How can I remove this SpyWare?!?

I have some sort of spyware on my computer. I’m running Windows XP Professional w/ Service Pack 1 on a Pentium 4 2.0Ghz and 512 MB RAM.

When the computer boots into Windows, Windows Media Player always comes up. I have to exit it every time. I’m not sure if the spyware is causing this.

Also, my IE home page keeps getting reset to about:home or something which displays a website with a bunch of links. When I boot up IE, a popup comes up selling spyware removers.

I tried running the latest update of Adware and SpySweeper, but was not successful.

SpyBot keeps finding Common Hijacker and removes it, but Common Hijacker is back every time I restart the computer. Spybot also keeps finding Webdialer and removes it, but it comes back when I restart the computer.

I don’t know if this is a related issue or not, but I can’t install 1 critical Windows Update. It is the KB835732 Security Update. It keeps failing. I tried installing in manually via the .exe from Microsoft’s website, but it gives me an error message saying a file is corrupt.

Pest Patrol, AdAware, Spy Sweeper and Spybot have all failed at removing this spyware.

Can you guys help?


Logfile of HijackThis v1.97.7
Scan saved at 7:15:49 PM, on 6/4/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINNT\System32\Ati2evxx.exe
c:\jetsuite\jsdaemon.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\System32\svchost.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\GWMDMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINNT\GWHotKey.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\jetsuite\JETSTAT.EXE
C:\Program Files\Proxomitron Naoko-4\Proxomitron.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
c:\jetsuite\JSFMAN.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\System32\nipeca.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\System32\nipeca.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\System32\nipeca.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\System32\nipeca.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080;https=localhost:8080
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1D46B726-3973-41E1-9F71-AD2168E5E419} - (no file)
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - (no file)
O2 - BHO: (no name) - {8552BAEF-24F0-4F37-962D-5549BFAF3D67} - (no file)
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {E058FB79-F579-488E-8E5E-FD477CA0967E} - C:\WINNT\System32\piaod.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mswspl] C:\Program Files\Windows Media Player\wmplayer.exe
O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Startup: The Proxomitron.lnk = C:\Program Files\Proxomitron Naoko-4\Proxomitron.exe
O4 - Global Startup: HP LaserJet 3150 Status.lnk = C:\jetsuite\JETSTAT.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O13 - DefaultPrefix:
O13 - WWW Prefix:
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://downloadcenter.samsung.com/content/common/cab/DjVuControlLite_KR.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://mfr.mlxchange.com/Control/MultiSelectComboBox.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://mfr.mlxchange.com/Control/MLXClientUtils.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37915.8252314815
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab



CWShredder v1.57.0 scan only report
Please understand that a CWShredder 'Scan only' report
might not be sufficient to troubleshoot an infected system.
You can use HijackThis for that:
http://www.merijn.org/files/hijackthis.zip
http://www.spywareinfoforum.com/~merijn/files/hijackthis.zip

Windows XP (5.01.2600 SP1)
Windows dir: C:\WINNT
Windows system dir: C:\WINNT\system32
AppData folder: C:\Documents and Settings\Administrator\Application Data
Username: Administrator

Infected Registry value:
HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar
Infected data: res://C:\WINNT\System32\nipeca.dll/sp.html (obfuscated)
Infected Registry value:
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page
Infected data: res://C:\WINNT\System32\nipeca.dll/sp.html (obfuscated)
Infected Registry value:
HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar
Infected data: res://C:\WINNT\System32\nipeca.dll/sp.html (obfuscated)
Infected Registry value:
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page
Infected data: res://C:\WINNT\System32\nipeca.dll/sp.html (obfuscated)
Found Hosts file: C:\WINNT\system32\drivers\etc\hosts (856 bytes, R)
Shell Registry value: HKLM\..\WinLogon [Shell] Explorer.exe
UserInit Registry value: HKLM\..\WinLogon [UserInit] C:\WINNT\system32\userinit.exe,
CWS.Oslogo (if value is 2) Registry value: Domains: *.coolwebsearch.com [*] dword:4
CWS.Oslogo (if value is 2) Registry value: Domains: *.coolwwwsearch.com [*] dword:4
CWS.Googlems.4 (if value is 2) Registry value: Domains: *.teensguru.com [*] dword:4
Registry value: Mosaic Prefix (should be http://) [mosaic] http://
Registry value: Home Prefix (should be http://) [home] http://
Found Win.ini file: C:\WINNT\win.ini (1068 bytes, A)
Found System.ini file: C:\WINNT\system.ini (435 bytes, A)

- END OF REPORT -



Common hijacker: Prefix change (Registry change, nothing done)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes\www!=http://

Common hijacker: Prefix change (Registry change, nothing done)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix\!=http://

WebDialer: Settings (Registry value, nothing done)
HKEY_USERS\S-1-5-21-1888320767-2291736501-1374366779-500\Software\Microsoft\Internet Explorer\Main\HOMEOldSP


--- Spybot - Search && Destroy version: 1.3 ---
2004-05-25 Includes\Cookies.sbi
2004-05-29 Includes\Dialer.sbi
2004-05-28 Includes\Hijackers.sbi
2004-05-28 Includes\Keyloggers.sbi
2004-05-12 Includes\LSP.sbi
2004-05-28 Includes\Malware.sbi
2004-05-04 Includes\Revision.sbi
2004-04-12 Includes\Security.sbi
2004-05-28 Includes\Spybots.sbi
2004-05-24 Includes\Tracks.uti
2004-05-28 Includes\Trojans.sbi

 

Hi sameerfx,

Before you start please move hijackthis.exe to a folder of it´s own. The program creates backups in the folder it is in. These will now end up on your desktop.

Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\System32\nipeca.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\System32\nipeca.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\System32\nipeca.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\System32\nipeca.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {1D46B726-3973-41E1-9F71-AD2168E5E419} - (no file)
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - (no file)
O2 - BHO: (no name) - {8552BAEF-24F0-4F37-962D-5549BFAF3D67} - (no file)

O2 - BHO: (no name) - {E058FB79-F579-488E-8E5E-FD477CA0967E} - C:\WINNT\System32\piaod.dll (file missing)

O4 - HKLM\..\Run: [mswspl] C:\Program Files\Windows Media Player\wmplayer.exe


http://tools.zerosrealm.com/dllfix.exe

Doubleclick it and install in folder of choice on the root drive, in your case C:\

Run start.bat and press option 1. 'output.txt' will be created in the folder

Please post that report.

Reboot and follow instructions here: https://www.wilderssecurity.com/showthread.php?t=28027

Regards,

Pieter

 

--==***@@@ FIND-ALL' VERSION MODIFIED -6/05 @@@***==--
--==***@@@ ORIGINAL BY FREEATLAST @@@***==--

Sat 06/05/2004
07:57 PM

System Info:

Microsoft Windows XP [Version 5.1.2600]
C: "" (D8E4:3A29) - FS:NTFS clusters:4k
Total: 30 005 788 672 [28G] - Free: 8 685 940 736 [8.1G]


*IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe
*Notepad version :
5.1.2600.0 C:\WINNT\system32\notepad.exe
5.1.2600.0 C:\WINNT\notepad.exe
*Media Player version :
9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q324929;Q810847;Q818529;Q813951;Q330994;Q828750;Q824145;Q837009;Q832894;Q831167;



Locked or 'Suspect' file(s) found...
\\?\C:\WINNT\System32\HLP.DLL +++ File read error
\\?\C:\WINNT\System32\HLP.DLL +++ File read error


Scanning for main Hijacker:
File found was C:\WINNT\System32\CDCDJ.DLL
Md5 tested As 0758CF635DF08AC381962F74832B6484


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
@="NAV Helper"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EE80FCD5-B5CA-411B-A63A-E0F56443C702}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{EE39DB91-F687-42BD-AFBE-702D9DE905C1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{EE39DB91-F687-42BD-AFBE-702D9DE905C1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/xml]
"CLSID"="{807553E5-5146-11D5-A672-00B0D022E945}"


! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_Dlls REG_SZ

*Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM




 

Run start.bat again and choose option 2. Hit '1' and enter dll name manually:
C:\WINNT\System32\CDCDJ.DLL

Download and run AdAware : http://www.lavasoft.de/software/adaware/ (make sure you have latest updates) and run it.

Also run CWShredder finally to clean up other entries.

When you are done, run HijackThis again and post the new log, so we can see if it all worked out as planned.

Regards,

Pieter

 

Hey Pieter, thanks for all the help so far. How do you know all this stuff about rare spywares??

Anyway, some of the problems have gone away. Windows Media Player no longer comes up on boot.

There still seems to be some speed lag issues...

And the IE homepage has remained on google.com today, but I fear something might change it to the spyware site again...

Here's the latest logs...what else do you think I should remove to finally get rid of this thing?!?

Here's the start.bat log, I'm not sure if this was successfull. Something about the m5 of the file didn't match:

CWSDLL/Searchx Appinit Fix By Shadowwar
Version 3.01 060504
Please Do not mirror Without Permission!
I can be contacted at spywaresubmit at aol.com
Sun 06/13/2004
01:54 PM

Backing up Registry Hive

The operation completed successfully

Deleting Windows Key

The operation completed successfully

Adding Test Windows Key

The operation completed successfully

Restoring temp Values Key

The operation completed successfully

Deleting Bad Appinit Value

The operation completed successfully


Backup of Modified Hiv

The operation completed successfully

Deleting test Windows key

The operation completed successfully

Deleting Filter text
Running from C:\Documents and Settings\Administrator\Desktop\spyware\hi\dllfix
Scanning for Locked File
Unlocking Locked File

C:\WINNT\System32\HLP.DLL
Processing File Manually
C:\WINNT\system32\CDCDJ.DLL
Md5 Check of C:\WINNT\system32\CDCDJ.DLL

Md5 tested As
File was found but md5 didnt match
MD5 was:
Resetting file attributes
Processing ACL of: <\\?\C:\WINNT\system32\CDCDJ.DLL>

SetACL finished with error(s):
SetACL error message: The call to SetNamedSecurityInfo () failed
Operating system error message: The system cannot find the file specified.
File was zipped for submission to Shadowwar
File is located at C:\Documents and Settings\Administrator\Desktop\spyware\hi\dllfix\submit.zip
please Email a copy to spywaresubmit at aol.com
Please include a link to your post.
File is still in original location now unlocked.
It is now ok to proceed with Rest of Cleanup.

Adding Back Windows Key

The operation completed successfully

Restoring Registry Hive

The operation completed successfully


Restoring Cleaned Appinit Value

The operation completed successfully


--------------------

And here's the lavasoft AdWare log. It found two CoolWWW things:


Lavasoft Ad-aware Personal Build 6.181
Logfile created on :Sunday, June 13, 2004 2:03:05 PM
Created with Ad-aware Personal, free for private use.
Using reference-file :01R318 13.06.2004
______________________________________________________

Reffile status:
=========================
Reference file loaded:
Reference Number : 01R318 13.06.2004
Internal build : 250
File location : C:\Program Files\Lavasoft\Ad-aware 6\reflist.ref
Total size : 1241033 Bytes
Signature data size : 1220738 Bytes
Reference data size : 20231 Bytes
Signatures total : 27180
Target categories : 10
Target families : 497

Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium IV
Memory available:59 %
Total physical memory:523244 kb
Available physical memory:306972 kb
Total page file size:886600 kb
Available on page file:722716 kb
Total virtual memory:2097024 kb
Available virtual memory:2051124 kb
OS:

Ad-aware Settings
=========================
Set : Activate in-depth scan (Recommended)
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-aware Settings
=========================
Set : Unload recognized processes during scanning
Set : Reanalyze result after scanning, before displaying result list
Set : Run scan as background process (Low CPU usage)
Set : Include basic Ad-aware settings in logfile
Set : Include additional Ad-aware settings in logfile
Set : Let windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Always back up reference file, before updating
Set : Play sound if scan produced a result


6-13-2004 2:03:05 PM - Scan started. (Smart mode)

Listing running processes
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ThreadCreationTime : 6-13-2004 5:57:56 PM
BasePriority : Normal


#:2 [winlogon.exe]
FilePath : \??\C:\WINNT\system32\
ThreadCreationTime : 6-13-2004 5:58:01 PM
BasePriority : High


#:3 [services.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 6-13-2004 5:58:01 PM
BasePriority : Normal
FileSize : 99 KB
FileVersion : 5.1.2600.0 (xpclient.010817-114
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
OriginalFilename : services.exe
ProductName : Microsoft
Created on : 1/1/1980 6:00:00 AM
Last accessed : 6/13/2004 5:06:09 PM
Last modified : 8/29/2002 1:00:00 PM

#:4 [lsass.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 6-13-2004 5:58:01 PM
BasePriority : Normal
FileSize : 11 KB
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
OriginalFilename : lsass.exe
ProductName : Microsoft
Created on : 1/1/1980 6:00:00 AM
Last accessed : 6/13/2004 5:05:38 PM
Last modified : 8/29/2002 1:00:00 PM

#:5 [svchost.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 6-13-2004 5:58:02 PM
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-114
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 1/1/1980 6:00:00 AM
Last accessed : 6/13/2004 5:05:38 PM
Last modified : 8/29/2002 1:00:00 PM

#:6 [svchost.exe]
FilePath : C:\WINNT\System32\
ThreadCreationTime : 6-13-2004 5:58:02 PM
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-114
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 1/1/1980 6:00:00 AM
Last accessed : 6/13/2004 5:05:38 PM
Last modified : 8/29/2002 1:00:00 PM

#:7 [spoolsv.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 6-13-2004 5:58:04 PM
BasePriority : Normal
FileSize : 50 KB
FileVersion : 5.1.2600.0 (XPClient.010817-114
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
OriginalFilename : spoolsv.exe
ProductName : Microsoft
Created on : 1/1/1980 6:00:00 AM
Last accessed : 6/13/2004 5:06:09 PM
Last modified : 8/29/2002 1:00:00 PM

#:8 [ccevtmgr.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ThreadCreationTime : 6-13-2004 5:58:04 PM
BasePriority : Normal
FileSize : 309 KB
FileVersion : 1.03.4
ProductVersion : 1.03.4
Copyright : Copyright (c) 2000-2002 Symantec Corporation. All rights reserved.
CompanyName : Symantec Corporation
FileDescription : Event Manager Service
InternalName : ccEvtMgr
OriginalFilename : ccEvtMgr.exe
ProductName : Event Manager
Created on : 11/13/2002 8:44:02 PM
Last accessed : 6/13/2004 5:05:38 PM
Last modified : 11/13/2002 8:44:02 PM

#:9 [explorer.exe]
FilePath : C:\WINNT\
ThreadCreationTime : 6-13-2004 5:58:10 PM
BasePriority : Normal
FileSize : 980 KB
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
OriginalFilename : EXPLORER.EXE
ProductName : Microsoft
Created on : 1/1/1980 6:00:00 AM
Last accessed : 6/13/2004 6:01:20 PM
Last modified : 8/29/2002 1:00:00 PM

#:10 [acsd.exe]
FilePath : C:\PROGRA~1\COMMON~1\AOL\ACS\
ThreadCreationTime : 6-13-2004 5:58:13 PM
BasePriority : Normal
FileSize : 1376 KB
FileVersion : 1,0,24,9
ProductVersion : 1,0,24,9
Copyright : Copyright
CompanyName : America Online, Inc.
FileDescription : AOL Connectivity Service
InternalName : acsd
OriginalFilename : acsd.exe
ProductName : AOL Connectivity Service
Created on : 9/3/2003 7:01:45 PM
Last accessed : 6/13/2004 5:05:38 PM
Last modified : 4/8/2004 1:17:46 PM

#:11 [ati2evxx.exe]
FilePath : C:\WINNT\System32\
ThreadCreationTime : 6-13-2004 5:58:13 PM
BasePriority : Normal
FileSize : 132 KB
Created on : 1/1/1980 6:00:00 AM
Last accessed : 6/13/2004 5:05:38 PM
Last modified : 8/29/2002 11:08:34 PM

#:12 [jsdaemon.exe]
FilePath : c:\jetsuite\
ThreadCreationTime : 6-13-2004 5:58:13 PM
BasePriority : Normal
FileSize : 44 KB
FileVersion : 4.0.21.0
ProductVersion : 4.0.21.0
Copyright : Copyright
CompanyName : JetFax, Inc.
FileDescription : JetFax NT MFP Daemon Service
InternalName : The Daemon
OriginalFilename : JSdaemon.exe
ProductName : JetSuite
Created on : 12/12/2002 3:48:34 AM
Last accessed : 6/13/2004 5:05:07 PM
Last modified : 9/22/1999 3:48:52 PM

#:13 [navapsvc.exe]
FilePath : C:\Program Files\Norton AntiVirus\
ThreadCreationTime : 6-13-2004 5:58:14 PM
BasePriority : Normal
FileSize : 113 KB
FileVersion : 9.05.1015
ProductVersion : 9.05.1015
Copyright : Copyright (c) 2000-2002 Symantec Corporation. All rights reserved.
CompanyName : Symantec Corporation
FileDescription : Norton AntiVirus Auto-Protect Service
InternalName : NAVAPSVC
OriginalFilename : NAVAPSVC.EXE
ProductName : Norton AntiVirus
Created on : 11/14/2002 11:41:26 PM
Last accessed : 6/13/2004 5:05:38 PM
Last modified : 11/14/2002 11:41:26 PM

#:14 [nprotect.exe]
FilePath : C:\Program Files\Norton AntiVirus\AdvTools\
ThreadCreationTime : 6-13-2004 5:58:14 PM
BasePriority : Normal
FileSize : 132 KB
FileVersion : 16.00.0.22
ProductVersion : 16.00.0.22
Copyright : Copyright (C) 2003 Symantec Corporation
CompanyName : Symantec Corporation
FileDescription : Norton Protection Status
InternalName : NPROTECT
OriginalFilename : NPROTECT.EXE
ProductName : Norton Utilities
Created on : 2/13/2003 2:30:57 AM
Last accessed : 6/13/2004 5:05:38 PM
Last modified : 8/14/2002 10:03:00 AM

#:15 [prismxl.sys]
FilePath : C:\Program Files\Common Files\Lanovation\PrismXL\
ThreadCreationTime : 6-13-2004 5:58:14 PM
BasePriority : Normal
FileSize : 56 KB
FileVersion : 4.10
ProductVersion : 4.10
Copyright : Copyright
CompanyName : Lanovation
FileDescription : PrismXL Service
InternalName : PrismXL Service
OriginalFilename : PrismXL.sys
ProductName : PrismXL Software Family
Created on : 12/4/2002 7:38:41 AM
Last accessed : 6/13/2004 5:05:38 PM
Last modified : 8/19/2002 5:00:00 AM

#:16 [svchost.exe]
FilePath : C:\WINNT\System32\
ThreadCreationTime : 6-13-2004 5:58:17 PM
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-114
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 1/1/1980 6:00:00 AM
Last accessed : 6/13/2004 5:05:38 PM
Last modified : 8/29/2002 1:00:00 PM

#:17 [wanmpsvc.exe]
FilePath : C:\WINNT\
ThreadCreationTime : 6-13-2004 5:58:17 PM
BasePriority : Normal
FileSize : 64 KB
FileVersion : 7, 0, 0, 2
ProductVersion : 7, 0, 0, 2
Copyright : Copyright
CompanyName : America Online, Inc.
FileDescription : Wan Miniport (ATW) Service
InternalName : WanMPSvc
OriginalFilename : WanMPSvc.exe
ProductName : America Online
Created on : 12/12/2002 2:02:07 AM
Last accessed : 6/13/2004 5:06:09 PM
Last modified : 4/19/2002 3:58:38 PM

#:18 [notepad.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 6-13-2004 6:00:41 PM
BasePriority : Normal
FileSize : 64 KB
FileVersion : 5.1.2600.0 (xpclient.010817-114
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Notepad
InternalName : Notepad
OriginalFilename : NOTEPAD.EXE
ProductName : Microsoft
Created on : 1/1/1980 6:00:00 AM
Last accessed : 6/13/2004 6:00:44 PM
Last modified : 8/29/2002 1:00:00 PM

#:19 [syntplpr.exe]
FilePath : C:\Program Files\Synaptics\SynTP\
ThreadCreationTime : 6-13-2004 6:00:43 PM
BasePriority : Normal
FileSize : 124 KB
FileVersion : 6.3.10 03Jun02
ProductVersion : 6.3.10 03Jun02
Copyright : Copyright (C) Synaptics, Inc. 1996-2002
CompanyName : Synaptics, Inc.
FileDescription : TouchPad Driver Helper Application
InternalName : SynTPLpr
OriginalFilename : SynTPLpr.exe
ProductName : Progressive Touch
Created on : 1/1/1980 6:00:00 AM
Last accessed : 6/13/2004 5:57:56 PM
Last modified : 6/3/2002 10:17:00 PM

#:20 [syntpenh.exe]
FilePath : C:\Program Files\Synaptics\SynTP\
ThreadCreationTime : 6-13-2004 6:00:44 PM
BasePriority : Normal
FileSize : 528 KB
FileVersion : 6.3.10 03Jun02
ProductVersion : 6.3.10 03Jun02
Copyright : Copyright (C) Synaptics, Inc. 1996-2002
CompanyName : Synaptics, Inc.
FileDescription : Synaptics TouchPad Enhancements
InternalName : Scrolleroo
OriginalFilename : SynTPEnh.exe
ProductName : Progressive Touch
Created on : 1/1/1980 6:00:00 AM
Last accessed : 6/13/2004 5:57:56 PM
Last modified : 6/3/2002 10:15:52 PM

#:21 [gwmdmmsg.exe]
FilePath : C:\WINNT\
ThreadCreationTime : 6-13-2004 6:00:44 PM
BasePriority : Normal
FileSize : 64 KB
FileVersion : 3.4.16 05/06/2002 19:12:44
ProductVersion : 3.4.16 05/06/2002 19:12:44
Copyright : Copyright
CompanyName : GTW
FileDescription : Modem Messaging Applet
InternalName : smdmstat.exe
OriginalFilename : smdmstat.exe
ProductName : GTW Modem Messaging Applet
Created on : 1/1/1980 6:00:00 AM
Last accessed : 6/13/2004 5:57:56 PM
Last modified : 5/6/2002 8:12:44 PM

#:22 [atiptaxx.exe]
FilePath : C:\Program Files\ATI Technologies\ATI Control Panel\
ThreadCreationTime : 6-13-2004 6:00:44 PM
BasePriority : Normal
FileSize : 284 KB
FileVersion : 6.13.10.3030
ProductVersion : 6.13.10.3030
Copyright : Copyright (C) 1998-2002 ATI Technologies Inc.
CompanyName : ATI Technologies, Inc.
FileDescription : ATI Desktop Control Panel
InternalName : Atiptaxx.exe
OriginalFilename : Atiptaxx.exe
ProductName : ATI Desktop Component
Created on : 12/4/2002 7:38:37 AM
Last accessed : 6/13/2004 6:01:19 PM
Last modified : 8/22/2002 9:10:28 PM

#:23 [gwhotkey.exe]
FilePath : C:\WINNT\
ThreadCreationTime : 6-13-2004 6:00:44 PM
BasePriority : Normal
FileSize : 96 KB
FileVersion : 6.5
ProductVersion : 6.5
Copyright : Copyright
CompanyName : BillP Studios
FileDescription : Multi-function Keyboard By Bill Pytlovany
ProductName : Gateway Multi-function Keyboard Utility
Created on : 12/4/2002 8:40:22 AM
Last accessed : 6/13/2004 5:57:56 PM
Last modified : 8/28/2001 5:13:28 PM

#:24 [directcd.exe]
FilePath : C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\
ThreadCreationTime : 6-13-2004 6:00:45 PM
BasePriority : Normal
FileSize : 668 KB
FileVersion : 5.3.2.35
ProductVersion : 5.3.2.35
Copyright : Copyright (c) 2001,2002, Roxio, Inc.
CompanyName : Roxio
FileDescription : DirectCD Application
InternalName : DirectCD
OriginalFilename : Directcd.exe
ProductName : DirectCD
Created on : 12/4/2002 8:46:41 AM
Last accessed : 6/13/2004 5:57:56 PM
Last modified : 10/4/2002 12:50:14 AM

#:25 [ccapp.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ThreadCreationTime : 6-13-2004 6:00:45 PM
BasePriority : Normal
FileSize : 53 KB
FileVersion : 1.0.10.006
ProductVersion : 1.0.10.006
Copyright : Copyright (c) 2000-2002 Symantec Corporation. All rights reserved.
CompanyName : Symantec Corporation
FileDescription : Common Client CC App
InternalName : ccApp
OriginalFilename : ccApp.exe
ProductName : Common Client
Created on : 12/25/2003 9:31:53 AM
Last accessed : 6/13/2004 5:57:56 PM
Last modified : 12/2/2003 9:11:04 PM

#:26 [ctfmon.exe]
FilePath : C:\WINNT\System32\
ThreadCreationTime : 6-13-2004 6:00:47 PM
BasePriority : Normal
FileSize : 13 KB
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
CompanyName : Microsoft Corporation
FileDescription : CTF Loader
InternalName : CTFMON
OriginalFilename : CTFMON.EXE
ProductName : Microsoft
Created on : 1/1/1980 6:00:00 AM
Last accessed : 6/13/2004 5:57:56 PM
Last modified : 8/29/2002 1:00:00 PM

#:27 [aolwasher.exe]
FilePath : C:\Program Files\Cookie Washer\
ThreadCreationTime : 6-13-2004 6:00:47 PM
BasePriority : Normal
FileSize : 2912 KB
FileVersion : 4.0.1.9
ProductVersion : 4.0
Copyright : Copyright 1998, 1999, 2000, 2001 Webroot Software, Inc.
CompanyName : Webroot Software, Inc.
FileDescription : Cache & Cookie Washer
Created on : 6/8/2004 7:57:29 AM
Last accessed : 6/13/2004 5:58:00 PM
Last modified : 8/16/2001 3:34:14 PM

#:28 [jetstat.exe]
FilePath : C:\jetsuite\
ThreadCreationTime : 6-13-2004 6:00:50 PM
BasePriority : Normal
FileSize : 144 KB
FileVersion : 3.00.0197
ProductVersion : 3.00.0000
Copyright : Copyright
CompanyName : eFax.com
FileDescription : JetStat Application
InternalName : JETSTAT
OriginalFilename : JETSTAT.EXE
ProductName : JetSuite
Created on : 12/12/2002 3:47:47 AM
Last accessed : 6/13/2004 5:58:00 PM
Last modified : 10/13/1999 5:15:12 PM

#:29 [proxomitron.exe]
FilePath : C:\Program Files\Proxomitron Naoko-4\
ThreadCreationTime : 6-13-2004 6:00:50 PM
BasePriority : Normal
FileSize : 326 KB
FileVersion : 4, 4, 0, 0
ProductVersion : Naoko-4.4 2002-09-28
Copyright : Copyright
CompanyName : Groom-A-Zebu (tm)
FileDescription : The Proxomitron
InternalName : Pancreas frappe'
OriginalFilename : Proxomitron.exe
ProductName : Proxomitron
Created on : 10/4/2002 12:40:14 AM
Last accessed : 6/13/2004 6:01:20 PM
Last modified : 10/4/2002 12:40:14 AM

#:30 [msmsgs.exe]
FilePath : C:\Program Files\Messenger\
ThreadCreationTime : 6-13-2004 6:01:23 PM
BasePriority : Normal
FileSize : 1456 KB
FileVersion : 4.7.2009
ProductVersion : Version 4.7
Copyright : Copyright (c) Microsoft Corporation 1997-2003
CompanyName : Microsoft Corporation
FileDescription : Messenger
InternalName : msmsgs
OriginalFilename : msmsgs.exe
ProductName : Messenger
Created on : 4/15/2003 12:30:14 AM
Last accessed : 6/13/2004 5:49:14 PM
Last modified : 4/15/2003 12:30:14 AM

#:31 [jsfman.exe]
FilePath : c:\jetsuite\
ThreadCreationTime : 6-13-2004 6:01:46 PM
BasePriority : Normal
FileSize : 63 KB
FileVersion : 3.00.0197
ProductVersion : 3.00.0000
Copyright : Copyright
CompanyName : eFax.com
FileDescription : FaxMan32 Application
InternalName : JSFMAN32
OriginalFilename : JSFMAN32.EXE
ProductName : JetSuite
Created on : 12/12/2002 3:47:48 AM
Last accessed : 6/13/2004 5:05:07 PM
Last modified : 10/19/1999 9:03:10 PM

#:32 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-aware 6\
ThreadCreationTime : 6-13-2004 6:02:24 PM
BasePriority : Idle
FileSize : 668 KB
FileVersion : 6.0.1.181
ProductVersion : 6.0.0.0
Copyright : Copyright
CompanyName : Lavasoft Sweden
FileDescription : Ad-aware 6 core application
InternalName : Ad-aware.exe
OriginalFilename : Ad-aware.exe
ProductName : Lavasoft Ad-aware Plus
Created on : 6/5/2004 12:38:49 AM
Last accessed : 6/13/2004 6:01:13 PM
Last modified : 7/13/2003 1:00:20 AM

Memory scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0


Started registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0


Started deep registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Deep registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0


¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯


Deep scanning and examining files (C
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

CoolWebSearch Object recognized!
Type : File
Data : hlp.dll
Category : Malware
Comment :
Object : C:\WINNT\System32\
FileSize : 56 KB
Created on : 5/29/2004 6:13:19 AM
Last accessed : 6/13/2004 6:00:42 PM
Last modified : 5/29/2004 6:13:20 AM




Scanning Hosts file(C:\WINNT\System32\drivers\etc\hosts)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Hosts file scan result:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
1 entries scanned.
New objects :0
Objects found so far: 1




Performing conditional scans..
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

CoolWebSearch Object recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
Value : ITBarLayout


Conditional scan result:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 1
Objects found so far: 2


Reanalyzing scan result
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
No objects have been removed from the result list.


2:08:09 PM Scan complete

Summary of this scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Total scanning time :00:05:02:795
Objects scanned :53130
Objects identified :2
Objects ignored :0
New objects :2


-----------------------

And finally, here's the HijackThis log file:

Logfile of HijackThis v1.97.7
Scan saved at 2:18:02 PM, on 6/13/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\GWMDMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINNT\GWHotKey.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Cookie Washer\aolwasher.exe
C:\jetsuite\JETSTAT.EXE
C:\Program Files\Proxomitron Naoko-4\Proxomitron.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINNT\System32\Ati2evxx.exe
c:\jetsuite\jsdaemon.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\System32\svchost.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Desktop\HijackTHis\HijackThis.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080;https=localhost:8080
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
O4 - HKLM\..\Run: [Remndr] "C:\Program Files\CasinoOnline\CsRemnd.exe"
O4 - HKLM\..\Run: [PCDRealtime] C:\WINNT\realtime.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [ccWasher] C:\Program Files\Cookie Washer\aolwasher.exe /0
O4 - Startup: The Proxomitron.lnk = C:\Program Files\Proxomitron Naoko-4\Proxomitron.exe
O4 - Global Startup: HP LaserJet 3150 Status.lnk = C:\jetsuite\JETSTAT.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://downloadcenter.samsung.com/content/common/cab/DjVuControlLite_KR.cab
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/downl...-a3de-373c3e5552fc/msSecAdv.cab?1087057578700
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38150.3480902778
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab



---------------

All your help is greatly appreciated. What else do you think I should try?


Sameer

 

Hi Sameer,

There is no more spyware in sight in your log. I assume you let AdAware fix the two it found?

Are the speed issues only on the internet or the entire computer in general?

Regards,

Pieter