just when a girl thinks she's locked the baddies out!

Discussion in 'adware, spyware & hijack cleaning' started by tansy, Mar 14, 2004.

Thread Status:
Not open for further replies.
  1. tansy

    tansy Registered Member

    Joined:
    Mar 13, 2004
    Posts:
    11
    Location:
    New Zealand1
    hi, I have protected my computer since new, with Zone Alarm Pro, Adaware, Spybot Search and Destroy, Scriptrap, Webwasher, and AVG. (the latter religiously updated, and backed up by weekly online scans via several companies on a rotational basis. Being paranoid, I've also recently added SpywareGuard and SpywareBlaster.
    While the above combination ensures my internet time to be generally hassle free, I've today performed an online PestPatrol scan, and downloaded/run the CWShredder program, both of which find flaws my onboard systems fail to flag.
    These are connected to Fresh Devices software. (PestPatrol) and CWShredder also finds a problem.
    I can live with the Fresh Devices issues...I find their programs useful, and as mentioned above, I surf quite cleanly, but the CW beastie is another matter entirely. I am curious as to how this sneaked past my computer 'sentries', for if it can...what else might - something more harmful?
    I'd much appreciate someone perusing my HiJackthis/CWShredder logs, and provide comments/advice. I don't feel so smug about my security anymore. :( Thanks in advance.
    Kiwigirl.

    Logfile of HijackThis v1.97.7
    Scan saved at 6:04:15 p.m., on 14/03/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZAPRO.EXE
    C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
    C:\WINDOWS\NOTEPAD.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\TEMP\TD_0001.DIR\HIJACKTHIS.EXE
    C:\WINDOWS\NOTEPAD.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.orcon.net.nz/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 194.63.229.137:80
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://security.kolla.de/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://security.kolla.de/
    O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - C:\PROGRA~1\FRESHD~1\FRESHD~2\FDCATCH.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1.1\SDHELPER.DLL
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKCU\..\Run: [WebWasher] C:\PROGRAM FILES\WEBWASHER\WWASHER.EXE
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Download with &FD - file://C:\PROGRAM FILES\FRESHDEVICES\FRESHDOWNLOAD\fdiectx.htm
    O8 - Extra context menu item: Download &All by FD - file://C:\PROGRAM FILES\FRESHDEVICES\FRESHDOWNLOAD\fdiectx2.htm
    O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
    O9 - Extra button: Yahoo! Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: ICQ (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
    O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .vbs: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37875.3965972222
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {D32C3BAD-5213-49BD-A7D5-E6DE6C0D8249} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {638AF6A2-81A1-4655-9FFA-9FC09CDE22CF} (CScanner Object) - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/virusinfo/webscan.cab
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft.com/security/controls/DoomCln.CAB



    CWShredder log

    Windows ME (4.90.3000 )
    Windows dir: C:\WINDOWS
    Windows system dir: C:\WINDOWS\system
    AppData folder: C:\WINDOWS\Application Data
    Username: noname

    Found Hosts file: C:\WINDOWS\hosts (309299 bytes, R)
    Found CWS.Control (if filesize is over 50k) file: C:\WINDOWS\control.exe (2144 bytes, A)
    Registry value: DefaultPrefix (should be http://) [] http://
    Registry value: WWW Prefix (should be http://) [www] http://
    Registry value: Mosaic Prefix (should be http://) [mosaic] http://
    Registry value: Home Prefix (should be http://) [home] http://
    Found Win.ini file: C:\WINDOWS\win.ini (8358 bytes, A)
    Found line in Win.ini: load=
    Found line in Win.ini: run=
    Found System.ini file: C:\WINDOWS\system.ini (2179 bytes, A)
    Found line in System.ini: shell=Explorer.exe

    - END OF REPORT -
     
  2. tansy

    tansy Registered Member

    Joined:
    Mar 13, 2004
    Posts:
    11
    Location:
    New Zealand1
    ps to my post.
    PestPatrol also found 2 references to bridge.
    I forgot to mention this.
     
  3. subratam

    subratam Registered Member

    Joined:
    Nov 14, 2003
    Posts:
    1,310
    Location:
    Issaquah, WA
    Hi kiwigirl,

    nice to have you here and a warm welcome :),
    ok , first things first.
    Make a new folder in My Documents, name it HijackThis or any other suitable name you like. Bring the Hijack program from temp folder, where it is now , to the folder you created.
    Run Hijack from its own folder and post the new log.
    experts will soon be here to help you out :)
     
  4. tansy

    tansy Registered Member

    Joined:
    Mar 13, 2004
    Posts:
    11
    Location:
    New Zealand1
    I ran HiJackthis from a folder I download programs to prior to virus scanning and installing...not from temp folder. I have done as you requested however. This log is via Documents folder.

    Logfile of HijackThis v1.97.7
    Scan saved at 9:40:57 p.m., on 14/03/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZAPRO.EXE
    C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\TEMP\TD_0016.DIR\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.orcon.net.nz/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 194.63.229.137:80
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://security.kolla.de/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://security.kolla.de/
    O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - C:\PROGRA~1\FRESHD~1\FRESHD~2\FDCATCH.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1.1\SDHELPER.DLL
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKCU\..\Run: [WebWasher] C:\PROGRAM FILES\WEBWASHER\WWASHER.EXE
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Download with &FD - file://C:\PROGRAM FILES\FRESHDEVICES\FRESHDOWNLOAD\fdiectx.htm
    O8 - Extra context menu item: Download &All by FD - file://C:\PROGRAM FILES\FRESHDEVICES\FRESHDOWNLOAD\fdiectx2.htm
    O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
    O9 - Extra button: Yahoo! Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: ICQ (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
    O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .vbs: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37875.3965972222
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {D32C3BAD-5213-49BD-A7D5-E6DE6C0D8249} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {638AF6A2-81A1-4655-9FFA-9FC09CDE22CF} (CScanner Object) - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/virusinfo/webscan.cab
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft.com/security/controls/DoomCln.CAB
     
  5. subratam

    subratam Registered Member

    Joined:
    Nov 14, 2003
    Posts:
    1,310
    Location:
    Issaquah, WA
    kiwigirl,
    Just do wait for sometime.. have patience.. because of different time zones, people here are not present at a particular times. some Expert will come soon and see if there is any problem and help you out

    till then.. have a nice time

    thanks
     
  6. tansy

    tansy Registered Member

    Joined:
    Mar 13, 2004
    Posts:
    11
    Location:
    New Zealand1
    Thanks subratam, I appreciate the time difference. Its a few minutes after 10pm here. I'll be going to bed soon...before much of the world wakes up this morning. :D
     
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi Kiwichick23,

    I see no problem in your HijackThis log, nor in your CWShredder log.

    Do you have any real symptoms?

    Regards,

    Pieter
     
  8. tansy

    tansy Registered Member

    Joined:
    Mar 13, 2004
    Posts:
    11
    Location:
    New Zealand1
    Thank you for checking things out Pieter.
    Your verdict is welcomed. My computer is mostly well behaved/trouble free, as is my time on the internet. (I appear to be one of the few who love Windows ME...so I'm obviously having a good experience.) I'm very security minded, and the Pest Patrol/CWShredder reports had me concerned, even though the flagged items appeared effectively 'disarmed' by my security programs.
    Might PestPatrol be flagging false positives?
    re CWShredder; I took the line "Found CWS.Control"
    etc to mean my computer was compromised by the "CW Control" variant. If its not...why are all the CWSlog entries indicating it is. A less cautious person, might have called upon Shredder to fix the indicated problem. (consequenceso_O)
    Very puzzling.
     
  9. tansy

    tansy Registered Member

    Joined:
    Mar 13, 2004
    Posts:
    11
    Location:
    New Zealand1
    Ouch!!!!!!!! Sorry about the multiple posts. Nothing seemed to happen my end, when I initially tried to post, and was getting the site unavailable error messages subsequently.
    Funny thing is...even after reconnecting to the internet, I couldn't open this site for 25 minutes. How did my message(s)get postedo_O
     
  10. k3dc

    k3dc Registered Member

    Joined:
    Feb 26, 2004
    Posts:
    33
    Location:
    Sunny Florida
    I have also been getting those same three reports- 2 Bridge and one CWS- from Pest Patrol. However, I can't find any trace of them in my registry or in my HijackThis log. I ran CWShredder, and the only file it really alerted on is a legitimate file. I told it "FIX" anyway, just to be sure, and yet I still get the same Pest partol report.

    I've come to the conclusion they're false positives (at least I hope they are). :doubt: Maybe one of the resident experts here can say for sure in your case; I'll be watching closely.
     
  11. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Hi kiwichick23 :)

    Your multiple postings probably had something to do with this site being down for quite a while this afternoon. ;)

    The time of your first reply coincides with the time this site crashed.

    Just to clean up a bit i will remove the first 2 duplicate postings.




    snowbound
     
  12. Vietnam Vet

    Vietnam Vet Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    306
    Hi Kiwichick23,

    The CWShredder tool is looking for certain entries, as you know. The log is showing you what it found as well as what it expects to see. For instance, the line you referred to:

    Found CWS.Control (if filesize is over 50k) file: C:\WINDOWS\control.exe (2144 bytes, A)

    Your control.exe is slightly over 2k, not the 50k size that CWShredder was looking for.

    None of the entries in your log were found to be the entries that would indicate a coolwebsearch infection. If you were indeed infected by coolwebsearch, I don't think there would be any doubt in your mind due to the way your system would behave.

    Hope that made sense to you. :)
     
  13. tansy

    tansy Registered Member

    Joined:
    Mar 13, 2004
    Posts:
    11
    Location:
    New Zealand1
    Thanks snowbound I was embarressed.
    Its one thing to lose your bikini top when diving into surf on a deserted beach, and quite another when the same beach is crowded, if you get my drift.

    To Vietnam_Vet;
    Yes thank you...I can't have been getting too much wrong these last 3 years. No virus', intruders or damaging exploits so far, and there is still another 1.5 Gb left on my C Drive for all the other security devices I'll need in the future. Next time I partition my drives I'll make my C drive 5 or 10 GB...I hardly use any of the other 45Gb available.
     
  14. CrystalSky

    CrystalSky Registered Member

    Joined:
    Feb 29, 2004
    Posts:
    6
Thread Status:
Not open for further replies.