CWS and HJT problems

Discussion in 'adware, spyware & hijack cleaning' started by thymekiller, Feb 28, 2004.

Thread Status:
Not open for further replies.
  1. thymekiller

    thymekiller Registered Member

    Joined:
    Feb 28, 2004
    Posts:
    12
    Location:
    Aransas Pass, Tx
    I am working on a machine running Windows 98. I ran Spy-bot, and Ad-Aware as part of my maintenance routine. Both scans came up clean. I assumed that Spywareblaster was doing its job, and I decided to update it. (BTW, Spy-bot and Ad-Aware were both updated before the scans). When I tried to open Spywareblaster, I got an illegal operation message. After several tries, I figured the file was corrupted, so I uninstalled it, and reinstalled it from a fresh download. Still got the same message. I was concerned, so I decided to run CWShredder. When I tried to open that program, I got this message:

    You have a variant of the Coolwebsearch trojan (CWS.Smartsearch..2) that has attempted to close CWShredder. To counter this, CWShredder is now starting with a random string of text in the title bar. CWShredder is still functioning fine, it has not been corrupted.

    If you feel you should not be getting this error and you are not infected, restart CWshredder, and this warning should not appear again.

    When I closed that box, I got the illegal operation box again. So then I decided to create a HJT log, but when I tried to open that program, it too performed an illegal operation. What is going on here? Anyone got any suggestions?? I ran a virus scan today, and didn't find anything either. Hope someone can help!!!!
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Sounds like CWShredder did not kill Smartsearch.

    Please try this:
    Download, unzip and run: http://www.safer-networking.org/files/delcwssk.zip

    If it works run CWShredder again. Make sure you have the latest version (1.51.0) and use the Fix button. Then follow the instructions the program will give you.

    Looking forward to your HijackThis log,

    Pieter
     
  3. thymekiller

    thymekiller Registered Member

    Joined:
    Feb 28, 2004
    Posts:
    12
    Location:
    Aransas Pass, Tx
    I downloaded and ran the file you referred me to. When it was finished, I received this message:

    "CoolWWWSearch.SmartKiller (v.1/v.2) has not been found on your system."

    So then I tried to run CWS - same thing. I received the illegal operation message. So then I tried uninstalling CWS, and downloading the latest version, since I can't update. I got it installed, but when I try to open it, I get the illegal operation again. Same with HJT, so I won't be posting a log this time. Spywareblaster is doing the same thing as well. I feel like my defenses are down with all this disabled. Any more suggestions?? I sure do appreciate the assistance!!!
    thymekiller
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Can you download and run this file: http://download.microsoft.com/download/vb60pro/Redist/sp5/WIN98Me/EN-US/vbrun60sp5.exe

    Then try again.

    Regards,

    Pieter
     
  5. thymekiller

    thymekiller Registered Member

    Joined:
    Feb 28, 2004
    Posts:
    12
    Location:
    Aransas Pass, Tx
    Well that made it so I could access all those programs!! Now, here is my HJT log:

    Logfile of HijackThis v1.97.7
    Scan saved at 4:50:29 PM, on 2/28/04
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\PROGRAM FILES\EXECUTIVE SOFTWARE\DISKEEPERLITE\DKSERVICE.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\ALADDIN SYSTEMS\STUFFIT 7.5\STUFFIT.EXE
    C:\PROGRAM FILES\ALADDIN SYSTEMS\STUFFIT 7.5\STUFFIT.EXE
    C:\PROGRAM FILES\ALADDIN SYSTEMS\STUFFIT 7.5\STUFFIT.EXE
    C:\WINDOWS\PROFILES\RICK000\MY DOCUMENTS\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/default.armx
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.cableone.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by CableONE.net
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
    F1 - win.ini: run=hpfsched
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [WinPatrol] C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKLM\..\RunServices: [DkService] C:\Program Files\Executive Software\DiskeeperLite\DkService.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
    O9 - Extra button: All (HKLM)
    O9 - Extra 'Tools' menuitem: Close ALL IEx's (HKLM)
    O9 - Extra button: Others (HKLM)
    O9 - Extra 'Tools' menuitem: Close OTHER IEx's (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://www.cableone.net
    O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://www29.compaq.com/falco/SysQuery.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38019.4810648148
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {CCA6CE4C-2199-4A4F-9542-12E0163D6841} (Dialer Class) - http://sessa.isprime.com:81/tel2net/CABEDialer.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

    I finally got CWS to run, and my machine came up clean. I was able also to download updates for Spywareblaster. I appreciate the timely help. If you see anything else in my log that needs to go, please let me know. I want a clean machine!!!
     
  6. dave38

    dave38 Spyware Expert

    Joined:
    Feb 26, 2004
    Posts:
    377
    You got it! Nothing evil in your log.
     
  7. thymekiller

    thymekiller Registered Member

    Joined:
    Feb 28, 2004
    Posts:
    12
    Location:
    Aransas Pass, Tx
    Thanks so much for all the assistance. You all are great!!!
     
  8. thymekiller

    thymekiller Registered Member

    Joined:
    Feb 28, 2004
    Posts:
    12
    Location:
    Aransas Pass, Tx
    Oh, one more thing... there appears to be a dialer in my HJT log. Should I remove it?? I tried to go to the website on my computer, but unless I install the dialer, I am denied access. I suspect my husband has been places he shouldn't have been - is it ok if I remove it?
     
  9. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi thymekiller,

    You mean this one: O16 - DPF: {CCA6CE4C-2199-4A4F-9542-12E0163D6841} (Dialer Class) - http://sessa.isprime.com:81/tel2net/CABEDialer.cab ?

    You can fix it, but if hubby decides he needs it, it will be back in a flash. ;)

    Regards,

    Pieter
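
The O16 (Downloaded Program Files) entry singled out above can be picked out of a HijackThis log mechanically. The following is an added example, not part of any post in this thread and not HijackThis's own logic: it parses O16 lines and flags entries for review using two assumed heuristics (the word "dialer" in the class or file name, and an explicit non-default port). The function names are hypothetical, and the sample lines are copied from the log posted earlier in the thread.

```python
import re
from urllib.parse import urlsplit

# Lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {CCA6CE4C-2199-4A4F-9542-12E0163D6841} (Dialer Class) - http://sessa.isprime.com:81/tel2net/CABEDialer.cab
"""

# O16 lines are either "{CLSID} (Class name) - URL" or "Bare name - URL".
O16_RE = re.compile(
    r"^O16 - DPF: "
    r"(?:(?P<clsid>\{[0-9A-Fa-f-]{36}\}) \((?P<name>.*)\)|(?P<bare>.+?))"
    r" - (?P<url>\S+)$"
)

def parse_dpf(line):
    """Return the fields of one O16 line, or None for any other line."""
    m = O16_RE.match(line.strip())
    if not m:
        return None
    url = urlsplit(m.group("url"))
    return {
        "clsid": m.group("clsid"),
        "name": m.group("name") or m.group("bare"),
        "host": url.hostname,
        "port": url.port,  # None when the URL has no explicit port
        "file": url.path.rsplit("/", 1)[-1],
    }

def review_reasons(entry):
    """Assumed triage heuristics for illustration; tune for real use."""
    reasons = []
    if "dialer" in (entry["name"] + " " + entry["file"]).lower():
        reasons.append("dialer in class or file name")
    if entry["port"] not in (None, 80, 443):
        reasons.append("non-default port %d" % entry["port"])
    return reasons

def triage(log_text):
    """Return (clsid, host, reasons) for every O16 entry worth a look."""
    parsed = (parse_dpf(line) for line in log_text.splitlines())
    return [(e["clsid"], e["host"], review_reasons(e))
            for e in parsed if e and review_reasons(e)]

if __name__ == "__main__":
    for clsid, host, reasons in triage(SAMPLE_LOG):
        print(clsid, host, "; ".join(reasons))
```

A flagged entry is a prompt for a human to look at it, as happened in this thread, not a verdict that it is malicious.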
     
  10. thymekiller

    thymekiller Registered Member

    Joined:
    Feb 28, 2004
    Posts:
    12
    Location:
    Aransas Pass, Tx
    Thanks... I don't think he needs it, and I am hoping to convince him that he doesn't need it either. Anyway, it's going to go, and I will just have to keep a close eye on his computer. I appreciate all your help.
     