Author Topic: CWS problem :(  (Read 5452 times)

Offline guestolo

CWS problem :(
« Reply #20 on: November 28, 2004, 12:23:05 PM »
Ok, let's deal with some problems
As I stated before
WinPatrol is a good program but can deter any changes that you try and make in the registry
Also try and shut down TrojanHunters
TrojanGuard
Something is blocking these fixes, try to track down which one is the problem
It is probably a legit program doing this
I've even read special cases where the user had to uninstall Spybot completely before the changes could take effect
Of course Reinstall later...

Did you make your Host file READ ONLY?

Download this zipped file from Winhelp that will make a custom Host file
http://www.mvps.org/winhelp2002/hosts.zip
Save this to your desktop for now

We should Disable System Restore at this point---This will clear all your system restore points---we can reenable it when you start back up in Normal mode
http://vil.nai.com/vil/SystemHelpDocs/Disa...eSysRestore.htm

Try and start in safe mode
You can do this by tapping F8 on system startup or use msconfig from the START >>RUN menu and put a check in safeboot under the Boot.ini tab

In safe mode navigate to this folder
C:\WINDOWS\SYSTEM32\DRIVERS\ETC

Delete any Hosts files again, you may have to uncheck READ ONLY if you checked it earlier
Open Hoster and Restore Original Hosts

Next: Unzip the Custom Host file you saved on desktop to this directory
C:\WINDOWS\SYSTEM32\DRIVERS\ETC
Allow to overwrite if prompted
Make the file READ ONLY or use Hoster to do the same

Try and Run Trojan Hunter in safe mode, make sure you unzipped the Latest Ruleset
to the Trojan Hunter in advance

Allow it to fix whatever it finds

Stay in safe mode and open Hijackthis
Put a check next to these entries

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch

After you have ticked the above entries, close down ALL other open windows
Leave Hijackthis open and click FIX CHECKED
YES to the prompt and exit Hijackthis

Open Ad-Aware in safe mode and run a scan
Remove All critical objects

Open Cleanup! and use the cleanup button to clean your temp folders and such

Open VX2 finder and click "Find VX2.Betterinternet"
On the right hand side click the
Click 'User Agent'
Ok it...

Restart back in Normal mode
Go back and enable System Restore

Post back with a fresh hijackthis log and VX2 log
Let's see if that user agent string is gone

EDIT--Do you have other users on your computer
Could I see a Hijackthis log from another account if you do
« Last Edit: November 28, 2004, 12:25:39 PM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/
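The O1 entries the fix above targets are hosts-file lines that point well-known search domains at a real address instead of loopback, so every browser lookup for those names lands on the hijacker's server. The script below is an added example (not code from the thread, from HijackThis or from Hoster) that parses a hosts file, flags any name mapped to a non-loopback, non-0.0.0.0 address, and renders the findings in the same O1 format HijackThis prints, so they can be compared line by line against a posted log. The sample hosts content is constructed; its three redirect lines mirror the O1 entries quoted in the post.

```python
"""Flag hosts-file lines that point well-known names at a real IP address.

Added example, not code from the thread or from HijackThis. SAMPLE_HOSTS is
constructed; the three 69.20.16.183 lines mirror the O1 entries in the thread.
"""
import ipaddress

SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         ad.doubleclick.net    # blocklist-style entry (constructed), harmless
69.20.16.183    auto.search.msn.com
69.20.16.183    search.netscape.com
69.20.16.183    ieautosearch
"""


def parse_hosts(text):
    """Return (line_number, ip_address, hostname) for every mapping in a hosts file."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and surrounding whitespace
        if not line:
            continue
        ip_text, *names = line.split()
        try:
            addr = ipaddress.ip_address(ip_text)
        except ValueError:
            continue                           # malformed line, not a mapping
        for name in names:
            entries.append((lineno, addr, name.lower()))
    return entries


def is_redirect(addr):
    """A blocklist (like the MVPS file) maps names to loopback or 0.0.0.0; any
    other target sends traffic for that name to a real host, the hijack pattern."""
    return not (addr.is_loopback or addr.is_unspecified)


def find_hijacks(text):
    """List the suspicious mappings as (line_number, ip_string, hostname)."""
    return [(lineno, str(addr), name)
            for lineno, addr, name in parse_hosts(text) if is_redirect(addr)]


def as_hijackthis_o1(text):
    """Render the findings in the O1 line format HijackThis uses."""
    return [f"O1 - Hosts: {ip} {name}" for _, ip, name in find_hijacks(text)]


def targets_by_ip(text):
    """Group hijacked names by destination IP: one address collecting several
    search domains is the CoolWebSearch signature seen in the thread."""
    groups = {}
    for _, ip, name in find_hijacks(text):
        groups.setdefault(ip, []).append(name)
    return groups


if __name__ == "__main__":
    for line in as_hijackthis_o1(SAMPLE_HOSTS):
        print(line)
    print(targets_by_ip(SAMPLE_HOSTS))
```

Run it against the real file by reading `C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts` into `find_hijacks`; a clean machine, or one carrying only a blocklist-style hosts file, returns an empty list, which is the state the post's "post back with a fresh log" check is looking for.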


Offline guestolo

« Reply #21 on: November 28, 2004, 12:29:28 PM »
Once again I'll remind you, I'm not sure what the reasons are that you're way behind on Windows updates
But if you haven't done so already, this is a good time to do so
You keep chopping off the top part of your HijackThis log

I'm not recommending installing Service Pack2 but you should at minimum get SP1 installed
This will install needed security patches

I forgot to ask you to run this file through that Online Malware Scan
http://virusscan.jotti.dhs.org/
C:\Windows\system32\xcidcore.dll <--file
Are you sure it's spelled that way
« Last Edit: November 28, 2004, 01:07:32 PM by guestolo »



Guest

« Reply #22 on: November 30, 2004, 08:26:10 PM »
Phew, I've been away the last few days so had to put the virus on hold. Well today I got a windows critical at start-up so I went and looked at the dll and no results matching its name on google, so I deleted it and every other file in the system32 directory that was the same size. Probably caught a few innocents in there but war ain't pretty.

Anyway, rebooted my machine and what do you know, taskbar no longer flashes colour while booting up anymore and only two instances of rundll32 as opposed to 3 and neither of those are asking for i-net access. Pretty sure those are my Nvidia proggies so I for one feel the virus has been purged and I wasn't going insane with the explorer and rundll32 route.

I deleted the three O1 entries using HijackThis and here's a fresh log

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\CDBurnerXP Pro 3\Tools\NMSAccess.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Program Files\MSI\Live Update 3\LMonitor.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Creative\MediaSource\GO\CTCMSGo.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\Profiler\lwemon.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\VirusHunting\hijack this\HijackThis.exe

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKCU\..\Run: [Creative MediaSource Go] C:\Program Files\Creative\MediaSource\GO\CTCMSGo.exe /SYS
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [Start WingMan Profiler] "C:\Program Files\Logitech\Profiler\lwemon.exe" /noui
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...83/mcinsctl.cab

Done a few reboots and the O1's don't look to be coming back, fingers crossed that's an end to it all :D Thanks for the help you provided mate and sorry I just kinda vanished but all's well that ends well :)

Offline guestolo

« Reply #23 on: November 30, 2004, 08:42:20 PM »
Good to hear, thought you were maybe upset with me for putting you thru the ringers :D

You have, or should I say had, an infection I've dealt with many times, your symptoms were all there but nothing was fixing it :blink:

Glad you figured it out
You don't remember the files you deleted do you?

One more free utility if you want it to help protect your system from getting infected again
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial
Download link==Download link
Scroll down and click on IE-SPYAD.EXE Free!

With SpywareBlaster and IE-Spyad, Check for updates every couple of weeks
Ie-spyad works a little different for updates
Keep the link to the site bookmarked, when there's an update follow the tutorial for updating

Thanks for posting back, by the way, your log looks good

I hope you installed SP1 :P
« Last Edit: November 30, 2004, 08:43:26 PM by guestolo »



Guest

« Reply #24 on: December 01, 2004, 11:40:19 AM »
No I wasn't upset with you at all, very grateful for the help you provided and I know you have to go through the motions just to eliminate every possibility :)

And yeah it was really odd how nothing fixed or even detected the problem, I must have got a new strain or something, damn thing was like cancer. A few of the files were guard.tmp (this one seemed to appear quite a lot) but that could have been a valid file, c4000edmh.dll, i6600gjme.dll, oaesvr.dll (this was the one that caused the last windows critical), there were more but I only noted down the ones that killbox couldn't destroy. I had to get killbox to delete on reboot and then reboot into safe mode to kill all of them. They all had a file size of 221kb though so I fragged everything in the system32 of that length, probably got a few innocent files as well but nothing important as my system is working fine :D

I'm definitely gonna try that SPYAD thing out, thanks for the link dude :) My advice to anyone suffering the same or similar symptoms would be to immediately close access to the internet off for anything running as rundll32, explorer.exe or winlogon.exe. These things have no business connecting to the i-net and they were the things responsible for ensuring the virus wasn't removed (not sure how still). Then it's a case of finding the DLLs responsible, could be different file sizes to the ones I had cause might be a different strain, wait for a windows critical and then delete all non-windows files of the same size as this dll (including the one that gave you the windows critical). If you don't get any criticals then I guess look for DLLs that were created recently and that have no google hits for them and follow the procedure above for these.

Installing SP1 for me isn't as simple as it should be, requires a whole OS reinstall, I'll say no more in case these forums are monitored <_<
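The poster's triage rested on one observation: the dropped DLLs in system32 all shared an exact byte size and had all appeared recently, while long-standing Windows files did not fit that pattern. The script below is an added example, not the poster's own tooling or anything from the thread, that turns that observation into a report: it groups the DLLs in a directory by exact size and lists only clusters whose members were all modified within a recent window, so a responder can review names and dates before deciding what to remove. The demo directory it builds is constructed; the three fresh file names are the ones the post mentions, and the sizes and the old "system" files beside them are made up to show the contrast.

```python
"""Group DLLs by exact byte size and report clusters that are uniformly recent.

Added example, not code from the thread. build_demo_dir() creates a constructed
directory: three fresh same-size DLLs named after the post's files, plus older
files with made-up sizes standing in for long-installed system components.
"""
import os
import tempfile
import time
from collections import defaultdict


def size_clusters(directory, suffix=".dll", min_members=2):
    """Map byte size -> sorted [(name, mtime)] for files with that suffix,
    keeping only sizes shared by at least min_members files."""
    clusters = defaultdict(list)
    for name in os.listdir(directory):
        path = os.path.join(directory, name)
        if os.path.isfile(path) and name.lower().endswith(suffix):
            st = os.stat(path)
            clusters[st.st_size].append((name, st.st_mtime))
    return {size: sorted(members)
            for size, members in clusters.items() if len(members) >= min_members}


def recent_clusters(directory, max_age_days=7, now=None):
    """Return [(size, [names])] for clusters where every member was modified
    within max_age_days. A cluster of old files (a product's real libraries
    happening to share a size) is left out; a cluster that is all new is the
    pattern worth reviewing."""
    now = time.time() if now is None else now
    cutoff = now - max_age_days * 86400
    report = []
    for size, members in sorted(size_clusters(directory).items()):
        if all(mtime >= cutoff for _, mtime in members):
            report.append((size, [name for name, _ in members]))
    return report


def build_demo_dir():
    """Constructed sample directory for the demo and tests."""
    d = tempfile.mkdtemp(prefix="dll_triage_")
    now = time.time()
    old = now - 400 * 86400                      # "installed over a year ago"
    spec = [
        ("c4000edmh.dll", 221 * 1024, now),      # names from the post, fresh
        ("i6600gjme.dll", 221 * 1024, now),
        ("oaesvr.dll", 221 * 1024, now),
        ("kernel32.dll", 983040, old),           # made-up size, old: shared size, not suspicious
        ("user32.dll", 983040, old),
        ("ntdll.dll", 700000, old),              # unique size, never a cluster
    ]
    for name, size, mtime in spec:
        path = os.path.join(d, name)
        with open(path, "wb") as fh:
            fh.write(b"\0" * size)
        os.utime(path, (mtime, mtime))
    return d


if __name__ == "__main__":
    demo = build_demo_dir()
    for size, names in recent_clusters(demo):
        print(f"{size} bytes: {', '.join(names)}")
```

Pointing `recent_clusters` at the real system32 directory produces the same kind of shortlist the poster assembled by hand; each name on it can then be checked against a vendor signature or a scan before anything is touched, which is the step the post's "no Google hits" heuristic was standing in for.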

Offline guestolo

« Reply #25 on: December 04, 2004, 02:28:14 PM »
An automatic fix is in the process, the fix for this is long and takes patience

All those files caught by DllCompare were part of the problem
Just if I can figure how you found the main culprit
« Last Edit: December 06, 2004, 01:26:30 AM by guestolo »



wendt

« Reply #26 on: December 07, 2004, 11:48:28 PM »
Use Opera for browsing.  Use BlackICE for anti-intrusion.  Use McAfee or Norton for anti-virus.  Use a decent anti-spyware program (Spy Sweeper...etc).  Avoid using Microsoft products like the plague.

If you use those rules, you avoid lots of headaches.

Partition (or repartition) your hard drive to keep your C:\ drive small (at 10 Gig or less).  Store everything that you don't want to lose on alternate partitions.  Then you can wipe the C:\ partition and install a totally clean OS when ever you need to.  That takes you about 20 minutes.

Instead of all night....

Interesting thread.....one of the better threads I've read this year.  guestolo is probably someone I would hire.

Bill