please check these logs

Discussion in 'adware, spyware & hijack cleaning' started by chercat, Jun 3, 2004.

Thread Status:
Not open for further replies.
  1. chercat

    chercat Registered Member

    May 20, 2004
    please check this log
    This log looks clean to me , but when I went into CWShredder today , it said that I had a variation of CWS called Smartsearch ( I belive ) that was attemptiing to close the window .
    It said the CWS had not been corrupted and that I had to close all browser windows in order to fix. I am not quite sure what that meant - I had Explorer , AVG and ZOne Alarm running - I am not sure if Explorer means IE or WIndows Explorer although I am assuming IE ? If I click on that , the box to shut down ,restart or cancel comes up. , so I cannot close Explorer or my whole PC shuts .

    When I run CWShredder , it now says clean but I am thinking it was not able to fix because when I run scan only, I get a log that I am unable to copy that says something like teengurus and xxx something among others . I tried DL ing the latest version of Spybot 3.1 first but it says there are no newer updates ( I have 2.1) and when I try to update to the latest on CWShredder , it comes as a zip file in AOL which does not show up in my Downloaded AOL porgrams and I cannto unzip it .
    Please help and I will try to post back and see exactly what the
    scan only says - I will copy by hand .
    I suspect my teenage son might have gone to a porn site ?
    Logfile of HijackThis v1.97.7
    Scan saved at 3:28:19 PM, on 6/3/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int
    ernet Settings,ProxyOverride = localhost
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O9 - Extra button: (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: ComcastHSI (HKCU)
    O9 - Extra button: Help (HKCU)
    O9 - Extra button: Support (HKCU)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .aiff: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O16 - DPF: {A28DAC07-0D34-4A90-A0E6-CEE27208C86D} (CWDL_DownLoadControl Class) -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
    O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) -
    O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) -
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
    O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) -
    O16 - DPF: {B991DA79-51F7-4011-98D2-1F2592E82A56} (ACNPlayer2 Class) -
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) -
    O16 - DPF: {4A752EEF-26FA-4E8F-8FF0-4EB40FE1D33B} (ACNPlayer2 Class) -
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) -
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) -
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -

    CWShredder scan
    Ok, when I scan CWShredder , it says my system is clean but the scan says :

    Hosts file not present
    Found CWS.Control( if file size is over 50K) File C:Windows\control.exe (2112 bytes,A)
    CWS.Oslogo( if value is 2) RegValue: DOmains*
    next line same as above
    CWS.Googlems:2 ( if val is 2) Regvalueomains d.word.4
    CWS.Googlems:4 ( If value is 2) Regvalue Domains* dword.4
    RegValueefaultPrefix (should be http://){http://}
    RegValue Mosaic prefix (Should be http://_{mosaic}http://
    RegValue: Homeprefix( should be http://){home}http://
    FoundWin.ini.file C:Windows\win.ini ( 8540 bytes,A)
    Found line in Win.ini run=
    Found System.ini.file:C\\Windows\system.ini(2073 bytes,A)
    Found line in System.ini shell=explore.exe

    I am running 98SE , AVG , Zone Alarm , as the log tells you .
    I cannot unzip the update that I am getting from the Merjin site for CWShredder - it comes up as an AOL zip file , but is not supported by AOL ( I Have both Comcast and AOL for broadband) so not sure why it comes up this way and it will not show up in the AOL Dl's while will allow it to be unzipped .

    Maybe if I could DL the most current version of Spybot 3.1 this might help? When I went to the site , it gave me different options from sites to DL but not sure which is safest and not a beta version ( from these boards ) .
    ALso, should I uninstall 2.1 before installing the new one ?

    I know this is very long - thanks for reading .
  2. dvk01

    dvk01 Global Moderator

    Oct 9, 2003
    Loughton, Essex. UK
    You are misreading the scan results

    you are clean

    what is says is if you are infected then the dword value would be 2, your value is 4 so you are clean

    You would definitely know if you had a cws hijack because you would be unable to surf without being redirected to porn sites and would have continuous pop ups
    Last edited: Jun 3, 2004
  3. chercat

    chercat Registered Member

    May 20, 2004
    Thanks for your very prompt reply !

    Well, when I tried to run the CwShredder initially, I did get that message that
    a CWS variant , Smartsearch2, I think it said , was trying to close the CWS program and that they had changed the text file to random letters and numbers and that the program had not been corrupted .

    It did tell me to close all programs and my media player before hitting fix .
    When I tried to close Explorer , it shuts my computer down .
    My media player was not running at all when I got this message either .
    I just clicked on FIX without closing anything else since all I had running was AVG , ZoneAlarm and Explorer - could not close the media player - not running ( weird ) . I am still confused as to why if I click on Explorer it shuts my computer down since I don't believe this used to happen ?

    Recently , my WMP was infected and it was healed by AVG . Now the WMP is no longer in my Add /Remove programs list as I was thinking it might be safer to just completely uninstall it . I have version 6.4 and have no interest in updating cuz I heard horror stories about Version 9 .

    IE 6 is up -to - date with all security patches and I have Spywareblaster installed . So I did not think anything could hijack me again .
    Am I correct in thinking that just because Spywareblaster is installed that I am protected ( I have enable all protection checked in quick tools) or do I actually have to open the program each time I use my computer?

    Thanks so much for all your help .
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Apr 27, 2002
    SpywareBlaster does not have to be running to protect you.

    If you do not want to be bothered by WMP anymore I would advise you to install another Media Player and let it take over the file associations.


  5. chercat

    chercat Registered Member

    May 20, 2004
    Hi Pieter

    Thanks for the advice - I talked to two people yesterday at a graduation party whose WMP had been infected with trojans and that no longer showed up in their add/remove programs menu either .

    If i were to install, say Musicmatch jukebox or Realplayer, how would I go about making one my default player and is there a way to manually get rid of the WMP?
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Apr 27, 2002
    If you install any of the other players they will take over the file associations currently "owned" by WMP.

    I would not go through the motions you may find on the web about removing WMP as long as it is not bothering you in any way.


Thread Status:
Not open for further replies.