Delete everything Cws.searchx
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
supa_al
Hello. This is my first post. Before posting I've read every other post related to this, but no dice. I want to get rid of everything, the DLL, code, everything. I've used every program to do this, but nothing. It just keeps coming back. Here is my log:

Logfile of HijackThis v1.97.7
Scan saved at 3:00:28 PM, on 6/25/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\System32\Ati2evxx.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\system32\spoolsv.exe
G:\WINDOWS\system32\Ati2evxx.exe
G:\WINDOWS\Explorer.EXE
G:\WINDOWS\System32\drivers\CDAC11BA.EXE
G:\WINDOWS\System32\gearsec.exe
G:\Program Files\Network Associates\Common Framework\FrameworkService.exe
G:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
G:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
G:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
G:\Program Files\iTunes\iTunesHelper.exe
G:\Program Files\QuickTime\qttask.exe
G:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
G:\WINDOWS\System32\CTHELPER.EXE
G:\Program Files\D-Tools\daemon.exe
G:\WINDOWS\System32\ctfmon.exe
G:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
G:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
G:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\System32\MsPMSPSv.exe
G:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
G:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
G:\Program Files\iPod\bin\iPodService.exe
G:\Program Files\Network Associates\VirusScan\Mcshield.exe
G:\Program Files\Internet Explorer\IEXPLORE.EXE
G:\Program Files\iTunes\iTunes.exe
G:\Documents and Settings\al sirus\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://G:\DOCUME~1\ALSIRU~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://G:\DOCUME~1\ALSIRU~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://G:\DOCUME~1\ALSIRU~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://G:\DOCUME~1\ALSIRU~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://G:\DOCUME~1\ALSIRU~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://G:\DOCUME~1\ALSIRU~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = g:\windows\system32\yahoo.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {959BAAAB-9529-4E52-97E4-10C34F056C8E} - G:\WINDOWS\System32\icd.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - G:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - G:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - G:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] G:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ShStatEXE] "G:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "G:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [iTunesHelper] G:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "G:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CTSysVol] G:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] G:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] G:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NeroCheck] G:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "G:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [ctfmon.exe] G:\WINDOWS\System32\ctfmon.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Acrobat Assistant.lnk = G:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = G:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = G:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DC8868FA-B744-4F0D-B2B7-F68C171A6205}: NameServer = 63.203.35.55


I've tried to do this on my own, but I just make it worse. Any help?
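As an added example (not part of the thread, and not written by either poster), the following Python triage pass reads HijackThis-style log lines and flags the indicators visible in the log above: R0/R1 search-page entries redirected to a file:// URL under a Temp directory, an unnamed O2 BHO loaded from a DLL sitting directly in System32, and any O17 NameServer override for manual review. The sample lines are constructed to mirror the log's shape; the drive letter, user name and the 192.0.2.53 resolver are placeholders.

```python
import re
from dataclasses import dataclass

# Constructed sample, shaped like the HijackThis 1.97 log above (hypothetical
# drive letter and user name; 192.0.2.53 is a placeholder, not a real resolver).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\USER~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\system32\yahoo.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {959BAAAB-9529-4E52-97E4-10C34F056C8E} - C:\WINDOWS\System32\icd.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{DC8868FA-B744-4F0D-B2B7-F68C171A6205}: NameServer = 192.0.2.53
"""

# A search/start page pointing at a local HTML file in a Temp directory is the
# classic CoolWebSearch symptom seen in the log above (sp.html).
TEMP_DIR = re.compile(r"\\(temp|tmp)\\", re.I)
# A DLL dropped straight into System32 with no vendor folder and no BHO name
# is not proof of infection, but it is the first thing to verify by hand.
SYSTEM32_DLL = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+\.dll$", re.I)


@dataclass
class Finding:
    severity: str  # "high" = clear hijack, "review" = verify by hand
    line: str
    reason: str


def triage(log_text: str) -> "list[Finding]":
    """Return findings for the CWS-style indicators in a HijackThis log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if " - " not in line:
            continue
        kind = line.split(" - ", 1)[0]
        if kind in ("R0", "R1"):
            value = line.split(" = ", 1)[1].strip() if " = " in line else ""
            if value.lower().startswith("file://") and TEMP_DIR.search(value):
                findings.append(Finding("high", line,
                    "IE search/start page redirected to a local HTML file in Temp"))
        elif kind == "O2":
            dll_path = line.rsplit(" - ", 1)[1].strip()
            if "(no name)" in line and SYSTEM32_DLL.match(dll_path):
                findings.append(Finding("review", line,
                    "unnamed BHO loaded from a bare DLL in System32; verify the file"))
        elif kind == "O17":
            findings.append(Finding("review", line,
                "DNS NameServer override; confirm it is your ISP's or network's resolver"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
```

Entries such as the Local Page pointing at yahoo.htm or HomeOldSP = about:blank are left alone, since neither is a file:// redirect into Temp.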
supa_al
One thing to note: could this problem be solved by just not using Internet Explorer anymore and starting to use Firefox instead? Is it safe to uninstall Internet Explorer?
LoPhatPhuud
You have a CoolWebSearch variant which requires special treatment to fix.

Download FindnFix.exe from here: http://freeatlast.100free.com/

Double-click on FindnFix.exe and it will install the batch file in its own folder.

Open the FindnFix folder and double-click on !LOG!.bat
IMPORTANT! Before you run this tool please close ALL running programs and ALL open windows except for the FindnFix folder.

Relax, sit back and wait a few minutes while the program collects the necessary information.

*NOTE: If your AntiVirus is running a scriptblocker, when you run this tool you will probably receive an alert warning you that the script is running. "Allow" the script to run.


When the program is finished:

Open the FindnFix folder.
1. Post the contents of Log.txt in this thread.
2. Attach file Win.txt to the same post. (Please attach, do not post)
(If this board does not provide the ability to attach documents to your post, then please post the Win.txt file in this thread)
supa_al
OK, thanks, I will do that.
supa_al
OK LoPhatPhuud, thanks for your help. Here are the contents of Log.txt. I also attached Win.txt.


*** freeatlast.100free.com ***

Microsoft Windows XP [Version 5.1.2600]
The type of the file system is NTFS.
G: is not dirty.

Sat 06/26/2004
9:48pm up 0 days, 0:19
***Attention!***
Files listed in this section (in System32) are not always definitive!
Always Double Check and be sure the file pointed doesn't exist!

Locked or 'Suspect' file(s) found...


G:\WINDOWS\System32\WINL.DLL +++ File read error
\\?\G:\WINDOWS\System32\WINL.DLL +++ File read error

Special 'locked' files scan in 'System32'........
**File G:\FINDnFIX\LIST.TXT
WINL.DLL Can't Open!

****Filtering files in System32... (-h -s -r...) ***
*********

G:\WINDOWS\SYSTEM32\
winl.dll Tue Jun 22 2004 6:46:44p A...R 57,344 56.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K

No matches found.

Sniffing..........
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> G:\WINDOWS\SYSTEM32\WINL.DLL
*********

Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW QWCEN-DS-- BUILTIN\Power Users
(ID-IO) ALLOW QWCEN-DS-- BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Full access ALSIRUS\al sirus
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
QWCEN-DS-- BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM
Full access ALSIRUS\al sirus


Member of...: (Admin logon required!)
User is a member of group ALSIRUS\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.

Dir 'junkxxx' was created with the following permissions...
(FAT32=NA)
Directory "G:\junkxxx"
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000000 t--- 001F01FF ---- DSPO rw+x ALSIRUS\al sirus
Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 00000002 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

Owner: ALSIRUS\al sirus

Primary Group: ALSIRUS\None



Backups created...
9:48pm up 0 days, 0:19
Sat 06/26/2004

A G:\FINDnFIX\winBack.hiv
--a-- - - - - - 8,192 06-26-2004 winback.hiv
A G:\FINDnFIX\keys1\winkey.reg
--a-- - - - - - 287 06-26-2004 winkey.reg

Performing 16bit string scan....

---------- WIN.TXT
fAppInit_DLLs֍GG
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

Windows
AppInit
DeviceNotSelectedTimeout
ceGDIProcessHandleQuotak
r2Spooler
swapdisk
trTransmissionRetryTimeout
USERProcessHandleQuotai

**File G:\FINDnFIX\WIN.TXT
LoPhatPhuud
=== Step 2 - Delete Hidden DLL ===
Open the FindnFix folder.
Open the keys1 folder.
Right-click on the MOVEit.bat file, select--> edit.
Copy and paste this line into the batch file, replacing any line there.

move %WinDir%\System32\WINL.DLL %SystemDrive%\junkxxx\WINL.DLL

Save the file and close.

Get ready to restart!
Still in the keys1 folder, double-click on FIX.bat.
You will get an alert of ~20 secs before reboot.
Allow it to reboot!

On restart, Open the FindnFix folder.
Double-click on RESTORE.bat.
When it is finished, open the FindnFix folder.
Post the contents of Log1.txt in this thread.
supa_al
OK, here are the contents of Log1.txt. Again, thanks LoPhatPhuud for the help.

Contents:

*** freeatlast.100free.com ***

Sun 06/27/2004
1:48pm up 0 days, 0:01

Microsoft Windows XP [Version 5.1.2600]
The type of the file system is NTFS.
G: is not dirty.

*Locked files...
* result\\?\G:\junkxxx\WINL.DLL

Filtering files in System32.......( 'R;H;S')
*********

No matches found.

No matches found.
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

*********

G:\JUNKXXX\
winl.dll Tue Jun 22 2004 6:46:44p A...R 57,344 56.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> G:\JUNKXXX\WINL.DLL


Search text: STREAMINGDEVICESETUP2 CASE Insensitive Match
Searching ==>G:\JUNKXXX\WINL.DLL
Run Time(sec) 0
**File G:\JUNKXXX\WINL.DLL
0000DEBE: 67 44 65 76 69 63 65 00 . 00 53 74 72 65 61 6D 69 gDevice. .Streami
0000DED3: 63 65 53 65 74 75 70 00 . 32 00 00 00 00 00 E0 01 ceSetup. 2......

move %WinDir%\System32\WINL.DLL %SystemDrive%\junkxxx\WINL.DLL

-ra-- W32i - - - - 57,344 06-22-2004 winl.dll
A R G:\junkxxx\WINL.DLL
File: <G:\junkxxx\WINL.DLL>

CRC-32 : D5C9FB2E

MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249




Permissions:
G:\junkxxx\WINL.DLL Everyone:(special access:)

SYNCHRONIZE
FILE_EXECUTE

BUILTIN\Administrators:F

Directory "G:\junkxxx\."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000000 t--- 001F01FF ---- DSPO rw+x ALSIRUS\al sirus
Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 00000002 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

Owner: ALSIRUS\al sirus

Primary Group: ALSIRUS\None

Directory "G:\junkxxx\.."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 0000000A -c-- 00000002 ---- ---- -w-- BUILTIN\Users
Allow 00000000 t--- 001200A9 ---- -S-- r--x \Everyone

Owner: BUILTIN\Administrators

Primary Group: NT AUTHORITY\SYSTEM

File "G:\junkxxx\WINL.DLL"
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000000 t--- 00100020 ---- ---- ---x \Everyone
Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Owner: ALSIRUS\al sirus

Primary Group: ALSIRUS\None


Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW QWCEN-DS-- BUILTIN\Power Users
(ID-IO) ALLOW QWCEN-DS-- BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Full access ALSIRUS\al sirus
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
QWCEN-DS-- BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM
Full access ALSIRUS\al sirus



---------- WIN.TXT
fAppInit_DLLs֍GG

---------- NEWWIN.TXT
%AppInit_DLLselp
**File G:\FINDnFIX\NEWWIN.TXT
**File G:\FINDnFIX\NEWWIN.TXT
00001360: 01 00 00 00 01 00 25 01 . 5F 44 4C 4C 73 65 6C 70 ......%. _DLLselp
LoPhatPhuud
=== Step 3 Cleanup ===
Open the FindnFix folder.
Open the Files2 folder.
Double-click on ZIPZAP.bat.

It will quickly clean the rest and will make a copy of the bad file(s) in the same folder (junkxxx.zip) and open your email client with instructions.

Simply drag and drop the junkxxx.zip file from the folder into the mail message and submit to the specified addresses.

Please be sure to include a link to your log file in the email.

When done, please delete the entire FindnFix folder.

=== Clean Remaining Infection ===
Please download CoolWebShredder from
http://www.merijn.org/files/cwshredder.zip
http://www.zerosrealm.com/downloads/CWShredder.zip

Extract CWShredder to its own folder,
Click the 'Fix ->' button.
Make sure you let it fix all CWS Remnants.

Next:
Download the latest version of Ad-Aware at
http://www.lavasoft.de/software/adaware/

After installing AAW, and before running the program, you NEED to FIRST update the reference file following the instructions here: http://www.lavahelp.com/howto/updref/index.html

Select 'custom options'.
Select your drive, scan and fix all it finds.

Last:
Post a new HiJackThis log in this thread.
supa_al
OK, here now is the new HijackThis log:


Logfile of HijackThis v1.97.7
Scan saved at 7:21:36 PM, on 6/28/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\System32\Ati2evxx.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\system32\spoolsv.exe
G:\WINDOWS\system32\Ati2evxx.exe
G:\WINDOWS\Explorer.EXE
G:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
G:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
G:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
G:\Program Files\QuickTime\qttask.exe
G:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
G:\WINDOWS\System32\CTHELPER.EXE
G:\Program Files\D-Tools\daemon.exe
G:\WINDOWS\System32\ctfmon.exe
G:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
G:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
G:\WINDOWS\System32\drivers\CDAC11BA.EXE
G:\WINDOWS\System32\gearsec.exe
G:\Program Files\Network Associates\Common Framework\FrameworkService.exe
G:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
G:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
G:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\System32\MsPMSPSv.exe
G:\Program Files\iPod\bin\iPodService.exe
G:\Program Files\Network Associates\VirusScan\Mcshield.exe
G:\Program Files\Mozilla Firefox\firefox.exe
G:\Program Files\iTunes\iTunes.exe
H:\ProgrMZ\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = G:\WINDOWS\System32\yahoo.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = g:\windows\system32\yahoo.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - G:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - G:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - G:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] G:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ShStatEXE] "G:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "G:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [iTunesHelper] G:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "G:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CTSysVol] G:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] G:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] G:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NeroCheck] G:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "G:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [ctfmon.exe] G:\WINDOWS\System32\ctfmon.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Acrobat Assistant.lnk = G:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = G:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = G:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DC8868FA-B744-4F0D-B2B7-F68C171A6205}: NameServer = 63.203.35.55
LoPhatPhuud
At last, your system is clean and free of spyware! Want to keep it that way?

Here are some simple steps you can take to reduce the chance of infection in the future.

1. Visit Windows Update: <-- YOU NEED TO DO THIS!!
Make sure that you have all the Critical Updates recommended for your operating system and IE. The first defense against infection is a properly patched OS.
a. Windows Update: http://v4.windowsupdate.microsoft.com/en/default.asp

2. Adjust your security settings for ActiveX:
Go to Internet Options/Security/Internet, press 'default level', then OK.
Now press "Custom Level."
In the ActiveX section, set the first option, 'Download signed controls', to 'Prompt'; set the second option, 'Download unsigned controls', to 'Disable'; and finally, set 'Initialize and Script ActiveX controls not marked as safe' to 'Disable'.

3. Download and install the following free programs
a. SpywareBlaster: http://www.javacoolsoftware.com/spywareblaster.html
b. SpywareGuard: http://www.wilderssecurity.net/spywareguard.html
c. IE/Spyad: http://www.staff.uiuc.edu/~ehowes/resource.htm

4. Install Spyware Detection and Removal Programs:
You may also want to consider installing either or both of AdAware (free version) and Spybot S&D (freeware). Use these programs to regularly scan your system for and remove many forms of spyware/malware.
a. AdAware: http://www.lavasoft.de/
b. Spybot S&D: http://security.kolla.de/index.php?lang=en&page=download


For more information about Spyware, the tools available, and other informative material, including information on how you may have been infected in the first place, please check out this link: http://forum.gladiator-antivirus.com/index...?showtopic=9857


Good luck, and thanks for coming to our forums for help with your security and malware issues.
supa_al
Oh wow....thanks a WHOOOOLE bunch. I thank you LoPhatPhuud. You've been a great deal of help. I've tried to do so many things to fix this, but I just made it worse. I thank you again. So far I've been using Firefox since my IE has had this bug. Well, thank you again.


-aL