Hijacked by CWS.GoogleMS3

Discussion in 'adware, spyware & hijack cleaning' started by Spicey25, May 20, 2004.

Thread Status:
Not open for further replies.
  1. Spicey25

    Spicey25 Registered Member

    Joined:
    May 20, 2004
    Posts:
    8
    Location:
    Bronx, NY
    Pest Patrol detected CWS.GoodleMS.3. I have used CWS removal tool, Ad-aware, X-cleaner, Spysubtract and Spy Sweeper. Spybot S&D keeps closing everytime I click on it. Coolwebsearch keeps coming back.

    Here is my Hijack This log:

    Logfile of HijackThis v1.97.7
    Scan saved at 10:24:39 PM, on 5/20/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\LEXBCES.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\LEXPPS.EXE
    C:\WINNT\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    C:\WINNT\GWMDMMSG.exe
    C:\WINNT\System32\hkcmd.exe
    C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\Program Files\Microangelo\muamgr.exe
    C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
    C:\PROGRA~1\PESTPA~1\PPControl.exe
    C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe
    C:\Program Files\interMute\SpySubtract\spysub.exe
    C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
    C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINNT\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
    C:\Program Files\Verizon Online\Verizon Online Control Pad\UIEngines\FlashUIEngine\cpskin.exe
    C:\Program Files\F-Group\Absolute StartUp\ASMon.exe
    C:\hijackthis\hijackthis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://verizon.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\fwhww8qt.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\fwhww8qt.slt\prefs.js)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
    O4 - HKLM\..\Run: [Absolute StartUp monitor] C:\Program Files\F-Group\Absolute StartUp\ASMon.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
    O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [KeyPatrol] c:\PROGRA~1\PESTPA~1\KeyPatrol.exe
    O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"
    O4 - HKLM\..\Run: [LXBRKsk] C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [MOD] C:\Program Files\Microangelo\muamgr.exe
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe
    O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [Qwik-Fix] "C:\Program Files\PivX Qwik-Fix\QwikFix.exe" splash
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - HKCU\..\Run: [Verizon Online Control Pad] "C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe"
    O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\spysub.exe
    O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Control Pad (HKLM)
    O9 - Extra 'Tools' menuitem: Control Pad (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Downloads (HKLM)
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/downl...-a3de-373c3e5552fc/msSecAdv.cab?1080626940750
    O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
    O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
    O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://content.kontiki.com/kdx/v2.11/kontiki/kontiki/current/kdx.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{04696B8C-EBA8-4AE1-8DDB-9080C588DB9A}: NameServer = 151.202.0.84 151.203.0.84
    O17 - HKLM\System\CS1\Services\Tcpip\..\{04696B8C-EBA8-4AE1-8DDB-9080C588DB9A}: NameServer = 151.202.0.84 151.203.0.84
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi Spicey25,

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)

    O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://content.kontiki.com/kdx/v2.11/kontiki/kontiki/current/kdx.cab

    Then reboot.

    Could you post the result-log of PestPatrol if it still finds CWS ?

    Regards,

    Pieter
     
  3. Spicey25

    Spicey25 Registered Member

    Joined:
    May 20, 2004
    Posts:
    8
    Location:
    Bronx, NY
    Thank you so much for helping me.

    After rebooting, I scanned again with Pest Petrol and Spy Sweeper and found nothing. I also scanned with XoftSpy which found CWS.Oslogo in two registry keys in:

    Software\Microsoft\Windows\CurrentVersion\Internet Setting\Zonemap\Domains\msn.com
    Software\Microsoft\Windows\CurrentVersion\Internet Setting\Zonemap\Domains\coolwwwsearch

    I cannot clean with XoftSpy because I’m using a shareware copy.

    In that area of the registry under P3P\History and under Zonemap\Domains, I noticed that there are about 900 or more .coms listed. Should these be there, or were they installed by SpywareBlaster or IE-SPAD which I previously just installed?

    Here is another Hijack This log.

    Logfile of HijackThis v1.97.7
    Scan saved at 1:47:39 AM, on 5/24/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\LEXBCES.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\LEXPPS.EXE
    C:\WINNT\Explorer.EXE
    C:\Program Files\F-Group\Absolute StartUp\ASMon.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    C:\WINNT\GWMDMMSG.exe
    C:\WINNT\System32\hkcmd.exe
    C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe
    C:\Program Files\Lexmark 3100 Series\lxbrbmon.exe
    C:\Program Files\Lexmark 3100 Series\lxbrcmon.exe
    C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\Program Files\Microangelo\muamgr.exe
    C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
    C:\PROGRA~1\PESTPA~1\PPControl.exe
    C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe
    C:\Program Files\interMute\SpySubtract\spysub.exe
    C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
    C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINNT\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
    C:\Program Files\Verizon Online\Verizon Online Control Pad\UIEngines\FlashUIEngine\cpskin.exe
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\Program Files\Microsoft Works\WkDStore.exe
    C:\WINNT\msagent\AgentSvr.exe
    C:\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://verizon.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
    O4 - HKLM\..\Run: [Absolute StartUp monitor] C:\Program Files\F-Group\Absolute StartUp\ASMon.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
    O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [KeyPatrol] C:\PROGRA~1\PESTPA~1\KeyPatrol.exe
    O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"
    O4 - HKLM\..\Run: [LXBRKsk] C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [MOD] C:\Program Files\Microangelo\muamgr.exe
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
    O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [Qwik-Fix] "C:\Program Files\PivX Qwik-Fix\QwikFix.exe" splash
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - HKCU\..\Run: [Verizon Online Control Pad] "C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe"
    O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\spysub.exe
    O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Control Pad (HKLM)
    O9 - Extra 'Tools' menuitem: Control Pad (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Downloads (HKLM)
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/downl...-a3de-373c3e5552fc/msSecAdv.cab?1080626940750
    O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{04696B8C-EBA8-4AE1-8DDB-9080C588DB9A}: NameServer = 151.202.0.84 151.203.0.84
    O17 - HKLM\System\CS1\Services\Tcpip\..\{04696B8C-EBA8-4AE1-8DDB-9080C588DB9A}: NameServer = 151.202.0.84 151.203.0.84
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    You are quite right in your assumption and it also is what I suspected.
    PestPatrol is flagging the entries in your Restricted Zones. Not checking the values in the registry it might look like they are in the Trusted Zone, which would be cause to suspect a CWS infection.

    But you don't have one. Just ignore the PestPatrol alerts on these.

    Regards,

    Pieter
     
  5. Spicey25

    Spicey25 Registered Member

    Joined:
    May 20, 2004
    Posts:
    8
    Location:
    Bronx, NY
    I think the CWS thing is still hanging about on my computer. Spy Sweeper detected it again, see log below. I also scanned and cleaned again with CWShretter, see scan report below. When I logged on today, my Absolute Startup Software detected MSConf Coolwebsearch parasite, see info below.
    I also attached another HijackThis Log. Please help. Do I still have this thing?

    Spy Sweeper Report
    01:04 A|••• Monday, 24 May 2004 09:05 PM •••|
    Updating software definitions
    Your software definitions are up to date.
    09:14 PM Sweeping memory for active software.
    09:14 PM Memory sweep has completed.
    Found: CoolWWW registry trace.
    09:14 PM Registry sweep completed.
    09:14 PM Full sweep on all local drives initiated.
    09:14 PM Now sweeping drive C:
    09:27 PM Full Sweep has completed. Elapsed time 0 hours, 13 minutes, 1 seconds.
    Files swept: 44,408
    Software Located: 1
    Spy Sweeper quarantined registry traces of: CoolWWW
    ____________________________________________________
    CWShredder v1.57.0 scan only report
    Windows XP (5.01.2600 SP1)
    Windows dir: C:\WINNT
    Windows system dir: C:\WINNT\system32
    AppData folder: C:\Documents and Settings\Owner\Application Data
    Username: Owner

    Found Hosts file: C:\WINNT\system32\drivers\etc\hosts (734 bytes, A)
    Shell Registry value: HKLM\..\WinLogon [Shell] Explorer.exe
    UserInit Registry value: HKLM\..\WinLogon [UserInit] C:\WINNT\system32\userinit.exe,
    CWS.Oslogo (if value is 2) Registry value: Domains: *.coolwebsearch.com [*] dword:4
    Registry value: DefaultPrefix (should be http://) [] http://
    Registry value: WWW Prefix (should be http://) [www] http://
    Registry value: Mosaic Prefix (should be http://) [mosaic] http://
    Registry value: Home Prefix (should be http://) [home] http://
    Found Win.ini file: C:\WINNT\win.ini (526 bytes, A)
    Found System.ini file: C:\WINNT\system.ini (227 bytes, A)
    - END OF REPORT -

    _____________________________
    Absolute Startup Report

    MSConfig Virus. CoolWebsearch parasite related. Note-This is not the valid "MSConfig" which can be left over if you don't uncheck the box after rebooting when running in "Selective Startup" mode.
    File Name: WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
    Run

    _________________

    Logfile of HijackThis v1.97.7
    Scan saved at 12:12:18 AM, on 5/26/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINNT\GWMDMMSG.exe
    C:\WINNT\System32\hkcmd.exe
    C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe
    C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\Program Files\Lexmark 3100 Series\lxbrbmon.exe
    C:\Program Files\Microangelo\muamgr.exe
    C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
    C:\PROGRA~1\PESTPA~1\PPControl.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe
    C:\Program Files\Lexmark 3100 Series\lxbrcmon.exe
    C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
    C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINNT\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
    C:\Program Files\Verizon Online\Verizon Online Control Pad\UIEngines\FlashUIEngine\cpskin.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\F-Group\Absolute StartUp\ASMon.exe
    C:\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://verizon.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
    O4 - HKLM\..\Run: [Absolute StartUp monitor] C:\Program Files\F-Group\Absolute StartUp\ASMon.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
    O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [KeyPatrol] C:\PROGRA~1\PESTPA~1\KeyPatrol.exe
    O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"
    O4 - HKLM\..\Run: [LXBRKsk] C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [MOD] C:\Program Files\Microangelo\muamgr.exe
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
    O4 - HKLM\..\Run: [PestPatrolCL] C:\PROGRA~1\PESTPA~1\PestPatrolCL.exe c:\
    O4 - HKLM\..\Run: [Qwik-Fix] "C:\Program Files\PivX Qwik-Fix\QwikFix.exe" splash
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - HKCU\..\Run: [Verizon Online Control Pad] "C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe"
    O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Control Pad (HKLM)
    O9 - Extra 'Tools' menuitem: Control Pad (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Downloads (HKLM)
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/downl...-a3de-373c3e5552fc/msSecAdv.cab?1080626940750
    O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{04696B8C-EBA8-4AE1-8DDB-9080C588DB9A}: NameServer = 151.202.0.84 151.203.0.84
    O17 - HKLM\System\CS1\Services\Tcpip\..\{04696B8C-EBA8-4AE1-8DDB-9080C588DB9A}: NameServer = 151.202.0.84 151.203.0.84
     
Thread Status:
Not open for further replies.