Cool Web Search Trojan (HiJackThis Log Inside)

Thread Solved

#1 lapeyre, Jun 5th, 2004
Well, it appears I have a CWS trojan on my system (like I even know what that means...). I've run AdAware and Spybot, and then when I run CWShredder it autocloses when it gets to a certain point. I restart it, and it tells me that the trojan is automatically closing it, but it still can't get rid of it.

Now, I don't know if this is related, but I hope so: my Windows Media Player quickstart icon has been replaced by what looks like a "setup"-style icon (a little PC with a box next to it, you know the one) and when I try to run an mp3 or an mpeg, I get all sorts of pop-ups and Media Player doesn't start.

Here's my HiJackThis log...HELP! Thanks in advance.

Logfile of HijackThis v1.97.7
Scan saved at 2:18:37 PM, on 6/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\System32\eginir.exe
C:\WINDOWS\System32\eflkjfd.exe
C:\Documents and Settings\Lapeyre\My Documents\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [eginir] C:\WINDOWS\System32\eginir.exe
O4 - HKLM\..\Run: [gvthilnflxw] C:\WINDOWS\System32\eflkjfd.exe
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msmc.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
#2 alc6379 (Alex Cavnar), Jun 5th, 2004
You've got a variant of the CoolWebSearch trojan that disables CWShredder. Before running CWShredder, try this link:

CWS.SmartKiller mini removal tool

Additionally, make sure you're running the latest version of CWShredder. The latest as of today, June 5 is 1.59. You can always find the latest version here:
http://www.majorgeeks.com/download4086.html

IIRC, the latest version of CWShredder can detect when a process is trying to kill it, and it might be able to enact countermeasures to combat that effect.
#3 lapeyre, Jun 5th, 2004
Originally Posted by alc6379
You've got a variant of the CoolWebSearch trojan that disables CWShredder. Before running CWShredder, try this link:

CWS.SmartKiller mini removal tool
Well, I downloaded it from all four sites listed on MajorGeeks.com, and in every case when I tried to extract it, it came up as corrupted or invalid!

Now what?
#4 alc6379 (Alex Cavnar), Jun 5th, 2004
The mini removal tool came up corrupted or invalid? That's odd, especially from all of the sites.

Try this site:
http://www.safer-networking.org/files/delcwssk.zip

If need be, I can download the file, extract it, and place an extracted version on a server somewhere. PM me if you need that.
#5 lapeyre, Jun 6th, 2004
Okay,

I got the mini removal tool to work, and it reported that I didn't have CWS.SmartKiller on my system. Then I ran CWShredder again, and it closed itself at the same spot, just like before.

Hm. So...now what?

Also, is this bug related to the problem I'm having with my Windows Media Player?
#6 lapeyre, Jun 6th, 2004
I should have posted this earlier, but CWShredder identified the variant of the virus as "CWS.Smartsearch.2", but still wasn't able to destroy it. Hope that helps.
#7 crunchie, Jun 7th, 2004
Close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked' :

O4 - HKLM\..\Run: [eginir] C:\WINDOWS\System32\eginir.exe
O4 - HKLM\..\Run: [gvthilnflxw] C:\WINDOWS\System32\eflkjfd.exe
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msmc.exe

Reboot into safe mode following the instructions here & navigate to & delete the following if found:

C:\WINDOWS\System32\eginir.exe< file
C:\WINDOWS\System32\eflkjfd.exe< file
C:\WINDOWS\System32\msmc.exe< file

Run CWShredder whilst in safe mode, close ALL windows & hit FIX.

Reboot normally after doing the above then post a fresh log plz.
#8 lapeyre, Jun 7th, 2004
Hi Crunchie,

Actually, since I posted that first log I've run all kinds of spyware removal tools and the log's changed quite a bit. I still have the same problem with Windows Media Player, however, and suspect that I'm going to have to remove it and reinstall it, in the long run. As mentioned, it's not working, all associations with music and video files have been severed, and when I run its quickstart icon I just get popups and no media player.

Anyway, here's my most recent log. Please advise, and thanks again.

Logfile of HijackThis v1.97.7
Scan saved at 11:07:35 PM, on 6/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG6\AVGCC32.EXE
C:\WINDOWS\System32\avemspw.exe
C:\Documents and Settings\Lapeyre\My Documents\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [avemspw] C:\WINDOWS\System32\avemspw.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
#9 crunchie, Jun 7th, 2004
Close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked' :

O4 - HKLM\..\Run: [avemspw] C:\WINDOWS\System32\avemspw.exe

Reboot into safe mode following the instructions here & navigate to & delete the following if found:

C:\WINDOWS\System32\avemspw.exe<<<<

Reboot normally. Which version of CWShredder have you got? The latest is 1.59. If you don't have that, update it & run it again.
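An added example (not from the thread, and not HijackThis or CWShredder code) that applies the review logic crunchie used in posts #7 and #9 to the O4 Run entries of a HijackThis log: parse the O4 lines, flag System32 autoruns that are not on a known-good list, and diff two scans so an entry that comes back under a new name stands out. The log excerpts and the KNOWN_GOOD allowlist are constructed for this example.

```python
import re

# Constructed excerpts modelled on the O4 lines posted in this thread (not
# copied verbatim): the first scan, and the scan after the first cleanup.
SCAN_BEFORE = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [eginir] C:\WINDOWS\System32\eginir.exe
O4 - HKLM\..\Run: [gvthilnflxw] C:\WINDOWS\System32\eflkjfd.exe
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msmc.exe
"""
SCAN_AFTER = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [avemspw] C:\WINDOWS\System32\avemspw.exe
"""

# Assumed allowlist: System32 autoruns known to be legitimate on this machine.
KNOWN_GOOD = {"nerocheck.exe"}

# O4 line shape: "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

def exe_from_command(cmd: str) -> str:
    """Program path from a Run value: drop the opening quote and any arguments."""
    cmd = cmd.lstrip('"')
    end = cmd.lower().find(".exe")
    return cmd if end < 0 else cmd[: end + 4]

def parse_o4(log: str) -> list[tuple[str, str, str]]:
    """(hive, value name, executable path) for every O4 Run entry in the log."""
    hits = (O4_RE.match(line.strip()) for line in log.splitlines())
    return [(m["hive"], m["name"], exe_from_command(m["cmd"])) for m in hits if m]

def suspicious(log: str) -> list[str]:
    """Basenames of Run entries that live in System32 but are not on the allowlist:
    the pattern crunchie singled out (eginir.exe, eflkjfd.exe, msmc.exe, avemspw.exe)."""
    out = []
    for _hive, _name, exe in parse_o4(log):
        base = exe.rsplit("\\", 1)[-1].lower()
        if "\\system32\\" in exe.lower() and base not in KNOWN_GOOD:
            out.append(base)
    return out

def diff_runs(before: str, after: str) -> tuple[set[str], set[str]]:
    """(added, removed) executables between two scans. An infection that
    re-creates itself under a new random name shows up in 'added'."""
    old = {exe.lower() for _h, _n, exe in parse_o4(before)}
    new = {exe.lower() for _h, _n, exe in parse_o4(after)}
    return new - old, old - new
```

Run suspicious() on each fresh log and diff_runs() against the previous one; what the allowlist does not vouch for is what to look up before fixing.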
#10 lapeyre, Jun 7th, 2004
Hi Crunchie,

I followed your instructions, but instead of avemspw.exe coming up in the HiJackThis scan, the file seemed to have renamed itself to aaamona.exe? Is that possible? Anyway, I got rid of it, rebooted, ran CWShredder...and nothing.

I *do* have the latest version of CWShredder, just downloaded it a few days ago. And it's still closing itself about 2/3 of the way through its list.

And can you please advise me on the Windows Media Player issue as well?

Thanks, Crunchie. Here's my most recent log:

Logfile of HijackThis v1.97.7
Scan saved at 11:31:55 AM, on 6/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Documents and Settings\Lapeyre\My Documents\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
©2003 - 2009 DaniWeb® LLC