.bat, size 222 bytes (222 bytes), size on disk 8.00 KB (8,192 bytes), created May 15, 2004, 10:05:29 AM.

Big Question #1: Are these icons indeed CWShredder related, or are they CoolWebSearch or other trojan artifacts?

Big Question #2: If the latter, how do I remove the files to which they point, and what else should I do?

Big Question #3: When I uninstalled Java VM, it was recommended that I also delete files/folders such as "the \%systemroot%\java folder" (see full list on http://www.winnetmag.com/Article/Ar...8206/38206.html). I cannot locate these files and folders, even using the MS hard drive Search function (right click on Start). What are the full directory addresses?

End <copy>.

Note: #4 above, install2.exe, I think I recognize by the icon ("MFC") as one of the files deleted by one of the erasure programs (I'm losing track of which one has done what ). Since all the other above listed dubious shortcuts were created within a few seconds or minutes of each other, I'm guessing they all point to malware. How do I determine whether the files to which they point have been deleted, or else, do I just go to the address in "Properties" where the indicated root files reside and delete them? Also, where do the Java VM files above reside? Thanks, sorry for all these considerations! This has sure been a trip!

 

Those shortcuts were all put up due to trojans and viruses that were in your machine. You can safely delete the named short-cuts, and that should be ok. The culprits are removed as I can see the log is pretty clean. You having any problems that you were facing before? Regarding Java VM, I think it is uninstalled already. If you want to have Java, you can ofcourse download Sun Java. To prevent yourself from infecting again by these evils, read this article.

Regards

 

The root programs still appeared to be existent on the hard drive (not just the shortcut icon file, but the target programs, mostly in the C:\Windows directory, though there were a couple of duplicates in the C:\Windows\Desktop directory as well). I deleted all of these, plus the Desktop shortcut icon files in C:\Windows\Desktop, and then emptied the Recycle Bin to be sure. The computer seems to be operating much faster now, both in boot up, and, especially, in Internet Explorer. I hope there are no more ticking time bombs lurking about. Thank you for your help. I printed your article, and will next be attempting to clean up my wife's machine (not in as bad a shape as mine). Stand by! Again, thank you for your help!!!

 

One last question, does a review of my computer problems indicate that my login names and passwords for my financial dealings may have been observed? Or, that aside, should I just go ahead and change all my passwords just to be safe? Viel Dank!

 

It is a good habit to change your passwords regularly.
And especially if you suspect a security breach.

Regards,

Pieter

 

Back again. Maybe I've gotten too sensitive, but here goes. One of the things I noticed going awry when the trojan hit was that my Ebay "Search keywords" and "Words to exclude" lists started going wonky. Well, currently, any changes I make to a search string, and any new search string I try, are not being "remembered". Is this possibly indicative of a problem still lurking within?

 

As my last post indicated (no reply), I've still been seeing things in IE that appear wonky, so I re-ran the spyware programs this morning. Here are the results:

1. Spybot: Found following suspiscious items: ValueClick, Doubleclick, AvenueA,Inc, DSOExploit, DyFuCa, GAIN.Gator, WhenU.ClockSync. All deleted.

2. SpywareBlaster: Found 125 new objects. All deleted.

3. RegistrarLite: the following item has re-appeared: _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} (was previously deleted on 5/17/04). Re-deleted.

4. Ad-aware: Found 16 new items, as follow: 7 tracking cookies (bluestreak, tribalfusion, qksrv, z1.adserver, trafficmp, trnpad, realmedia), 8 HKEY_ files (180solutions, (2) jao.jao, CCSID, TYPELIB, IE Main Start Page, IE Explorer Bars, Interface) and C:\\Windows\System\jao.dll. All deleted.

Here is the post-cleanup HijackThis Log:

Logfile of HijackThis v1.97.7
Scan saved at 11:44:26 AM, on 5/20/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\HPOOPM07.EXE
C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BACKWEB-8876480.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP PSC 700 SERIES\BIN\HPODEV07.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP PSC 700 SERIES\BIN\HPOEVM07.EXE
C:\WINDOWS\SYSTEM\HPOIPM07.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP PSC 700 SERIES\BIN\HPOSTS07.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\MY DOCUMENTS\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\SYSTEM\hpoopm07.exe
O4 - HKLM\..\Run: [DXDllRegExe] C:\WINDOWS\SYSTEM\dxdllreg.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - Startup: HPAiODevice.lnk = C:\Program Files\Hewlett-Packard\hp psc 700 series\bin\hpodev07.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Dell Home (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.dellnet.com/
O16 - DPF: {2FF18E20-DE11-11D1-8161-00A0C90DD90C} (MSNBC News Menu Control 3.01) - http://www.msnbc.com/download/nr1228.cab
O16 - DPF: Dialpad US Java Applet - http://www.dialpad.com/applet/src/vscp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F554B9AB-E6C9-4FA6-BFE7-B3CB24AD5027} (MSN Money Charting) - http://fdl.msn.com/public/investor/v11/investor.cab
O16 - DPF: {8DF4F477-0EF7-4AD2-A975-FD124B6F98DA} (MSN Money QuickList) - http://fdl.msn.com/public/investor/v11/investor.cab
O16 - DPF: {BCD60B26-5856-4667-B256-4F8E1AADB25E} (MSN Money Screener) - http://fdl.msn.com/public/investor/v11/investor.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38097.4906712963
O16 - DPF: {AA59BA6E-B44F-4514-AB3C-0C1DD2306FC3} (MSN Money Charting) - http://fdl.msn.com/public/investor/v12/invinstl.exe
O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) - http://fdl.msn.com/public/investor/v13/invinstl.exe
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = charter.net
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.168.1.1,65.164.24.162

In the above log file, I notice that "R3 - Default URLSearchHook is missing" has reappeared (was previously deleted using HijackThis). It appears that some malware is still embeeded in my machine, or is being reintroduced despite the innoculations of Spybot, SpywareBlaster, and CWShredder (CWS last run on 5/17). Is there any light at the end of the tunnel?

 

Despite Snapdragin's assurance,

https://www.wilderssecurity.com/showthread.php?p=180704#post180704

this thread appears to have been abandoned. Should I post a new thread? Thanks for your direction!

 

The *R3 - Default URLSearchHook is missing* does not mean there is any malware present at your system.
Do you have other reasons to assume there is something the programs you mentioned can't remove?

Regards,

Pieter

 

Thanks for getting back to me, Pieter. Yes, the "R3 - Default URLSearchHook is missing" line in the last HijackThis log was only the last of the abnormalities. Here is a repeat of what directly preceded it, all coming after the prior "cleansing", from re-running the various spyware programs:

1. Spybot: Found following suspiscious items: ValueClick, Doubleclick, AvenueA,Inc, DSOExploit, DyFuCa, GAIN.Gator, WhenU.ClockSync. All deleted.

2. SpywareBlaster: Found 125 new objects. All deleted.

3. RegistrarLite: the following item re-appeared: _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} (was previously deleted on 5/17/04). Re-deleted.

4. Ad-aware: Found 16 new items, as follow: 7 tracking cookies (bluestreak, tribalfusion, qksrv, z1.adserver, trafficmp, trnpad, realmedia), 8 HKEY_ files (180solutions, (2) jao.jao, CCSID, TYPELIB, IE Main Start Page, IE Explorer Bars, Interface) and C:\\Windows\System\jao.dll. All deleted.

(Note: CWShredder came up clean.)

Any idea of what may be re-infecting my computer, and why the "innoculations" have failed to resist it? TIA!