please help me remove about:blank.. here's my log :)

Discussion in 'adware, spyware & hijack cleaning' started by bomp, May 9, 2004.

Thread Status:
Not open for further replies.
  1. bomp

    bomp Registered Member

    Joined:
    May 6, 2004
    Posts:
    6
    I'll be forever grateful if you could please help me to get rid of cws.searchx...
    :))

    here is my log

    Logfile of HijackThis v1.97.7
    Scan saved at 15:17:10, on 09.05.2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\CTHELPER.EXE
    C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
    C:\Program Files\Logitech\ImageStudio\LogiTray.exe
    C:\Program Files\D-Tools\daemon.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\PROGRA~1\POP-UP~1\PSFree.exe
    C:\WINDOWS\System32\gearsec.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Logitech\ImageStudio\LowLight.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\mIRC\mirc.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\bomp\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\njlnmg.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\njlnmg.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\njlnmg.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\njlnmg.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\njlnmg.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\njlnmg.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {0906C26A-CE6A-42F5-A1AF-427E91D57564} - C:\WINDOWS\System32\pglbpo.dll (file missing)
    O2 - BHO: (no name) - {7E21247D-B3F4-408C-B206-8787DFE187ED} - C:\WINDOWS\System32\amipog.dll (file missing)
    O2 - BHO: (no name) - {E31966CC-012A-458D-B54C-23183A92D621} - C:\WINDOWS\System32\njlnmg.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
    O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
    O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
    O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\POP-UP~1\PSFree.exe"
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Research (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38028.4989699074
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Start with the following:
    Surf to http://www10.brinkster.com/expl0iter/freeatlast/PVtool.htm
    And download and unzip Find-All.zip
    Inside the unzipped folder find the file Find All.bat and doubleclick it.

    When it is done it will produce a file output.txt in that same folder.
    Post the content of that file and let me know if your system is dual-boot, whether you have an XP-CD or a bootdisk.

    Regards,

    Pieter
     
  3. bomp

    bomp Registered Member

    Joined:
    May 6, 2004
    Posts:
    6
    Thank you so much for helping me!
    I don't know what a "dual-boot" means, all I know is that I have an XP-cd..

    Here's the content of the find-all-file

    Regards, Elisabet :)



    --===**'FIND-ALL' VERSION 2, 5/04**===--

    System Info:
    C: "" (D887:4115) - FS:NTFS clusters:4k
    Total: 80 015 491 072 [75G] - Free: 3 943 636 992 [3.7G]


    Locked or 'Suspect' file(s) found...
    \\?\C:\WINDOWS\System32\D3DKBF.DLL +++ File read error
    \\?\C:\WINDOWS\System32\D3DKBF.DLL +++ File read error


    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""
    "DeviceNotSelectedTimeout"="15"
    "GDIProcessHandleQuota"=dword:00002710
    "Spooler"="yes"
    "swapdisk"=""
    "TransmissionRetryTimeout"="90"
    "USERProcessHandleQuota"=dword:00002710

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0906C26A-CE6A-42F5-A1AF-427E91D57564}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E21247D-B3F4-408C-B206-8787DFE187ED}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E31966CC-012A-458D-B54C-23183A92D621}]

    REGEDIT4

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
    @="AP Class Install Handler filter"
    "CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
    @="AP Deflate Encoding/Decoding Filter "
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
    @="AP GZIP Encoding/Decoding Filter "
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
    @="AP lzdhtml encoding/decoding Filter"
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
    "CLSID"="{A32F4301-463D-4C57-90EB-307961B38FFA}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
    "CLSID"="{A32F4301-463D-4C57-90EB-307961B38FFA}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
    @="WebView MIME Filter"
    "CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/xml]
    "CLSID"="{807553E5-5146-11D5-A672-00B0D022E945}"

    Class Install Handler
    {32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}
    C:\WINDOWS\system32\urlmon.dll

    deflate
    {8f6b0360-b80d-11d0-a9b3-006097942311}
    C:\WINDOWS\system32\urlmon.dll

    gzip
    {8f6b0360-b80d-11d0-a9b3-006097942311}
    C:\WINDOWS\system32\urlmon.dll

    lzdhtml
    {8f6b0360-b80d-11d0-a9b3-006097942311}
    C:\WINDOWS\system32\urlmon.dll

    text/html
    {A32F4301-463D-4C57-90EB-307961B38FFA}
    C:\WINDOWS\System32\njlnmg.dll

    text/plain
    {A32F4301-463D-4C57-90EB-307961B38FFA}
    C:\WINDOWS\System32\njlnmg.dll

    text/webviewhtml
    {733AC4CB-F1A4-11d0-B951-00A0C90312E1}
    %SystemRoot%\system32\SHELL32.dll

    text/xml
    {807553E5-5146-11D5-A672-00B0D022E945}
    C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL

    {A32F4301-463D-4C57-90EB-307961B38FFA} C:\WINDOWS\System32\njlnmg.dll
    {E31966CC-012A-458D-B54C-23183A92D621} C:\WINDOWS\System32\njlnmg.dll
    {A32F4301-463D-4C57-90EB-307961B38FFA} C:\WINDOWS\System32\njlnmg.dll
    {E31966CC-012A-458D-B54C-23183A92D621} C:\WINDOWS\System32\njlnmg.dll
    {807553E5-5146-11D5-A672-00B0D022E945} C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL

    _______________________________

    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

    {0906C26A-CE6A-42F5-A1AF-427E91D57564}
    C:\WINDOWS\System32\pglbpo.dll

    {7E21247D-B3F4-408C-B206-8787DFE187ED}
    C:\WINDOWS\System32\amipog.dll

    {E31966CC-012A-458D-B54C-23183A92D621}
    C:\WINDOWS\System32\njlnmg.dll

    --==***Probable "bad" file will be represented as
    C:\WINDOWS...System32...XXXX.dll***==--

    Handle v2.2
    Copyright (C) 1997-2004 Mark Russinovich
    Sysinternals - www.sysinternals.com

    ------------------------------------------------------------------------------
    winlogon.exe pid: 788 NT AUTHORITY\SYSTEM
    34: Section \BaseNamedObjects\2879067108ll
    38: File C:\WINDOWS\system32\d3dkbf.dll
    dc: File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
    158: Section \BaseNamedObjects\ShimSharedMemory
    1a4: File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
    1c0: File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
    1e4: File C:\WINDOWS\AppPatch
    1ec: File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
    210: File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\isapi\_vti_adm
    214: File C:\WINDOWS\system32\dllcache
    218: File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\_vti_bin\_vti_adm
    21c: File C:\WINDOWS\system32
    220: File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\isapi\_vti_aut
    224: File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\_vti_bin\_vti_aut
    228: File C:\WINDOWS\system32\inetsrv
    22c: File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bin
    230: File C:\WINDOWS\Fonts
    234: File C:\WINDOWS\system32\drivers
    238: File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\servsupp
    23c: File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bots\vinavbar
    240: File C:\Program Files\microsoft frontpage\version3.0\bin
    244: File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\_vti_bin
    248: File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bin\1033
    24c: File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\isapi
    250: File C:\WINDOWS
    254: File C:\Program Files\Common Files\Microsoft Shared\DAO
    258: File C:\Program Files\Windows Media Player
    25c: File C:\Program Files\Common Files\System\msadc
    260: File C:\Program Files\Common Files\System\ado
    264: File C:\Program Files\Common Files\System\Ole DB
    268: File C:\WINDOWS\inf
    26c: File C:\WINDOWS\system
    270: File C:\WINDOWS\msagent
    274: File C:\WINDOWS\msagent\intl
    278: File C:\Program Files\MSN Gaming Zone\Windows
    27c: File C:\WINDOWS\Help
    280: File C:\WINDOWS\PCHEALTH\HELPCTR\Binaries
    284: File C:\Program Files\NetMeeting
    288: File C:\WINDOWS\system32\drivers\disdn
    28c: File C:\WINDOWS\ime\CHTIME\Applets
    290: File C:\WINDOWS\system32\wbem
    294: File C:\WINDOWS\system32\IME\CINTLGNT
    298: File C:\WINDOWS\system32\Com
    29c: File C:\WINDOWS\system32\Setup
    2a0: File C:\WINDOWS\ime\imjp8_1
    2a4: File C:\Program Files\Common Files\Microsoft Shared\Triedit
    2a8: File C:\Program Files\Windows NT
    2ac: File C:\Program Files\Common Files\System
    2b0: File C:\WINDOWS\system32\1033
    2b4: File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\admcgi\scripts
    2b8: File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\admisapi\scripts
    2bc: File C:\WINDOWS\system32\usmt
    2c0: File C:\WINDOWS\ime\imkr6_1\dicts
    2c4: File C:\WINDOWS\system32\mui\0009
    2c8: File C:\Program Files\Internet Explorer
    2cc: File C:\WINDOWS\ime\imjp8_1\applets
    2d0: File C:\WINDOWS\ime\imkr6_1\applets
    2d4: File C:\WINDOWS\system32\xircom
    2d8: File C:\Program Files\Internet Explorer\Connection Wizard
    2dc: File C:\Program Files\Common Files\Microsoft Shared\MSInfo
    2e0: File C:\WINDOWS\ime\imkr6_1
    2e4: File C:\WINDOWS\ime\shared
    2e8: File C:\WINDOWS\system32\IME\PINTLGNT
    2ec: File C:\Program Files\Common Files\SpeechEngines\Microsoft\Lexicon\1033
    2f0: File C:\WINDOWS\Resources\Themes\Luna
    2f4: File C:\Program Files\Movie Maker
    2f8: File C:\WINDOWS\ime
    30c: File C:\WINDOWS\srchasst
    310: File C:\Program Files\Outlook Express
    314: File C:\WINDOWS\system32\oobe
    318: File C:\Program Files\Common Files\MSSoap\Binaries
    31c: File C:\Program Files\Common Files\MSSoap\Binaries\Resources\1033
    320: File C:\WINDOWS\mui
    324: File C:\WINDOWS\system32\npp
    328: File C:\WINDOWS\ime\shared\res
    32c: File C:\Program Files\Windows NT\Pinball
    330: File C:\WINDOWS\ime\chsime\applets
    350: File C:\WINDOWS\system32\Restore
    358: File C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS\1033
    374: File C:\Program Files\Common Files\Microsoft Shared\Speech
    378: File C:\WINDOWS\Resources\Themes\Luna\Shell\NormalColor
    37c: File C:\WINDOWS\Resources\Themes\Luna\Shell\Homestead
    380: File C:\WINDOWS\Resources\Themes\Luna\Shell\Metallic
    384: File C:\WINDOWS\system32\wbem\snmp
    388: File C:\Program Files\Common Files\SpeechEngines\Microsoft
    38c: File C:\Program Files\Common Files\Microsoft Shared\Speech\1033
    390: File C:\WINDOWS\system32\spool\drivers\color
    394: File C:\WINDOWS\system32\IME\TINTLGNT
    398: File C:\WINDOWS\Help\Tours\mmTour
    39c: File C:\WINDOWS\PCHEALTH\UploadLB\Binaries
    3a0: File C:\Program Files\Common Files\Microsoft Shared\VGX
    3a4: File C:\WINDOWS\system32\wbem\xml
    3a8: File C:\Program Files\Windows NT\Accessories
    3ac: File C:\Program Files\xerox\nwwia
    3bc: File C:\WINDOWS\WinSxS
    658: File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
    6d4: Section \BaseNamedObjects\mmGlobalPnpInfo
    6ec: Section \BaseNamedObjects\WDMAUD_Device_Interface_Path
    73c: Section \BaseNamedObjects\WDMAUD_Callbacks
    74c: Section \BaseNamedObjects\WDMAUD_Path_Size
    758: File C:\WINDOWS\system32
    7f8: Section \BaseNamedObjects\__R_000000000007_SMem__
    
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi bomp,

    This will be very tricky, so if you have any questions don't proceed, but ask first.

    Set your computer to boot from CD and insert the XP CD
    When you restart your computer WITH THE WINXP CD in the drive, it will/should ask you to HIT ANY KEY TO BOOT FROM CD (something like that) At that time you have about 2 or 3 seconds to press a key before it moves on to boot to the hard drive.

    Once you've done that then you need to select R for recovery console.
    Here is a description of the Recovery Console:
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;314058

    Delete C:\WINDOWS\System32\D3DKBF.DLL

    Then reboot normally and download and run CWShredder
    Use the Fix button and follow the instructions provided by the program.

    Then ownload Ad-Aware at lavasoft.usa.com
    After installing AAW, and before running the program, update by using the Globe icon.
    Shut down and restart Ad-Aware.
    Now press "Scan Now", "Select drives\folders to scan" and select the active partition (usually C: ), then 'next', and let Ad-Aware scan your drives.
    It will find a number of "bad" files and registry keys. Click 'Next' again.
    Rightclick in that panel and choose "select all" and click 'next'.
    It will ask you whether you'd like to remove all checked items. Click OK.
    Finally, close Ad-Aware, and reboot.

    After that reboot post a new HijackThis log.

    Regards,

    Pieter
     
  5. bomp

    bomp Registered Member

    Joined:
    May 6, 2004
    Posts:
    6
    Hi, I get to the recovery console, but I don't know how to delete a file from this place.. I could try, but you told me to ask before I proceed :)
     
  6. bomp

    bomp Registered Member

    Joined:
    May 6, 2004
    Posts:
    6
    Oh, I found it on the link you gave me, so you don't have to tell me, thank you anyway : )
     
  7. bomp

    bomp Registered Member

    Joined:
    May 6, 2004
    Posts:
    6
    I followed your instructions, and here is the new hijackthis-log


    Logfile of HijackThis v1.97.7
    Scan saved at 21:59:28, on 09.05.2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\userinit.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\CTHELPER.EXE
    C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
    C:\Program Files\Logitech\ImageStudio\LogiTray.exe
    C:\Program Files\D-Tools\daemon.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\PROGRA~1\POP-UP~1\PSFree.exe
    C:\Program Files\Logitech\ImageStudio\LowLight.exe
    C:\WINDOWS\System32\gearsec.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Documents and Settings\bomp\Desktop\HijackThis.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\imapi.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {0906C26A-CE6A-42F5-A1AF-427E91D57564} - C:\WINDOWS\System32\pglbpo.dll (file missing)
    O2 - BHO: (no name) - {7E21247D-B3F4-408C-B206-8787DFE187ED} - C:\WINDOWS\System32\amipog.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
    O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
    O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
    O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\POP-UP~1\PSFree.exe"
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Research (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38028.4989699074
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi bomp,

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

    O2 - BHO: (no name) - {0906C26A-CE6A-42F5-A1AF-427E91D57564} - C:\WINDOWS\System32\pglbpo.dll (file missing)
    O2 - BHO: (no name) - {7E21247D-B3F4-408C-B206-8787DFE187ED} - C:\WINDOWS\System32\amipog.dll (file missing)

    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE

    Then reboot.
    Download and run CWShredder
    Use the Fix button and follow the instructions provided by the program.

    Download Ad-Aware at lavasoft.usa.com
    After installing AAW, and before running the program, update by using the Globe icon.
    Shut down and restart Ad-Aware.
    Now press "Scan Now", "Select drives\folders to scan" and select the active partition (usually C: ), then 'next', and let Ad-Aware scan your drives.
    It will find a number of "bad" files and registry keys. Click 'Next' again.
    Rightclick in that panel and choose "select all" and click 'next'.
    It will ask you whether you'd like to remove all checked items. Click OK.
    Finally, close Ad-Aware, and reboot.

    You should at least get Windows and IE updated.
    And read this https://www.wilderssecurity.com/showthread.php?t=27971

    Another important tool would be a firewall.
    and use it to block these ranges of IP addresses, both incoming and outgoing 213.159.117.0-213.159.118.255, 209.66.114.0-209.66.115.255 and 81.211.105.0-81.211.105.255 both TCP & UDP
    that stops the known cws servers responding or the hidden files on your computer updating. This works sometimes but not always, but it's a help with many versions of the cws pest. The problem with this approach is that some good sites might also be blocked (which I doubt).

    Regards,

    Pieter
     
  9. bomp

    bomp Registered Member

    Joined:
    May 6, 2004
    Posts:
    6
    It seems like it's gone! I can't believe it's really gone, I've been trying to remove it for a month now, thank you so much!!
     
  10. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
Thread Status:
Not open for further replies.