TheTechGuide Forum
General Category => Tech Clinic => Topic started by: donna4909 on June 11, 2008, 03:29:27 PM
-
This thing is driving me nuts. I can't seem to get rid of it. Spybot finds it as -coolwwwsearch.aff.winshow. It tries to delete, but can't because the program is running in the memory. Asks to run again on restart, but is still unable to remove it.
Hijack this log:
Logfile of HijackThis v1.98.1
Scan saved at 4:37:56 PM, on 6/11/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\PROGRA~1\Firewall\OUTPOS~1\outpost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\ps2.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\svchost.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\taskmgr.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Firewall\OUTPOS~1\outpost.exe /waitservice
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\RunServices: [Generic Host Process for Win32 Services] scvhost.exe
O4 - HKLM\..\RunOnce: [RegisterHPDeviceDetectionDll] regsvr32.exe /s "C:\Program Files\HP\Common\HPDeviceDetection.dll"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: svchost.exe
O4 - Global Startup: taskmgr.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://setup.bellsouth.net/wizlet/PWReset/static/controls/WebflowActiveXInstaller_6-1-2.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1213061818452
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
--------------------------------------------------------------------
CWShredder:
CWShredder v1.44.2 scan only report
Windows XP (5.01.2600 SP1)
Windows dir: C:\WINDOWS
Windows system dir: C:\WINDOWS\system32
AppData folder: C:\Documents and Settings\Owner\Application Data
Username: Owner
Found Hosts file: C:\WINDOWS\system32\drivers\etc\hosts (4218 bytes, A)
Shell Registry value: HKLM\..\WinLogon [Shell] Explorer.exe
UserInit Registry value: HKLM\..\WinLogon [UserInit] C:\WINDOWS\System32\userinit.exe,
Found Win.ini file: C:\WINDOWS\win.ini (975 bytes, A)
Found System.ini file: C:\WINDOWS\system.ini (274 bytes, A)
- END OF REPORT -
-
Your version of Hijackthis is out of date
Can you delete your copy
Then do the following
Download Hijackthis Installer from HERE: http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe
For an alternate download location, you can try HERE: http://fileforum.betanews.com/detail/HijackThis/1071179190/1
SAVE it to your desktop
Double click on HJTInstall.exe to run it
Choose Install
Hijackthis v2.0.2 will open
Can you just close it for now, we'll need it in a bit
NEXT:
Download Deckard's System Scanner (dss.exe) from http://deckard.geekstogo.com/dss.exe to your desktop.
Close all applications and windows.
Double-click on dss.exe to run it and follow the prompts.
When the scan is complete, two text files will open: main.txt, which will be maximized, and extra.txt, which will be minimized.
Post back just the whole contents of Main.txt and Extra.txt.
NOTE: Before you copy the logs, click on FORMAT >> and uncheck Word Wrap if it is checked, please.
-
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:52:05 PM, on 6/11/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\PROGRA~1\Firewall\OUTPOS~1\outpost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\ps2.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\svchost.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\taskmgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Firewall\OUTPOS~1\outpost.exe /waitservice
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\RunServices: [Generic Host Process for Win32 Services] scvhost.exe
O4 - HKLM\..\RunOnce: [RegisterHPDeviceDetectionDll] regsvr32.exe /s "C:\Program Files\HP\Common\HPDeviceDetection.dll"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - Global Startup: svchost.exe
O4 - Global Startup: taskmgr.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://setup.bellsouth.net/wizlet/PWReset/static/controls/WebflowActiveXInstaller_6-1-2.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1213061818452
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\Firewall\OUTPOS~1\outpost.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe
--
Deckard's System Scanner v20071014.68
Run by Owner on 2008-06-11 17:54:28
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- System Restore --------------------------------------------------------------
Successfully created a Deckard's System Scanner Restore Point.
-- Last 5 Restore Point(s) --
11: 2008-06-11 21:54:37 UTC - RP509 - Deckard's System Scanner Restore Point
10: 2008-06-11 19:20:46 UTC - RP508 - Configured CuteFTP 6 Professional
9: 2008-06-11 08:04:39 UTC - RP507 - Spybot-S&D Spyware removal
8: 2008-06-11 08:03:06 UTC - RP506 - Spybot-S&D Spyware removal
7: 2008-06-11 04:48:52 UTC - RP505 - Installed Windows XP KB898461.
-- First Restore Point --
1: 2008-06-11 00:07:20 UTC - RP499 - System Checkpoint
Backed up registry hives.
Performed disk cleanup.
Total Physical Memory: 510 MiB (512 MiB recommended).
System Drive C: has 1.56 GiB (less than 15%) free.
-- HijackThis (run as Owner.exe) -----------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:55:42 PM, on 6/11/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\PROGRA~1\Firewall\OUTPOS~1\outpost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\ps2.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\svchost.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\taskmgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1\Owner.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Firewall\OUTPOS~1\outpost.exe /waitservice
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\RunServices: [Generic Host Process for Win32 Services] scvhost.exe
O4 - HKLM\..\RunOnce: [RegisterHPDeviceDetectionDll] regsvr32.exe /s "C:\Program Files\HP\Common\HPDeviceDetection.dll"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - Global Startup: svchost.exe
O4 - Global Startup: taskmgr.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://setup.bellsouth.net/wizlet/PWReset/static/controls/WebflowActiveXInstaller_6-1-2.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1213061818452
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\Firewall\OUTPOS~1\outpost.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe
--
End of file - 3748 bytes
-- File Associations -----------------------------------------------------------
.bat - batfile - shell\edit\command - unable to read value
.cmd - cmdfile - shell\edit\command - unable to read value
.inf - inffile - shell\open\command - unable to read value
.ini - inifile - shell\open\command - unable to read value
.reg - regfile - shell\edit\command - unable to read value
.txt - txtfile - shell\open\command - unable to read value
.vbs - VBSFile - shell\edit\command - unable to read value
-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------
R1 VFILT (Outpost Firewall Kernel Driver) - c:\program files\firewall\outpost firewall\kernel\2000\filtnt.sys <Not Verified; Agnitum; Virtual Firewall>
R2 CdaC15BA - c:\windows\system32\drivers\cdac15ba.sys
R3 ADBLOCK.DLL (Outpost Firewall PlugIn (ADBLOCK.DLL)) - c:\program files\firewall\outpost firewall\kernel\adblock.dll <Not Verified; Agnitum; Outpost Firewall>
R3 CONTENT.DLL (Outpost Firewall PlugIn (CONTENT.DLL)) - c:\program files\firewall\outpost firewall\kernel\content.dll <Not Verified; Agnitum; Outpost Firewall>
R3 DNSCACHE.DLL (Outpost Firewall PlugIn (DNSCACHE.DLL)) - c:\program files\firewall\outpost firewall\kernel\dnscache.dll <Not Verified; Agnitum; Outpost Firewall>
R3 EPPSCSIx (EPPSCSI Driver) - c:\windows\system32\drivers\eppscan.sys <Not Verified; EPPSCAN WDM Driver; EPPSCAN Parallel Port Device Driver>
R3 FTPFILT.DLL (Outpost Firewall PlugIn (FTPFILT.DLL)) - c:\program files\firewall\outpost firewall\kernel\ftpfilt.dll <Not Verified; Agnitum; Outpost Firewall>
R3 HTMLFILT.DLL (Outpost Firewall PlugIn (HTMLFILT.DLL)) - c:\program files\firewall\outpost firewall\kernel\htmlfilt.dll <Not Verified; Agnitum; Outpost Firewall>
R3 HTTPFILT.DLL (Outpost Firewall PlugIn (HTTPFILT.DLL)) - c:\program files\firewall\outpost firewall\kernel\httpfilt.dll <Not Verified; Agnitum; Outpost Firewall>
R3 i81x - c:\windows\system32\drivers\i81xnt5.sys <Not Verified; Intel® Corporation; Intel® Graphics Accelerator Drivers for Windows NT®>
R3 IMAPFILT.DLL (Outpost Firewall PlugIn (IMAPFILT.DLL)) - c:\program files\firewall\outpost firewall\kernel\imapfilt.dll <Not Verified; Agnitum; Outpost Firewall>
R3 MAILFILT.DLL (Outpost Firewall PlugIn (MAILFILT.DLL)) - c:\program files\firewall\outpost firewall\kernel\mailfilt.dll <Not Verified; Agnitum; Outpost Firewall>
R3 NNTPFILT.DLL (Outpost Firewall PlugIn (NNTPFILT.DLL)) - c:\program files\firewall\outpost firewall\kernel\nntpfilt.dll <Not Verified; Agnitum; Outpost Firewall>
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>
R3 POP3FILT.DLL (Outpost Firewall PlugIn (POP3FILT.DLL)) - c:\program files\firewall\outpost firewall\kernel\pop3filt.dll <Not Verified; Agnitum; Outpost Firewall>
R3 PROTECT.DLL (Outpost Firewall PlugIn (PROTECT.DLL)) - c:\program files\firewall\outpost firewall\kernel\protect.dll <Not Verified; Agnitum; Outpost Firewall>
S3 Freedom (FREEDOM Miniport) - c:\windows\system32\drivers\freedom.sys (file missing)
S3 GTNDIS5 (GTNDIS5 NDIS Protocol Driver) - c:\windows\system32\gtndis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
S3 KBCAM (JamC@m ("JamC@m") USB service) - c:\windows\system32\drivers\kbcam.sys (file missing)
S3 MREMP50 (MREMP50 NDIS Protocol Driver) - c:\program files\common files\motive\mremp50.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
S3 MREMP50a64 (MREMP50a64 NDIS Protocol Driver) - c:\progra~1\common~1\motive\mremp50a64.sys (file missing)
S3 MRESP50 (MRESP50 NDIS Protocol Driver) - c:\program files\common files\motive\mresp50.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
S3 MRESP50a64 (MRESP50a64 NDIS Protocol Driver) - c:\progra~1\common~1\motive\mresp50a64.sys (file missing)
S3 PCDRDRV (Pcdr Helper Driver) - c:\windows\system32\drivers\pcdrdrv.sys (file missing)
S3 PcdrNt - c:\windows\system32\drivers\pcdrnt.sys (file missing)
S3 S3SavageNB - c:\windows\system32\drivers\s3gnbm.sys <Not Verified; S3 Graphics, Inc.; S3 ProSavage & Twister Miniport Driver>
S3 usbsermpt (Motorola USB Modem Driver for MPT) - c:\windows\system32\drivers\usbsermpt.sys <Not Verified; Microsoft Corporation; Microsoft® Windows ® 2000 Operating System>
-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------
R2 McciCMService - "c:\program files\common files\motive\mccicmservice.exe" <Not Verified; Motive Communications, Inc.; >
R2 OutpostFirewall (Outpost Firewall Service) - c:\progra~1\firewall\outpos~1\outpost.exe /service <Not Verified; Agnitum; Outpost Firewall>
S4 C-DillaCdaC11BA - c:\windows\system32\drivers\cdac11ba.exe <Not Verified; Macrovision; SafeCast Windows NT>
-- Device Manager: Disabled ----------------------------------------------------
Class GUID: {4D36E96D-E325-11CE-BFC1-08002BE10318}
Description: Lucent Win Modem
Device ID: PCI\VEN_11C1&DEV_044E&SUBSYS_044E1235&REV_02\4&24AB0D93&0&58F0
Manufacturer: Lucent
Name: Lucent Win Modem
PNP Device ID: PCI\VEN_11C1&DEV_044E&SUBSYS_044E1235&REV_02\4&24AB0D93&0&58F0
Service: Modem
Class GUID: {4D36E96D-E325-11CE-BFC1-08002BE10318}
Description: Standard Modem
Device ID: ROOT\MODEM\0000
Manufacturer: (Standard Modem Types)
Name: Standard Modem
PNP Device ID: ROOT\MODEM\0000
Service: Modem
-- Scheduled Tasks -------------------------------------------------------------
2003-08-11 17:11:37 495 --a------ C:\WINDOWS\Tasks\TASK20030402041953.job
-- Files created between 2008-05-11 and 2008-06-11 -----------------------------
2008-06-11 17:54:23 0 d-------- \Deckard
2008-06-11 16:26:23 0 d-------- C:\Program Files\InterMute
2008-06-11 15:48:47 0 d-------- C:\Documents and Settings\Owner\Application Data\Key Metric Software
2008-06-11 15:38:10 0 d-------- C:\Program Files\SpaceAnylizer
2008-06-11 15:38:10 0 d-------- C:\Program Files\Common Files\Key Metric Software
2008-06-11 15:38:08 0 d--h----- C:\Documents and Settings\All Users\Application Data\{2523FC71-7736-4A2A-B0C7-8D36B58E4800}
2008-06-11 00:48:52 0 d-------- C:\WINDOWS\System32\PreInstall
2008-06-11 00:48:44 0 d--h----- C:\WINDOWS\$hf_mig$
2008-06-11 00:42:15 0 dr-h----- C:\Documents and Settings\Owner\Recent
2008-06-11 00:29:34 0 d-------- C:\WINDOWS\System32\bits
2008-06-10 05:19:35 0 d-------- C:\Program Files\Common Files\Webroot Shared
2008-06-10 05:19:35 0 d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-05-16 15:38:56 534827008 --ahs---- \hiberfil.sys
2008-05-16 15:27:29 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2008-05-16 15:27:28 0 d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-05-16 15:27:28 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-05-16 15:27:28 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-05-16 15:27:28 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-05-16 15:27:28 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-05-16 15:27:28 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-05-16 15:27:28 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-05-16 15:27:28 0 dr------- C:\Documents and Settings\Administrator\My Documents
2008-05-16 15:27:28 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-05-16 15:27:28 0 dr------- C:\Documents and Settings\Administrator\Favorites
2008-05-16 15:27:28 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-05-16 15:27:28 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-05-16 15:27:28 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-05-16 15:27:28 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-05-16 15:27:28 0 d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
2008-05-16 15:27:28 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-05-16 15:27:28 0 d-------- C:\Documents and Settings\Administrator\Application Data\Corel
2008-05-16 15:27:27 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
-- Find3M Report ---------------------------------------------------------------
2008-06-11 17:49:51 0 d-------- C:\Program Files\Full Tilt Poker.Net
2008-06-11 16:26:08 313283 --a------ C:\Program Files\cwshredder.zip
2008-06-11 16:11:17 0 d-------- C:\Program Files\hp
2008-06-11 15:38:10 0 d-a------ C:\Program Files\Common Files
2008-06-11 15:21:03 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-11 02:12:07 0 d-------- C:\Program Files\Visual Labels
2008-06-11 02:12:07 0 d-------- C:\Documents and Settings\Owner\Application Data\LimeWire
2008-06-11 00:43:19 786432000 --ahs---- \pagefile.sys
2008-06-10 16:57:37 0 d-------- C:\Documents and Settings\Owner\Application Data\GlobalSCAPE
2008-06-10 05:22:06 0 d-------- C:\Program Files\Winamp
2008-06-10 05:19:36 0 d-------- C:\Documents and Settings\Owner\Application Data\Webroot
2008-06-10 05:19:35 0 d-------- C:\Program Files\Webroot
2008-06-04 22:26:16 0 d-------- C:\Program Files\SoapMaker
2008-05-14 14:03:18 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-14 13:36:03 0 d-------- C:\Program Files\Common Files\ACD Systems
2008-05-14 13:36:02 0 d-------- C:\Program Files\ACD Systems
2008-04-30 03:13:32 0 d-------- C:\Program Files\Common Files\Motive
2008-04-28 22:54:35 0 d-------- C:\Documents and Settings\Owner\Application Data\Adobe
-- Registry Dump ---------------------------------------------------------------
Unable to run batchfile; The process cannot access the file because it is being used by another process.
ComSpec: C:\WINDOWS\system32\cmd.exe
-- Hosts -----------------------------------------------------------------------
127.0.0.1 bin.errorprotector.com ## added by CiD
127.0.0.1 br.errorsafe.com ## added by CiD
127.0.0.1 br.winantivirus.com ## added by CiD
127.0.0.1 br.winfixer.com ## added by CiD
127.0.0.1 cdn.drivecleaner.com ## added by CiD
127.0.0.1 cdn.errorsafe.com ## added by CiD
127.0.0.1 cdn.winsoftware.com ## added by CiD
127.0.0.1 de.errorsafe.com ## added by CiD
127.0.0.1 de.winantivirus.com ## added by CiD
127.0.0.1 download.cdn.drivecleaner.com ## added by CiD
60 more entries in hosts file.
-- End of Deckard's System Scanner: finished at 2008-06-11 17:56:53 ------------
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------
-- System Information ----------------------------------------------------------
Microsoft Windows XP Home Edition (build 2600) SP 1.0
Architecture: X86; Language: English
CPU 0: Intel® Celeron(tm) CPU 1200MHz
Percentage of Memory in Use: 49%
Physical Memory (total/avail): 509.98 MiB / 257.39 MiB
Pagefile Memory (total/avail): 1229.61 MiB / 1075.78 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1942.89 MiB
A: is Removable (No Media)
C: is Fixed (NTFS) - 32.64 GiB total, 1.56 GiB free.
D: is CDROM (CDFS)
\\.\PHYSICALDRIVE0 - SAMSUNG SV4002H - 37.3 GiB - 2 partitions
\PARTITION0 - Unknown - 4.66 GiB
\PARTITION1 (bootable) - Installable File System - 32.64 GiB - C:
-- Security Center -------------------------------------------------------------
AUOptions is set to notify before download.
-- Environment Variables -------------------------------------------------------
Unable to get environment variables; The process cannot access the file because it is being used by another process.
ComSpec: C:\WINDOWS\system32\cmd.exe
-- User Profiles ---------------------------------------------------------------
Owner (admin)
Administrator (admin)
-- Add/Remove Programs ---------------------------------------------------------
Adobe Flash Player ActiveX --> C:\WINDOWS\System32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\System32\Macromed\Flash\uninstall_plugin.exe
Adobe Photoshop 7.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop 7.0\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop 7.0\Uninst.dll"
Adobe Shockwave Player --> C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~2\UNWISE.EXE C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~2\Install.log
Agnitum Outpost Firewall Pro 2.1 --> "C:\Program Files\Firewall\Outpost Firewall\uninst.exe"
hp center --> C:\WINDOWS\BWUnin-6.1.0.153.exe -AppId 137903
SafeCast Shared Components --> C:\WINDOWS\CDAC13BA.EXE /uninstall
Win32 BI Application --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\payload.inf, Uninstall
FolderSizes 4 --> "C:\Documents and Settings\All Users\Application Data\{2523FC71-7736-4A2A-B0C7-8D36B58E4800}\FolderSizes4-Setup.exe" REMOVE=TRUE MODIFY=FALSE
HijackThis 2.0.2 --> "C:\Program Files\HijackThis\HijackThis.exe" /uninstall
Internet Explorer Q822925 --> C:\WINDOWS\ieuninst.exe C:\WINDOWS\INF\Q822925.inf
DesignPro 5.0 Limited Edition --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{97AE00A8-1336-410F-B467-1C6623127BD6}
Windows XP Hotfix - KB833680 --> C:\WINDOWS\$NtUninstallKB833680$\spuninst\spuninst.exe
Windows XP Hotfix - KB842773 --> C:\WINDOWS\$NtUninstallKB842773$\spuninst\spuninst.exe
Windows Installer 3.1 (KB893803) --> "C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe"
Update for Windows XP (KB898461) --> "C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
Mozilla Firefox (1.0) --> C:\WINDOWS\UninstallFirefox.exe /ua "1.0 (en-US)"
Network Play System (Patching) --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Electronic Arts\Network Play System\NPSPatch.isu"
NVIDIA Windows 2000/XP Display Drivers --> rundll32.exe C:\WINDOWS\System32\nvinstnt.dll,NvUninstallNT4 nvhp.inf
Outlook Express Update Q330994 --> C:\WINDOWS\Q330994.exe C:\WINDOWS\INF\Q330994.inf
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
PS2 --> C:\WINDOWS\system32\ps2.exe uninstall
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\System32\QuickTime\Uninstall.log
Real Alternative 1.21 --> "C:\Program Files\Real Alternative\unins000.exe"
S3 Gamma --> s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3 Gamma'
S3 Savage4 Family Display Switch2 Utility --> S3Uninst.exe -reg 5 HKLM\SOFTWARE\S3\S3Uninst\S3Switch2
Shockwave --> C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~1\Install.log
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\System32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Spybot - Search & Destroy 1.3 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SuperCleaner --> "C:\Program Files\SuperCleaner\Uninst.exe" C:\Program Files\SuperCleaner\Uninst.ini
Visual Labels --> C:\PROGRA~1\VISUAL~1\UNWISE.EXE C:\PROGRA~1\VISUAL~1\INSTALL.LOG
Winamp (remove only) --> "C:\Program Files\Winamp\UninstWA.exe"
Window Washer --> C:\WINDOWS\Unwash6.exe
Windows Media Format Runtime Beta --> C:\Program Files\Windows Media Player\Setup_wm.exe /UninstallAll
Windows Media Player 10 Beta --> C:\Program Files\Windows Media Player\Setup_wm.exe /Uninstall
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
XviD MPEG-4 Codec --> "C:\Program Files\XviD\UninstXviD.exe"
Microsoft FrontPage 2000 --> MsiExec.exe /I{00120409-78E1-11D2-B60F-006097C998E7}
FolderSizes 4 --> C:\Documents and Settings\All Users\Application Data\{2523FC71-7736-4A2A-B0C7-8D36B58E4800}\FolderSizes4-Setup.exe
ACDSee 6.0 PowerPack --> MsiExec.exe /I{271B64EE-3E1B-4381-A8FE-012390050492}
Java(tm) SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
Veo Digital Studio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{45AEEA61-04F8-11D6-8B35-0080C8F5C4AA}\SETUP.EXE" -l0x9
SoapMaker --> MsiExec.exe /X{500FB6E8-7127-11D8-9EFC-00B0D083537B}
Powertoys For Windows XP --> MsiExec.exe /I{6C31E111-96BB-4ADC-9C81-E6D3EEDDD8D3}
REALTEK Gigabit and Fast Ethernet NIC Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{94FB906A-CF42-4128-A509-D353026A607E}\Setup.exe" -l0x9 REMOVE
The Sims Makin' Magic --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9A00D1BA-D03A-44E5-AF28-86A1F377DF61}\setup.exe" -l0009
Veo Stingray --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AD88E6DF-A288-4E09-A59B-68E94373BAC7}\SETUP.EXE" -l0x9
Tweakui Powertoy for Windows XP --> MsiExec.exe /I{C7793EE8-F666-4E6B-9827-76468679480E}
HP Product Detection --> MsiExec.exe /X{CAE7D1D9-3794-4169-B4DD-964ADBC534EE}
Paint Shop Pro 7 ESD --> MsiExec.exe /I{D6DE02C7-1F47-11D4-9515-00105AE4B89A}
Namo WebEditor 5.5 Trial --> C:\Program Files\InstallShield Installation Information\{D73B1505-58C4-4CEA-BD95-A6A768D69A0D}\setup.exe -UninstallAll
Full Tilt Poker.Net --> "C:\Program Files\InstallShield Installation Information\{E07B7A31-E160-466D-A003-3BB7B8989D52}\setup.exe" -runfromtemp -l0x0009 -removeonly
MiraScan V3.20 --> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\Twain_32\Mira3_20\Uninst.isu
-- Application Event Log -------------------------------------------------------
Event Record #/Type5474 / Error
Event Submitted/Written: 06/10/2008 04:57:46 PM
Event ID/Source: 11711 / MsiInstaller
Event Description:
Product: CuteFTP 6 Professional -- Error 1711.An error occurred while writing installation information to disk. Check to make sure enough disk space is available, and click Retry, or Cancel to end the installation.
Event Record #/Type5473 / Error
Event Submitted/Written: 06/10/2008 04:57:45 PM
Event ID/Source: 11711 / MsiInstaller
Event Description:
Product: CuteFTP 6 Professional -- Error 1711.An error occurred while writing installation information to disk. Check to make sure enough disk space is available, and click Retry, or Cancel to end the installation.
Event Record #/Type5470 / Error
Event Submitted/Written: 06/10/2008 04:56:44 PM
Event ID/Source: 10005 / MsiInstaller
Event Description:
Product: Tweakui Powertoy for Windows XP -- Internal Error 2502.
Event Record #/Type5469 / Error
Event Submitted/Written: 06/10/2008 04:56:44 PM
Event ID/Source: 11711 / MsiInstaller
Event Description:
Product: Tweakui Powertoy for Windows XP -- Error 1711.An error occurred while writing installation information to disk. Check to make sure enough disk space is available, and click Retry, or Cancel to end the installation.
Event Record #/Type5467 / Error
Event Submitted/Written: 06/10/2008 04:42:35 PM
Event ID/Source: 1512 / Userenv
Event Description:
Windows cannot unload your registry file. The memory used by the registry has not been freed. This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account. If this problem persists, contact your administrator.
DETAIL - There is not enough space on the disk.
-- Security Event Log ----------------------------------------------------------
No Errors/Warnings found.
-- System Event Log ------------------------------------------------------------
Event Record #/Type57506 / Warning
Event Submitted/Written: 06/11/2008 02:22:42 PM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.
Event Record #/Type57420 / Error
Event Submitted/Written: 06/11/2008 00:22:16 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service BITS with arguments ""
in order to run the server:
{4991D34B-80A1-4291-83B6-3328366B9097}
Event Record #/Type57419 / Error
Event Submitted/Written: 06/11/2008 00:22:16 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service BITS with arguments ""
in order to run the server:
{4991D34B-80A1-4291-83B6-3328366B9097}
Event Record #/Type57418 / Error
Event Submitted/Written: 06/11/2008 00:22:16 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service BITS with arguments ""
in order to run the server:
{4991D34B-80A1-4291-83B6-3328366B9097}
Event Record #/Type57415 / Error
Event Submitted/Written: 06/11/2008 00:18:51 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service wuauserv with arguments ""
in order to run the server:
{E60687F7-01A1-40AA-86AC-DB1CBF673334}
-- End of Deckard's System Scanner: finished at 2008-06-11 17:56:53 ------------
-
Can you do the following please
Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save this to your desktop
We will need it in a bit
Print this set of instructions, or save them to a text file on the desktop for reference
Please go to Start >> Run and type or copy/paste the following in the run box:
"%userprofile%\desktop\dss.exe" /daft
Then press Enter
* Click on the Scan button.
* Select everything it is displaying there
* Click the Fix button.
* Then rescan with DAFT again - it should say now that "All associations are OK"
* Close DAFT if you receive that message. This means that it is fixed now.
Reboot your computer in Safe Mode by doing the following:
- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
- Instead of Windows loading as normal, a menu with options should appear;
- Select the first option, to run Windows in Safe Mode, then press "Enter".
- Choose your usual account.
In Safe mode
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Go to START>>My Computer>>Double click to open the C:\ folder - Open the extracted SDFix folder and double click RunThis.bat to start the script.
- Type Y to begin the cleanup process.
- It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
- Press any Key and it will restart the PC.
- When the PC restarts, the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
- Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
I'll need to see that log later
Download Malwarebytes' Anti-Malware from Here (http://www.besttechie.net/tools/mbam-setup.exe) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)
Save the installer to desktop
Double Click mbam-setup.exe to install the application.
- Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select "Perform Full Scan", then click Scan.
- The scan may take some time to finish, so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy & Paste the entire report in your next reply
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
Along with the log from Malwarebytes' Anti-Malware, post the report from SDFix and a fresh HijackThis log
-
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:11:59 PM, on 6/11/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\PROGRA~1\Firewall\OUTPOS~1\outpost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Firewall\OUTPOS~1\outpost.exe /waitservice
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://setup.bellsouth.net/wizlet/PWReset/static/controls/WebflowActiveXInstaller_6-1-2.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1213061818452
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\Firewall\OUTPOS~1\outpost.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe
--
Malwarebytes' Anti-Malware 1.17
Database version: 849
11:14:55 PM 6/11/2008
mbam-log-6-11-2008 (23-14-55).txt
Scan type: Full Scan (C:\|)
Objects scanned: 147546
Time elapsed: 59 minute(s), 3 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
---------
SDFix: Version 1.191
Run by Administrator on Wed 06/11/2008 at 07:09 PM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Checking Services :
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting
Checking Files :
Trojan Files Found:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\svchost.exe - Deleted
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\taskmgr.exe - Deleted
C:\t.rar - Deleted
C:\WINDOWS\didduid.ini - Deleted
C:\WINDOWS\hosts - Deleted
C:\WINDOWS\system32\drivers\etc\hosts.bho - Deleted
C:\WINDOWS\system32\scvhost.exe - Deleted
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-11 19:21:49
Windows 5.1.2600 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services :
Authorized Application Key Export:
Remaining Files :
File Backups: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes :
Wed 28 Feb 2007 10,240 A..H. --- "C:\WINDOWS\xntq-v92o4agkyf.exe"
Wed 11 Oct 2006 502,395 ..SH. --- "C:\WINDOWS\SYSTEM32\stwvw.bak1"
Sat 14 Oct 2006 501,391 ..SH. --- "C:\WINDOWS\SYSTEM32\stwvw.bak2"
Sun 10 Feb 2002 2,045 A..H. --- "C:\WINDOWS\SYSTEM32\whla32dd.dll"
Tue 22 Apr 2003 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Tue 22 Apr 2003 401 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv17.bak"
Fri 12 Dec 2003 36,352 ...H. --- "C:\Documents and Settings\All Users\Application Data\X0ff\X0ff.dll"
Wed 11 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\eb5ff0ae9fdaa24285c4924997a7aa90\BIT1.tmp"
Finished!
Everything looks clean now? I think... I hope. Thank you so so much for taking the time to help! Let me know if I need to do anything else.
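Reading the SDFix hits above, two patterns stand out: a genuine system-binary name (svchost.exe, taskmgr.exe) sitting in the All Users Startup folder, and a one-letter transposition of a system binary (scvhost.exe) dropped into system32. The script below is an added example for this thread, not code from SDFix, HijackThis or ComboFix. It pulls .exe paths out of free-form log text and flags both patterns, so it would also catch C:\WINDOWS\inetg\services.exe, which appears in the ComboFix output later in the thread. The sample log is constructed from paths that appear in this thread, and the expected-directory table assumes a default Windows XP install under C:\WINDOWS.

```python
"""Flag core Windows binary names that run from, or were dropped in, unexpected places.

Added example for this forum thread (not code from SDFix, HijackThis or ComboFix).
It scans free-form log text for .exe paths and reports two classic masquerade
patterns: a real system-binary name living outside its normal directory
(svchost.exe in a Startup folder) and a one-edit look-alike name
(scvhost.exe next to the real svchost.exe).
"""
import ntpath
import re

# Where each core binary normally lives on a default Windows XP install.
# Assumption: Windows is installed at C:\WINDOWS (paths are compared lower-case).
EXPECTED_DIR = {
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "taskmgr.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# A drive-letter path ending in .exe; stops at quotes/brackets and line ends.
_EXE_PATH = re.compile(r'[A-Za-z]:\\[^\r\n"\[\]]*?\.exe', re.IGNORECASE)


def osa_distance(a, b):
    """Optimal string alignment distance: edits plus adjacent transpositions,
    so 'scvhost' vs 'svchost' scores 1 while 'iexplore' vs 'explorer' scores 2."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(path):
    """Return a verdict string for one executable path, or None if it looks ordinary."""
    name = ntpath.basename(path).lower()
    directory = ntpath.dirname(path).lower()
    if name in EXPECTED_DIR:
        if directory != EXPECTED_DIR[name]:
            return f"{name} outside {EXPECTED_DIR[name]}"
        return None
    stem = name[:-4] if name.endswith(".exe") else name
    for core in EXPECTED_DIR:
        if osa_distance(stem, core[:-4]) == 1:
            return f"look-alike of {core}"
    return None


def scan_log(text):
    """Return [(path, verdict)] for every suspicious .exe path in the log text."""
    findings = []
    seen = set()
    for match in _EXE_PATH.finditer(text):
        path = match.group(0)
        if path.lower() in seen:
            continue
        seen.add(path.lower())
        verdict = classify(path)
        if verdict:
            findings.append((path, verdict))
    return findings


# Constructed sample: lines lifted from the HijackThis and SDFix output in the thread.
SAMPLE_LOG = """Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\WINDOWS\\system32\\svchost.exe
C:\\WINDOWS\\Explorer.EXE
C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\svchost.exe
C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\taskmgr.exe
C:\\Program Files\\Internet Explorer\\iexplore.exe
O4 - HKLM\\..\\Run: [Outpost Firewall] C:\\PROGRA~1\\Firewall\\OUTPOS~1\\outpost.exe /waitservice
Trojan Files Found:
C:\\WINDOWS\\system32\\scvhost.exe - Deleted
"""

if __name__ == "__main__":
    for path, verdict in scan_log(SAMPLE_LOG):
        print(f"{verdict:45} {path}")
```

Paste any HijackThis, SDFix or ComboFix log into SAMPLE_LOG (or read a file into scan_log) and it prints one line per hit. The edit-distance check deliberately uses a distance of exactly 1 so that legitimate near-names such as iexplore.exe versus explorer.exe are not reported.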
-
Everything looks better; we still have a bit more cleaning to do, however
Can you do the following please
Download this file - Combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) and save it ONLY to your desktop
Don't run it yet
Physically disconnect the internet cable connection to your computer
Temporarily disable Outpost Firewall; its components may interfere with the fix
Right click its icon by the desktop and Exit
Double click on ComboFix.exe to run the program
Follow the prompts
normally this fix takes anywhere from 10 to 30 minutes
After reboot
ComboFix will run again, then continue to create a log, this can take a few minutes
Let it run uninterrupted please
I'll need to see this log later
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall
After ComboFix runs, and after its log opens, ensure Outpost is running
Connect Internet cable, if you have no Internet connection
Simply reboot your computer
By default, the location of the combofix log is located at this location
C:\combofix.txt
Post back the log from ComboFix and a fresh HijackThis log please
-
ComboFix 08-06-11.1 - Owner 2008-06-12 16:18:51.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.310 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\37591283.exe
C:\57062596.exe
C:\Program Files\Common Files\SLMSS
C:\Program Files\internet explorer\setup.exe
C:\setup.exe
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\SYSTEM32\stwvw.bak1
C:\WINDOWS\SYSTEM32\stwvw.bak2
.
((((((((((((((((((((((((( Files Created from 2008-05-12 to 2008-06-12 )))))))))))))))))))))))))))))))
.
2008-06-11 20:07 . 2008-06-11 20:07 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-11 20:07 . 2008-06-11 20:07 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-06-11 20:07 . 2008-06-11 20:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-11 20:07 . 2008-06-10 19:02 34,296 --a------ C:\WINDOWS\SYSTEM32\drivers\mbamcatchme.sys
2008-06-11 20:07 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS\SYSTEM32\drivers\mbam.sys
2008-06-11 18:58 . 2008-06-11 18:59 <DIR> d-------- C:\WINDOWS\ERUNT
2008-06-11 18:58 . 2008-06-12 16:14 <DIR> d-------- C:\SDFix
2008-06-11 17:54 . 2008-06-11 17:54 <DIR> d-------- C:\Deckard
2008-06-11 16:26 . 2008-06-11 16:26 <DIR> d-------- C:\Program Files\InterMute
2008-06-11 15:48 . 2008-06-11 15:48 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Key Metric Software
2008-06-11 15:38 . 2008-06-11 15:38 <DIR> d-------- C:\Program Files\SpaceAnylizer
2008-06-11 15:38 . 2008-06-11 15:38 <DIR> d-------- C:\Program Files\Common Files\Key Metric Software
2008-06-11 15:38 . 2008-06-11 15:38 <DIR> d--h----- C:\Documents and Settings\All Users\Application Data\{2523FC71-7736-4A2A-B0C7-8D36B58E4800}
2008-06-11 00:48 . 2008-06-11 00:58 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-06-11 00:48 . 2005-02-24 23:35 22,752 --a------ C:\WINDOWS\SYSTEM32\spupdsvc.exe
2008-06-11 00:29 . 2008-06-11 00:29 <DIR> d-------- C:\WINDOWS\SYSTEM32\bits
2008-06-11 00:23 . 2004-07-01 18:08 361,984 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\qmgr.dll
2008-06-11 00:23 . 2004-07-01 18:08 331,776 --a------ C:\WINDOWS\SYSTEM32\winhttp.dll
2008-06-11 00:23 . 2004-07-01 18:08 331,776 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\winhttp.dll
2008-06-11 00:23 . 2004-06-30 19:59 158,720 --------- C:\WINDOWS\SYSTEM32\xpob2res.dll
2008-06-11 00:23 . 2004-07-01 18:08 17,408 --a------ C:\WINDOWS\SYSTEM32\qmgrprxy.dll
2008-06-11 00:23 . 2004-07-01 18:08 17,408 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\qmgrprxy.dll
2008-06-11 00:23 . 2004-07-01 18:08 7,680 -----c--- C:\WINDOWS\SYSTEM32\dllcache\bitsprx2.dll
2008-06-11 00:23 . 2004-07-01 18:08 7,680 --------- C:\WINDOWS\SYSTEM32\bitsprx2.dll
2008-06-11 00:23 . 2004-07-01 18:08 7,168 -----c--- C:\WINDOWS\SYSTEM32\dllcache\bitsprx3.dll
2008-06-11 00:23 . 2004-07-01 18:08 7,168 --------- C:\WINDOWS\SYSTEM32\bitsprx3.dll
2008-06-11 00:20 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\SYSTEM32\wucltui.dll.mui
2008-06-11 00:19 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\SYSTEM32\wuaucpl.cpl.mui
2008-06-11 00:19 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll.mui
2008-06-11 00:19 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\SYSTEM32\wuaueng.dll.mui
2008-06-10 05:19 . 2008-06-10 05:19 <DIR> d-------- C:\Program Files\Common Files\Webroot Shared
2008-06-10 05:19 . 2008-06-10 05:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-06-10 05:18 . 2007-11-26 14:47 194,888 --a------ C:\WINDOWS\Unwash6.exe
2008-05-16 15:27 . 2001-11-16 10:30 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-05-16 15:27 . 2001-11-16 10:29 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
2008-05-16 15:27 . 2001-11-16 10:29 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Corel
2008-05-16 15:27 . 2008-05-16 15:27 <DIR> d-------- C:\Documents and Settings\Administrator
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-12 06:45 --------- d-----w C:\Program Files\Full Tilt Poker.Net
2008-06-11 20:11 --------- d-----w C:\Program Files\hp
2008-06-11 19:22 --------- d--h--r C:\Documents and Settings\All Users\Application Data\yahoo!
2008-06-11 19:21 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-11 08:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-11 06:12 --------- d-----w C:\Program Files\Visual Labels
2008-06-11 06:12 --------- d-----w C:\Documents and Settings\Owner\Application Data\LimeWire
2008-06-10 20:57 --------- d-----w C:\Documents and Settings\Owner\Application Data\GlobalSCAPE
2008-06-10 09:22 --------- d-----w C:\Program Files\Winamp
2008-06-10 09:19 --------- d-----w C:\Program Files\Webroot
2008-06-10 09:19 --------- d-----w C:\Documents and Settings\Owner\Application Data\Webroot
2008-06-05 02:26 --------- d-----w C:\Program Files\SoapMaker
2008-05-14 18:03 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-14 17:36 --------- d-----w C:\Program Files\Common Files\ACD Systems
2008-05-14 17:36 --------- d-----w C:\Program Files\ACD Systems
2008-05-14 17:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\ACD Systems
2008-04-30 07:13 --------- d-----w C:\Program Files\Common Files\Motive
2008-04-30 07:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Motive
2007-01-25 19:20 24,192 -c--a-w C:\Documents and Settings\Owner\usbsermptxp.sys
2007-01-25 19:20 22,768 -c--a-w C:\Documents and Settings\Owner\usbsermpt.sys
2004-01-20 15:11 125 -c--a-w C:\Program Files\I.HTM
2004-01-09 04:48 107,008 -c--a-w C:\Program Files\CWShredder.exe
2003-09-04 02:21 16,384 -c--a-w C:\Program Files\msfind.exe
2003-08-08 20:43 154,624 -c--a-w C:\Program Files\uninstcp.exe
2003-02-19 02:16 61,900,782 -c--a-w C:\Program Files\2-18.reg
2001-11-09 22:44 8 -c--a-w C:\Program Files\USER
1998-05-31 04:00 295,696 -c--a-w C:\Program Files\Common Files\MSJTOR35.DLL
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="c:\Program Files\Microsoft Works\WkDetect.exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Outpost Firewall"="C:\PROGRA~1\Firewall\OUTPOS~1\outpost.exe" [2004-04-09 17:18 87040]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2001-08-07 21:25 143360]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2001-08-07 20:36 90112]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2001-07-03 18:13 81920]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2003-07-16 16:37 51200 C:\WINDOWS\SYSTEM32\narrator.exe]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2003-07-16 16:48 40960]
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
AutoPlay.exe [2001-09-17 15:22:52 36864]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"IMEKRMIG6.1"= 108209130520750479696720982160565757815579836
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyDocs"= 01000000
"NoSMMyPictures"= 01000000
"NoSMHelp"= 01000000
"NoNetworkConnections"= 01000000
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= L3codecp.acm
"vidc.XVID"= xvid.dll
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm
"vidc.3ivx"= 3ivxVfWCodec.dll
"VIDC.I263"= i263_32.drv
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Virtual Assistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Virtual Assistant.lnk
backup=C:\WINDOWS\pss\Virtual Assistant.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinGate Engine Monitor.lnk]
backup=C:\WINDOWS\pss\WinGate Engine Monitor.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinGate VPN Monitor.lnk]
backup=C:\WINDOWS\pss\WinGate VPN Monitor.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^PowerReg SchedulerV2.exe]
backup=C:\WINDOWS\pss\PowerReg SchedulerV2.exeStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\1A:Stardock TrayMonitor]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Advanced Tools Check]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APVXDWIN]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccRegVfy]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ClrSchLoader]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CoolSwitch]
--a--c--- 2001-10-08 13:59 45632 C:\WINDOWS\System32\taskswitch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell AIO Printer A920]
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DM_Server]
C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\explore]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FastUser]
--a--c--- 2001-10-08 13:59 49216 C:\WINDOWS\System32\fast.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FSW]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Generic Host Process for Win32 Services]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2001-08-07 20:36 90112 C:\WINDOWS\System32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
--a--c--- 1998-05-07 13:04 52736 c:\windows\system\hpsysdrv.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2001-08-07 21:25 143360 C:\WINDOWS\System32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IncrediMail]
C:\PROGRA~1\INCRED~1\bin\IncMail.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Inet Delivery]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\inmr]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internet Optimizer]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IST Service]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\keymgrldr]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ltimg80n]
--a--c--- 2004-03-15 21:02 50042 C:\WINDOWS\system32\ltimg80n.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MemoryMeter]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
c:\Program Files\Microsoft Works\WkDetect.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msbb]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msmc]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
C:\Program Files\MySpace\IM\MySpaceIM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NetPeeker]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NoAds]
C:\Program Files\NoAds\NoAds.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nod32kui]
C:\Program Files\Eset\nod32kui.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power Scan]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
--a------ 2001-07-03 18:13 81920 C:\WINDOWS\system32\ps2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSwitch]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a--c--- 2006-12-16 03:57 282624 C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RDLL]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a--c--- 2001-06-15 19:34 212992 C:\WINDOWS\SMINST\RECGUARD.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
--a--c--- 2004-08-04 00:41 27136 C:\WINDOWS\inetg\services.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\S3TRAY2]
--a--c--- 2001-10-04 15:06 69632 C:\WINDOWS\SYSTEM32\S3tray2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ScanInicio]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\stcloader]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2007-03-14 03:43 83608 C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TVMD]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tweak UI]
--a--c--- 2000-06-18 14:03 106544 C:\WINDOWS\SYSTEM32\TWEAKUI.CPL
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateStats]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VB_run]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Washer]
C:\Program Files\Washer\washer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WeatherCast]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSave]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xp_system]
--a--c--- 2004-08-04 00:41 27136 C:\WINDOWS\inetg\services.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Messenger"=2 (0x2)
"wuauserv"=2 (0x2)
R1 VFILT;Outpost Firewall Kernel Driver;C:\PROGRA~1\Firewall\OUTPOS~1\kernel\2000\FILTNT.SYS [2004-04-09 17:16]
R2 McciCMService;McciCMService;"C:\Program Files\Common Files\Motive\McciCMService.exe" [2008-02-21 14:36]
R2 wwEngineSvc;Window Washer Engine;C:\Program Files\Webroot\Washer\WasherSvc.exe [2007-11-26 14:47]
R3 EPPSCSIx;EPPSCSI Driver;C:\WINDOWS\System32\DRIVERS\EPPSCAN.sys [2000-04-08 16:14]
S3 ADBLOCK.DLL;Outpost Firewall PlugIn (ADBLOCK.DLL);C:\PROGRA~1\Firewall\OUTPOS~1\kernel\ADBLOCK.DLL [2004-04-09 17:16]
S3 CONTENT.DLL;Outpost Firewall PlugIn (CONTENT.DLL);C:\PROGRA~1\Firewall\OUTPOS~1\kernel\CONTENT.DLL [2004-04-09 17:16]
S3 DCamUSBVeo532;Veo Web Camera;C:\WINDOWS\System32\Drivers\ubVeo532.sys [2002-07-01 19:30]
S3 DNSCACHE.DLL;Outpost Firewall PlugIn (DNSCACHE.DLL);C:\PROGRA~1\Firewall\OUTPOS~1\kernel\DNSCACHE.DLL [2004-04-09 17:16]
S3 FTPFILT.DLL;Outpost Firewall PlugIn (FTPFILT.DLL);C:\PROGRA~1\Firewall\OUTPOS~1\kernel\FTPFILT.DLL [2004-04-09 17:17]
S3 HTMLFILT.DLL;Outpost Firewall PlugIn (HTMLFILT.DLL);C:\PROGRA~1\Firewall\OUTPOS~1\kernel\HTMLFILT.DLL [2004-04-09 17:16]
S3 HTTPFILT.DLL;Outpost Firewall PlugIn (HTTPFILT.DLL);C:\PROGRA~1\Firewall\OUTPOS~1\kernel\HTTPFILT.DLL [2004-04-09 17:16]
S3 IMAPFILT.DLL;Outpost Firewall PlugIn (IMAPFILT.DLL);C:\PROGRA~1\Firewall\OUTPOS~1\kernel\IMAPFILT.DLL [2004-04-09 17:17]
S3 KBCAM;JamC@m USB service;C:\WINDOWS\System32\Drivers\KBCAM.sys []
S3 MAILFILT.DLL;Outpost Firewall PlugIn (MAILFILT.DLL);C:\PROGRA~1\Firewall\OUTPOS~1\kernel\MAILFILT.DLL [2004-04-09 17:16]
S3 MREMP50;MREMP50 NDIS Protocol Driver;C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS [2008-02-21 14:36]
S3 MREMP50a64;MREMP50a64 NDIS Protocol Driver;C:\PROGRA~1\COMMON~1\Motive\MREMP50a64.SYS []
S3 MRESP50;MRESP50 NDIS Protocol Driver;C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS [2008-02-21 14:36]
S3 MRESP50a64;MRESP50a64 NDIS Protocol Driver;C:\PROGRA~1\COMMON~1\Motive\MRESP50a64.SYS []
S3 NNTPFILT.DLL;Outpost Firewall PlugIn (NNTPFILT.DLL);C:\PROGRA~1\Firewall\OUTPOS~1\kernel\NNTPFILT.DLL [2004-04-09 17:17]
S3 PCDRDRV;Pcdr Helper Driver;C:\WINDOWS\System32\drivers\PCDRDRV.sys []
S3 POP3FILT.DLL;Outpost Firewall PlugIn (POP3FILT.DLL);C:\PROGRA~1\Firewall\OUTPOS~1\kernel\POP3FILT.DLL [2004-04-09 17:16]
S3 PROTECT.DLL;Outpost Firewall PlugIn (PROTECT.DLL);C:\PROGRA~1\Firewall\OUTPOS~1\kernel\PROTECT.DLL [2004-04-09 17:17]
.
Contents of the 'Scheduled Tasks' folder
"2003-08-11 21:11:37 C:\WINDOWS\Tasks\TASK20030402041953.job"
- C:\Documents and Settings\Owner\Application Data\Ipswitch\WS_FTP\Scheduler\sch1D.tmp
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-12 16:20:21
Windows 5.1.2600 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
Completion time: 2008-06-12 16:24:00
ComboFix-quarantined-files.txt 2008-06-12 20:22:57
Pre-Run: 11,881,594,880 bytes free
Post-Run: 11,877,179,392 bytes free
262 --- E O F --- 2008-06-11 04:49:05
-----------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:40:21 PM, on 6/12/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Firewall\Outpost Firewall\outpost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Firewall\OUTPOS~1\outpost.exe /waitservice
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://setup.bellsouth.net/wizlet/PWReset/static/controls/WebflowActiveXInstaller_6-1-2.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1213061818452
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\Firewall\OUTPOS~1\outpost.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe
--
End of file - 3603 bytes
-
That's looking better
But we need to get an AntiVirus software on your computer
And I would also like to run another scanner
First:
Download and save to your Desktop
> Avira AntiVir (http://www.free-av.com/en/download/1/download_avira_antivir_personal__free_antivirus.html) <
Install Avira AntiVir from desktop
Ensure that you have it check for Updates
The first time it updates may take a while, but allow it time
NOTE: Avira will display a single big Ad on your computer
Don't be alarmed, just click OK at the bottom of the Ad to close it
A scan of your System should then start
If a scan does not start after updating, double click on the Avira icon by the clock (the red/white umbrella)
and select "Scan system now"
Quarantine or delete everything it finds
When the scan is finished
Reboot the computer
Back in Windows
Open Avira again (Double click on the red Umbrella icon by the clock)
Click on REPORTS under Overview
Double click on the Scan report you just made
Then click on "Report File"
Ensure to click on FORMAT and UNCheck Word Wrap if it is checked, before copying the contents
Post the contents of this report please in your next reply
EDITED out running Malwarebytes AntiMalware again
Then we'll just deal with some leftovers, and get your protections updated
-
Ok, I ran the anti-virus. It found and quarantined like 14,000 infected files. Seems most of it was a worm (WORM/Rbot.155648) in the C:\System Volume Information directory. That report log is soooooo long. I'm not sure if you want me to post it here.
-
Can you try the following
Go back and open the Report File in Avira again
This time in the open log, click on FILE>>SAVE AS
In the drop down bar Save in: Select DESKTOP then click Save
The file will now be on desktop
Come back here, click on ADD REPLY at the bottom then attach the file you just saved on desktop
On the bottom right of the reply box choose BROWSE...
Browse to the log on your desktop, right click on it and SELECT it
Then click the UPLOAD button
EDIT>>If you have trouble attaching the file because it has a .log extension
Can you right click on the saved file on desktop and choose RENAME
Change the .log to a .txt
Then try uploading it
-
File is too big to attach. 7 MB.
-
Can you go to RapidShare (http://rapidshare.com/)
Browse to the file and upload it
Share the download link with me, you can Private message me the link
Save a copy of the deletion link for yourself
I have to step out for a bit, I'll let you know when I have downloaded the file
So you can use the deletion link to remove the file after I have it
Post back here and let me know when you have PM'ed me the download link please
-
PM'd you the link.
-
That cleared more files, don't worry about the ones in the System Volume information folders
That's your System Restore points, we'll clear those later
You're safe just as long as you don't try and restore to an old restore point
Now, the final recommendation
You're running a very outdated version of Spybot
Can you access your add and remove programs and uninstall Spybot 1.3
Reboot your computer when you're done
Back in Windows
Download and install the latest version of Spybot from the following link
http://fileforum.betanews.com/detail/Spybot_Search_and_Destroy/1043809773/1
When installing, Please uncheck TEA TIMER so it won't interfere with any future fixes we have
P.S. We're almost done here, so let's not let TeaTimer disrupt the final fixes
Ensure you have Spybot check for updates
When Spybot opens, again "Search for updates"
Select the closest location to you then Download all updates
After updates are successful>>click EXIT
Check for Problems, let the scan run complete
After the scan completes, Ensure ALL RED entries are selected and click FIX CHECKED
Reboot the computer one more time
Back in windows
Run dss.exe again and post the log from Main.txt
Also ensure you let me know how things are running please
-
Downloaded and ran the new Spybot. It found the coolwwwsearch.aff.winshow again, but was able to delete this time. System is running a little slow, but I'm pretty positive it's the antivirus program. Here's the new DSS log:
Deckard's System Scanner v20071014.68
Run by Owner on 2008-06-14 01:10:12
Computer is in Normal Mode.
--------------------------------------------------------------------------------
Total Physical Memory: 510 MiB (512 MiB recommended).
-- HijackThis (run as Owner.exe) -----------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:10:35 AM, on 6/14/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\PROGRA~1\Firewall\OUTPOS~1\outpost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1\Owner.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Firewall\OUTPOS~1\outpost.exe /waitservice
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://setup.bellsouth.net/wizlet/PWReset/static/controls/WebflowActiveXInstaller_6-1-2.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1213061818452
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\Firewall\OUTPOS~1\outpost.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe
--
End of file - 3957 bytes
-- Files created between 2008-05-14 and 2008-06-14 -----------------------------
2008-06-14 01:02:00 0 dr-h----- C:\Documents and Settings\Owner\Recent
2008-06-12 17:29:23 0 d-------- C:\Program Files\Avira
2008-06-12 17:29:23 0 d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-06-12 17:05:40 0 d--hs---- \RECYCLER
2008-06-12 16:18:01 0 d-------- \QooBox
2008-06-12 16:18:00 68096 --a------ C:\WINDOWS\zip.exe
2008-06-12 16:18:00 49152 --a------ C:\WINDOWS\VFind.exe
2008-06-12 16:18:00 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-06-12 16:18:00 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-06-12 16:18:00 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-06-12 16:18:00 98816 --a------ C:\WINDOWS\sed.exe
2008-06-12 16:18:00 80412 --a------ C:\WINDOWS\grep.exe
2008-06-12 16:18:00 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-06-12 15:55:14 534827008 --ahs---- \hiberfil.sys
2008-06-11 20:07:03 0 d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-06-11 20:07:00 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-11 20:07:00 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-11 18:58:53 0 d-------- C:\WINDOWS\ERUNT
2008-06-11 18:58:17 0 d-------- \SDFix
2008-06-11 17:54:23 0 d-------- \Deckard
2008-06-11 16:26:23 0 d-------- C:\Program Files\InterMute
2008-06-11 15:48:47 0 d-------- C:\Documents and Settings\Owner\Application Data\Key Metric Software
2008-06-11 15:38:10 0 d-------- C:\Program Files\SpaceAnylizer
2008-06-11 15:38:10 0 d-------- C:\Program Files\Common Files\Key Metric Software
2008-06-11 15:38:08 0 d--h----- C:\Documents and Settings\All Users\Application Data\{2523FC71-7736-4A2A-B0C7-8D36B58E4800}
2008-06-11 00:48:52 0 d-------- C:\WINDOWS\System32\PreInstall
2008-06-11 00:48:44 0 d--h----- C:\WINDOWS\$hf_mig$
2008-06-11 00:29:34 0 d-------- C:\WINDOWS\System32\bits
2008-06-10 05:19:35 0 d-------- C:\Program Files\Common Files\Webroot Shared
2008-06-10 05:19:35 0 d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-05-16 15:27:28 0 d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-05-16 15:27:28 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-05-16 15:27:28 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-05-16 15:27:28 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-05-16 15:27:28 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-05-16 15:27:28 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-05-16 15:27:28 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-05-16 15:27:28 0 dr------- C:\Documents and Settings\Administrator\My Documents
2008-05-16 15:27:28 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-05-16 15:27:28 0 dr------- C:\Documents and Settings\Administrator\Favorites
2008-05-16 15:27:28 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-05-16 15:27:28 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-05-16 15:27:28 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-05-16 15:27:27 2097152 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
-- Find3M Report ---------------------------------------------------------------
2008-06-14 01:03:28 786432000 --ahs---- \pagefile.sys
2008-06-13 19:31:19 0 d-------- C:\Program Files\Full Tilt Poker.Net
2008-06-12 17:46:59 0 d-------- C:\Documents and Settings\Owner\Application Data\ield
2008-06-12 16:19:00 0 d-a------ C:\Program Files\Common Files
2008-06-11 16:11:17 0 d-------- C:\Program Files\hp
2008-06-11 15:21:03 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-11 02:12:07 0 d-------- C:\Program Files\Visual Labels
2008-06-11 02:12:07 0 d-------- C:\Documents and Settings\Owner\Application Data\LimeWire
2008-06-10 16:57:37 0 d-------- C:\Documents and Settings\Owner\Application Data\GlobalSCAPE
2008-06-10 05:22:06 0 d-------- C:\Program Files\Winamp
2008-06-10 05:19:36 0 d-------- C:\Documents and Settings\Owner\Application Data\Webroot
2008-06-10 05:19:35 0 d-------- C:\Program Files\Webroot
2008-06-04 22:26:16 0 d-------- C:\Program Files\SoapMaker
2008-05-14 14:03:18 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-14 13:36:03 0 d-------- C:\Program Files\Common Files\ACD Systems
2008-05-14 13:36:02 0 d-------- C:\Program Files\ACD Systems
2008-04-30 03:13:32 0 d-------- C:\Program Files\Common Files\Motive
2008-04-28 22:54:35 0 d-------- C:\Documents and Settings\Owner\Application Data\Adobe
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Outpost Firewall"="C:\PROGRA~1\Firewall\OUTPOS~1\outpost.exe" [04/09/2004 05:18 PM]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [08/07/2001 09:25 PM]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [08/07/2001 08:36 PM]
"PS2"="C:\WINDOWS\system32\ps2.exe" [07/03/2001 06:13 PM]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [02/12/2008 10:06 AM]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe
"tscuninstall"=%systemroot%\system32\tscupgrd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"IMEKRMIG6.1"=108209130520750479696720982160565757815579836
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"=1 (0x1)
"NoRecentDocsHistory"=01000000
"NoSMMyDocs"=01000000
"NoSMMyPictures"=01000000
"NoSMHelp"=01000000
"NoLogoff"=0 (0x0)
"NoNetworkConnections"=01000000
"ClearRecentDocsOnExit"=1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Virtual Assistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Virtual Assistant.lnk
backup=C:\WINDOWS\pss\Virtual Assistant.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinGate Engine Monitor.lnk]
backup=C:\WINDOWS\pss\WinGate Engine Monitor.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinGate VPN Monitor.lnk]
backup=C:\WINDOWS\pss\WinGate VPN Monitor.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^PowerReg SchedulerV2.exe]
backup=C:\WINDOWS\pss\PowerReg SchedulerV2.exeStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\1A:Stardock TrayMonitor]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Advanced Tools Check]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APVXDWIN]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccRegVfy]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ClrSchLoader]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CoolSwitch]
C:\WINDOWS\System32\taskswitch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell AIO Printer A920]
"C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DM_Server]
C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe /onreboot
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\explore]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FastUser]
C:\WINDOWS\System32\fast.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FSW]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Generic Host Process for Win32 Services]
scvhost.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\System32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
c:\windows\system\hpsysdrv.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\System32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IncrediMail]
C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Inet Delivery]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\inmr]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internet Optimizer]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IST Service]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\keymgrldr]
rundll32 setupapi,InstallHinfSection Oemkeymgr9x 128 keymgr3.inf
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ltimg80n]
C:\WINDOWS\system32\ltimg80n.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MemoryMeter]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
c:\Program Files\Microsoft Works\WkDetect.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msbb]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msmc]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
C:\Program Files\MySpace\IM\MySpaceIM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NetPeeker]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NoAds]
"C:\Program Files\NoAds\NoAds.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nod32kui]
C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power Scan]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
C:\WINDOWS\system32\ps2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSwitch]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RDLL]
RunDll16.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
C:\WINDOWS\SMINST\RECGUARD.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
C:\WINDOWS\inetg\services.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\S3TRAY2]
S3tray2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ScanInicio]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\stcloader]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TVMD]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tweak UI]
RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateStats]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VB_run]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Washer]
C:\Program Files\Washer\washer.exe /1
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WeatherCast]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSave]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xp_system]
C:\WINDOWS\inetg\services.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Messenger"=2 (0x2)
"wuauserv"=2 (0x2)
-- End of Deckard's System Scanner: finished at 2008-06-14 01:11:05 ------------
-
Can you do one more following step
Can you go to START>>RUN>>type the following
msconfig
Hit OK
When the System Configuration Utility opens
Select NORMAL STARTUP under the General tab
APPLY and CLOSE, but choose NOT to Restart the computer yet
Instead, come back here and run a fresh scan and save logfile with HijackThis and post its new log
We'll clear some entries this way first, then you can later disable what you prefer
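Once Normal Startup has put the msconfig-disabled entries back into the Run keys, the fresh HijackThis log lists every O4 autorun again, and the job is to pick out the ones that need clearing. The following is an added example, not code from the thread or from HijackThis, that triages O4 lines the way a helper would by eye: it flags a core system binary name running from somewhere other than the system directory, a name one typo or transposition away from a system binary, and a bare filename whose real location depends on the search path. The sample lines are copied from the HijackThis log posted later in the thread; the list of system binary names and directories is an assumption about a default Windows XP install with %SystemRoot% = C:\WINDOWS.

```python
"""Triage HijackThis O4 (autorun) entries for process-name masquerading.

Added example, not part of the thread or of HijackThis. The sample lines
below are copied from the HijackThis log posted in the thread; the list of
system binary names and directories is an assumption about a default
Windows XP install (%SystemRoot% = C:\\WINDOWS) and is not exhaustive.
"""
import re

# Core Windows binaries that should only ever run from the system directory.
# One of these names elsewhere, or a near-miss name, deserves a manual look.
SYSTEM_BINARIES = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe",
                   "svchost.exe", "explorer.exe", "spoolsv.exe", "taskmgr.exe"}
SYSTEM_DIRS = {"c:\\windows", "c:\\windows\\system32", "%systemroot%\\system32"}

# Constructed sample: O4 lines taken from the final HijackThis log in the thread.
SAMPLE_LINES = [
    "O4 - HKLM\\..\\Run: [avgnt] \"C:\\Program Files\\Avira\\AntiVir PersonalEdition Classic\\avgnt.exe\" /min",
    "O4 - HKLM\\..\\Run: [xp_system] C:\\WINDOWS\\inetg\\services.exe",
    "O4 - HKLM\\..\\Run: [KernelFaultCheck] %systemroot%\\system32\\dumprep 0 -k",
    "O4 - HKLM\\..\\Run: [Generic Host Process for Win32 Services] scvhost.exe",
    "O4 - HKLM\\..\\Run: [CoolSwitch] C:\\WINDOWS\\System32\\taskswitch.exe",
    "O4 - HKUS\\S-1-5-18\\..\\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')",
    "O4 - Global Startup: Microsoft Office.lnk = C:\\Program Files\\Microsoft Office\\Office\\OSA9.EXE",
]

# Shortest prefix of an unquoted command line that ends in an executable extension.
_EXT_RE = re.compile(r"^(.*?\.(?:exe|com|scr|cpl|bat|cmd))(?=\s|$)", re.IGNORECASE)


def parse_o4(line):
    """Split an O4 line into (location, entry name, command); None if not an O4 line."""
    if not line.startswith("O4 - "):
        return None
    body = re.sub(r" \(User '[^']*'\)$", "", line[5:])   # drop HijackThis' user annotation
    where, _, rest = body.partition(": ")
    m = re.match(r"\[(?P<name>[^\]]*)\] (?P<cmd>.*)$", rest)
    if m:
        return where, m.group("name"), m.group("cmd")
    if " = " in rest:                      # Startup-folder shortcut: "X.lnk = target"
        name, cmd = rest.split(" = ", 1)
        return where, name, cmd
    return where, "", rest


def command_path(cmd):
    """Return the executable part of a command line (quoted, by extension, or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = _EXT_RE.match(cmd)
    return m.group(1) if m else (cmd.split() or [""])[0]


def edit_distance(a, b):
    """Levenshtein distance; catches names one typo away from a system binary (svch0st)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_transposition(a, b):
    """True if a and b differ only by two adjacent characters swapped (scvhost vs svchost)."""
    if len(a) != len(b):
        return False
    diff = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    return (len(diff) == 2 and diff[1] == diff[0] + 1
            and a[diff[0]] == b[diff[1]] and a[diff[1]] == b[diff[0]])


def triage_o4(line):
    """Return a list of (kind, detail) findings for one O4 line; [] if nothing stands out."""
    parsed = parse_o4(line)
    if parsed is None:
        return []
    _where, _name, cmd = parsed
    path = command_path(cmd).lower()
    directory, _, base = path.rpartition("\\")
    findings = []
    if base in SYSTEM_BINARIES and directory not in SYSTEM_DIRS:
        findings.append(("misplaced", f"{base} runs from {directory or '(search path)'}"))
    for known in sorted(SYSTEM_BINARIES):
        if base != known and (edit_distance(base, known) == 1 or is_transposition(base, known)):
            findings.append(("lookalike", f"{base} is one edit away from {known}"))
    if not directory:
        findings.append(("bare", f"{base} has no path; which binary runs depends on the search path"))
    return findings


def triage_log(lines):
    """Map each O4 line that produced findings to its findings."""
    return {line: triage_o4(line) for line in lines if triage_o4(line)}


if __name__ == "__main__":
    for line, findings in triage_log(SAMPLE_LINES).items():
        print(line)
        for kind, detail in findings:
            print(f"    [{kind}] {detail}")
```

Run against the sample, the script reports the `services.exe` under `C:\WINDOWS\inetg` as misplaced, `scvhost.exe` as both a lookalike of `svchost.exe` and a bare name, and `Narrator.exe` only as bare; the Avira, CoolSwitch, dumprep and Office entries produce nothing. A "bare" finding on its own is low priority (many legitimate entries rely on the search path), which is why the kinds are kept separate rather than collapsed into one score.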
-
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:37:36 AM, on 6/14/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\PROGRA~1\Firewall\OUTPOS~1\outpost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Firewall\OUTPOS~1\outpost.exe /waitservice
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetg\services.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [RDLL] RunDll16.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [keymgrldr] rundll32 setupapi,InstallHinfSection Oemkeymgr9x 128 keymgr3.inf
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Generic Host Process for Win32 Services] scvhost.exe
O4 - HKLM\..\Run: [FastUser] C:\WINDOWS\System32\fast.exe
O4 - HKLM\..\Run: [DM_Server] C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe /onreboot
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Washer] C:\Program Files\Washer\washer.exe /1
O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [ltimg80n] C:\WINDOWS\system32\ltimg80n.exe
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Virtual Assistant.lnk = C:\Program Files\Virtual Assistant\bin\matcli.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://setup.bellsouth.net/wizlet/PWReset/static/controls/WebflowActiveXInstaller_6-1-2.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1213061818452
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\Firewall\OUTPOS~1\outpost.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe
--
End of file - 6099 bytes
-
Let's try and remove some of those entries
But first, your version of Sun Java is out of date; for security reasons, let's uninstall it
and get it updated a bit later
Close down all browser windows
Access your Add and Remove Programs
And Uninstall
Java™ SE Runtime Environment 6 Update 1
Don't reboot the computer after removal
Instead
Download ATF-Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune.
Save it to your desktop
======================================
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
NOTE: Bootup will be a bit slower as we have cleared your Prefetch folder
Bootup time will increase as this folder is repopulated
========================================
Do a "System scan only" with Hijackthis and put a check next to these entries:
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetg\services.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [RDLL] RunDll16.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
O4 - HKLM\..\Run: [keymgrldr] rundll32 setupapi,InstallHinfSection Oemkeymgr9x 128 keymgr3.inf
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Generic Host Process for Win32 Services] scvhost.exe
O4 - HKLM\..\Run: [DM_Server] C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe /onreboot
O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [ltimg80n] C:\WINDOWS\system32\ltimg80n.exe
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Virtual Assistant.lnk = C:\Program Files\Virtual Assistant\bin\matcli.exe
After you have ticked the above entries, close All other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Download OTMoveIt2.exe (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe) by OldTimer and save it to your desktop.
- Please double-click OTMoveIt2.exe to run it.
- Copy the entries below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose "Copy"):
================================================
C:\WINDOWS\system32\ltimg80n.exe
C:\Program Files\NoAds
C:\Program Files\Comet Systems
C:\WINDOWS\SYSTEM32\whla32dd.dll
C:\WINDOWS\Tasks\TASK20030402041953.job
======================================================
- Return to OTMoveIt2, right-click on the "Paste List of Files/Folders to be Moved" window and choose "Paste".
- Click the red "MoveIt!" button.
- Close OTMoveIt when it has completed.
Note: If an entry cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose "Yes".
NOTE: If you are not asked to reboot the computer, reboot manually anyway
OTMoveIt would have created a log at this location
C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log <-indicates date_time of log
=====================================================
After you have rebooted
Updating Java: Download the latest version of Java Runtime Environment (JRE) 6 (http://java.sun.com/javase/downloads/index.jsp).
- Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 6".
- Click the "Download" button to the right.
- In the Window that opens, select Windows, your Language, check the "agree" box and click Continue.
- Click on the link to download Windows Offline Installation and save to your desktop.
- Then from your desktop double-click on jre-6u6-windows-i586-p.exe that you downloaded to install the newest version.
Come back here, this time, instead of running Hijackthis
Can you run dss.exe on desktop again
Post the new log from MAIN.txt
Also include the log from OTMoveit please
-
File/Folder C:\WINDOWS\system32\ltimg80n.exe not found.
File/Folder C:\Program Files\NoAds not found.
File/Folder C:\Program Files\Comet Systems not found.
LoadLibrary failed for C:\WINDOWS\SYSTEM32\whla32dd.dll
C:\WINDOWS\SYSTEM32\whla32dd.dll NOT unregistered.
C:\WINDOWS\SYSTEM32\whla32dd.dll moved successfully.
C:\WINDOWS\Tasks\TASK20030402041953.job moved successfully.
OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 06142008_040802
----------------
Deckard's System Scanner v20071014.68
Run by Owner on 2008-06-14 04:22:20
Computer is in Normal Mode.
--------------------------------------------------------------------------------
Total Physical Memory: 510 MiB (512 MiB recommended).
-- HijackThis (run as Owner.exe) -----------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:22:45 AM, on 6/14/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\fast.exe
C:\WINDOWS\System32\taskswitch.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\PROGRA~1\Firewall\OUTPOS~1\outpost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1\Owner.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Firewall\OUTPOS~1\outpost.exe /waitservice
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Generic Host Process for Win32 Services] scvhost.exe
O4 - HKLM\..\Run: [FastUser] C:\WINDOWS\System32\fast.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Washer] C:\Program Files\Washer\washer.exe /1
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://setup.bellsouth.net/wizlet/PWReset/static/controls/WebflowActiveXInstaller_6-1-2.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1213061818452
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\Firewall\OUTPOS~1\outpost.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe
--
End of file - 4921 bytes
-- Files created between 2008-05-14 and 2008-06-14 -----------------------------
2008-06-14 04:19:02 0 d-------- C:\Program Files\Java
2008-06-14 04:18:27 0 d-------- C:\Program Files\Common Files\Java
2008-06-14 04:08:53 0 dr-h----- C:\Documents and Settings\Owner\Recent
2008-06-14 04:08:02 0 d-------- \_OTMoveIt
2008-06-12 17:29:23 0 d-------- C:\Program Files\Avira
2008-06-12 17:29:23 0 d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-06-12 17:05:40 0 d--hs---- \RECYCLER
2008-06-12 16:18:01 0 d-------- \QooBox
2008-06-12 16:18:00 68096 --a------ C:\WINDOWS\zip.exe
2008-06-12 16:18:00 49152 --a------ C:\WINDOWS\VFind.exe
2008-06-12 16:18:00 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-06-12 16:18:00 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-06-12 16:18:00 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-06-12 16:18:00 98816 --a------ C:\WINDOWS\sed.exe
2008-06-12 16:18:00 80412 --a------ C:\WINDOWS\grep.exe
2008-06-12 16:18:00 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-06-12 15:55:14 534827008 --ahs---- \hiberfil.sys
2008-06-11 20:07:03 0 d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-06-11 20:07:00 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-11 20:07:00 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-11 18:58:53 0 d-------- C:\WINDOWS\ERUNT
2008-06-11 18:58:17 0 d-------- \SDFix
2008-06-11 17:54:23 0 d-------- \Deckard
2008-06-11 16:26:23 0 d-------- C:\Program Files\InterMute
2008-06-11 15:48:47 0 d-------- C:\Documents and Settings\Owner\Application Data\Key Metric Software
2008-06-11 15:38:10 0 d-------- C:\Program Files\SpaceAnylizer
2008-06-11 15:38:10 0 d-------- C:\Program Files\Common Files\Key Metric Software
2008-06-11 15:38:08 0 d--h----- C:\Documents and Settings\All Users\Application Data\{2523FC71-7736-4A2A-B0C7-8D36B58E4800}
2008-06-11 00:48:52 0 d-------- C:\WINDOWS\System32\PreInstall
2008-06-11 00:48:44 0 d--h----- C:\WINDOWS\$hf_mig$
2008-06-11 00:29:34 0 d-------- C:\WINDOWS\System32\bits
2008-06-10 05:19:35 0 d-------- C:\Program Files\Common Files\Webroot Shared
2008-06-10 05:19:35 0 d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-05-16 15:27:28 0 d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-05-16 15:27:28 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-05-16 15:27:28 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-05-16 15:27:28 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-05-16 15:27:28 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-05-16 15:27:28 0 dr------- C:\Documents and Settings\Administrator\My Documents
2008-05-16 15:27:28 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-05-16 15:27:28 0 dr------- C:\Documents and Settings\Administrator\Favorites
2008-05-16 15:27:28 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-05-16 15:27:28 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-05-16 15:27:28 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-05-16 15:27:27 2097152 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
-- Find3M Report ---------------------------------------------------------------
2008-06-14 04:18:27 0 d-a------ C:\Program Files\Common Files
2008-06-14 04:09:59 786432000 --ahs---- \pagefile.sys
2008-06-13 19:31:19 0 d-------- C:\Program Files\Full Tilt Poker.Net
2008-06-12 17:46:59 0 d-------- C:\Documents and Settings\Owner\Application Data\ield
2008-06-11 16:11:17 0 d-------- C:\Program Files\hp
2008-06-11 15:21:03 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-11 02:12:07 0 d-------- C:\Program Files\Visual Labels
2008-06-11 02:12:07 0 d-------- C:\Documents and Settings\Owner\Application Data\LimeWire
2008-06-10 16:57:37 0 d-------- C:\Documents and Settings\Owner\Application Data\GlobalSCAPE
2008-06-10 05:22:06 0 d-------- C:\Program Files\Winamp
2008-06-10 05:19:36 0 d-------- C:\Documents and Settings\Owner\Application Data\Webroot
2008-06-10 05:19:35 0 d-------- C:\Program Files\Webroot
2008-06-04 22:26:16 0 d-------- C:\Program Files\SoapMaker
2008-05-14 14:03:18 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-14 13:36:03 0 d-------- C:\Program Files\Common Files\ACD Systems
2008-05-14 13:36:02 0 d-------- C:\Program Files\ACD Systems
2008-04-30 03:13:32 0 d-------- C:\Program Files\Common Files\Motive
2008-04-28 22:54:35 0 d-------- C:\Documents and Settings\Owner\Application Data\Adobe
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Outpost Firewall"="C:\PROGRA~1\Firewall\OUTPOS~1\outpost.exe" [04/09/2004 05:18 PM]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [08/07/2001 09:25 PM]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [08/07/2001 08:36 PM]
"PS2"="C:\WINDOWS\system32\ps2.exe" [07/03/2001 06:13 PM]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [02/12/2008 10:06 AM]
"Tweak UI"="TWEAKUI.CPL" [06/18/2000 02:03 PM C:\WINDOWS\SYSTEM32\TWEAKUI.CPL]
"S3TRAY2"="S3tray2.exe" [10/04/2001 03:06 PM C:\WINDOWS\SYSTEM32\S3tray2.exe]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [06/15/2001 07:34 PM]
"NvCplDaemon"="NvQTwk" []
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" []
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [05/07/1998 01:04 PM]
"Generic Host Process for Win32 Services"="scvhost.exe" []
"FastUser"="C:\WINDOWS\System32\fast.exe" [10/08/2001 01:59 PM]
"CoolSwitch"="C:\WINDOWS\System32\taskswitch.exe" [10/08/2001 01:59 PM]
"1A:Stardock TrayMonitor"="" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [03/25/2008 04:28 AM]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" []
"Washer"="C:\Program Files\Washer\washer.exe" []
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"IMEKRMIG6.1"=108209130520750479696720982160565757815579836
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"=1 (0x1)
"NoRecentDocsHistory"=01000000
"NoSMMyDocs"=01000000
"NoSMMyPictures"=01000000
"NoSMHelp"=01000000
"NoLogoff"=0 (0x0)
"NoNetworkConnections"=01000000
"ClearRecentDocsOnExit"=1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinGate Engine Monitor.lnk]
backup=C:\WINDOWS\pss\WinGate Engine Monitor.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinGate VPN Monitor.lnk]
backup=C:\WINDOWS\pss\WinGate VPN Monitor.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^PowerReg SchedulerV2.exe]
backup=C:\WINDOWS\pss\PowerReg SchedulerV2.exeStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Advanced Tools Check]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APVXDWIN]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccRegVfy]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ClrSchLoader]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\explore]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FSW]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Inet Delivery]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\inmr]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internet Optimizer]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IST Service]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MemoryMeter]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msbb]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msmc]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NetPeeker]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power Scan]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSwitch]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
C:\WINDOWS\inetg\services.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ScanInicio]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\stcloader]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TVMD]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateStats]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VB_run]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WeatherCast]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSave]
-- End of Deckard's System Scanner: finished at 2008-06-14 04:23:14 ------------
-
Can you check for me in your Add and Remove Programs if the next 2 entries are still around
SafeCast Shared Components
and
Win32 BI Application
If they are, can you try and uninstall them, or if prompted to remove from list
Do so please, let me know later if you were able to remove both
Let's do a registry script to remove some entries on startup, but also remove some entries that are still disabled
Then let me know, from the new log, what you don't need enabled on startup
Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box, not including the word "code"
Paste it to the empty Notepad file
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as fix.reg
Save this file on the desktop
Make sure you copy everything from REGEDIT4 down in the code box (lines starting with ; are comments and are ignored by regedit)
REGEDIT4

; "name"=- deletes just that one value from the Run key
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"=-
"NvCplDaemon"=-
"Generic Host Process for Win32 Services"=-
"1A:Stardock TrayMonitor"=-

; [-key] deletes the whole key; these are msconfig's backups of startup items you already disabled
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinGate Engine Monitor.lnk]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinGate VPN Monitor.lnk]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^PowerReg SchedulerV2.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Advanced Tools Check]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APVXDWIN]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccRegVfy]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ClrSchLoader]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\explore]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FSW]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Inet Delivery]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\inmr]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internet Optimizer]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IST Service]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MemoryMeter]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msbb]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msmc]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NetPeeker]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power Scan]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSwitch]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ScanInicio]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\stcloader]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TVMD]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateStats]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VB_run]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WeatherCast]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSave]

Double click on fix.reg and allow to add/merge to the registry at the prompt
Reboot the computer
Come back here, run a fresh scan with dss.exe once again and post its log that opens
Let me know how things are running
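The two fixes in this thread follow one pattern: read the O4 (autorun) lines of the HijackThis log, decide which ones are not what they claim to be (a services.exe started from C:\WINDOWS\inetg rather than system32, a bare scvhost.exe whose name is a letter-shuffle of svchost.exe), then delete those Run values and the msconfig startupreg leftovers with a REGEDIT4 script. The script below, an added example that is not code from the forum, HijackThis, DSS or OldTimer, automates that triage and writes the same kind of fix.reg. SAMPLE_LOG is constructed from the log format used above; the heuristics, the SYSTEM_ONLY list and all function names are the editor's own assumptions, not anything the helper posted.

```python
"""Triage HijackThis O4 (autorun) lines and emit a REGEDIT4 removal script.
Added example for this thread, not code from the forum or any tool in it;
SAMPLE_LOG is constructed, and the heuristics and names are assumptions.
"""
import re

# e.g.  O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetg\services.exe
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>Run|RunOnce): "
    r"\[(?P<name>[^\]]+)\] (?P<cmd>.+)$"
)
# msconfig's backup of a *disabled* startup item, as listed in the DSS registry dump
MSCONFIG_RE = re.compile(
    r"^\[(?P<key>HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\"
    r"startup(?:reg|folder)\\[^\]]+)\]$"
)
# Core processes that only legitimately start from %SystemRoot%\system32 (assumed list)
SYSTEM_ONLY = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe", "taskmgr.exe"}
SYSTEM32 = "\\windows\\system32"

def hive_to_key(hive, key):
    """Expand the HijackThis hive shorthand to the full Run/RunOnce key path."""
    if hive == "HKLM":
        root = "HKEY_LOCAL_MACHINE"
    elif hive == "HKCU":
        root = "HKEY_CURRENT_USER"
    else:                                    # HKUS\<SID>  ->  HKEY_USERS\<SID>
        root = "HKEY_USERS\\" + hive.split("\\", 1)[1]
    return root + "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\" + key

def executable_of(cmd):
    """Return (directory, basename), lower-cased, of the program a Run value launches."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                  # quoted path, may contain spaces
        end = cmd.find('"', 1)
        path = cmd[1:end] if end > 0 else cmd[1:]
    else:                                    # unquoted: the first token is the program
        path = cmd.split()[0]
    directory, _, base = path.lower().rpartition("\\")
    return directory, base

def is_lookalike(base):
    """True for a letter-shuffle of a core binary name, e.g. scvhost.exe vs svchost.exe."""
    return base not in SYSTEM_ONLY and any(
        len(base) == len(s) and sorted(base) == sorted(s) for s in SYSTEM_ONLY)

def triage(line):
    """Return (value name, reason) when an O4 line looks malicious, else None."""
    m = O4_RE.match(line)
    if not m:
        return None
    directory, base = executable_of(m["cmd"])
    if is_lookalike(base):
        return m["name"], base + " impersonates a core system binary"
    if base in SYSTEM_ONLY and not directory.endswith(SYSTEM32):
        where = directory or "no path given, resolved through PATH at logon"
        return m["name"], base + " outside system32: " + where
    return None

def build_fix_reg(log_lines):
    """Build a REGEDIT4 script that deletes flagged Run values and msconfig leftovers."""
    findings, deletions, dead_keys = [], {}, []
    for line in log_lines:
        hit = triage(line)
        if hit:
            m = O4_RE.match(line)
            deletions.setdefault(hive_to_key(m["hive"], m["key"]), []).append(m["name"])
            findings.append(hit)
            continue
        mm = MSCONFIG_RE.match(line)
        if mm:
            dead_keys.append(mm["key"])
    out = ["REGEDIT4", ""]                   # header, then the blank line regedit expects
    for key, names in deletions.items():
        out.append("[" + key + "]")
        out.extend('"' + n + '"=-' for n in names)      # "Name"=-  deletes one value
        out.append("")
    out.extend("[-" + key + "]" for key in dead_keys)  # [-Key]  deletes a whole key
    out.append("")                           # trailing newline, or regedit skips the last line
    return findings, "\n".join(out) + "\n"

# Constructed sample in the HijackThis / DSS log format used in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetg\services.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Generic Host Process for Win32 Services] scvhost.exe
O4 - HKCU\..\Run: [Washer] C:\Program Files\Washer\washer.exe /1
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
C:\WINDOWS\inetg\services.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSave]
""".strip().splitlines()

if __name__ == "__main__":
    found, reg_text = build_fix_reg(SAMPLE_LOG)
    for name, reason in found:
        print("FLAG [%s]: %s" % (name, reason))
    print(reg_text)                          # review, save as fix.reg, then merge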
-
SafeCast Shared Components wasn't in the add/remove programs list. Win32 BI Application says:
Error: could not locate the INF file 'C:\WINDOWS\INF\payload.inf'.
The only programs I need on startup are Outpost & Avira. System is still running sluggish. Has been since I installed Avira. I knew it would be though. That's why I uninstalled previous AV software. I had Panda at one point. I was hoping to just be able to run a firewall, but I guess I need both. Ah well...
Here's the new DSS log:
Deckard's System Scanner v20071014.68
Run by Owner on 2008-06-14 19:17:57
Computer is in Normal Mode.
--------------------------------------------------------------------------------
Total Physical Memory: 510 MiB (512 MiB recommended).
-- HijackThis (run as Owner.exe) -----------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:18:18 PM, on 6/14/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\fast.exe
C:\WINDOWS\System32\taskswitch.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\PROGRA~1\Firewall\OUTPOS~1\outpost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1\Owner.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Firewall\OUTPOS~1\outpost.exe /waitservice
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [FastUser] C:\WINDOWS\System32\fast.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Washer] C:\Program Files\Washer\washer.exe /1
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://setup.bellsouth.net/wizlet/PWReset/static/controls/WebflowActiveXInstaller_6-1-2.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1213061818452
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\Firewall\OUTPOS~1\outpost.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe
--
End of file - 4760 bytes
-- Files created between 2008-05-14 and 2008-06-14 -----------------------------
2008-06-14 19:09:18 0 dr-h----- C:\Documents and Settings\Owner\Recent
2008-06-14 04:19:02 0 d-------- C:\Program Files\Java
2008-06-14 04:18:27 0 d-------- C:\Program Files\Common Files\Java
2008-06-14 04:08:02 0 d-------- \_OTMoveIt
2008-06-12 17:29:23 0 d-------- C:\Program Files\Avira
2008-06-12 17:29:23 0 d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-06-12 17:05:40 0 d--hs---- \RECYCLER
2008-06-12 16:18:01 0 d-------- \QooBox
2008-06-12 16:18:00 68096 --a------ C:\WINDOWS\zip.exe
2008-06-12 16:18:00 49152 --a------ C:\WINDOWS\VFind.exe
2008-06-12 16:18:00 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-06-12 16:18:00 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-06-12 16:18:00 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-06-12 16:18:00 98816 --a------ C:\WINDOWS\sed.exe
2008-06-12 16:18:00 80412 --a------ C:\WINDOWS\grep.exe
2008-06-12 16:18:00 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-06-12 15:55:14 534827008 --ahs---- \hiberfil.sys
2008-06-11 20:07:03 0 d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-06-11 20:07:00 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-11 20:07:00 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-11 18:58:53 0 d-------- C:\WINDOWS\ERUNT
2008-06-11 18:58:17 0 d-------- \SDFix
2008-06-11 17:54:23 0 d-------- \Deckard
2008-06-11 16:26:23 0 d-------- C:\Program Files\InterMute
2008-06-11 15:48:47 0 d-------- C:\Documents and Settings\Owner\Application Data\Key Metric Software
2008-06-11 15:38:10 0 d-------- C:\Program Files\SpaceAnylizer
2008-06-11 15:38:10 0 d-------- C:\Program Files\Common Files\Key Metric Software
2008-06-11 15:38:08 0 d--h----- C:\Documents and Settings\All Users\Application Data\{2523FC71-7736-4A2A-B0C7-8D36B58E4800}
2008-06-11 00:48:52 0 d-------- C:\WINDOWS\System32\PreInstall
2008-06-11 00:48:44 0 d--h----- C:\WINDOWS\$hf_mig$
2008-06-11 00:29:34 0 d-------- C:\WINDOWS\System32\bits
2008-06-10 05:19:35 0 d-------- C:\Program Files\Common Files\Webroot Shared
2008-06-10 05:19:35 0 d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-05-16 15:27:28 0 d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-05-16 15:27:28 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-05-16 15:27:28 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-05-16 15:27:28 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-05-16 15:27:28 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-05-16 15:27:28 0 dr------- C:\Documents and Settings\Administrator\My Documents
2008-05-16 15:27:28 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-05-16 15:27:28 0 dr------- C:\Documents and Settings\Administrator\Favorites
2008-05-16 15:27:28 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-05-16 15:27:28 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-05-16 15:27:28 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-05-16 15:27:27 2097152 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
-- Find3M Report ---------------------------------------------------------------
2008-06-14 19:10:33 786432000 --ahs---- \pagefile.sys
2008-06-14 04:18:27 0 d-a------ C:\Program Files\Common Files
2008-06-13 19:31:19 0 d-------- C:\Program Files\Full Tilt Poker.Net
2008-06-12 17:46:59 0 d-------- C:\Documents and Settings\Owner\Application Data\ield
2008-06-11 16:11:17 0 d-------- C:\Program Files\hp
2008-06-11 15:21:03 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-11 02:12:07 0 d-------- C:\Program Files\Visual Labels
2008-06-11 02:12:07 0 d-------- C:\Documents and Settings\Owner\Application Data\LimeWire
2008-06-10 16:57:37 0 d-------- C:\Documents and Settings\Owner\Application Data\GlobalSCAPE
2008-06-10 05:22:06 0 d-------- C:\Program Files\Winamp
2008-06-10 05:19:36 0 d-------- C:\Documents and Settings\Owner\Application Data\Webroot
2008-06-10 05:19:35 0 d-------- C:\Program Files\Webroot
2008-06-04 22:26:16 0 d-------- C:\Program Files\SoapMaker
2008-05-14 14:03:18 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-14 13:36:03 0 d-------- C:\Program Files\Common Files\ACD Systems
2008-05-14 13:36:02 0 d-------- C:\Program Files\ACD Systems
2008-04-30 03:13:32 0 d-------- C:\Program Files\Common Files\Motive
2008-04-28 22:54:35 0 d-------- C:\Documents and Settings\Owner\Application Data\Adobe
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Outpost Firewall"="C:\PROGRA~1\Firewall\OUTPOS~1\outpost.exe" [04/09/2004 05:18 PM]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [08/07/2001 08:36 PM]
"PS2"="C:\WINDOWS\system32\ps2.exe" [07/03/2001 06:13 PM]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [02/12/2008 10:06 AM]
"Tweak UI"="TWEAKUI.CPL" [06/18/2000 02:03 PM C:\WINDOWS\SYSTEM32\TWEAKUI.CPL]
"S3TRAY2"="S3tray2.exe" [10/04/2001 03:06 PM C:\WINDOWS\SYSTEM32\S3tray2.exe]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [06/15/2001 07:34 PM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" []
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [05/07/1998 01:04 PM]
"FastUser"="C:\WINDOWS\System32\fast.exe" [10/08/2001 01:59 PM]
"CoolSwitch"="C:\WINDOWS\System32\taskswitch.exe" [10/08/2001 01:59 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [03/25/2008 04:28 AM]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" []
"Washer"="C:\Program Files\Washer\washer.exe" []
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"IMEKRMIG6.1"=108209130520750479696720982160565757815579836
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"=1 (0x1)
"NoRecentDocsHistory"=01000000
"NoSMMyDocs"=01000000
"NoSMMyPictures"=01000000
"NoSMHelp"=01000000
"NoLogoff"=0 (0x0)
"NoNetworkConnections"=01000000
"ClearRecentDocsOnExit"=1 (0x1)
-- End of Deckard's System Scanner: finished at 2008-06-14 19:18:43 ------------
-
Open HijackThis>>Open The Misc tools section>>Open the Uninstall Manager
Left click to highlight Win32 BI Application on the left side
On the right side click the "Delete this entry"
Ok the prompt then close Hijackthis
Some entries in your Hijackthis log are created by Tweakui Powertoy for Windows XP
Do you actually use it?
Or you can remove it from Add and Remove Programs
If you decide to remove it, can you come back here and post a fresh hijackthis log please
In addition, can you let me know the last time you ran Disk Defragmenter on this computer
Also, is this version of Windows XP legit? I see that you're way behind on Windows updates
-
Ok, I removed the Win 32 & uninstalled TweakUI. I hardly ever used it anyway. Rebooted, but it seems TweakUI is still installed.
Haven't defragged in a long time. Maybe a year or so. I'll set it up to defrag when we go out for dinner tonight.
Yes, my XP is a legitimate copy. I don't have the disc for it, but it came preinstalled on this computer (HP) when I bought it.
I'll go check Microsoft and see what updates I need to get.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:02:17 PM, on 6/15/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\fast.exe
C:\WINDOWS\System32\taskswitch.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\PROGRA~1\Firewall\OUTPOS~1\outpost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Firewall\OUTPOS~1\outpost.exe /waitservice
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [FastUser] C:\WINDOWS\System32\fast.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://setup.bellsouth.net/wizlet/PWReset/static/controls/WebflowActiveXInstaller_6-1-2.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1213061818452
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\Firewall\OUTPOS~1\outpost.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe
--
End of file - 4453 bytes
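A way to triage a log like the one above programmatically, as an added example that is not part of this thread or of HijackThis itself: it parses the "Running processes", O4 (Run key) and O23 (service) lines, then flags autostart entries that name a bare file with no drive or UNC prefix (Windows resolves those through the search path, so what actually runs depends on which copy is found first) and entries whose executable does not appear in the running-process list (configured to start, but not running at scan time). The line formats are taken from the logs posted in this thread; the sample log is a constructed excerpt modelled on those entries (the S3tray2.exe running-process line is added to show the relative-path case resolving), and the RELATIVE / NOT_RUNNING / OTHER_PATH heuristics are this example's own, not HijackThis rules.

```python
"""Triage autostart entries in a HijackThis v2 log (added example, not from the thread)."""
import re

# Constructed excerpt modelled on the logs posted above; not a real scan.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\Firewall\OUTPOS~1\outpost.exe
C:\WINDOWS\System32\fast.exe
C:\WINDOWS\SYSTEM32\S3tray2.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Firewall\OUTPOS~1\outpost.exe /waitservice
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [FastUser] C:\WINDOWS\System32\fast.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\Firewall\OUTPOS~1\outpost.exe
"""

# Line shapes as they appear in the posted logs.
O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O23_RE = re.compile(r'^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^)]*)\))? - (?P<vendor>.+?) - (?P<path>.+)$')
PROCESS_RE = re.compile(r'^[A-Za-z]:\\')


def executable_of(cmd: str) -> str:
    """Program a Run-key command launches: the quoted part if quoted, else the
    text up to the first space (which is also how an unquoted path is cut)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(' ', 1)[0]


def is_absolute(path: str) -> bool:
    """Drive-letter or UNC path; anything else is resolved via the search path."""
    return bool(re.match(r'^[A-Za-z]:\\', path)) or path.startswith('\\\\')


def parse_log(text: str):
    """Return (running process paths, autostart entries) from a HijackThis log."""
    running, autostarts = [], []
    in_procs = False
    for line in text.splitlines():
        line = line.rstrip()
        if line == 'Running processes:':
            in_procs = True
            continue
        if in_procs and PROCESS_RE.match(line):
            running.append(line)
            continue
        in_procs = False  # first non-path line ends the process section
        m = O4_RE.match(line)
        if m:
            autostarts.append({'kind': 'O4', 'name': m.group('name'), 'exe': executable_of(m.group('cmd'))})
            continue
        m = O23_RE.match(line)
        if m:
            # Services without a "(ShortName)" keep their display name.
            autostarts.append({'kind': 'O23', 'name': m.group('name') or m.group('display'),
                               'exe': m.group('path').strip()})
    return running, autostarts


def triage(text: str):
    """Classify each autostart as RUNNING, RELATIVE, OTHER_PATH or NOT_RUNNING.
    Paths are compared case-insensitively but literally: 8.3 short names
    (C:\PROGRA~1\...) are not expanded, so a short-name autostart whose
    process is listed by long name lands in OTHER_PATH rather than RUNNING."""
    running, autostarts = parse_log(text)
    by_full = {p.lower(): p for p in running}
    by_base = {}
    for p in running:
        by_base.setdefault(p.rsplit('\\', 1)[-1].lower(), []).append(p)
    findings = []
    for e in autostarts:
        exe = e['exe']
        base = exe.rsplit('\\', 1)[-1].lower()
        if not is_absolute(exe):
            status = 'RELATIVE'          # search-order resolution; verify which copy runs
        elif exe.lower() in by_full:
            status = 'RUNNING'
        elif base in by_base:
            status = 'OTHER_PATH'        # same file name running from a different location
        else:
            status = 'NOT_RUNNING'       # configured to start but absent at scan time
        seen = by_base.get(base, []) if status != 'RUNNING' else [by_full[exe.lower()]]
        findings.append((e['kind'], e['name'], status, exe, seen))
    return findings


if __name__ == '__main__':
    for kind, name, status, exe, seen in triage(SAMPLE_LOG):
        if status != 'RUNNING':
            extra = f'  (running copy: {", ".join(seen)})' if seen else ''
            print(f'{kind} [{name}] {status}: {exe}{extra}')
```

On the sample this reports Tweak UI and S3TRAY2 as RELATIVE (the latter with the System32 copy that is running) and Yahoo! Pager as NOT_RUNNING; everything else is RUNNING. A RELATIVE hit is worth checking against the registry dump, which is where a tool like Deckard's shows the path the name actually resolved to.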
-
Do a "System scan only" with Hijackthis and put a check next to these entries:
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [FastUser] C:\WINDOWS\System32\fast.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
After you have ticked the above entries, close All other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Reboot the computer
There should be 2 entries related to Powertoys + Tweak UI in add and remove programs
They are
Powertoys For Windows XP
and
Tweakui Powertoy for Windows XP
Before you go visit Microsoft Windows updates
Can you post back,
We should make some room on your hard drive, it's running low on space
What is the size of the hard drive?
Open MyComputer>>Right click on C: drive and select Properties, should give you the info
Do you have a lot of pictures, songs, etc on this drive taking a lot of space up?
DON'T do the below yet
============================================================
I would opt to disable any power schemes and screen savers
Temporarily disable Avira by right clicking its icon by the clock and Uncheck AntiVir Guard Enable
Then manually run the Disk defragmenter on your C: drive
Start>>all programs>>accessories>>system Tools>>Disk Defragmenter
Reboot afterwards
If you manually go to visit Windows updates
Run the Express scan, can you let me know if it first offers Service pack 2 before SP3
Can you refrain from installing SP3 for a bit till you get back to me please
Note: might be a good idea to temporarily disable Avira while installing Windows updates of this size
Same procedure, right click its icon and Uncheck AntiVir Guard Enable
==============================================================
Additional NOTE: We still have some cleaning to do of the tools that we used
I'll post those steps next when you get back to me
-
I did uninstall the two tweak ui entries. But I still have a TweakUIXP icon in my control panel.
The hard drive is 32GB. When I first posted, I was very low on HD space. Less than a gig. But I couldn't figure out what was taking up all my extra space. I finally found the hidden folder when I ran a HD space analyzer. Anyway, it had like 11 gig of movie and tv show exe files. No clue how they got there. I certainly didn't put them there. It looked to be just an empty shared folder (no icons showing), but in its properties I could see the 11GB of space it was using, and during the AV scan I saw it go through all the filenames in that directory. I eventually just deleted the folder.
After deleting that folder, I had about 12 gig of space. After the AV proggy & scanners, I came down to 10 gig or so, but sufficient to dl the update. I just installed service pack 2. It has like 89 more downloads listed for me to get...
I really thought I already had SP2. I thought I installed it a long time ago, like shortly after it became available. I thought I'd had it already installed this whole time... I even bugged my hubby like 2 months ago to get it because I noticed he didn't have it updated on his computer. *lol*
So, I currently have 7.59 gig of HD space left. I do have some pics and songs on here, but not more than 3 or 4 gig combined. I also have a few larger programs that I use, and don't want to get rid of. A couple graphics programs, web page builders, and The Sims game. I've uninstalled pretty much every program I don't use at this point, and even some I didn't want to get rid of. But that was before I found the hidden folder, and I was so low on space I was getting errors. Had to do something.
-
It's great to hear you cleared off some free space, you needed it :)
Let's remove some of the tools that we used and make a bit more room
Optionally, you can hold onto MalwareByte's AntiMalware
Or uninstall it from Add and Remove programs
You may opt to hold onto it and update and run a quick scan occasionally, it's a small program
Don't reboot the computer yet if you choose to uninstall it
I would choose to hold onto Spybot Search and Destroy also
Check for Updates every couple of weeks and make sure to Immunize after every update if possible
Run a scan occasionally
You can manually delete ATF-Cleaner.exe or hold onto it, your option
It's a great little utility to help clean temp files, cookies, etc..
Include this next small program in your security, like Spybot's Immunization, it doesn't run in the background using valuable resources
SpywareBlaster by JavaCool (http://www.javacoolsoftware.com/spywareblaster.html) *Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer
After installation, Check for updates
After updating, select "Protection Status" on the Left
Then select "Enable all Protection"
"Check for updates every couple of weeks"
after every update just simply click the "enable protection on all unprotected items"
or again, click on Protection Status>>enable all protection
Hold onto Avira AntiVir, you are not well protected without appropriate AV software
Can you open Avira by double clicking its icon by the clock
Left click on ADMINISTRATION on the left
Ensure QUARANTINE is selected, look on the right side pane
Select all objects and use the Trash icon to delete all objects
Look at the Scheduler under Administration, leave the Daily update selected
You may want to choose to Enable the Complete Scheduled scan
You can Edit the job from daily to weekly and choose what is the most appropriate time
Go to START>>RUN>>Copy and Paste the next command in bold
ComboFix /u
Then hit OK
This will uninstall Combofix and its components
OTMoveIt2.exe - Double-click OTMoveIt2.exe to run it.
- Click the Cleanup! button
A list will be downloaded>>Allow it Internet access if prompted by your Firewall
Don't change anything in this list
- Select Yes at the prompt
Wait for the confirmation box to open to reboot the computer
Don't mouseclick during the wait as you may cause the tool to stall
- Select Yes to reboot Now
NOTE: This procedure will also delete OTMoveit.exe from desktop
Back to Windows updates and defragging
After XP Service Pack 2 is installed, but before SP3
I would opt to disable any power schemes and screen savers
Temporarily disable Avira by right clicking its icon by the clock and Uncheck AntiVir Guard Enable
Then manually run the Disk defragmenter on your C: drive
Start>>all programs>>accessories>>system Tools>>Disk Defragmenter
Reboot afterwards
Let me know when you have that done
SOME users with HP computers and non-Intel processors are having a difficult time with Service Pack 3 for XP
Constant reboots and error messages
Before attempting to install it
Can you come back here and post a fresh hijackthis log
Let's ensure your computer is prepared
-
I'll lock this topic as your problems appear resolved
Take care