Possible CWS problem

Thread Solved
1 2

Join Date: Feb 2004
Posts: 10,085
Reputation: crunchie is a splendid one to behold crunchie is a splendid one to behold crunchie is a splendid one to behold crunchie is a splendid one to behold crunchie is a splendid one to behold crunchie is a splendid one to behold crunchie is a splendid one to behold 
Solved Threads: 765
Moderator
Featured Poster
crunchie's Avatar
crunchie crunchie is offline Offline
Spyware Killer

Re: Possible CWS problem

 
0
  #11
Jun 18th, 2004
Yes, it is CWS & the most complicated hijack thus far.

Unzip HJT into it's own permanent folder before doing anything in order for it to create backups. (Not a temporary folder or directly on the desktop & not directly on your hard drive). Close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked' :

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {E0A5232E-6808-4327-8902-04317D8B1445} - C:\WINDOWS\System32\pnpcpd.dll

Reboot after doing the above then post a fresh log plz.
Proud member of ASAP (Alliance of Security analysis Professionals).
Opera AVAST anti-virus Comodo Firewall Spywareblaster
Reply With Quote Quick reply to this message  
Join Date: Jun 2004
Posts: 14
Reputation: visonare is an unknown quantity at this point 
Solved Threads: 0
visonare visonare is offline Offline
Newbie Poster

Re: Possible CWS problem

 
0
  #12
Jun 18th, 2004
Heres the log.

Logfile of HijackThis v1.97.7
Scan saved at 12:51:32 PM, on 6/18/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Andrew Henkel\My Documents\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4C47CBCF-8999-4D00-8751-40FE750ADAC8} - C:\WINDOWS\System32\pnpcpd.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/Sha...in/AvSniff.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...a/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get...sh/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/tech...ActiveData.cab
Reply With Quote Quick reply to this message  
Join Date: Jun 2004
Posts: 14
Reputation: visonare is an unknown quantity at this point 
Solved Threads: 0
visonare visonare is offline Offline
Newbie Poster

Re: Possible CWS problem

 
0
  #13
Jun 18th, 2004
Didnt know if this would help or not, but Ad-Aware just came out with an update that caught some things I hadnt seen before. Heres the log.

Ad-aware Settings
=========================
Set : Activate in-depth scan (Recommended)
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry
Set : Scan within archives


6-18-2004 12:59:35 PM - Scan started. (Smart mode)

Listing running processes
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ThreadCreationTime : 6-18-2004 5:50:33 PM
BasePriority : Normal


#:2 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ThreadCreationTime : 6-18-2004 5:50:42 PM
BasePriority : High


#:3 [services.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 6-18-2004 5:50:43 PM
BasePriority : Normal
FileSize : 99 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
OriginalFilename : services.exe
ProductName : Microsoft
Created on : 8/29/2002 10:00:00 AM
Last accessed : 6/18/2004 5:50:43 PM
Last modified : 8/29/2002 10:00:00 AM

#:4 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 6-18-2004 5:50:43 PM
BasePriority : Normal
FileSize : 11 KB
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
OriginalFilename : lsass.exe
ProductName : Microsoft
Created on : 8/29/2002 10:00:00 AM
Last accessed : 6/18/2004 5:50:43 PM
Last modified : 8/29/2002 10:00:00 AM

#:5 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 6-18-2004 5:50:43 PM
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 8/29/2002 10:00:00 AM
Last accessed : 6/18/2004 5:50:47 PM
Last modified : 8/29/2002 10:00:00 AM

#:6 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 6-18-2004 5:50:43 PM
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 8/29/2002 10:00:00 AM
Last accessed : 6/18/2004 5:50:47 PM
Last modified : 8/29/2002 10:00:00 AM

#:7 [ccsetmgr.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ThreadCreationTime : 6-18-2004 5:50:44 PM
BasePriority : Normal
FileSize : 229 KB
FileVersion : 2.1.0.610
ProductVersion : 2.1.0.610
Copyright : Copyright (c) 2000-2003 Symantec Corporation. All rights reserved.
CompanyName : Symantec Corporation
FileDescription : Common Client Settings Manager Service
InternalName : ccSetMgr
OriginalFilename : ccSetMgr.exe
ProductName : Common Client
Created on : 1/7/2004 8:35:10 PM
Last accessed : 6/18/2004 5:50:56 PM
Last modified : 1/7/2004 8:35:10 PM

#:8 [ccevtmgr.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ThreadCreationTime : 6-18-2004 5:50:44 PM
BasePriority : Normal
FileSize : 249 KB
FileVersion : 2.1.0.610
ProductVersion : 2.1.0.610
Copyright : Copyright (c) 2000-2003 Symantec Corporation. All rights reserved.
CompanyName : Symantec Corporation
FileDescription : Common Client Event Manager Service
InternalName : ccEvtMgr
OriginalFilename : ccEvtMgr.exe
ProductName : Common Client
Created on : 1/7/2004 8:35:10 PM
Last accessed : 6/18/2004 5:50:33 PM
Last modified : 1/7/2004 8:35:10 PM

#:9 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 6-18-2004 5:50:45 PM
BasePriority : Normal
FileSize : 50 KB
FileVersion : 5.1.2600.0 (XPClient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
OriginalFilename : spoolsv.exe
ProductName : Microsoft
Created on : 8/29/2002 10:00:00 AM
Last accessed : 6/18/2004 5:50:33 PM
Last modified : 8/29/2002 10:00:00 AM

#:10 [navapsvc.exe]
FilePath : C:\Program Files\Norton AntiVirus\
ThreadCreationTime : 6-18-2004 5:50:45 PM
BasePriority : Normal
FileSize : 155 KB
FileVersion : 10.00.2
ProductVersion : 10.00.2
Copyright : Norton AntiVirus 2004 for Windows 98/ME/2000/XP Copyright (c) 2003 Symantec Corporation. All rights reserved.
CompanyName : Symantec Corporation
FileDescription : Norton AntiVirus Auto-Protect Service
InternalName : NAVAPSVC
OriginalFilename : NAVAPSVC.EXE
ProductName : Norton AntiVirus
Created on : 5/23/2004 9:02:35 PM
Last accessed : 6/18/2004 5:49:41 PM
Last modified : 4/23/2004 4:04:18 PM

#:11 [nvsvc32.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 6-18-2004 5:50:45 PM
BasePriority : Normal
FileSize : 72 KB
FileVersion : 6.14.10.4502
ProductVersion : 6.14.10.4502
Copyright : (C) NVIDIA Corporation. All rights reserved.
CompanyName : NVIDIA Corporation
FileDescription : NVIDIA Driver Helper Service, Version 45.02
InternalName : NVSVC
OriginalFilename : nvsvc32.exe
ProductName : NVIDIA Driver Helper Service, Version 45.02
Created on : 1/1/1980 5:00:00 AM
Last accessed : 6/18/2004 5:50:33 PM
Last modified : 11/3/2003 6:46:00 PM

#:12 [savscan.exe]
FilePath : C:\Program Files\Norton AntiVirus\
ThreadCreationTime : 6-18-2004 5:50:46 PM
BasePriority : Normal
FileSize : 189 KB
FileVersion : 9.2.1.14
ProductVersion : 9.2
Copyright : Copyright (c) 2003 Symantec Corporation
CompanyName : Symantec Corporation
FileDescription : Symantec AntiVirus Scanner
InternalName : SAVSCAN
OriginalFilename : SAVSCAN.EXE
ProductName : Symantec AntiVirus AutoProtect
Created on : 1/7/2004 8:34:52 PM
Last accessed : 6/18/2004 5:11:07 PM
Last modified : 1/7/2004 8:34:52 PM

#:13 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 6-18-2004 5:50:46 PM
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 8/29/2002 10:00:00 AM
Last accessed : 6/18/2004 5:50:47 PM
Last modified : 8/29/2002 10:00:00 AM

#:14 [symlcsvc.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\CCPD-LC\
ThreadCreationTime : 6-18-2004 5:50:46 PM
BasePriority : Normal
FileSize : 572 KB
FileVersion : 1, 8, 48, 79
ProductVersion : 1, 8, 48, 79
Copyright : Copyright (C) 2003
CompanyName : Symantec Corporation
FileDescription : Symantec Core Component
InternalName : symlcsvc
OriginalFilename : symlcsvc.exe
ProductName : Symantec Core Component
Created on : 4/29/2004 11:31:28 PM
Last accessed : 6/18/2004 5:50:33 PM
Last modified : 4/29/2004 11:31:28 PM

#:15 [vsmon.exe]
FilePath : C:\WINDOWS\SYSTEM32\ZoneLabs\
ThreadCreationTime : 6-18-2004 5:50:46 PM
BasePriority : Normal
FileSize : 893 KB
FileVersion : 5.0.590.015
ProductVersion : 5.0.590.015
Copyright : Copyright
CompanyName : Zone Labs Inc.
FileDescription : TrueVector Service
InternalName : vsmon
OriginalFilename : vsmon.exe
ProductName : TrueVector Service
Created on : 6/8/2004 9:30:28 PM
Last accessed : 6/18/2004 5:50:46 PM
Last modified : 5/17/2004 9:55:26 AM

#:16 [explorer.exe]
FilePath : C:\WINDOWS\
ThreadCreationTime : 6-18-2004 5:50:52 PM
BasePriority : Normal
FileSize : 980 KB
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
OriginalFilename : EXPLORER.EXE
ProductName : Microsoft
Created on : 8/29/2002 10:00:00 AM
Last accessed : 6/18/2004 5:50:56 PM
Last modified : 8/29/2002 10:00:00 AM

#:17 [intelmem.exe]
FilePath : C:\Program Files\Intel\Modem Event Monitor\
ThreadCreationTime : 6-18-2004 5:50:53 PM
BasePriority : Normal
FileSize : 216 KB
FileVersion : 0, 1, 0, 10
ProductVersion : 0, 1, 0, 10
Copyright : Copyright (C) 2003
CompanyName : Intel Corporation
FileDescription : Modem Event Monitor Application
InternalName : Modem Event Monitor
OriginalFilename : IntelMEM.exe
ProductName : Intel Modem Event Monitor Application
Created on : 4/29/2004 11:21:40 PM
Last accessed : 6/18/2004 5:50:33 PM
Last modified : 9/4/2003 1:12:44 AM

#:18 [dsentry.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 6-18-2004 5:50:53 PM
BasePriority : Normal
FileSize : 28 KB
FileVersion : 1, 0, 5, 0
ProductVersion : 1, 0, 5, 0
Copyright : Copyright
CompanyName : Dell - Advanced Desktop Engineering
FileDescription : DVDSentry
InternalName : DVDSentry
OriginalFilename : DSentry.exe
ProductName : Dell - DVDSentry
Created on : 8/13/2003 3:27:40 PM
Last accessed : 6/18/2004 5:50:33 PM
Last modified : 8/13/2003 3:27:40 PM

#:19 [pcmservice.exe]
FilePath : C:\Program Files\Dell\Media Experience\
ThreadCreationTime : 6-18-2004 5:50:53 PM
BasePriority : Normal
FileSize : 200 KB
FileVersion : 1.0.0826
ProductVersion : 1.0.0826
Copyright : Copyright c 2003 CyberLink Corp.
CompanyName : CyberLink Corp.
FileDescription : PowerCinema Resident Program for Dell
InternalName : PowerCinema Resident Program for Dell
OriginalFilename : PCM2Launcher.EXE
ProductName : PCM2Launcher Application
Created on : 4/29/2004 11:23:18 PM
Last accessed : 6/18/2004 5:50:33 PM
Last modified : 8/27/2003 12:47:34 AM

#:20 [ccapp.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ThreadCreationTime : 6-18-2004 5:50:53 PM
BasePriority : Normal
FileSize : 69 KB
FileVersion : 2.1.0.610
ProductVersion : 2.1.0.610
Copyright : Copyright (c) 2000-2003 Symantec Corporation. All rights reserved.
CompanyName : Symantec Corporation
FileDescription : Common Client User Session
InternalName : ccApp
OriginalFilename : ccApp.exe
ProductName : Common Client
Created on : 1/7/2004 8:35:08 PM
Last accessed : 6/18/2004 5:50:58 PM
Last modified : 1/7/2004 8:35:08 PM

#:21 [support.exe]
FilePath : C:\Program Files\Common Files\Dell\EUSW\
ThreadCreationTime : 6-18-2004 5:50:53 PM
BasePriority : Normal
FileSize : 288 KB
FileVersion : 2, 0, 0, 34
ProductVersion : 1, 0, 0, 1
Copyright : Copyright
CompanyName : Dell
FileDescription : Support
InternalName : Support
OriginalFilename : Support.exe
ProductName : Dell Support
Created on : 10/7/2003 9:21:10 PM
Last accessed : 6/18/2004 5:50:53 PM
Last modified : 10/7/2003 9:21:10 PM

#:22 [zlclient.exe]
FilePath : C:\Program Files\Zone Labs\ZoneAlarm\
ThreadCreationTime : 6-18-2004 5:50:53 PM
BasePriority : Normal
FileSize : 681 KB
FileVersion : 5.0.590.015
ProductVersion : 5.0.590.015
Copyright : Copyright
CompanyName : Zone Labs Inc.
FileDescription : Zone Labs Client
InternalName : zlclient
OriginalFilename : zlclient.exe
ProductName : Zone Labs Client
Created on : 6/8/2004 9:30:32 PM
Last accessed : 6/18/2004 5:50:33 PM
Last modified : 5/17/2004 9:56:14 AM

#:23 [ituneshelper.exe]
FilePath : C:\Program Files\iTunes\
ThreadCreationTime : 6-18-2004 5:50:53 PM
BasePriority : Normal
FileSize : 280 KB
FileVersion : 4.6.0.15
ProductVersion : 4.6.0.15
CompanyName : Apple Computer, Inc.
FileDescription : iTunesHelper Module
InternalName : iTunesHelper
OriginalFilename : iTunesHelper.exe
ProductName : iTunes
Created on : 6/4/2004 5:38:12 PM
Last accessed : 6/18/2004 5:50:33 PM
Last modified : 6/4/2004 5:38:12 PM

#:24 [ipodservice.exe]
FilePath : C:\Program Files\iPod\bin\
ThreadCreationTime : 6-18-2004 5:50:53 PM
BasePriority : Normal
FileSize : 392 KB
FileVersion : 4.6.0.15
ProductVersion : 4.6.0.15
CompanyName : Apple Computer, Inc.
FileDescription : iPodService Module
InternalName : iPodService
OriginalFilename : iPodService.exe
ProductName : iTunes
Created on : 6/4/2004 5:37:56 PM
Last accessed : 6/18/2004 5:49:43 PM
Last modified : 6/4/2004 5:37:56 PM

#:25 [msbntray.exe]
FilePath : C:\Program Files\Microsoft Broadband Networking\
ThreadCreationTime : 6-18-2004 5:50:54 PM
BasePriority : Normal
FileSize : 428 KB
FileVersion : 2.0.654
ProductVersion : 2.0.654
Copyright : Copyright
CompanyName : Microsoft Corporation
FileDescription : Microsoft Broadband Networking Tray Application
InternalName : MSBNTray.exe
OriginalFilename : MSBNTray.exe
ProductName : Microsoft Broadband Networking Software
Created on : 1/19/2004 11:58:52 PM
Last accessed : 6/18/2004 5:50:54 PM
Last modified : 1/19/2004 11:58:52 PM

#:26 [ad-aware.exe]
FilePath : C:\PROGRA~1\Lavasoft\AD-AWA~1\
ThreadCreationTime : 6-18-2004 5:53:28 PM
BasePriority : Normal
FileSize : 668 KB
FileVersion : 6.0.1.181
ProductVersion : 6.0.0.0
Copyright : Copyright
CompanyName : Lavasoft Sweden
FileDescription : Ad-aware 6 core application
InternalName : Ad-aware.exe
OriginalFilename : Ad-aware.exe
ProductName : Lavasoft Ad-aware Plus
Created on : 5/24/2004 9:24:04 AM
Last accessed : 6/18/2004 5:53:29 PM
Last modified : 7/13/2003 2:00:20 AM

#:27 [notifyalert.exe]
FilePath : C:\Program Files\Dell\Support\Alert\bin\
ThreadCreationTime : 6-18-2004 5:56:12 PM
BasePriority : Normal
FileSize : 344 KB
FileVersion : 2.1.0.72
ProductVersion : 2.1.0.72
InternalName : NotifyAlert.exe
OriginalFilename : NotifyAlert.exe
Created on : 10/7/2003 9:20:18 PM
Last accessed : 6/18/2004 5:50:33 PM
Last modified : 10/7/2003 9:20:18 PM

#:28 [msmsgs.exe]
FilePath : C:\Program Files\Messenger\
ThreadCreationTime : 6-18-2004 5:58:09 PM
BasePriority : Normal
FileSize : 1456 KB
FileVersion : 4.7.2009
ProductVersion : Version 4.7
Copyright : Copyright (c) Microsoft Corporation 1997-2003
CompanyName : Microsoft Corporation
FileDescription : Messenger
InternalName : msmsgs
OriginalFilename : msmsgs.exe
ProductName : Messenger
Created on : 4/15/2003 12:30:14 AM
Last accessed : 6/18/2004 5:58:10 PM
Last modified : 4/15/2003 12:30:14 AM

Memory scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0


Started registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

CoolWebSearch Object recognized!
Type : RegValue
Data :
Rootkey : HKEY_CURRENT_USER
Object : SOFTWARE\Microsoft\Internet Explorer\Main
Value : HOMEOldSP


Registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 1
Objects found so far: 1


Started deep registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainSearch Pagetemp\sp.html

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "file://C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\sp.html"
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Main
Value : Search Page
Data : "file://C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\sp.html"

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainSearch Bartemp\sp.html

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "file://C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\sp.html"
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Main
Value : Search Bar
Data : "file://C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\sp.html"

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\SearchSearchAssistanttemp\sp.html

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "file://C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\sp.html"
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Search
Value : SearchAssistant
Data : "file://C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\sp.html"

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainSearch Pagetemp\sp.html

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "file://C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\sp.html"
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet Explorer\Main
Value : Search Page
Data : "file://C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\sp.html"

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainSearch Bartemp\sp.html

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "file://C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\sp.html"
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet Explorer\Main
Value : Search Bar
Data : "file://C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\sp.html"

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\SearchSearchAssistanttemp\sp.html

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "file://C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\sp.html"
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet Explorer\Search
Value : SearchAssistant
Data : "file://C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\sp.html"


CoolWebSearch Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{03CD9511-D37D-4F67-9D17-5E7206086133}


CoolWebSearch Object recognized!
Type : File
Data : pnpcpd.dll
Object : c:\windows\system32\
FileSize : 30 KB
Created on : 6/16/2004 7:33:39 PM
Last accessed : 6/18/2004 5:25:36 PM
Last modified : 6/16/2004 7:33:39 PM



CoolWebSearch Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{4C47CBCF-8999-4D00-8751-40FE750ADAC8}


CoolWebSearch Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{523C5C0E-CAD6-494A-BC66-3EDC17349325}


CoolWebSearch Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{DBE3AD1F-9CB4-46F4-8947-804DC7D5E0ED}


CoolWebSearch Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{E650C053-5CAB-42FB-8679-D6146180E61C}


WinFavorites Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : WMPPublsihCntr.WMPPublsihCntr


WinFavorites Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : WMPPublsihCntr.WMPPublsihCntr.1


CoolWebSearch Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4C47CBCF-8999-4D00-8751-40FE750ADAC8}


Deep registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 14
Objects found so far: 16


¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯


Deep scanning and examining files (C
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯


Performing conditional scans..
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

CoolWebSearch Object recognized!
Type : File
Data : sp.html
Object : c:\docume~1\andrew~1\locals~1\temp\
FileSize : 7 KB
Created on : 6/15/2004 4:03:27 AM
Last accessed : 6/18/2004 5:56:01 PM
Last modified : 6/18/2004 5:56:01 PM



Conditional scan result:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 1
Objects found so far: 17


1:00:51 PM Scan complete

Summary of this scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Total scanning time :00:01:15:828
Objects scanned :51479
Objects identified :17
Objects ignored :0
New objects :17
Reply With Quote Quick reply to this message  
Join Date: Feb 2004
Posts: 10,085
Reputation: crunchie is a splendid one to behold crunchie is a splendid one to behold crunchie is a splendid one to behold crunchie is a splendid one to behold crunchie is a splendid one to behold crunchie is a splendid one to behold crunchie is a splendid one to behold 
Solved Threads: 765
Moderator
Featured Poster
crunchie's Avatar
crunchie crunchie is offline Offline
Spyware Killer

Re: Possible CWS problem

 
0
  #14
Jun 19th, 2004
Download CWShredder from here & run it. Select the fix button & it will get rid of everything related to CoolWebSearch that is stored in it's database. Close ALL windows, including IE, before running CWShredder. Reboot.

To help prevent this from happening again, install the patches for the vulnerabilities that this hijacker exploits by going here for your critical updates.

Reboot after doing this & post another log please.
Proud member of ASAP (Alliance of Security analysis Professionals).
Opera AVAST anti-virus Comodo Firewall Spywareblaster
Reply With Quote Quick reply to this message  
Join Date: Jun 2004
Posts: 14
Reputation: visonare is an unknown quantity at this point 
Solved Threads: 0
visonare visonare is offline Offline
Newbie Poster

Re: Possible CWS problem

 
0
  #15
Jun 24th, 2004
I ran Ad-Aware after installing a new update for it. It killed off the cool web search files and this time they didn't pop back up. Sorry about the delay in responding, for some reason or another I was beginning to get java errors when attempting to load any webpage. I reinstalled java on my machine and now its working fine. Thanks for your help.
Reply With Quote Quick reply to this message  
Join Date: Feb 2004
Posts: 10,085
Reputation: crunchie is a splendid one to behold crunchie is a splendid one to behold crunchie is a splendid one to behold crunchie is a splendid one to behold crunchie is a splendid one to behold crunchie is a splendid one to behold crunchie is a splendid one to behold 
Solved Threads: 765
Moderator
Featured Poster
crunchie's Avatar
crunchie crunchie is offline Offline
Spyware Killer

Re: Possible CWS problem

 
0
  #16
Jun 25th, 2004
You're welcome .
Proud member of ASAP (Alliance of Security analysis Professionals).
Opera AVAST anti-virus Comodo Firewall Spywareblaster
Reply With Quote Quick reply to this message  
Reply
1 2

Quick Reply to Thread
This thread has been marked solved.
Perhaps start a new thread instead?
Message:



Other Threads in the Viruses, Spyware and other Nasties Forum
Thread Tools Search this Thread



Tag cloud for Viruses, Spyware and other Nasties
adobe adware anti-malware anti-virussitesaccessissue antivirus apple attack audio avg backtoschoolspeech bar blackhat botnet botnets censorship china commercial commercials conficker connect control crosssitescripting cyber cybercrime cyberwarfare ddos domains e-mafia education email europe exam exploit facebook fake fancheckvirus gaming gumblar hijack hosting internet iphone kaspersky legal logfiles mail malware mcafee mega-d messagelabs microsoft mobile msn news obama panel parents patch phishing police policeprovirusmba-mblockedinternetaccess president privacy pro problem redirect redirecting reliability report research risk rogueantivirus scareware school search security seopoisoning software spam spyware spywareexternalwindows7adminstratortrojans sqlinjection symantec system teen threat trojan unabletoaccessanti-virussites unwanted update usa virus viruses vista volume vulnerability warning windows worm zero-day
About Us | Contact Us | Advertise | DaniWeb | Acceptable Use Policy | RSS Feed

©2003 - 2009 DaniWeb® LLC