Author Topic: CWS.HiddenDll  (Read 6615 times)

Felix

  • Guest
CWS.HiddenDll
« on: November 14, 2004, 07:25:37 PM »
Ok, I've had a really annoying spyware problem recently.

Basically my IE start page was constantly changed to about:blank and had a search engine site called Search Now (isn't about:blank just supposed to be blank?). Also, other random sites were constantly being forwarded to this while I was browsing the internet.

I googled it and found out that I, like many, was infested with the CWS spyware. I downloaded CWShredder and ran it. The program found CWS.HiddenDll and removed it along with 6 apparent registry entries. After doing this my IE was back to normal. After a while it came back though. I ran CWShredder again and it again found the above.

This keeps coming back and all I can do is rerun CWShredder every time, but it's really annoying.

Any thoughts on how to get rid of it for good?

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • Posts: 16034
  • Karma: +1/-0
CWS.HiddenDll
« Reply #1 on: November 14, 2004, 08:56:38 PM »
Let's get a closer look, Felix.

Double-click "My Computer"
Open your C: drive
Click "File" >>> "New" >>>> "Folder"
A new folder will be created; name it HJT

Now you will have C:\HJT

Download HijackThis from HERE or HERE
Save it to that new folder

Do a SCAN----Scan will change to SAVE LOG----copy and paste the WHOLE contents of the log here... Don't try and fix anything yet----It is all important

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Guest

  • Guest
CWS.HiddenDll
« Reply #2 on: November 15, 2004, 08:49:27 AM »
Hi,
I did as you told me to. Here's what turned up. I appreciate that my computer knowledge is minimal. Thanks for your help.

Logfile of HijackThis v1.98.2
Scan saved at 13:55:39, on 15.11.2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\Programme\Java\j2re1.4.2_05\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\stjlefa.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\eMule.de\emule.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\MusicMatch\MusicMatch Jukebox\mmjb.exe
C:\Programme\MusicMatch\MusicMatch Jukebox\MMDiag.exe
C:\Programme\MusicMatch\MusicMatch Jukebox\mm_director.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MM_TDM~1.EXE
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\IDA\ida.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.spiegel.de/
O3 - Toolbar: IEMenuExtension toolbar - {6b95678d-30a4-4ff8-a72f-4208340c1f7f} - C:\Programme\IEMenuExtension\tbextn.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programme\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [JavaUpdate0.07] C:\WINDOWS\System32\stjlefa.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Download ALL with IDA - C:\Programme\IDA\idaieall.htm
O8 - Extra context menu item: Download with IDA - C:\Programme\IDA\idaie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - C:\Programme\IDA\ida.exe
O9 - Extra 'Tools' menuitem: &Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - C:\Programme\IDA\ida.exe
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1098355668218
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

Offline guestolo

CWS.HiddenDll
« Reply #3 on: November 15, 2004, 11:38:26 AM »
I see a couple of entries that need to be removed in your log, but unfortunately I'm not seeing everything.
Could you, from this point on, not use CWShredder to fix your home page problem?

I need to see the log in its complete infection.

Try this for now
Can you download DLLCompare

Start the program and click the Run Locate.com
Default settings should work---C:\Windows\System32 directory
Let it complete the SCAN, which won't take long

Click the Compare button to start the next process. This will take a bit longer.
The results appear in two panes - files in the upper pane have been verified to 'exist'.
Files in the lower pane were 'not able to be accessed'.
Very few files should be listed in the lower pane, if any, when the Compare scan is complete.
Click on each of the listed entries in the lower pane to select them. Right-click on the file and use the option Rescan. This will cause Windows Find to see if the file does exist, and if so it will be removed from the list to reduce the number of identified files.

Click the Make a Log of what was found button

Post this log
Also try restarting your computer and see if the hijacker returns, or set your clock
a couple of days in advance in the system tray and restart your computer
I'm trying to reveal what method we must use for this infection
Post back a fresh HijackThis log too, once you get hit again with about:blank

Again, try not to use CWShredder again, until we apply a fix



Felix

  • Guest
CWS.HiddenDll
« Reply #4 on: November 15, 2004, 09:04:41 PM »
Ok, I got infested again.
It didn't seem to be linked to either restarting or setting the clock back as you said. It just happens randomly, following no apparent rhythm.

Here's the log from HijackThis.


Logfile of HijackThis v1.98.2
Scan saved at 02:04:05, on 16.11.2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\Programme\Java\j2re1.4.2_05\bin\jusched.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\stjlefa.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Programme\eMule.de\emule.exe
C:\Programme\MusicMatch\MusicMatch Jukebox\mmjb.exe
C:\Programme\MusicMatch\MusicMatch Jukebox\MMDiag.exe
C:\Programme\MusicMatch\MusicMatch Jukebox\mm_director.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MM_TDM~1.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {1D4869AC-99D4-4872-86C2-FC9CF8514C5D} - C:\WINDOWS\System32\jjbc.dll
O3 - Toolbar: IEMenuExtension toolbar - {6b95678d-30a4-4ff8-a72f-4208340c1f7f} - C:\Programme\IEMenuExtension\tbextn.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programme\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [JavaUpdate0.07] C:\WINDOWS\System32\stjlefa.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Download ALL with IDA - C:\Programme\IDA\idaieall.htm
O8 - Extra context menu item: Download with IDA - C:\Programme\IDA\idaie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - C:\Programme\IDA\ida.exe
O9 - Extra 'Tools' menuitem: &Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - C:\Programme\IDA\ida.exe
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1098355668218
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O18 - Filter: text/html - {5B520122-A908-4070-90D6-F20B9AF575B9} - C:\WINDOWS\System32\jjbc.dll
O18 - Filter: text/plain - {5B520122-A908-4070-90D6-F20B9AF575B9} - C:\WINDOWS\System32\jjbc.dll


and the one from DllCompare...


*    DLLCompare Log version()
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\kbd.dll        Thu 21 Oct 2004  11:46:02   A...R         57.344    56,00 K
C:\WINDOWS\SYSTEM32\u2rl0gw.dll    Thu 21 Oct 2004  18:07:58   ..SHR        433.173   423,02 K
________________________________________________

1.146 items found:  1.146 files (1 H/S), 0 directories.
Total of file sizes:  214.671.193 bytes    204,72 M

Administrator Account =  True

--------------------End log---------------------


Do you know what's going on?
Cheers for the help. Appreciated!
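
The entries guestolo picks out of Felix's logs above (the about:blank and about:NavigationFailure values, a BHO with no name, a text/html MIME filter and a Run entry that launches an unrelated System32 binary, plus DLLCompare's list of files Windows would not open) can be triaged mechanically. The script below is an added example for this page, not code from HijackThis, CWShredder, DLLCompare or the forum; the scoring weights are the editor's own heuristics, and the sample inputs are constructed subsets of the log lines posted above.

```python
"""Triage the two log formats posted in this thread: a HijackThis v1.98 log and
a DLLCompare log.  Added example for this page; not code from HijackThis,
CWShredder, DLLCompare or the forum.  Scoring weights are the editor's own
heuristics, modelled on the entries guestolo picks out above."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a subset of the lines from the infected log posted above.
SAMPLE_HJT = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.spiegel.de/
O2 - BHO: (no name) - {1D4869AC-99D4-4872-86C2-FC9CF8514C5D} - C:\WINDOWS\System32\jjbc.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [JavaUpdate0.07] C:\WINDOWS\System32\stjlefa.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O18 - Filter: text/html - {5B520122-A908-4070-90D6-F20B9AF575B9} - C:\WINDOWS\System32\jjbc.dll
O18 - Filter: text/plain - {5B520122-A908-4070-90D6-F20B9AF575B9} - C:\WINDOWS\System32\jjbc.dll
"""
# Constructed sample: the two DLLCompare lines from the same post.
SAMPLE_DLLCOMPARE = r"""C:\WINDOWS\SYSTEM32\kbd.dll        Thu 21 Oct 2004  11:46:02   A...R         57.344    56,00 K
C:\WINDOWS\SYSTEM32\u2rl0gw.dll    Thu 21 Oct 2004  18:07:58   ..SHR        433.173   423,02 K
"""

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"HK\w+\\\.\.\\Run: \[(?P<name>[^\]]+)\]")
HIJACK_VALUES = {"about:blank", "about:navigationfailure"}  # values CWS writes
# DLLCompare row: <path> <day> <date> <time> <attrs> <bytes> <size>; attrs is a
# five-column field such as "A...R" or "..SHR" (S = system, H = hidden).
DLLCMP_RE = re.compile(r"^(?P<path>[A-Za-z]:\\\S+)\s+\w{3} \d{1,2} \w{3} \d{4}\s+[\d:]+\s+(?P<attrs>[A-Z.]{5})\s")


@dataclass
class Finding:
    line: str
    score: int
    reasons: List[str]


def extract_path(body: str) -> Optional[str]:
    """First drive-letter path in an entry; quoted paths may contain spaces."""
    m = re.search(r'"([A-Za-z]:\\[^"]+)"', body)
    if m:
        return m.group(1)
    m = re.search(r"[A-Za-z]:\\\S+?\.(?:dll|exe|ocx)\b", body, re.IGNORECASE)
    return m.group(0) if m else None


def parse_entries(log_text: str):
    """(section code, body, original line) for every R*/O* entry."""
    out = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            out.append((m.group("code"), m.group("body"), raw.strip()))
    return out


def triage(log_text: str) -> List[Finding]:
    entries = parse_entries(log_text)
    # A module registered from more than one section (BHO *and* MIME filter,
    # like jjbc.dll above) is the strongest single indicator in this log.
    sections_by_module = {}
    for code, body, _ in entries:
        p = extract_path(body)
        if p:
            sections_by_module.setdefault(p.lower(), set()).add(code)
    findings = []
    for code, body, line in entries:
        reasons, score, path, low = [], 0, extract_path(body), body.lower()
        if code in ("R0", "R1"):
            value = body.split("=", 1)[-1].strip().lower()
            if value in HIJACK_VALUES:
                reasons.append(f"IE start/search value reset to {value}")
                score += 2
        elif code == "O2" and "(no name)" in low:
            reasons.append("BHO registered without a name")
            score += 2
        elif code == "O18":
            m = re.search(r"filter: (text/(?:html|plain))", low)
            if m:  # a text/html filter sees every page IE renders
                reasons.append(f"MIME filter hooked on {m.group(1)}")
                score += 3
        elif code == "O4" and path and "\\system32\\" in path.lower():
            m = RUN_RE.match(body)
            stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
            if m and stem not in m.group("name").lower():
                reasons.append(f"Run entry '{m.group('name')}' starts unrelated System32 binary {stem}")
                score += 1  # weak rule: vendor utilities trip it too
        if path and len(sections_by_module.get(path.lower(), ())) > 1:
            reasons.append("same module in sections " + ", ".join(sorted(sections_by_module[path.lower()])))
            score += 2
        if reasons:
            findings.append(Finding(line, score, reasons))
    return sorted(findings, key=lambda f: -f.score)


def dllcompare_files(log_text: str):
    """[(path, attrs)] for every file DLLCompare listed as inaccessible."""
    return [(m.group("path"), m.group("attrs"))
            for m in map(DLLCMP_RE.match, log_text.splitlines()) if m]


def hidden_system_files(log_text: str) -> List[str]:
    """Files with both System and Hidden set: Explorer hides them until
    'Hide protected operating system files' is also unticked."""
    return [p for p, a in dllcompare_files(log_text) if "S" in a and "H" in a]


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT):
        print(f.score, f.line, "->", "; ".join(f.reasons))
    print("hidden+system:", hidden_system_files(SAMPLE_DLLCOMPARE))
```

Run against the sample, the two jjbc.dll filter entries sort to the top, followed by the nameless BHO that points at the same DLL, then the two reset IE values, then stjlefa.exe. The Run-name rule is deliberately weak (HP's hpztsb05.exe under the name "HPDJ Taskbar Utility" would trip it as well), so it only orders candidates for a look-up such as the Jotti scan used later in this thread. Note also that the attribute check would not have singled out kbd.dll, which carried only A and R but turned out to be the AppInit_DLLs file FxAgentB removed: the primary signal is that DLLCompare could not open the file at all; the S+H check only says which of those Explorer will hide.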

Offline guestolo

CWS.HiddenDll
« Reply #5 on: November 15, 2004, 10:11:28 PM »
Well, that identified a hidden installer

Download and save to desktop this Removal Tool developed by Symantec

Don't run it yet

Also
Download and Install the free version of Ad-Aware SE Personal 1.05
Ensure you have this version or later
If you don't have this version, uninstall yours and install this one
After installation-CHECK FOR UPDATES now!
Download all updates
Don't run a scan yet

Let's try some fixes
Double-click the FxAgentB removal tool by Symantec  to run it.
The program will scan your entire hard drive - this may take a while. When it is done, it will generate a log file called FxAgentB.log - save that information as you will need to paste it here later.
RESTART your computer when Done

==Double click to Run CWShredder, Let it FIX all problems
RESTART your computer again

==Open Ad-Aware, do a  Full System Scan with Ad-Aware
Remove All Critical objects by right clicking in the Criticals pane and selecting all objects--Click next
Exit out of Ad-Aware after fixing criticals
Restart your computer one more time to finish the cleaning process

Post back a fresh hijackthis log afterwards
Also post the FxAgentB.log
Could you also run another scan with DllCompare and post that log too



Felix

  • Guest
CWS.HiddenDll
« Reply #6 on: November 16, 2004, 09:29:18 AM »
Ok, did what you said.

Here's the HijackThis log:

Logfile of HijackThis v1.98.2
Scan saved at 14:28:39, on 16.11.2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\Programme\Java\j2re1.4.2_05\bin\jusched.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\stjlefa.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

O3 - Toolbar: IEMenuExtension toolbar - {6b95678d-30a4-4ff8-a72f-4208340c1f7f} - C:\Programme\IEMenuExtension\tbextn.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programme\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [JavaUpdate0.07] C:\WINDOWS\System32\stjlefa.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Download ALL with IDA - C:\Programme\IDA\idaieall.htm
O8 - Extra context menu item: Download with IDA - C:\Programme\IDA\idaie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - C:\Programme\IDA\ida.exe
O9 - Extra 'Tools' menuitem: &Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - C:\Programme\IDA\ida.exe
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1098355668218
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab


And here's the one from FxAgentB:

Symantec Backdoor.Agent.B Removal Tool 1.0.1.2

process: winlogon.exe, thread: 00000248 (terminated)
process: services.exe, thread: 0000029C (terminated)
process: lsass.exe, thread: 00000294 (terminated)
process: svchost.exe, thread: 0000034C (terminated)
process: svchost.exe, thread: 0000038C (terminated)
process: svchost.exe, thread: 0000045C (terminated)
process: svchost.exe, thread: 00000474 (terminated)
process: spoolsv.exe, thread: 000005B0 (terminated)
process: explorer.exe, thread: 000005F8 (terminated)
process: hpztsb05.exe, thread: 00000674 (terminated)
process: atiptaxx.exe, thread: 000006AC (terminated)
process: jusched.exe, thread: 00000770 (terminated)
process: realsched.exe, thread: 0000076C (terminated)
process: ctfmon.exe, thread: 00000778 (terminated)
process: msnmsgr.exe, thread: 0000073C (terminated)
process: stjlefa.exe, thread: 000007D0 (terminated)
process: ati2evxx.exe, thread: 000000CC (terminated)
process: tcpsvcs.exe, thread: 000001C0 (terminated)
process: IEXPLORE.EXE, thread: 000008F0 (terminated)
process: ida.exe, thread: 00000E6C (terminated)
process: FxAgentB.exe, thread: 00000950 (terminated)

registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows: AppInit_DLLs (value set to "")

C:\System Volume Information: (not scanned)
C:\WINDOWS\system32\kbd.dll: (will be deleted on next reboot)

The Backdoor.Agent.B removal was successful.
The system will delete 1 Backdoor.Agent.B files from your PC on next reboot.

Here is the report:

1 file(s) could not be deleted.
They will be deleted on next reboot.

The total number of the scanned files: 24480
The number of deleted files: 0
The number of viral processes terminated: 0
The number of viral threads terminated: 21

And finally the DllCompare log:

*    DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\u2rl0gw.dll    Thu 21 Oct 2004  18:07:58   ..SHR        433.173   423,02 K
________________________________________________

1.145 items found:  1.145 files (1 H/S), 0 directories.
Total of file sizes:  214.613.849 bytes    204,67 M

Administrator Account =  True

--------------------End log---------------------


Also, Ad-Aware found about 8 critical items for CoolWebSearch.... which I deleted.
Cheers.

Offline guestolo

CWS.HiddenDll
« Reply #7 on: November 16, 2004, 09:00:29 PM »
Hi again Felix, can you set Windows to show Hidden Files and Folders
* Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck the Hide Extensions for Known File Types
    * Click Yes to confirm.
    * Click OK.

Go to this site and do a free online file virus scan
http://virusscan.jotti.dhs.org/
Give it time to load

Use the Browse button to Navigate to this file
C:\WINDOWS\System32\stjlefa.exe <--file

Right click on it and Select it and use the Submit key to scan it
Copy and paste the results back here

Before you post back
Do another scan with Hijackthis and put a check next to this entry

O3 - Toolbar: IEMenuExtension toolbar - {6b95678d-30a4-4ff8-a72f-4208340c1f7f} - C:\Programme\IEMenuExtension\tbextn.dll

After you have ticked the above entry, close down all other windows, including this one
Leave Hijackthis open and click the FIX CHECKED
Yes to the prompt and exit Hijackthis

Restart your computer

Post back a fresh hijackthis log

Could you also download VX2 Finder
Double click to open it
"Click to Find VX2.Betterinternet"
next click the "Make log"
Post back that log here too, thanks



Felix

  • Guest
CWS.HiddenDll
« Reply #8 on: November 17, 2004, 05:57:59 AM »
Ok, here are the logs:

Log for VX2.BetterInternet File Finder (msg126)

Files Found---
 
Additional Files---
 
Keys Under Notify---
crypt32chain
cryptnet
cscdll
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
wlballoon


Guardian Key--- is called:

User Agent String---

------------------------------------------------------

File:  stjlefa.exe  
Status:  INFECTED/MALWARE  
Packers detected:  PE_PATCH.PECOMPACT, PECBUNDLE, PECOMPACT
   
AntiVir  No viruses found (0.15 seconds taken)
Avast  No viruses found (1.51 seconds taken)
BitDefender  No viruses found (0.55 seconds taken)
ClamAV  No viruses found (0.33 seconds taken)
Dr.Web  No viruses found (0.52 seconds taken)
F-Prot Antivirus  No viruses found (0.06 seconds taken)
Kaspersky Anti-Virus  Backdoor.Win32.Agent.ec (1.09 seconds taken)
mks_vir  Trojan.Agent.Ec (0.20 seconds taken)
NOD32  Win32/Agent.EC (0.36 seconds taken)
Norman Virus Control  W32/Agent.EH (0.12 seconds taken)

------------------------------------------------------

Logfile of HijackThis v1.98.2
Scan saved at 11:03:02, on 17.11.2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\Programme\Java\j2re1.4.2_05\bin\jusched.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\stjlefa.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.spiegel.de/
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programme\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [JavaUpdate0.07] C:\WINDOWS\System32\stjlefa.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Download ALL with IDA - C:\Programme\IDA\idaieall.htm
O8 - Extra context menu item: Download with IDA - C:\Programme\IDA\idaie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - C:\Programme\IDA\ida.exe
O9 - Extra 'Tools' menuitem: &Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - C:\Programme\IDA\ida.exe
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1098355668218
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

Cheers

Offline guestolo

CWS.HiddenDll
« Reply #9 on: November 17, 2004, 08:23:13 PM »
Let's try this Felix

Open Hijackthis>>>Config>>Misc Tools>>Open Process Manager
Left click to Highlight and then Kill this process

C:\WINDOWS\System32\stjlefa.exe

After you have killed that process, click the Back button in Hijackthis
>>Config>>Misc Tools>>Click the Delete File on Reboot button

Copy and paste the bolded text below into the File Name box

C:\WINDOWS\System32\stjlefa.exe

Click the OPEN button
Hijackthis will warn the file will be deleted and you must restart your computer
Don't restart yet

Instead, do another scan with Hijackthis and put a check next to these entries

O4 - HKCU\..\Run: [JavaUpdate0.07] C:\WINDOWS\System32\stjlefa.exe

After you have ticked the above entry, Close All other open Windows, including this one
Leave Hijackthis open and Click FIX CHECKED
Yes to the prompt and exit Hijackthis

Restart your computer
Post back a fresh Hijackthis log and let me know if you are still having problems

I strongly urge you to visit Windows updates and download the latest Critical(High Priority) updates
and Service Packs, Including updating IE to SP1
This will help to keep your system secure

Don't update to SP2 right now, you must ensure you are totally clean
and don't install Recommended updates unless you really want them

I believe that Microsoft recommends disabling any Download Accelerator before visiting
It will interfere with the install

We should also get some other Preventive tools on your computer to tighten up your security
I have some free downloads, but lets make sure your clean first



Felix

  • Guest
CWS.HiddenDll
« Reply #10 on: November 18, 2004, 02:52:37 PM »
Hi, thanks again for the help. The problem seems to be gone! Well done on that, coz I was beginning to go insane.

I'll post the HijackThis log anyway; who knows, maybe there is still something compromising my PC.

I also installed SP1 and the other critical security updates. I will not, however, install SP2 because for everyone I heard of who had installed it, it caused numerous problems, deinstalling random drivers that weren't Microsoft as well as disabling various programs (in one case even disabling proper startup of Windows itself).

If you have any good free programs to further enhance my security and detection I would be grateful if you'd let me know... can always do with that.
What is the best firewall freely available on the net? At the moment I'm running ZoneAlarm (freeware). What about antivirus software? Currently I don't have any.

Logfile of HijackThis v1.98.2
Scan saved at 19:55:05, on 18.11.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\Programme\Java\j2re1.4.2_05\bin\jusched.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\MSN Messenger\msnmsgr.exe
C:\Programme\MusicMatch\MusicMatch Jukebox\mmjb.exe
C:\Programme\MusicMatch\MusicMatch Jukebox\MMDiag.exe
C:\Programme\MusicMatch\MusicMatch Jukebox\mm_director.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MM_TDM~1.EXE
C:\Programme\Microsoft Office\Office\WINWORD.EXE
C:\Programme\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.spiegel.de/
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programme\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1098355668218
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

Cheers for the help so far.... appreciated.

Offline guestolo

CWS.HiddenDll
« Reply #11 on: November 18, 2004, 07:32:18 PM »
Good Work Felix, let's see about getting you those tools

But First, if everything is running better you may want to Clear your System Restore Points
Don't need to be restoring any Nasties to your computer
Simply Disable System Restore----Restart your computer---Enable System Restore
This will create a Fresh Restore point and clear all the old ones
http://vil.nai.com/vil/SystemHelpDocs/Disa...eSysRestore.htm

Next: I would go download these 2 free applications

SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html

IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial
Download link==Download link
Scroll down and click on IE-SPYAD.EXE Free!

With both, Check for updates every couple of weeks

Now for the Anti-Virus software
I use AVG on this machine and I use Avast on my other machine

Why don't you give AVG a try, the free version has just been updated
Includes a better scanning engine

Here's a link
http://free.grisoft.com/freeweb.php/doc/1/
Let that page load; it may take a while, as the new version is being installed by many
Once installed, make sure that you check for updates
Do a Full system scan on your computer
Let me know if it finds anything.....

Windows SP2 I figure right now is users choice
I chose to install it right away, without any problems
But I have a sequence of events I do before installing on any machines
Haven't had trouble so far.....

The free version of Zone Alarm is used and recommended by many. So you seem okay in that department
Personally, I use Sygate's free version on my machine

Stay Safe Felix, and get IE-Spyad and SpywareBlaster installed
Hold onto Ad-Aware and check for updates every couple of weeks and run a scan...

Let me know how you make out with the virus scanner, curious if it picks up anything....



Andreas S.

  • Guest
CWS.HiddenDll
« Reply #12 on: December 01, 2004, 04:19:37 AM »
Hi, this is the way I successfully removed CWS.HiddenDLL:
CWShredder and other programs can successfully recognize the threat and deal with the registry entries, but you'll have to remove the DLLs yourself.

The thing is that there are two DLLs. If you remove only one of them, the second one will reinstall the first one.
They're found in %Windows% (on WinNT or Win2000 it's C:\WINNT); their names are "dpe.dll" and "Copy of dpe.dll". I open them with Notepad, delete all the text (i.e., the program code), save them, and set them to "read only" (original size is 33k; now they should be 0 or 1k).

Then run CWShredder, AdAware, Giant AntiSpy or what have you to clean the registry.

Reset all the home pages of Internet Explorer from Internet Options (WITHOUT STARTING THE BROWSER!!), because some of the pages will immediately re-infect you.

Remove the Microsoft Java VM and install either the newest version from Microsoft, or install the one from SUN, so you can't be reinfected in the future.

Restart the computer and that's it.

Be careful never to open a browser, Messenger or other browser-based tools during the process!

nabla98-dmoz (at ) yahoo (DOT) com
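The two-file dependency Andreas describes is the part of his procedure worth doing carefully: while one copy is still intact it can restore the other, so both have to be emptied before either is locked. The Python below is an added example, not code from this thread, from CWShredder or from any other tool mentioned here. It uses the file names and the 33k size from the post above, automates the Notepad step (truncate to zero bytes, then mark read-only) for both copies in two passes, and takes a directory argument so it can be run against a constructed scratch folder rather than a live %Windows% directory; the scratch folder and its MZ-header filler are constructed for the example.

```python
"""Added example (not from the thread): neutralise CWS.HiddenDll's file pair.

Andreas's post says the hijacker keeps two copies in %Windows%, "dpe.dll"
and "Copy of dpe.dll", and that deleting only one lets the other reinstall
it. His fix is to empty each file in Notepad and mark it read-only. This
module automates that in two passes: every copy is emptied first, and only
then is any copy locked, so there is never an intact copy sitting beside an
already-neutralised one. The directory is a parameter so the routine can be
exercised on a constructed scratch folder rather than a live Windows folder.
"""
import os
import stat
import tempfile

# File names taken from the post above. The pairing is the point: both
# must be dealt with in one go.
CWS_PAIR = ("dpe.dll", "Copy of dpe.dll")

# Original size mentioned in the post (33k); used only by the fixture.
ORIGINAL_SIZE = 33 * 1024


def inspect_pair(directory, names=CWS_PAIR):
    """Map each expected file name to its size in bytes, or None if absent."""
    sizes = {}
    for name in names:
        path = os.path.join(directory, name)
        sizes[name] = os.path.getsize(path) if os.path.isfile(path) else None
    return sizes


def read_only_status(directory, names=CWS_PAIR):
    """Map each present file to True if its owner write bit is cleared.

    The mode bits are read from st_mode rather than os.access(), because
    os.access() reports "writable" for a privileged user regardless of mode.
    On Windows a cleared write bit corresponds to the read-only attribute.
    """
    status = {}
    for name in names:
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            mode = stat.S_IMODE(os.stat(path).st_mode)
            status[name] = not (mode & stat.S_IWUSR)
    return status


def neutralise_pair(directory, names=CWS_PAIR):
    """Empty every present copy, then lock them all; return resulting sizes.

    A copy may already be read-only from an earlier attempt, so the write
    bit is restored before truncation. Absent files are simply skipped.
    """
    present = [os.path.join(directory, n) for n in names
               if os.path.isfile(os.path.join(directory, n))]
    # Pass 1: truncate every copy to zero bytes, so no copy still holds code.
    for path in present:
        os.chmod(path, stat.S_IREAD | stat.S_IWRITE)
        with open(path, "wb"):
            pass  # opening with "wb" truncates the file
    # Pass 2: now that none of them can restore a twin, mark all read-only.
    for path in present:
        os.chmod(path, stat.S_IREAD)
    return {os.path.basename(p): os.path.getsize(p) for p in present}


def make_scratch_pair(populate=True):
    """Constructed fixture: a temp directory standing in for %Windows%.

    With populate=True it holds both files at the 33k size from the post,
    filled with an MZ header and zero padding rather than any real code.
    """
    directory = tempfile.mkdtemp(prefix="cws_pair_")
    if populate:
        for name in CWS_PAIR:
            with open(os.path.join(directory, name), "wb") as fh:
                fh.write(b"MZ" + b"\0" * (ORIGINAL_SIZE - 2))
    return directory


if __name__ == "__main__":
    scratch = make_scratch_pair()
    print("before:", inspect_pair(scratch))
    print("after: ", neutralise_pair(scratch))
    print("locked:", read_only_status(scratch))
```

Running it as a script exercises the scratch folder only; pointing `neutralise_pair` at a real directory is a deliberate choice the caller makes. The second pass is idempotent, so re-running it over files that were already emptied and locked is harmless.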

Dee

  • Guest
CWS.HiddenDll
« Reply #13 on: December 03, 2004, 07:39:41 PM »
Quote from: Andreas S. on Dec 1 2004, 03:19 AM
> Hi, this is the way I successfully removed CWS.HiddenDLL:
> CWShredder and other programs can successfully recognize the threat and deal with the registry entries, but you'll have to remove the DLLs yourself.
>
> The thing is that there are two DLLs. If you remove only one of them, the second one will reinstall the first one.
> They're found in %Windows% (on WinNT or Win2000 it's C:\WINNT); their names are "dpe.dll" and "Copy of dpe.dll". I open them with Notepad, delete all the text (i.e., the program code), save them, and set them to "read only" (original size is 33k; now they should be 0 or 1k).
>
> Then run CWShredder, AdAware, Giant AntiSpy or what have you to clean the registry.
>
> Reset all the home pages of Internet Explorer from Internet Options (WITHOUT STARTING THE BROWSER!!), because some of the pages will immediately re-infect you.
>
> Remove the Microsoft Java VM and install either the newest version from Microsoft, or install the one from SUN, so you can't be reinfected in the future.
>
> Restart the computer and that's it.
>
> Be careful never to open a browser, Messenger or other browser-based tools during the process!
>
> nabla98-dmoz (at ) yahoo (DOT) com

Hi, I've been having the same problem with CWS.HiddenDLL myself, just as Felix was. I've been fighting it for some time and have run CWShredder and other programs many times to get them removed. Then the dang about:blank keeps affecting my homepage on IE.

However, I'm not following what I should be doing to fix this problem. I see here that there are 2 ways to take care of it, yet I can't determine which might be easier. Even though I'm comfortable with the computer and feel I understand it OK, I have many questions when figuring out what you might be referring to.

As for the latter of the two solutions, here are my questions:

First, how do I get to the %Windows%?

Then I understand it from there, yet I'm not sure if I have ever set them to read only. I may be able to figure that out on my own.

Then I can run CWShredder just fine and so on.

However, I don't know what you mean when you say:
"Remove the Microsoft Java VM and install either the newest version of Microsoft, or install the one from SUN"

Any help with this would be greatly appreciated.

Thanks
-D

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
CWS.HiddenDll
« Reply #15 on: December 03, 2004, 07:55:19 PM »
It wouldn't hurt to post a HijackThis log; you can download it from the links in my first reply in this post.
I can suggest what you can try, if you don't want to
So be it.....
But like I said, it wouldn't hurt to have a look at your log



Offline Dee

  • Newbie
  • *
  • Posts: 26
  • Karma: +0/-0
CWS.HiddenDll
« Reply #16 on: December 03, 2004, 08:09:45 PM »
No I don't mind a bit -

I appreciate all the help I can get - Thanks

Here it is

Logfile of HijackThis v1.98.2
Scan saved at 7:19:27 PM, on 12/3/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\QUICKENW\QWDLLS.EXE
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: FlpLauncher Class - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - C:\Program Files\E-Book Systems\FlipAlbum 5 Pro\FpLaunch.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: ICOODownloadManager Class - {BA7270AE-5636-4618-BAF3-F86ADA39F036} - C:\Program Files\ICOO Loader\addons4\icoourl.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O2 - BHO: ICOOExternalHandler Class - {ED657BAF-1EE5-4A07-9D2E-6D0525EFC69B} - C:\Program Files\ICOO Loader\addons4\icoourlext.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [webscan] C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe -k
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [Remndr] "C:\Program Files\CasinoOnline\CsRemnd.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MSNSysRestore] C:\WINDOWS\System32\pc32.exe bg
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0837121A-6472-43BD-8A40-D9221FF1C4CE} - http://download.sidestep.com/get/k42033/sb028.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/activedat...ta/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - http://www.symantec.com/techsupp/activedat.../ActiveData.cab
O16 - DPF: {FAF76D4D-6525-443F-8C27-EA8898DDD745} - http://www.candid.com/ccsftp/default.cab

-Dee

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
CWS.HiddenDll
« Reply #17 on: December 03, 2004, 08:18:20 PM »
Good work, I see you have Spybot installed
It's a great program; is it the latest version, 1.3?
Do you also have the free version of Ad-Aware SE Personal 1.05?
If not you should download it; I can supply a link for it

But if you wouldn't mind, let's see if there's a hidden installer causing this

Can you download DLLCompare
It's a small download

Start the program and click the Run Locate.com button
Default settings should work---C:\Windows\System32 directory
Let it complete the SCAN, which won't take long

Click the Compare button to start the next process. This will take a bit longer.
The results appear in two panes - files in the upper pane have been verified to 'exist'.
Files in the lower pane were 'not able to be accessed'.
Very few files should be listed in the lower pane, if any, when the Compare scan is complete.
Click on each of the listed entries in the lower pane to select them. Right-click on the file and use the option Rescan. This will cause Windows Find to see if the file does exist, and if so it will be removed from the list to reduce the number of identified files.

Click the Make a Log of what was found button



Offline Dee

  • Newbie
  • *
  • Posts: 26
  • Karma: +0/-0
CWS.HiddenDll
« Reply #18 on: December 03, 2004, 08:24:40 PM »
One other thing that I've been needing to fix is how many programs start up when I boot my computer. I noticed from this log I just posted that they are listed as:

HKLM\..\Run

and

Global Startup

I don't want all of these programs running on my computer as I boot.

I've tried to go to:
Run

then type in: MSCONFIG.

Go to the startup tab and then deselect the ones that obviously shouldn't be running - yet that hasn't been successful.

Any suggestions -

-Dee
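Dee's two questions, which of the R0/R1 entries show the about: hijack and where the O4 startup entries come from, can both be answered by reading the HijackThis log format mechanically. The Python below is an added example, not part of this thread and not part of HijackThis; the sample lines are copied from the log Dee posted above, the regular expressions are my reading of the v1.98 line layout visible in that log, and the pass only sorts entries into things worth a closer look. It decides nothing about what is malicious.

```python
"""Added example (not from the thread, not part of HijackThis): triage a
HijackThis v1.98 log mechanically.

Three things the thread raises are answered from the log text alone:
  * which Internet Explorer R0/R1 settings point at an about: URL, the
    symptom the about:blank hijack leaves behind;
  * which entries reference a file HijackThis could not find, usually
    leftovers of removed software;
  * where each O4 startup entry comes from, which is what Dee's MSCONFIG
    question is really about.
The sample lines are copied from the log posted above.
"""
import re
from collections import defaultdict

# "R1 - HKCU\Software\...\Main,Search Bar = about:NavigationFailure"
R_ENTRY = re.compile(r"^R[01] - (?P<key>[^,]+),(?P<setting>[^=]+?) = (?P<value>.*)$")
# "O4 - HKLM\..\Run: [ccApp] "C:\...\ccApp.exe""
O4_RUN = re.compile(r"^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<command>.*)$")
# "O4 - Global Startup: Foo.lnk = C:\...\foo.exe"
O4_STARTUP = re.compile(r"^O4 - (?P<folder>Global Startup|Startup): (?P<name>.+?) = (?P<target>.*)$")
# Suffixes HijackThis appends when the referenced file is absent.
MISSING_SUFFIXES = ("(no file)", "(file missing)")

# Sample lines, copied from Dee's log above (a subset, for the example).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - (no file)
O16 - DPF: {FAF76D4D-6525-443F-8C27-EA8898DDD745} - http://www.candid.com/ccsftp/default.cab
"""
SAMPLE_LINES = SAMPLE_LOG.strip().splitlines()


def find_about_hijacks(lines):
    """Return (hive, setting, value) for R0/R1 entries pointing at an about: URL.

    about:blank can be a deliberately chosen home page, so a single hit means
    "check", not "infected"; several search settings all pointing at the same
    about: page is the pattern this thread is about.
    """
    hits = []
    for line in lines:
        m = R_ENTRY.match(line.strip())
        if m and m.group("value").lower().startswith("about:"):
            hive = m.group("key").split("\\")[0]
            hits.append((hive, m.group("setting").strip(), m.group("value")))
    return hits


def find_missing_targets(lines):
    """Return entries whose referenced file HijackThis reported as absent."""
    return [line.strip() for line in lines
            if line.strip().endswith(MISSING_SUFFIXES)]


def group_startup_entries(lines):
    """Group O4 entries by where they are launched from: a Run key or a Startup folder."""
    groups = defaultdict(list)
    for line in lines:
        line = line.strip()
        run = O4_RUN.match(line)
        if run:
            groups[run.group("hive") + r"\..\Run"].append(
                (run.group("name"), run.group("command")))
            continue
        folder = O4_STARTUP.match(line)
        if folder:
            groups[folder.group("folder")].append(
                (folder.group("name"), folder.group("target")))
    return dict(groups)


def triage(lines):
    """One-shot summary combining the three checks above."""
    return {
        "about_hijacks": find_about_hijacks(lines),
        "missing_targets": find_missing_targets(lines),
        "startup": group_startup_entries(lines),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LINES), indent=2))
```

On the sample above the pass reports three IE settings pointing at about:NavigationFailure, two entries whose file is missing, and the startup entries grouped under HKLM\..\Run, HKCU\..\Run and Global Startup; feeding it a whole saved log (`open(path).read().splitlines()`) gives the same breakdown for the full list.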

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
CWS.HiddenDll
« Reply #19 on: December 03, 2004, 08:27:58 PM »
We can get something on your computer to control those startup entries
I have Windows XP SP2 installed on this computer but I don't like using msconfig
I prefer to use a small third-party download called Codestuff's Starter
I can get you a link if you would like

But first you need to clean your log
You should post the log from DLLCompare

You also have a trojan and some other spyware on your computer besides the About:blank infection
