Author Topic: CWS problem :(  (Read 5456 times)

wtc

CWS problem :(
« on: November 26, 2004, 02:01:25 AM »
Hi,

I have a serious case of CWS infection. I've tried throwing everything at this except the kitchen sink and it still persists, happily respawning itself and sending me pop-ups.

Here's my latest HijackThis log:


Logfile of HijackThis v1.98.2
Scan saved at 06:57:41, on 26/11/2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\CDBurnerXP Pro 3\Tools\NMSAccess.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\MSI\Live Update 3\LMonitor.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Creative\MediaSource\GO\CTCMSGo.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\Profiler\lwemon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Temp\hijackthis\HijackThis.exe

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Creative MediaSource Go] C:\Program Files\Creative\MediaSource\GO\CTCMSGo.exe /SYS
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [Start WingMan Profiler] "C:\Program Files\Logitech\Profiler\lwemon.exe" /noui
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/...r/axscanner.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,20/mcgdmgr.cab


The O1's are just symptoms rather than the disease itself; removing them is useless, as they reappear almost instantly.

Here's an S+D log:


--- Search result list ---
IGetNet: Redirected host (Redirected host, nothing done)
Common hijacker: Redirected host (Redirected host, nothing done)
Common hijacker: Redirected host (Redirected host, nothing done)
CoolWWWSearch.Bootconf: Redirected host (Redirected host, nothing done)
CoolWWWSearch.Loadbat: Redirected host (Redirected host, nothing done)
CoolWWWSearch.Msconfd: Redirected host (Redirected host, nothing done)
CoolWWWSearch.Oslogo: Redirected host (Redirected host, nothing done)
CoolWWWSearch.Tapicfg: Redirected host (Redirected host, nothing done)
CoolWWWSearch.Xmlmimefilter: Redirected host (Redirected host, nothing done)

--- Spybot - Search && Destroy version: 1.3  ---
2004-08-11 Includes\Cookies.sbi
2004-11-17 Includes\Dialer.sbi
2004-11-17 Includes\Hijackers.sbi
2004-11-17 Includes\Keyloggers.sbi
2004-05-12 Includes\LSP.sbi
2004-11-17 Includes\Malware.sbi
2004-10-05 Includes\Revision.sbi
2004-10-25 Includes\Security.sbi
2004-11-17 Includes\Spybots.sbi
2004-10-21 Includes\Tracks.uti
2004-11-17 Includes\Trojans.sbi


--- System information ---
Windows XP (Build: 2600)
 / Internet Explorer 6 / SP0: Windows XP Hotfix - KB834707
 / Windows XP / SP1: Windows XP Hotfix (SP1) [See Q329048 for more information]
 / Windows XP / SP1: Windows XP Hotfix (SP1) Q329170
 / Windows XP / SP1: Windows XP Hotfix (SP1) [See Q329390 for more information]
 / Windows XP / SP1: Windows XP Hotfix (SP1) [See Q329441 for more information]
 / Windows XP / SP1: Windows XP Hotfix (SP1) [See Q329834 for more information]
 / Windows XP / SP1: Windows XP Hotfix (SP1) Q810577
 / Windows XP / SP1: Windows XP Hotfix (SP1) Q811630
 / Windows XP / SP1: Windows XP Hotfix (SP1) Q817606
 / Windows XP / SP2: Windows XP Hotfix - KB823559
 / Windows XP / SP2: Windows XP Hotfix - KB828741
 / Windows XP / SP2: Windows XP Hotfix - KB835732
 / Windows XP / SP2: Windows XP Hotfix - KB840987
 / Windows XP / SP2: Windows XP Hotfix - KB842773
 / Windows XP / SP2: Windows XP Hotfix - KB887822
 / Windows XP / SP2: Windows XP Hotfix (SP2) [See Q323255 for more information]
 / Windows XP / SP2: Windows XP Hotfix (SP2) [See Q329115 for more information]


--- Startup entries list ---
Located: HK_LM:Run, ASUS Probe
command: C:\Program Files\ASUS\Probe\AsusProb.exe
   file: C:\Program Files\ASUS\Probe\AsusProb.exe
   size: 617984
    MD5: b7e260f00988380f72ff06d2fe181d70

Located: HK_LM:Run, CTDVDDet
command: C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
   file: C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
   size: 45056
    MD5: 49530ea45ebd73e2c11c74dfebc30d57

Located: HK_LM:Run, CTHelper
command: CTHELPER.EXE
   file: C:\WINDOWS\system32\CTHELPER.EXE
   size: 28672
    MD5: 32a012de5b240436596e3e62622f6ba2

Located: HK_LM:Run, CTSysVol
command: C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
   file: C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
   size: 49152
    MD5: c88806e6c9ae0ad88d20e1bda995355a

Located: HK_LM:Run, LiveMonitor
command: C:\Program Files\MSI\Live Update 3\LMonitor.exe
   file: C:\Program Files\MSI\Live Update 3\LMonitor.exe
   size: 477696
    MD5: 54260d083de9d9fb3e8ae0eb38ce2127

Located: HK_LM:Run, Logitech Utility
command: Logi_MwX.Exe
   file: C:\WINDOWS\Logi_MwX.Exe
   size: 20992
    MD5: c921a733fa3f1e4c3505d436dbc5ea47

Located: HK_LM:Run, MCAgentExe
command: c:\PROGRA~1\mcafee.com\agent\mcagent.exe
   file: c:\PROGRA~1\mcafee.com\agent\mcagent.exe
   size: 245760
    MD5: 8b5a97e5c16db873092cf3d27b8145a6

Located: HK_LM:Run, MCUpdateExe
command: C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
   file: C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
   size: 184320
    MD5: 5c50f41e60a03146e029d5a408ebbc32

Located: HK_LM:Run, NvMediaCenter
command: RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
   file: C:\WINDOWS\system32\RUNDLL32.EXE
   size: 31744
    MD5: 0fb22dd37c17f80ad71316049f725170

Located: HK_LM:Run, nwiz
command: nwiz.exe /install
   file: C:\WINDOWS\system32\nwiz.exe
   size: 921600
    MD5: fbbecaa0be1dfe02e91ece580af3e0c8

Located: HK_LM:Run, SBDrvDet
command: C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r

Located: HK_LM:Run, VirusScan Online
command: "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
   file: c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
   size: 163840
    MD5: 3fe1e841ed8483f7a75a1e86f6fc2216

Located: HK_LM:Run, VSOCheckTask
command: "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
   file: c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe
   size: 122880
    MD5: 90cf41e5d4e8d3a88d8630da5c3b7a3a

Located: HK_LM:Run, Zone Labs Client
command: "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
   file: C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
   size: 902416
    MD5: 05bd6fe6f859912f4167b60485d7f55f

Located: HK_LM:Run, msnappau (DISABLED)
command: "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe"
   file: C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe
   size: 86016
    MD5: e377c992dfbb5837826ea311e436c66d

Located: HK_CU:Run, Creative MediaSource Go
command: C:\Program Files\Creative\MediaSource\GO\CTCMSGo.exe /SYS

Located: HK_CU:Run, LDM
command: C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
   file: C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
   size: 20480
    MD5: d9358ff053dd32ab226d8c08199deb1d

Located: HK_CU:Run, SpybotSD TeaTimer
command: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
   file: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
   size: 1038336
    MD5: 58f7e6434d285f4c98ad3621e0bd8c8d

Located: HK_CU:Run, SpySweeper
command: "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
   file: C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
   size: 3070976
    MD5: c807f4f5115a8c7d8f19b2096f8e4ad6

Located: HK_CU:Run, Start WingMan Profiler
command: "C:\Program Files\Logitech\Profiler\lwemon.exe" /noui
   file: C:\Program Files\Logitech\Profiler\lwemon.exe
   size: 77824
    MD5: 60781e0948c6d464cf5265de42a25b2f

Located: Startup (common), InterVideo WinCinema Manager.lnk
command: C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
   file: C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
   size: 122880
    MD5: e0aba04424938b9308f9be66a3510ef1

Located: Startup (common), Logitech Desktop Messenger.lnk
command: C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
   file: C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
   size: 450560
    MD5: 98e68d53a00cdff1a31673b2b8ef2d88



--- Browser helper object list ---


--- ActiveX list ---
{2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen)
          DPF name:
        CLSID name: PPSDKActiveXScanner.MainScreen
              Path: C:\WINDOWS\Downloaded Program Files\
         Long name: PPSDKActiveXScanner.ocx
        Short name:       PPSDKA~1.OCX
    Date (created): 09/11/2004 13:53:16
Date (last access): 26/11/2004 06:40:02
 Date (last write): 09/11/2004 13:53:16
          Filesize:             670320
        Attributes:           archive
               MD5: D3F092C4C6E08A63807AF5770D2F4828
             CRC32:           014698E1
           Version:            0.1.0.5

{4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class)
          DPF name:
        CLSID name: McAfee.com Operating System Class
              Path: C:\WINDOWS\System32\
         Long name:       mcinsctl.dll
        Short name:                  
    Date (created): 09/06/2004 18:24:10
Date (last access): 26/11/2004 05:29:42
 Date (last write): 09/06/2004 18:24:10
          Filesize:             341088
        Attributes:           archive
               MD5: 51C1F2F0034A18C9CB562F12CD392A30
             CRC32:           904D5FFB
           Version:            0.4.0.0

{74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control)
          DPF name:
        CLSID name: HouseCall Control
       description: Trend Micro Antivirus online scanner
    classification: Legitimate
    known filename: XSCAN53.OCX
         info link:
       info source: Patrick M. Kolla
              Path: C:\WINDOWS\DOWNLO~1\
         Long name:        xscan53.ocx
        Short name:                  
    Date (created): 24/03/2004 18:22:12
Date (last access): 26/11/2004 06:40:04
 Date (last write): 24/03/2004 18:22:12
          Filesize:             435712
        Attributes:           archive
               MD5: 99A67AEE9A6E3EFD2126AFA0840ECBED
             CRC32:           9198FA39
           Version:           0.5.0.70

{8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.2)
          DPF name: Java Runtime Environment 1.4.2
        CLSID name: Java Plug-in 1.4.2_05
       description: Sun Java
    classification: Legitimate
    known filename: %PROGRAM FILES%\JabaSoft\JRE\*\Bin\npjava131.dll
         info link:
       info source: Patrick M. Kolla
              Path: C:\Program Files\Java\j2re1.4.2_05\bin\
         Long name:    NPJPI142_05.dll
        Short name:       NPJPI1~1.DLL
    Date (created): 03/06/2068 22:05:12
Date (last access): 26/11/2004 06:37:08
 Date (last write): 03/06/2004 22:05:06
          Filesize:              65650
        Attributes:           archive
               MD5: 174488C8877FA852448D1937C322AABB
             CRC32:           62C2460D
           Version:            0.1.0.4

{9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class)
          DPF name:
        CLSID name: ActiveScan Installer Class
              Path: C:\WINDOWS\Downloaded Program Files\
         Long name:         asinst.dll
        Short name:                  
    Date (created): 23/11/2004 15:50:24
Date (last access): 26/11/2004 06:40:02
 Date (last write): 23/11/2004 15:50:24
          Filesize:             110592
        Attributes:           archive
               MD5: E75DAA2CCDD97DC288CEB2240813D465
             CRC32:           6410E05D
           Version:           0.55.0.8

{A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object)
          DPF name:
        CLSID name: CRAVOnline Object
              Path: C:\WINDOWS\Downloaded Program Files\
         Long name:      ravonline.dll
        Short name:       RAVONL~1.DLL
    Date (created): 04/09/2003 15:00:22
Date (last access): 26/11/2004 06:27:24
 Date (last write): 04/09/2003 15:00:22
          Filesize:             200704
        Attributes:           archive
               MD5: C8D24EB364FB71B810FAFB5222E55F1B
             CRC32:           81A19FC7
           Version:            0.1.0.1

{BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class)
          DPF name:
        CLSID name: DwnldGroupMgr Class
              Path: C:\WINDOWS\System32\
         Long name:        McGDMgr.dll
        Short name:                  
    Date (created): 14/06/2004 17:02:08
Date (last access): 26/11/2004 05:29:42
 Date (last write): 14/06/2004 17:02:08
          Filesize:             279640
        Attributes:           archive
               MD5: E8074DB73A77854CD588B08398BE4FC2
             CRC32:           C5AFD416
           Version:            0.1.0.0

{CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} (Java Runtime Environment 1.4.2)
          DPF name: Java Runtime Environment 1.4.2
        CLSID name: Java Plug-in 1.4.2_05
              Path: C:\Program Files\Java\j2re1.4.2_05\bin\
         Long name:    NPJPI142_05.dll
        Short name:       NPJPI1~1.DLL
    Date (created): 03/06/2068 22:05:12
Date (last access): 26/11/2004 06:37:08
 Date (last write): 03/06/2004 22:05:06
          Filesize:              65650
        Attributes:           archive
               MD5: 174488C8877FA852448D1937C322AABB
             CRC32:           62C2460D
           Version:            0.1.0.4

{D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object)
          DPF name:
        CLSID name: Shockwave Flash Object
       description: Macromedia Shockwave Flash Player
    classification: Legitimate
    known filename:
         info link:
       info source: Patrick M. Kolla
              Path: C:\WINDOWS\System32\macromed\flash\
         Long name:          Flash.ocx
        Short name:                  
    Date (created): 09/06/2004 14:59:26
Date (last access): 26/11/2004 06:32:14
 Date (last write): 09/06/2004 14:59:26
          Filesize:             939224
        Attributes:           archive
               MD5: FC3E17E12C2E31FAC34B416B3DAB829F
             CRC32:           D1CF3A57
           Version:            0.7.0.0



--- Process list ---
Spybot - Search && Destroy process list report, 26/11/2004 07:00:02

PID:    0 (   0) [System]
PID:    4 (   0) System
PID:  132 (1560) C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
PID:  240 (1560) C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
PID:  268 (1560) C:\Program Files\Creative\MediaSource\GO\CTCMSGo.exe
PID:  280 (1560) C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
PID:  304 (1560) C:\Program Files\Logitech\Profiler\lwemon.exe
PID:  400 (1560) C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
PID:  452 (1560) C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
PID:  516 (1560) C:\WINDOWS\System32\CTHELPER.EXE
PID:  524 (1560) C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
PID:  608 (1036) C:\WINDOWS\System32\CTsvcCDA.exe
PID:  636 ( 436) C:\Program Files\Logitech\MouseWare\system\em_exec.exe
PID:  664 (1036) c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
PID:  676 (1036) C:\Program Files\CDBurnerXP Pro 3\Tools\NMSAccess.exe
PID:  688 (1036) C:\WINDOWS\System32\nvsvc32.exe
PID:  760 (1036) wdfmgr.exe
PID:  836 (1036) C:\WINDOWS\system32\ZoneLabs\vsmon.exe
PID:  892 (   4) \SystemRoot\System32\smss.exe
PID:  944 (1560) C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
PID:  960 (1036) C:\WINDOWS\System32\MsPMSPSv.exe
PID:  968 ( 892) csrss.exe
PID:  992 ( 892) \??\C:\WINDOWS\system32\winlogon.exe
PID: 1036 ( 992) C:\WINDOWS\system32\services.exe
PID: 1048 ( 992) C:\WINDOWS\system32\lsass.exe
PID: 1184 (1560) C:\Program Files\ASUS\Probe\AsusProb.exe
PID: 1236 (1036) C:\WINDOWS\system32\svchost.exe
PID: 1312 (1560) C:\PROGRA~1\mcafee.com\agent\mcagent.exe
PID: 1352 (1560) C:\Program Files\MSI\Live Update 3\LMonitor.exe
PID: 1488 (1036) C:\WINDOWS\System32\svchost.exe
PID: 1552 (1560) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
PID: 1560 (1436) C:\WINDOWS\Explorer.EXE
PID: 1632 ( 944) c:\progra~1\mcafee.com\vso\mcvsescn.exe
PID: 1640 (1560) C:\WINDOWS\System32\RUNDLL32.EXE
PID: 1676 (1036) svchost.exe
PID: 1716 (1036) svchost.exe
PID: 1784 (1036) c:\PROGRA~1\mcafee.com\vso\mcshield.exe
PID: 1848 (1036) C:\WINDOWS\system32\spoolsv.exe
PID: 1984 (1560) C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PID: 2068 (1560) C:\Temp\hijackthis\HijackThis.exe
PID: 2180 (1560) C:\WINDOWS\system32\NOTEPAD.EXE
PID: 2508 (2068) C:\WINDOWS\system32\NOTEPAD.EXE
PID: 2924 ( 992) C:\WINDOWS\system32\rundll32.exe
PID: 3180 (1560) C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID: 3184 (1560) C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID: 4072 (1488) C:\WINDOWS\System32\wuauclt.exe


--- Browser start & search pages list ---
Spybot - Search && Destroy browser pages report, 26/11/2004 07:00:02

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
  C:\WINDOWS\System32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
  http://www.google.com
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
  http://www.google.com
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
  %SystemRoot%\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
  http://www.google.com
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
  http://www.google.com
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
  http://www.google.com
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
  http://www.google.com
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
  http://ie.search.msn.com/{SUB_RFC1766}/src...st/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
  http://ie.search.msn.com/{SUB_RFC1766}/src...st/srchcust.htm


--- Winsock Layered Service Provider list ---
Protocol  0: MSAFD Tcpip [TCP/IP]
        GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
 Description: Microsoft Windows NT/2k/XP IP protocol
 DB filename: %SystemRoot%\system32\mswsock.dll
 DB protocol: MSAFD Tcpip


Protocol  1: MSAFD Tcpip [UDP/IP]
        GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
 Description: Microsoft Windows NT/2k/XP IP protocol
 DB filename: %SystemRoot%\system32\mswsock.dll
 DB protocol: MSAFD Tcpip


Protocol  2: MSAFD Tcpip [RAW/IP]
        GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
 Description: Microsoft Windows NT/2k/XP IP protocol
 DB filename: %SystemRoot%\system32\mswsock.dll
 DB protocol: MSAFD Tcpip


Protocol  3: RSVP UDP Service Provider
        GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
    Filename: %SystemRoot%\system32\rsvpsp.dll
 Description: Microsoft Windows NT/2k/XP RVSP
 DB filename: %SystemRoot%\system32\rsvpsp.dll
 DB protocol: RSVP * Service Provider

Protocol  4: RSVP TCP Service Provider
        GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
    Filename: %SystemRoot%\system32\rsvpsp.dll
 Description: Microsoft Windows NT/2k/XP RVSP
 DB filename: %SystemRoot%\system32\rsvpsp.dll
 DB protocol: RSVP * Service Provider

Protocol  5: MSAFD NetBIOS [\Device\NetBT_Tcpip_{2FF1C7B6-D81E-49AF-9F6B-AC8621E063CB}] SEQPACKET 0
        GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
 Description: Microsoft Windows NT/2k/XP NetBios protocol
 DB filename: %SystemRoot%\system32\mswsock.dll
 DB protocol: MSAFD NetBIOS *

Protocol  6: MSAFD NetBIOS [\Device\NetBT_Tcpip_{2FF1C7B6-D81E-49AF-9F6B-AC8621E063CB}] DATAGRAM 0
        GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
 Description: Microsoft Windows NT/2k/XP NetBios protocol
 DB filename: %SystemRoot%\system32\mswsock.dll
 DB protocol: MSAFD NetBIOS *

Protocol  7: MSAFD NetBIOS [\Device\NetBT_Tcpip_{FE7C2936-6F0F-485A-910E-9102C0BB08A1}] SEQPACKET 4
        GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
 Description: Microsoft Windows NT/2k/XP NetBios protocol
 DB filename: %SystemRoot%\system32\mswsock.dll
 DB protocol: MSAFD NetBIOS *

Protocol  8: MSAFD NetBIOS [\Device\NetBT_Tcpip_{FE7C2936-6F0F-485A-910E-9102C0BB08A1}] DATAGRAM 4
        GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
 Description: Microsoft Windows NT/2k/XP NetBios protocol
 DB filename: %SystemRoot%\system32\mswsock.dll
 DB protocol: MSAFD NetBIOS *

Protocol  9: MSAFD NetBIOS [\Device\NetBT_Tcpip_{85416437-D8CD-49A2-A68F-9F00F0A77D8E}] SEQPACKET 2
        GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
 Description: Microsoft Windows NT/2k/XP NetBios protocol
 DB filename: %SystemRoot%\system32\mswsock.dll
 DB protocol: MSAFD NetBIOS *

Protocol 10: MSAFD NetBIOS [\Device\NetBT_Tcpip_{85416437-D8CD-49A2-A68F-9F00F0A77D8E}] DATAGRAM 2
        GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
 Description: Microsoft Windows NT/2k/XP NetBios protocol
 DB filename: %SystemRoot%\system32\mswsock.dll
 DB protocol: MSAFD NetBIOS *

Protocol 11: MSAFD NetBIOS [\Device\NetBT_Tcpip_{DA6FC6EF-32D8-418E-A635-68CA5DD2AB60}] SEQPACKET 3
        GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
 Description: Microsoft Windows NT/2k/XP NetBios protocol
 DB filename: %SystemRoot%\system32\mswsock.dll
 DB protocol: MSAFD NetBIOS *

Protocol 12: MSAFD NetBIOS [\Device\NetBT_Tcpip_{DA6FC6EF-32D8-418E-A635-68CA5DD2AB60}] DATAGRAM 3
        GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
 Description: Microsoft Windows NT/2k/XP NetBios protocol
 DB filename: %SystemRoot%\system32\mswsock.dll
 DB protocol: MSAFD NetBIOS *

Namespace Provider  0: Tcpip
        GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
    Filename: %SystemRoot%\System32\mswsock.dll
 Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
 DB filename: %SystemRoot%\system32\mswsock.dll
 DB protocol: TCP/IP

Namespace Provider  1: NTDS
        GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
    Filename: %SystemRoot%\System32\winrnr.dll
 Description: Microsoft Windows NT/2k/XP name space provider
 DB filename: %SystemRoot%\system32\winrnr.dll
 DB protocol: NTDS

Namespace Provider  2: Network Location Awareness (NLA) Namespace
        GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
    Filename: %SystemRoot%\System32\mswsock.dll
 Description: Microsoft Windows NT/2k/XP name space provider
 DB filename: %SystemRoot%\system32\mswsock.dll
 DB protocol: NLA-Namespace


Two cases of common hijacker, a case of IGetNet and a handful of CWS fellas. The only consolation seems to be that the common hijackers are the IGetNet and CWS things, but it's not much of one.

Instructing S+D to fix the problems will remove them but they will come back, usually on a reboot.

CWShredder just finds the CWS:bootconf and removes it... guess what? It comes right back.

I can't find the arch-villain of the piece, the puppet master pulling the strings, the thing that ensures all of the above persist and respawn themselves. I'm guessing it has to be a DLL or EXE that's run at start-up, but I can vouch for every single running process as being OK (I think), so where the hell is it? Can it be embedded into a valid DLL?

Something that might be nothing but could be something... On system start-up I've noticed something happening that I'm pretty sure never used to happen. I have my taskbar as a double layer in the standard XP blue theme (yeah, with the kiddie-like green start button... sue me :P). As the OS starts up this appears in blue as normal, but then briefly changes to the colour of the classic NT/2000 taskbar (the kinda beige colour). Like I say, this seems to be a new thing, but perhaps I just haven't noticed it before. Anyway, I figured this could be a trojan running as EXPLORER.EXE, but the only instance of this is running from C:\Windows, which I believe is normal :( Perhaps it's a run-once thing? If so, then I don't see it in the registry.

Please help me, I seem to have exhausted my whole arsenal... I don't know where to go next with this thing... it's driving me insane :( Thanks in advance.
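As an added example (my code, not anything from this thread, from HijackThis or from Spybot), here is a small Python triage helper that does two of the checks an analyst performs by hand on logs like the ones above: it flags O1 hosts entries that redirect a name to a remote address instead of loopback (the 69.20.16.183 lines), and it diffs the O3/O4 autostart entries of two scans so that entries which come and go between reboots stand out. The two log excerpts are constructed from lines posted in this thread, plus one made-up loopback entry to show the benign blocking case.

```python
"""Triage helpers for HijackThis-style logs (added example, standard library only)."""
import ipaddress
import re
from typing import Dict, List, Set, Tuple

# Constructed excerpt of the first log posted in the thread (26/11/2004).
LOG_A = """\
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\\WINDOWS\\System32\\msdxm.ocx
O4 - HKLM\\..\\Run: [nwiz] nwiz.exe /install
O4 - HKLM\\..\\Run: [Zone Labs Client] "C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"
"""

# Constructed excerpt of the second log (27/11/2004). The 127.0.0.1 line is
# made up: a loopback entry blocks a name and must NOT be flagged as a redirect.
LOG_B = """\
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 127.0.0.1 ad.example.invalid
O4 - HKLM\\..\\Run: [nwiz] nwiz.exe /install
O4 - HKLM\\..\\Run: [Zone Labs Client] "C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"
O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup
"""

ENTRY_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")      # "O4 - HKLM\..\Run: [...] ..."
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")   # "Hosts: <address> <hostname>"


def parse_entries(log: str) -> Dict[str, List[str]]:
    """Group the 'Oxx - ...' lines of a log by their section code (O1, O3, O4, ...)."""
    sections: Dict[str, List[str]] = {}
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            sections.setdefault(m.group(1), []).append(m.group(2))
    return sections


def is_local_address(addr: str) -> bool:
    """Loopback or unspecified: the only targets a hosts entry uses to block a name."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def hosts_redirects(log: str) -> Dict[str, List[str]]:
    """Map each remote address in the O1 section to the hostnames sent to it.

    A hosts entry pointing at loopback blocks a name; one pointing at a remote
    address silently redirects it, which is what a search hijacker wants.
    Grouping by address shows how many names a single destination controls.
    """
    targets: Dict[str, List[str]] = {}
    for body in parse_entries(log).get("O1", []):
        m = HOSTS_RE.match(body)
        if m and not is_local_address(m.group(1)):
            targets.setdefault(m.group(1), []).append(m.group(2))
    return targets


def diff_autostarts(old: str, new: str,
                    codes: Tuple[str, ...] = ("O3", "O4")) -> Dict[str, Set[str]]:
    """Autostart/toolbar entries present in only one of two scans."""
    old_set = {e for c in codes for e in parse_entries(old).get(c, [])}
    new_set = {e for c in codes for e in parse_entries(new).get(c, [])}
    return {"added": new_set - old_set, "removed": old_set - new_set}


if __name__ == "__main__":
    for addr, names in hosts_redirects(LOG_A).items():
        print(f"hosts redirect to {addr}: {', '.join(names)}")
    delta = diff_autostarts(LOG_A, LOG_B)
    for label in ("added", "removed"):
        for entry in sorted(delta[label]):
            print(f"{label}: {entry}")
```

Run it against two saved logs by reading each file into a string and passing the pair to the functions; any remote hosts target or any autostart entry that reappears after a reboot is where to look next.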

Offline guestolo

« Reply #1 on: November 26, 2004, 11:31:34 AM »
Just on my way out, so I'll be able to check your log in more detail later on :D

In the meantime, can you do a couple of things for me?
You're way behind on Windows updates.
You should visit Windows Update and install all the latest Critical updates (High Priority)
and Service Packs.

DON'T install Service Pack 2 at this time, or the recommended updates.
Just install SP1.
This will help to keep your system secure.

Could you also download VX2 Finder and save it to your desktop.
Double click to run it.
Click "Click to Find VX2.betterinternet".
Click the "Make log" button.

Post that log back here along with a fresh HijackThis log.
Don't post the Search result list or startup entries, just the basic log.
We may need that info later, though.



Guest

« Reply #2 on: November 27, 2004, 09:20:50 AM »
Hi,

Thanks in advance for helping with the problem, it's much appreciated.

On to business... I've installed a load of critical updates, so hopefully that's all up to date now.

Here's the VX2 log you asked for:


Log for VX2.BetterInternet File Finder (msg126)

Files Found---
 
Additional Files---
 
Keys Under Notify---
Applets
crypt32chain
cryptnet
cscdll
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
wlballoon


Guardian Key--- is called:

User Agent String---
{B95B0F84-74CB-49F0-BCB3-7E4E944AAD53}


And the new HijackThis log:


Logfile of HijackThis v1.98.2
Scan saved at 14:29:38, on 27/11/2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\CTsvcCDA.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\CDBurnerXP Pro 3\Tools\NMSAccess.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\MSI\Live Update 3\LMonitor.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Creative\MediaSource\GO\CTCMSGo.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\Profiler\lwemon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\VX2Finder(126).exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HijackThis.exe

O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Creative MediaSource Go] C:\Program Files\Creative\MediaSource\GO\CTCMSGo.exe /SYS
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [Start WingMan Profiler] "C:\Program Files\Logitech\Profiler\lwemon.exe" /noui
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/...r/axscanner.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,20/mcgdmgr.cab

guestolo
CWS problem :(
« Reply #3 on: November 27, 2004, 02:15:32 PM »
Let's try this
Spybot's TeaTimer is great protection, but may be getting in the way of any fixes
Open Spybot----Ensure you check for updates
After that is done

Click on
Advanced mode at the top
Click on TOOLS>>>Resident>>Uncheck Resident "Tea Timer"
Allow the change
Close Spybot
Restart your computer to ensure it's disabled

You may want to disable Spysweepers protection too

Do another scan with Hijackthis and put a check next to these entries

O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com


After you ticked the above entries close all other open windows, including this one
Leave Hijackthis open and FIX CHECKED
YES and exit Hijackthis

Next open Spybot and check for problems and fix everything in RED

Restart your computer

Post back with a fresh hijackthis log
Could you also download this version of
VX2 finder
Run the scan and post the log too,
I don't think we'll find anything, but let's make sure
We will have to get rid of the reg. string later however

Could you also open Hijackthis>>Config>>Misc Tools>>Open Hosts File Manager
Click the "Open in Notepad"
Copy and paste back the Hosts Notepad file too, thanks

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


wtc
CWS problem :(
« Reply #4 on: November 27, 2004, 03:31:00 PM »
Ok, done everything you asked for. When running the scans I also disabled all network traffic with my firewall.....dunno if this could help but I figure it can't do any harm (this is after searching for updates btw ;))

Anyway I ran the scans and the first thing to mention is about S+D. It finds a list of problems...namely the cws things, igotnet and common hijacker.....when I choose 'fix selected' it fixes the igotnet and hijacker ones but not the cws ones. So I click fix selected again and it fixes the first cws on the list but again not the rest, so I click again and the same happens. Then I came to the last 4 and it just couldn't fix them; even just selecting a single one at a time meant they couldn't be fixed. Those were:

msconfd
oslogo
tapicfg
xmlmimefilter

The second thing of note.....when I restarted I got a windows critical just after startup. The critical had the following info

Title - RUNDLL
Icon - Red 'X' fella
Message - An exception occured trying to run ""C:\Windows\system32\xcidcore.dll",UMonitor"

Never heard of this dll personally and have no idea where it's from; did a quick google and no results, although google came back with a "did you mean...." which was for a file called xvidcore.dll....I followed this and it appears to be a valid DivX dll which I have installed, I tried running it and it runs fine still.

Now that file looks highly dodgy to me, it has a creation date of 27/11/2004 at 20:14 (I'm GMT btw). What also strikes me as odd, as you will see from the hijack this log, is that I seem to have 3 rundll32 processes going and the critical error message's title was rundll32...do I need this many? Is that normal? Also notice one of the rundll32's is in uppercase and the other two aren't....suspect?

Anyway, on to the logs

VX2

Log for VX2.BetterInternet File Finder (ALL)

Files Found---
 
Additional Files---
 
Keys Under Notify---
crypt32chain
cryptnet
cscdll
Run-
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
wlballoon


Guardian Key--- is called:

Guardian Key--- :

User Agent String---
{B95B0F84-74CB-49F0-BCB3-7E4E944AAD53}


Hijack this

Logfile of HijackThis v1.98.2
Scan saved at 20:18:54, on 27/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\CTsvcCDA.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\CDBurnerXP Pro 3\Tools\NMSAccess.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\MSI\Live Update 3\LMonitor.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Creative\MediaSource\GO\CTCMSGo.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\Profiler\lwemon.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Temp\hijackthis\HijackThis.exe

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Creative MediaSource Go] C:\Program Files\Creative\MediaSource\GO\CTCMSGo.exe /SYS
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [Start WingMan Profiler] "C:\Program Files\Logitech\Profiler\lwemon.exe" /noui
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/...r/axscanner.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,20/mcgdmgr.cab


HOSTS

127.0.0.1  www.igetnet.com
127.0.0.1  code.ignphrases.com
127.0.0.1  clear-search.com
127.0.0.1  r1.clrsch.com
127.0.0.1  sds.clrsch.com
127.0.0.1  status.clrsch.com
127.0.0.1  www.clrsch.com
127.0.0.1  clr-sch.com
127.0.0.1  sds-qckads.com
127.0.0.1  status.qckads.com
69.20.16.183  auto.search.msn.com
69.20.16.183  search.netscape.com
69.20.16.183  ieautosearch


Looks like they are trying to muscle out any competition as well as hijack me ;)


Sorry if I've rambled on too much and given too much useless information :D

wtc
CWS problem :(
« Reply #5 on: November 27, 2004, 03:33:35 PM »
Oh forgot to say...

Should I delete this xcidcore.dll or not?

guestolo
CWS problem :(
« Reply #6 on: November 27, 2004, 04:08:37 PM »
A couple of the rundll's are related to your Nvidia card

I'm curious if you're getting a false alarm on a few items
What version of CWShredder are you running?

Open VX2 finder run another scan
On the right hand side click any of these buttons that are highlighted
Click 'Guardian.reg'.
Click 'User Agent'.
Click 'Restore Policy'


Can you reboot into Safe mode and open Hijackthis
You can restart into safe mode by tapping the F8 key on system startup
Open Hijackthis>>>Config>>Misc Tools>>Open Hosts file Manager
Left click and highlight each of these lines separately

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch


use the Delete line(s) button to remove those entries

We may have to replace your hosts file
Stay in safe mode--Open Spybot
In advanced mode---click on Tools
Hosts File>>>At the top click the "Remove Spybots Hosts list"

Run a scan with Spybot in Safe mode
Open CWShredder and let it FIX all problems
Ensure you have version 1.59.1 or later

Restart back into normal mode
Can you Download DLLCompare

Start the Program and click the Run Locate.com
Default settings should work---C:\Windows\System32 directory
Let it complete the SCAN, which won't take long

Click the Compare button to start the next process. This will take a bit longer.
The results appear in two panes - files in the upper pane have been verified to 'exist'.
Files in the lower pane were 'not able to be accessed'.
Very few files should be listed in the lower pane, if any, when the Compare scan is complete.
Click on each of the listed entries in the lower pane to select them. Right-click on the file and use the option Rescan. This will cause Windows Find to see if the file does exist, and then if so it will be removed from the list to reduce the number of identified files.

Click the Make a Log of what was found button

Post back this log with a fresh hijackthis log
could you also post another Hosts file manager log
« Last Edit: November 27, 2004, 04:15:20 PM by guestolo »



Guest
CWS problem :(
« Reply #7 on: November 27, 2004, 08:00:20 PM »
Ok, I ran the DX2 thing and ran all of the things you mentioned, no problems were encountered running any of this though I'm not 100% sure what it's done.

When I came to "Remove spybots host list" the option was greyed out, so instead I manually opened the HOSTS file and deleted everything from it. I also deleted a file called HOSTS.new that looked either suspect or surplus to requirements.

Scan with Spybot that came up all clear

I have been running V2 of CWShredder so I ran this but also ran the 1.59 version after as well, both came up all clear.

Ran the DLL compare, I got quite a few files in the bottom pane, but rescanning removed all from the list. I made a log before I rescanned and after

DLL Compare log 1

*    DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\aza00a~1.dll   Thu 25 Nov 2004  17:15:16   ..S.R        226,105   220.80 K
C:\WINDOWS\SYSTEM32\c2000c~1.dll   Sun 28 Nov 2004   0:29:20   ..S.R        223,076   217.85 K
C:\WINDOWS\SYSTEM32\dwtime.dll     Thu 25 Nov 2004  22:23:16   ..S.R        222,851   217.63 K
C:\WINDOWS\SYSTEM32\e0200a~1.dll   Thu 25 Nov 2004  15:07:54   ..S.R        226,125   220.82 K
C:\WINDOWS\SYSTEM32\f6l0lg~1.dll   Thu 25 Nov 2004   4:54:18   ..S.R        223,481   218.24 K
C:\WINDOWS\SYSTEM32\gp0ql3~1.dll   Fri 26 Nov 2004   8:07:36   ..S.R        225,530   220.24 K
C:\WINDOWS\SYSTEM32\insutil.dll    Sat 27 Nov 2004  20:03:14   ..S.R        223,076   217.85 K
C:\WINDOWS\SYSTEM32\ir24l5~1.dll   Fri 26 Nov 2004   1:33:22   ..S.R        222,920   217.70 K
C:\WINDOWS\SYSTEM32\jsmd400.dll    Thu 25 Nov 2004  20:07:22   ..S.R        226,105   220.80 K
C:\WINDOWS\SYSTEM32\kt48l7~1.dll   Sun 28 Nov 2004   0:53:30   ..S.R        223,131   217.90 K
C:\WINDOWS\SYSTEM32\l26o0c~1.dll   Thu 25 Nov 2004  14:56:20   ..S.R        222,389   217.18 K
C:\WINDOWS\SYSTEM32\lv2809~1.dll   Fri 26 Nov 2004   1:44:20   ..S.R        223,163   217.93 K
C:\WINDOWS\SYSTEM32\mjrd3x40.dll   Sun 28 Nov 2004   0:53:30   ..S.R        225,283   220.00 K
C:\WINDOWS\SYSTEM32\mlvbvm60.dll   Thu 25 Nov 2004   3:35:44   ..S.R        224,236   218.98 K
C:\WINDOWS\SYSTEM32\mrihnd.dll     Thu 25 Nov 2004   3:16:58   ..S.R        223,481   218.24 K
C:\WINDOWS\SYSTEM32\mv6ql9~1.dll   Sun 28 Nov 2004   0:33:06   ..S.R        225,283   220.00 K
C:\WINDOWS\SYSTEM32\mvvbvm60.dll   Sat 27 Nov 2004  14:17:46   ..S.R        223,468   218.23 K
C:\WINDOWS\SYSTEM32\mwlogmgr.dll   Sun 28 Nov 2004   0:30:06   ..S.R        225,283   220.00 K
C:\WINDOWS\SYSTEM32\owpdx32.dll    Fri 26 Nov 2004   1:24:46   ..S.R        226,105   220.80 K
C:\WINDOWS\SYSTEM32\r48s0e~1.dll   Fri 26 Nov 2004  16:46:36   ..S.R        223,985   218.73 K
C:\WINDOWS\SYSTEM32\r8p8li~1.dll   Fri 26 Nov 2004  16:48:56   ..S.R        225,079   219.80 K
C:\WINDOWS\SYSTEM32\rgr20.dll      Thu 25 Nov 2004  17:15:52   ..S.R        226,140   220.84 K
C:\WINDOWS\SYSTEM32\rigsvc.dll     Thu 25 Nov 2004   3:54:08   ..S.R        224,236   218.98 K
C:\WINDOWS\SYSTEM32\t88uli~1.dll   Fri 26 Nov 2004   1:24:46   ..S.R        223,202   217.97 K
C:\WINDOWS\SYSTEM32\ucrdtea.dll    Thu 25 Nov 2004   0:55:40   ..S.R        224,034   218.78 K
________________________________________________

1,289 items found:  1,289 files (25 H/S), 0 directories.
Total of file sizes:  264,208,871 bytes    251.97 M

Administrator Account =  True

--------------------End log---------------------


DLL Compare log 2

*    DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

O^E says: "There were no files found :)"
________________________________________________

1,289 items found:  1,289 files (25 H/S), 0 directories.
Total of file sizes:  264,208,871 bytes    251.97 M

Administrator Account =  True

--------------------End log---------------------


Fresh hijack this log

Logfile of HijackThis v1.98.2
Scan saved at 01:05:58, on 28/11/2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\CTsvcCDA.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\CDBurnerXP Pro 3\Tools\NMSAccess.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\ASUS\Probe\AsusProb.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\MSI\Live Update 3\LMonitor.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Creative\MediaSource\GO\CTCMSGo.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\Profiler\lwemon.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Temp\hijackthis\HijackThis.exe

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Creative MediaSource Go] C:\Program Files\Creative\MediaSource\GO\CTCMSGo.exe /SYS
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [Start WingMan Profiler] "C:\Program Files\Logitech\Profiler\lwemon.exe" /noui
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/...r/axscanner.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,20/mcgdmgr.cab


Fresh Host files manager

127.0.0.1  www.igetnet.com
127.0.0.1  code.ignphrases.com
127.0.0.1  clear-search.com
127.0.0.1  r1.clrsch.com
127.0.0.1  sds.clrsch.com
127.0.0.1  status.clrsch.com
127.0.0.1  www.clrsch.com
127.0.0.1  clr-sch.com
127.0.0.1  sds-qckads.com
127.0.0.1  status.qckads.com
69.20.16.183  auto.search.msn.com
69.20.16.183  search.netscape.com
69.20.16.183  ieautosearch


It's all mighty confusing :blink: I should tell you, before I came here for help I identified and removed a vbouncer and SD folder from my program files and all the related crap and registry entries these brought with them.

Is it possible I've ditched the virus but something, thinking it's doing me a favour, is restoring my HOSTS file every time I change it? Or perhaps the HOSTS file has just got screwed or something; it definitely seems S+D's list of problems is down to what's in the HOSTS file.
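The DLLCompare listing in the reply above is a compact record of what the tool reported, and it is worth seeing how a defender would triage it mechanically rather than by eye. The following is an added example and not part of the thread or of DLLCompare itself: a parser for that log's line format plus a triage rule built only on what the listing shows (system and read-only attributes on files Windows cannot see, 8.3-style short names, and sizes clustered within a couple of percent of each other). The six SYSTEM32 rows are copied from log 1 in this reply; the kernel32.dll row is a constructed control line, and the function names, the 2% tolerance and the "two or more signals" threshold are this example's own assumptions.

```python
"""Triage of a DLLCompare 'files Windows does not see' listing.

Added example. The SYSTEM32 rows below are copied from the log posted in the thread;
the kernel32.dll row is a constructed benign control entry.
"""
import re
from dataclasses import dataclass
from datetime import datetime

SAMPLE_LOG = r"""
C:\WINDOWS\SYSTEM32\aza00a~1.dll   Thu 25 Nov 2004  17:15:16   ..S.R        226,105   220.80 K
C:\WINDOWS\SYSTEM32\c2000c~1.dll   Sun 28 Nov 2004   0:29:20   ..S.R        223,076   217.85 K
C:\WINDOWS\SYSTEM32\dwtime.dll     Thu 25 Nov 2004  22:23:16   ..S.R        222,851   217.63 K
C:\WINDOWS\SYSTEM32\insutil.dll    Sat 27 Nov 2004  20:03:14   ..S.R        223,076   217.85 K
C:\WINDOWS\SYSTEM32\mlvbvm60.dll   Thu 25 Nov 2004   3:35:44   ..S.R        224,236   218.98 K
C:\WINDOWS\SYSTEM32\ucrdtea.dll    Thu 25 Nov 2004   0:55:40   ..S.R        224,034   218.78 K
C:\WINDOWS\SYSTEM32\kernel32.dll   Thu 29 Aug 2002   3:00:00   ....A        983,552   960.50 K
"""

# One log row: path, "Dow DD Mon YYYY", time, attribute flags, byte size, size in K.
LINE_RE = re.compile(
    r"^(?P<path>.+?\.[Dd][Ll][Ll])\s+"
    r"(?P<stamp>[A-Z][a-z]{2} \d{1,2} [A-Z][a-z]{2} \d{4}\s+\d{1,2}:\d{2}:\d{2})\s+"
    r"(?P<attr>[.A-Z]+)\s+"
    r"(?P<size>\d[\d,]*)\s+[\d.]+ K\s*$"
)

SIZE_TOLERANCE = 0.02  # assumed: the posted files all sit within about 1.5% of each other


@dataclass(frozen=True)
class DllEntry:
    path: str
    created: datetime
    attrs: str
    size: int

    @property
    def name(self):
        return self.path.rsplit("\\", 1)[-1].lower()


def parse_dllcompare(text):
    """Parse the row lines of a DLLCompare log; headers, separators and totals are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        stamp = " ".join(m["stamp"].split())  # collapse the padding before the time field
        entries.append(DllEntry(
            path=m["path"],
            created=datetime.strptime(stamp, "%a %d %b %Y %H:%M:%S"),
            attrs=m["attr"],
            size=int(m["size"].replace(",", "")),
        ))
    return entries


def triage(entries):
    """Return {name: [reasons]} for rows showing at least two of the signals visible in the log."""
    flagged = {}
    for e in entries:
        reasons = []
        if "S" in e.attrs and "R" in e.attrs:
            reasons.append("system+read-only attributes on a file Windows cannot see")
        if re.search(r"~\d+\.dll$", e.name):
            reasons.append("8.3-style short name (random-looking basename)")
        peers = [o for o in entries
                 if o is not e and abs(o.size - e.size) <= SIZE_TOLERANCE * e.size]
        if len(peers) >= 2:
            reasons.append(f"size within {SIZE_TOLERANCE:.0%} of {len(peers)} other listed files")
        if len(reasons) >= 2:
            flagged[e.name] = reasons
    return flagged


def creation_window(entries, flagged):
    """Earliest and latest timestamp among flagged rows: the span the drops were written in."""
    stamps = [e.created for e in entries if e.name in flagged]
    return (min(stamps), max(stamps)) if stamps else (None, None)


if __name__ == "__main__":
    rows = parse_dllcompare(SAMPLE_LOG)
    hits = triage(rows)
    for name, why in hits.items():
        print(name, "->", "; ".join(why))
    print("window:", creation_window(rows, hits))
```

The log's own caveat ("Not everything listed here means you are infected") is why the rule requires two independent signals rather than flagging on the hidden attribute alone; the control row is hidden from nothing, has a normal name and has no size peers, so it drops out.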

Guest
CWS problem :(
« Reply #8 on: November 27, 2004, 08:12:58 PM »
Quick update.....I just did a bit of experimenting and it seems every time a line is deleted from the HOSTS file, something immediately creates a time-stamped back-up of the HOSTS file and then replaces the removed lines back into the file.

The back-up file takes the format of:

hosts.20041128-011525.backup

Is there any way I can trace what process is accessing and making the modifications to this file?
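Two things in the thread lend themselves to a small worked example: the hosts file posted in Reply #4, which mixes 127.0.0.1 block-list entries with three lines pointing well-known search hostnames at 69.20.16.183, and the observation in Reply #8 that deleted lines come straight back. The code below is an added example, not part of the thread and not any of the tools named in it: it parses a hosts file, separates sinkhole entries (loopback or unspecified target, the kind of list Spybot's hosts feature adds) from redirects (a name pointed at a routable address), strips the redirects, and then diffs two snapshots of the file so that a re-run after a cleanup shows exactly which lines were written back. SAMPLE_HOSTS is copied from Reply #4; the function names are this example's own.

```python
"""Hosts-file triage: sinkholes versus redirects, plus snapshot diffing.

Added example. SAMPLE_HOSTS is the hosts file posted in the thread; all function
names are assumptions of this example, not of any tool mentioned there.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

SAMPLE_HOSTS = """\
127.0.0.1  www.igetnet.com
127.0.0.1  code.ignphrases.com
127.0.0.1  clear-search.com
127.0.0.1  r1.clrsch.com
127.0.0.1  sds.clrsch.com
127.0.0.1  status.clrsch.com
127.0.0.1  www.clrsch.com
127.0.0.1  clr-sch.com
127.0.0.1  sds-qckads.com
127.0.0.1  status.qckads.com
69.20.16.183  auto.search.msn.com
69.20.16.183  search.netscape.com
69.20.16.183  ieautosearch
"""


@dataclass(frozen=True)
class HostsEntry:
    ip: str
    hostname: str
    line_no: int


def parse_hosts(text):
    """Parse hosts-file text. '#' starts a comment; one address may carry several names."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue  # blank, comment-only, or an address with no name
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first token is not an address: ignore the malformed line
        for host in fields[1:]:
            entries.append(HostsEntry(fields[0], host.lower(), n))
    return entries


def classify(entry):
    """'sinkhole': loopback/unspecified target, the name is merely blocked.
    'redirect': the name is pointed at a routable address (the hijack pattern here)."""
    addr = ipaddress.ip_address(entry.ip)
    return "sinkhole" if addr.is_loopback or addr.is_unspecified else "redirect"


def find_redirects(text):
    return [e for e in parse_hosts(text) if classify(e) == "redirect"]


def summarize(text):
    """Counts per class plus the distinct redirect targets."""
    entries = parse_hosts(text)
    counts = Counter(classify(e) for e in entries)
    targets = sorted({e.ip for e in entries if classify(e) == "redirect"})
    return {"sinkhole": counts["sinkhole"], "redirect": counts["redirect"],
            "redirect_targets": targets}


def remove_redirects(text):
    """Hosts text with redirect lines dropped; comments and sinkhole lines are kept."""
    bad_lines = {e.line_no for e in find_redirects(text)}
    kept = [line for n, line in enumerate(text.splitlines(), 1) if n not in bad_lines]
    return "\n".join(kept) + "\n"


def diff_snapshots(before, after):
    """(re-added, removed) address/name pairs between two snapshots of the file.
    Run after a cleanup to see whether something is writing the lines back."""
    b = {(e.ip, e.hostname) for e in parse_hosts(before)}
    a = {(e.ip, e.hostname) for e in parse_hosts(after)}
    return sorted(a - b), sorted(b - a)


if __name__ == "__main__":
    print(summarize(SAMPLE_HOSTS))
    cleaned = remove_redirects(SAMPLE_HOSTS)
    # Simulate what Reply #8 reports: the file returns to its previous content.
    readded, _ = diff_snapshots(cleaned, SAMPLE_HOSTS)
    for ip, host in readded:
        print(f"re-added: {host} -> {ip}")
```

The split into sinkhole and redirect is the point: 127.0.0.1 lines for clrsch/igetnet domains are a block list and can stay, while any line that sends auto.search.msn.com or search.netscape.com to a routable address is the entry to remove. Keeping a snapshot of the cleaned file and diffing it a minute later turns "the lines came back" into a concrete list of what was re-added and when.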

guestolo
CWS problem :(
« Reply #9 on: November 27, 2004, 08:41:41 PM »
Let's try something--Did you remove Spybot's Host file entries if you had them enabled?
Do so if you added the Spybot host file list from the instructions I gave before
Download  The Hoster
Unzip it to a folder

Restart into safe mode

Navigate to this folder
C:\WINDOWS\SYSTEM32\DRIVERS\ETC
Open up the Host file with Notepad
See if you have any entries related to McAfee
If you do backup just the entries so you can add them later
If Not
Try and delete all instances of HOSTS file
Don't delete LMHosts or any other files
Just Hosts or hosts.20041128-011525.backup entries

Take the check out of READ ONLY in its properties if you have trouble deleting it

Stay in safe mode and have hijackthis fix these entries

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch


Fix checked and Restart back in Normal Mode

Open Hoster and click the "Restore original Hosts"

Post back a fresh hijackthis log afterwards

What version of CWShredder do you have?



Guest
CWS problem :(
« Reply #10 on: November 27, 2004, 09:25:38 PM »
Great, that seems to have done the trick :)

I couldn't remove or add Spybot's host file entries as the options for these were greyed out. I deleted all the files related to HOSTS in safe mode and then used Hoster to restore the default host file.

It seems to have stuck this time, the redirects haven't come back.....but as I opened up google to post this I got a popup from

http://adserver.sharewareonline.com/AdServ...dm/ad080504.htm

But this is the only one and the HOSTS file remains clean, for CWShredder I have v2.00 and v1.59.1

New hijack log, you may notice I got rid of all the unsigned activeX stuff as well, just to be on the safe side.



O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKCU\..\Run: [Creative MediaSource Go] C:\Program Files\Creative\MediaSource\GO\CTCMSGo.exe /SYS
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [Start WingMan Profiler] "C:\Program Files\Logitech\Profiler\lwemon.exe" /noui
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe


So that's looking good, just this one pop-up left. Thanks a bunch for all your help and patience, you are truly a legendary adware slayer :D

guestolo
CWS problem :(
« Reply #11 on: November 27, 2004, 10:16:56 PM »
Still not out of the woods yet, I'd bet that VX2 finder would find some files, not what I thought however>>>This is a new one


A couple more tools if you wouldn't mind

Download SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html
Doesn't run in the background
Just run this once and check for updates every couple of weeks

Download and Install the free version of Ad-Aware SE Personal 1.05
Ensure you have this version or later
If you don't have this version, uninstall yours and install this one
After installation-CHECK FOR UPDATES
Allow to download updates
Don't run this yet
Instead, could you also download Ad-Aware's VX2 Cleaner
Save it to desktop and double click on it to install it
We'll run this later

Next: Download and Install this small download
Windows CleanUp!
This will help to remove files in your Temp folders and such

Try to print out this next set of instructions or save them to a notepad file for easy access
I want you to disconnect from the Internet, close out All browser windows

Open Windows CleanUp! and Click the Cleanup button
Let it scan for files
When it's complete it will notify you that a couple folders could not be deleted and you must restart your computer
DON'T restart yet

Open Ad-Aware
Go to “Add-ons”
Select the VX2 Cleaner add-on and click “Run Tool”
If your computer isn’t infected, click “Close”
and proceed with the directions to run a scan with Ad-Aware


If your computer is infected

Select “Clean System”
Reboot your computer
====================================================
Scan your system with Ad-Aware

Open Ad-aware---Click the GEAR at the top
# Click on the General button on the left hand side.

   1. Make sure the following items under the Safety category have a green check in them. If they do not, click once on the circle next to them to put a checkmark in it.

         1. Automatically save logfile
         2. Automatically quarantine objects prior to removal
         3. Safe Mode (always request confirmation)


# Next click on the Advanced button on the left hand side.

   1. Make sure the following items under the Logfile Detail Level category have a green check in them. If they do not, click once on the circle next to them to put a checkmark in it.

         1. Include additional object information
         2. Include negligible objects information
         3. Include environment information
         4. Include Alternate data stream details in log file


# Next click on the Tweak button on the left hand side.

   1. Then click on the + (plus) sign next to the Log Files section. This will expand the section. Make sure the following items under the Logfile Detail Level category have a green check in them. If they do not, click once on the circle next to them to put a checkmark in it.

         1. Include basic Ad-Aware settings in logfile
         2. Include additional Ad-Aware settings in logfile


   2. Then click on the + (plus) sign next to the Scanning Engine section. This will expand the section. Make sure the following items under the Logfile Detail Level category have a green check in them. If they do not, click once on the circle next to them to put a checkmark in it.

         1. Unload recognized processes & modules during scan
         2. Scan registry for all users instead of current user only


   3. Then click on the + (plus) sign next to the Cleaning Engine section. This will expand the section. Make sure the following items under the Logfile Detail Level category have a green check in them. If they do not, click once on the circle next to them to put a checkmark in it.

         1. Always try to unload modules before deletion
         2. During removal, unload Explorer and IE if necessary
         3. Let Windows remove files in use at next reboot


Once these settings have been completed, you should click on the Proceed button

Make sure you change the scan mode to Perform full system scan. Then uncheck the Search for negligible risk entries.

Step 5: Start the Actual Scan

Now click on the Next button to have Ad-Aware SE start scanning your system. Ad-Aware SE will start scanning your system for Spyware and Hijackers

When it's finished scanning
click on the Show Logfile button and copy and paste this log to a Notepad file
START>>>Run>>Type in notepad and hit enter
Don't close Ad-Aware, instead click on the NEXT button to clean the entries
====================================================
RESTART your computer to finish the cleaning process

If I'm not mistaken you don't have a popup blocker installed
I highly recommend the Google Toolbar for IE
http://toolbar.google.com/
If you situate it properly you can place it beside the IE address bar and it won't take up much room at all

Post back with a fresh hijackthis log, could you also post the Ad-Aware log
Also open VX2 Finder
and click the Hosts log button
Post the hosts file back here, thanks
Let me know if Ad-Aware's VX2 Cleaner addon found anything
« Last Edit: December 08, 2004, 12:06:26 AM by guestolo »



Guest

  • Guest
CWS problem :(
« Reply #12 on: November 27, 2004, 11:10:48 PM »
OK, I did all of the above and you're right in saying we aren't out of the woods yet :( Since my last post I've received more pop-ups, like the one with the link I posted above and others advertising software to protect my computer (what a joke), including one for PrivacyDefender3. The other pop-ups have ceased though, so at least that's something.

Here's the log you requested

Hijack this


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\CDBurnerXP Pro 3\Tools\NMSAccess.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\MSI\Live Update 3\LMonitor.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Program Files\Creative\MediaSource\GO\CTCMSGo.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\Profiler\lwemon.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Temp\hijack this\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKCU\..\Run: [Creative MediaSource Go] C:\Program Files\Creative\MediaSource\GO\CTCMSGo.exe /SYS
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [Start WingMan Profiler] "C:\Program Files\Logitech\Profiler\lwemon.exe" /noui
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe


OH NO!!!! They're back :( Damn, thought we had that one beat :(

HOSTS log

# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a "#" symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
#
127.0.0.1 localhost
127.0.0.1  www.igetnet.com
127.0.0.1  code.ignphrases.com
127.0.0.1  clear-search.com
127.0.0.1  r1.clrsch.com
127.0.0.1  sds.clrsch.com
127.0.0.1  status.clrsch.com
127.0.0.1  www.clrsch.com
127.0.0.1  clr-sch.com
127.0.0.1  sds-qckads.com
127.0.0.1  status.qckads.com
69.20.16.183  auto.search.msn.com
69.20.16.183  search.netscape.com
69.20.16.183  ieautosearch


Ad-Aware

Ad-Aware SE Build 1.05
Logfile Created on:28 November 2004 03:46:00
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R20 25.11.2004
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
None
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Definition File:
=========================
Definitions File Loaded:
Reference Number : SE1R20 25.11.2004
Internal build : 25
File location : C:\Program Files\Lavasoft\Ad-Aware SE Personal\defs.ref
File size : 401144 Bytes
Total size : 1271832 Bytes
Signature data size : 1242561 Bytes
Reference data size : 28759 Bytes
Signatures total : 35327
Fingerprints total : 536
Fingerprints size : 20604 Bytes
Target categories : 15
Target families : 620


Memory + processor status:
==========================
Number of processors : 2
Processor architecture : Intel Pentium IV
Memory available:63 %
Total physical memory:1047276 kb
Available physical memory:656104 kb
Total page file size:2520952 kb
Available on page file:2289484 kb
Total virtual memory:2097024 kb
Available virtual memory:2048544 kb
OS:Microsoft Windows XP Professional  (Build 2600)

Ad-Aware SE Settings
===========================
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


28-11-2004 03:46:00 - Scan started. (Full System Scan)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
    FilePath           : \SystemRoot\System32\
    ProcessID          : 892
    ThreadCreationTime : 28-11-2004 02:20:48
    BasePriority       : Normal


#:2 [winlogon.exe]
    FilePath           : \??\C:\WINDOWS\system32\
    ProcessID          : 992
    ThreadCreationTime : 28-11-2004 02:20:51
    BasePriority       : High


#:3 [services.exe]
    FilePath           : C:\WINDOWS\system32\
    ProcessID          : 1036
    ThreadCreationTime : 28-11-2004 02:20:52
    BasePriority       : Normal
    FileVersion        : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion     : 5.1.2600.0
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Services and Controller app
    InternalName       : services.exe
    LegalCopyright     : © Microsoft Corporation. All rights reserved.
    OriginalFilename   : services.exe

#:4 [lsass.exe]
    FilePath           : C:\WINDOWS\system32\
    ProcessID          : 1048
    ThreadCreationTime : 28-11-2004 02:20:52
    BasePriority       : Normal
    FileVersion        : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion     : 5.1.2600.0
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : LSA Shell (Export Version)
    InternalName       : lsass.exe
    LegalCopyright     : © Microsoft Corporation. All rights reserved.
    OriginalFilename   : lsass.exe

#:5 [svchost.exe]
    FilePath           : C:\WINDOWS\system32\
    ProcessID          : 1240
    ThreadCreationTime : 28-11-2004 02:20:53
    BasePriority       : Normal
    FileVersion        : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion     : 5.1.2600.0
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Generic Host Process for Win32 Services
    InternalName       : svchost.exe
    LegalCopyright     : © Microsoft Corporation. All rights reserved.
    OriginalFilename   : svchost.exe

#:6 [svchost.exe]
    FilePath           : C:\WINDOWS\System32\
    ProcessID          : 1504
    ThreadCreationTime : 28-11-2004 02:20:53
    BasePriority       : Normal
    FileVersion        : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion     : 5.1.2600.0
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Generic Host Process for Win32 Services
    InternalName       : svchost.exe
    LegalCopyright     : © Microsoft Corporation. All rights reserved.
    OriginalFilename   : svchost.exe

#:7 [spoolsv.exe]
    FilePath           : C:\WINDOWS\system32\
    ProcessID          : 1944
    ThreadCreationTime : 28-11-2004 02:20:54
    BasePriority       : Normal
    FileVersion        : 5.1.2600.0 (XPClient.010817-1148)
    ProductVersion     : 5.1.2600.0
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Spooler SubSystem App
    InternalName       : spoolsv.exe
    LegalCopyright     : © Microsoft Corporation. All rights reserved.
    OriginalFilename   : spoolsv.exe

#:8 [ctsvccda.exe]
    FilePath           : C:\WINDOWS\System32\
    ProcessID          : 744
    ThreadCreationTime : 28-11-2004 02:21:07
    BasePriority       : Normal
    FileVersion        : 1.0.1.0
    ProductVersion     : 1.0.0.0
    ProductName        : Creative Service for CDROM Access
    CompanyName        : Creative Technology Ltd
    FileDescription    : Creative Service for CDROM Access
    InternalName       : CTsvcCDAEXE
    LegalCopyright     : Copyright © Creative Technology Ltd., 1999. All rights reserved.
    OriginalFilename   : CTsvcCDA.EXE

#:9 [mcvsrte.exe]
    FilePath           : c:\PROGRA~1\mcafee.com\vso\
    ProcessID          : 724
    ThreadCreationTime : 28-11-2004 02:21:07
    BasePriority       : Normal
    FileVersion        : 8, 0, 0, 12
    ProductVersion     : 8, 0, 0, 0
    ProductName        : McAfee VirusScan
    CompanyName        : Networks Associates Technology, Inc
    FileDescription    : McAfee VirusScan Real-time Engine
    InternalName       : mcvsrte
    LegalCopyright     : Copyright © 1998-2003 Networks Associates Technology, Inc
    OriginalFilename   : mcvsrte.exe
    Comments           : McAfee VirusScan Real-time Engine

#:10 [nmsaccess.exe]
    FilePath           : C:\Program Files\CDBurnerXP Pro 3\Tools\
    ProcessID          : 812
    ThreadCreationTime : 28-11-2004 02:21:07
    BasePriority       : Normal


#:11 [nvsvc32.exe]
    FilePath           : C:\WINDOWS\System32\
    ProcessID          : 824
    ThreadCreationTime : 28-11-2004 02:21:07
    BasePriority       : Normal
    FileVersion        : 6.14.10.6672
    ProductVersion     : 6.14.10.6672
    ProductName        : NVIDIA Driver Helper Service, Version 66.72
    CompanyName        : NVIDIA Corporation
    FileDescription    : NVIDIA Driver Helper Service, Version 66.72
    InternalName       : NVSVC
    LegalCopyright     : © NVIDIA Corporation. All rights reserved.
    OriginalFilename   : nvsvc32.exe

#:12 [vsmon.exe]
    FilePath           : C:\WINDOWS\system32\ZoneLabs\
    ProcessID          : 952
    ThreadCreationTime : 28-11-2004 02:21:08
    BasePriority       : Normal
    FileVersion        : 5.5.062.000
    ProductVersion     : 5.5.062.000
    ProductName        : TrueVector Service
    CompanyName        : Zone Labs Inc.
    FileDescription    : TrueVector Service
    InternalName       : vsmon
    LegalCopyright     : Copyright © 1998-2004, Zone Labs Inc.
    OriginalFilename   : vsmon.exe

#:13 [mspmspsv.exe]
    FilePath           : C:\WINDOWS\System32\
    ProcessID          : 1340
    ThreadCreationTime : 28-11-2004 02:21:12
    BasePriority       : Normal
    FileVersion        : 7.00.00.1954
    ProductVersion     : 7.00.00.1954
    ProductName        : Microsoft ® DRM
    CompanyName        : Microsoft Corporation
    FileDescription    : WMDM PMSP Service
    InternalName       : MSPMSPSV.EXE
    LegalCopyright     : Copyright © Microsoft Corp. 1981-2000
    OriginalFilename   : MSPMSPSV.EXE

#:14 [mcshield.exe]
    FilePath           : c:\PROGRA~1\mcafee.com\vso\
    ProcessID          : 1616
    ThreadCreationTime : 28-11-2004 02:21:16
    BasePriority       : High


#:15 [explorer.exe]
    FilePath           : C:\WINDOWS\
    ProcessID          : 436
    ThreadCreationTime : 28-11-2004 02:21:19
    BasePriority       : Normal
    FileVersion        : 6.00.2600.0000 (xpclient.010817-1148)
    ProductVersion     : 6.00.2600.0000
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Windows Explorer
    InternalName       : explorer
    LegalCopyright     : © Microsoft Corporation. All rights reserved.
    OriginalFilename   : EXPLORER.EXE

#:16 [ctsysvol.exe]
    FilePath           : C:\Program Files\Creative\SBAudigy2\Surround Mixer\
    ProcessID          : 688
    ThreadCreationTime : 28-11-2004 02:21:23
    BasePriority       : Normal
    FileVersion        : 1.1.3.0
    ProductVersion     : 1.0.0.0
    ProductName        : Creative Volume Control
    CompanyName        : Creative Technology Ltd
    FileDescription    : CTSysVol.exe
    LegalCopyright     : Copyright © Creative Technology Ltd., 2002. All rights reserved.
    OriginalFilename   : CTSysVol.exe

#:17 [cthelper.exe]
    FilePath           : C:\WINDOWS\System32\
    ProcessID          : 572
    ThreadCreationTime : 28-11-2004 02:21:23
    BasePriority       : Normal
    FileVersion        : 1, 0, 0, 16
    ProductVersion     : 1, 0, 0, 16
    ProductName        : CtHelper Application
    CompanyName        : Creative Technology Ltd
    FileDescription    : CtHelper MFC Application
    InternalName       : CtHelper
    LegalCopyright     : Copyright © 2002-03
    OriginalFilename   : CtHelper.EXE

#:18 [ctdvddet.exe]
    FilePath           : C:\Program Files\Creative\SBAudigy2\DVDAudio\
    ProcessID          : 716
    ThreadCreationTime : 28-11-2004 02:21:23
    BasePriority       : Normal
    FileVersion        : 1.0.2.0
    ProductVersion     : 1.0.2.0
    ProductName        : CTDVDDET
    CompanyName        : Creative Technology Ltd
    FileDescription    : CTDVDDET
    InternalName       : CTDVDDET
    LegalCopyright     : Copyright © Creative Technology Ltd., 2002. All rights reserved.
    OriginalFilename   : CTDVDDET.EXE

#:19 [asusprob.exe]
    FilePath           : C:\Program Files\ASUS\Probe\
    ProcessID          : 840
    ThreadCreationTime : 28-11-2004 02:21:23
    BasePriority       : Normal


#:20 [em_exec.exe]
    FilePath           : C:\Program Files\Logitech\MouseWare\system\
    ProcessID          : 1312
    ThreadCreationTime : 28-11-2004 02:21:24
    BasePriority       : Normal
    FileVersion        : 9.80.019
    ProductVersion     : 9.80.019
    ProductName        : MouseWare
    CompanyName        : Logitech Inc.
    FileDescription    : Logitech Events Handler Application
    InternalName       : Em_Exec
    LegalCopyright     : © 1987-2004 Logitech. All rights reserved.
    LegalTrademarks    : Logitech® and MouseWare® are registered trademarks of Logitech Inc.
    OriginalFilename   : Em_Exec.exe
    Comments           : Created by the MouseWare team

#:21 [mcvsshld.exe]
    FilePath           : C:\PROGRA~1\mcafee.com\vso\
    ProcessID          : 1464
    ThreadCreationTime : 28-11-2004 02:21:24
    BasePriority       : Normal
    FileVersion        : 8, 0, 0, 15
    ProductVersion     : 8, 0, 0, 0
    ProductName        : McAfee VirusScan
    CompanyName        : Networks Associates Technology, Inc
    FileDescription    : McAfee VirusScan ActiveShield Resource
    InternalName       : msvcshld
    LegalCopyright     : Copyright © 1998-2003 Networks Associates Technology, Inc
    OriginalFilename   : mcvsshld.exe
    Comments           : McAfee VirusScan ActiveShield Resource

#:22 [mcvsescn.exe]
    FilePath           : c:\progra~1\mcafee.com\vso\
    ProcessID          : 1728
    ThreadCreationTime : 28-11-2004 02:21:25
    BasePriority       : Normal
    FileVersion        : 8, 0, 0, 30
    ProductVersion     : 8, 0, 0, 0
    ProductName        : McAfee VirusScan
    CompanyName        : Networks Associates Technology, Inc
    FileDescription    : McAfee VirusScan E-mail Scan Module
    InternalName       : mcvsescn
    LegalCopyright     : Copyright © 1998-2003 Networks Associates Technology, Inc
    OriginalFilename   : mcvsescn.EXE
    Comments           : McAfee VirusScan E-mail Scan Module

#:23 [lmonitor.exe]
    FilePath           : C:\Program Files\MSI\Live Update 3\
    ProcessID          : 384
    ThreadCreationTime : 28-11-2004 02:21:25
    BasePriority       : Normal
    FileVersion        : 1, 0, 0, 3
    ProductVersion     : 1, 0, 0, 3
    ProductName        : UpdateMonitor Application
    FileDescription    : UpdateMonitor MFC Application
    InternalName       : UpdateMonitor
    LegalCopyright     : Copyright © 2001
    OriginalFilename   : UpdateMonitor.EXE

#:24 [zlclient.exe]
    FilePath           : C:\Program Files\Zone Labs\ZoneAlarm\
    ProcessID          : 672
    ThreadCreationTime : 28-11-2004 02:21:27
    BasePriority       : Normal
    FileVersion        : 5.5.062.000
    ProductVersion     : 5.5.062.000
    ProductName        : Zone Labs Client
    CompanyName        : Zone Labs Inc.
    FileDescription    : Zone Labs Client
    InternalName       : zlclient
    LegalCopyright     : Copyright © 1998-2004, Zone Labs Inc.
    OriginalFilename   : zlclient.exe

#:25 [winpatrol.exe]
    FilePath           : C:\PROGRA~1\BILLPS~1\WINPAT~1\
    ProcessID          : 884
    ThreadCreationTime : 28-11-2004 02:21:28
    BasePriority       : Normal
    FileVersion        : 8, 1, 1, 0
    ProductVersion     : 8.1.1.0
    ProductName        :  WinPatrol Monitor
    CompanyName        : BillP Studios
    FileDescription    : WinPatrol System Monitor
    InternalName       : WinPatrol Monitor
    LegalCopyright     : Copyright © 1997- 2004 BillP Studios
    OriginalFilename   : Scotty
    Comments           : Let Scotty the Windows Watchdog patrol your system.

#:26 [ctcmsgo.exe]
    FilePath           : C:\Program Files\Creative\MediaSource\GO\
    ProcessID          : 920
    ThreadCreationTime : 28-11-2004 02:21:28
    BasePriority       : Normal
    FileVersion        : 1.0.27.0
    ProductVersion     : 1.0.27.0
    ProductName        : Creative MediaSource Go!
    CompanyName        : Creative Technology Ltd
    FileDescription    : Creative MediaSource Go!
    InternalName       : Creative MediaSource Go!
    LegalCopyright     : Copyright © Creative Technology Ltd., 2002. All rights reserved.
    OriginalFilename   : CTCMSGo.exe

#:27 [logitechdesktopmessenger.exe]
    FilePath           : C:\Program Files\Logitech\Desktop Messenger\8876480\Program\
    ProcessID          : 1136
    ThreadCreationTime : 28-11-2004 02:21:28
    BasePriority       : Normal
    FileVersion        : 2.0.12.0
    ProductVersion     : 2.0.12.0
    ProductName        : Logitech Desktop Messenger
    CompanyName        : Logitech
    FileDescription    : Logitech Desktop Messenger
    InternalName       : Logitech BackWeb Runner
    LegalCopyright     : Copyright © Logitech 2000-2004. All rights reserved
    OriginalFilename   : backweb-8876480.exe
    Comments           : www.logitech.com/ldm

#:28 [lwemon.exe]
    FilePath           : C:\Program Files\Logitech\Profiler\
    ProcessID          : 396
    ThreadCreationTime : 28-11-2004 02:21:28
    BasePriority       : Normal
    FileVersion        : 4.40.143
    ProductVersion     : 4.40.143
    ProductName        : Logitech WingMan Software
    CompanyName        : Logitech Inc.
    FileDescription    : Logitech WingMan Event Monitor
    InternalName       : LWEMon
    LegalCopyright     : © 2000 Logitech.  All rights reserved.
    LegalTrademarks    : Logitech, the Logitech logo, and other Logitech marks are owned by Logitech and may be registered.  All other trademarks are the property of their respective owners.
    OriginalFilename   : LWEMon.exe
    Comments           : Created by the WingMan Team.

#:29 [wincinemamgr.exe]
    FilePath           : C:\Program Files\InterVideo\Common\Bin\
    ProcessID          : 1672
    ThreadCreationTime : 28-11-2004 02:21:32
    BasePriority       : Normal
    FileVersion        : 1.0
    ProductVersion     : 1, 0, 0, 1
    ProductName        : WinCinema Manager for InterVideo WinCinema products
    FileDescription    : WinCinema Manager
    InternalName       : WinCinema Manager
    LegalCopyright     : Copyright © 2000 InterVideo Inc.
    OriginalFilename   : WinCinemaMgr.EXE

#:30 [rundll32.exe]
    FilePath           : C:\WINDOWS\system32\
    ProcessID          : 3200
    ThreadCreationTime : 28-11-2004 03:16:55
    BasePriority       : Normal
    FileVersion        : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion     : 5.1.2600.0
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Run a DLL as an App
    InternalName       : rundll
    LegalCopyright     : © Microsoft Corporation. All rights reserved.
    OriginalFilename   : RUNDLL.EXE

#:31 [notepad.exe]
    FilePath           : C:\WINDOWS\system32\
    ProcessID          : 2836
    ThreadCreationTime : 28-11-2004 03:39:42
    BasePriority       : Normal
    FileVersion        : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion     : 5.1.2600.0
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Notepad
    InternalName       : Notepad
    LegalCopyright     : © Microsoft Corporation. All rights reserved.
    OriginalFilename   : NOTEPAD.EXE

#:32 [cleanup.exe]
    FilePath           : C:\Program Files\CleanUp!\
    ProcessID          : 3008
    ThreadCreationTime : 28-11-2004 03:40:41
    BasePriority       : Normal
    FileVersion        : 3.1.2
    ProductVersion     : 3.1.2
    ProductName        : Windows CleanUp!
    CompanyName        : Steven R. Gould
    FileDescription    : Removes temporary files. Frees disk space and helps protect privacy!  :-)
    InternalName       : CleanUp!
    LegalCopyright     : Copyright 1998-2003 Steven R. Gould
    OriginalFilename   : cleanup.exe
    Comments           : For updates visit http://cleanup.stevengould.org/

#:33 [ad-aware.exe]
    FilePath           : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
    ProcessID          : 3732
    ThreadCreationTime : 28-11-2004 03:45:10
    BasePriority       : Normal
    FileVersion        : 6.2.0.206
    ProductVersion     : VI.Second Edition
    ProductName        : Lavasoft Ad-Aware SE
    CompanyName        : Lavasoft Sweden
    FileDescription    : Ad-Aware SE Core application
    InternalName       : Ad-Aware.exe
    LegalCopyright     : Copyright © Lavasoft Sweden
    OriginalFilename   : Ad-Aware.exe
    Comments           : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Deep scanning and examining files (E:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for E:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 0


03:51:43 Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:05:43.500
Objects scanned:100874
Objects identified:0
Objects ignored:0
New critical objects:0


While I was waiting for you to post I ran a few experiments as well. Still suspicious of the rundll32s, I opened up ZoneAlarm and went to the Programs section. From here I unchecked the rundll32 entry so it didn't have access to the network... guess what happened? I started going to random websites to try and initiate a pop-up and before long one appeared, but no advertisement... instead a "Page not found" with the following URL in the address bar: http://69.20.62.53/dns.php?url=www.efc.ca <_<

I repeated the test using other sites and the same thing happened again. I then restored the rundll32 process to have access to the net as a trusted program and ran the test again... bingo... a pop-up which took me to the following site

http://www.redzip.com/index.php?tpid=10208...77f5eb848607cf1

What do you make of this?
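
The hosts file posted above, run through an added audit script (not code from the thread, nor from HijackThis, Ad-Aware or VX2 Finder). It separates loopback "sinkhole" entries, which can only block a name, from entries that point a name at a real address, and flags the three names the O1 lines show redirected to 69.20.16.183. SEARCH_NAMES is an assumption taken from those O1 lines; HOSTS_SAMPLE is the poster's hosts file with the Microsoft header comments trimmed. Ad-Aware's log reports "1 entries scanned" for the same file, so counting the mappings independently is worthwhile.

```python
"""Audit a Windows hosts file for search-hijack redirections.

Added example; not code from the thread or from any tool named in it.
HOSTS_SAMPLE is the poster's hosts file with the Microsoft header comments
trimmed. SEARCH_NAMES is an assumption: the three names the thread's O1
lines show pointed at 69.20.16.183.
"""
import ipaddress
import re

# Addresses that only sink a name (blocklist style); they cannot redirect it.
SINKHOLE = {"127.0.0.1", "0.0.0.0", "::1"}

# Names an address-bar search hijacker repoints (assumed, from the thread).
SEARCH_NAMES = {"auto.search.msn.com", "search.netscape.com", "ieautosearch"}

HOSTS_SAMPLE = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# 102.54.94.97 rhino.acme.com # source server
127.0.0.1 localhost
127.0.0.1  www.igetnet.com
127.0.0.1  code.ignphrases.com
127.0.0.1  r1.clrsch.com
69.20.16.183  auto.search.msn.com
69.20.16.183  search.netscape.com
69.20.16.183  ieautosearch
"""


def parse_hosts(text):
    """Return (ip, name, line_no) for every mapping in a hosts file.

    Comments after '#' are dropped, one line may map several names, and a
    line whose first token is not an IP address is skipped as malformed.
    """
    entries = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = re.split(r"\s+", line)
        try:
            ip = str(ipaddress.ip_address(tokens[0]))
        except ValueError:
            continue
        for name in tokens[1:]:
            entries.append((ip, name.lower(), no))
    return entries


def audit_hosts(text):
    """Classify each mapping except the stock 'localhost' line.

    sinkhole: name sent to a loopback/unspecified address (blocks it)
    hijack:   a search name sent to a real address (the CWS pattern)
    redirect: any other name sent to a real address (needs a look)
    """
    findings = []
    for ip, name, no in parse_hosts(text):
        if name == "localhost" and ipaddress.ip_address(ip).is_loopback:
            continue
        if ip in SINKHOLE:
            verdict = "sinkhole"
        elif name in SEARCH_NAMES:
            verdict = "hijack"
        else:
            verdict = "redirect"
        findings.append({"line": no, "ip": ip, "name": name, "verdict": verdict})
    return findings


def hijacked_names(text):
    """Search names that have been given a real address."""
    return sorted(f["name"] for f in audit_hosts(text) if f["verdict"] == "hijack")


def redirect_targets(text):
    """Distinct addresses names were redirected to; candidates for a firewall block."""
    return sorted({f["ip"] for f in audit_hosts(text) if f["verdict"] != "sinkhole"})


if __name__ == "__main__":
    for f in audit_hosts(HOSTS_SAMPLE):
        print(f"line {f['line']:>2}  {f['verdict']:<8}  {f['ip']:<14} {f['name']}")
```

On the posted file this reports three sinkhole entries, three hijack entries and a single redirect target, 69.20.16.183. A loopback entry is harmless on its own (that is exactly how hosts-based blocklists work), so the thing to act on is any line whose address is not loopback, and in particular one that captures a name the browser resolves on its own.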

Guest

  • Guest
CWS problem :(
« Reply #13 on: November 27, 2004, 11:24:39 PM »
Also, since the tests where we managed to remove those entries from the HOSTS file, ZoneAlarm has detected two attacks on my machine. Here's a log....


FWIN,2004/11/28,02:23:12 +0:00 GMT,68.44.48.242:1219,xx.xx.xx.xx:xx,TCP (flags:S)
<entries removed>
FWOUT,2004/11/28,03:57:46 +0:00 GMT,xx.xx.xx.xx:xx,224.0.0.22:0,IGMP (type:34)
LOCK,2004/11/28,03:57:46 +0:00 GMT,Generic Host Process for Win32 Services,239.255.255.250,N/A
LOCK,2004/11/28,03:57:48 +0:00 GMT,Run a DLL as an App,212.23.3.11,N/A
LOCK,2004/11/28,03:57:48 +0:00 GMT,Generic Host Process for Win32 Services,255.255.255.255,N/A
LOCK,2004/11/28,03:57:48 +0:00 GMT,Run a DLL as an App,212.23.6.35,N/A
LOCK,2004/11/28,03:57:50 +0:00 GMT,Generic Host Process for Win32 Services,,N/A
LOCK,2004/11/28,03:57:50 +0:00 GMT,Run a DLL as an App,,N/A
LOCK,2004/11/28,03:57:52 +0:00 GMT,Generic Host Process for Win32 Services,,N/A
LOCK,2004/11/28,03:57:56 +0:00 GMT,Generic Host Process for Win32 Services,127.0.0.1,N/A
LOCK,2004/11/28,03:57:56 +0:00 GMT,Run a DLL as an App,212.23.3.11,N/A
ACCESS,2004/11/28,04:03:14 +0:00 GMT,Run a DLL as an App was blocked from connecting to the Internet (212.23.6.35:DNS).,N/A,N/A
ACCESS,2004/11/28,04:03:14 +0:00 GMT,Run a DLL as an App was blocked from connecting to the Internet (212.23.3.11:DNS).,N/A,N/A
ACCESS,2004/11/28,04:03:16 +0:00 GMT,Run a DLL as an App was blocked from sending data to the Internet (212.23.6.35:DNS).,N/A,N/A
ACCESS,2004/11/28,04:03:30 +0:00 GMT,Run a DLL as an App was blocked from connecting to the Internet (212.23.6.35:DNS).,N/A,N/A
ACCESS,2004/11/28,04:03:30 +0:00 GMT,Run a DLL as an App was blocked from connecting to the Internet (212.23.3.11:DNS).,N/A,N/A
ACCESS,2004/11/28,04:03:32 +0:00 GMT,Run a DLL as an App was blocked from sending data to the Internet (212.23.6.35:DNS).,N/A,N/A
ACCESS,2004/11/28,04:03:48 +0:00 GMT,Run a DLL as an App was blocked from connecting to the Internet (212.23.6.35:DNS).,N/A,N/A
ACCESS,2004/11/28,04:03:48 +0:00 GMT,Run a DLL as an App was blocked from connecting to the Internet (212.23.3.11:DNS).,N/A,N/A
ACCESS,2004/11/28,04:03:50 +0:00 GMT,Run a DLL as an App was blocked from sending data to the Internet (212.23.6.35:DNS).,N/A,N/A
ACCESS,2004/11/28,04:04:02 +0:00 GMT,Run a DLL as an App was blocked from connecting to the Internet.,N/A,N/A
ACCESS,2004/11/28,04:04:02 +0:00 GMT,Run a DLL as an App was blocked from connecting to the Internet (212.23.6.35:DNS).,N/A,N/A
ACCESS,2004/11/28,04:04:02 +0:00 GMT,Run a DLL as an App was blocked from connecting to the Internet (212.23.3.11:DNS).,N/A,N/A
ACCESS,2004/11/28,04:04:04 +0:00 GMT,Run a DLL as an App was blocked from sending data to the Internet (212.23.6.35:DNS).,N/A,N/A
<entries removed>
LOCK,2004/11/28,03:54:14 +0:00 GMT,Run a DLL as an App,,N/A
LOCK,2004/11/28,03:54:14 +0:00 GMT,Run a DLL as an App,212.23.3.11,N/A
LOCK,2004/11/28,03:54:16 +0:00 GMT,Run a DLL as an App,,N/A
LOCK,2004/11/28,03:54:18 +0:00 GMT,Run a DLL as an App,212.23.3.11,N/A
LOCK,2004/11/28,03:54:18 +0:00 GMT,Run a DLL as an App,212.23.6.35,N/A
LOCK,2004/11/28,03:54:18 +0:00 GMT,McAfee SecurityCenter Update Engine,216.49.88.118,N/A
LOCK,2004/11/28,03:54:28 +0:00 GMT,Run a DLL as an App,,N/A
LOCK,2004/11/28,03:55:12 +0:00 GMT,Windows NT Logon Application,212.23.3.11,N/A
LOCK,2004/11/28,03:55:12 +0:00 GMT,Windows NT Logon Application,212.23.3.11,N/A
LOCK,2004/11/28,03:55:12 +0:00 GMT,Windows NT Logon Application,212.23.6.35,N/A
LOCK,2004/11/28,03:55:14 +0:00 GMT,Windows NT Logon Application,,N/A
LOCK,2004/11/28,03:55:26 +0:00 GMT,Windows NT Logon Application,,N/A
LOCK,2004/11/28,03:55:28 +0:00 GMT,Run a DLL as an App,212.23.3.11,N/A
LOCK,2004/11/28,03:55:28 +0:00 GMT,Run a DLL as an App,212.23.3.11,N/A
LOCK,2004/11/28,03:55:30 +0:00 GMT,Run a DLL as an App,212.23.6.35,N/A
LOCK,2004/11/28,03:55:30 +0:00 GMT,Run a DLL as an App,,N/A


I've removed some entries because the log is huge, so I didn't want to post the lot; the above are the relevant parts. The two at the top (FWIN and FWOUT) are the two attacks. I've replaced my own IP in the entries with xx.xx.xx.xx:xx because I don't really want to post it.
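
As an added example (not code from the original post or from ZoneAlarm), here is a small Python triage script for a ZoneAlarm log export in the layout shown above. The log lines inside it are constructed to match that layout and reuse the program names and remote addresses from the post; 10.0.0.5 is a made-up RFC 1918 address standing in for the masked xx.xx.xx.xx. It splits the FWIN/LOCK/ACCESS records, counts blocked events and destinations per program, and reports every blocked program that is not on a short "expected" list, which is how the rundll32 and winlogon entries stand out from the updater and svchost noise.

```python
"""Triage a ZoneAlarm log export: who was blocked, going where, how often.

Added example; not code from the original thread. SAMPLE_LOG is constructed to
match the field layout of the log posted above and reuses its program names and
remote addresses; 10.0.0.5 is a made-up RFC 1918 address standing in for the
poster's masked xx.xx.xx.xx. Layouts assumed (six comma-separated fields):

  FWIN/FWOUT, date, time, source, destination, protocol
  LOCK,       date, time, program, destination ip (may be empty), N/A
  ACCESS,     date, time, message, N/A, N/A
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field

SAMPLE_LOG = """\
FWIN,2004/11/28,02:23:12 +0:00 GMT,68.44.48.242:1219,10.0.0.5:135,TCP (flags:S)
FWOUT,2004/11/28,03:57:46 +0:00 GMT,10.0.0.5:0,224.0.0.22:0,IGMP (type:34)
LOCK,2004/11/28,03:57:46 +0:00 GMT,Generic Host Process for Win32 Services,239.255.255.250,N/A
LOCK,2004/11/28,03:57:48 +0:00 GMT,Run a DLL as an App,212.23.3.11,N/A
LOCK,2004/11/28,03:57:48 +0:00 GMT,Run a DLL as an App,212.23.6.35,N/A
LOCK,2004/11/28,03:57:50 +0:00 GMT,Run a DLL as an App,,N/A
LOCK,2004/11/28,03:55:12 +0:00 GMT,Windows NT Logon Application,212.23.3.11,N/A
LOCK,2004/11/28,03:54:18 +0:00 GMT,McAfee SecurityCenter Update Engine,216.49.88.118,N/A
ACCESS,2004/11/28,04:03:14 +0:00 GMT,Run a DLL as an App was blocked from connecting to the Internet (212.23.6.35:DNS).,N/A,N/A
ACCESS,2004/11/28,04:03:14 +0:00 GMT,Run a DLL as an App was blocked from connecting to the Internet (212.23.3.11:DNS).,N/A,N/A
ACCESS,2004/11/28,04:04:02 +0:00 GMT,Run a DLL as an App was blocked from connecting to the Internet.,N/A,N/A
"""

# Programs whose outbound traffic is accounted for on this machine (assumption:
# the AV updater and svchost's SSDP multicast). Everything else blocked is reported.
EXPECTED = {"McAfee SecurityCenter Update Engine", "Generic Host Process for Win32 Services"}

ACCESS_RE = re.compile(
    r"^(?P<program>.+?) was blocked from (?:connecting to|sending data to) the Internet"
    r"(?: \((?P<dest>[^)]+)\))?\.$"
)


@dataclass
class ProgramStats:
    lock_events: int = 0      # LOCK: blocked while the Internet Lock was engaged
    access_events: int = 0    # ACCESS: blocked by the program-control rule
    dns_attempts: int = 0     # ACCESS lines whose target was <ip>:DNS
    destinations: Counter = field(default_factory=Counter)


def parse_zonealarm_log(text):
    """Return (stats per program, inbound SYN count per source IP)."""
    programs = defaultdict(ProgramStats)
    inbound = Counter()
    for raw in text.splitlines():
        fields = raw.strip().split(",", 5)
        if len(fields) != 6:
            continue                      # blank line or a layout we don't know
        kind, _date, _time, f3, f4, _f5 = fields
        if kind == "FWIN":
            inbound[f3.rsplit(":", 1)[0]] += 1
        elif kind == "LOCK":
            st = programs[f3]
            st.lock_events += 1
            if f4:
                st.destinations[f4] += 1
        elif kind == "ACCESS":
            m = ACCESS_RE.match(f3)
            if m is None:
                continue
            st = programs[m.group("program")]
            st.access_events += 1
            if m.group("dest"):
                ip, _, port = m.group("dest").partition(":")
                st.destinations[ip] += 1
                if port == "DNS":
                    st.dns_attempts += 1
    return programs, inbound


def suspicious_programs(programs, expected=EXPECTED):
    """Names of blocked programs not on the expected list, sorted."""
    return sorted(name for name, st in programs.items()
                  if name not in expected and (st.lock_events or st.access_events))


def report(text):
    """One summary line per inbound source and per unexpected blocked program."""
    programs, inbound = parse_zonealarm_log(text)
    lines = [f"inbound SYN from {ip}: {n}" for ip, n in inbound.most_common()]
    for name in suspicious_programs(programs):
        st = programs[name]
        dests = ", ".join(f"{ip} x{n}" for ip, n in st.destinations.most_common()) or "(none recorded)"
        lines.append(f"{name}: LOCK={st.lock_events} ACCESS={st.access_events} "
                     f"DNS={st.dns_attempts} -> {dests}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Two things worth reading off the summary rather than the raw log: the only inbound "attack" is a single SYN to one port, which on its own is background scanning rather than anything aimed at this machine; and the blocked programs are hitting the same two addresses on the DNS port, so they are trying to resolve names through specific resolvers, which is a useful fingerprint to keep for whatever turns up later.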

Guest
CWS problem :(
« Reply #14 on: November 27, 2004, 11:27:34 PM »
Ohhh, something else I tried. I typed one of the redirect things from the HOSTS file into IE (I used http://ieautosearch/)

I got a page stating the following

Unsubscribe to the redirect service by running the Look2Me UnInstaller

I didn't follow the link for obvious reasons ;)

guestolo (Administrator)
CWS problem :(
« Reply #15 on: November 28, 2004, 12:09:03 AM »
Did you run the Ad-Aware Add-on?

I've heard of the uninstaller working for some.
This issue should have been taken care of with VX2 Finder.
Try running the uninstaller from their site:
http://www.look2me.com/cgi-bin/UnInstaller

Could you also try this
With Windows set to show hidden files and folders:
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck Hide extensions for known file types.
* Click Yes to confirm.
* Click OK.

How many instances of rundll32.exe do you see?
Try running them through this malware online scan
Give the page time to load
http://virusscan.jotti.dhs.org/

Use the Browse button and navigate to all instances of this file
C:\WINDOWS\system32\rundll32.exe <--file, should be legit, but let's make sure

Right click and select it and use the Submit button

Wait for the scan to complete and post back the findings

I'm curious why VX2 Finder isn't finding anything.
Look2Me is related to VX2.BetterInternet.

Use The Hoster to Restore Original Hosts file
Then use the button at the top right to make it Read Only

Have Hijackthis fix these entries
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch

Restart your computer
Post back a fresh log and info on the rundll32 files if nasty

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Guest
CWS problem :(
« Reply #16 on: November 28, 2004, 12:55:31 AM »
Thanks for all the help so far dude, it's much appreciated. It's nearly 6am here and I really need some sleep, so I'll run those checks tomorrow now.

I must say I'm in two minds about running the uninstaller from the look2me site; I really don't trust them. Guess I'll sleep on that one. I did try a program called kill2me which is supposed to kill the look2me parasite, but it said it couldn't detect it on my system.

I did a little research and found this thread of messages

http://www.2-spyware.com/remove-look2me.html

There are several people who seem to be displaying the same symptoms as me, reporting rundll32 connecting to the i-net as well as winlogon (I have this as well; it's always asking ZoneAlarm for permission to connect). There are also reports of explorer.exe having been messed with, and this fits with my first post where I said that when Windows loads up it briefly shows the classic Windows taskbar rather than the blue one.

I'm convinced something running as the rundll32 (I ran that through the checker you linked and it checked out ok), explorer.exe and winlogon processes is the cause of all my problems.

I also think the CWS thing was a red herring. It messes with your HOSTS file and puts in some 127.0.0.1 entries that will flag the spyware checkers (S+D, CWShredder etc.) and cause them to report these hijackers back to you. You then go off and try and fix these problems, but it's all a con; they are just there to make you go round and round in circles, and the real villains are rundll32, explorer.exe and winlogon, but I just don't know how these processes are being compromised :/ Or perhaps I'm just going insane; this thing is seriously driving me mad.

Anyway, enough of my ramblings. Thanks again dude, and I shall report back to you tomorrow with the results of those tests.

guestolo (Administrator)
CWS problem :(
« Reply #17 on: November 28, 2004, 01:11:45 AM »
Don't run the spyware removal software from that site, SpyHunter is on the Rogue Spyware Removal list

You're right about entries being flagged wrong in your hosts file.
I've seen this happen even with a custom hosts file being flagged wrong for Common Hijacker.

But those 3 host file entries keep returning
Good call on running Kill2me, it's recommended
I just pointed out that the Look2me uninstaller has been reported to work for many

Albeit, VX2 Finder should have shown files if you are infected.
Get yourself a popup blocker

We can try this if you would like
Download this custom Host file
http://www.mvps.org/winhelp2002/hosts.htm
It's a zip file
Delete any other Host files from this directory again

C:\WINDOWS\SYSTEM32\DRIVERS\ETC

Have hoster create a new host file and restore original hosts
Unzip that custom hosts file to the ETC folder
Allow to overwrite if prompted
Make the Hosts file Read Only
You can use Hoster to do this or set it in its properties

Download the Trial version of TrojanHunter from this link
http://www.trojanhunter.com/trojanhunter/

After installation you will have to manually update the Latest Ruleset
Go to this link
http://www.trojanhunter.com/trojanhunter/updating/
Download the Latest Ruleset to desktop
Unzip it to your Trojan Hunter folder
Allow to overwrite if prompted
The default location should be C:\Program Files\TrojanHunter

Run a full system scan

Let me know how you make out

P.S. Go get some sleep, run a new HijackThis log tomorrow and a VX2 Finder log.
You should have tried the Ad-Aware VX2 add-on to be safe.
« Last Edit: November 28, 2004, 01:17:30 AM by guestolo »


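The hosts-file procedure in the last two replies (restore a clean file, make it read-only, watch whether the three O1 entries come back) can be checked mechanically. The Python below is an added example, not code from the thread, from Hoster or from MVPS: it parses a hosts file, flags any name that is mapped to a routable address instead of a sinkhole, calls out the three search endpoints from the O1 lines and the single-label IE autosearch keyword, and diffs two snapshots of the file so a re-infection after reboot shows up as a concrete set of added lines. The two sample files are constructed (a few blocklist-style lines, then the same file with the O1 entries appended); HOSTS_PATH is the standard XP location and is only used when the script is run directly.

```python
"""Audit a Windows HOSTS file for search-redirect hijacks and spot re-infection.

Added example; not code from the original thread. The two sample files are
constructed: a few blocklist-style lines, then the same file with the three
O1 redirect entries from the HijackThis log above appended, which is what the
poster saw after a reboot. HOSTS_PATH is the standard XP location and is only
used when the script is run directly.
"""
import hashlib
import ipaddress

HOSTS_PATH = r"C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts"

# Search endpoints the CWS/Look2Me family redirects (the three names in the
# O1 lines). Assumption: extend as needed, this is not an exhaustive list.
SEARCH_HOSTS = {"auto.search.msn.com", "search.netscape.com", "ieautosearch"}

SAMPLE_BEFORE = """\
# constructed blocklist-style hosts file
127.0.0.1  localhost
0.0.0.0  ad.doubleclick.net   # ad server, sinkholed
0.0.0.0  www.skoobidoo.com
"""

SAMPLE_AFTER = SAMPLE_BEFORE + """\
69.20.16.183 auto.search.msn.com
69.20.16.183 search.netscape.com
69.20.16.183 ieautosearch
"""


def parse_hosts(text):
    """Return [(ip, hostname, line_no)] for every active mapping; comments dropped."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        entries.extend((ip, name.lower(), n) for name in names)
    return entries


def classify_target(ip):
    """'sinkhole' for loopback/0.0.0.0 (what a blocklist uses), else 'routable target'."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "invalid address"
    if addr.is_loopback or addr.is_unspecified:
        return "sinkhole"
    return "routable target"


def find_hijacks(entries):
    """Mappings that send a name somewhere real instead of to a sinkhole.

    A routable target is a redirect by definition; a single-label name such as
    'ieautosearch' additionally means IE's address-bar keyword search is being
    captured, and a known search endpoint is called out explicitly."""
    hits = []
    for ip, name, line_no in entries:
        kind = classify_target(ip)
        if kind == "sinkhole":
            continue
        reasons = [kind]
        if name in SEARCH_HOSTS:
            reasons.append("known search endpoint")
        if "." not in name:
            reasons.append("single-label name (IE autosearch keyword)")
        hits.append({"line": line_no, "ip": ip, "name": name, "reasons": reasons})
    return hits


def fingerprint(text):
    """SHA-256 of the file contents; record it right after a clean restore."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def diff_hosts(before, after):
    """(added, removed) sets of (ip, name) between two snapshots of the file."""
    b = {(ip, name) for ip, name, _ in parse_hosts(before)}
    a = {(ip, name) for ip, name, _ in parse_hosts(after)}
    return a - b, b - a


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else HOSTS_PATH
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    print("sha256", fingerprint(text))
    for h in find_hijacks(parse_hosts(text)):
        print(f"line {h['line']}: {h['ip']} {h['name']} -> {', '.join(h['reasons'])}")
```

Record the fingerprint immediately after Hoster restores the file and compare after each reboot. The read-only attribute only stops software that honours it; any process with write access to the file can clear the attribute and append, so if `diff_hosts` keeps reporting the same three lines the writer is still resident and the hosts file is a symptom, not the thing to fix.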

Guest
CWS problem :(
« Reply #18 on: November 28, 2004, 11:46:09 AM »
A new day dawns and it's time to return to the virus hunting :)

Lots to cover so I'll try and do this as orderly as possible.

The look2me uninstaller... I've read people have had some success with this as well, so it's not that I doubt your word; more that at the moment I'm not even sure if it is look2me that I have. All of the checks show up clean and I don't want to add fuel to the fire if this isn't the problem I have.

That's the thing that's driving me crazy, not knowing what virus/parasite I've contracted. The only checks that turn anything up point to IGetNet and CWS but, as said before, I think this is a red herring; none of the scans highlight a look2me, but reading on the i-net seems to indicate this is what it is :/

Ok, rundll32. I have three instances of this running. Now two of those I can confidently clear as ok; they are related to my Nvidia software and acting as normal. The third however... I do not know what this is. Only one of these instances tries to gain access to the i-net, the rogue one I suspect; I highly doubt the Nvidia ones would attempt to connect to the i-net.

I scanned the system32/rundll32.dll at that site you linked to me and with McAfee and it came up clean. From my understanding though, doesn't rundll32 just provide a way for other programs to execute? Meaning the rundll32 could be fine and it's some trojan launching itself as a rundll32.

I installed that HOSTS file you linked and this went ok, but guess what, those rogue redirects tagged themselves onto the end when I rebooted :(

I then ran TrojanHunter but was unable to complete the scan because it kept crashing. Before it did though, it reported a suspicious port open and that it had been opened by rundll32... surprise, surprise, our old friend.

I rebooted into safe mode and ran TrojanHunter again. This time it completed, but obviously didn't pick up the suspect port this time because there's no networking in safe mode. It did however claim I had two trojans... mirc.exe and moneyspj.exe (in system32). I fixed both and then uninstalled mIRC as well; I then searched for any more instances of moneyspj.exe but found none. Sorry I didn't take a log of this.

VX2... ran the VX2 Finder and it didn't find anything. I've run the VX2 add-on for Ad-Aware before with no success but I tried it again anyway... it claims VX2 is not on my system.

Ok, before I post the logs I think we need to establish a baseline of where we are now and what we have definitely proven to be true.

In my opinion, for what it's worth, the rogue instance of rundll32 is definitely a trojan. There's no doubt in my mind: TrojanHunter claims it has suspiciously opened a port, ZoneAlarm continually reports it asking for i-net access, and the most recent posts from that link I gave all claim a rundll32 process is the cause of problems. I think we can safely say this is Public Enemy No. 1... I have locked it from all network access in ZoneAlarm.

Winlogon... ok, it's a valid process but it seems to have been hijacked in some way. ZoneAlarm continually alerts me that it's asking for access to the i-net... why would winlogon need to access the i-net? Not a strong case, but enough to warrant me locking it from network access in ZoneAlarm.

explorer.exe... the only evidence I have against this, except the reports from that site saying it was acting suspiciously, is the fact my taskbar briefly changes during boot-up when it never used to. A weak case, but I'm in full Spanish Inquisition mode here, so it makes the list for being locked from all network access as well.

Right, DLLs. You remember me reporting that Windows critical error ages ago? From what I've read, if I have the same virus then it continually spawns itself as several DLLs with random names. Now how it respawns I don't know; perhaps it has something to do with the rundll32, explorer.exe or winlogon, or perhaps deleting one just causes the other to respawn itself as a different DLL next time you reboot. This fits: when I got that error I rebooted and it reported a critical error for a different DLL, I repeated the process and rebooted and same thing... I stopped at this point. But I just checked system32 and this last DLL that I got an error for but never deleted no longer exists. This suggests this thing is constantly renaming itself, but I don't know how. The fact that every DLL that's reported a Windows critical returns no results in Google... proof of random naming to me. Christ only knows what these DLLs are doing to my registry, but I suspect to fix this thing is gonna require deleting both DLLs while all network access for the virus is cut off, and deleting all of the associated keys from the registry.

As soon as I get another Windows critical at startup pointing to a DLL, I shall look for any other DLL or file that exists that is exactly the same size as the DLL that flags the error. I will then purge all of these files, and then for every filename I will search the registry for any key mentioning this file and purge all of those keys.

Ok, now the logs (finally :P)

Hijack this

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\CTsvcCDA.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\CDBurnerXP Pro 3\Tools\NMSAccess.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Program Files\MSI\Live Update 3\LMonitor.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\TrojanHunter 4.0\THGuard.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Creative\MediaSource\GO\CTCMSGo.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\Profiler\lwemon.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\notepad.exe
C:\Temp\hijack this\HijackThis.exe

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKCU\..\Run: [Creative MediaSource Go] C:\Program Files\Creative\MediaSource\GO\CTCMSGo.exe /SYS
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [Start WingMan Profiler] "C:\Program Files\Logitech\Profiler\lwemon.exe" /noui
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...83/mcinsctl.cab


VX2 Finder

Log for VX2.BetterInternet File Finder (msg126)

Files Found---
 
Additional Files---
 
Keys Under Notify---
crypt32chain
cryptnet
cscdll
MediaContentIndex
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
wlballoon


Guardian Key--- is called:

User Agent String---
{B95B0F84-74CB-49F0-BCB3-7E4E944AAD53}


Not much to go on I'm afraid :( Once again, thanks for your patience and for listening to all my conspiracy theories. Sometimes I think this is all in my head because no scan can detect it, but the pop-ups are still there so it can't be :(
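
The point made in this post, that rundll32.exe itself can be clean while whatever it was told to load is the problem, means the useful question is which DLL and entry point each of the three instances is hosting. The Python below is an added example, not code from the thread or from any of the tools named in it. It parses rundll32 command lines of the shape `rundll32 <dll>[,<entry>] [args]` and flags each instance against a list of autostarts the operator has already verified. SAMPLE_PROCESSES is constructed in the shape of what `wmic process where name='rundll32.exe' get processid,commandline` prints on XP; the two NVIDIA lines reproduce the O4 Run entries in the HijackThis log above, the third line (qjkwzpd.dll) is a made-up stand-in for the unidentified instance, and the PIDs are invented. KNOWN_GOOD is likewise an assumption: only the two NVIDIA autostarts visible in the log.

```python
"""Tell rundll32.exe instances apart by the DLL and entry point each one hosts.

Added example; not code from the original thread. SAMPLE_PROCESSES is constructed
in the shape of `wmic process where name='rundll32.exe' get processid,commandline`
output on XP: the two NVIDIA lines reproduce the O4 Run entries in the HijackThis
log above; the third line, qjkwzpd.dll, is a made-up stand-in for the unidentified
instance, and the PIDs are invented. KNOWN_GOOD is an assumption: the autostarts
the operator has already verified, and nothing else.
"""
import ntpath
import re

SYSTEM32 = r"C:\WINDOWS\System32"

KNOWN_GOOD = {
    (r"c:\windows\system32\nvcpl.dll", "nvstartup"),
    (r"c:\windows\system32\nvmctray.dll", "nvtaskbarinit"),
}

SAMPLE_PROCESSES = [
    (1588, r"RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit"),
    (1612, r"RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup"),
    (1804, r"C:\WINDOWS\system32\rundll32.exe qjkwzpd.dll,DllRegisterServer"),  # constructed
]

# The rundll32 executable token itself, quoted or bare, with or without a path.
EXE_TOKEN = re.compile(r'^(?:"[^"]*rundll32(?:\.exe)?"|\S*rundll32(?:\.exe)?)\s*', re.IGNORECASE)


def parse_rundll32_cmdline(cmdline):
    """Split 'rundll32 <dll>[,<entry>] [args]' into (dll_path, entry, args).

    rundll32 takes the first token after its own name as the DLL (quotes allowed)
    and the text after the first comma as the exported entry point. A bare file
    name is found via the loader search path; this assumes System32, the common
    case. Returns None if the line is not a rundll32 invocation at all."""
    stripped = cmdline.strip()
    m = EXE_TOKEN.match(stripped)
    if m is None:
        return None
    rest = stripped[m.end():]
    if not rest:
        return ("", "", "")           # no DLL: rundll32 should have exited at once
    if rest.startswith('"'):
        close = rest.find('"', 1)
        dll, tail = rest[1:close], rest[close + 1:]
    else:
        tok = re.match(r"[^\s,]+", rest)
        dll, tail = tok.group(0), rest[tok.end():]
    entry = ""
    if tail.startswith(","):
        ent = re.match(r",(\S*)", tail)
        entry, tail = ent.group(1), tail[ent.end():]
    if dll and not ntpath.dirname(dll):
        dll = ntpath.join(SYSTEM32, dll)
    return dll, entry, tail.strip()


def triage(processes, known_good=KNOWN_GOOD):
    """Map pid -> {dll, entry, args, flags}; an empty flags list means verified."""
    report = {}
    for pid, cmdline in processes:
        parsed = parse_rundll32_cmdline(cmdline)
        if parsed is None:
            continue
        dll, entry, args = parsed
        flags = []
        if not dll:
            flags.append("no DLL on the command line: a long-lived instance needs its modules checked")
        elif (dll.lower(), entry.lower()) not in known_good:
            flags.append("not in the verified autostart list")
            if not dll.lower().startswith("c:\\windows\\"):
                flags.append("DLL outside the Windows directory")
            stem = ntpath.splitext(ntpath.basename(dll))[0].lower()
            if not set(stem) & set("aeiou"):
                flags.append("no vowels in file name (weak random-name heuristic)")
            if any(c.isdigit() for c in stem):
                flags.append("digits in file name (weak random-name heuristic)")
        report[pid] = {"dll": dll, "entry": entry, "args": args, "flags": flags}
    return report


if __name__ == "__main__":
    worst_first = sorted(triage(SAMPLE_PROCESSES).items(), key=lambda kv: -len(kv[1]["flags"]))
    for pid, info in worst_first:
        status = "; ".join(info["flags"]) or "verified"
        print(f"pid {pid}: {info['dll']},{info['entry']} -> {status}")
```

Two caveats. ZoneAlarm labels a program by the executable's file description, and "Run a DLL as an App" is rundll32.exe's, so all three instances share one name in its log and only the command line separates them; once the odd one is identified, it is that DLL, not rundll32.exe, that is worth hashing and submitting to the online scanner. And the name heuristics are deliberately marked weak: NvCpl.dll has no vowels either, which is why verified entries skip them entirely. If a DLL had been injected into an otherwise legitimate rundll32, the command line would look clean, so a process whose command line checks out but still opens ports needs its loaded-module list examined rather than its command line.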

Guest
CWS problem :(
« Reply #19 on: November 28, 2004, 12:09:00 PM »
I downloaded and ran a program called SpySubtract. I did a little research on the i-net before I downloaded it and it seemed to check out ok; it was mentioned a few times on sites I trust.

Anyway, it found and removed some problems... here's a log:


--------------------------------- SpySubtract session started ---------------------------------
Machine=UNIMATIRX-001
Time=Sun Nov 28 17:10:52 2004
Product Version=1, 0, 1, 49

      Started Scanning
      Programs in Memory
      Finished Scanning
      Started Scanning
      Internet Cookies
      Programs in Memory
      Windows Registry
         Found '' in 'Software\Kazaa'
         Found '' in 'Software\Kazaa\Settings'
         Found '' in 'Software\Kazaa\Transfer'
         Found '' in 'Software\KaZaA\CloudLoad'
         Found '' in 'Software\KaZaA\ConnectionInfo'
         Found '' in 'Software\KaZaA\LocalContent'
         Found '' in 'SOFTWARE\Classes\ed2k'
         Found '' in 'SOFTWARE\Classes\ed2k\DefaultIcon'
         Found '' in 'SOFTWARE\Classes\ed2k\shell\open\command'
         Found '' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\eDonkey2000'
         Found '' in 'Software\Kazaa'
         Found '' in 'Software\Kazaa\Advanced'
         Found '' in 'Software\Kazaa\LocalContent'
         Found '' in 'Software\Kazaa\Promotions\Broadband'
         Found '' in 'SOFTWARE\Kazaa\Bandwidth\LastEstimate'
         Found '' in 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchsquire.com'
         Found 'Tmp' in 'Software\Kazaa'
         Found 'Status' in 'Software\Kazaa\Advanced'
         Found 'BBDbLoc' in 'Software\Kazaa\Promotions\Broadband'
         Found 'NullImageLoc' in 'Software\Kazaa\Promotions\Broadband'
         Found 'NullImageLoc2' in 'Software\Kazaa\Promotions\Broadband'
         Found 'b' in 'SOFTWARE\Kazaa\Bandwidth\LastEstimate'
         Found 'DatabaseDir' in 'SOFTWARE\Kazaa\LocalContent'
         Found 'Date' in 'Software\Kazaa\Settings'
         Found 'DownloadDir' in 'SOFTWARE\Kazaa\LocalContent'
         Found 'UseCount' in 'Software\Kazaa\Settings'
         Found 'NoUploadLimitWhenIdle' in 'Software\Kazaa\Transfer'
         Found 'ListenPort' in 'SOFTWARE\Kazaa'
         Found 'network_config' in 'SOFTWARE\Kazaa'
         Found 'Tmp' in 'SOFTWARE\Kazaa'
         Found 'UDP_probe_successes' in 'SOFTWARE\Kazaa'
         Found 'time' in 'SOFTWARE\Kazaa\Bandwidth\LastEstimate'
         Found 'ShareDir' in 'SOFTWARE\Kazaa\CloudLoad'
         Found 'KazaaNet' in 'SOFTWARE\Kazaa\ConnectionInfo'
         Found '' in 'Software\AppConf'
         Found 'confset' in 'Software\AppConf'
         Found '' in 'SOFTWARE\Classes\CLSID\{B7156514-A76C-4545-9D5B-A4E1D02C7AEC}'
         Found '' in 'SOFTWARE\Classes\CLSID\{B7156514-A76C-4545-9D5B-A4E1D02C7AEC}\InprocServer32'
         Found 'ThreadingModel' in 'SOFTWARE\Classes\CLSID\{B7156514-A76C-4545-9D5B-A4E1D02C7AEC}\InprocServer32'
         Found '' in 'SOFTWARE\Classes\CLSID\{B7156514-A76C-4545-9D5B-A4E1D02C7AEC}\MiscStatus'
         Found '' in 'SOFTWARE\Classes\CLSID\{B7156514-A76C-4545-9D5B-A4E1D02C7AEC}\MiscStatus\1'
         Found '' in 'SOFTWARE\Classes\CLSID\{B7156514-A76C-4545-9D5B-A4E1D02C7AEC}\ProgID'
         Found '' in 'SOFTWARE\Classes\CLSID\{B7156514-A76C-4545-9D5B-A4E1D02C7AEC}\ToolboxBitmap32'
         Found '' in 'SOFTWARE\Classes\CLSID\{B7156514-A76C-4545-9D5B-A4E1D02C7AEC}\TypeLib'
         Found '' in 'SOFTWARE\Classes\CLSID\{B7156514-A76C-4545-9D5B-A4E1D02C7AEC}\Version'
         Found '' in 'SOFTWARE\Classes\CLSID\{B7156514-A76C-4545-9D5B-A4E1D02C7AEC}\VersionIndependentProgID'
         Found '' in 'SOFTWARE\Classes\TopSearch.TSLink'
         Found '' in 'SOFTWARE\Classes\TopSearch.TSLink.1'
         Found '' in 'SOFTWARE\Classes\TopSearch.TSLink.1\CLSID'
         Found '' in 'SOFTWARE\Classes\TopSearch.TSLink\CLSID'
         Found '' in 'SOFTWARE\Classes\TopSearch.TSLink\CurVer'
         Found '' in 'SOFTWARE\Classes\TypeLib\{EDD3B3E9-3FFD-4836-A6DE-D4A9C473A971}\1.0'
         Found '' in 'SOFTWARE\Classes\TypeLib\{EDD3B3E9-3FFD-4836-A6DE-D4A9C473A971}\1.0\0\win32'
         Found '' in 'SOFTWARE\Classes\TypeLib\{EDD3B3E9-3FFD-4836-A6DE-D4A9C473A971}\1.0\FLAGS'
         Found '' in 'SOFTWARE\Classes\TypeLib\{EDD3B3E9-3FFD-4836-A6DE-D4A9C473A971}\1.0\HELPDIR'
         Found '*' in 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\blazefind.com'
         Found '*' in 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mt-download.com'
         Found '*' in 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchbarcash.com'
         Found '*' in 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchmiracle.com'
         Found '*' in 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\skoobidoo.com'
         Found '*' in 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\slotch.com'
         Found '*' in 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\xxxtoolbar.com'
         Found '' in 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1'
      Internet URL Shortcuts
      Files and Directories
         Found 'edonkey2000.exe' in 'C:\Program Files\eDonkey2000'
      Finished Scanning
      Started Backup
      Finished Backup
      Started Cleaning
         Checking for 'C:\Program Files\eDonkey2000\edonkey2000.exe' in shortcut areas.
         Found 'eDonkey2000.lnk' in 'C:\Documents and Settings\All Users\Start Menu\Programs\File Share\eDonkey2000\'
         Found 'eDonkey2000.lnk' in 'C:\Documents and Settings\WitchFinder\Desktop\'
         Checking for 'C:\Program Files\eDonkey2000\edonkey2000.exe' in startup areas.
         Cleaning 'C:\Program Files\eDonkey2000\edonkey2000.exe'
      Finished Cleaning