Reply

Join Date: Jun 2004
Posts: 4
Reputation: nahor is an unknown quantity at this point 
Solved Threads: 0
nahor's Avatar
nahor nahor is offline Offline
Newbie Poster

CWS. help needed

 
0
  #1
Jun 10th, 2004
Hi.

I had problems with my IE. There was that CWS malware. So after 2 days I finally get rid of it - no more search ads and pop-ups. But my program SpyFerret shows that there is something left in registry..
It says that i have:

1. Common Extension hijack (default registry file handler (Registry exchange)) = Trojan

2. CWS (Registry key (Registry key)) = Malware

I have a demo of SpyFerret, so i cant fix anything with it. I have also the latest version of CWShredder and it cant find anything (cause "everything is fixed already"). I scanned with HijackThis, maybe someone can help me and tell what to fix there? Anyway thanks. Here is log file:

Logfile of HijackThis v1.97.7
Scan saved at 10:16:35, on 10.06.04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MSMPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\INTEL\INTEL(R) ACTIVE MONITOR\IMON98.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\CTNOTIFY.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\PROGRAM FILES\MCAFEE\SPAMKILLER\MSKSRVR.EXE
C:\PROGRAM FILES\MCAFEE\SPAMKILLER\MSKAGENT.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFTRAY.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\PROGRAM FILES\CAERE\PAGEKEEPER30\SYSTEM\PKJOBS.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFAGENT.EXE
C:\PROGRAM FILES\CAERE\PAGEKEEPER30\SYSTEM\PKTOPASS.EXE
C:\PROGRAM FILES\CAERE\PAGEKEEPER30\SYSTEM\PKSLAPI.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
E:\JURIS\PROGRAMS\DC++\DCPLUSPLUS.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
E:\JURIS\PROGRAMS\SECURITY\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yandex.ru
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yandex.ru
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - D:\JURIS\PROGRAMS\FRESHDOWNLOAD\FDCATCH.DLL (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT READER 5\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\JURIS\PROGRAMS\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [MSKServerExe] C:\Program Files\McAfee\SpamKiller\MSKSrvr.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\MCAFEE\SPAMKI~1\MSKAGENT.EXE
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\MCAFEE\SPAMKI~1\MSKDETCT.EXE /startup
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [IMON] C:\Program Files\Intel\Intel(R) Active Monitor\imon98.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: PageKeeper Jobs.lnk = C:\Program Files\Caere\PageKeeper30\system\PKJobs.exe
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download with &FD - E:\JURIS\PROGRAMS\FRESHDOWNLOAD\fdiectx.htm
O8 - Extra context menu item: Download &All by FD - E:\JURIS\PROGRAMS\FRESHDOWNLOAD\fdiectx2.htm
O8 - Extra context menu item: Yandex &Search - http://lingvo.yandex.ru/ie5search.htm
O8 - Extra context menu item: &Translate - http://lingvo.yandex.ru/ie5trans.htm
O9 - Extra 'Tools' menuitem: Internet &Cache Explorer (HKLM)
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/...1/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/...19/mcgdmgr.cab
Reply With Quote Quick reply to this message  
Join Date: Aug 2003
Posts: 9,689
Reputation: caperjack is a splendid one to behold caperjack is a splendid one to behold caperjack is a splendid one to behold caperjack is a splendid one to behold caperjack is a splendid one to behold caperjack is a splendid one to behold caperjack is a splendid one to behold 
Solved Threads: 507
Team Colleague
caperjack's Avatar
caperjack caperjack is offline Offline
Posting Prodigy

Re: CWS. help needed

 
0
  #2
Jun 10th, 2004
SpyFerret makes the list of bad spyware removers.It will report bad stuff to fix trying to get you to pay for the program .Why pay when there are free one that are much better .
http://www.spywarewarrior.com/viewtopic.php?t=68

Might I suggest Ad-Aware and Spybot ,I see you allready use spy-bot ,trust what it want to fix as its one of the best , so give ad-aware a whirl.

Download the latest version of Ad-Aware at ADAWARE

Download SPYBOT

How to setup Ad-Aware and Spy-Bot S&D
http://www.zerosrealm.com/scanning.php

And after that, please do the following:
Linux boot cd http://www.knopper.net/knoppix/index-en.html
Wubi is an officially supported Ubuntu Linux installer for Windows .
http://wubi-installer.org/
Reply With Quote Quick reply to this message  
Join Date: Aug 2003
Posts: 9,689
Reputation: caperjack is a splendid one to behold caperjack is a splendid one to behold caperjack is a splendid one to behold caperjack is a splendid one to behold caperjack is a splendid one to behold caperjack is a splendid one to behold caperjack is a splendid one to behold 
Solved Threads: 507
Team Colleague
caperjack's Avatar
caperjack caperjack is offline Offline
Posting Prodigy

Re: CWS. help needed

 
0
  #3
Jun 10th, 2004
Have Hijack This fix the following by placing a check in the appropriate boxes and selecting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - D:\JURIS\PROGRAMS\FRESHDOWNLOAD\FDCATCH.DLL (file missing)


These 2 are not spyware but are rescource hog's and not needed in startup suggested fixes
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft
Office\Office\OSA.EXE

O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE


Unless you had Spy-Bot set these ,fix them
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present



reboot computer and post a new log
Linux boot cd http://www.knopper.net/knoppix/index-en.html
Wubi is an officially supported Ubuntu Linux installer for Windows .
http://wubi-installer.org/
Reply With Quote Quick reply to this message  
Join Date: Jun 2004
Posts: 4
Reputation: nahor is an unknown quantity at this point 
Solved Threads: 0
nahor's Avatar
nahor nahor is offline Offline
Newbie Poster

Re: CWS. help needed

 
0
  #4
Jun 10th, 2004
Here it is:

Logfile of HijackThis v1.97.7
Scan saved at 13:27:48, on 10.06.04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MSMPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\INTEL\INTEL(R) ACTIVE MONITOR\IMON98.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\CTNOTIFY.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE
C:\PROGRAM FILES\MCAFEE\SPAMKILLER\MSKSRVR.EXE
C:\PROGRAM FILES\MCAFEE\SPAMKILLER\MSKAGENT.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFTRAY.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\CAERE\PAGEKEEPER30\SYSTEM\PKJOBS.EXE
C:\PROGRAM FILES\CAERE\PAGEKEEPER30\SYSTEM\PKSLAPI.EXE
C:\PROGRAM FILES\CAERE\PAGEKEEPER30\SYSTEM\PKTOPASS.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFAGENT.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
E:\JURIS\PROGRAMS\SECURITY\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yandex.ru
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yandex.ru
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT READER 5\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\JURIS\PROGRAMS\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [MSKServerExe] C:\Program Files\McAfee\SpamKiller\MSKSrvr.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\MCAFEE\SPAMKI~1\MSKAGENT.EXE
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\MCAFEE\SPAMKI~1\MSKDETCT.EXE /startup
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [IMON] C:\Program Files\Intel\Intel(R) Active Monitor\imon98.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: PageKeeper Jobs.lnk = C:\Program Files\Caere\PageKeeper30\system\PKJobs.exe
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Download with &FD - E:\JURIS\PROGRAMS\FRESHDOWNLOAD\fdiectx.htm
O8 - Extra context menu item: Download &All by FD - E:\JURIS\PROGRAMS\FRESHDOWNLOAD\fdiectx2.htm
O8 - Extra context menu item: Yandex &Search - http://lingvo.yandex.ru/ie5search.htm
O8 - Extra context menu item: &Translate - http://lingvo.yandex.ru/ie5trans.htm
O9 - Extra 'Tools' menuitem: Internet &Cache Explorer (HKLM)
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/...1/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/...19/mcgdmgr.cab
Reply With Quote Quick reply to this message  
Reply

Quick Reply to Thread
This thread is more than three months old.
Perhaps start a new thread instead?
Message:



Similar Threads
Other Threads in the Viruses, Spyware and other Nasties Forum
Thread Tools Search this Thread



adware anti-malware anti-virussitesaccessissue antivirus apple attack audio avg backtoschoolspeech bar blackhat botnet botnets censorship china commercial commercials conficker control crosssitescripting cyber cybercrime cyberwarfare ddos domains e-mafia education email europe exam exploit facebook fake fancheckvirus gtaiv gumblar halloween herss.exe hijack hosting internet iphone kaspersky legal logfiles mail malware mcafee mega-d microsoft mobile msn nazi news obama onlinethreats paedophile panel parents patch policeprovirusmba-mblockedinternetaccess president privacy pro problem redirect redirecting reliability report research risk rogueantivirus samhain sans scareware school search security seopoisoning sites software spam spyware symantec system teen translate trojan unabletoaccessanti-virussites unwanted update virus viruses vista war warning windows worm yahoo zeroday
About Us | Contact Us | Advertise | DaniWeb | Acceptable Use Policy | RSS Feed

©2003 - 2009 DaniWeb® LLC