TheTechGuide Forum

General Category => Tech Clinic => Topic started by: Felix on November 14, 2004, 07:25:37 PM

Title: CWS.HiddenDll
Post by: Felix on November 14, 2004, 07:25:37 PM
Ok, I've had a really annoying spyware problem recently.

Basically my IE Startpage was constantly changed to about:blank and had a Search engine site called Search Now. (isn't about:blank just supposed to be blank?). Also, other random sites were constantly being forwarded to this while I was browsing the internet.

I googled it and found out that I, like many, was infested with the CWS Spyware. I downloaded CWShredder and ran it. The program found CWS.HiddenDll and removed it along with 6 apparent registry entries. After doing this my IE was back to normal. After a while it came back though. I ran CWShredder again and it again found the above.

This keeps coming back and all I can do is rerun CWShredder every time, but it's really annoying.

Any thoughts on how to get rid of it for good?
Title: CWS.HiddenDll
Post by: guestolo on November 14, 2004, 08:56:38 PM
Let's get a closer look Felix

Double Click "MY Computer"
Open your C: drive
Click "File" >>> "New" >>>> "Folder"
A new folder will be created, name it HJT

Now you will have C:\HJT

Download Hijackthis from HERE (https://ssl.perfora.net/tools.radiosplace.com/HijackThis.exe) or HERE (http://aumha.org/downloads/hijackthis.exe)
Save it to that new folder


Do a SCAN----Scan will change to SAVE LOG----copy and paste the WHOLE contents of the log
here... Don't try and fix anything yet----It is all important
Title: CWS.HiddenDll
Post by: Guest on November 15, 2004, 08:49:27 AM
Hi,
I did as you told me to. Here's what turned up. I appreciate that my computer knowledge is minimal. Thanx for your help.

Logfile of HijackThis v1.98.2
Scan saved at 13:55:39, on 15.11.2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\Programme\Java\j2re1.4.2_05\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\stjlefa.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\eMule.de\emule.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\MusicMatch\MusicMatch Jukebox\mmjb.exe
C:\Programme\MusicMatch\MusicMatch Jukebox\MMDiag.exe
C:\Programme\MusicMatch\MusicMatch Jukebox\mm_director.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MM_TDM~1.EXE
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\IDA\ida.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.spiegel.de/
O3 - Toolbar: IEMenuExtension toolbar - {6b95678d-30a4-4ff8-a72f-4208340c1f7f} - C:\Programme\IEMenuExtension\tbextn.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programme\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [JavaUpdate0.07] C:\WINDOWS\System32\stjlefa.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Download ALL with IDA - C:\Programme\IDA\idaieall.htm
O8 - Extra context menu item: Download with IDA - C:\Programme\IDA\idaie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - C:\Programme\IDA\ida.exe
O9 - Extra 'Tools' menuitem: &Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - C:\Programme\IDA\ida.exe
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1098355668218
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
Title: CWS.HiddenDll
Post by: guestolo on November 15, 2004, 11:38:26 AM
I see a couple of entries that need to be removed in your log, but unfortunately I'm not seeing everything
Could you, from this point on, not use CWShredder to fix your Home page problem

I need to see the log in its complete infection

Try this for now
Can you Download DLLCompare (http://download.broadbandmedic.com/DllCompare.exe)

Start the Program and click the Run Locate.com
Default settings should work---C:\Windows\System32 directory
Let it complete the SCAN, which won't take long

Click the Compare button to start the next process. This will take a bit longer.
The results appear in two panes - files in the upper pane have been verified to 'exist'.
Files in the lower pane were 'not able to be accessed'.
Very few files should be listed in the lower pane, if any, when the Compare scan is complete.
Click on each of the listed entries in the lower pane to select them. Right-click on the file and use the option Rescan. This will cause Windows Find to see if the file does exist, and then if so it will be removed from the list to reduce the number of identified files.

Click the Make a Log of what was found button

Post this log
Also try restarting your computer and see if the hijacker returns or set your clock
a couple of days in advance in the system tray and restart your computer
I'm trying to reveal what method we must use for this infection
Post back a fresh hijackthis log too, once you get hit again with about:blank

Again, try not to use CWShredder again, until we apply a fix
Title: CWS.HiddenDll
Post by: Felix on November 15, 2004, 09:04:41 PM
Ok, I got infested again.
It didn't seem to be linked to either restarting or setting the clock back as you said. It just happens randomly following no apparent rhythm.

Here's the log from HijackThis.


Logfile of HijackThis v1.98.2
Scan saved at 02:04:05, on 16.11.2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\Programme\Java\j2re1.4.2_05\bin\jusched.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\stjlefa.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Programme\eMule.de\emule.exe
C:\Programme\MusicMatch\MusicMatch Jukebox\mmjb.exe
C:\Programme\MusicMatch\MusicMatch Jukebox\MMDiag.exe
C:\Programme\MusicMatch\MusicMatch Jukebox\mm_director.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MM_TDM~1.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {1D4869AC-99D4-4872-86C2-FC9CF8514C5D} - C:\WINDOWS\System32\jjbc.dll
O3 - Toolbar: IEMenuExtension toolbar - {6b95678d-30a4-4ff8-a72f-4208340c1f7f} - C:\Programme\IEMenuExtension\tbextn.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programme\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [JavaUpdate0.07] C:\WINDOWS\System32\stjlefa.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Download ALL with IDA - C:\Programme\IDA\idaieall.htm
O8 - Extra context menu item: Download with IDA - C:\Programme\IDA\idaie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - C:\Programme\IDA\ida.exe
O9 - Extra 'Tools' menuitem: &Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - C:\Programme\IDA\ida.exe
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1098355668218
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O18 - Filter: text/html - {5B520122-A908-4070-90D6-F20B9AF575B9} - C:\WINDOWS\System32\jjbc.dll
O18 - Filter: text/plain - {5B520122-A908-4070-90D6-F20B9AF575B9} - C:\WINDOWS\System32\jjbc.dll


and the one from DllCompare...


*    DLLCompare Log version()
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\kbd.dll        Thu 21 Oct 2004  11:46:02   A...R         57.344    56,00 K
C:\WINDOWS\SYSTEM32\u2rl0gw.dll    Thu 21 Oct 2004  18:07:58   ..SHR        433.173   423,02 K
________________________________________________

1.146 items found:  1.146 files (1 H/S), 0 directories.
Total of file sizes:  214.671.193 bytes    204,72 M

Administrator Account =  True

--------------------End log---------------------


Do you know what's going on?
Cheers for the help. Appreciated!
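As an added example (not code from this thread, from HijackThis or from any tool named in it), here is a small Python triage script that parses log lines in the HijackThis format posted above and flags the same indicators the helper is reading for: IE search/start keys reset to about:blank or about:NavigationFailure, an unnamed BHO, text/html and text/plain MIME filters (O18), a Run entry whose name claims Java but launches a System32 binary, and one DLL referenced by several IE hooks at once. The heuristics, the vendor-word list and the XREF correlation are the editor's own assumptions; the sample lines are copied from the infected log above.

```python
"""Triage HijackThis-format log lines for CWS-style browser hijack indicators.
Added example for this thread; not part of HijackThis, CWShredder or any tool
named above. Heuristics and word lists below are the editor's assumptions."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: lines copied from the second HijackThis log in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {1D4869AC-99D4-4872-86C2-FC9CF8514C5D} - C:\WINDOWS\System32\jjbc.dll
O3 - Toolbar: IEMenuExtension toolbar - {6b95678d-30a4-4ff8-a72f-4208340c1f7f} - C:\Programme\IEMenuExtension\tbextn.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKCU\..\Run: [JavaUpdate0.07] C:\WINDOWS\System32\stjlefa.exe
O18 - Filter: text/html - {5B520122-A908-4070-90D6-F20B9AF575B9} - C:\WINDOWS\System32\jjbc.dll
O18 - Filter: text/plain - {5B520122-A908-4070-90D6-F20B9AF575B9} - C:\WINDOWS\System32\jjbc.dll
"""

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")
# O4 body layout:  HKCU\..\Run: [JavaUpdate0.07] C:\WINDOWS\System32\stjlefa.exe
RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")

# Placeholder pages CWS variants write into the IE search/start keys.
HIJACK_PLACEHOLDERS = {"about:blank", "about:navigationfailure"}
# A Run entry that name-drops one of these but launches something unrelated is
# suspect (compare [JavaUpdate0.07] -> stjlefa.exe with [SunJavaUpdateSched] -> jusched.exe).
VENDOR_WORDS = ("java", "sun", "microsoft", "windows", "adobe", "real")
# MIME filters on these types let a DLL rewrite every page IE renders.
HOOKED_MIME_TYPES = {"text/html", "text/plain"}


@dataclass
class Finding:
    code: str      # HijackThis section (R1, O2, ...) or XREF for a correlation
    reason: str
    evidence: str  # the offending log line, or the DLL path for XREF


def _last_field(body):
    """Return the path after the final ' - ' separator (O2/O3/O18 layout)."""
    return body.rsplit(" - ", 1)[-1].strip()


def triage(log_text):
    """Parse HijackThis-style lines and return a list of Finding objects."""
    findings = []
    dll_refs = Counter()  # DLL path -> number of IE hooks (BHO, filter) loading it

    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header, process list, blank line
        code, body = m.group("code"), m.group("body")

        if code in ("R0", "R1"):
            key, _, value = body.partition(" = ")
            if value.strip().lower() in HIJACK_PLACEHOLDERS:
                setting = key.rsplit(",", 1)[-1]
                findings.append(Finding(code, f"IE {setting} reset to {value.strip()}", raw))

        elif code == "O2":
            dll = _last_field(body)
            dll_refs[dll.lower()] += 1
            if body.startswith("BHO: (no name)"):
                findings.append(Finding(code, f"unnamed BHO loads {dll}", raw))

        elif code == "O18":
            mime = body.split(" - ", 1)[0]
            if mime.startswith("Filter: "):
                mime = mime[len("Filter: "):]
            dll = _last_field(body)
            dll_refs[dll.lower()] += 1
            if mime in HOOKED_MIME_TYPES:
                findings.append(Finding(code, f"{mime} MIME filter routes pages through {dll}", raw))

        elif code == "O4":
            rm = RUN_RE.match(body)
            if rm:
                name, cmd = rm.group("name"), rm.group("cmd")
                claimed = [w for w in VENDOR_WORDS if w in name.lower()]
                if claimed and not any(w in cmd.lower() for w in claimed):
                    findings.append(Finding(
                        code, f"Run entry [{name}] claims '{claimed[0]}' but launches {cmd}", raw))

    # Correlation: one DLL registered under several hooks is a strong signal
    # (jjbc.dll above is a BHO and two MIME filters at once).
    for dll, n in dll_refs.items():
        if n > 1:
            findings.append(Finding("XREF", f"{dll} is loaded by {n} separate IE hooks", dll))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.code}] {f.reason}\n    {f.evidence}")
```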
Title: CWS.HiddenDll
Post by: guestolo on November 15, 2004, 10:11:28 PM
Well, that identified a hidden installer

Download and save to desktop this Removal Tool (http://securityresponse.symantec.com/avcenter/FxAgentB.exe) developed by Symantec

Don't run it yet

Also
Download and Install the free version of Ad-Aware SE Personal 1.05 (http://download.com.com/3000-2144-10045910.html?part=69274&subj=dlpage&tag=button)
Ensure you have this version or later
If you don't have this version, uninstall yours and install this one
After installation-CHECK FOR UPDATES now!
Download all updates
Don't run a scan yet

Let's try some fixes
Double-click the FxAgentB removal tool by Symantec to run it.
The program will scan your entire hard drive - this may take a while. When it is done, it will generate a log file called FxAgentB.log - save that information as you will need to paste it here later.
RESTART your computer when Done

==Double click to Run CWShredder, Let it FIX all problems
RESTART your computer again

==Open Ad-Aware, do a  Full System Scan with Ad-Aware
Remove All Critical objects by right clicking in the Criticals pane and selecting all objects--Click next
Exit out of Ad-Aware after fixing criticals
Restart your computer one more time to finish the cleaning process

Post back a fresh hijackthis log afterwards
Also post the FxAgentB.log
Could you also run another scan with DllCompare and post that log too
Title: CWS.HiddenDll
Post by: Felix on November 16, 2004, 09:29:18 AM
Ok, did what you said.

Here's the HijackThis log:

Logfile of HijackThis v1.98.2
Scan saved at 14:28:39, on 16.11.2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\Programme\Java\j2re1.4.2_05\bin\jusched.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\stjlefa.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

O3 - Toolbar: IEMenuExtension toolbar - {6b95678d-30a4-4ff8-a72f-4208340c1f7f} - C:\Programme\IEMenuExtension\tbextn.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programme\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [JavaUpdate0.07] C:\WINDOWS\System32\stjlefa.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Download ALL with IDA - C:\Programme\IDA\idaieall.htm
O8 - Extra context menu item: Download with IDA - C:\Programme\IDA\idaie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - C:\Programme\IDA\ida.exe
O9 - Extra 'Tools' menuitem: &Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - C:\Programme\IDA\ida.exe
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1098355668218
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab


And here the one from FxAgentB:

Symantec Backdoor.Agent.B Removal Tool 1.0.1.2

process: winlogon.exe, thread: 00000248 (terminated)
process: services.exe, thread: 0000029C (terminated)
process: lsass.exe, thread: 00000294 (terminated)
process: svchost.exe, thread: 0000034C (terminated)
process: svchost.exe, thread: 0000038C (terminated)
process: svchost.exe, thread: 0000045C (terminated)
process: svchost.exe, thread: 00000474 (terminated)
process: spoolsv.exe, thread: 000005B0 (terminated)
process: explorer.exe, thread: 000005F8 (terminated)
process: hpztsb05.exe, thread: 00000674 (terminated)
process: atiptaxx.exe, thread: 000006AC (terminated)
process: jusched.exe, thread: 00000770 (terminated)
process: realsched.exe, thread: 0000076C (terminated)
process: ctfmon.exe, thread: 00000778 (terminated)
process: msnmsgr.exe, thread: 0000073C (terminated)
process: stjlefa.exe, thread: 000007D0 (terminated)
process: ati2evxx.exe, thread: 000000CC (terminated)
process: tcpsvcs.exe, thread: 000001C0 (terminated)
process: IEXPLORE.EXE, thread: 000008F0 (terminated)
process: ida.exe, thread: 00000E6C (terminated)
process: FxAgentB.exe, thread: 00000950 (terminated)

registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows: AppInit_DLLs (value set to "")

C:\System Volume Information: (not scanned)
C:\WINDOWS\system32\kbd.dll: (will be deleted on next reboot)

The Backdoor.Agent.B removal was successful.
The system will delete 1 Backdoor.Agent.B files from your PC on next reboot.

Here is the report:

1 file(s) could not be deleted.
They will be deleted on next reboot.

The total number of the scanned files: 24480
The number of deleted files: 0
The number of viral processes terminated: 0
The number of viral threads terminated: 21

And finally the DllCompare log:

*    DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\u2rl0gw.dll    Thu 21 Oct 2004  18:07:58   ..SHR        433.173   423,02 K
________________________________________________

1.145 items found:  1.145 files (1 H/S), 0 directories.
Total of file sizes:  214.613.849 bytes    204,67 M

Administrator Account =  True

--------------------End log---------------------


Also, Ad-Aware found about 8 critical items for CoolWebSearch.... which I deleted.
Cheers.
Title: CWS.HiddenDll
Post by: guestolo on November 16, 2004, 09:00:29 PM
Hi again Felix, can you set Windows to show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known File Types
* Click Yes to confirm.
* Click OK.

Go to this site and do a free Online File virus scan
http://virusscan.jotti.dhs.org/
Give it time to load

Use the Browse button to Navigate to this file
C:\WINDOWS\System32\stjlefa.exe <--file

Right click on it and Select it and use the Submit key to scan it
Copy and paste the results back here

Before you post back
Do another scan with Hijackthis and put a check next to this entry

O3 - Toolbar: IEMenuExtension toolbar - {6b95678d-30a4-4ff8-a72f-4208340c1f7f} - C:\Programme\IEMenuExtension\tbextn.dll

After you have ticked the above entry, close down all other windows, including this one
Leave Hijackthis open and click the FIX CHECKED
Yes to the prompt and exit Hijackthis

Restart your computer

Post back a fresh hijackthis log

Could you also download VX2 Finder (http://downloads.subratam.org/VX2Finder(126).exe)
Double click to open it
"Click to Find VX2.Betterinternet"
next click the "Make log"
Post back that log here too, thanks
Title: CWS.HiddenDll
Post by: Felix on November 17, 2004, 05:57:59 AM
Ok, here are the logs:

Log for VX2.BetterInternet File Finder (msg126)

Files Found---
 
Additional Files---
 
Keys Under Notify---
crypt32chain
cryptnet
cscdll
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
wlballoon


Guardian Key--- is called:

User Agent String---

------------------------------------------------------

File:  stjlefa.exe  
Status:  INFECTED/MALWARE  
Packers detected:  PE_PATCH.PECOMPACT, PECBUNDLE, PECOMPACT
   
AntiVir  No viruses found (0.15 seconds taken)
Avast  No viruses found (1.51 seconds taken)
BitDefender  No viruses found (0.55 seconds taken)
ClamAV  No viruses found (0.33 seconds taken)
Dr.Web  No viruses found (0.52 seconds taken)
F-Prot Antivirus  No viruses found (0.06 seconds taken)
Kaspersky Anti-Virus  Backdoor.Win32.Agent.ec (1.09 seconds taken)
mks_vir  Trojan.Agent.Ec (0.20 seconds taken)
NOD32  Win32/Agent.EC (0.36 seconds taken)
Norman Virus Control  W32/Agent.EH (0.12 seconds taken)

------------------------------------------------------

Logfile of HijackThis v1.98.2
Scan saved at 11:03:02, on 17.11.2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\Programme\Java\j2re1.4.2_05\bin\jusched.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\stjlefa.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.spiegel.de/
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programme\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [JavaUpdate0.07] C:\WINDOWS\System32\stjlefa.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Download ALL with IDA - C:\Programme\IDA\idaieall.htm
O8 - Extra context menu item: Download with IDA - C:\Programme\IDA\idaie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - C:\Programme\IDA\ida.exe
O9 - Extra 'Tools' menuitem: &Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - C:\Programme\IDA\ida.exe
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1098355668218
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab

Cheers
Title: CWS.HiddenDll
Post by: guestolo on November 17, 2004, 08:23:13 PM
Let's try this Felix

Open Hijackthis>>>Config>>Misc Tools>>Open Process Manager
Left click to Highlight and then Kill this process

C:\WINDOWS\System32\stjlefa.exe

After you have killed that process, click the Back button in Hijackthis
>>Config>>Misc Tools>>Click the Delete File on Reboot button

Copy and paste the bolded text below into the File Name box

C:\WINDOWS\System32\stjlefa.exe

Click the OPEN button
Hijackthis will warn the file will be deleted and you must restart your computer
Don't restart yet

Instead, do another scan with Hijackthis and put a check next to these entries

O4 - HKCU\..\Run: [JavaUpdate0.07] C:\WINDOWS\System32\stjlefa.exe

After you have ticked the above entry, Close All other open Windows, including this one
Leave Hijackthis open and Click FIX CHECKED
Yes to the prompt and exit Hijackthis

Restart your computer
Post back a fresh Hijackthis log and let me know if you are still having problems

I strongly urge you to visit Windows updates and download the latest Critical(High Priority) updates
and Service Packs, Including updating IE to SP1
This will help to keep your system secure

Don't update to SP2 right now, you must ensure you are totally clean
and don't install Recommended updates unless you really want them

I believe that Microsoft recommends disabling any Download Accelerator before visiting
It will interfere with the install

We should also get some other Preventive tools on your computer to tighten up your security
I have some free downloads, but let's make sure you're clean first
Title: CWS.HiddenDll
Post by: Felix on November 18, 2004, 02:52:37 PM
Hi, thanx again for the help. The problem seems to be gone! Well done on that, coz I was beginning to go insane.

I'll post the HijackThis log anyways, who knows, maybe there is still something compromising my PC.

I also installed SP1 and the other critical security updates. I will not, however, install SP2, because for everyone I heard of who had installed it, it caused numerous problems, deinstalling random drivers that weren't Microsoft as well as disabling various programs (in one case even disabling proper startup of Windows itself).

If you have any good free programs to further enhance my security and detection I would be grateful if you'd let me know... can always do with that.
What is the best Firewall freely available on the net? At the moment I'm running ZoneAlarm (freeware). What about AntiVirus software? Currently I don't have any.

Logfile of HijackThis v1.98.2
Scan saved at 19:55:05, on 18.11.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\Programme\Java\j2re1.4.2_05\bin\jusched.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\MSN Messenger\msnmsgr.exe
C:\Programme\MusicMatch\MusicMatch Jukebox\mmjb.exe
C:\Programme\MusicMatch\MusicMatch Jukebox\MMDiag.exe
C:\Programme\MusicMatch\MusicMatch Jukebox\mm_director.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MM_TDM~1.EXE
C:\Programme\Microsoft Office\Office\WINWORD.EXE
C:\Programme\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.spiegel.de/
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programme\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1098355668218
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab

Cheers for the help so far.... appreciated.
Title: CWS.HiddenDll
Post by: guestolo on November 18, 2004, 07:32:18 PM
Good Work Felix, let's see about getting you those tools

But First, if everything is running better you may want to Clear your System Restore Points
Don't need to be restoring any Nasties to your computer
Simply Disable System Restore----Restart your computer---Enable System Restore
This will create a Fresh Restore point and clear all the old ones
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm

Next: I would go download these 2 free applications

SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html

IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==http://www.bleepingcomputer.com/forums/index.php?showtutorial=53
Download link==https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD
Scroll down and click on IE-SPYAD.EXE Free!

With both, Check for updates every couple of weeks

Now for the Anti-Virus software
I use AVG on this machine and I use Avast on my other machine

Why don't you give AVG a try, the free version has just been updated
Includes a better scanning engine

Here's a link
http://free.grisoft.com/freeweb.php/doc/1/
Let that page load, it sometimes may take a while as the new version is being installed by many
Once installed, make sure that you check for updates
Do a Full system scan on your computer
Let me know if it finds anything.....

Windows SP2 I figure right now is users choice
I chose to install it right away, without any problems
But I have a sequence of events I do before installing on any machines
Haven't had trouble so far.....

The free version of Zone Alarm is used and recommended by many. So you seem okay in that department
Personally, I use Sygate's free version on my machine

Stay Safe Felix, and get IE-Spyad and SpywareBlaster installed
Hold onto Ad-Aware and check for updates every couple of weeks and run a scan...

Let me know how you make out with the virus scanner, curious if it picks up anything....
Title: CWS.HiddenDll
Post by: Andreas S. on December 01, 2004, 04:19:37 AM
Hi, this is the way I successfully removed CWS.HiddenDLL:
CWShredder and other programs can successfully recognize the threat and deal with the registry entries, but you'll have to remove the DLLs yourself.

The thing is that there are two DLLs. If you remove only one of them, the second one will reinstall the first one.
They're found in %Windows% (on WinNT or Win2000 it's c:\WINNT); their names are "dpe.dll" and "Copy of dpe.dll". I open them with Notepad, delete all the text (i.e. the program code), save them, and set them to "read only" (original size is 33k; now they should be 0 or 1k).

Then run CWShredder, AdAware, Giant AntiSpy or what have you to clean the registry.

Reset all the home pages of Internet Explorer from Internet Options (WITHOUT STARTING THE BROWSER!!), because some of the pages will immediately re-infect you.

Remove the Microsoft Java VM and install either the newest version of Microsoft, or install the one from SUN, so you can't be reinfected in the future.

Restart the computer and that's it.

Be careful never to open a browser, Messenger or other browser-based tools during the process!

nabla98-dmoz (at ) yahoo (DOT) com
Title: CWS.HiddenDll
Post by: Dee on December 03, 2004, 07:39:41 PM
[quote name=\'Andreas S.\' date=\'Dec 1 2004, 03:19 AM\']Hi, this is the way I successfully removed CWS.HiddenDLL:
CWShredder and other programs can successfully recognize the threat and deal with the registry entries, but you'll have to remove the DLLs yourself.

The thing is that there are two DLLs. If you remove only one of them, the second one will reinstall the first one.
They're found in %Windows% (on WinNT or Win2000 it's c:\WINNT); their names are "dpe.dll" and "Copy of dpe.dll". I open them with Notepad, delete all the text (i.e. the program code), save them, and set them to "read only" (original size is 33k; now they should be 0 or 1k).

Then run CWShredder, AdAware, Giant AntiSpy or what have you to clean the registry.

Reset all the home pages of Internet Explorer from Internet Options (WITHOUT STARTING THE BROWSER!!), because some of the pages will immediately re-infect you.

Remove the Microsoft Java VM and install either the newest version of Microsoft, or install the one from SUN, so you can't be reinfected in the future.

Restart the computer and that's it.

Be careful never to open a browser, Messenger or other browser-based tools during the process!

nabla98-dmoz (at ) yahoo (DOT) com[/quote]
Hi, I've been having the same problem with CWS.HiddenDLL myself, just as FELIX was. I've been fighting it for some time and have run CWShredder and other programs many times to get them removed. Then the dang about:blank keeps affecting my homepage on IE.

However, I'm not following what I should be doing to fix this problem. I see here that there are 2 ways to take care of it, yet I can't determine which might be easier. Even though I'm comfortable with the computer and feel I understand it OK, I have many questions when figuring out what you might be referring to.

As for the latter of the two solutions, here are my questions:

First, how do I get to %Windows%?

Then I understand it from there, yet I'm not sure if I have ever set them to read only. I may be able to figure that out on my own.

Then I can run CWShredder just fine and so on.

However, I don't know what you mean when you say:
Remove the Microsoft Java VM and install either the newest version of Microsoft, or install the one from SUN


Any help with this would be greatly appreciated

Thanks
-D
Title: CWS.HiddenDll
Post by: guestolo on December 03, 2004, 07:55:19 PM
It wouldn't hurt to post a Hijackthis log, you can download it from the Links in my first reply in this post
I can suggest what you can try, if you don't want to
So be it.....
But like I said, it wouldn't hurt to have a look at your log
Title: CWS.HiddenDll
Post by: Dee on December 03, 2004, 08:09:45 PM
No I don't mind a bit -

I appreciate all the help I can get - Thanks

Here it is

Logfile of HijackThis v1.98.2
Scan saved at 7:19:27 PM, on 12/3/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\QUICKENW\QWDLLS.EXE
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: FlpLauncher Class - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - C:\Program Files\E-Book Systems\FlipAlbum 5 Pro\FpLaunch.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: ICOODownloadManager Class - {BA7270AE-5636-4618-BAF3-F86ADA39F036} - C:\Program Files\ICOO Loader\addons4\icoourl.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O2 - BHO: ICOOExternalHandler Class - {ED657BAF-1EE5-4A07-9D2E-6D0525EFC69B} - C:\Program Files\ICOO Loader\addons4\icoourlext.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [webscan] C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe -k
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [Remndr] "C:\Program Files\CasinoOnline\CsRemnd.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MSNSysRestore] C:\WINDOWS\System32\pc32.exe bg
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0837121A-6472-43BD-8A40-D9221FF1C4CE} - http://download.sidestep.com/get/k42033/sb028.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - http://www.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {FAF76D4D-6525-443F-8C27-EA8898DDD745} - http://www.candid.com/ccsftp/default.cab

-Dee
Title: CWS.HiddenDll
Post by: guestolo on December 03, 2004, 08:18:20 PM
Good work, I see you have Spybot installed
It's a great program, is it the latest version 1.3?
Do you also have the free version of Ad-Aware SE Personal 1.05?
If not you should download it, I can supply a link for it

But if you wouldn't mind, let's see if there's a hidden Installer causing this

Can you Download DLLCompare (http://download.broadbandmedic.com/DllCompare.exe)
It's a small download

Start the Program and click the Run Locate.com
Default settings should work---C:\Windows\System32 directory
Let it complete the SCAN, which won't take long

Click the Compare button to start the next process. This will take a bit longer.
The results appear in two panes - files in the upper pane have been verified to 'exist'.
Files in the lower pane were 'not able to be accessed'.
Very few files should be listed in the lower pane, if any, when the Compare scan is complete.
Click on each of the listed entries in the lower pane to select them. Right-click on the file and use the option Rescan. This will cause Windows Find to see if the file does exist, and then if so it will be removed from the list to reduce the number of identified files.

Click the Make a Log of what was found button
Title: CWS.HiddenDll
Post by: Dee on December 03, 2004, 08:24:40 PM
One other thing that I've been needing to fix is how many programs start up when I boot my computer.  I noticed from this log I just posted that they are listed as:

HKLM\..\Run

and

Global Startup

I don't want all of these programs running on my computer as I boot.

I've tried to go to:
Run

then type in: MSCONFIG.

Go to the startup tab and then deselect the ones that are obvious to not be running - yet that hasn't been successful.

Any suggestions -

-Dee
Title: CWS.HiddenDll
Post by: guestolo on December 03, 2004, 08:27:58 PM
We can get something on your computer to control those startup entries
I Have Windows XP SP2 installed on this computer but I don't like using msconfig
I prefer to use a small download third party program called Codestuff's Starter
I can get you a link if you would like

But first you need to clean your log
You should post the log from DLLCompare

You also have a trojan and some other spyware on your computer besides the About:blank infection
Title: CWS.HiddenDll
Post by: Dee on December 03, 2004, 08:30:37 PM
Here is what was found


*    DLLCompare Log version()
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\wink.dll       Sat May 15 2004   7:35:54p  A...R         57,344    56.00 K
________________________________________________

1,378 items found:  1,378 files, 0 directories.
Total of file sizes:  290,870,873 bytes    277.39 M

Administrator Account =  True

--------------------End log---------------------

-Dee
Title: CWS.HiddenDll
Post by: guestolo on December 03, 2004, 08:34:26 PM
Good work Dee, as you can see the hidden installer is wink.dll
You won't be able to view it as it's hidden right now
So what the other user posted about dpe.dll at 33kb in size is not correct

The newer version is usually always 56kb in size and randomly named
The older version is about 24 kb in size
Just give me a bit and I'll post a fix, I want to check a couple entries in your log
Title: CWS.HiddenDll
Post by: guestolo on December 03, 2004, 09:02:59 PM
Let's try this Dee, we should clean off a bit of this mess
We should use the Symantec uninstaller for some of this but I need you to download a few tools

Download and save to desktop this Removal Tool (http://securityresponse.symantec.com/avcenter/FxAgentB.exe) developed by Symantec

Don't run it yet

Also
Download and Install the free version of Ad-Aware SE Personal 1.05 (http://download.com.com/3000-2144-10045910.html?part=69274&subj=dlpage&tag=button)
This is a great free program, hang onto this
Ensure you have this version or later
If you don't have this version, uninstall yours and install this one
After installation-CHECK FOR UPDATES now!
Download all updates
Don't run a scan yet


Let's try some fixes
You may want to print this out, please disconnect completely from the Internet, close all browser windows, if you don't have a printer save these instructions to a Notepad file on your desktop
The below will take a few Restarts of your computer to finish

Double-click the FxAgentB removal tool by Symantec  to run it.
The program will scan your entire hard drive - this may take a while. When it is done, it will generate a log file called FxAgentB.log - save that information as you will need to paste it here later.
RESTART your computer when Done

==Double click to Run CWShredder, Let it FIX all problems
RESTART your computer again

==Open Ad-Aware, Make sure you checked for updates. Do a Full System Scan with Ad-Aware
When it's finished scanning
At this point you should either right click on the screen and choose the "Select All Objects" option or individually put a checkmark in each objects checkbox
click on the "Next" button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. If you would like to do so, press the "OK" button
RESTART your computer to finish the cleaning process

Once back in Windows
Set Windows To show Hidden Files and folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.

Do another scan with Hijackthis and put a check beside any of these entries if they still exist

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure

O2 - BHO: ICOODownloadManager Class - {BA7270AE-5636-4618-BAF3-F86ADA39F036} - C:\Program Files\ICOO Loader\addons4\icoourl.dll

O2 - BHO: ICOOExternalHandler Class - {ED657BAF-1EE5-4A07-9D2E-6D0525EFC69B} - C:\Program Files\ICOO Loader\addons4\icoourlext.dll

O4 - HKLM\..\Run: [Remndr] "C:\Program Files\CasinoOnline\CsRemnd.exe"

O4 - HKLM\..\Run: [MSNSysRestore] C:\WINDOWS\System32\pc32.exe bg

O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - (no file)
O16 - DPF: {0837121A-6472-43BD-8A40-D9221FF1C4CE} - http://download.sidestep.com/get/k42033/sb028.cab


After you have ticked the above entries, close out ALL other open Windows
Leave Hijackthis open and click FIX CHECKED
Yes to the Prompt and exit hijackthis
Restart your computer in SAFE MODE

Find and delete these files or folders if they exist
C:\WINDOWS\System32\pc32.exe <--file, this is a trojan

C:\Program Files\CasinoOnline <--folder
C:\Program Files\ICOO Loader <--folder

===Do a DiskCleanup>>START----Run---type in cleanmgr
Ensure that Temp and Temporary Internet Files are checked

Restart back into Normal Mode

Access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
Under the General tab---Delete files + offline content---Also Reset home page

Post back a fresh hijackthis log
Could you also run another scan with DLLCompare and post the log
Also post the FxAgentB.log

This gives you a little work to do, but it actually doesn't take that long

Then if you would like we should deal with some of your startup entries
A few are unnecessary
We'll deal with them later
A couple programs you installed are questionable, again we'll deal with them later
Let's get your log clean first
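A small triage script, added here as an example (it is not part of this thread, of HijackThis, or of any tool named above), that applies the checks guestolo walks through in the fix post to a HijackThis log: the about:NavigationFailure R0/R1 entries, the orphaned "(no file)" / "(file missing)" objects, and the ICOO Loader / CasinoOnline / pc32.exe paths from the fix list. It also groups the O4 entries by where they are registered (HKLM Run, HKCU Run, Global Startup), which is the part of the log Dee asked about a few posts up. The sample lines are copied from Dee's log above; the indicator lists, reason strings and function names are the example's own and are not a general signature set.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Every HijackThis line has the shape "SECTION - body" (R0, R1, O2, O4, O9, O16, ...).
HJT_LINE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")

# Indicators taken from this thread only (assumption: the values guestolo told Dee to fix).
HIJACK_VALUES = {"about:navigationfailure"}                      # CWS start/search-page hijack
BAD_PATH_FRAGMENTS = ("casinoonline", "icoo loader", "pc32.exe")  # paths on the fix list
ORPHAN_MARKERS = ("(no file)", "(file missing)")                 # registered object, file gone

REASON_HIJACK = "IE start/search page hijacked"
REASON_BAD_PATH = "path matches an indicator from this cleanup"
REASON_ORPHAN = "orphaned entry (target file missing): review, may be a harmless leftover"


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def parse_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (section, body) for a HijackThis entry line, or None for any other line."""
    m = HJT_LINE.match(line.strip())
    return (m.group("section"), m.group("body")) if m else None


def classify(section: str, body: str) -> Optional[str]:
    """Apply the thread's checks to one entry; return a reason string or None."""
    lower = body.lower()
    if section in ("R0", "R1") and "=" in body:
        value = body.split("=", 1)[1].strip().lower()
        if value in HIJACK_VALUES:
            return REASON_HIJACK
    if any(frag in lower for frag in BAD_PATH_FRAGMENTS):
        return REASON_BAD_PATH
    # Orphans are only meaningful for registered COM objects / buttons (O2, O3, O9);
    # the Norton "(file missing)" lines in Dee's log show these can be benign leftovers.
    if section in ("O2", "O3", "O9") and any(mk in lower for mk in ORPHAN_MARKERS):
        return REASON_ORPHAN
    return None


def triage(log_text: str) -> List[Finding]:
    """Return the entries a reader of this thread would tick in HijackThis, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        reason = classify(*parsed)
        if reason:
            findings.append(Finding(parsed[0], reason, raw.strip()))
    return findings


def startup_entries(log_text: str) -> Dict[str, List[str]]:
    """Group O4 autostart entries by registration point (HKLM\\..\\Run, HKCU\\..\\Run, Global Startup)."""
    groups: Dict[str, List[str]] = {}
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None or parsed[0] != "O4":
            continue
        location, _, target = parsed[1].partition(": ")
        groups.setdefault(location, []).append(target.strip())
    return groups


# Constructed sample: a handful of lines copied from Dee's HijackThis log in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: ICOODownloadManager Class - {BA7270AE-5636-4618-BAF3-F86ADA39F036} - C:\Program Files\ICOO Loader\addons4\icoourl.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Remndr] "C:\Program Files\CasinoOnline\CsRemnd.exe"
O4 - HKLM\..\Run: [MSNSysRestore] C:\WINDOWS\System32\pc32.exe bg
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - (no file)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:3} {f.reason}: {f.line}")
    for location, targets in startup_entries(SAMPLE_LOG).items():
        print(f"{location}: {len(targets)} autostart entries")
```

Run it against a saved log (`triage(open("hijackthis.log").read())`) and it prints the same seven entries guestolo listed for Dee; the ProxyOverride and ccApp lines are left alone because nothing in the thread identifies them as a problem. The orphan reason deliberately says "review" rather than "remove": the Norton "(file missing)" lines in Dee's log are a product leftover, and the thread never tells Dee to fix them.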
Title: CWS.HiddenDll
Post by: Dee on December 03, 2004, 09:18:45 PM
Thought I should let you know - I'm still here -

I'm just having trouble downloading the Ad-Aware software

Hang in there with me - Thanks so much for all your help

-Dee
Title: CWS.HiddenDll
Post by: guestolo on December 03, 2004, 09:23:05 PM
No problem Dee, I'll keep checking in
If you have trouble with that link, try another
http://www.lavasoftusa.com/support/download/

P.S. I'm not going to rush you, I want to make sure you can properly finish everything I recommended
Title: CWS.HiddenDll
Post by: Dee on December 03, 2004, 10:33:50 PM
I'm finally back -

here is the HJT log:

Logfile of HijackThis v1.98.2
Scan saved at 9:41:02 PM, on 12/3/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft Works\WksSb.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\QUICKENW\QWDLLS.EXE
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: FlpLauncher Class - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - C:\Program Files\E-Book Systems\FlipAlbum 5 Pro\FpLaunch.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [webscan] C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe -k
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - http://www.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {FAF76D4D-6525-443F-8C27-EA8898DDD745} - http://www.candid.com/ccsftp/default.cab



Now for the FxAgentB.log:

Symantec Backdoor.Agent.B Removal Tool 1.0.1.2

process: winlogon.exe, thread: 00000268 (terminated)
process: services.exe, thread: 000002C0 (terminated)
process: lsass.exe, thread: 000002BC (terminated)
process: svchost.exe, thread: 00000368 (terminated)
process: svchost.exe, thread: 000003B8 (terminated)
process: svchost.exe, thread: 0000043C (terminated)
process: svchost.exe, thread: 000004D4 (terminated)
process: svchost.exe, thread: 00000514 (terminated)
process: CCSETMGR.EXE, thread: 0000062C (terminated)
process: SNDSrvc.exe, thread: 00000640 (terminated)
process: CCEVTMGR.EXE, thread: 00000674 (terminated)
process: spoolsv.exe, thread: 00000760 (terminated)
process: CCPROXY.EXE, thread: 000007DC (terminated)
process: KodakCCS.exe, thread: 000000C0 (terminated)
process: NAVAPSVC.EXE, thread: 00000108 (terminated)
process: NPROTECT.EXE, thread: 000001CC (terminated)
process: nvsvc32.exe, thread: 00000070 (terminated)
process: SAVScan.exe, thread: 000002D4 (terminated)
process: ScsiAccess.EXE, thread: 000003E4 (terminated)
process: symlcsvc.exe, thread: 00000490 (terminated)
process: wdfmgr.exe, thread: 000004E4 (terminated)
process: SymWSC.exe, thread: 00000560 (terminated)
process: alg.exe, thread: 000006B4 (terminated)
process: explorer.exe, thread: 000009C0 (terminated)
process: CCAPP.EXE, thread: 00000A74 (terminated)
process: WkUFind.exe, thread: 00000AA8 (terminated)
process: realsched.exe, thread: 00000B18 (terminated)
process: jusched.exe, thread: 00000B48 (terminated)
process: qttask.exe, thread: 00000B78 (terminated)
process: iTunesHelper.exe, thread: 00000BB0 (terminated)
process: Directcd.exe, thread: 00000BC0 (terminated)
process: msmsgs.exe, thread: 00000BC8 (terminated)
process: AcroTray.exe, thread: 00000C2C (terminated)
process: iPodService.exe, thread: 00000CCC (terminated)
process: EasyShare.exe, thread: 00000D58 (terminated)
process: WkCalRem.exe, thread: 00000D94 (terminated)
process: QWDLLS.EXE, thread: 00000E10 (terminated)
process: SpySub.exe, thread: 00000DE8 (terminated)
process: Ad-Aware.exe, thread: 00000384 (terminated)
process: msiexec.exe, thread: 0000037C (terminated)
process: wordpad.exe, thread: 00000E20 (terminated)
process: FxAgentB.exe, thread: 000009F8 (terminated)

registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows: AppInit_DLLs (value set to "")

C:\Documents and Settings\David: (not scanned)
C:\System Volume Information: (not scanned)
C:\WINDOWS\system32\wink.dll: (will be deleted on next reboot)

The Backdoor.Agent.B removal was successful.
The system will delete 1 Backdoor.Agent.B files from your PC on next reboot.

Here is the report:

1 file(s) could not be deleted.
They will be deleted on next reboot.

The total number of the scanned files: 76528
The number of deleted files: 0
The number of viral processes terminated: 0
The number of viral threads terminated: 42
The number of registry entries fixed: 1

The tool initiated a system reboot.

I'm still working on the DLLCompare log

-Dee
Title: CWS.HiddenDll
Post by: Dee on December 03, 2004, 10:37:28 PM
Ok - I now have that DLLCompare Log:

*    DLLCompare Log version()
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

O^E says: "There were no files found :)"
________________________________________________

1,377 items found:  1,377 files, 0 directories.
Total of file sizes:  290,813,529 bytes    277.34 M

Administrator Account =  True

--------------------End log---------------------


Looks as if all may be well.............

-Dee
Title: CWS.HiddenDll
Post by: guestolo on December 03, 2004, 10:53:23 PM
Looks good Dee, just some startup entries if you want to control them on startup

But first if everything seems to be running well you should Clean out your System Restore Points
You don't want to Restore any Nasties
This will remove all your restore points and make a fresh one
Simply Disable System Restore---Restart your computer and then Enable System Restore
Here's a link if you need it that will explain
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm

You have a couple programs on your computer
This entry in your log
O4 - HKLM\..\Run: [webscan] C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe -k

I would uninstall StopSign, if you're not using any other Software from Acceleration Software
Fix that entry with Hijackthis and Restart your computer
Delete the C:\Program Files\Acceleration Software folder

This entry
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
I've never used SpySubtract, are you using the Trial Version?
If you don't need the paid version I would uninstall it
Hold onto Ad-Aware and Spybot 1.3
Make sure you are using this version of Spybot
Together they will do a Great job

You should install this program to help tighten up your security

SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html
Doesn't run in the background, Just install and run once
Check for updates every couple of weeks---Enable all protection after every update

Spybot has the Immunization feature---Click Immunize>>OK>>Immunize at the top

This entry
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
Shows file missing at the end of it which may indicate you are having trouble with
Norton's, are you?

Post back and let me know about the above if you don't mind

You also have other entries that you don't need running on startup, if you would like links to suggestions for disabling on startup and the link to that Startup application
let me know
It's a small download

I would definitely disable Kodak's backweb, it's as good as Spyware
Phones home unknowingly
Title: CWS.HiddenDll
Post by: Dee on December 03, 2004, 11:06:04 PM
Ok -

I'm not totally finished yet but have a quick question.

Do I do everything that you mentioned before I re-enable the Restore Utility?

And as for your question regarding SpySubtract - it is a trial version - which I don't care for at all.

I was having trouble for some time with Norton's -- But I believe it is fixed - the firewall and the anti-virus software haven't been giving me any trouble this week.

-Dee
Title: CWS.HiddenDll
Post by: Dee on December 03, 2004, 11:09:34 PM
I take that back - I am having trouble with the firewall

It's telling me that the Intrusion Detection is off and I can't seem to get it on.
The error it gives me is:  Failed to save setting.  Please verify that your Windows account is not restricted.


Dee
Title: CWS.HiddenDll
Post by: guestolo on December 03, 2004, 11:28:58 PM
I figured that entry indicated you were having troubles with Norton's
I saw it in your first log
I would disable System restore now and then restart your computer and then make sure you Re-enable it after restart

Your best bet would be to Uninstall Norton's and Reinstall,
Shut it down in your task manager first
I'm not sure what version of Norton's you're running but I would check their website
if you have trouble uninstalling or reinstalling
Here's a link
I'm taking a chance that this is your version
If for some reason your version is out of date or no longer supported, I have links to  a free Anti-Virus software that works really well
Norton's 2004 (http://service1.symantec.com/SUPPORT/nip.nsf/docid/2003111409501936?Open&src=&docid=2001090510510636&nsf=nip.nsf&view=docid&dtype=&prod=&ver=&osv=&osv_lvl=)

Here's some info on Acceleration Software
http://www.spywarewarrior.com/rogue_anti-spyware.htm#trustworthy
Scroll down to Note on eAcceleration Stop-Sign

Do the above, make sure that if you go the route of totally uninstalling Norton's
and reinstalling
Use Live Update to check for All updates, including program update. This is very important to work properly with XP's Service Pack 2

Why don't you do the above and post back a fresh hijackthis log and then we can disable some of those unnecessary startup entries if you would like
Title: CWS.HiddenDll
Post by: Dee on December 03, 2004, 11:30:00 PM
OK - did everything you mentioned-

Still willing to help me disable startups with that small download?

And I still don't know why my Firewall is giving me trouble - but I haven't tried to figure it out on my own either.

-Dee
Title: CWS.HiddenDll
Post by: Dee on December 03, 2004, 11:32:05 PM
Disregard that line about the Firewall- you are too fast for me - I had no idea you were all over it already

Title: CWS.HiddenDll
Post by: Dee on December 03, 2004, 11:34:47 PM
I forgot about that system restore thing.

I went ahead and did everything you mentioned - deleted programs, downloaded others.

Shoot.....did I cause any problems?

I'm going to hold tight before I do anything else.

So at this time it is still disabled

-Dee
Title: CWS.HiddenDll
Post by: Dee on December 03, 2004, 11:45:36 PM
I don't have a disc to reinstall the Firewall -

I purchased it online in June - I have a print out with the Activation Key - yet I have no idea (without some research) how to reinstall it from the net.

I believe I only had 90 days to do so.  

-Dee
Title: CWS.HiddenDll
Post by: guestolo on December 03, 2004, 11:51:49 PM
Okay Dee, Remember XP's SP2 has a little bit better firewall if you're having trouble with Norton's, you don't need both running
However Norton's is definitely better, if it's working properly

Here's a couple of links that I suggest that you look at to see what you can disable
http://computercops.biz/modules.php?name=StartupList
http://www.answersthatwork.com/Tasklist_pages/tasklist.htm

If you look at Tasklists page they like to Recommend the Ultimate Troubleshooter
It's a paid version, you don't need it
You can download and install the free version of Codestuff's Starter (http://codestuff.tripod.com/StarterSetup.zip)
from that direct link

Here's what I suggest that you disable on startup
Use those links and you will see what I mean, you may want to leave or disable others
Don't go crazy and disable everything

qttask.exe>>>Quicktime's system tray
First enter the preferences of quicktime and disable it on startup and then use STARTER to disable on startup

realsched.exe>>Realplayer's updater, definitely not needed on startup
But first End task on it in the taskmanager
Then navigate to this file
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
RENAME realsched.exe>>>realsched.old
This will ensure that it won't startup, Realplayer works fine without it
Again disable with STARTER

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
Sun Java's Updater
That entry in your log, you can access your Control panel>>>Open the Java Plugin
and disable this feature from Automatically checking for updates and manually do this once every couple of months
you can also disable with STARTER
You can also Clear Java's cache in this location too

These 2 entries in your log
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe

You can disable on startup, beforehand you may also want to navigate to
Start > Programs > Kodak > Kodak software updater > Kodak software updater setup.
Disable the Updater
Make sure you disable backweb.exe on startup

OSA9.EXE You can manually startup these programs
Here's a link that may help you out
I would use Codestuffs STARTER to disable
http://www.sysinfo.org/startuplist.php?filter=OSA9.EXE&count=&type=

Do some research and see what you need

I would definitely uninstall Norton's and reinstall if you are having problems with it...

Stay Safe Dee

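Added example (mine, not code from this thread or from HijackThis): a small Python triage helper that parses the O3/O4 lines quoted in this thread and sorts them the way the advice above does, so orphaned entries, shortcuts with an unresolved target, and the updaters/tray helpers recommended for disabling stand out at a glance. The sample lines are copied from the posted log; the UNINSTALL and DISABLE_ON_STARTUP lists encode guestolo's suggestions in this thread, not any general blocklist.

```python
import re
from dataclasses import dataclass
from typing import Optional
# Sample lines copied from the HijackThis log posted in this thread.
SAMPLE_LINES = [
    r"O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)",
    r"O4 - HKLM\..\Run: [webscan] C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe -k",
    r"O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe",
    r'O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background',
    r"O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?",
    r"O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe",
]
# File-name prefixes guestolo recommends uninstalling or disabling earlier in this thread.
UNINSTALL = ("stopsignav.exe", "spysub.exe")
DISABLE_ON_STARTUP = ("qttask.exe", "realsched.exe", "jusched.exe", "osa9.exe", "backweb")

@dataclass
class Entry:
    section: str          # "O3" or "O4"
    location: str         # HKLM\..\Run, HKCU\..\Run, Global Startup or Toolbar
    name: str             # registry value name, .lnk name or toolbar name
    command: str          # raw command line / shortcut target as logged
    exe: Optional[str]    # .exe/.dll path pulled out of command, None if unresolved
    file_missing: bool    # HijackThis appended "(file missing)"

# One regex for the three O3/O4 layouts: "[name] cmd", "name.lnk = target", "name - {CLSID} - path".
LINE_RE = re.compile(
    r"^(?P<section>O[34]) - (?P<location>HK(?:LM|CU)\\\.\.\\\w+|Global Startup|Toolbar): "
    r"(?:\[(?P<regname>[^\]]*)\] |(?P<lnkname>.+?\.lnk) = |(?P<tbname>.*?) - \{[0-9A-Fa-f-]+\} - )"
    r"(?P<command>.*)$")
# Drive-letter path up to the first .exe/.dll; tolerates a leading quote and trailing switches.
EXE_RE = re.compile(r'^"?(?P<path>[A-Za-z]:\\.*?\.(?:exe|dll))', re.IGNORECASE)

def parse_line(line: str) -> Optional[Entry]:
    """Parse one O3/O4 line; lines from other sections (O9, O16, ...) return None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    name = m.group("regname") or m.group("lnkname") or m.group("tbname") or ""
    command = m.group("command")
    exe = EXE_RE.match(command)
    return Entry(m.group("section"), m.group("location"), name, command,
                 exe.group("path") if exe else None, "(file missing)" in command.lower())

def triage(entry: Entry) -> str:
    """Apply the thread's advice: orphaned and unresolved entries first, then known helpers."""
    if entry.file_missing:
        return "orphaned: target file is gone, fix the entry in HijackThis"
    if entry.exe is None:
        return "unresolved target: inspect the shortcut by hand before fixing"
    base = entry.exe.rsplit("\\", 1)[-1].lower()
    if base.startswith(UNINSTALL):
        return "uninstall: flagged as unwanted software in this thread"
    if base.startswith(DISABLE_ON_STARTUP):
        return "disable at startup: updater or tray helper, not needed at boot"
    return "keep: no recommendation in this thread"

def triage_log(lines: list) -> dict:
    """Map each recognised entry name to its verdict."""
    parsed = (parse_line(ln) for ln in lines)
    return {e.name: triage(e) for e in parsed if e is not None}
```

Run triage_log(SAMPLE_LINES) to get one verdict per entry; the "keep" verdict only means the thread made no recommendation, not that the entry has been vetted.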
Title: CWS.HiddenDll
Post by: guestolo on December 04, 2004, 12:01:13 AM
If you restarted go ahead and Re-enable System Restore

I just noticed this
Quote
I don't have a disc to reinstall the Firewall -

I purchased it online in June - I have a print out with the Activation Key - yet I have no idea (without some research) how to reinstall it from the net.

I believe I only had 90 days to do so.

I'll look into it for you, maybe both of us can come up with something

But you definitely have to figure it out, just make sure that Norton's AV is running properly

If you have too much trouble with Norton's Firewall, disable it and use the XP firewall
You can find the Windows Firewall Icon in the Control Panel to enable it until we find a fix
Title: CWS.HiddenDll
Post by: Dee on December 04, 2004, 12:04:58 AM
Thanks so much for all your help this evening.....

I'll leave you alone for now....

But I have one very important question for you

WHO ARE YOU? ... AND HOW THE HECK DO YOU KNOW ALL OF THIS -

AND MORE IMPORTANTLY - HOW DO YOU GATHER THE INFO SO FAST THEN TO TYPE IT UP LIKE IT WAS NO TROUBLE AT ALL.

To make it even more amazing....all without a fee.

Thanks so much for your time.

I'm sure I will be visiting this site real soon. - I had no idea these forums were so helpful

LOL
-Dee
Title: CWS.HiddenDll
Post by: guestolo on December 04, 2004, 12:06:10 AM
Go to this site
http://www.symantec.com/sabu/nis/npf/

Maybe because you didn't Activate is the problem

You have to allow popups on this site
Click on the
Find out about Norton Personal Firewall 2005 Product Activation details
on the Right hand side

Some good info there
Let me know if you can activate and it works out for you
Title: CWS.HiddenDll
Post by: guestolo on December 04, 2004, 12:08:47 AM
I enjoy helping others with getting rid of this Malware from their computers

I don't consider it a game, because you can leave a person's computer in a real mess

But I'm not much for playing games
Except I really want the wife to buy me Half life 2 for Xmas
So this keeps me busy online

I forgot to add, when you go to that link for Norton's and click on Details
Then click on "Why Activate Software?"
Then "Support Resources"
Then "Click Here"

Should be some info there
Title: CWS.HiddenDll
Post by: Dee on December 04, 2004, 12:17:50 AM
Again thanks

My husband's going to think I'm a genius for figuring this out......All on my own of course!!!

-Dee
Title: CWS.HiddenDll
Post by: guestolo on December 04, 2004, 12:23:16 AM
Ahhh, we just won't tell him

Take care Dee
Title: CWS.HiddenDll
Post by: IvansPappa on December 12, 2004, 03:02:35 PM
I am sad to say that I have the same problem
I can't get rid of this cws.hiddendll
it is driving us NUTZ
Title: CWS.HiddenDll
Post by: guestolo on December 12, 2004, 03:44:00 PM
Can you start your own Post in this forum

But first
Download Hijackthis 1.98.2

Important: Create a Permanent folder for Hijackthis
Double Click "MY Computer"
Open your C: drive
Click "File" >>> "New" >>>> "Folder"
A new folder will be created, name it HJT

Now you will have C:\HJT

Download Hijackthis from HERE (https://ssl.perfora.net/tools.radiosplace.com/HijackThis.exe) or HERE (http://aumha.org/downloads/hijackthis.exe)
Save it to that new folder

Do a SCAN----Scan will change to SAVE LOG----copy and paste the WHOLE contents of the log
here... Don't try and fix anything yet----It is all important