How can I remove this SpyWare?!?

Discussion in 'adware, spyware & hijack cleaning' started by sameerfx, Jun 4, 2004.

Thread Status:
Not open for further replies.
  1. sameerfx

    sameerfx Registered Member

    Joined:
    Jun 4, 2004
    Posts:
    3
    Location:
    Orlando
    I have some sort of spyware on my computer. I’m running Windows XP Professional w/ Service Pack 1 on a Pentium 4 2.0Ghz and 512 MB RAM.

    When the computer boots into Windows, Windows Media Player always comes up. I have to exit it every time. I’m not sure if the spyware is causing this.

    Also, my IE home page keeps getting reset to about:home or something which displays a website with a bunch of links. When I boot up IE, a popup comes up selling spyware removers.

    I tried running the latest update of Adware and SpySweeper, but was not successful.

    SpyBot keeps finding Common Hijacker and removes it, but Common Hijacker is back every time I restart the computer. Spybot also keeps finding Webdialer and removes it, but it comes back when I restart the computer.

    I don’t know if this is a related issue or not, but I can’t install 1 critical Windows Update. It is the KB835732 Security Update. It keeps failing. I tried installing in manually via the .exe from Microsoft’s website, but it gives me an error message saying a file is corrupt.

    Pest Patrol, AdAware, Spy Sweeper and Spybot have all failed at removing this spyware.

    Can you guys help?


    Logfile of HijackThis v1.97.7
    Scan saved at 7:15:49 PM, on 6/4/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\WINNT\System32\Ati2evxx.exe
    c:\jetsuite\jsdaemon.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
    C:\WINNT\System32\svchost.exe
    C:\WINNT\wanmpsvc.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINNT\GWMDMMSG.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINNT\GWHotKey.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINNT\System32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\jetsuite\JETSTAT.EXE
    C:\Program Files\Proxomitron Naoko-4\Proxomitron.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    c:\jetsuite\JSFMAN.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\System32\nipeca.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\System32\nipeca.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\System32\nipeca.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\System32\nipeca.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080;https=localhost:8080
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {1D46B726-3973-41E1-9F71-AD2168E5E419} - (no file)
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - (no file)
    O2 - BHO: (no name) - {8552BAEF-24F0-4F37-962D-5549BFAF3D67} - (no file)
    O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {E058FB79-F579-488E-8E5E-FD477CA0967E} - C:\WINNT\System32\piaod.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
    O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [mswspl] C:\Program Files\Windows Media Player\wmplayer.exe
    O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
    O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - Startup: The Proxomitron.lnk = C:\Program Files\Proxomitron Naoko-4\Proxomitron.exe
    O4 - Global Startup: HP LaserJet 3150 Status.lnk = C:\jetsuite\JETSTAT.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O13 - DefaultPrefix:
    O13 - WWW Prefix:
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
    O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://downloadcenter.samsung.com/content/common/cab/DjVuControlLite_KR.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://mfr.mlxchange.com/Control/MultiSelectComboBox.cab
    O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
    O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://mfr.mlxchange.com/Control/MLXClientUtils.cab
    O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
    O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
    O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37915.8252314815
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab



    CWShredder v1.57.0 scan only report
    Please understand that a CWShredder 'Scan only' report
    might not be sufficient to troubleshoot an infected system.
    You can use HijackThis for that:
    http://www.merijn.org/files/hijackthis.zip
    http://www.spywareinfoforum.com/~merijn/files/hijackthis.zip

    Windows XP (5.01.2600 SP1)
    Windows dir: C:\WINNT
    Windows system dir: C:\WINNT\system32
    AppData folder: C:\Documents and Settings\Administrator\Application Data
    Username: Administrator

    Infected Registry value:
    HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar
    Infected data: res://C:\WINNT\System32\nipeca.dll/sp.html (obfuscated)
    Infected Registry value:
    HKCU\Software\Microsoft\Internet Explorer\Main,Search Page
    Infected data: res://C:\WINNT\System32\nipeca.dll/sp.html (obfuscated)
    Infected Registry value:
    HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar
    Infected data: res://C:\WINNT\System32\nipeca.dll/sp.html (obfuscated)
    Infected Registry value:
    HKLM\Software\Microsoft\Internet Explorer\Main,Search Page
    Infected data: res://C:\WINNT\System32\nipeca.dll/sp.html (obfuscated)
    Found Hosts file: C:\WINNT\system32\drivers\etc\hosts (856 bytes, R)
    Shell Registry value: HKLM\..\WinLogon [Shell] Explorer.exe
    UserInit Registry value: HKLM\..\WinLogon [UserInit] C:\WINNT\system32\userinit.exe,
    CWS.Oslogo (if value is 2) Registry value: Domains: *.coolwebsearch.com [*] dword:4
    CWS.Oslogo (if value is 2) Registry value: Domains: *.coolwwwsearch.com [*] dword:4
    CWS.Googlems.4 (if value is 2) Registry value: Domains: *.teensguru.com [*] dword:4
    Registry value: Mosaic Prefix (should be http://) [mosaic] http://
    Registry value: Home Prefix (should be http://) [home] http://
    Found Win.ini file: C:\WINNT\win.ini (1068 bytes, A)
    Found System.ini file: C:\WINNT\system.ini (435 bytes, A)

    - END OF REPORT -



    Common hijacker: Prefix change (Registry change, nothing done)
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes\www!=http://

    Common hijacker: Prefix change (Registry change, nothing done)
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix\!=http://

    WebDialer: Settings (Registry value, nothing done)
    HKEY_USERS\S-1-5-21-1888320767-2291736501-1374366779-500\Software\Microsoft\Internet Explorer\Main\HOMEOldSP


    --- Spybot - Search && Destroy version: 1.3 ---
    2004-05-25 Includes\Cookies.sbi
    2004-05-29 Includes\Dialer.sbi
    2004-05-28 Includes\Hijackers.sbi
    2004-05-28 Includes\Keyloggers.sbi
    2004-05-12 Includes\LSP.sbi
    2004-05-28 Includes\Malware.sbi
    2004-05-04 Includes\Revision.sbi
    2004-04-12 Includes\Security.sbi
    2004-05-28 Includes\Spybots.sbi
    2004-05-24 Includes\Tracks.uti
    2004-05-28 Includes\Trojans.sbi
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi sameerfx,

    Before you start please move hijackthis.exe to a folder of it´s own. The program creates backups in the folder it is in. These will now end up on your desktop.

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\System32\nipeca.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\System32\nipeca.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\System32\nipeca.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\System32\nipeca.dll/sp.html (obfuscated)

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R3 - Default URLSearchHook is missing

    O2 - BHO: (no name) - {1D46B726-3973-41E1-9F71-AD2168E5E419} - (no file)
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - (no file)
    O2 - BHO: (no name) - {8552BAEF-24F0-4F37-962D-5549BFAF3D67} - (no file)

    O2 - BHO: (no name) - {E058FB79-F579-488E-8E5E-FD477CA0967E} - C:\WINNT\System32\piaod.dll (file missing)

    O4 - HKLM\..\Run: [mswspl] C:\Program Files\Windows Media Player\wmplayer.exe


    http://tools.zerosrealm.com/dllfix.exe

    Doubleclick it and install in folder of choice on the root drive, in your case C:\

    Run start.bat and press option 1. 'output.txt' will be created in the folder

    Please post that report.

    Reboot and follow instructions here: https://www.wilderssecurity.com/showthread.php?t=28027

    Regards,

    Pieter
     
  3. sameerfx

    sameerfx Registered Member

    Joined:
    Jun 4, 2004
    Posts:
    3
    Location:
    Orlando
    --==***@@@ FIND-ALL' VERSION MODIFIED -6/05 @@@***==--
    --==***@@@ ORIGINAL BY FREEATLAST @@@***==--

    Sat 06/05/2004
    07:57 PM

    System Info:

    Microsoft Windows XP [Version 5.1.2600]
    C: "" (D8E4:3A29) - FS:NTFS clusters:4k
    Total: 30 005 788 672 [28G] - Free: 8 685 940 736 [8.1G]


    *IE version and Service packs:
    6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe
    *Notepad version :
    5.1.2600.0 C:\WINNT\system32\notepad.exe
    5.1.2600.0 C:\WINNT\notepad.exe
    *Media Player version :
    9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe

    ! REG.EXE VERSION 2.0

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    MinorVersion REG_SZ ;SP1;Q324929;Q810847;Q818529;Q813951;Q330994;Q828750;Q824145;Q837009;Q832894;Q831167;



    Locked or 'Suspect' file(s) found...
    \\?\C:\WINNT\System32\HLP.DLL +++ File read error
    \\?\C:\WINNT\System32\HLP.DLL +++ File read error


    Scanning for main Hijacker:
    File found was C:\WINNT\System32\CDCDJ.DLL
    Md5 tested As 0758CF635DF08AC381962F74832B6484


    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""
    "DeviceNotSelectedTimeout"="15"
    "GDIProcessHandleQuota"=dword:00002710
    "Spooler"="yes"
    "swapdisk"=""
    "TransmissionRetryTimeout"="90"
    "USERProcessHandleQuota"=dword:00002710

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    @=""

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
    @="NAV Helper"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EE80FCD5-B5CA-411B-A63A-E0F56443C702}]

    REGEDIT4

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]
    "CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]
    "CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]
    "CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
    @="AP Class Install Handler filter"
    "CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
    @="AP Deflate Encoding/Decoding Filter "
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
    @="AP GZIP Encoding/Decoding Filter "
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
    @="AP lzdhtml encoding/decoding Filter"
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
    "CLSID"="{EE39DB91-F687-42BD-AFBE-702D9DE905C1}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
    "CLSID"="{EE39DB91-F687-42BD-AFBE-702D9DE905C1}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
    @="WebView MIME Filter"
    "CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/xml]
    "CLSID"="{807553E5-5146-11D5-A672-00B0D022E945}"


    ! REG.EXE VERSION 2.0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_Dlls REG_SZ

    *Security settings for 'Windows' key:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    (NI) ALLOW Read BUILTIN\Users
    (IO) ALLOW Read BUILTIN\Users
    (NI) ALLOW Read BUILTIN\Power Users
    (IO) ALLOW Read BUILTIN\Power Users
    (NI) ALLOW Full access BUILTIN\Administrators
    (IO) ALLOW Full access BUILTIN\Administrators
    (NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (NI) ALLOW Full access BUILTIN\Administrators
    (IO) ALLOW Full access CREATOR OWNER

    Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    Read BUILTIN\Users
    Read BUILTIN\Power Users
    Full access BUILTIN\Administrators
    Full access NT AUTHORITY\SYSTEM


    
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Run start.bat again and choose option 2. Hit '1' and enter dll name manually:
    C:\WINNT\System32\CDCDJ.DLL

    Download and run AdAware : http://www.lavasoft.de/software/adaware/ (make sure you have latest updates) and run it.

    Also run CWShredder finally to clean up other entries.

    When you are done, run HijackThis again and post the new log, so we can see if it all worked out as planned.

    Regards,

    Pieter
     
  5. sameerfx

    sameerfx Registered Member

    Joined:
    Jun 4, 2004
    Posts:
    3
    Location:
    Orlando
    Hey Pieter, thanks for all the help so far. How do you know all this stuff about rare spywares??

    Anyway, some of the problems have gone away. Windows Media Player no longer comes up on boot.

    There still seems to be some speed lag issues...

    And the IE homepage has remained on google.com today, but I fear something might change it to the spyware site again...

    Here's the latest logs...what else do you think I should remove to finally get rid of this thing?!?

    Here's the start.bat log, I'm not sure if this was successfull. Something about the m5 of the file didn't match:

    CWSDLL/Searchx Appinit Fix By Shadowwar
    Version 3.01 060504
    Please Do not mirror Without Permission!
    I can be contacted at spywaresubmit at aol.com
    Sun 06/13/2004
    01:54 PM

    Backing up Registry Hive

    The operation completed successfully

    Deleting Windows Key

    The operation completed successfully

    Adding Test Windows Key

    The operation completed successfully

    Restoring temp Values Key

    The operation completed successfully

    Deleting Bad Appinit Value

    The operation completed successfully


    Backup of Modified Hiv

    The operation completed successfully

    Deleting test Windows key

    The operation completed successfully

    Deleting Filter text
    Running from C:\Documents and Settings\Administrator\Desktop\spyware\hi\dllfix
    Scanning for Locked File
    Unlocking Locked File

    C:\WINNT\System32\HLP.DLL
    Processing File Manually
    C:\WINNT\system32\CDCDJ.DLL
    Md5 Check of C:\WINNT\system32\CDCDJ.DLL

    Md5 tested As
    File was found but md5 didnt match
    MD5 was:
    Resetting file attributes
    Processing ACL of: <\\?\C:\WINNT\system32\CDCDJ.DLL>

    SetACL finished with error(s):
    SetACL error message: The call to SetNamedSecurityInfo () failed
    Operating system error message: The system cannot find the file specified.
    File was zipped for submission to Shadowwar
    File is located at C:\Documents and Settings\Administrator\Desktop\spyware\hi\dllfix\submit.zip
    please Email a copy to spywaresubmit at aol.com
    Please include a link to your post.
    File is still in original location now unlocked.
    It is now ok to proceed with Rest of Cleanup.

    Adding Back Windows Key

    The operation completed successfully

    Restoring Registry Hive

    The operation completed successfully


    Restoring Cleaned Appinit Value

    The operation completed successfully


    --------------------

    And here's the lavasoft AdWare log. It found two CoolWWW things:


    Lavasoft Ad-aware Personal Build 6.181
    Logfile created on :Sunday, June 13, 2004 2:03:05 PM
    Created with Ad-aware Personal, free for private use.
    Using reference-file :01R318 13.06.2004
    ______________________________________________________

    Reffile status:
    =========================
    Reference file loaded:
    Reference Number : 01R318 13.06.2004
    Internal build : 250
    File location : C:\Program Files\Lavasoft\Ad-aware 6\reflist.ref
    Total size : 1241033 Bytes
    Signature data size : 1220738 Bytes
    Reference data size : 20231 Bytes
    Signatures total : 27180
    Target categories : 10
    Target families : 497

    Memory + processor status:
    ==========================
    Number of processors : 1
    Processor architecture : Intel Pentium IV
    Memory available:59 %
    Total physical memory:523244 kb
    Available physical memory:306972 kb
    Total page file size:886600 kb
    Available on page file:722716 kb
    Total virtual memory:2097024 kb
    Available virtual memory:2051124 kb
    OS:

    Ad-aware Settings
    =========================
    Set : Activate in-depth scan (Recommended)
    Set : Safe mode (always request confirmation)
    Set : Scan active processes
    Set : Scan registry
    Set : Deep scan registry
    Set : Scan my IE Favorites for banned URLs
    Set : Scan within archives
    Set : Scan my Hosts file

    Extended Ad-aware Settings
    =========================
    Set : Unload recognized processes during scanning
    Set : Reanalyze result after scanning, before displaying result list
    Set : Run scan as background process (Low CPU usage)
    Set : Include basic Ad-aware settings in logfile
    Set : Include additional Ad-aware settings in logfile
    Set : Let windows remove files in use at next reboot
    Set : Delete quarantined objects after restoring
    Set : Always back up reference file, before updating
    Set : Play sound if scan produced a result


    6-13-2004 2:03:05 PM - Scan started. (Smart mode)

    Listing running processes
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    #:1 [smss.exe]
    FilePath : \SystemRoot\System32\
    ThreadCreationTime : 6-13-2004 5:57:56 PM
    BasePriority : Normal


    #:2 [winlogon.exe]
    FilePath : \??\C:\WINNT\system32\
    ThreadCreationTime : 6-13-2004 5:58:01 PM
    BasePriority : High


    #:3 [services.exe]
    FilePath : C:\WINNT\system32\
    ThreadCreationTime : 6-13-2004 5:58:01 PM
    BasePriority : Normal
    FileSize : 99 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-114:cool:
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Services and Controller app
    InternalName : services.exe
    OriginalFilename : services.exe
    ProductName : Microsoft
    Created on : 1/1/1980 6:00:00 AM
    Last accessed : 6/13/2004 5:06:09 PM
    Last modified : 8/29/2002 1:00:00 PM

    #:4 [lsass.exe]
    FilePath : C:\WINNT\system32\
    ThreadCreationTime : 6-13-2004 5:58:01 PM
    BasePriority : Normal
    FileSize : 11 KB
    FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
    ProductVersion : 5.1.2600.1106
    CompanyName : Microsoft Corporation
    FileDescription : LSA Shell (Export Version)
    InternalName : lsass.exe
    OriginalFilename : lsass.exe
    ProductName : Microsoft
    Created on : 1/1/1980 6:00:00 AM
    Last accessed : 6/13/2004 5:05:38 PM
    Last modified : 8/29/2002 1:00:00 PM

    #:5 [svchost.exe]
    FilePath : C:\WINNT\system32\
    ThreadCreationTime : 6-13-2004 5:58:02 PM
    BasePriority : Normal
    FileSize : 12 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-114:cool:
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    OriginalFilename : svchost.exe
    ProductName : Microsoft
    Created on : 1/1/1980 6:00:00 AM
    Last accessed : 6/13/2004 5:05:38 PM
    Last modified : 8/29/2002 1:00:00 PM

    #:6 [svchost.exe]
    FilePath : C:\WINNT\System32\
    ThreadCreationTime : 6-13-2004 5:58:02 PM
    BasePriority : Normal
    FileSize : 12 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-114:cool:
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    OriginalFilename : svchost.exe
    ProductName : Microsoft
    Created on : 1/1/1980 6:00:00 AM
    Last accessed : 6/13/2004 5:05:38 PM
    Last modified : 8/29/2002 1:00:00 PM

    #:7 [spoolsv.exe]
    FilePath : C:\WINNT\system32\
    ThreadCreationTime : 6-13-2004 5:58:04 PM
    BasePriority : Normal
    FileSize : 50 KB
    FileVersion : 5.1.2600.0 (XPClient.010817-114:cool:
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Spooler SubSystem App
    InternalName : spoolsv.exe
    OriginalFilename : spoolsv.exe
    ProductName : Microsoft
    Created on : 1/1/1980 6:00:00 AM
    Last accessed : 6/13/2004 5:06:09 PM
    Last modified : 8/29/2002 1:00:00 PM

    #:8 [ccevtmgr.exe]
    FilePath : C:\Program Files\Common Files\Symantec Shared\
    ThreadCreationTime : 6-13-2004 5:58:04 PM
    BasePriority : Normal
    FileSize : 309 KB
    FileVersion : 1.03.4
    ProductVersion : 1.03.4
    Copyright : Copyright (c) 2000-2002 Symantec Corporation. All rights reserved.
    CompanyName : Symantec Corporation
    FileDescription : Event Manager Service
    InternalName : ccEvtMgr
    OriginalFilename : ccEvtMgr.exe
    ProductName : Event Manager
    Created on : 11/13/2002 8:44:02 PM
    Last accessed : 6/13/2004 5:05:38 PM
    Last modified : 11/13/2002 8:44:02 PM

    #:9 [explorer.exe]
    FilePath : C:\WINNT\
    ThreadCreationTime : 6-13-2004 5:58:10 PM
    BasePriority : Normal
    FileSize : 980 KB
    FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
    ProductVersion : 6.00.2800.1106
    CompanyName : Microsoft Corporation
    FileDescription : Windows Explorer
    InternalName : explorer
    OriginalFilename : EXPLORER.EXE
    ProductName : Microsoft
    Created on : 1/1/1980 6:00:00 AM
    Last accessed : 6/13/2004 6:01:20 PM
    Last modified : 8/29/2002 1:00:00 PM

    #:10 [acsd.exe]
    FilePath : C:\PROGRA~1\COMMON~1\AOL\ACS\
    ThreadCreationTime : 6-13-2004 5:58:13 PM
    BasePriority : Normal
    FileSize : 1376 KB
    FileVersion : 1,0,24,9
    ProductVersion : 1,0,24,9
    Copyright : Copyright
    CompanyName : America Online, Inc.
    FileDescription : AOL Connectivity Service
    InternalName : acsd
    OriginalFilename : acsd.exe
    ProductName : AOL Connectivity Service
    Created on : 9/3/2003 7:01:45 PM
    Last accessed : 6/13/2004 5:05:38 PM
    Last modified : 4/8/2004 1:17:46 PM

    #:11 [ati2evxx.exe]
    FilePath : C:\WINNT\System32\
    ThreadCreationTime : 6-13-2004 5:58:13 PM
    BasePriority : Normal
    FileSize : 132 KB
    Created on : 1/1/1980 6:00:00 AM
    Last accessed : 6/13/2004 5:05:38 PM
    Last modified : 8/29/2002 11:08:34 PM

    #:12 [jsdaemon.exe]
    FilePath : c:\jetsuite\
    ThreadCreationTime : 6-13-2004 5:58:13 PM
    BasePriority : Normal
    FileSize : 44 KB
    FileVersion : 4.0.21.0
    ProductVersion : 4.0.21.0
    Copyright : Copyright
    CompanyName : JetFax, Inc.
    FileDescription : JetFax NT MFP Daemon Service
    InternalName : The Daemon
    OriginalFilename : JSdaemon.exe
    ProductName : JetSuite
    Created on : 12/12/2002 3:48:34 AM
    Last accessed : 6/13/2004 5:05:07 PM
    Last modified : 9/22/1999 3:48:52 PM

    #:13 [navapsvc.exe]
    FilePath : C:\Program Files\Norton AntiVirus\
    ThreadCreationTime : 6-13-2004 5:58:14 PM
    BasePriority : Normal
    FileSize : 113 KB
    FileVersion : 9.05.1015
    ProductVersion : 9.05.1015
    Copyright : Copyright (c) 2000-2002 Symantec Corporation. All rights reserved.
    CompanyName : Symantec Corporation
    FileDescription : Norton AntiVirus Auto-Protect Service
    InternalName : NAVAPSVC
    OriginalFilename : NAVAPSVC.EXE
    ProductName : Norton AntiVirus
    Created on : 11/14/2002 11:41:26 PM
    Last accessed : 6/13/2004 5:05:38 PM
    Last modified : 11/14/2002 11:41:26 PM

    #:14 [nprotect.exe]
    FilePath : C:\Program Files\Norton AntiVirus\AdvTools\
    ThreadCreationTime : 6-13-2004 5:58:14 PM
    BasePriority : Normal
    FileSize : 132 KB
    FileVersion : 16.00.0.22
    ProductVersion : 16.00.0.22
    Copyright : Copyright (C) 2003 Symantec Corporation
    CompanyName : Symantec Corporation
    FileDescription : Norton Protection Status
    InternalName : NPROTECT
    OriginalFilename : NPROTECT.EXE
    ProductName : Norton Utilities
    Created on : 2/13/2003 2:30:57 AM
    Last accessed : 6/13/2004 5:05:38 PM
    Last modified : 8/14/2002 10:03:00 AM

    #:15 [prismxl.sys]
    FilePath : C:\Program Files\Common Files\Lanovation\PrismXL\
    ThreadCreationTime : 6-13-2004 5:58:14 PM
    BasePriority : Normal
    FileSize : 56 KB
    FileVersion : 4.10
    ProductVersion : 4.10
    Copyright : Copyright
    CompanyName : Lanovation
    FileDescription : PrismXL Service
    InternalName : PrismXL Service
    OriginalFilename : PrismXL.sys
    ProductName : PrismXL Software Family
    Created on : 12/4/2002 7:38:41 AM
    Last accessed : 6/13/2004 5:05:38 PM
    Last modified : 8/19/2002 5:00:00 AM

    #:16 [svchost.exe]
    FilePath : C:\WINNT\System32\
    ThreadCreationTime : 6-13-2004 5:58:17 PM
    BasePriority : Normal
    FileSize : 12 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-114:cool:
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    OriginalFilename : svchost.exe
    ProductName : Microsoft
    Created on : 1/1/1980 6:00:00 AM
    Last accessed : 6/13/2004 5:05:38 PM
    Last modified : 8/29/2002 1:00:00 PM

    #:17 [wanmpsvc.exe]
    FilePath : C:\WINNT\
    ThreadCreationTime : 6-13-2004 5:58:17 PM
    BasePriority : Normal
    FileSize : 64 KB
    FileVersion : 7, 0, 0, 2
    ProductVersion : 7, 0, 0, 2
    Copyright : Copyright
    CompanyName : America Online, Inc.
    FileDescription : Wan Miniport (ATW) Service
    InternalName : WanMPSvc
    OriginalFilename : WanMPSvc.exe
    ProductName : America Online
    Created on : 12/12/2002 2:02:07 AM
    Last accessed : 6/13/2004 5:06:09 PM
    Last modified : 4/19/2002 3:58:38 PM

    #:18 [notepad.exe]
    FilePath : C:\WINNT\system32\
    ThreadCreationTime : 6-13-2004 6:00:41 PM
    BasePriority : Normal
    FileSize : 64 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-114:cool:
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Notepad
    InternalName : Notepad
    OriginalFilename : NOTEPAD.EXE
    ProductName : Microsoft
    Created on : 1/1/1980 6:00:00 AM
    Last accessed : 6/13/2004 6:00:44 PM
    Last modified : 8/29/2002 1:00:00 PM

    #:19 [syntplpr.exe]
    FilePath : C:\Program Files\Synaptics\SynTP\
    ThreadCreationTime : 6-13-2004 6:00:43 PM
    BasePriority : Normal
    FileSize : 124 KB
    FileVersion : 6.3.10 03Jun02
    ProductVersion : 6.3.10 03Jun02
    Copyright : Copyright (C) Synaptics, Inc. 1996-2002
    CompanyName : Synaptics, Inc.
    FileDescription : TouchPad Driver Helper Application
    InternalName : SynTPLpr
    OriginalFilename : SynTPLpr.exe
    ProductName : Progressive Touch
    Created on : 1/1/1980 6:00:00 AM
    Last accessed : 6/13/2004 5:57:56 PM
    Last modified : 6/3/2002 10:17:00 PM

    #:20 [syntpenh.exe]
    FilePath : C:\Program Files\Synaptics\SynTP\
    ThreadCreationTime : 6-13-2004 6:00:44 PM
    BasePriority : Normal
    FileSize : 528 KB
    FileVersion : 6.3.10 03Jun02
    ProductVersion : 6.3.10 03Jun02
    Copyright : Copyright (C) Synaptics, Inc. 1996-2002
    CompanyName : Synaptics, Inc.
    FileDescription : Synaptics TouchPad Enhancements
    InternalName : Scrolleroo
    OriginalFilename : SynTPEnh.exe
    ProductName : Progressive Touch
    Created on : 1/1/1980 6:00:00 AM
    Last accessed : 6/13/2004 5:57:56 PM
    Last modified : 6/3/2002 10:15:52 PM

    #:21 [gwmdmmsg.exe]
    FilePath : C:\WINNT\
    ThreadCreationTime : 6-13-2004 6:00:44 PM
    BasePriority : Normal
    FileSize : 64 KB
    FileVersion : 3.4.16 05/06/2002 19:12:44
    ProductVersion : 3.4.16 05/06/2002 19:12:44
    Copyright : Copyright
    CompanyName : GTW
    FileDescription : Modem Messaging Applet
    InternalName : smdmstat.exe
    OriginalFilename : smdmstat.exe
    ProductName : GTW Modem Messaging Applet
    Created on : 1/1/1980 6:00:00 AM
    Last accessed : 6/13/2004 5:57:56 PM
    Last modified : 5/6/2002 8:12:44 PM

    #:22 [atiptaxx.exe]
    FilePath : C:\Program Files\ATI Technologies\ATI Control Panel\
    ThreadCreationTime : 6-13-2004 6:00:44 PM
    BasePriority : Normal
    FileSize : 284 KB
    FileVersion : 6.13.10.3030
    ProductVersion : 6.13.10.3030
    Copyright : Copyright (C) 1998-2002 ATI Technologies Inc.
    CompanyName : ATI Technologies, Inc.
    FileDescription : ATI Desktop Control Panel
    InternalName : Atiptaxx.exe
    OriginalFilename : Atiptaxx.exe
    ProductName : ATI Desktop Component
    Created on : 12/4/2002 7:38:37 AM
    Last accessed : 6/13/2004 6:01:19 PM
    Last modified : 8/22/2002 9:10:28 PM

    #:23 [gwhotkey.exe]
    FilePath : C:\WINNT\
    ThreadCreationTime : 6-13-2004 6:00:44 PM
    BasePriority : Normal
    FileSize : 96 KB
    FileVersion : 6.5
    ProductVersion : 6.5
    Copyright : Copyright
    CompanyName : BillP Studios
    FileDescription : Multi-function Keyboard By Bill Pytlovany
    ProductName : Gateway Multi-function Keyboard Utility
    Created on : 12/4/2002 8:40:22 AM
    Last accessed : 6/13/2004 5:57:56 PM
    Last modified : 8/28/2001 5:13:28 PM

    #:24 [directcd.exe]
    FilePath : C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\
    ThreadCreationTime : 6-13-2004 6:00:45 PM
    BasePriority : Normal
    FileSize : 668 KB
    FileVersion : 5.3.2.35
    ProductVersion : 5.3.2.35
    Copyright : Copyright (c) 2001,2002, Roxio, Inc.
    CompanyName : Roxio
    FileDescription : DirectCD Application
    InternalName : DirectCD
    OriginalFilename : Directcd.exe
    ProductName : DirectCD
    Created on : 12/4/2002 8:46:41 AM
    Last accessed : 6/13/2004 5:57:56 PM
    Last modified : 10/4/2002 12:50:14 AM

    #:25 [ccapp.exe]
    FilePath : C:\Program Files\Common Files\Symantec Shared\
    ThreadCreationTime : 6-13-2004 6:00:45 PM
    BasePriority : Normal
    FileSize : 53 KB
    FileVersion : 1.0.10.006
    ProductVersion : 1.0.10.006
    Copyright : Copyright (c) 2000-2002 Symantec Corporation. All rights reserved.
    CompanyName : Symantec Corporation
    FileDescription : Common Client CC App
    InternalName : ccApp
    OriginalFilename : ccApp.exe
    ProductName : Common Client
    Created on : 12/25/2003 9:31:53 AM
    Last accessed : 6/13/2004 5:57:56 PM
    Last modified : 12/2/2003 9:11:04 PM

    #:26 [ctfmon.exe]
    FilePath : C:\WINNT\System32\
    ThreadCreationTime : 6-13-2004 6:00:47 PM
    BasePriority : Normal
    FileSize : 13 KB
    FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
    ProductVersion : 5.1.2600.1106
    CompanyName : Microsoft Corporation
    FileDescription : CTF Loader
    InternalName : CTFMON
    OriginalFilename : CTFMON.EXE
    ProductName : Microsoft
    Created on : 1/1/1980 6:00:00 AM
    Last accessed : 6/13/2004 5:57:56 PM
    Last modified : 8/29/2002 1:00:00 PM

    #:27 [aolwasher.exe]
    FilePath : C:\Program Files\Cookie Washer\
    ThreadCreationTime : 6-13-2004 6:00:47 PM
    BasePriority : Normal
    FileSize : 2912 KB
    FileVersion : 4.0.1.9
    ProductVersion : 4.0
    Copyright : Copyright 1998, 1999, 2000, 2001 Webroot Software, Inc.
    CompanyName : Webroot Software, Inc.
    FileDescription : Cache & Cookie Washer
    Created on : 6/8/2004 7:57:29 AM
    Last accessed : 6/13/2004 5:58:00 PM
    Last modified : 8/16/2001 3:34:14 PM

    #:28 [jetstat.exe]
    FilePath : C:\jetsuite\
    ThreadCreationTime : 6-13-2004 6:00:50 PM
    BasePriority : Normal
    FileSize : 144 KB
    FileVersion : 3.00.0197
    ProductVersion : 3.00.0000
    Copyright : Copyright
    CompanyName : eFax.com
    FileDescription : JetStat Application
    InternalName : JETSTAT
    OriginalFilename : JETSTAT.EXE
    ProductName : JetSuite
    Created on : 12/12/2002 3:47:47 AM
    Last accessed : 6/13/2004 5:58:00 PM
    Last modified : 10/13/1999 5:15:12 PM

    #:29 [proxomitron.exe]
    FilePath : C:\Program Files\Proxomitron Naoko-4\
    ThreadCreationTime : 6-13-2004 6:00:50 PM
    BasePriority : Normal
    FileSize : 326 KB
    FileVersion : 4, 4, 0, 0
    ProductVersion : Naoko-4.4 2002-09-28
    Copyright : Copyright
    CompanyName : Groom-A-Zebu (tm)
    FileDescription : The Proxomitron
    InternalName : Pancreas frappe'
    OriginalFilename : Proxomitron.exe
    ProductName : Proxomitron
    Created on : 10/4/2002 12:40:14 AM
    Last accessed : 6/13/2004 6:01:20 PM
    Last modified : 10/4/2002 12:40:14 AM

    #:30 [msmsgs.exe]
    FilePath : C:\Program Files\Messenger\
    ThreadCreationTime : 6-13-2004 6:01:23 PM
    BasePriority : Normal
    FileSize : 1456 KB
    FileVersion : 4.7.2009
    ProductVersion : Version 4.7
    Copyright : Copyright (c) Microsoft Corporation 1997-2003
    CompanyName : Microsoft Corporation
    FileDescription : Messenger
    InternalName : msmsgs
    OriginalFilename : msmsgs.exe
    ProductName : Messenger
    Created on : 4/15/2003 12:30:14 AM
    Last accessed : 6/13/2004 5:49:14 PM
    Last modified : 4/15/2003 12:30:14 AM

    #:31 [jsfman.exe]
    FilePath : c:\jetsuite\
    ThreadCreationTime : 6-13-2004 6:01:46 PM
    BasePriority : Normal
    FileSize : 63 KB
    FileVersion : 3.00.0197
    ProductVersion : 3.00.0000
    Copyright : Copyright
    CompanyName : eFax.com
    FileDescription : FaxMan32 Application
    InternalName : JSFMAN32
    OriginalFilename : JSFMAN32.EXE
    ProductName : JetSuite
    Created on : 12/12/2002 3:47:48 AM
    Last accessed : 6/13/2004 5:05:07 PM
    Last modified : 10/19/1999 9:03:10 PM

    #:32 [ad-aware.exe]
    FilePath : C:\Program Files\Lavasoft\Ad-aware 6\
    ThreadCreationTime : 6-13-2004 6:02:24 PM
    BasePriority : Idle
    FileSize : 668 KB
    FileVersion : 6.0.1.181
    ProductVersion : 6.0.0.0
    Copyright : Copyright
    CompanyName : Lavasoft Sweden
    FileDescription : Ad-aware 6 core application
    InternalName : Ad-aware.exe
    OriginalFilename : Ad-aware.exe
    ProductName : Lavasoft Ad-aware Plus
    Created on : 6/5/2004 12:38:49 AM
    Last accessed : 6/13/2004 6:01:13 PM
    Last modified : 7/13/2003 1:00:20 AM

    Memory scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 0


    Started registry scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    Registry scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 0


    Started deep registry scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    Deep registry scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 0


    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯


    Deep scanning and examining files (C:)
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    CoolWebSearch Object recognized!
    Type : File
    Data : hlp.dll
    Category : Malware
    Comment :
    Object : C:\WINNT\System32\
    FileSize : 56 KB
    Created on : 5/29/2004 6:13:19 AM
    Last accessed : 6/13/2004 6:00:42 PM
    Last modified : 5/29/2004 6:13:20 AM




    Scanning Hosts file(C:\WINNT\System32\drivers\etc\hosts)
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    Hosts file scan result:
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    1 entries scanned.
    New objects :0
    Objects found so far: 1




    Performing conditional scans..
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    CoolWebSearch Object recognized!
    Type : RegValue
    Data :
    Category : Malware
    Comment :
    Rootkey : HKEY_CURRENT_USER
    Object : Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
    Value : ITBarLayout


    Conditional scan result:
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 1
    Objects found so far: 2


    Reanalyzing scan result
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    No objects have been removed from the result list.


    2:08:09 PM Scan complete

    Summary of this scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    Total scanning time :00:05:02:795
    Objects scanned :53130
    Objects identified :2
    Objects ignored :0
    New objects :2


    -----------------------

    And finally, here's the HijackThis log file:

    Logfile of HijackThis v1.97.7
    Scan saved at 2:18:02 PM, on 6/13/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINNT\GWMDMMSG.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINNT\GWHotKey.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINNT\System32\ctfmon.exe
    C:\Program Files\Cookie Washer\aolwasher.exe
    C:\jetsuite\JETSTAT.EXE
    C:\Program Files\Proxomitron Naoko-4\Proxomitron.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\WINNT\System32\Ati2evxx.exe
    c:\jetsuite\jsdaemon.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
    C:\WINNT\System32\svchost.exe
    C:\WINNT\wanmpsvc.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Administrator\Desktop\HijackTHis\HijackThis.exe
    C:\WINNT\system32\NOTEPAD.EXE
    C:\WINNT\system32\NOTEPAD.EXE
    C:\Program Files\Messenger\msmsgs.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080;https=localhost:8080
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
    O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
    O4 - HKLM\..\Run: [Remndr] "C:\Program Files\CasinoOnline\CsRemnd.exe"
    O4 - HKLM\..\Run: [PCDRealtime] C:\WINNT\realtime.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
    O4 - HKCU\..\Run: [ccWasher] C:\Program Files\Cookie Washer\aolwasher.exe /0
    O4 - Startup: The Proxomitron.lnk = C:\Program Files\Proxomitron Naoko-4\Proxomitron.exe
    O4 - Global Startup: HP LaserJet 3150 Status.lnk = C:\jetsuite\JETSTAT.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://downloadcenter.samsung.com/content/common/cab/DjVuControlLite_KR.cab
    O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/downl...-a3de-373c3e5552fc/msSecAdv.cab?1087057578700
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38150.3480902778
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab



    ---------------

    All your help is greatly appreciated. What else do you think I should try?


    Sameer
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi Sameer,

    There is no more spyware in sight in your log. I assume you let AdAware fix the two it found?

    Are the speed issues only on the internet or the entire computer in general?

    Regards,

    Pieter
     
Thread Status:
Not open for further replies.