Author Topic: CWS.HiddenDll  (Read 1130 times)

Offline Earendil

  • Newbie
  • *
  • Posts: 8
  • Karma: +0/-0
CWS.HiddenDll
« on: February 24, 2005, 10:17:43 PM »
It looks like I'm infected by CWS.HiddenDll. I already ran Spybot, Ad-Aware and CWShredder and none were able to remove it. Can anybody help me with this problem? Thanks :D

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
CWS.HiddenDll
« Reply #1 on: February 24, 2005, 10:42:38 PM »
Can you Download Hijackthis 1.99.1
A small utility to help identify if any Hijackers, Malware, Spyware, etc.....Reside on your computer

Important: Create a Permanent folder for Hijackthis
Double Click "MY Computer"
Open your C: drive
Click "File" >>> "New" >>>> "Folder"
A new folder will be created, name it HJT

Now you will have C:\HJT

Download Hijackthis from CLICK HERE or CLICK HERE
Save it to that new folder

Do a SCAN and Save a Log file. Save the log, then copy and paste the WHOLE contents of the log here. Don't try and fix anything yet. It is all important.


Could you also Download and save to Desktop DLLCompare

Start the Program and click the Run Locate.com

Let it complete the SCAN, which won't take long

Click the Compare button to start the next process. This will take a bit longer.
The results appear in two panes - files in the upper pane have been verified to 'exist'.
Files in the lower pane were 'not able to be accessed'.
Very few files should be listed in the lower pane, if any, when the Compare scan is complete.
Click on each of the listed entries in the lower pane to select them. Right-click on the file and use the option Rescan. This will cause Windows Find to see if the file does exist, and then if so it will be removed from the list to reduce the number of identified files.

Click the Make a Log of what was found button
Post back this log too, thanks

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline Earendil

  • Newbie
  • *
  • Posts: 8
  • Karma: +0/-0
CWS.HiddenDll
« Reply #2 on: February 24, 2005, 10:50:39 PM »
Logfile of HijackThis v1.99.1
Scan saved at 00:46:12, on 26/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\Trend Micro\PC-cillin 11\pccguide.exe
C:\Arquivos de programas\Trend Micro\PC-cillin 11\PCClient.exe
C:\Arquivos de programas\Trend Micro\PC-cillin 11\TMOAgent.exe
C:\Arquivos de programas\MSN Apps\Updater\01.02.3000.1001\pt-br\msnappau.exe
C:\Arquivos de programas\Winamp\winampa.exe
C:\WINDOWS\system32\rundll32.exe
C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe
C:\Arquivos de programas\Trend Micro\PC-cillin 11\Tmntsrv.exe
C:\Arquivos de programas\Trend Micro\PC-cillin 11\tmproxy.exe
C:\Arquivos de programas\Trend Micro\PC-cillin 11\PccPfw.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://clearsurfing.net/srch.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Rafael\CONFIG~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Rafael\CONFIG~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {83E0D9E3-D802-48BB-BFB1-80BBEA781511} - C:\WINDOWS\System32\ibln.dll (file missing)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Arquivos de programas\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\MSN Apps\MSN Toolbar\01.02.3000.1001\pt-br\msntb.dll
O2 - BHO: Name - {CCA09525-15FB-4939-B0B7-B47DE7B755D1} - C:\WINDOWS\System32\msntc.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\MSN Apps\MSN Toolbar\01.02.3000.1001\pt-br\msntb.dll
O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINDOWS\System32\iecustom32.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Arquivos de programas\Trend Micro\PC-cillin 11\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Arquivos de programas\Trend Micro\PC-cillin 11\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Arquivos de programas\Trend Micro\PC-cillin 11\TMOAgent.exe" /run
O4 - HKLM\..\Run: [msnappau] "C:\Arquivos de programas\MSN Apps\Updater\01.02.3000.1001\pt-br\msnappau.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Arquivos de programas\Winamp\winampa.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Rafael\CONFIG~1\Temp\se.dll,DllInstall
O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Spyware Vanisher] c:\spywarevanisher-free\FreeScanner.exe -FastScan
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Arquivos de programas\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {11212111-2121-1311-1141-115611111222} - ms-its:mhtml:file://d: oo.mht!http://69.50.166.213/users/alex/web/axe/x.chm::/update.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{11B6EEE9-B279-4E91-B59C-9BBE5DEC96AF}: NameServer = 69.50.176.196,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{DBD25FB2-FB80-4EC4-870C-BAD5988343D0}: NameServer = 69.50.176.196,195.225.176.37
O18 - Filter: text/html - {68E87B27-4397-4D6C-8365-7E3A0A599B2D} - C:\WINDOWS\System32\ibln.dll
O18 - Filter: text/plain - {68E87B27-4397-4D6C-8365-7E3A0A599B2D} - C:\WINDOWS\System32\ibln.dll
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - C:\Arquivos de programas\Trend Micro\PC-cillin 11\PccPfw.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Arquivos de programas\Trend Micro\PC-cillin 11\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Arquivos de programas\Trend Micro\PC-cillin 11\tmproxy.exe

---

No files appeared in the lower pane of the DLLCompare program

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
CWS.HiddenDll
« Reply #3 on: February 24, 2005, 11:28:05 PM »
Download and Install this small program
to help clean your temp folders, cookies, prefetch folder, etc...
Windows Cleanup
Install for now but Don't run a scan yet

If you didn't pay for SpywareVanisher we should get rid of it, look at this link for explanation
http://www.spywarewarrior.com/rogue_anti-spyware.htm
Remove it now, don't worry about restarting yet

Print the rest of this out or save to a notepad file on the desktop for reference
Disconnect from the Internet
and know how to start into safe mode, I'll be asking you to do that shortly


Do another scan with Hijackthis and put a check next to these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://clearsurfing.net/srch.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Rafael\CONFIG~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Rafael\CONFIG~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {83E0D9E3-D802-48BB-BFB1-80BBEA781511} - C:\WINDOWS\System32\ibln.dll (file missing)

O2 - BHO: Name - {CCA09525-15FB-4939-B0B7-B47DE7B755D1} - C:\WINDOWS\System32\msntc.dll

O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINDOWS\System32\iecustom32.dll

O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Rafael\CONFIG~1\Temp\se.dll,DllInstall

O4 - HKCU\..\Run: [Spyware Vanisher] c:\spywarevanisher-free\FreeScanner.exe -FastScan

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O16 - DPF: {11212111-2121-1311-1141-115611111222} - ms-its:mhtml:file://d: oo.mht!http://69.50.166.213/users/alex/web/axe/x.chm::/update.exe

O18 - Filter: text/html - {68E87B27-4397-4D6C-8365-7E3A0A599B2D} - C:\WINDOWS\System32\ibln.dll
O18 - Filter: text/plain - {68E87B27-4397-4D6C-8365-7E3A0A599B2D} - C:\WINDOWS\System32\ibln.dll


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Once again in Hijackthis>>Open the Misc tools Section
Open Delete file on Reboot
In the File Name field copy and Paste the Whole bold line below into the blank box

C:\DOCUME~1\Rafael\CONFIG~1\Temp\se.dll

Then click OPEN
Hijackthis should prompt you that the file will be deleted and you must Restart your computer
Do so, but
Please Restart into Safe mode by tapping the F8 key as the system is booting up

In safe mode, ensure these files and folder are gone, if not, delete them
C:\WINDOWS\System32\msntc.dll <--this file
C:\WINDOWS\System32\iecustom32.dll <--file

c:\spywarevanisher-free <--folder

Stay in safe mode
Open Windows CleanUp!
START>>All Programs>Cleanup
Click the CleanUp! button
Let it finish scanning for files, when it's done it will prompt you to Restart your computer or Log off, Don't yet

Instead run CWShredder again in safe mode

Restart back to Normal Mode

Don't open a browser yet, instead access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
Under the General tab---Delete files + offline content---Also Reset home page

Post back with a fresh Hijackthis log afterwards
« Last Edit: February 24, 2005, 11:30:17 PM by guestolo »



Guest

  • Guest
CWS.HiddenDll
« Reply #4 on: February 25, 2005, 12:13:14 AM »
Logfile of HijackThis v1.99.1
Scan saved at 02:11:34, on 26/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\Trend Micro\PC-cillin 11\Tmntsrv.exe
C:\Arquivos de programas\Trend Micro\PC-cillin 11\tmproxy.exe
C:\Arquivos de programas\Trend Micro\PC-cillin 11\pccguide.exe
C:\Arquivos de programas\Trend Micro\PC-cillin 11\PCClient.exe
C:\Arquivos de programas\Trend Micro\PC-cillin 11\TMOAgent.exe
C:\Arquivos de programas\MSN Apps\Updater\01.02.3000.1001\pt-br\msnappau.exe
C:\Arquivos de programas\Winamp\winampa.exe
C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\alg.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = &http://home.microsoft.com/intl/br/access/allinone.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Arquivos de programas\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\MSN Apps\MSN Toolbar\01.02.3000.1001\pt-br\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\MSN Apps\MSN Toolbar\01.02.3000.1001\pt-br\msntb.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Arquivos de programas\Trend Micro\PC-cillin 11\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Arquivos de programas\Trend Micro\PC-cillin 11\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Arquivos de programas\Trend Micro\PC-cillin 11\TMOAgent.exe" /run
O4 - HKLM\..\Run: [msnappau] "C:\Arquivos de programas\MSN Apps\Updater\01.02.3000.1001\pt-br\msnappau.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Arquivos de programas\Winamp\winampa.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Rafael\CONFIG~1\Temp\se.dll,DllInstall
O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Arquivos de programas\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{11B6EEE9-B279-4E91-B59C-9BBE5DEC96AF}: NameServer = 69.50.176.196,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{DBD25FB2-FB80-4EC4-870C-BAD5988343D0}: NameServer = 69.50.176.196,195.225.176.37
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - C:\Arquivos de programas\Trend Micro\PC-cillin 11\PccPfw.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Arquivos de programas\Trend Micro\PC-cillin 11\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Arquivos de programas\Trend Micro\PC-cillin 11\tmproxy.exe

---

And also, when Windows was restarted back in normal mode there was a complaint about se.dll being missing

Offline Earendil

  • Newbie
  • *
  • Posts: 8
  • Karma: +0/-0
CWS.HiddenDll
« Reply #5 on: February 25, 2005, 12:15:33 AM »
Oops... sorry... I am Guest

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
CWS.HiddenDll
« Reply #6 on: February 25, 2005, 12:23:45 AM »
Ensure you're running Ad-Aware SE 1.05, if not uninstall your version and download the latest from http://www.download.com/3000-2144-10045910...page&tag=button

After it's installed <<No need to do this if you have the latest version
Check for updates

Can you do another scan with Hijackthis and fix this entry
With all other windows closed
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Rafael\CONFIG~1\Temp\se.dll,DllInstall

Restart one more time to safe mode

Open Ad-Aware
Perform a Full system scan--"Uncheck Search for Negligible Risk Entries" before scanning
When it's finished scanning
At this point you should either right click on the screen and choose the "Select All" Objects option or individually put a checkmark in each object's checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button

RESTART back to Normal mode and post a fresh Hijackthis log and let me know how things are running

EDIT>>>I missed these 2, I am quite sure now they're bad guys
O17 - HKLM\System\CCS\Services\Tcpip\..\{11B6EEE9-B279-4E91-B59C-9BBE5DEC96AF}: NameServer = 69.50.176.196,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{DBD25FB2-FB80-4EC4-870C-BAD5988343D0}: NameServer = 69.50.176.196,195.225.176.37

After you post back we will have to take care of them, don't fix them yet
I want to try one more process
« Last Edit: February 25, 2005, 12:48:57 AM by guestolo »


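Added example, not from this thread or from the HijackThis project: a small Python triage script that reads lines in the HijackThis 1.99.1 log format and flags the kinds of entries guestolo picked out above (Reply #3) and in the O17 edit (Reply #6). The checks are generic rules, not a database: an IE search setting served from a res:// resource inside a Temp directory, a BHO whose DLL is "(file missing)", a Run key launching a DLL from Temp through rundll32, an O16 DPF entry using the ms-its:/mhtml: protocol, O18 MIME filters for text/html and text/plain, and O17 NameServer values outside a resolver allow-list. The sample log is constructed from entries quoted in this thread; the trusted resolver list is whatever the caller supplies (here the 200.176.2.x pair the poster confirmed as his ISP's), since only the machine's owner or ISP can say which DNS addresses are legitimate.

```python
import re
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

# Constructed sample in HijackThis log format, built from entries quoted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Rafael\CONFIG~1\Temp\se.dll/sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.terra.com.br/
O2 - BHO: (no name) - {83E0D9E3-D802-48BB-BFB1-80BBEA781511} - C:\WINDOWS\System32\ibln.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Rafael\CONFIG~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [WinampAgent] C:\Arquivos de programas\Winamp\winampa.exe
O16 - DPF: {11212111-2121-1311-1141-115611111222} - ms-its:mhtml:file://d: oo.mht!http://69.50.166.213/users/alex/web/axe/x.chm::/update.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{11B6EEE9-B279-4E91-B59C-9BBE5DEC96AF}: NameServer = 69.50.176.196,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{DBD25FB2-FB80-4EC4-870C-BAD5988343D0}: NameServer = 200.176.2.10,200.176.2.12
O18 - Filter: text/html - {68E87B27-4397-4D6C-8365-7E3A0A599B2D} - C:\WINDOWS\System32\ibln.dll
"""

# Every HijackThis entry starts with a section tag (R0-R3 or O<n>) followed by " - ".
ENTRY_RE = re.compile(r"^(R[0-3]|O\d+) - (.*)$")
NAMESERVER_RE = re.compile(r"NameServer = ([\d.,]+)")


def parse_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (section, body) for a HijackThis entry line, or None for headers/process lists."""
    m = ENTRY_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def check_entry(section: str, body: str, trusted_dns: FrozenSet[str]) -> List[str]:
    """Apply the rules for one entry and return the reasons it looks suspicious (empty if none)."""
    reasons: List[str] = []
    low = body.lower()
    in_temp = "\\temp\\" in low  # path passes through a ...\Temp\ directory

    if section in ("R0", "R1") and "res://" in low and in_temp:
        reasons.append("IE search/start setting served from a res:// resource inside a Temp directory")
    if section == "O2" and "(file missing)" in low:
        reasons.append("BHO registered but its DLL is missing (orphaned or self-hiding component)")
    if section == "O4" and "rundll32" in low and in_temp:
        reasons.append("Run key launches a DLL from a Temp directory via rundll32")
    if section == "O16" and ("ms-its:" in low or "mhtml:" in low):
        reasons.append("DPF entry uses the ms-its:/mhtml: protocol to pull an executable from a .chm")
    if section == "O18" and ("text/html" in low or "text/plain" in low):
        reasons.append("MIME filter intercepts all HTML/plain-text content; legitimate ones are rare")
    if section == "O17":
        m = NAMESERVER_RE.search(body)
        if m:
            rogue = [s for s in m.group(1).split(",") if s not in trusted_dns]
            if rogue:
                reasons.append("NameServer points at resolvers outside the trusted set: " + ", ".join(rogue))
    return reasons


def scan_log(text: str, trusted_dns: Iterable[str]) -> List[Dict[str, object]]:
    """Scan a whole HijackThis log and return one finding per flagged entry, in log order."""
    trusted = frozenset(trusted_dns)
    findings: List[Dict[str, object]] = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        section, body = parsed
        reasons = check_entry(section, body, trusted)
        if reasons:
            findings.append({"section": section, "entry": line.strip(), "reasons": reasons})
    return findings


if __name__ == "__main__":
    # Trusted resolvers are supplied by the caller; these are the ISP addresses confirmed in the thread.
    for f in scan_log(SAMPLE_LOG, ["200.176.2.10", "200.176.2.12"]):
        print(f["section"], "|", f["entry"])
        for r in f["reasons"]:
            print("    ->", r)
```

Run it on the sample and six of the ten entries are flagged; the Acrobat BHO, the Winamp Run key, the terra.com.br start page and the O17 entry pointing at the ISP's own resolvers pass. The allow-list is the important design choice: an O17 line is not bad in itself (it is how a static DNS configuration shows up), so the script cannot decide it alone, which is exactly the back-and-forth in Replies #9 through #12.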

Offline Earendil

  • Newbie
  • *
  • Posts: 8
  • Karma: +0/-0
CWS.HiddenDll
« Reply #7 on: February 25, 2005, 01:09:58 AM »
Logfile of HijackThis v1.99.1
Scan saved at 03:14:32, on 26/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\Trend Micro\PC-cillin 11\Tmntsrv.exe
C:\Arquivos de programas\Trend Micro\PC-cillin 11\pccguide.exe
C:\Arquivos de programas\Trend Micro\PC-cillin 11\PCClient.exe
C:\Arquivos de programas\Trend Micro\PC-cillin 11\TMOAgent.exe
C:\Arquivos de programas\MSN Apps\Updater\01.02.3000.1001\pt-br\msnappau.exe
C:\Arquivos de programas\Winamp\winampa.exe
C:\Arquivos de programas\Trend Micro\PC-cillin 11\tmproxy.exe
C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.terra.com.br/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = &http://home.microsoft.com/intl/br/access/allinone.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Arquivos de programas\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\MSN Apps\MSN Toolbar\01.02.3000.1001\pt-br\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\MSN Apps\MSN Toolbar\01.02.3000.1001\pt-br\msntb.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Arquivos de programas\Trend Micro\PC-cillin 11\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Arquivos de programas\Trend Micro\PC-cillin 11\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Arquivos de programas\Trend Micro\PC-cillin 11\TMOAgent.exe" /run
O4 - HKLM\..\Run: [msnappau] "C:\Arquivos de programas\MSN Apps\Updater\01.02.3000.1001\pt-br\msnappau.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Arquivos de programas\Winamp\winampa.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Arquivos de programas\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{11B6EEE9-B279-4E91-B59C-9BBE5DEC96AF}: NameServer = 200.176.2.10,200.176.2.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{DBD25FB2-FB80-4EC4-870C-BAD5988343D0}: NameServer = 69.50.176.196,195.225.176.37
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - C:\Arquivos de programas\Trend Micro\PC-cillin 11\PccPfw.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Arquivos de programas\Trend Micro\PC-cillin 11\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Arquivos de programas\Trend Micro\PC-cillin 11\tmproxy.exe



EDIT:

I took time to respond because I think those 2 changed some of my Internet Options (DNS server) and I had to discover what the actual numbers were
« Last Edit: February 25, 2005, 01:15:23 AM by Earendil »

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
CWS.HiddenDll
« Reply #8 on: February 25, 2005, 01:21:25 AM »
Good work

I need you to save this to a Notepad file on your desktop for reference
Or Print out these instructions

I've uploaded a file called Remv3.zip at the bottom of  this reply
Download it and UNZIP the contents
Don't run it from within the zipped file
We'll need this later

Set Windows To Show Hidden Files and Folders
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck the Hide Extensions for known file types
    * Click Yes to confirm.
    * Click OK.

You must be in Safe mode for this to work
Restart to Safe mode

Navigate to the unzipped folder
remv3
open it and double click on remv3.bat
Let this finish, won't take long>>wait until it's finished

Stay in safe mode
Do another scan with Hijackthis and put a check next to these entries:

O17 - HKLM\System\CCS\Services\Tcpip\..\{11B6EEE9-B279-4E91-B59C-9BBE5DEC96AF}: NameServer = 69.50.176.196,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{DBD25FB2-FB80-4EC4-870C-BAD5988343D0}: NameServer = 69.50.176.196,195.225.176.37


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Restart back to Normal mode

Access your Control Panel
If you're in Category View>>Switch to Classic View
- Double-click the Network Connections icon.
- Right-click your connection >>>Probably  Local Area Connection icon and select Properties.
- Highlight Internet Protocol (TCP/IP) and click the Properties button.
Be sure "Obtain DNS server address automatically" is selected. OK your way out.

Restart your computer again and come back here and post a fresh hijackthis log
I hope to see it tonight, but if not I will see it tomorrow
« Last Edit: February 25, 2005, 01:22:27 AM by guestolo »



Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
CWS.HiddenDll
« Reply #9 on: February 25, 2005, 01:23:03 AM »
Forgot to upload the file, take a look again, I've added it now


My EDIT>>>I didn't see your edit
but if this is your ISP or Domain don't fix it

O17 - HKLM\System\CCS\Services\Tcpip\..\{11B6EEE9-B279-4E91-B59C-9BBE5DEC96AF}: NameServer = 200.176.2.10,200.176.2.12

The other one has to go.....
« Last Edit: February 25, 2005, 01:30:32 AM by guestolo »



Offline Earendil

  • Newbie
  • *
  • Posts: 8
  • Karma: +0/-0
CWS.HiddenDll
« Reply #10 on: February 25, 2005, 01:43:40 AM »
Logfile of HijackThis v1.99.1
Scan saved at 03:40:29, on 26/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\Trend Micro\PC-cillin 11\pccguide.exe
C:\Arquivos de programas\Trend Micro\PC-cillin 11\PCClient.exe
C:\Arquivos de programas\Trend Micro\PC-cillin 11\TMOAgent.exe
C:\Arquivos de programas\MSN Apps\Updater\01.02.3000.1001\pt-br\msnappau.exe
C:\Arquivos de programas\Winamp\winampa.exe
C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe
C:\Arquivos de programas\Trend Micro\PC-cillin 11\Tmntsrv.exe
C:\Arquivos de programas\Trend Micro\PC-cillin 11\tmproxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\alg.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.terra.com.br/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = &http://home.microsoft.com/intl/br/access/allinone.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Arquivos de programas\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\MSN Apps\MSN Toolbar\01.02.3000.1001\pt-br\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\MSN Apps\MSN Toolbar\01.02.3000.1001\pt-br\msntb.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Arquivos de programas\Trend Micro\PC-cillin 11\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Arquivos de programas\Trend Micro\PC-cillin 11\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Arquivos de programas\Trend Micro\PC-cillin 11\TMOAgent.exe" /run
O4 - HKLM\..\Run: [msnappau] "C:\Arquivos de programas\MSN Apps\Updater\01.02.3000.1001\pt-br\msnappau.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Arquivos de programas\Winamp\winampa.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Arquivos de programas\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{11B6EEE9-B279-4E91-B59C-9BBE5DEC96AF}: NameServer = 200.176.2.10,200.176.2.12
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - C:\Arquivos de programas\Trend Micro\PC-cillin 11\PccPfw.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Arquivos de programas\Trend Micro\PC-cillin 11\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Arquivos de programas\Trend Micro\PC-cillin 11\tmproxy.exe

-----

From the file you uploaded there was also:

Other bad files to be Manually deleted.. Please note that this might also list legit Files, be careful while deleting
-----------------------------------------------------------------
hddwk.dll
msi.dll
Finished

Offline Earendil

  • Newbie
  • *
  • Posts: 8
  • Karma: +0/-0
CWS.HiddenDll
« Reply #11 on: February 25, 2005, 01:49:55 AM »
Ah... I didn't follow the:

- Highlight Internet Protocol (TCP/IP) and click the Properties button.
Be sure "Obtain DNS server address automatically" is selected. OK your way out.

Because my IP doesn't change... (I guess it was originally configured like this)
« Last Edit: February 25, 2005, 01:51:27 AM by Earendil »

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
CWS.HiddenDll
« Reply #12 on: February 25, 2005, 01:59:38 AM »
That's OK, it appears that you know that the remaining DNS address is legit.
I was a little late seeing your edit :)
How's everything running?

Find and delete this file
c:\windows\system32\hddwk.dll <--file
After deleting you can go back and rehide hidden files

I forgot to ask for the whole log, can you post this log please
C:\log.txt



You should be clean

You should disable system restore---restart your computer--enable system restore
This will clear all your restore points and ensure you don't restore any nasties
Once reenabled it will create a fresh restore point
How to Disable and Re-enable System Restore feature

Once back in Windows and System Restore is reenabled

You should set up protection against future attacks

SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html

IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial
Download link

Regular IE-Spyad for the individual user or IE-Spyad 2 for global protection(All users) on your computer
You only need one or the other

With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection

I just want to leave this topic open for a couple days
after a day or so do you think you can delete
log.txt
Show hidden files and folders
Restart in safe mode
Run remv3.bat again and post the c:\log.txt and a fresh hijackthis log, thanks
« Last Edit: February 25, 2005, 02:00:48 AM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline Earendil

  • Newbie
  • *
  • Posts: 8
  • Karma: +0/-0
CWS.HiddenDll
« Reply #13 on: February 25, 2005, 02:43:11 AM »
1) I accidentally ran the program twice and I believe the log file is about the second one (in the first one there were more files found, but none not deleted):


Files Found.................
----------------------------------------

Files Not deleted.................
----------------------------------------

Merging registry entries
-----------------------------------------------------------------
The Registry Entries Found...
-----------------------------------------------------------------
 
 
Other bad files to be Manually deleted.. Please note that this might also list legit Files, be careful while deleting
-----------------------------------------------------------------
hddwk.dll
msi.dll
Finished

------------------------------------------------------

2) I wasn't able to locate hddwk.dll on c:\windows\system32

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
CWS.HiddenDll
« Reply #14 on: February 25, 2005, 02:37:26 PM »
Can you try this again
Delete C:\log.txt
Set Windows to show Hidden files and folders

Download the Pocket Killbox
UNZIP it to a folder of your choice

Save the rest of these instructions to a Notepad file and leave it open on the desktop
Disconnect from the Internet

Run Pocket KillBox
click on Tools --> Select Delete Temp Files. Click OK.

Again, in Killbox
At the main screen of Pocket Killbox, select the option: Replace on Reboot
Also tick Use Dummy
In the Full Path of File to Delete box, copy and paste this entry:

C:\WINDOWS\SYSTEM32\hddwk.dll

Press the button with a red circle and a white X
Click Yes to Replace
When asked if you would like to Reboot, select Yes.

Restart into safe mode

Run remv3.bat again

Restart back to Normal mode

Post a fresh hijackthis log and the C:\log.txt



Offline Earendil

  • Newbie
  • *
  • Posts: 8
  • Karma: +0/-0
CWS.HiddenDll
« Reply #15 on: February 25, 2005, 10:27:06 PM »
Logfile of HijackThis v1.99.1
Scan saved at 00:25:48, on 27/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Trend Micro\PC-cillin 11\pccguide.exe
C:\Arquivos de programas\Trend Micro\PC-cillin 11\PCClient.exe
C:\Arquivos de programas\Trend Micro\PC-cillin 11\TMOAgent.exe
C:\Arquivos de programas\MSN Apps\Updater\01.02.3000.1001\pt-br\msnappau.exe
C:\Arquivos de programas\Winamp\winampa.exe
C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe
C:\Arquivos de programas\Trend Micro\PC-cillin 11\Tmntsrv.exe
C:\Arquivos de programas\Trend Micro\PC-cillin 11\tmproxy.exe
C:\Arquivos de programas\Trend Micro\PC-cillin 11\PccPfw.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\alg.exe
C:\Arquivos de programas\SpywareBlaster\spywareblaster.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.terra.com.br/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = &http://home.microsoft.com/intl/br/access/allinone.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Arquivos de programas\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\MSN Apps\MSN Toolbar\01.02.3000.1001\pt-br\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\MSN Apps\MSN Toolbar\01.02.3000.1001\pt-br\msntb.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Arquivos de programas\Trend Micro\PC-cillin 11\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Arquivos de programas\Trend Micro\PC-cillin 11\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Arquivos de programas\Trend Micro\PC-cillin 11\TMOAgent.exe" /run
O4 - HKLM\..\Run: [msnappau] "C:\Arquivos de programas\MSN Apps\Updater\01.02.3000.1001\pt-br\msnappau.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Arquivos de programas\Winamp\winampa.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Arquivos de programas\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{11B6EEE9-B279-4E91-B59C-9BBE5DEC96AF}: NameServer = 200.176.2.10,200.176.2.12
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - C:\Arquivos de programas\Trend Micro\PC-cillin 11\PccPfw.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Arquivos de programas\Trend Micro\PC-cillin 11\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Arquivos de programas\Trend Micro\PC-cillin 11\tmproxy.exe

----


Files Found.................
----------------------------------------

Files Not deleted.................
----------------------------------------

Merging registry entries
-----------------------------------------------------------------
The Registry Entries Found...
-----------------------------------------------------------------
 
 
Other bad files to be Manually deleted.. Please note that this might also list legit Files, be careful while deleting
-----------------------------------------------------------------
hdkak.dll
msi.dll
Finished
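The scans in this thread are compared by eye (the DNS entry in O17, the hidden DLL whose name changes from hddwk.dll to hdkak.dll between remv3.bat runs). As an added example that is not part of the original thread, the Python below parses the HijackThis v1.99.1 and remv3.bat line formats shown in these posts so two scans can be diffed mechanically; the sample inputs are constructed from lines in this thread, and the trusted-resolver set is an assumption the reader supplies.

```python
"""Added example: parse HijackThis and remv3.bat output to compare two scans."""
import re

HJT_LINE = re.compile(r"^([RO]\d+) - (.*)$")   # e.g. "O17 - HKLM\...: NameServer = ..."
NAMESERVER = re.compile(r"NameServer = ([\d.,]+)")

def parse_hjt(text):
    """Return the set of (section, body) pairs for every R*/O* line in a log."""
    entries = set()
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.add((m.group(1), m.group(2)))
    return entries

def diff_hjt(before, after):
    """(added, removed) entries between two scans of the same machine."""
    old, new = parse_hjt(before), parse_hjt(after)
    return sorted(new - old), sorted(old - new)

def untrusted_nameservers(text, trusted):
    """O17 NameServer addresses outside the caller's trusted set; a hijacker
    that swaps the DNS resolver shows up here even if nothing else changed."""
    found = set()
    for section, body in parse_hjt(text):
        m = NAMESERVER.search(body) if section == "O17" else None
        if m:
            found.update(ip for ip in m.group(1).split(",") if ip not in trusted)
    return sorted(found)

def manual_delete_list(remv3_log):
    """File names under remv3.bat's 'Other bad files to be Manually deleted'
    heading, up to the 'Finished' line (separator lines are skipped)."""
    names, collecting = [], False
    for line in remv3_log.splitlines():
        line = line.strip()
        if line.startswith("Other bad files"):
            collecting = True
        elif line == "Finished":
            break
        elif collecting and line and not line.startswith("-"):
            names.append(line)
    return names

# Constructed samples built from lines posted in this thread: the O17 entry is
# present before the user switched DNS to "obtain automatically", absent after.
O17 = ("O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{11B6EEE9-B279-4E91-B59C-9BBE5DEC96AF}: "
       "NameServer = 200.176.2.10,200.176.2.12")
O4 = "O4 - HKLM\\..\\Run: [WinampAgent] C:\\Arquivos de programas\\Winamp\\winampa.exe"
BEFORE, AFTER = O4 + "\n" + O17 + "\n", O4 + "\n"
REMV3_RUN1 = "Other bad files to be Manually deleted..\n-----\nhddwk.dll\nmsi.dll\nFinished\n"
REMV3_RUN2 = "Other bad files to be Manually deleted..\n-----\nhdkak.dll\nmsi.dll\nFinished\n"
```

The symmetric difference of the two `manual_delete_list` results isolates the renamed DLL while the stable `msi.dll` (a legitimate system file the tool warns may be listed) drops out.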

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
CWS.HiddenDll
« Reply #16 on: February 26, 2005, 03:39:10 AM »
Could you do me a favor please
Download this virus checker from eScan
Mwav.exe
There's nothing to install, save it and then double click to run
It will self extract
You may have to temporarily disable Pccillin

Select all local drives, scan all files, press 'SCAN' and when it is completed, anything found will be displayed in the lower pane.
In the Virus Log Information Pane
Left click and Highlight all the info in the Lower pane--- Use "CTRL C" on your Keyboard to copy all found in the lower pane and paste it in your next reply.

****If prompted that a Virus was found and you need to purchase the product  to remove the malware, just close out the prompt and let it continue scanning
We just want to see where the bad guys are

Post back a fresh hijackthis log afterwards too

I would like to see a fresh hijackthis log
The Mwav scan is optional at this point, wouldn't hurt however

But could I also get you to run this tool
Download STARTDRECK

Unzip it to its own folder

run StartDreck.exe:
Hit: -config
hit: -Unmark all
Check these boxes only:
*Registry->run keys
*Registry->Browser helper objects
*System/drivers> Running processes
hit >ok.

Use the "save" tab, to save, name and post the log
« Last Edit: February 26, 2005, 04:56:32 PM by guestolo »
