TheTechGuide Forum
General Category => Tech Clinic => Topic started by: IvansPappa on December 12, 2004, 05:40:49 PM
-
Thank you for taking time to help me with this. I downloaded HijackThis as you instructed and the following is the log.
Thanks again.
Logfile of HijackThis v1.98.2
Scan saved at 4:51:25 PM, on 12/12/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetTray.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~3\ca.exe
C:\WINNT\system32\runner.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Speed Disk\nopdb.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetMsg.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hjt\HijackThis.exe
F1 - win.ini: run=C:\WINNT\..\PROGRA~1\COMMON~1\MICROS~1\MSInfo\
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: (no name) - {016C3F9D-7DE3-4F1E-8F99-5F55B27EE172} - (no file)
O3 - Toolbar: (no name) - {0341E606-BD3A-4C5D-9F08-7F74D38A7E67} - (no file)
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [EPSON Stylus C64 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S4I2C1.EXE /P23 "EPSON Stylus C64 Series" /O6 "USB001" /M "Stylus C64"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [Xerox WorkCentre 470cx Monitor] RUNDLL32.EXE C:\WINNT\system32\X470SHLL.DLL,AutoUpdatePnPValue
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetTray.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\CA\ETRUST~1\ETRUST~3\ca.exe
O4 - HKCU\..\Run: [runner.exe] C:\WINNT\system32\runner.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Vanisher] c:\spywarevanisher-free\FreeScanner.exe -FastScan
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4047/ftp.coupons.com/v3123/cpbrkpie.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
-
I don't see the entries in your log, let's try this
You have Spyware Vanisher installed; if you didn't pay for it I would get rid of it
Read this link for the reasons why
http://www.spywarewarrior.com/rogue_anti-spyware.htm
Spysweeper is recommended, as well as the next 2 which you can download and use for free
Download and Install the free version of Ad-Aware SE Personal 1.05 (http://download.com.com/3000-2144-10045910.html?part=69274&subj=dlpage&tag=button)
Ensure you have this version or later
If you don't have this version, uninstall yours and install this one
After installation-CHECK FOR UPDATES
Download all updates
Scan your system with Ad-Aware
Perform a Full System scan
When it's finished scanning
At this point you should either right click on the screen and choose the "Select All" Objects option or individually put a checkmark in each object's checkbox
Click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button
====================================================
RESTART your computer to finish the cleaning process
When you're back in Windows
Download and Install Spybot S&D 1.3 (http://www.download.com/3000-8022-10122137.html)
Don't enable TeaTimer when installing; you can do this later but leave it disabled for now
After installation--SEARCH FOR UPDATES
Download All updates
Check for Problems---FIX everything in RED
Restart your computer once again
Back in Windows
Download and save to desktop VX2 Finder (126) (http://downloads.subratam.org/VX2Finder(126).exe)
Open VX2 Finder and press the "Click to Find VX2.BetterInternet"
Press the "Make log"
Copy and paste the entire contents of the log back here
Can you Download DLLCompare (http://downloads.subratam.org/DllCompare.exe)
Start the Program and click the Run Locate.com
Default settings should work---C:\Windows\System32 directory
Let it complete the SCAN, which won't take long
Click the Compare button to start the next process. This will take a bit longer.
When it's done click the Make a log of what was found button and post it back here
Also post back a fresh Hijackthis log, thanks
-
Log for VX2.BetterInternet File Finder (msg126)
Files Found---
Additional Files---
Keys Under Notify---
crypt32chain
cryptnet
cscdll
igfxcui
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
wlballoon
Guardian Key--- is called:
User Agent String---
SV1
* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
C:\WINNT\SYSTEM32\d3dne.dll Fri Apr 16 2004 9:46:26p A...R 35,840 35.00 K
________________________________________________
1,315 items found: 1,315 files, 0 directories.
Total of file sizes: 268,876,891 bytes 256.42 M
Administrator Account = True
--------------------End log--------------------
Logfile of HijackThis v1.98.2
Scan saved at 7:23:49 PM, on 12/14/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetTray.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~3\ca.exe
C:\WINNT\system32\runner.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Speed Disk\nopdb.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetMsg.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\hjt\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
F1 - win.ini: run=C:\WINNT\..\PROGRA~1\COMMON~1\MICROS~1\MSInfo\
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {BB9C1FB3-FF7B-4A45-A054-9E1A8A9C7023} - C:\WINNT\system32\pjo.dll
O3 - Toolbar: (no name) - {016C3F9D-7DE3-4F1E-8F99-5F55B27EE172} - (no file)
O3 - Toolbar: (no name) - {0341E606-BD3A-4C5D-9F08-7F74D38A7E67} - (no file)
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [EPSON Stylus C64 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S4I2C1.EXE /P23 "EPSON Stylus C64 Series" /O6 "USB001" /M "Stylus C64"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [Xerox WorkCentre 470cx Monitor] RUNDLL32.EXE C:\WINNT\system32\X470SHLL.DLL,AutoUpdatePnPValue
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetTray.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\CA\ETRUST~1\ETRUST~3\ca.exe
O4 - HKLM\..\RunOnce: [AAW] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"
O4 - HKCU\..\Run: [runner.exe] C:\WINNT\system32\runner.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Vanisher] c:\spywarevanisher-free\FreeScanner.exe -FastScan
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4047/ftp.coupons.com/v3123/cpbrkpie.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O18 - Filter: text/html - {39AFD8DE-6D4C-40E8-9D2D-F9EFDD761F70} - C:\WINNT\system32\pjo.dll
O18 - Filter: text/plain - {39AFD8DE-6D4C-40E8-9D2D-F9EFDD761F70} - C:\WINNT\system32\pjo.dll
I hope this helps
-
I'd like to see if Symantec's tool will take care of this
First---Download and save to desktop this Removal Tool (http://securityresponse.symantec.com/avcenter/FxAgentB.exe) developed by Symantec
Don't run it yet
Second---Download and save to desktop The STANDALONE version of CWShredder (http://www.intermute.com/spysubtract/cwshredder_download.html)
Don't run it yet
Now for the fixes
==Double-click the FxAgentB removal tool by Symantec to run it.
The program will scan your entire hard drive - this may take a while. When it is done, it will generate a log file called FxAgentB.log - save that information as you will need to paste it here later.
RESTART your computer when Done
Back in windows:
Do another scan with Hijackthis and put a check next to these entries: If they exist
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {BB9C1FB3-FF7B-4A45-A054-9E1A8A9C7023} - C:\WINNT\system32\pjo.dll
O3 - Toolbar: (no name) - {016C3F9D-7DE3-4F1E-8F99-5F55B27EE172} - (no file)
O3 - Toolbar: (no name) - {0341E606-BD3A-4C5D-9F08-7F74D38A7E67} - (no file)
O4 - HKCU\..\Run: [Spyware Vanisher] c:\spywarevanisher-free\FreeScanner.exe -FastScan
O18 - Filter: text/html - {39AFD8DE-6D4C-40E8-9D2D-F9EFDD761F70} - C:\WINNT\system32\pjo.dll
O18 - Filter: text/plain - {39AFD8DE-6D4C-40E8-9D2D-F9EFDD761F70} - C:\WINNT\system32\pjo.dll
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
YES and exit Hijackthis
==Double click to Run to open CWShredder, Let it FIX all problems
RESTART your computer again
Find and delete this file if it exists
C:\WINNT\system32\pjo.dll
You may have to Set Windows to Show Hidden Files and Folders (http://www.xtra.co.nz/help/0,,4155-1916458,00.html)
Post back a fresh Hijackthis log ==== FxAgentB.log
Could you also let me know what this entry is related to
C:\WINNT\system32\runner.exe <--file
If you don't know what it is
Go to this site http://virusscan.jotti.dhs.org/
Give the link time to load
Use the Browse button and navigate to runner.exe and then Right click on it and Select it
then click the Submit button
Wait for the results and post back here the Scanner results
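The entries the helper picks out above follow a few recognisable patterns: IE search values redirected to about:NavigationFailure, an unnamed BHO and a text/html MIME filter both loaded from the same DLL in system32, orphaned toolbar CLSIDs with "(no file)", and a per-user Run entry pointing at an executable in the system directory. The script below is an added example, not code from this thread or from HijackThis; it parses log lines by their section prefix and applies those same heuristics so a reader can see how a log is triaged. The rules, the `Finding` type and the sample lines (copied from the logs posted in this thread and mixed with benign entries) are all constructed for the example.

```python
"""Triage of a HijackThis log: parse each entry by its section prefix and flag
the kinds of entries a helper would ask to have fixed.  Added example; it is
not code from this forum thread or from HijackThis itself, and the rules are
heuristics modelled on the entries singled out in this thread."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Entry lines look like "O4 - HKCU\..\Run: [name] path"; process-list and
# header lines do not match and are skipped.
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|O\d{1,2}) - (.*)$")
SYSTEM_DIR_RE = re.compile(r"\\WIN(NT|DOWS)\\SYSTEM32\\", re.IGNORECASE)
RUN_RE = re.compile(r"^(HK\w+)\\\.\.\\(Run\w*): \[(.*?)\] (.*)$")

# Constructed sample: lines copied from the logs posted in this thread, mixed
# with benign entries so the rules have something to leave alone.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {BB9C1FB3-FF7B-4A45-A054-9E1A8A9C7023} - C:\WINNT\system32\pjo.dll
O3 - Toolbar: (no name) - {016C3F9D-7DE3-4F1E-8F99-5F55B27EE172} - (no file)
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetTray.exe
O4 - HKCU\..\Run: [runner.exe] C:\WINNT\system32\runner.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O18 - Filter: text/html - {39AFD8DE-6D4C-40E8-9D2D-F9EFDD761F70} - C:\WINNT\system32\pjo.dll
O23 - Service: CA ISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
O23 - Service: PictureTaker - Unknown - c:\fixit\pt\PCTKRNT.SYS (file missing)
"""


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def _triple(body: str) -> List[str]:
    """Split 'Name - {CLSID} - path' into three parts.  maxsplit=2 keeps a
    path such as 'Spybot - Search & Destroy' intact."""
    parts = body.split(" - ", 2)
    return parts if len(parts) == 3 else (parts + ["", ""])[:3]


def check_entry(section: str, body: str) -> Optional[str]:
    """Return a reason string if the entry matches a triage rule, else None."""
    if section in ("R0", "R1"):
        key, _, value = body.partition(" = ")
        if value.startswith("about:NavigationFailure"):
            return "IE search/start value redirected to an about: error page"
        if key.endswith(",HomeOldSP"):
            return "HomeOldSP value present; it was set alongside the redirects in this thread"
    elif section == "O2":
        name, _clsid, path = _triple(body[len("BHO: "):])
        if name == "(no name)" and SYSTEM_DIR_RE.search(path):
            return "unnamed browser helper object loaded from the system directory"
    elif section == "O3":
        _name, _clsid, path = _triple(body[len("Toolbar: "):])
        if path == "(no file)":
            return "orphaned toolbar registration (CLSID with no file)"
    elif section == "O4":
        m = RUN_RE.match(body)
        if m and m.group(1) == "HKCU" and SYSTEM_DIR_RE.search(m.group(4)):
            return "per-user Run entry launching an executable from the system directory"
    elif section == "O18":
        mime, _clsid, _path = _triple(body[len("Filter: "):])
        if mime in ("text/html", "text/plain"):
            return f"MIME filter hooking {mime}; few legitimate programs register one"
    elif section == "O23":
        if body.endswith("(file missing)"):
            return "service registered for a file that no longer exists"
    return None


def triage(log_text: str) -> List[Finding]:
    """Run every entry line of a HijackThis log through check_entry."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # process list, headers, blank lines
        section, body = m.groups()
        reason = check_entry(section, body)
        if reason:
            findings.append(Finding(section, reason, raw.strip()))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against the sample, the script flags eight entries and leaves the Acrobat BHO, Spybot's SDHelper.dll, the VetTray and Messenger Run entries and the CA service alone; the O2 and O18 hits point at the same pjo.dll, which is the kind of correlation a helper uses to decide which file to delete.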
-
Symantec Backdoor.Agent.B Removal Tool 1.0.1.2
Backdoor.Agent.B has not been found on your computer.
* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
C:\WINNT\SYSTEM32\d3dne.dll Fri Apr 16 2004 9:46:26p A...R 35,840 35.00 K
________________________________________________
1,314 items found: 1,314 files, 0 directories.
Total of file sizes: 268,876,889 bytes 256.42 M
Administrator Account = True
--------------------End log---------------------
Logfile of HijackThis v1.98.2
Scan saved at 6:25:03 PM, on 12/15/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetTray.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~3\ca.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\WINNT\system32\runner.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Speed Disk\nopdb.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetMsg.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\System32\svchost.exe
C:\hjt\HijackThis.exe
F1 - win.ini: run=C:\WINNT\..\PROGRA~1\COMMON~1\MICROS~1\MSInfo\
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [EPSON Stylus C64 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S4I2C1.EXE /P23 "EPSON Stylus C64 Series" /O6 "USB001" /M "Stylus C64"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [Xerox WorkCentre 470cx Monitor] RUNDLL32.EXE C:\WINNT\system32\X470SHLL.DLL,AutoUpdatePnPValue
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetTray.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\CA\ETRUST~1\ETRUST~3\ca.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKCU\..\Run: [runner.exe] C:\WINNT\system32\runner.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.2) - https://java.sun.com/products/plugin/autodl/jinstall-1_4-windows-i586.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4047/ftp.coupons.com/v3123/cpbrkpie.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
and the runner.exe should be my roadrunner internet service, i think... I hope...lol
-
Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.
Use that link to the online virus file scan and submit it, and let me know what it finds in the Scanner results
You're looking for this file
C:\WINNT\system32\runner.exe
Also see if you can find this one and submit it too
C:\WINNT\SYSTEM32\d3dne.dll
You can copy and paste the scanner results back here
-
Service load: 0% 100%
File: runner.exe
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
Packers detected: FSG
AntiVir TR/Mitglieder.BK (0.30 seconds taken)
Avast Win32:Mitglieder-AA (1.61 seconds taken)
BitDefender Trojan.Proxy.Mitglieder.BK (0.31 seconds taken)
ClamAV Trojan.Proxy.W32.Mitglieder.O (0.31 seconds taken)
Dr.Web Win32.HLLM.Beagle.based (0.48 seconds taken)
F-Prot Antivirus No viruses found (0.06 seconds taken)
Kaspersky Anti-Virus TrojanProxy.Win32.Mitglieder.bk (0.61 seconds taken)
mks_vir Trojan.Trojanproxy.Mitglieder.Gen (0.20 seconds taken)
NOD32 probably unknown NewHeur_PE (probable variant) (0.38 seconds taken)
Norman Virus Control Sandbox: W32/Malware; [ General information ]
* File might be compressed.
* File length: 8064 bytes.
[ Changes to filesystem ]
* Creates file C:\WINDOWS\SYSTEM\runner.exe.
[ Changes to registry ]
* Creates key "HKCU\Software\Timeout".
* Sets value "uid"="238131497" in key "HKCU\Software\Timeout".
* Sets value "port"="" in key "HKCU\Software\Timeout".
* Sets value "pid"="" in key "HKCU\Software\Timeout".
* Creates value "runner.exe"="C:\WINDOWS\SYSTEM\runner.exe" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
[ Network services ]
* Looks for an Internet connection.
* Opens URL: http://www.lssacs.com/script.php?p=0&id=238131497p.
* Opens URL: http://www.lhmon.com/script.php?p=0&id=238131497p.
[ Security issues ]
* Possible backdoor functionality [QOS] port 4660.
[ Process/window information ]
* Will automatically restart after boot (I'll be back...).
* Enumerates running processes. (0.82 seconds taken)
Statistics
Last piece of malware found was TR/Mitglieder.BK in runner.exe, detected by:
Scanner Malware name Time taken
AntiVir TR/Mitglieder.BK 0.27 seconds
Avast Win32:Mitglieder-AA 1.67 seconds
BitDefender Trojan.Proxy.Mitglieder.BK 0.66 seconds
ClamAV Trojan.Proxy.W32.Mitglieder.O 0.54 seconds
Dr.Web Win32.HLLM.Beagle.based 0.88 seconds
F-Prot Antivirus X 0.06 seconds
Kaspersky Anti-Virus TrojanProxy.Win32.Mitglieder.bk 1.05 seconds
mks_vir Trojan.Trojanproxy.Mitglieder.Gen 0.66 seconds
NOD32 probably unknown NewHeur_PE 0.47 seconds
Norman Virus Control Sandbox: W32/Malware 1.03 seconds
and this is what I get when running the other file
C:\WINNT\SYSTEM32\d3dne.dll
The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file
so, I guess the runner.exe isn't my roadrunner huh...lol
-
Let's try this
Copy and paste these instructions to a Notepad file on your desktop
You can open up Notepad
START>>RUN>>Type in notepad and hit Enter
After you have downloaded Killbox could you close down all browsers and stay disconnected from the Internet until you're through
Download Pocket Killbox from here:
http://www.downloads.subratam.org/KillBox.zip
Unzip the files to the folder of your choice.
Next: Open up Hijackthis>>Click on Config button>>Misc Tools>>Open Process manager and kill this process
C:\WINNT\system32\runner.exe
Next
Do another scan with Hijackthis and put a check next to these entries:
O4 - HKCU\..\Run: [runner.exe] C:\WINNT\system32\runner.exe
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
YES and exit Hijackthis
Double-click on Killbox.exe to run it
click on Tools->Delete Temp Files
When that finishes, separately copy and paste each of the following bolded lines into the "Full Path of File to Delete" box in Killbox,
Ensure to check these options
"Delete File On Reboot"
on the .dll file also check "Unregister Dll Before deleting"
and click the red button with the white X on it after each
Don't allow the computer to Reboot until you have copied and pasted each to Path of file to delete
C:\WINNT\system32\runner.exe
C:\WINNT\SYSTEM32\d3dne.dll
Restart your computer
Back in Windows, Could you please update your version of Hijackthis to the latest, it was just updated
Open Hijackthis>>Config>>Misc Tools>>Check for updates online
Post back with a fresh hijackthis log
and a new DllCompare log
-
Logfile of HijackThis v1.99.0
Scan saved at 9:43:43 AM, on 12/18/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetTray.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~3\ca.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Speed Disk\nopdb.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetMsg.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\System32\svchost.exe
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
F1 - win.ini: run=C:\WINNT\..\PROGRA~1\COMMON~1\MICROS~1\MSInfo\
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [EPSON Stylus C64 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S4I2C1.EXE /P23 "EPSON Stylus C64 Series" /O6 "USB001" /M "Stylus C64"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [Xerox WorkCentre 470cx Monitor] RUNDLL32.EXE C:\WINNT\system32\X470SHLL.DLL,AutoUpdatePnPValue
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetTray.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\CA\ETRUST~1\ETRUST~3\ca.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.2) - https://java.sun.com/products/plugin/autodl/jinstall-1_4-windows-i586.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4047/ftp.coupons.com/v3123/cpbrkpie.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O23 - Service: CA ISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
O23 - Service: Intel® NMS - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton Utilities\NPROTECT.EXE
O23 - Service: PictureTaker - Unknown - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Speed Disk\nopdb.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VET Message Service - Computer Associates International, Inc. - C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetMsg.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe
* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
C:\WINNT\SYSTEM32\d3dne.dll Fri Apr 16 2004 9:46:26p A...R 35,840 35.00 K
________________________________________________
1,314 items found: 1,314 files, 0 directories.
Total of file sizes: 268,878,937 bytes 256.42 M
Administrator Account = True
--------------------End log---------------------
killbox says that this file no longer exists....
I have my files set to show hidden files as well..
is it possible that this file is gone and dll compare is picking it up from a previous scan?
-
Let's try this
Download and save to desktop
Sphjfix (http://www.trojaner-info.de/cgi-bin/download.cgi?file=sphjfix)
Do another scan with Hijackthis and put a check next to these entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
YES and exit Hijackthis
Double click to run Sphjfix and follow the prompts
After it's finished open up CWShredder and FIX all problems
RESTART your computer
Post back a fresh hijackthis log and a NEW DllCompare log
-
Logfile of HijackThis v1.99.0
Scan saved at 6:45:21 PM, on 12/18/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\Program Files\Speed Disk\nopdb.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetMsg.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetTray.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~3\ca.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe
F1 - win.ini: run=C:\WINNT\..\PROGRA~1\COMMON~1\MICROS~1\MSInfo\
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {07D37645-47DA-4A15-B495-4940C8299A11} - C:\WINNT\system32\ebfdn.dll (file missing)
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [Xerox WorkCentre 470cx Monitor] RUNDLL32.EXE C:\WINNT\system32\X470SHLL.DLL,AutoUpdatePnPValue
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetTray.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\CA\ETRUST~1\ETRUST~3\ca.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.2) - https://java.sun.com/products/plugin/autodl/jinstall-1_4-windows-i586.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4047/ftp.coupons.com/v3123/cpbrkpie.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O23 - Service: CA ISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
O23 - Service: Intel® NMS - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton Utilities\NPROTECT.EXE
O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Speed Disk\nopdb.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VET Message Service - Computer Associates International, Inc. - C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetMsg.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe
* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
O^E says: "There were no files found :)"
________________________________________________
1,313 items found: 1,313 files, 0 directories.
Total of file sizes: 268,848,217 bytes 256.39 M
Administrator Account = True
--------------------End log---------------------
that seems to eliminate the dll file that dll compare was finding.
tell me its almost over....
lol
seriously, I do appreciate this a ton.
if there is anyway I can repay you...?
you name it.
-
That looks better
if there is anyway I can repay you...?
you name it.
You bet there is, here's how, stay clean
:D
We should disable System Restore and restart your computer to clear all your restore points, then re-enable it again at system startup; this will create a fresh restore point.
This is to ensure that you don't restore any Nasties
1. Right click the My Computer icon on the Desktop and click on Properties.
2. Click on the System Restore tab.
3. Put a check mark next to 'Turn off System Restore on All Drives'.
4. Click the 'OK' button.
5. You will be prompted to restart the computer. Click Yes. If not prompted, restart anyway.
Note: To re-enable the Restore Utility, follow steps one to five and on step three remove the check mark next to 'Turn off System Restore on All Drives'.
But first
Do another scan with Hijackthis and put a check next to these entries:
O2 - BHO: (no name) - {07D37645-47DA-4A15-B495-4940C8299A11} - C:\WINNT\system32\ebfdn.dll (file missing)
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
YES and exit Hijackthis
Disable System Restore
RESTART your computer
Re-enable System Restore when you're back in Windows
You should install this free app.
Add extra security while
silently protecting you, without running in the background
SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html
Just run it once, and check for updates every couple of weeks, enable all protection after every update
Hold onto Ad-Aware and Spybot and check for updates every couple of weeks and run scans after an update
Ad-aware= You can run a smart system scan, it's quicker, run a full system scan once in awhile
A little added protection
Open Spybot, Click on Immunize>>OK>>Immunize at the top
Do this after every update
Clear out those temp folders too
Start>>Run>>type in cleanmgr and hit Enter or OK
If you would like a free utility that does a deeper cleaning for temp folders, cookies, and the prefetch folder,
Post back and let me know
Stay safe Ivans>>>My reward!
:lol:
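The two fix lists above (the R0/R1 search entries in the first reply and the orphaned O2 BHO in the last one) both come from reading the HijackThis log for the same two signs: an IE search setting set to about:NavigationFailure, and an entry whose target file no longer exists. As an added example, not part of this thread or of HijackThis itself, here is a small Python triage script that applies those two checks to log lines; the sample log is constructed from lines quoted in this thread.

```python
import re

# Constructed sample: a handful of lines taken from the HijackThis logs
# posted in this thread, mixed with ordinary entries for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {07D37645-47DA-4A15-B495-4940C8299A11} - C:\WINNT\system32\ebfdn.dll (file missing)
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetTray.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O23 - Service: PictureTaker - Unknown - c:\fixit\pt\PCTKRNT.SYS (file missing)
"""

# Every HijackThis entry starts with a section code (R0, O2, O23, ...).
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")

# about:NavigationFailure is the value the helper had the poster remove
# from the IE search settings; treat it as a hijacked-setting marker.
SUSPECT_SEARCH_VALUES = {"about:NavigationFailure"}

def triage(log_text):
    """Return (section, reason, line) for each entry worth a second look."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # banner, process list, blank line
        section, body = m.group("section"), m.group("body")
        if section in ("R0", "R1"):
            value = body.split(" = ", 1)[-1]
            if value in SUSPECT_SEARCH_VALUES:
                findings.append((section, "IE search setting points at " + value, line))
        elif body.endswith("(file missing)") or body.endswith("(no file)"):
            # Orphaned BHO/button/service entries: the referenced file is gone,
            # so the registry entry is leftover and is what "Fix checked" removes.
            findings.append((section, "orphaned entry, target file absent", line))
    return findings

def sections_flagged(log_text):
    """Sorted list of distinct section codes that produced a finding."""
    return sorted({s for s, _, _ in triage(log_text)})

if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}: {line}")
```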