CoolWWW and CWS-AboutBlank problem (merged)

Discussion in 'adware, spyware & hijack cleaning' started by xxxmain, Jun 21, 2004.

Thread Status:
Not open for further replies.
  1. xxxmain

    xxxmain Registered Member

    Joined:
    Jun 21, 2004
    Posts:
    18
    CoolWWW and CWS-AboutBlank problem

    Hey everyone, thanks for offering this great service, amazing job.

    I seem to have acquired CoolWWW and CWS-AboutBlank. I think this is what I have since that is what Ad-aware 6.0 and Webroot SpySweeper keep coming up with. I've run these two programs over and over and after deleting all of the junk something is re-generating it. It causes my opening page to redirect to msn.com or some other page that is listed as about:blank but isn't of course. I also get popups advertising a site that sells spyware programs I think. My internet connection is also extremely slow.

    I've run CWShredder and removed whatever it came up with but that seems to re-generate as well. I've also deleted all of my temporary internet files and done a cleanup of my C drive. I just ran HiJack This and below is my log:

    -------------------------

    Logfile of HijackThis v1.97.7
    Scan saved at 4:40:14 PM, on 6/21/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\csrss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\Ati2evxx.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton Internet Security\NISUM.EXE
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINNT\system32\stisvc.exe
    C:\Program Files\Norton Internet Security\SymProxySvc.exe
    C:\WINNT\system32\WFXSVC.EXE
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Norton Internet Security\NISSERV.EXE
    C:\WINNT\system32\Ati2evxx.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\SymTray.exe
    C:\WINNT\system32\wfxsnt40.exe
    C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
    C:\Program Files\Norton Internet Security\IAMAPP.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
    C:\Program Files\Nikon\NkView4\NkVwMon.exe
    C:\Program Files\Norton Internet Security\ATRACK.EXE
    C:\Documents and Settings\Jeff\My Documents\downloads\hijack this\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Jeff\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
    O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
    O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
    O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
    O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Controller.LNK = C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: NkVwMon.exe.lnk = C:\Program Files\Nikon\NkView4\NkVwMon.exe
    O9 - Extra button: ICQ Lite (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37964.0204398148
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  2. xxxmain

    xxxmain Registered Member

    Joined:
    Jun 21, 2004
    Posts:
    18
    Re: CoolWWW and CWS-AboutBlank problem

    Sorry about the bump but I'm onto page 2 already. Any help would be great.

    Thanks
     
  3. xxxmain

    xxxmain Registered Member

    Joined:
    Jun 21, 2004
    Posts:
    18
    New HiJack Log for Review

    I ran adaware and Spysweeper, rebooted, and then ran Hijack This. Below is the log. Thanks for the help.


    Logfile of HijackThis v1.97.7
    Scan saved at 1:40:42 PM, on 6/22/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\csrss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\Ati2evxx.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton Internet Security\NISUM.EXE
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINNT\system32\stisvc.exe
    C:\Program Files\Norton Internet Security\SymProxySvc.exe
    C:\WINNT\system32\WFXSVC.EXE
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Norton Internet Security\NISSERV.EXE
    C:\WINNT\system32\Ati2evxx.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\SymTray.exe
    C:\WINNT\system32\wfxsnt40.exe
    C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
    C:\Program Files\Norton Internet Security\IAMAPP.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
    C:\Program Files\Nikon\NkView4\NkVwMon.exe
    C:\Program Files\Norton Internet Security\ATRACK.EXE
    C:\Documents and Settings\Jeff\My Documents\downloads\hijack this\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Jeff\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Jeff\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Jeff\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Jeff\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Jeff\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Jeff\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {9985220F-C0F5-4CEE-A6AE-E2681D576E82} - C:\WINNT\system32\gcah.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
    O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
    O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
    O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
    O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Controller.LNK = C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: NkVwMon.exe.lnk = C:\Program Files\Nikon\NkView4\NkVwMon.exe
    O9 - Extra button: ICQ Lite (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37964.0204398148
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  4. xxxmain

    xxxmain Registered Member

    Joined:
    Jun 21, 2004
    Posts:
    18
    Re: New HiJack Log for Review

    Hey guys, am I doing something wrong on the forum? Maybe I'm not following the rules and I just don't know it. I've posted two of these messages and no one replies. Any help would be great or just tell me what I'm doing wrong and I'll re-post.

    Thanks
     
  5. xxxmain

    xxxmain Registered Member

    Joined:
    Jun 21, 2004
    Posts:
    18
    Re: New HiJack Log for Review

    Can I pay someone to help me? I'd really like to get my computer fixed, it is slowing my business down.
     
  6. xxxmain

    xxxmain Registered Member

    Joined:
    Jun 21, 2004
    Posts:
    18
    I find it difficult to believe that over 70 people can review this thread and no one has anything to say about it but the guy that originally posted. It would have been nice to get some sort of a reply, even if it said "you're screwed, it can't be fixed" or "that is simple, do this", or "this is too much work, you're on your own".

    Anyways, sorry to have wasted your time. I guess I'll just backup and reformat my hard drive and start from scratch.

    I was overly impressed with this forum when I first visited it but I guess I was wrong.

    Thanks again.
     
  7. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi xxxmain,

    Please understand that the type of CWS infection you have is not an easy one to fix and only a few can actually post the completed instructions for it.

    There are many many logs here to be viewed, and that takes time and research, and we are all volunteers with families and jobs that also need our attention (not to mention we need sleep too).

    You can attempt the fix yourself if you feel confident enough, and go as far as you can, then post a new log back here to be checked by one of the Experts.

    Here is the link:
    Scroll down to post #27
    Another about:blank variant: https://www.wilderssecurity.com/showthread.php?t=28658&page=2

    Regards,

    snap
     
  8. xxxmain

    xxxmain Registered Member

    Joined:
    Jun 21, 2004
    Posts:
    18
    Hey snap, thanks, I appreciate that. I know everyone is a volunteer and I don't expect everyone to stop everything they are doing to help me but NO ONE made any post stating that it was difficult to fix and it will take time. As far as I knew, no one was interested in helping. Again, I don't expect everyone to drop everything and put all energy towards me, just offer some sort of communication.

    I can and will pay for any help with this. It isn't a money issue at all. I think the services on this forum are amazing. I just keep seeing people posting after me getting some sort of a reaction and no one speaking with me.

    I'm more confused about this forum than anything. I even made a post asking if I was doing everything correctly but you are still the first person to post..... after I had given up.

    Thanks for the post.
     
  9. xxxmain

    xxxmain Registered Member

    Joined:
    Jun 21, 2004
    Posts:
    18
    I did what was said in post #27, rebooted, ran adaware, and then ran HiJack This again. Below is the log. The problem still exists.

    Logfile of HijackThis v1.97.7
    Scan saved at 10:46:53 PM, on 6/23/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\csrss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\Ati2evxx.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton Internet Security\NISUM.EXE
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINNT\system32\stisvc.exe
    C:\Program Files\Norton Internet Security\SymProxySvc.exe
    C:\WINNT\system32\WFXSVC.EXE
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Norton Internet Security\NISSERV.EXE
    C:\WINNT\system32\Ati2evxx.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\SymTray.exe
    C:\WINNT\Mixer.exe
    C:\WINNT\system32\wfxsnt40.exe
    C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
    C:\Program Files\Norton Internet Security\IAMAPP.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
    C:\Program Files\Nikon\NkView4\NkVwMon.exe
    C:\Program Files\Norton Internet Security\ATRACK.EXE
    C:\Documents and Settings\Jeff\My Documents\downloads\hijack this\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Jeff\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Jeff\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {5BCC5E0F-982A-4EBF-981D-49D73BDF1C31} - C:\WINNT\system32\gcah.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
    O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
    O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
    O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
    O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Controller.LNK = C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: NkVwMon.exe.lnk = C:\Program Files\Nikon\NkView4\NkVwMon.exe
    O9 - Extra button: ICQ Lite (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37964.0204398148
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
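The logs above show the hijack re-creating itself: the search-bar, search-page and SearchAssistant entries all point at sp.html in the user's Temp directory, and the nameless BHO gcah.dll in System32 comes back under a different CLSID between the 6/22 and 6/23 logs. As an added example (not a tool anyone in this thread used), here is a small Python checker for exactly those indicators in HijackThis 1.97 log text; the heuristics are our own, and the sample lines are copied from the logs above.

```python
"""Check HijackThis 1.97 log text for the about:blank / CWS indicators seen in
this thread.  Added example; the heuristics are ours, not HijackThis's or
FINDnFIX's.  Sample lines are copied from the logs posted above."""
import re
from typing import Dict, List, Tuple

# Constructed sample: a subset of the 6/22 log above (benign lines included
# so the checker has something it must *not* flag).
LOG_A = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Jeff\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Jeff\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {9985220F-C0F5-4CEE-A6AE-E2681D576E82} - C:\WINNT\system32\gcah.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
"""

# Constructed sample: the same entries from the 6/23 log, after the fix attempt.
LOG_B = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5BCC5E0F-982A-4EBF-981D-49D73BDF1C31} - C:\WINNT\system32\gcah.dll
"""

# R0/R1 lines: "R1 - <registry key>,<value name> = <data>"
R_ENTRY = re.compile(r"^(?P<kind>R[01]) - (?P<key>.+?) = (?P<value>.*)$")
# O2 lines: "O2 - BHO: <name> - {<CLSID>} - <dll path>"
BHO_ENTRY = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$")

Finding = Tuple[str, str]  # (severity, reason)


def parse_bhos(log: str) -> List[Tuple[str, str, str]]:
    """Return (name, clsid, path) for every O2 line in the log."""
    bhos = []
    for line in log.splitlines():
        m = BHO_ENTRY.match(line.strip())
        if m:
            bhos.append((m["name"], m["clsid"].upper(), m["path"]))
    return bhos


def flag_entries(log: str) -> List[Finding]:
    """Return findings in log order for the indicators seen in this thread."""
    findings: List[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        m = R_ENTRY.match(line)
        if m:
            data = m["value"].lower()
            # Search bar / search page / search assistant redirected to a local
            # HTML file dropped in the user's Temp directory (sp.html here).
            if data.startswith("file://") and "\\temp\\" in data:
                findings.append(("high", m["kind"] + " " + m["key"]
                                 + " -> local file in Temp: " + m["value"]))
            # HomeOldSP is where the hijacker parks the start page it replaced.
            elif m["key"].lower().endswith("homeoldsp") and data == "about:blank":
                findings.append(("medium", "HomeOldSP = about:blank"))
            continue
        if line.startswith("R3 - ") and line.endswith("is missing"):
            findings.append(("low", "default URLSearchHook removed"))
            continue
        m = BHO_ENTRY.match(line)
        # A BHO with no registered name is common for legitimate software too
        # (Acrobat above), so only flag the combination: nameless AND loading
        # straight out of System32, which is where gcah.dll sits.
        if m and m["name"] == "(no name)" and "\\system32\\" in m["path"].lower():
            findings.append(("high", "nameless BHO in System32: " + m["path"]
                             + " {" + m["clsid"] + "}"))
    return findings


def changed_clsids(log_a: str, log_b: str) -> Dict[str, Tuple[str, str]]:
    """Map DLL path -> (old CLSID, new CLSID) for BHOs that came back under a
    fresh CLSID between two scans, the re-registration behaviour seen here."""
    before = {path.lower(): clsid for _, clsid, path in parse_bhos(log_a)}
    changed: Dict[str, Tuple[str, str]] = {}
    for _, clsid, path in parse_bhos(log_b):
        old = before.get(path.lower())
        if old is not None and old != clsid:
            changed[path] = (old, clsid)
    return changed


if __name__ == "__main__":
    for severity, reason in flag_entries(LOG_A):
        print(f"[{severity:6}] {reason}")
    for path, (old, new) in changed_clsids(LOG_A, LOG_B).items():
        print(f"[rereg ] {path}: {old} -> {new}")
```

Fixing the R1/O2 lines in HijackThis only rewrites the registry; as the later posts show, the DLL that is still loaded in explorer.exe re-creates them, which is why the CLSID comparison between scans is the more useful signal.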
  10. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi xxxmain,

    I do understand. :)

    This particular CWS infection is a bit more beyond my area of knowledge, so I will not attempt to walk you through it. I'll leave a note for one of our Experts and ask them if they can take a look at the new log you've posted.

    Regards,

    snap
     
  11. xxxmain

    xxxmain Registered Member

    Joined:
    Jun 21, 2004
    Posts:
    18
    Thanks a lot snap, I really appreciate your help.
     
  12. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
  13. xxxmain

    xxxmain Registered Member

    Joined:
    Jun 21, 2004
    Posts:
    18
    Thanks illukka, but to be honest with you I don't know enough about this stuff to use that without specific instructions. That would be great if some of the experts will be around eventually. I'm actually not in a huge rush, I can wait, just as long as they can find time for me at some point :)

    Thanks for the help everyone, I am feeling much more confident about this now that I'm hearing from others.
     
  14. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    It's very simple to use: unzip the download, double-click the application, click Start Disinfection. Your machine will reboot and that's it. Post a fresh log once you've run it, to see if it did the trick.
     
  15. xxxmain

    xxxmain Registered Member

    Joined:
    Jun 21, 2004
    Posts:
    18
    Alright, so I ran that application and this is what the log said:

    6/24/2004 2:46:55 AM SPhjFix started v1.07
    6/24/2004 2:46:55 AM Stealth-String not found -> Programm terminated
    6/24/2004 2:47:24 AM SPhjFix started v1.07
    6/24/2004 2:47:24 AM Stealth-String not found -> Programm terminated
    6/24/2004 2:52:49 AM SPhjFix started v1.07
    6/24/2004 2:52:49 AM Stealth-String not found -> Programm terminated

    I restarted the computer and ran HiJack This again. Here is the log:

    Logfile of HijackThis v1.97.7
    Scan saved at 2:53:47 AM, on 6/24/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\csrss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\Ati2evxx.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton Internet Security\NISUM.EXE
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINNT\system32\stisvc.exe
    C:\Program Files\Norton Internet Security\SymProxySvc.exe
    C:\WINNT\system32\WFXSVC.EXE
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Norton Internet Security\NISSERV.EXE
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\Ati2evxx.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\SymTray.exe
    C:\WINNT\Mixer.exe
    C:\WINNT\system32\wfxsnt40.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
    C:\Program Files\Norton Internet Security\IAMAPP.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
    C:\Program Files\Norton Internet Security\ATRACK.EXE
    C:\WINNT\system32\NOTEPAD.EXE
    C:\Documents and Settings\Jeff\My Documents\downloads\hijack this\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Jeff\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Jeff\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Jeff\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Jeff\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Jeff\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Jeff\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {5BCC5E0F-982A-4EBF-981D-49D73BDF1C31} - C:\WINNT\system32\gcah.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
    O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
    O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
    O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Controller.LNK = C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37964.0204398148
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  16. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
  17. xxxmain

    xxxmain Registered Member

    Joined:
    Jun 21, 2004
    Posts:
    18
    Hey Pieter, I don't see anything called "Beta-fix.exe" at that link. Could it be at another link?

    Thanks
     
  18. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi xxxmain,

    It looks like Free@Last has updated the Beta-Fix.exe with FINDnFIX.exe (2K/XP only!)

    I just tried it myself, nice. :)

    Go to the link Pieter provided and download the "FINDnFIX.exe" file, then double-click the FINDnFIX.exe file to extract the files. It will create a folder called FINDnFIX in the C drive.

    Navigate to the FINDnFIX folder and you'll see a file called !LOG!.bat. Run the !LOG!.bat file to generate a report (it may take a minute before it is finished). A text document should open up with the scan report. Copy & paste that report here in your next post for Pieter to analyse.

    Regards,

    snap
     
  19. xxxmain

    xxxmain Registered Member

    Joined:
    Jun 21, 2004
    Posts:
    18
    Excellent, thanks Snap and Pieter. Below is the log file FINDnFIX generated.

    Microsoft Windows 2000 [Version 5.00.2195]
    The type of the file system is NTFS.
    C: is not dirty.

    Thu 06/24/2004
    12:49am up 0 days, 10:00
    »»»»»»»»»»»»»»»»»»***Attention!***»»»»»»»»»»»»»»»»
    Files listed in this section (in System32) are not always definitive!
    Always Double Check and be sure the file pointed doesn't exist!

    »»Locked or 'Suspect' file(s) found...


    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    »»»Special 'locked' files scan in 'System32'........
    **File C:\FINDnFIX\LIST.TXT

    ****Filtering files in System32... (-h -s -r...) ***
    »»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

    No matches found.

    No matches found.

    Sniffing..........
    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    »»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

    »»Size of Windows key:
    (*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

    Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

    »»Security settings for 'Windows' key:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    (NI) ALLOW Read BUILTIN\Users
    (IO) ALLOW Read BUILTIN\Users
    (NI) ALLOW Read BUILTIN\Power Users
    (IO) ALLOW Read BUILTIN\Power Users
    (NI) ALLOW Full access BUILTIN\Administrators
    (IO) ALLOW Full access BUILTIN\Administrators
    (NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (NI) ALLOW Full access BUILTIN\Administrators
    (IO) ALLOW Full access CREATOR OWNER

    Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    Read BUILTIN\Users
    Read BUILTIN\Power Users
    Full access BUILTIN\Administrators
    Full access NT AUTHORITY\SYSTEM


    »»Member of...: (Admin logon required!)
    User is a member of group XXXMAIN01\None.
    User is a member of group \Everyone.
    User is a member of group BUILTIN\Administrators.
    User is a member of group BUILTIN\Users.
    User is a member of group NT AUTHORITY\INTERACTIVE.
    User is a member of group NT AUTHORITY\Authenticated Users.
    User is a member of group \LOCAL.

    »»Dir 'junkxxx' was created with the following permissions...
    (FAT32=NA)
    Directory "C:\junkxxx"
    Permissions:
    Type Flags Inh. Mask Gen. Std. File Group or User
    ======= ======== ==== ======== ==== ==== ==== ================
    Allow 00000003 tco- 001F01FF ---- DSPO rw+x \Everyone

    Owner: BUILTIN\Administrators

    Primary Group: XXXMAIN01\None



    »»»»»»Backups created...»»»»»»
    12:50am up 0 days, 10:01
    Thu 06/24/2004

    A C:\FINDnFIX\winBackup.hiv
    --a-- - - - - - 8,192 06-24-2004 winbackup.hiv
    A C:\FINDnFIX\keys1\winkey.reg
    --a-- - - - - - 287 06-24-2004 winkey.reg

    »»Performing 16bit string scan....

    ---------- WIN.TXT
    AppInit_DLLs0
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""
    "DeviceNotSelectedTimeout"="15"
    "GDIProcessHandleQuota"=dword:00002710
    "Spooler"="yes"
    "swapdisk"=""
    "TransmissionRetryTimeout"="90"
    "USERProcessHandleQuota"=dword:00002710

    Windows
    AppInit
    DLLs0
    DeviceNotSelectedTimeout
    GDIProcessHandleQuota
    Spooler
    swapdisk
    TransmissionRetryTimeout
    USERProcessHandleQuota0

    **File C:\FINDnFIX\WIN.TXT
            àÿÿÿÐ ø @ p * À  Øÿÿÿvk  €   , AppInit_DLLs0 0 Ðÿÿÿvk  (   0 DeviceNotSelectedTimeoutèÿÿÿ1 5  `å °å èå Ðÿÿÿvk  €'   9 GDIProcessHandleQuota 5 àÿÿÿvk     5 Spooler ðÿÿÿy e s 7 4 àÿÿÿvk  €   swapdiskÐÿÿÿvk  ð   6 TransmissionRetryTimeoutðÿÿÿ9 0  `è Ðÿÿÿvk  €'   0 USERProcessHandleQuota0 Ð ÿÿÿÿ
    
     
  20. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    That looks to be all clear o_O

    xxxmain,

    Did you find C:\WINNT\system32\gcah.dll
    among the DLL's loaded in explorer.exe when you used APM?

    Regards,

    Pieter
     
  21. xxxmain

    xxxmain Registered Member

    Joined:
    Jun 21, 2004
    Posts:
    18
    Yes, I did. I fixed it along with all of the other R1 lines stated in that other post in HijackThis, and then I ran APM, selected explorer.exe in the upper window, unloaded gcah.dll in the lower window and followed the prompts. When I restarted and ran Ad-aware I think everything was back to the problem again.

    I'll try running through that process again and post the HiJack This log again.

    Thanks
     
  22. xxxmain

    xxxmain Registered Member

    Joined:
    Jun 21, 2004
    Posts:
    18
    Wow, this is driving me crazy, which is I guess what it is supposed to do. I re-ran HJT and fixed the R1 about:blank thing and the O2 BHO gcah.dll thing. I ran APM and gcah.dll wasn't there. I restarted the computer and ran HJT again and fixed everything and the gcah.dll AGAIN and ran APM, and this time the gcah.dll was there; I right-clicked on it and followed the prompts. I then restarted again and ran Ad-aware, which found nothing (this hasn't happened in a while); however, when I opened up my browser... BAM, same problem still existed.

    I have both adaware and Spysweeper on my computer and I have the Auto Monitor thing on all the time so they are both popping up constantly telling me there are problems. I keep blocking the problems. Could this be some of my issues? Should I uninstall the Spysweeper for now and turn off the auto monitor for Adaware?

    I just ran HJT and FINDnFIX again, below are the logs:

    Microsoft Windows 2000 [Version 5.00.2195]
    The type of the file system is NTFS.
    C: is not dirty.

    Thu 06/24/2004
    3:22pm up 0 days, 0:07
    »»»»»»»»»»»»»»»»»»***Attention!***»»»»»»»»»»»»»»»»
    Files listed in this section (in System32) are not always definitive!
    Always Double Check and be sure the file pointed doesn't exist!

    »»Locked or 'Suspect' file(s) found...


    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    »»»Special 'locked' files scan in 'System32'........
    **File C:\FINDnFIX\LIST.TXT

    ****Filtering files in System32... (-h -s -r...) ***
    »»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

    No matches found.

    No matches found.

    Sniffing..........
    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    »»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

    »»Size of Windows key:
    (*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

    Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

    »»Security settings for 'Windows' key:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    (NI) ALLOW Read BUILTIN\Users
    (IO) ALLOW Read BUILTIN\Users
    (NI) ALLOW Read BUILTIN\Power Users
    (IO) ALLOW Read BUILTIN\Power Users
    (NI) ALLOW Full access BUILTIN\Administrators
    (IO) ALLOW Full access BUILTIN\Administrators
    (NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (NI) ALLOW Full access BUILTIN\Administrators
    (IO) ALLOW Full access CREATOR OWNER

    Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    Read BUILTIN\Users
    Read BUILTIN\Power Users
    Full access BUILTIN\Administrators
    Full access NT AUTHORITY\SYSTEM


    »»Member of...: (Admin logon required!)
    User is a member of group XXXMAIN01\None.
    User is a member of group \Everyone.
    User is a member of group BUILTIN\Administrators.
    User is a member of group BUILTIN\Users.
    User is a member of group NT AUTHORITY\INTERACTIVE.
    User is a member of group NT AUTHORITY\Authenticated Users.
    User is a member of group \LOCAL.

    »»Dir 'junkxxx' was created with the following permissions...
    (FAT32=NA)
    Directory "C:\junkxxx"
    Permissions:
    Type Flags Inh. Mask Gen. Std. File Group or User
    ======= ======== ==== ======== ==== ==== ==== ================
    Allow 00000003 tco- 001F01FF ---- DSPO rw+x \Everyone

    Owner: BUILTIN\Administrators

    Primary Group: XXXMAIN01\None



    »»»»»»Backups created...»»»»»»
    3:23pm up 0 days, 0:08
    Thu 06/24/2004

    A C:\FINDnFIX\winBackup.hiv
    --a-- - - - - - 8,192 06-24-2004 winbackup.hiv
    A C:\FINDnFIX\keys1\winkey.reg
    --a-- - - - - - 287 06-24-2004 winkey.reg

    »»Performing 16bit string scan....

    ---------- WIN.TXT
    AppInit_DLLs0
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""
    "DeviceNotSelectedTimeout"="15"
    "GDIProcessHandleQuota"=dword:00002710
    "Spooler"="yes"
    "swapdisk"=""
    "TransmissionRetryTimeout"="90"
    "USERProcessHandleQuota"=dword:00002710

    Windows
    AppInit
    DLLs0
    DeviceNotSelectedTimeout
    GDIProcessHandleQuota
    Spooler
    swapdisk
    TransmissionRetryTimeout
    USERProcessHandleQuota0

    **File C:\FINDnFIX\WIN.TXT
            àÿÿÿÐ ø @ p * À  Øÿÿÿvk  €   , AppInit_DLLs0 0 Ðÿÿÿvk  (   0 DeviceNotSelectedTimeoutèÿÿÿ1 5  `å °å èå Ðÿÿÿvk  €'   9 GDIProcessHandleQuota 5 àÿÿÿvk     5 Spooler ðÿÿÿy e s 7 4 àÿÿÿvk  €   swapdiskÐÿÿÿvk  ð   6 TransmissionRetryTimeoutðÿÿÿ9 0  `è Ðÿÿÿvk  €'   0 USERProcessHandleQuota0 Ð ÿÿÿÿ
    

    ------------------------------


    Logfile of HijackThis v1.97.7
    Scan saved at 3:20:53 PM, on 6/24/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\csrss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\Ati2evxx.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton Internet Security\NISUM.EXE
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINNT\system32\stisvc.exe
    C:\Program Files\Norton Internet Security\SymProxySvc.exe
    C:\WINNT\system32\WFXSVC.EXE
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Norton Internet Security\NISSERV.EXE
    C:\WINNT\system32\Ati2evxx.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\SymTray.exe
    C:\WINNT\Mixer.exe
    C:\WINNT\system32\wfxsnt40.exe
    C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
    C:\Program Files\Norton Internet Security\IAMAPP.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
    C:\Program Files\Norton Internet Security\ATRACK.EXE
    C:\Documents and Settings\Jeff\My Documents\downloads\hijack this\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Jeff\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Jeff\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Jeff\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Jeff\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Jeff\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Jeff\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {4448DF57-026B-4BD8-A58B-EED474F99DD1} - C:\WINNT\system32\gcah.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
    O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
    O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
    O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Controller.LNK = C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37964.0204398148
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
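
The hand triage applied to the log above (R0/R1 values pointing at a local sp.html, a nameless BHO loading from System32, the missing URLSearchHook, and FINDnFIX's check that AppInit_DLLs is empty) written out as an added Python example. This is not part of the thread, HijackThis or FINDnFIX; the sample lines are copied from the log posted above, and the heuristics for what counts as suspicious are assumptions made for this example, not rules from either tool.

```python
import re

# Sample input, constructed for this example: a handful of lines copied from
# the HijackThis log in the post above, plus the AppInit_DLLs export FINDnFIX
# produced. Trimmed to the line types the triage looks at.
SAMPLE_HJT = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Jeff\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Jeff\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4448DF57-026B-4BD8-A58B-EED474F99DD1} - C:\WINNT\system32\gcah.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
"""

SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"Spooler"="yes"
"""

# "R0/R1 - <hive\key>,<value name> = <data>" or a bare R3 message such as
# "Default URLSearchHook is missing".
R_LINE = re.compile(r"^R[0-3] - (?:(?P<key>[^,]+),(?P<name>[^=]+?) = (?P<val>.*)|(?P<msg>.*))$")
# "O2 - BHO: <name> - {CLSID} - <dll path>"
O2_LINE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")


def is_local_file_target(value):
    """IE search/start settings should be http(s) URLs or about:blank; a
    file:// URL or a bare drive path (the sp.html pattern) is the hijack."""
    v = value.strip().lower()
    return v.startswith("file://") or re.match(r"^[a-z]:\\", v) is not None


def triage_hjt(log):
    """Return [(line, reason)] for HJT lines matching the about:blank
    hijack indicators used in this thread. Heuristics are assumptions."""
    findings = []
    for line in log.splitlines():
        m = R_LINE.match(line)
        if m:
            if m.group("msg") is not None:
                if "missing" in m.group("msg"):
                    findings.append((line, "URLSearchHook missing (hijacker removed it)"))
            elif is_local_file_target(m.group("val")):
                findings.append((line, "IE search/start value points at a local file"))
            continue
        m = O2_LINE.match(line)
        if m:
            # Assumption: a BHO with no registered name whose DLL sits directly
            # in System32 is far more likely to be the hijacker than a vendor
            # helper under Program Files.
            if m.group("name") == "(no name)" and "\\system32\\" in m.group("path").lower():
                findings.append((line, "anonymous BHO loading from System32"))
    return findings


def appinit_dlls(reg_export):
    """Return the AppInit_DLLs string from a REGEDIT4 export of the
    'Windows' key (empty string is the clean state), or None if absent."""
    m = re.search(r'^"AppInit_DLLs"="(.*)"$', reg_export, re.M)
    return m.group(1) if m else None


if __name__ == "__main__":
    for line, reason in triage_hjt(SAMPLE_HJT):
        print(f"[{reason}] {line}")
    print("AppInit_DLLs =", repr(appinit_dlls(SAMPLE_REG)))
```

Run against the posted log it flags the two file:// search values, the missing URLSearchHook and the gcah.dll BHO, leaves the Acrobat and Norton helpers alone, and does not flag HomeOldSP = about:blank, which is the value the user actually wants. An empty AppInit_DLLs (together with the key size of 450 FINDnFIX reports as Default) is why the FINDnFIX output above reads as clean.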
     
  23. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    I have a distinct feeling you are not only blocking the problems, but also the solutions we are offering.

    Disable SpywareGuard's browser protection and SpySweeper's resident guard.
    Then retry the fixes, as you must know them by heart by now.

    Then reboot and let us know what happens.
    When you do turn the guards back on, read very carefully what the old and new values are. Then decide whether that is something you want or not. There is no rush, it will wait.

    Regards,

    Pieter
     
  24. xxxmain

    xxxmain Registered Member

    Joined:
    Jun 21, 2004
    Posts:
    18
    Wow Pieter, I think we are closer than ever now. I did everything you mentioned. I had to do it a few times but it seems like we are clean now.

    I restarted a bunch of times in between but here is where I'm at as of the last restart:

    1. I ran HJT and don't see any weird stuff (no gcah.dll)
    2. I scanned with Adaware and it found nothing
    3. I opened Internet Explorer and msn.com/bunch of crap was my homepage
    4. I changed it to about:Blank (this is actually what I want it to be)
    5. I rescanned with Ad-aware and it finds:
    - Tracking cookie and
    - Possible Browser HiJack attempt to:
    - HKEY_CURRENT_USER:Software\Microsoft\Internet Explorer\Main "Start Page" ("about:blank")

    I did not fix these things. I'm thinking that maybe I made the registry alteration when I changed the home page and Adaware may have thought that a Hijacker did it. Is this a fair assumption? I'm thinking that if I fix the Possible Browser Attack it will just make my homepage msn.com/blah blah blah again.

    Anyway, like I said, everything seems to be working now but I just want to make sure I'm on the right track.

    Thanks
     
  25. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Yes. AdAware has about:blank on the list of suspicious sites, hence the warning.

    I think you have it covered now.

    Good job,

    Pieter

    PS Sorry about all the typos in my previous post. I must have been watching TV when I wrote that. LOL
     