They just keep coming back

Discussion in 'adware, spyware & hijack cleaning' started by Bent O., Jun 4, 2004.

Thread Status:
Not open for further replies.
  1. Bent O.

    Bent O. Registered Member

    Joined:
    Jun 4, 2004
    Posts:
    5
    I am running Spywareblaster. Every time I have re-booted my machine, Spywareblaster tells me that my machine is unprotected against the following three items: CoolWebSearch (982), OffshoreClicks, and XXXToolbar.
    I click to protect against them - but next time they are back again.

    I also have various scanners/cleaners installed. Ad-Aware detects nothing. Spybot detects and cleans a tracking cookie called Hitslink. And PestPatrol detects and cleans CWS.GoogleMS.3.
    But again, after I have rebooted they are there again.

    How can I definitely get rid of them?
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
  3. Bent O.

    They just keep coming back - 2

    My question was:

    I am running Spywareblaster. Every time I have re-booted my machine, Spywareblaster tells me that my machine is unprotected against the following three items: CoolWebSearch (982), OffshoreClicks, and XXXToolbar.
    I click to protect against them - but next time they are back again.

    I also have various scanners/cleaners installed. Ad-Aware detects nothing. Spybot detects and cleans a tracking cookie called Hitslink. And PestPatrol detects and cleans CWS.GoogleMS.3.
    But again, after I have rebooted they are there again.

    How can I definitely get rid of them?

    Now I have cleaned with Spybot and Ad-Aware, and I have run HijackThis. The log is enclosed. Thank you for your instructions.

    Logfile of HijackThis v1.97.7
    Scan saved at 18:20:26, on 04-06-2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\csrss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\ibmpmsvc.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Programmer\Alwil Software\Avast4\aswUpdSv.exe
    C:\Programmer\Alwil Software\Avast4\ashServ.exe
    C:\WINNT\System32\cisvc.exe
    C:\Programmer\Cisco Systems\VPN Client\cvpnd.exe
    C:\WINNT\system32\hidserv.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\system32\usrbridg.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\tp4serv.exe
    C:\WINNT\system32\PRPCUI.exe
    C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    C:\WINNT\System32\igfxtray.exe
    C:\WINNT\System32\hkcmd.exe
    C:\Programmer\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Programmer\Fælles filer\Adaptec Shared\CreateCD\CreateCD50.exe
    C:\Programmer\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\PROGRA~1\WANADOO\CnxMon.exe
    C:\Programmer\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\PROGRA~1\WANADOO\TaskbarIcon.exe
    C:\WINNT\LTSMMSG.exe
    C:\Programmer\PestPatrol\PPControl.exe
    C:\Programmer\PestPatrol\PPMemCheck.exe
    C:\Programmer\PestPatrol\CookiePatrol.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Programmer\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Programmer\Spybot - Search & Destroy\TeaTimer.exe
    C:\Programmer\Winzip\WZQKPICK.EXE
    C:\Programmer\Javacool\SpywareGuard\sgmain.exe
    C:\Programmer\Aluria Software\ASE\ASE Scheduler.exe
    C:\Programmer\Javacool\SpywareGuard\sgbhp.exe
    C:\WINNT\System32\cidaemon.exe
    C:\Programmer\Internet Explorer\iexplore.exe
    C:\Programmer\Hijack-this\hijackthis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Wanadoo
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.24:8080
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {2AB19551-A424-4CCE-B93D-2611E5EAE7F2} - C:\WINNT\System32\dholoaa.dll (disabled by BHODemon)
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Programmer\Javacool\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {695E0A22-2B3E-4BFF-9941-5CD0FD3763E0} - C:\WINNT\System32\ebmhmla.dll (disabled by BHODemon)
    O2 - BHO: (no name) - {89EA207C-384F-421D-9F92-B74E604CF88C} - C:\WINNT\System32\gnohbda.dll (disabled by BHODemon)
    O2 - BHO: (no name) - {9EC462B0-B465-455A-954A-6AC873645095} - C:\WINNT\System32\ibh.dll (disabled by BHODemon)
    O2 - BHO: (no name) - {AB7DED94-BE39-4782-83F1-116DCEFA6188} - C:\WINNT\System32\ikg.dll (disabled by BHODemon)
    O2 - BHO: (no name) - {AF2E4044-AA5D-45A3-A8A5-37E89D9D71D2} - C:\WINNT\System32\goc.dll (disabled by BHODemon)
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
    O2 - BHO: (no name) - {C89426C0-DB0C-4446-B9DE-378115871284} - C:\WINNT\System32\dhl.dll (disabled by BHODemon)
    O2 - BHO: (no name) - {C9EBCDDE-ED32-4B84-A8CF-0581C703A3E8} - C:\WINNT\System32\gpmija.dll (disabled by BHODemon)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
    O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
    O4 - HKLM\..\Run: [ConfigSafe] C:\CFGSAFE\NTFSCLUP.EXE
    O4 - HKLM\..\Run: [CSScheduleCheck] C:\CFGSAFE\SCHWIZEX.EXE -CHECK
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb08.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Programmer\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [CreateCD50] "C:\Programmer\Fælles filer\Adaptec Shared\CreateCD\CreateCD50.exe" -r
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programmer\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\WANADOO\CnxMon.exe
    O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\WANADOO\Watch.exe
    O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\WANADOO\TaskbarIcon.exe
    O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
    O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Programmer\PestPatrol\PPControl.exe
    O4 - HKLM\..\Run: [PPMemCheck] C:\Programmer\PestPatrol\PPMemCheck.exe
    O4 - HKLM\..\Run: [CookiePatrol] C:\Programmer\PestPatrol\CookiePatrol.exe
    O4 - HKLM\..\Run: [THGuard] "C:\Programmer\TrojanHunter 3.9\THGuard.exe"
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKCU\..\Run: [SpySweeper] C:\Programmer\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmer\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Startup: BHODemon.lnk = C:\Programmer\BHODemon\BHODemon.exe
    O4 - Startup: SpywareGuard.lnk = C:\Programmer\Javacool\SpywareGuard\sgmain.exe
    O4 - Startup: ASE Scheduler.lnk = C:\Programmer\Aluria Software\ASE\ASE Scheduler.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: GroupWise Notify.lnk = C:\Programmer\Citrix\ICA Client\pn.exe
    O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Programmer\Cisco Systems\VPN Client\ipsecdialer.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmer\Winzip\WZQKPICK.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Web Search - C:\WINNT\ex.htm
    O12 - Plugin for .mov: C:\Programmer\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .pdf: C:\Programmer\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2e529727a6ef04/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dantruck.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{34F8DB42-7CE0-4B09-B73A-8911A91613D8}: NameServer = 193.252.19.3,193.252.19.4
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = dantruck.com
    O17 - HKLM\System\CS1\Services\Tcpip\..\{34F8DB42-7CE0-4B09-B73A-8911A91613D8}: NameServer = 193.252.19.3,193.252.19.4
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = dantruck.com
    O17 - HKLM\System\CS2\Services\Tcpip\..\{34F8DB42-7CE0-4B09-B73A-8911A91613D8}: NameServer = 193.252.19.3,193.252.19.4
     

    Last edited by a moderator: Jun 4, 2004
  4. Pieter_Arntz

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    O2 - BHO: (no name) - {2AB19551-A424-4CCE-B93D-2611E5EAE7F2} - C:\WINNT\System32\dholoaa.dll (disabled by BHODemon)

    O2 - BHO: (no name) - {695E0A22-2B3E-4BFF-9941-5CD0FD3763E0} - C:\WINNT\System32\ebmhmla.dll (disabled by BHODemon)
    O2 - BHO: (no name) - {89EA207C-384F-421D-9F92-B74E604CF88C} - C:\WINNT\System32\gnohbda.dll (disabled by BHODemon)
    O2 - BHO: (no name) - {9EC462B0-B465-455A-954A-6AC873645095} - C:\WINNT\System32\ibh.dll (disabled by BHODemon)
    O2 - BHO: (no name) - {AB7DED94-BE39-4782-83F1-116DCEFA6188} - C:\WINNT\System32\ikg.dll (disabled by BHODemon)
    O2 - BHO: (no name) - {AF2E4044-AA5D-45A3-A8A5-37E89D9D71D2} - C:\WINNT\System32\goc.dll (disabled by BHODemon)
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
    O2 - BHO: (no name) - {C89426C0-DB0C-4446-B9DE-378115871284} - C:\WINNT\System32\dhl.dll (disabled by BHODemon)
    O2 - BHO: (no name) - {C9EBCDDE-ED32-4B84-A8CF-0581C703A3E8} - C:\WINNT\System32\gpmija.dll (disabled by BHODemon)

    O8 - Extra context menu item: Web Search - C:\WINNT\ex.htm

    Then reboot and download http://tools.zerosrealm.com/dllfix.exe

    Double-click it and install in a folder of your choice on the root drive, in your case C:\

    Run start.bat and press option 1. 'output.txt' will be created in the folder.

    Please post that report and use the reply button to do so. (Had to merge your threads ;) )

    Regards,

    Pieter
     
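    The "Fix checked" list above follows a recognisable pattern: every O2 entry registered with "(no name)" whose DLL is either missing or was dropped straight into System32 under a short random-looking name, plus the O8 context-menu item that is backed by a local .htm file rather than a program. As an added example, not code from the thread or from HijackThis, the Python script below parses the O2 and O8 lines of a HijackThis 1.97 log (the relevant lines from the log posted above are embedded as sample input) and reproduces that selection. The heuristic, the regular expressions and the helper names (`triage`, `fix_list`) are assumptions made for this example, not rules HijackThis itself applies: "(no name)" alone is not a verdict, since AcroIEHelper.ocx and Spybot's SDHelper.dll are also registered without a display name and must stay.

```python
"""Added example for this thread: triage the O2/O8 lines of a HijackThis log.

Not code from the forum post or from HijackThis itself.  It reproduces the
"Fix checked" selection above with an explicit heuristic, which is an
assumption of this example: a BHO registered as "(no name)" whose file is
missing, or whose DLL sits directly in System32 under a short all-letter
name, and an IE context-menu item backed by a local .htm file.  Named BHOs
and nameless BHOs living under Program Files are deliberately left alone.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List

# Sample input: the O2, O3 and O8 lines taken from the log posted above.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2AB19551-A424-4CCE-B93D-2611E5EAE7F2} - C:\WINNT\System32\dholoaa.dll (disabled by BHODemon)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Programmer\Javacool\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {695E0A22-2B3E-4BFF-9941-5CD0FD3763E0} - C:\WINNT\System32\ebmhmla.dll (disabled by BHODemon)
O2 - BHO: (no name) - {89EA207C-384F-421D-9F92-B74E604CF88C} - C:\WINNT\System32\gnohbda.dll (disabled by BHODemon)
O2 - BHO: (no name) - {9EC462B0-B465-455A-954A-6AC873645095} - C:\WINNT\System32\ibh.dll (disabled by BHODemon)
O2 - BHO: (no name) - {AB7DED94-BE39-4782-83F1-116DCEFA6188} - C:\WINNT\System32\ikg.dll (disabled by BHODemon)
O2 - BHO: (no name) - {AF2E4044-AA5D-45A3-A8A5-37E89D9D71D2} - C:\WINNT\System32\goc.dll (disabled by BHODemon)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O2 - BHO: (no name) - {C89426C0-DB0C-4446-B9DE-378115871284} - C:\WINNT\System32\dhl.dll (disabled by BHODemon)
O2 - BHO: (no name) - {C9EBCDDE-ED32-4B84-A8CF-0581C703A3E8} - C:\WINNT\System32\gpmija.dll (disabled by BHODemon)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O8 - Extra context menu item: Web Search - C:\WINNT\ex.htm
"""

# O2 lines: "O2 - BHO: <name> - {CLSID} - <path>[ (disabled by <tool>)]"
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*?)"
    r"(?: \((?P<flag>disabled by [^)]+)\))?$"
)
# O8 lines: "O8 - Extra context menu item: <title> - <target>"
O8_RE = re.compile(r"^O8 - Extra context menu item: (?P<title>.*?) - (?P<target>.*)$")
# Assumed heuristic: a DLL dropped straight into System32 with a 1-8 letter name.
SYSTEM32_RANDOM_DLL = re.compile(
    r"^[A-Za-z]:\\WIN(?:NT|DOWS)\\System32\\[A-Za-z]{1,8}\.dll$", re.IGNORECASE
)


@dataclass(frozen=True)
class Finding:
    line: str    # the log line exactly as HijackThis shows it, to tick in the GUI
    reason: str


def triage(log: str) -> List[Finding]:
    """Return the O2/O8 lines that match the heuristic, in log order."""
    findings: List[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        if m := O2_RE.match(line):
            if m["name"] != "(no name)":
                continue  # a named BHO is outside this heuristic
            if m["path"] == "(no file)":
                findings.append(Finding(line, "nameless BHO whose DLL is gone (orphaned registration)"))
            elif SYSTEM32_RANDOM_DLL.match(m["path"]):
                findings.append(Finding(line, "nameless BHO loading a short random-named DLL from System32"))
        elif m := O8_RE.match(line):
            if m["target"].lower().endswith((".htm", ".html")):
                findings.append(Finding(line, "IE context-menu item backed by a local HTML file"))
    return findings


def fix_list(log: str) -> List[str]:
    """Just the lines, ready to compare against a 'Fix checked' list."""
    return [f.line for f in triage(log)]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

    Run against the sample it prints the same nine O2 lines and the one O8 line that are listed above and nothing else. Fixing those entries in HijackThis removes the registrations; the DLLs that keep re-creating them are what the dllfix step that follows is for, which is why the entries reappear after each reboot if only the registry side is cleaned.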
  5. Bent O.

    Hello Pieter,

    Enclosed, please find the "Output" in a .txt document. I can see that some of it is in Danish language - maybe you'll manage with your Dutch and a little imagination!!

    Best regards,
     

  6. Pieter_Arntz

  7. Bent O.

    Hi Pieter,

    Thanks, but ... in the link to the recovery console it says:

    "To start the Windows Recovery Console, use any of the following methods:
    Start your computer with the Windows Setup floppy disks, or with the Windows CD-ROM. At the "Welcome to Setup" screen, press F10, or press R to repair, and then press C (Windows 2000 only) to start the Windows Recovery Console. Select the appropriate number for the Windows installation that you want to repair, and then type the administrator password. If the administrator password does not exist, just press ENTER.
    Add the Windows Recovery Console to the Windows Startup folder by using Winnt32.exe with the /cmdcons switch. This procedure requires approximately 7 MB of hard disk space on your system partition to hold the Cmdcons folder and files."

    I need to use method No. 2, as the floppy disks and the CD-ROM are in Denmark. I am in France. How do I "add the Windows Recovery Console to the Windows Startup folder by using Winnt32.exe with the /cmdcons switch"? Where do I find the "/cmdcons switch"?

    Best regards,
     
  8. Pieter_Arntz

  9. Bent O.

    Hi Pieter,

    Thanks a lot for the help you offered me. I appreciate that very much. I now have a clean computer.
    However, I have to admit that the last part of your attempt to help me was too technical for me. I did not dare to meddle with winnt32.exe all by myself. I am just an ordinary user.
    Instead I got assistance from a Danish forum, where a nice lady managed to help me with the last part in an easier way.

    But again, Thank you very much for your help.

    Best regards from Bent
     
  10. Pieter_Arntz
