Are these random filenames?

Discussion in 'adware, spyware & hijack cleaning' started by Magicals, May 12, 2004.

Thread Status:
Not open for further replies.
  1. Magicals

    Magicals Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    12
    I ran CWShredder and it gave me two messages about random filenames.

    The first file it found is C:\WINDOWS\asx3test.exe which could be part of CWS.Control.3. It said that CWShredder could not determine if it is a random filename or not.

    The second file it found is C:\WINDOWS\WCUNINST.EXE which could be part of CWS.Control.4. It also said that CWShredder could not determine if it is a random filename or not.

    Does anyone know if these two files are random file names that are part of CWS.Control and if I should have CWShredder delete them or not? Also I'm not sure if my HJT log is completely clean.

    Logfile of HijackThis v1.97.7
    Scan saved at 5:41:48 PM, on 5/12/04
    Platform: Windows 98 Gold (Win9x 4.10.1998 )
    MSIE: Internet Explorer v5.50 SP1 (5.50.4522.1800)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SA3DSRV.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\ATICWD32.EXE
    C:\WINDOWS\SYSTEM\ATITASK.EXE
    C:\COMPAQ\INTERNET\WATCHDOG.EXE
    C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEAUI.EXE
    C:\PROGRAM FILES\HP CD-WRITER\DIRECTCD\DIRECTCD.EXE
    C:\PROGRAM FILES\HP CD-WRITER\MMENU\HPCDTRAY.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\WILDTANGENT\APPS\GAMECHANNEL.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
    C:\PROGRAM FILES\NETSHOW SERVICES\TOOLS\REXPROXY.EXE
    C:\TOOLS_95\IMGICON.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\MSOFFICE.EXE
    C:\PROGRAM FILES\COMPAQ\ON-SCREEN DISPLAY\OSD.EXE
    C:\WINDOWS\WT\UPDATER\WCMDMGR.EXE
    C:\SPYWARE\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=2c98&s=search&i=enu
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=2c98&s=search&i=enu
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=2c98&s=search&i=enu
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=2c98&s=search&query=%s&i=enu
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Essdc] essdc.exe
    O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
    O4 - HKLM\..\Run: [AtiKey] Atitask.exe
    O4 - HKLM\..\Run: [Aureal A3D Interactive Audio Init] A3dInit.exe
    O4 - HKLM\..\Run: [QuickenSEMessage] C:\QUICKENW\QSEMSG.EXE
    O4 - HKLM\..\Run: [BillMinder] C:\QUICKENW\BILLMIND.EXE
    O4 - HKLM\..\Run: [Compaq Internet Setup] C:\Compaq\Internet\InetWizard.exe /RUN
    O4 - HKLM\..\Run: [Watch Dog Program] C:\COMPAQ\INTERNET\WATCHDOG.EXE
    O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe /NORESTART
    O4 - HKLM\..\Run: [CPQEASYACC] C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\Cpqeaui.exe
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\HPCD-W~1\DIRECTCD\DIRECTCD.EXE
    O4 - HKLM\..\Run: [HP CD-Writer] C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
    O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [Aureal A3D Interactive Audio] sa3dsrv.exe
    O4 - HKLM\..\RunOnce: [GrpConv] grpconv.exe -o
    O4 - HKLM\..\RunOnce: [RegTLib] c:\windows\RegTLib.exe c:\windows\SYSTEM\StdOle2.Tlb
    O4 - HKLM\..\RunOnce: [Registering xenroll.dll..] c:\windows\SYSTEM\regsvr32 /s xenroll.dll
    O4 - HKLM\..\RunOnce: [Registering hhctrl.ocx..] c:\windows\SYSTEM\regsvr32 /s hhctrl.ocx
    O4 - HKLM\..\RunOnce: [Registering itircl.dll..] c:\windows\SYSTEM\regsvr32 /s itircl.dll
    O4 - HKLM\..\RunOnce: [Registering itss.dll..] c:\windows\SYSTEM\regsvr32 /s itss.dll
    O4 - HKLM\..\RunOnce: [WMC_0] C:\WINDOWS\SYSTEM\regsvr32.exe /s "C:\WINDOWS\SYSTEM\msdxm.ocx"
    O4 - HKLM\..\RunOnce: [WMC_1] C:\WINDOWS\SYSTEM\regsvr32.exe /s "C:\WINDOWS\SYSTEM\dxmasf.dll"
    O4 - HKLM\..\RunOnce: [SpyBotSnD] "C:\PROGRAM FILES\SPYWARE\SPYBOT - SEARCH & DESTROY\SPYBOTSD.EXE" /autocheck
    O4 - HKLM\..\RunOnce: [Ad-aware] "C:\PROGRAM FILES\SPYWARE\AD-AWARE 6\AD-AWARE.EXE" "+b1"
    O4 - Startup: Iomega Watch.lnk = C:\Tools_95\IOWATCH.EXE
    O4 - Startup: Zip Disk Icons.lnk = C:\Tools_95\IMGICON.EXE
    O4 - Startup: Iomega Startup Options.lnk = C:\Tools_95\IMGSTART.EXE
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Startup: Microsoft Office Shortcut Bar.Lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: NetShow PowerPoint Helper.lnk = C:\Program Files\NetShow Services\Tools\nsppthlp.exe
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38119.5915740741
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = MSHOME
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.168.0.1

    Thank you for your help!
     
  2. Magicals

    Magicals Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    12
  3. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    both files are good and legit

    you have installed something that needs a reboot to finish installing, so please reboot. It looks like some sort of update to IE, and adaware is set to delete some files on a reboot as well

    so do the reboot, then uninstall newdotnet by following the advice here www.newdotnet.com#remove

    then post a new log afterwards to check please, but there is no sign of cws
     
  4. Magicals

    Magicals Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    12
    Hello dvk01,
    Thank you for your help!
    Yes I had updated something and forgot to restart. Anyway I did and let spybot and ad-aware do their thing when I restarted also.

    I uninstalled newdotnet. I could only find the program using procedures 3 and 4. In procedure 3 I found NDNuninstall4_34.exe and NDNuninstall6_22.exe and ran them both.

    After doing that and restarting again I ran HJT for a current log:

    Logfile of HijackThis v1.97.7
    Scan saved at 4:05:32 PM, on 5/13/04
    Platform: Windows 98 Gold (Win9x 4.10.1998 )
    MSIE: Internet Explorer v5.50 SP1 (5.50.4522.1800)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SA3DSRV.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\ATICWD32.EXE
    C:\WINDOWS\SYSTEM\ATITASK.EXE
    C:\COMPAQ\INTERNET\WATCHDOG.EXE
    C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEAUI.EXE
    C:\PROGRAM FILES\HP CD-WRITER\DIRECTCD\DIRECTCD.EXE
    C:\PROGRAM FILES\HP CD-WRITER\MMENU\HPCDTRAY.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\NETSHOW SERVICES\TOOLS\REXPROXY.EXE
    C:\TOOLS_95\IMGICON.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\MSOFFICE.EXE
    C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
    C:\PROGRAM FILES\COMPAQ\ON-SCREEN DISPLAY\OSD.EXE
    C:\SPYWARE\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=2c98&s=search&i=enu
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=2c98&s=search&i=enu
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=2c98&s=search&i=enu
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=2c98&s=search&query=%s&i=enu
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Essdc] essdc.exe
    O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
    O4 - HKLM\..\Run: [AtiKey] Atitask.exe
    O4 - HKLM\..\Run: [Aureal A3D Interactive Audio Init] A3dInit.exe
    O4 - HKLM\..\Run: [QuickenSEMessage] C:\QUICKENW\QSEMSG.EXE
    O4 - HKLM\..\Run: [BillMinder] C:\QUICKENW\BILLMIND.EXE
    O4 - HKLM\..\Run: [Compaq Internet Setup] C:\Compaq\Internet\InetWizard.exe /RUN
    O4 - HKLM\..\Run: [Watch Dog Program] C:\COMPAQ\INTERNET\WATCHDOG.EXE
    O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe /NORESTART
    O4 - HKLM\..\Run: [CPQEASYACC] C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\Cpqeaui.exe
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\HPCD-W~1\DIRECTCD\DIRECTCD.EXE
    O4 - HKLM\..\Run: [HP CD-Writer] C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [Aureal A3D Interactive Audio] sa3dsrv.exe
    O4 - Startup: Iomega Watch.lnk = C:\Tools_95\IOWATCH.EXE
    O4 - Startup: Zip Disk Icons.lnk = C:\Tools_95\IMGICON.EXE
    O4 - Startup: Iomega Startup Options.lnk = C:\Tools_95\IMGSTART.EXE
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Startup: Microsoft Office Shortcut Bar.Lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: NetShow PowerPoint Helper.lnk = C:\Program Files\NetShow Services\Tools\nsppthlp.exe
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38119.5915740741
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = MSHOME
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.168.0.1

    Thanks again dvk01 for helping me.
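
One way to compare the two HijackThis logs in this thread programmatically, as an added example that is not part of the original posts: it parses entry lines, reports which entries disappeared between scans, and lists entries under RunOnce (which Windows runs at the next startup and then removes). The function names are hypothetical, and the two sample logs are short excerpts of lines copied from the logs above.

```python
import re

# A HijackThis entry line looks like "O4 - HKLM\..\Run: [name] command".
ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.+?)\s*$")
O4_REG = re.compile(r"^HKLM\\\.\.\\(\w+): \[(.+?)\] (.*)$")

# Sample input: lines copied from the first (BEFORE) and second (AFTER) log.
BEFORE = r"""
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup
O4 - HKLM\..\RunOnce: [GrpConv] grpconv.exe -o
O4 - HKLM\..\RunOnce: [SpyBotSnD] "C:\PROGRAM FILES\SPYWARE\SPYBOT - SEARCH & DESTROY\SPYBOTSD.EXE" /autocheck
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.168.0.1
"""
AFTER = r"""
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.168.0.1
"""

def parse_entries(log_text):
    """Return the set of (section, detail) pairs in a HijackThis log.
    Header and 'Running processes' lines do not match and are skipped."""
    entries = set()
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.add((m.group(1), m.group(2)))
    return entries

def removed_entries(before, after):
    """Entries present in the earlier scan but absent from the later one."""
    return sorted(parse_entries(before) - parse_entries(after))

def pending_runonce(log_text):
    """Names of O4 entries registered under the RunOnce key."""
    names = []
    for section, detail in sorted(parse_entries(log_text)):
        m = O4_REG.match(detail)
        if section == "O4" and m and m.group(1) == "RunOnce":
            names.append(m.group(2))
    return names

if __name__ == "__main__":
    for section, detail in removed_entries(BEFORE, AFTER):
        print("removed:", section, "-", detail)
    print("RunOnce before reboot:", pending_runonce(BEFORE))
```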
     