CWS bug removal assistance needed

Discussion in 'adware, spyware & hijack cleaning' started by KTNFrank, Jul 19, 2004.

Thread Status:
Not open for further replies.
  1. KTNFrank

    KTNFrank Registered Member

    Joined:
    Jul 19, 2004
    Posts:
    1
    Good Morning. I would appreciate your assistance in cleaning CWS.SearchX spyware from my PC. WinME, Norton anti-virus updates are current.

    My PC was infected 6/18/2004 with the corruption of wmplayer.exe and notepad.exe, and with the "spyware detected" pop-up occassionally being displayed.

    I've followed the "Three Steps" (Ad-aware & Spybot, and HijackThis) that you suggested in another posting on your site. It appears that the virus re-infects the PC during bootup, so I have performed the following steps.

    Steps I've taken to nullify (not remove) CWS are:

    1) boot, and deactivate ZoneAlarm, Norton anti-virus, and all windows applications.
    2) update, configure (with your suggested configurations), and run Ad-aware to identify the CWS items (found 12 items & 6 programs the first time, then only 12 items during a later runM).
    3) update and run Spybot (located WebDialer(registry: HomeOldSP=about:blank))
    4) ran HijackThis and saved the log.
    5) ran Windows Explorer to search for all files changed on 6/18/2004 (the date of the infection).
    6) correlated items in the Windows Explorer search report with the HijackThis log.
    7) changed the extensions (e.g. ".exe to .ex_" ".html to .htm_" etc.) of the correlated items to inhibit their execution (but to retain them in case they are not associated with CWS). Windows would not permit the renaming of GMH.DLL, stating that the file was in use (see 9) below)
    :cool: re-run Adaware and Spybot to research and remove the items previously identified.
    9) used Accessories/MS-DOSPrompt to rename GMH.DLL to GMH.DL_
    10) I have not yet run HijackThis to alter the Registry entries.
    11) re-boot to see what happens.
    12) Well, WinME booted, however:
    a) sp.html has reappeared in windows/temp
    b) AdAware has again identified 12 items (that it had removed prior to the last boot)
    c) SpyBot has again found WebDialer (that it had removed prior to the last boot)
    d) the other items whose file types were manually altered (e.g. .exe to .ex_) had not reappeared.


    Well, it was a valiant try, but it's time to "tap the real Pro's", so I'll post this note onto your site with the hope that you'll be able to give me a hand in purging this bug.


    Thanks

    Frank



    ---------------------------------------------------
    Items whose extensions I changed as noted above to inhibit their execution.

    d3d.dll 0KB
    gmh.dll 30KB (Windows will not permit this file to be renamed)
    kbddole.dll 0KB
    Notepad.exe (corrupted, so I use Wordpad)
    WMPlayer.exe (corrupted)
    sp.html (this seems to be updated every time the PC is booted and it's not one of my .html files)
    java-info.txt (was reported as modified on the date and time of the infection)
    muninst.exe 33KB(I haven't been able to find what this .dll is used for)



    ---------------------------------------------------
    Logfile of HijackThis v1.98.0
    Scan saved at 6:53:35 PM, on 7/18/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\IOMEGA\AUTODISK\ADSERVICE.EXE
    C:\PROGRAM FILES\ZIPMAGIC\ZM32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE
    C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE
    C:\PROGRAM FILES\DELL\ACCESSDIRECT\DADAPP.EXE
    C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    C:\WINDOWS\DOCKAPP.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\PROGRAM FILES\IOMEGA\DRIVEICONS\IMGICON.EXE
    C:\PROGRAM FILES\IOMEGA\AUTODISK\ADUSERMON.EXE
    C:\PROGRAM FILES\PC DIAG\FREEMEM\FREEMEM.EXE
    C:\PROGRAM FILES\VITALSIGNS\NETMEDIC2003_12_28\VITALSIGNS\NET.MEDIC\PROGRAM\SYSHOOK.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\DOWNLOADS\HIGHJACKTHIS\HIJACKTHIS.ZIP\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: Bugnosis - {3A6514CD-A457-11D4-8AF3-000102686B79} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
    O2 - BHO: (no name) - {2328CB5D-366C-4F29-AA0E-16D0F4CC52D5} - C:\WINDOWS\SYSTEM\GMH.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\PROGRAM FILES\CANON\EASY-WEBPRINT\TOOLBAND.DLL
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [CPortPatch] C:\WINDOWS\Quick Install\CPPatch.exe
    O4 - HKLM\..\Run: [DadApp] C:\Program Files\DELL\AccessDirect\dadapp.exe
    O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [BayMgr] DockApp.exe
    O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
    O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
    O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe
    O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [ZipMagic] C:\Program Files\ZipMagic\zm32.exe
    O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [ATIPOLAB] ati2evxx.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [ADService] C:\Program Files\Iomega\AutoDisk\ADService.exe
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKLM\..\RunServices: [ZipMagic] C:\Program Files\ZipMagic\zm32.exe
    O4 - HKCU\..\Run: [FreeMem Pro] "C:\PROGRAM FILES\PC DIAG\FREEMEM\FREEMEM.EXE" Startup
    O4 - Startup: Resolution Assistant.lnk = C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\matcli.exe
    O4 - Startup: syshook.lnk = C:\Program Files\VitalSigns\NetMedic2003_12_28\VitalSigns\Net.Medic\Program\syshook.exe
    O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
    O8 - Extra context menu item: QuickDefine - C:\Program Files\Common Files\Microsoft Shared\Reference Titles\eddefine.htm
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_Print.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_AddToList.html
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
    O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
    O9 - Extra button: Bugnosis - {630CB4FA-AA9E-4bf2-BBD1-81C239203E2F} - (no file)
    O9 - Extra button: Dell Home - {EE117DAA-A30B-40FC-945C-38AE1B80C1FA} - http://www.dellnet.com (file missing) (HKCU)
    O14 - IERESET.INF: START_PAGE_URL=http://www.dellnet.com
    O16 - DPF: {776706AE-CACA-4EA3-93DF-BB83D9259DA9} (MailConfigure Class) - http://supportservices.msn.com/us/oeconfig/MailCfg.cab
    O16 - DPF: {94349FB6-37A0-4385-BADA-1B48DE3CA833} (ChrtCtl Class) - http://fdl.msn.com/public/investor/v9.5/investor.cab
    O16 - DPF: {AECD14A8-F662-11D1-A395-00805F535788} (Plotwon Control) - http://www.investors.com/member/ibdcharts/ocx/plotwon.ocx
    O16 - DPF: {F554B9AB-E6C9-4FA6-BFE7-B3CB24AD5027} (MSN Money Charting) - http://fdl.msn.com/public/investor/v10/investor.cab
    O16 - DPF: {86CEEAFA-AE5C-11D4-A4C8-00A0C9E79206} (ActiveXDemo Control) - http://www.finjan.com/mcrc/ActiveXDemo.cab
    O18 - Filter: text/html - {284F7843-F274-4440-A534-5E67F7066194} - C:\WINDOWS\SYSTEM\GMH.DLL
    O18 - Filter: text/plain - {284F7843-F274-4440-A534-5E67F7066194} - C:\WINDOWS\SYSTEM\GMH.DLL
    O21 - SSODL: AUHook - {BCBCD383-3E06-11D3-91A9-00C04F68105C} - C:\WINDOWS\SYSTEM\AUHOOK.DLL
     
Thread Status:
Not open for further replies.