Hi,
My machine seems to be infected with CWS.HiddenDLL spyware. I used the CWShredder program to remove it a couple of times, but it keeps coming back every time I reboot the machine. Can you please help? Following is the HJT log file:
Logfile of HijackThis v1.97.7
Scan saved at 1:25:02 PM, on 11/19/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.10\Inetd\inetd32.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.10\Jconfig\jconfigdnt.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.10\Jconfig\hjavaw.exe
C:\WINNT\orclobi\MyDesktop\MyDesktopService.exe
C:\Program Files\Java\j2re1.4.2_05\bin\javaw.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\system32\atiptaxx.exe
C:\WINNT\system32\pctspk.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Palm\AlarmApp.exe
C:\Program Files\D-Link AirPlus Xtreme G DWL-G650\AirPlus.exe
C:\Program Files\OLYMPUS\CAMEDIA Master 4.2\CM_camera.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\sxkumar\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.oracle.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://wpad/wpad.dat
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = www-proxy.us.oracle.com:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.oracle.com; *.oraclecorp.com;<local>
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
R3 - URLSearchHook: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - C:\Program Files\SurfSideKick 2\SskBho.dll (file missing)
O2 - BHO: (no name) - {25F7FA20-3FC3-11D7-B487-00D05990014C} - C:\WINNT\system32\mseggo.gif
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\ycomp5_5_7_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AboutTime Setup] regedit /s "C:\Program Files\AboutTime\setup.reg"
O4 - HKLM\..\Run: [AboutTime TimeServer] C:\Program Files\AboutTime\abouttime.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\Orl\Vnc\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Windows AdControl] C:\Program Files\Windows AdControl\WinAdCtl.exe
O4 - HKLM\..\Run: [DealHelperUpdate] C:\WINNT\DHUpdt.exe
O4 - HKLM\..\Run: [DealHelperBrwsr] C:\WINNT\dhbrwsr.exe
O4 - HKLM\..\Run: [sain] c:\winnt\system32\sain.exe
O4 - HKLM\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
O4 - HKLM\..\Run: [svrrun] C:\WINNT\svrrun.exe
O4 - HKLM\..\Run: [vmetera] C:\WINNT\system32\vmetera.exe
O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE
O4 - HKLM\..\Run: [SESync] "C:\Program Files\SED\SED.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [msmc] C:\WINNT\system32\msedpb.exe
O4 - HKCU\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Alarm Manager.LNK = C:\Palm\AlarmApp.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: D-Link AirPlus Xtreme G DWL-G650 Adapter Utility.lnk = C:\Program Files\D-Link AirPlus Xtreme G DWL-G650\AirPlus.exe
O4 - Global Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.2\CM_camera.exe
O4 - Global Startup: ProfileCopier.lnk = C:\Program Files\Profile Copier\ProfileCopier.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: ComcastHSI (HKCU)
O9 - Extra button: WeatherBug (HKCU)
O9 - Extra button: Support (HKCU)
O9 - Extra button: Help (HKCU)
O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
O12 - Plugin for .com/: C:\Program Files\Netscape\Communicator\Program\PLUGINS\nppl3260.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O15 - Trusted Zone: http://adsweb.oracleads.com
O16 - DPF: {00191E43-49C2-48E2-A548-8F702D75622A} - https://conference.oracle.com/imtapp/res/ja...jar/cnsload.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.rediff.com/hindi/wfplayer/tdserver.cab
O16 - DPF: {0D6451B3-FDDA-11D3-BFEC-00D0B725EB0B} (Yahoo! Vision) - http://download.yahoo.com/dl/fv/yv.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17EB9D9F-A863-4C04-B1E7-8412F538388E} (Collaboration Audio Recording Control) - http://appseminar.oracle.com/atc/signedenc...er_1,23,0,0.cab
O16 - DPF: {1A7AEDAF-81DC-47A1-AAED-CBC0E9DEB274} (Oraster) - http://www.oracle.com/broadband/3winviewer/oraster.cab
O16 - DPF: {1E89F686-B78D-4C85-9EFC-3474516E3FE2} - http://80.96.118.2/we/mw/MSN_QTPieJess01.exe
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (WficaCtl Object) - http://www.genisar.com/files/genplug60.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tr...Transporter.cab?
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB
O16 - DPF: {3B926A18-F7FA-445B-8AE8-3A7BCDF35A56} (NDTVVideo.MPlayer) - http://www.ndtv.com/video/NDTVvideo.CAB
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/c...ontent/opuc.cab
O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) - http://fdl.msn.com/public/investor/v13/invinstl.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/20c2bf2dc33bc9cf4017/...ip/RdxIE601.cab
O16 - DPF: {59D04288-805E-4D43-BE09-83B1083E9E1E} (IUpdateAutoLaunch Control) - http://idenphones.motorola.com/iden/client...eAutoLaunch.ocx
O16 - DPF: {689ff870-2ac0-11d5-b634-00c04faedb18} - http://atc-hied3.oracleicenter.com:8039/ja.../jinit11810.exe
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://zinio.earthc.net/images.zinio.com/r...ader/isetup.cab
O16 - DPF: {95EEE69E-27B4-4D13-BD32-766617A16909} (NDTVVideo.MPlayer) - http://www.ndtv.com//video/NDTVseekvideo.CAB
O16 - DPF: {963BE66B-121D-4E6C-BF9F-1A774D9A2E41} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupdate.exe
O16 - DPF: {9723C992-7B0B-4479-BDC4-6B6D3F5D9079} (Oracle iMeeting Installer) - http://imeetingbeta1.oracle.com/imtapp/res...ar/instctrl.dll
O16 - DPF: {9723C9A2-7B0B-4479-BDC4-6B6D3F5D9079} (Oracle iMeeting Installer) - http://imeetingbeta1.oracle.com/imtapp/res...ar/instctrl.dll
O16 - DPF: {9723C9A8-7B0B-4479-BDC4-6B6D3F5D9079} (Oracle iMeeting Installer) - https://webconferencingbetahq.oracle.com/im...ar/instctrl.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7696.4467592593
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll
O16 - DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB} (IEAnimBehaviorFactory Class) - http://download.microsoft.com/download/viz...N-US/msorun.cab
O16 - DPF: {A8B9F08F-2FC4-4ADE-9049-CFBA586971BA} - http://www.adsrvr.com/promos/Aff_Installer_5.exe
O16 - DPF: {B0EDD230-9458-11D4-B700-0050BA881E87} (WdHinIocCtrl Class) - http://www.epatra.com/components/activex/wdhinioc.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {BAA165DA-1DAF-4F18-9A28-E0D2D3937A1F} (Wrapper Class) - http://webevents.broadcast.com/wsp/VisionBrowser.CAB
O16 - DPF: {BAB3E70B-A847-4A88-ACFC-778FCCC00287} (CActSetupObj Object) - http://www.odysseusmarketing.com/actsetup.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/...ropper1_3us.cab
O16 - DPF: {C518A9DE-6C22-416B-BD84-AC759ACA3F99} (NDTVVideo.MPlayer) - http://www1.ndtv.com/video/NDTVvideo.CAB
O16 - DPF: {C54A28A1-5EBF-11D5-9F0E-00A0C99A7357} (SpeedCtl Class) - http://iweb.intertainer.com/eod/downloads/...s/SpeedTest.dll
O16 - DPF: {C7F626D2-0645-4FD8-8212-446707501F82} (Intava Mobile Experience Framework Control) - http://www.mmodemagazine.com/emulator/IntavaMEF.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {DA983D04-642D-49BF-A241-80BC6BD0F96A} (Collaboration Application Sharing Control) - http://appseminar.oracle.com/atc/signedsha...re_1,22,0,0.cab
O16 - DPF: {DFC9A7BC-27DA-11D6-9FCC-0002A51D1B02} (OraBcnTxnRec.Recorder_UC) - http://gbtech9.us.oracle.com:7777/em/monit...raBcnTxnRec.CAB
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://livesc02.rightnowtech.com/swoosh/ni...l/java/RntX.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.yahoo.com/...ebio5_0_2_7.cab
O16 - DPF: {F5078F32-C551-11D3-89B9-0000F81FE221} (XML DOM Document 3.0) - http://reversesweep.com/PlayerWebApp/msxml3.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = us.oracle.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{0884AEEE-5E40-4B37-BB6D-E6A72F60E719}: NameServer = 130.35.249.41,138.2.202.15
O17 - HKLM\System\CCS\Services\Tcpip\..\{0F0AF3FF-2897-4E2B-8834-CD905A8E8B92}: NameServer = 130.35.249.41,138.2.202.15
O17 - HKLM\System\CCS\Services\Tcpip\..\{73AED5A2-5559-4AD6-A425-52EB322459DE}: Domain = attbi.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{73AED5A2-5559-4AD6-A425-52EB322459DE}: NameServer = 130.35.249.41,138.2.202.15
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = us.oracle.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = us.oracle.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{0884AEEE-5E40-4B37-BB6D-E6A72F60E719}: NameServer = 130.35.249.41,138.2.202.15
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = us.oracle.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = us.oracle.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{0884AEEE-5E40-4B37-BB6D-E6A72F60E719}: NameServer = 130.35.249.41,138.2.202.15
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = us.oracle.com