HijackThis-Log - Problem with CoolWWWSearch.CameUp

Discussion in 'adware, spyware & hijack cleaning' started by dlb51, Apr 22, 2004.

Thread Status:
Not open for further replies.
  1. dlb51

    dlb51 Registered Member

    Joined:
    Apr 22, 2004
    Posts:
    6
    Hi there,

    This is my first visit here and already I am asking for your help.

    It all started yesterday without any particular reason. My start page was altered to www.searchmeup.com/search.php?aid=1057. At first I was unable to change the setting since the option was blocked in IE. Before coming here I tried everything I knew, such as virus scans, spyware removers, hijack removers, registry scans, etc. I even tried to alter the registry myself, but everything I changed was gone after I restarted the computer or opened IE.

    I have followed the steps described in this forum. I used AdAware and then HijackThis as advised (all with the latest versions). This is the log I received:

    Logfile of HijackThis v1.97.7
    Scan saved at 11:12:04, on 22.04.04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAMME\AVPERSONAL\AVGCTRL.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAMME\SIBER SYSTEMS\AI ROBOFORM\ROBOTASKBARICON.EXE
    C:\WINDOWS\RUNWIN32.EXE
    C:\PROGRAMME\REGISTRY CLEAN EXPERT\RCSCHEDULER.EXE
    C:\PROGRAMME\MICROSOFT OFFICE\OFFICE\OSA.EXE
    C:\PROGRAMME\INTERNETSHARE\ALL_ABOARD\STSWIN.EXE
    C:\WINDOWS\WININET32.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    F:\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchmeup.com/search.php?aid=1057
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchmeup.com/search.php?aid=1057
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchmeup.com/search.php?aid=1057
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchmeup.com/search.php?aid=1057
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchmeup.com/search.php?aid=1057
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchmeup.com/search.php?aid=1057
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchmeup.com/search.php?aid=1057
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchmeup.com/search.php?aid=1057
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchmeup.com/search.php?aid=1057
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    O1 - Hosts: 192.2.8.1 pc01
    O2 - BHO: (no name) - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\PROGRAMME\DAP\DAPIEBAR.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMME\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\PROGRAMME\DAP\DAPBHO.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Programme\Siber Systems\AI RoboForm\RoboForm.dll
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Programme\Siber Systems\AI RoboForm\RoboForm.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\PROGRAMME\DAP\DAPIEBAR.DLL
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRAMME\AVPERSONAL\AVGCTRL.EXE /min
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [SpyHunter] C:\PROGRAMME\SPYHUNTER\SPYHUNTER.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKCU\..\Run: [RoboForm] "C:\Programme\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
    O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
    O4 - HKCU\..\Run: [wininet32] C:\WINDOWS\wininet32.exe
    O4 - HKCU\..\Run: [RegClean Expert Scheduler] "C:\Programme\Registry Clean Expert\RCScheduler.exe" /startup
    O4 - Startup: Office-Start.lnk = C:\Programme\Microsoft Office\Office\OSA.EXE
    O4 - Startup: Microsoft-Indexerstellung.lnk = C:\Programme\Microsoft Office\Office\FINDFAST.EXE
    O4 - Startup: All_Aboard Status.lnk = C:\Programme\InterNetShare\All_Aboard\stswin.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: Zur Filterliste hinzufügen (WebWasher) - http://-Web.Washer-/ie_add
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
    O8 - Extra context menu item: Ausfüllen &] - file://C:\Programme\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O8 - Extra context menu item: Formulare speichern &[ - file://C:\Programme\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O8 - Extra context menu item: Anpassen - file://C:\Programme\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Info Frog (HKLM)
    O9 - Extra 'Tools' menuitem: Info Frog (HKLM)
    O9 - Extra button: Run DAP (HKLM)
    O9 - Extra button: Web Inspector (HKLM)
    O9 - Extra 'Tools' menuitem: Web Inspector (HKLM)
    O9 - Extra button: RoboForm (HKLM)
    O9 - Extra 'Tools' menuitem: RoboForm Symbolleiste &2 (HKLM)
    O9 - Extra button: Ausfüllen (HKLM)
    O9 - Extra 'Tools' menuitem: Ausfüllen &] (HKLM)
    O9 - Extra button: Speichern (HKLM)
    O9 - Extra 'Tools' menuitem: Formulare speichern &[ (HKLM)
    O9 - Extra button: PicGrab (HKCU)
    O9 - Extra 'Tools' menuitem: &PicGrab starten (HKCU)
    O9 - Extra button: LinkDesktop (HKCU)
    O9 - Extra 'Tools' menuitem: &LinkDesktop starten (HKCU)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37887.9974305556
    O16 - DPF: {03177121-226B-11D4-B0BE-005004AD3039} (UploaderCtrl Class) - http://www.clubphoto.com/_img/uploader/atl_uploader.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.2.8.5,192.2.8.100,192.2.8.2

    I hope you can help me although parts of the log are in German.

    Thanks in advance,

    Maurice
     
  2. Nick

    Nick Registered Member

    Joined:
    May 14, 2002
    Posts:
    187
    Location:
    California
    Hello

    You have a variant of the CoolWebSearch trojan.

    Please download CWShredder from http://www.spywareinfoforum.com/downloads/tools/CWShredder.exe and run the program. Press the "Fix" button and let it fix all variants. Next, close the program and post a fresh HijackThis log.

    Also, HijackThis makes backups when it fixes items. You may want to create a folder to put HijackThis into, or there may be backup files scattered across your F drive or partition.

    Click My Computer, then F:\
    In the menu bar, File->New->Folder.
    That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis". Now you have F:\HJT\ folder. Put your HijackThis.exe there, and double click to run it.
     
  3. dlb51

    dlb51 Registered Member

    Joined:
    Apr 22, 2004
    Posts:
    6
    Hi Nick,

    Thanks for your fast reply.

    Regarding the F: disk, that is OK. I only use it for testing, so there is practically nothing on it. But thanks anyhow.

    I installed and ran CWShredder, yet it didn't do much. It only restored 9 infected Internet Explorer pages.

    Well here is the new logfile:

    Logfile of HijackThis v1.97.7
    Scan saved at 11:59:55, on 22.04.04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAMME\AVPERSONAL\AVGCTRL.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAMME\SIBER SYSTEMS\AI ROBOFORM\ROBOTASKBARICON.EXE
    C:\WINDOWS\RUNWIN32.EXE
    C:\WINDOWS\WININET32.EXE
    C:\PROGRAMME\REGISTRY CLEAN EXPERT\RCSCHEDULER.EXE
    C:\PROGRAMME\MICROSOFT OFFICE\OFFICE\OSA.EXE
    C:\PROGRAMME\INTERNETSHARE\ALL_ABOARD\STSWIN.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    F:\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    O1 - Hosts: 192.2.8.1 pc01
    O2 - BHO: (no name) - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\PROGRAMME\DAP\DAPIEBAR.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMME\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\PROGRAMME\DAP\DAPBHO.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Programme\Siber Systems\AI RoboForm\RoboForm.dll
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Programme\Siber Systems\AI RoboForm\RoboForm.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\PROGRAMME\DAP\DAPIEBAR.DLL
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRAMME\AVPERSONAL\AVGCTRL.EXE /min
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [SpyHunter] C:\PROGRAMME\SPYHUNTER\SPYHUNTER.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKCU\..\Run: [RoboForm] "C:\Programme\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
    O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
    O4 - HKCU\..\Run: [wininet32] C:\WINDOWS\wininet32.exe
    O4 - HKCU\..\Run: [RegClean Expert Scheduler] "C:\Programme\Registry Clean Expert\RCScheduler.exe" /startup
    O4 - Startup: Office-Start.lnk = C:\Programme\Microsoft Office\Office\OSA.EXE
    O4 - Startup: Microsoft-Indexerstellung.lnk = C:\Programme\Microsoft Office\Office\FINDFAST.EXE
    O4 - Startup: All_Aboard Status.lnk = C:\Programme\InterNetShare\All_Aboard\stswin.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: Zur Filterliste hinzufügen (WebWasher) - http://-Web.Washer-/ie_add
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
    O8 - Extra context menu item: Ausfüllen &] - file://C:\Programme\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O8 - Extra context menu item: Formulare speichern &[ - file://C:\Programme\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O8 - Extra context menu item: Anpassen - file://C:\Programme\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Info Frog (HKLM)
    O9 - Extra 'Tools' menuitem: Info Frog (HKLM)
    O9 - Extra button: Run DAP (HKLM)
    O9 - Extra button: Web Inspector (HKLM)
    O9 - Extra 'Tools' menuitem: Web Inspector (HKLM)
    O9 - Extra button: RoboForm (HKLM)
    O9 - Extra 'Tools' menuitem: RoboForm Symbolleiste &2 (HKLM)
    O9 - Extra button: Ausfüllen (HKLM)
    O9 - Extra 'Tools' menuitem: Ausfüllen &] (HKLM)
    O9 - Extra button: Speichern (HKLM)
    O9 - Extra 'Tools' menuitem: Formulare speichern &[ (HKLM)
    O9 - Extra button: PicGrab (HKCU)
    O9 - Extra 'Tools' menuitem: &PicGrab starten (HKCU)
    O9 - Extra button: LinkDesktop (HKCU)
    O9 - Extra 'Tools' menuitem: &LinkDesktop starten (HKCU)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37887.9974305556
    O16 - DPF: {03177121-226B-11D4-B0BE-005004AD3039} (UploaderCtrl Class) - http://www.clubphoto.com/_img/uploader/atl_uploader.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.2.8.5,192.2.8.100,192.2.8.2

    Thanks once more,

    Maurice
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi dlb51,

    I sent you a PM with my email address.
    Could you please mail me a copy of:
    C:\WINDOWS\wininet32.exe

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:
    O4 - HKLM\..\Run: [SpyHunter] C:\PROGRAMME\SPYHUNTER\SPYHUNTER.exe

    O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
    O4 - HKCU\..\Run: [wininet32] C:\WINDOWS\wininet32.exe

    Then reboot and read:
    http://securityresponse.symantec.com/avcenter/venc/data/pwsteal.allight.html for additional removal instructions.

    Be careful with SpyHunter. It is known for its many false positives.

    Regards,

    Pieter
     
  5. dlb51

    dlb51 Registered Member

    Joined:
    Apr 22, 2004
    Posts:
    6
    Hi Pieter,

    I installed SpyHunter today as a last call for help. ;)

    I will uninstall it right away.

    The thing Nick suggested worked partially. As soon as I try to open any of the following pages, CWS is back and my start page is changed again:

    www.hotmail.com
    www.google.com
    www.google.de
    www.vivisimo.com

    At least, those are the ones I tried. Some other pages opened, but with some difficulties: I needed to open the pages twice to get them on my screen. But after that they work without any problems.

    I will email you the requested file and run HijackThis as indicated by you.

    Thanks,

    Maurice
     
  6. dlb51

    dlb51 Registered Member

    Joined:
    Apr 22, 2004
    Posts:
    6
    And another new log:

    Logfile of HijackThis v1.97.7
    Scan saved at 12:31:34, on 22.04.04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAMME\AVPERSONAL\AVGCTRL.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAMME\SIBER SYSTEMS\AI ROBOFORM\ROBOTASKBARICON.EXE
    C:\PROGRAMME\REGISTRY CLEAN EXPERT\RCSCHEDULER.EXE
    C:\PROGRAMME\MICROSOFT OFFICE\OFFICE\OSA.EXE
    C:\PROGRAMME\INTERNETSHARE\ALL_ABOARD\STSWIN.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    F:\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    O1 - Hosts: 192.2.8.1 pc01
    O2 - BHO: (no name) - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\PROGRAMME\DAP\DAPIEBAR.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMME\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\PROGRAMME\DAP\DAPBHO.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Programme\Siber Systems\AI RoboForm\RoboForm.dll
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Programme\Siber Systems\AI RoboForm\RoboForm.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\PROGRAMME\DAP\DAPIEBAR.DLL
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRAMME\AVPERSONAL\AVGCTRL.EXE /min
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKCU\..\Run: [RoboForm] "C:\Programme\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
    O4 - HKCU\..\Run: [RegClean Expert Scheduler] "C:\Programme\Registry Clean Expert\RCScheduler.exe" /startup
    O4 - Startup: Office-Start.lnk = C:\Programme\Microsoft Office\Office\OSA.EXE
    O4 - Startup: Microsoft-Indexerstellung.lnk = C:\Programme\Microsoft Office\Office\FINDFAST.EXE
    O4 - Startup: All_Aboard Status.lnk = C:\Programme\InterNetShare\All_Aboard\stswin.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: Zur Filterliste hinzufügen (WebWasher) - http://-Web.Washer-/ie_add
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
    O8 - Extra context menu item: Ausfüllen &] - file://C:\Programme\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O8 - Extra context menu item: Formulare speichern &[ - file://C:\Programme\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O8 - Extra context menu item: Anpassen - file://C:\Programme\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Info Frog (HKLM)
    O9 - Extra 'Tools' menuitem: Info Frog (HKLM)
    O9 - Extra button: Run DAP (HKLM)
    O9 - Extra button: Web Inspector (HKLM)
    O9 - Extra 'Tools' menuitem: Web Inspector (HKLM)
    O9 - Extra button: RoboForm (HKLM)
    O9 - Extra 'Tools' menuitem: RoboForm Symbolleiste &2 (HKLM)
    O9 - Extra button: Ausfüllen (HKLM)
    O9 - Extra 'Tools' menuitem: Ausfüllen &] (HKLM)
    O9 - Extra button: Speichern (HKLM)
    O9 - Extra 'Tools' menuitem: Formulare speichern &[ (HKLM)
    O9 - Extra button: PicGrab (HKCU)
    O9 - Extra 'Tools' menuitem: &PicGrab starten (HKCU)
    O9 - Extra button: LinkDesktop (HKCU)
    O9 - Extra 'Tools' menuitem: &LinkDesktop starten (HKCU)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37887.9974305556
    O16 - DPF: {03177121-226B-11D4-B0BE-005004AD3039} (UploaderCtrl Class) - http://www.clubphoto.com/_img/uploader/atl_uploader.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.2.8.5,192.2.8.100,192.2.8.2


    Pieter I haven't received your Email yet. Please check the address again:
    dlb51(=>)gmx.de

    Replace the "(=>)" by "@".

    You might be on the right track regarding the "wininet32.exe" file. It is dated 21.04.04, the day my troubles started!

    Thanks,

    Maurice
     
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi Maurice,

    Your log is clean now. Check your Private Messages. The link is at the top right corner of this site.

    Regards,

    Pieter
     
  8. dlb51

    dlb51 Registered Member

    Joined:
    Apr 22, 2004
    Posts:
    6
    Hi Pieter,

    Ah, OK, that is where I was to look. As I said, I am new to this.
    The file will be emailed in a second.

    Thanks for the help. I will check the other computer to see whether there are still problems.

    Best regards,

    Maurice
     
  9. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Fix this one as well:
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
    and then open IE / Tools / Options / Connections, click on your connection and untick "Use a proxy server".
    This beastie is using a local proxy to divert you, and once you have deleted the files it won't let you connect.


    Pieter, I've got copies of these files from another post and Gavin's had them; that's how we found out about the local proxy:
    https://www.wilderssecurity.com/showthread.php?t=28750
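As an added illustration (not code from this thread, from HijackThis or from CWShredder), a small Python script that scans HijackThis-style lines for the indicators the helpers pointed out: the ProxyServer on the loopback address, IE settings pointing at searchmeup.com, the per-user Run entries launching runwin32.exe and wininet32.exe straight from C:\WINDOWS, and the O6 restriction policy. The sample lines are constructed from the ones in this thread; the hijacker host list and the Windows-root heuristic are this example's own assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample modelled on the log lines discussed in this thread
# (not the poster's full log).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchmeup.com/search.php?aid=1057
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKCU\..\Run: [RoboForm] "C:\Programme\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
O4 - HKCU\..\Run: [wininet32] C:\WINDOWS\wininet32.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
"""

HIJACKER_HOSTS = {"searchmeup.com"}  # host named in this thread; assume a maintained list in practice
WINDOWS_ROOT = r"c:\windows"         # assumed install path, as in the poster's log
LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\Run(?:Services)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

def _exe_path(cmd):
    # Executable part of a Run-key command, without surrounding quotes or arguments.
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ", 1)[0]

def _host(url):
    host = urlsplit(url).hostname or ""
    return host[4:] if host.startswith("www.") else host

def check_line(line):
    """Return a reason string if the line matches one of the thread's indicators, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    if kind in ("R0", "R1") and " = " in body:
        key, value = body.rsplit(" = ", 1)
        setting = key.rsplit(",", 1)[-1]
        if setting == "ProxyServer":
            # dvk01's point: a proxy on the loopback address means a local process is diverting IE.
            if value.split(":")[0] in ("127.0.0.1", "localhost"):
                return "IE routed through a local proxy on " + value
        elif _host(value) in HIJACKER_HOSTS:
            return setting + " hijacked to " + _host(value)
    elif kind == "O4":
        r = RUN_RE.match(body)
        if r:
            folder, _, name = _exe_path(r.group("cmd")).rpartition("\\")
            # Heuristic of this example: per-user Run entries launching straight from the
            # Windows root are unusual; runwin32.exe and wininet32.exe also mimic system names.
            if r.group("hive") == "HKCU" and folder.lower() == WINDOWS_ROOT:
                return "per-user Run entry launching " + name + " from the Windows root"
    elif kind == "O6" and "Restrictions present" in body:
        return "IE restriction policy set (why the start page option was greyed out)"
    return None

def analyze(log_text):
    """Return [(line, reason)] for every flagged line of a HijackThis log."""
    findings = []
    for line in log_text.splitlines():
        reason = check_line(line)
        if reason:
            findings.append((line.strip(), reason))
    return findings

if __name__ == "__main__":
    for line, reason in analyze(SAMPLE_LOG):
        print(reason + "\n    " + line)
```

Legitimate entries in the sample (scanregw.exe under HKLM, RoboForm under Program Files, the ProxyOverride line) are left alone, which is the point of keying on the loopback proxy and the Windows-root location rather than on every Run entry.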
     
  10. dlb51

    dlb51 Registered Member

    Joined:
    Apr 22, 2004
    Posts:
    6
    I would like to say thank you to all of you. With the help of Pieter and dvk01 I managed to get my computer clean and running again! I will use the programs AdAware and HijackThis along with my virus scanner more frequently now.

    Thank you very much and have a nice day,

    Maurice
     
  11. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Great job all. I'm glad not all the new variants are equally hard to cure. :cool:

    Regards,

    Pieter
     