Win32.trojan.agent.bi and Coolwebsearch :(

Question

RaineX 0 Newbie Poster

18 Years Ago

Hey guys, sorry to bother you but i, like so many others, have been infected with this crap that won't go away. I have the about:blank Coolwebsearch malware, as well as the Win32 trojan. I ran ad-aware and thats what it told me anyway...a lot of CWS and Win32. I've tried figuring this out for myself by getting into the registry after reading what was said ot others with similar problems, but it doesn't work. Any help would be greatly appreciated. Here's my HJT log. Thanks.

Logfile of HijackThis v1.99.1
Scan saved at 9:53:37 AM, on 07/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\javaqa32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\msya32.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\LVComS.exe
C:\Program Files\Logitech\Video\LowLight.exe
C:\Documents and Settings\Matt\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ncogg.dll/sp.html#12047
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ncogg.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ncogg.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ncogg.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ncogg.dll/sp.html#12047
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ncogg.dll/sp.html#12047
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ncogg.dll/sp.html#12047
R3 - Default URLSearchHook is missing
O2 - BHO: GDS module - {A084A565-B09B-4e4c-A497-7CC50AEAB2A7} - C:\WINDOWS\gds.dll
O2 - BHO: Class - {F4625626-5DCB-AEB7-598A-486B27B92A72} - C:\WINDOWS\system32\systn32.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [msya32.exe] C:\WINDOWS\msya32.exe
O4 - HKLM\..\RunOnce: [javaqa32.exe] C:\WINDOWS\system32\javaqa32.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: FriendFinder Messenger.lnk = C:\Program Files\FriendFinder Messenger\FriendFinder Messenger.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: ConferenceRoom Java Client - http://irc.theamateurchat.com/java/cr.cab
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://www.phgenit.com/plugin/awarewebplayer/download/smart/cab/awswaxf.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_42.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/06f89839c68b5326f406/netzip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1099631719984
O16 - DPF: {861FDA2A-2B57-4BDA-8B8B-305C9D5D8604} (_Multimedia Player) - http://www.pussyharem.com/stream/mmp.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O20 - Winlogon Notify: OemStartMenuData - C:\WINDOWS\
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\ntfe.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

windows-virus

2 Contributors
9 Replies
452 Views
1 Week Discussion Span
Latest Post 18 Years Ago Latest Post by dlh6213

All 9 Replies

dlh6213 27 Posting Maven

18 Years Ago

Hi RaineX, welcome to DaniWeb :D

Start with this --

For every User listed under C:\Documents and Settings, delete the entire contents of these folders (not the folders themselves):

Local Settings\Temp
Cookies
History
Local Settings\Temporary Internet Files\Content.IE5

Delete the entire contents of your C:\Windows\Temp folder.

Delete the entire contents of your C:\Temp folder (if you have one).

Do a search for *.tmp and delete all entries found.

Note: if any of these temporary files cannot be deleted while in normal mode, try Safe Mode.

Update your anitvirus program and run a full system scan.

Run a at least two of these free online anti-virus/anti-spyware scans and have them clean what they can:

http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://us.mcafee.com/root/mfs/default.asp?cid=9914
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php

Download, install, update, and run these tools:

CWShredder -- http://www.intermute.com/spysubtract/cwshredder_download.html
about:Buster -- http://www.majorgeeks.com/download4289.html
HSRemove -- http://www.majorgeeks.com/download4286.html
PurityScan uninstaller -- http://www.purityscan.com/uninstall.html

Download Ewido Security Suite -- http://fileforum.betanews.com/detail/ewido_security_suite/1098736486/1
Install it, and while installing, under Additional Options, uncheck Install background guard and Install scan via context menu.
From the main Ewido screen, click on Update in the left menu, and then click the Start update button. After the update finishes (the status bar at the bottom will display Update successful), close the program (don't scan yet). If you have problems updating see here:
http://www.ewido.net/en/download/updates/
Note -- When you run Ewido for the first time, you will get the warning Database could not be found!, click OK when you do.

Reboot into Safe Mode (reboot your computer and tap the F8 key while it's starting back up).

Run a full system scan with Ewido (note: you will be posting the log from this scan when back in normal mode).

Empty your Recycle Bin and reboot normally.

Close any open browser windows, scan with hijackthis, and post a new log along with the Ewido log.

dlh6213 27 Posting Maven

18 Years Ago

Well that helped some; on to part two...

You should clean up your browser by clicking on Tools, and then select Options.
Click the Privacy icon on the Option menu bar to open the Privacy Properties.
Click the Clear All button at the bottom of the window.
Click OK to return to the browser main page.
Exit the browser.

Scan with hijackthis and have it fix the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\cydja.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\cydja.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\cydja.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\cydja.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\cydja.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\cydja.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\cydja.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: GDS module - {A084A565-B09B-4e4c-A497-7CC50AEAB2A7} - C:\WINDOWS\gds.dll (file missing)
O2 - BHO: Class - {F4625626-5DCB-AEB7-598A-486B27B92A72} - C:\WINDOWS\system32\systn32.dll
O4 - HKLM\..\Run: [d3vv.exe] C:\WINDOWS\d3vv.exe
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
Note: you can leave any of those O15 entries if you put them in your Trusted Zone yourself.
O16 - DPF: ConferenceRoom Java Client - http://irc.theamateurchat.com/java/cr.cab
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://www.phgenit.com/plugin/aware...cab/awswaxf.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/c...DC_1_0_0_42.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/06f8983...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...b?1099631719984
O16 - DPF: {861FDA2A-2B57-4BDA-8B8B-305C9D5D8604} (_Multimedia Player) - http://www.pussyharem.com/stream/mmp.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download...ller/dwnldr.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\winln.exe

Be sure all windows are closed, other then hijackthis, before hitting Fix checked.

Go to the following locations and delete the highlighted files (if present):

C:\WINDOWS\d3vv.exe
C:\WINDOWS\gds.dll
C:\WINDOWS\system32\systn32.dll
C:\WINDOWS\system32\cydja.dll
C:\WINDOWS\system32\winln.exe

Go to C:\WINDOWS\cryp32.exe, right-click on cryp32.exe, go to Properties, and give us whatever info you can on it (Company, version, etc.).

Empty your Recycle Bin and reboot.

Close any open browser windows, scan with hijackthis, and post a new log please.

dlh6213 27 Posting Maven

18 Years Ago

Looks like it's going to be stubborn :(

Try this... (Do not to reboot until instructed to do so).

Download CWShredder 2.14 from here:
http://www.intermute.com/products/cwshredder.html
Run it and press the Fix, not scan, and allow it to clean the infection

Physically disconnect your Internet/network cable from your computer.

Run HSRemove, and about:Buster consecutively; have them fix whatever they find.

Run CWShredder and press Fix (not scan).

Reboot into Safe Mode.

Run HSRemove, CWShredder, and about:Buster (yes, again).

Run HijackThis again and have it fix the following entries (don't worry if the actual filenames in the entries have changed):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\bdulc.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\bdulc.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\bdulc.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\bdulc.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\bdulc.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\bdulc.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\bdulc.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\winln.exe (file missing)

Be sure your system is set to Show hidden files and folders.

Go to the following locations and delete the highlighted files (if the filenames have changed, delete whatever filename(s) now appear in the R1 & R0 entries of your log):

C:\WINDOWS\system32\bdulc.dll

Go to each of these files, right-click, go to Properties, and give us whatever info you can:

C:\WINDOWS\cryp32.exe
C:\WINDOWS\system32\d3dh.exe
C:\WINDOWS\syscn.exe

For every user account listed under C:\Documents and Settings, delete the entire contents of these folders (but not the folders themselves):

Cookies
Local Settings\Temp
Local Settings\History
Local Settings\Temporary Internet Files

C:\Windows\Temp
C:\Temp (if you have one)
C:\Windows\Prefetch
Do a search for *.tmp and delete all entries found

Empty your Recycle Bin and reboot normally.

Close any open browser windows, scan with HijackThis, and post a new log please.

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

RaineX 0 Newbie Poster · Answer 1 · 2005-06-07T22:54:49+00:00

Alright, i did all of this, except i coudln't get the on-line virus scans to work properly, i'm currently using Mozilla while IE is down, so i kept getting errors whenever i tried to scan. I completed the rest however.

Here is my Ewido log:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------


+ Created on:           12:47:59 PM, 07/06/2005
+ Report-Checksum:      85119A7B


+ Scan result:


HKLM\SOFTWARE\Classes\CLSID\{2FB10B1F-E342-08A1-CBAA-D4A2CD2ABAC6} -> Spyware.CoolWebSearch
HKLM\SOFTWARE\Classes\CLSID\{43F226F3-3EDD-1F6E-B1F9-426F80DAB07E} -> Spyware.CoolWebSearch
HKLM\SOFTWARE\Classes\CLSID\{447160CD-ECF5-4EA2-8A8A-1F70CA363F85} -> Spyware.ClientMan
HKLM\SOFTWARE\Classes\CLSID\{5AF0B5AF-80E5-5F00-7457-4FF9847707D9} -> Spyware.CoolWebSearch
HKLM\SOFTWARE\Classes\CLSID\{6257B617-2809-056A-FCEC-83AB849FBF72} -> Spyware.CoolWebSearch
HKLM\SOFTWARE\Classes\CLSID\{676575DD-4D46-911D-8037-9B10D6EE8BB5} -> Spyware.CoolWebSearch
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE -> Spyware.CoolWebSearch
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW -> Spyware.CoolWebSearch
HKLM\SOFTWARE\SearchRelevancy -> Spyware.SearchRelevancy
HKLM\SOFTWARE\SearchRelevancy\Update -> Spyware.SearchRelevancy
[428] C:\WINDOWS\System32\winlspak.dll -> TrojanDownloader.Agent.br
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Altnet1.zip -> Heuristic.Suspicious-Zip
:mozilla.11:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\klsklhoy.default\cookies.txt -> Spyware.Cookie.Atdmt
:mozilla.8:C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\default.hrc\cookies.txt -> Spyware.Cookie.Myaffiliateprogram
:mozilla.11:C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\default.hrc\cookies.txt -> Spyware.Cookie.Atdmt
:mozilla.15:C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\default.hrc\cookies.txt -> Spyware.Cookie.Netshelter
:mozilla.18:C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\default.hrc\cookies.txt -> Spyware.Cookie.Netshelter
:mozilla.19:C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\default.hrc\cookies.txt -> Spyware.Cookie.Adtech
:mozilla.20:C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\default.hrc\cookies.txt -> Spyware.Cookie.Adtech
:mozilla.21:C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\default.hrc\cookies.txt -> Spyware.Cookie.Smarttargetting
:mozilla.22:C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\default.hrc\cookies.txt -> Spyware.Cookie.Tribalfusion
:mozilla.24:C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\default.hrc\cookies.txt -> Spyware.Cookie.Trendmicro
:mozilla.29:C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\default.hrc\cookies.txt -> Spyware.Cookie.Webtrendslive
:mozilla.32:C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\default.hrc\cookies.txt -> Spyware.Cookie.Doubleclick
:mozilla.35:C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\default.hrc\cookies.txt -> Spyware.Cookie.Addynamix
:mozilla.38:C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\default.hrc\cookies.txt -> Spyware.Cookie.Realmedia
:mozilla.39:C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\default.hrc\cookies.txt -> Spyware.Cookie.Realmedia
:mozilla.40:C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\default.hrc\cookies.txt -> Spyware.Cookie.Targetnet
:mozilla.45:C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\default.hrc\cookies.txt -> Spyware.Cookie.Falkag
:mozilla.60:C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\default.hrc\cookies.txt -> Spyware.Cookie.Mediaplex
:mozilla.6:C:\Documents and Settings\Mom\Application Data\Mozilla\Firefox\Profiles\217vd1lz.default\cookies.txt -> Spyware.Cookie.Atdmt
:mozilla.15:C:\Documents and Settings\Mom\Application Data\Mozilla\Firefox\Profiles\217vd1lz.default\cookies.txt -> Spyware.Cookie.Advertising
:mozilla.16:C:\Documents and Settings\Mom\Application Data\Mozilla\Firefox\Profiles\217vd1lz.default\cookies.txt -> Spyware.Cookie.Advertising
:mozilla.23:C:\Documents and Settings\Mom\Application Data\Mozilla\Firefox\Profiles\217vd1lz.default\cookies.txt -> Spyware.Cookie.Mediaplex
:mozilla.24:C:\Documents and Settings\Mom\Application Data\Mozilla\Firefox\Profiles\217vd1lz.default\cookies.txt -> Spyware.Cookie.Questionmarket
:mozilla.25:C:\Documents and Settings\Mom\Application Data\Mozilla\Firefox\Profiles\217vd1lz.default\cookies.txt -> Spyware.Cookie.Doubleclick
:mozilla.27:C:\Documents and Settings\Mom\Application Data\Mozilla\Firefox\Profiles\217vd1lz.default\cookies.txt -> Spyware.Cookie.Hitbox
:mozilla.30:C:\Documents and Settings\Mom\Application Data\Mozilla\Firefox\Profiles\217vd1lz.default\cookies.txt -> Spyware.Cookie.Hitbox
:mozilla.31:C:\Documents and Settings\Mom\Application Data\Mozilla\Firefox\Profiles\217vd1lz.default\cookies.txt -> Spyware.Cookie.Hitbox
:mozilla.36:C:\Documents and Settings\Mom\Application Data\Mozilla\Firefox\Profiles\217vd1lz.default\cookies.txt -> Spyware.Cookie.Boldchat
:mozilla.38:C:\Documents and Settings\Mom\Application Data\Mozilla\Firefox\Profiles\217vd1lz.default\cookies.txt -> Spyware.Cookie.Ticketmaster
:mozilla.39:C:\Documents and Settings\Mom\Application Data\Mozilla\Firefox\Profiles\217vd1lz.default\cookies.txt -> Spyware.Cookie.Ticketmaster
:mozilla.18:C:\Documents and Settings\Nat\Application Data\Mozilla\Firefox\Profiles\ghzd2ebk.default\cookies.txt -> Spyware.Cookie.Atdmt
:mozilla.19:C:\Documents and Settings\Nat\Application Data\Mozilla\Firefox\Profiles\ghzd2ebk.default\cookies.txt -> Spyware.Cookie.Mediaplex
:mozilla.23:C:\Documents and Settings\Nat\Application Data\Mozilla\Firefox\Profiles\ghzd2ebk.default\cookies.txt -> Spyware.Cookie.Doubleclick
:mozilla.27:C:\Documents and Settings\Nat\Application Data\Mozilla\Firefox\Profiles\ghzd2ebk.default\cookies.txt -> Spyware.Cookie.Casalemedia
:mozilla.28:C:\Documents and Settings\Nat\Application Data\Mozilla\Firefox\Profiles\ghzd2ebk.default\cookies.txt -> Spyware.Cookie.Fastclick
:mozilla.29:C:\Documents and Settings\Nat\Application Data\Mozilla\Firefox\Profiles\ghzd2ebk.default\cookies.txt -> Spyware.Cookie.Webmd
:mozilla.32:C:\Documents and Settings\Nat\Application Data\Mozilla\Firefox\Profiles\ghzd2ebk.default\cookies.txt -> Spyware.Cookie.Tribalfusion
C:\Program Files\Logitech\Desktop Messenger\8876480\6.1.4.36-8876480L\Program\runner.exe -> Spyware.BackWeb
C:\Program Files\Microsoft Office\Office\MSOHTMED.EXE -> Heuristic.Win32.Downloader
C:\RECYCLER\NPROTECT\00001004.exe -> TrojanDownloader.Agent.bq
C:\RECYCLER\NPROTECT\00001005.exe -> Trojan.Agent.bi
C:\RECYCLER\NPROTECT\00001006.dll -> Spyware.SearchPage
C:\RECYCLER\NPROTECT\00001007.dll -> Spyware.SearchPage
C:\RECYCLER\NPROTECT\00001008.dll -> Spyware.SearchPage
C:\RECYCLER\NPROTECT\00001009.dll -> Spyware.SearchPage
C:\RECYCLER\NPROTECT\00001010.dll -> Spyware.SearchPage
C:\RECYCLER\NPROTECT\00001056.dll -> Spyware.SearchPage
C:\RECYCLER\NPROTECT\00001079.exe -> TrojanDownloader.Agent.oq
C:\RECYCLER\NPROTECT\00001087.exe -> TrojanDownloader.Agent.oq
C:\RECYCLER\NPROTECT\00001089.exe -> TrojanDownloader.Agent.oq
C:\RECYCLER\NPROTECT\00001090.exe -> TrojanDownloader.Agent.oq
C:\RECYCLER\NPROTECT\00001095.dll -> Spyware.SearchPage
C:\RECYCLER\NPROTECT\00001098.exe -> TrojanDownloader.Agent.oq
C:\RECYCLER\NPROTECT\00001099.exe -> TrojanDownloader.Agent.oq
C:\RECYCLER\NPROTECT\00001100.exe -> TrojanDownloader.Agent.oq
C:\RECYCLER\NPROTECT\00001103.exe -> TrojanDownloader.Agent.oq
C:\WINDOWS\addcr.exe -> TrojanDownloader.Agent.ap
C:\WINDOWS\apind.dll -> TrojanDownloader.Agent.bc
C:\WINDOWS\apphn.exe -> TrojanDownloader.Agent.bq
C:\WINDOWS\applp.exe -> Trojan.Agent.bi
C:\WINDOWS\apprh32.exe -> TrojanDownloader.Agent.ap
C:\WINDOWS\cdplayer.ini:jphzzi -> Trojan.Agent.bi
C:\WINDOWS\cdplayer.ini:uqzir -> TrojanDownloader.Agent.bq
C:\WINDOWS\cryp32.exe -> TrojanDownloader.Agent.ap
C:\WINDOWS\desktop.ini:tlkzmt -> Trojan.Agent.bi
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\WinCtlAdX.dll -> Spyware.WinAD
C:\WINDOWS\Downloaded Program Files\YSBactivex.dll -> TrojanDownloader.IstBar.gp
C:\WINDOWS\EDow_AS2.exe -> TrojanDownloader.QDown.m
C:\WINDOWS\eqlsUIConfig.ini:wjupl -> TrojanDownloader.Agent.bc
C:\WINDOWS\eula.htm:mldegw -> Trojan.Agent.bi
C:\WINDOWS\gds.dll -> Heuristic.Win32.Downloader
C:\WINDOWS\gpl.dll -> Spyware.Gpl
C:\WINDOWS\ipix32.exe -> Trojan.Agent.bi
C:\WINDOWS\mfchd32.exe -> Trojan.Agent.bi
C:\WINDOWS\mfcyy32.dll -> TrojanDownloader.Agent.bc
C:\WINDOWS\mxtarget.ini:sopykm -> Trojan.Agent.bi
C:\WINDOWS\netac32.exe -> TrojanDownloader.Agent.ap
C:\WINDOWS\NTIWVEDT.INI:kpilew -> Trojan.Agent.bi
C:\WINDOWS\NTIWVEDT.INI:kscsuc -> Trojan.Agent.bi
C:\WINDOWS\n_gkburp.txt -> TrojanDownloader.Agent.ap
C:\WINDOWS\n_jpmtdg.txt:vpbrgy -> TrojanDownloader.Agent.bq
C:\WINDOWS\n_jpmtdg.txt -> TrojanDownloader.Agent.ap
C:\WINDOWS\n_pflczd.txt -> TrojanDownloader.Agent.oq
C:\WINDOWS\n_vafkcj.txt -> TrojanDownloader.Agent.ap
C:\WINDOWS\ODBC.INI:xvmnh -> TrojanDropper.Small.tn
C:\WINDOWS\SchedLgU.Txt:fiipwp -> Trojan.Agent.bi
C:\WINDOWS\SchedLgU.Txt:mlhmnw -> Trojan.Agent.bi
C:\WINDOWS\sdkll32.exe -> TrojanDownloader.Agent.ap
C:\WINDOWS\setdebug.exe:kuqse -> TrojanDownloader.Agent.bq
C:\WINDOWS\SIGVERIF.TXT:kjbpnt -> Trojan.Agent.bi
C:\WINDOWS\smscfg.ini:yllguf -> Trojan.Agent.bi
C:\WINDOWS\sysms32.exe -> Trojan.Agent.bi
C:\WINDOWS\system32:pjaa.dll -> Heuristic.Win32.Downloader
C:\WINDOWS\system32\addbd.exe -> TrojanDownloader.Agent.ap
C:\WINDOWS\system32\atldz.exe -> TrojanDownloader.Agent.oq
C:\WINDOWS\system32\calsp.dll -> TrojanDownloader.Agent.br
C:\WINDOWS\system32\carules.dll -> Spyware.Coupon
C:\WINDOWS\system32\cryp.exe -> Trojan.Agent.bi
C:\WINDOWS\system32\cydja.dll -> Spyware.SearchPage
C:\WINDOWS\system32\ielx32.exe -> Trojan.Agent.bi
C:\WINDOWS\system32\iesj32.exe -> Trojan.Agent.bi
C:\WINDOWS\system32\mfcqp32.exe -> Trojan.Agent.bi
C:\WINDOWS\system32\mscjjn.dll -> Spyware.180Solutions
C:\WINDOWS\system32\mshw32.exe -> TrojanDownloader.Agent.ap
C:\WINDOWS\system32\netdc.dll -> TrojanDownloader.Agent.bc
C:\WINDOWS\system32\netes.exe -> Trojan.Agent.bi
C:\WINDOWS\system32\netip.exe -> Trojan.Agent.bi
C:\WINDOWS\system32\netun32.exe -> Trojan.Agent.bi
C:\WINDOWS\system32\ntfe.dll -> TrojanDownloader.Agent.bc
C:\WINDOWS\system32\sdkok32.exe -> Trojan.Agent.bi
C:\WINDOWS\system32\sysiq32.dll -> TrojanDownloader.Agent.bc
C:\WINDOWS\system32\__delete_on_reboot__calsp.dll -> TrojanDownloader.Agent.br
C:\WINDOWS\system32\__delete_on_reboot__winlspak.dll -> TrojanDownloader.Agent.br
C:\WINDOWS\sysux.exe -> Trojan.Agent.bi
C:\WINDOWS\trace.txt:mxxiqy -> Trojan.Agent.bi
C:\WINDOWS\twain.dll:qqpar -> TrojanDownloader.Agent.ap
C:\WINDOWS\vb.ini:pkmadp -> Trojan.Agent.bi
C:\WINDOWS\vbaddin.ini:hcjhpn -> Trojan.Agent.bi
C:\WINDOWS\VSWizard.ini:fpmkow -> Trojan.Agent.bi
C:\WINDOWS\VSWizard.ini:njknoz -> Trojan.Agent.bi
C:\WINDOWS\WAR2R.INI:ljgqru -> Trojan.Agent.bi
C:\WINDOWS\wininit.ini:hvnzxn -> Trojan.Agent.bi
C:\WINDOWS\_delis32.ini:ucwqp -> TrojanDownloader.Agent.bq
C:\WINDOWS\_MSRSTRT.EXE:atcwql -> Trojan.Agent.bi
C:\WINDOWS\_MSRSTRT.EXE:bixkpd -> Trojan.Agent.bi
C:\WINDOWS\_MSRSTRT.EXE:bjelmt -> TrojanDownloader.Agent.bq
C:\WINDOWS\_MSRSTRT.EXE:bwuwjd -> TrojanDownloader.Agent.bq
C:\WINDOWS\_MSRSTRT.EXE:bymjmh -> Trojan.Agent.bi
C:\WINDOWS\_MSRSTRT.EXE:crmdqs -> Trojan.Agent.bi
C:\WINDOWS\_MSRSTRT.EXE:crvtyk -> TrojanDownloader.Agent.bq
C:\WINDOWS\_MSRSTRT.EXE:cvvyy -> TrojanDropper.Small.tn
C:\WINDOWS\_MSRSTRT.EXE:dlwdn -> TrojanDownloader.Agent.bc
C:\WINDOWS\_MSRSTRT.EXE:eckeru -> TrojanDownloader.Agent.bq
C:\WINDOWS\_MSRSTRT.EXE:fhomwd -> TrojanDownloader.Agent.bq
C:\WINDOWS\_MSRSTRT.EXE:fxyju -> TrojanDownloader.Agent.bq
C:\WINDOWS\_MSRSTRT.EXE:idbjpb -> Trojan.Agent.bi
C:\WINDOWS\_MSRSTRT.EXE:ieoltk -> Trojan.Agent.bi
C:\WINDOWS\_MSRSTRT.EXE:ijugki -> Trojan.Agent.bi
C:\WINDOWS\_MSRSTRT.EXE:jchnpt -> TrojanDownloader.Agent.bq
C:\WINDOWS\_MSRSTRT.EXE:jfaiqv -> TrojanDownloader.Agent.bc
C:\WINDOWS\_MSRSTRT.EXE:jjiaa -> TrojanDownloader.Agent.bq
C:\WINDOWS\_MSRSTRT.EXE:jxcerw -> Trojan.Agent.bi
C:\WINDOWS\_MSRSTRT.EXE:jxwlyu -> TrojanDownloader.Agent.bq
C:\WINDOWS\_MSRSTRT.EXE:kirrzf -> Spyware.SearchPage
C:\WINDOWS\_MSRSTRT.EXE:kqtjgc -> TrojanDownloader.Agent.ap
C:\WINDOWS\_MSRSTRT.EXE:ljdsju -> TrojanDownloader.Agent.bq
C:\WINDOWS\_MSRSTRT.EXE:lufhmg -> TrojanDownloader.Agent.bq
C:\WINDOWS\_MSRSTRT.EXE:mhuofe -> Spyware.SearchPage
C:\WINDOWS\_MSRSTRT.EXE:ngehct -> Trojan.Agent.bi
C:\WINDOWS\_MSRSTRT.EXE:nhbaxe -> TrojanDownloader.Agent.bq
C:\WINDOWS\_MSRSTRT.EXE:onzoj -> TrojanDownloader.Agent.bq
C:\WINDOWS\_MSRSTRT.EXE:qnesb -> TrojanDropper.Small.tn
C:\WINDOWS\_MSRSTRT.EXE:rbxynb -> TrojanDownloader.Agent.bq
C:\WINDOWS\_MSRSTRT.EXE:rddlfm -> TrojanDownloader.Agent.bq
C:\WINDOWS\_MSRSTRT.EXE:rpsbcx -> Trojan.Agent.bi
C:\WINDOWS\_MSRSTRT.EXE:sfxmgo -> Spyware.SearchPage
C:\WINDOWS\_MSRSTRT.EXE:titepk -> Trojan.Agent.bi
C:\WINDOWS\_MSRSTRT.EXE:tuvbkw -> Trojan.Agent.bi
C:\WINDOWS\_MSRSTRT.EXE:tzfpor -> TrojanDownloader.Agent.bq
C:\WINDOWS\_MSRSTRT.EXE:ureqtc -> Trojan.Agent.bi
C:\WINDOWS\_MSRSTRT.EXE:vgiuvb -> Trojan.Agent.bi
C:\WINDOWS\_MSRSTRT.EXE:vvgpqj -> TrojanDownloader.Agent.bq
C:\WINDOWS\_MSRSTRT.EXE:xfdgat -> Spyware.SearchPage
C:\WINDOWS\_MSRSTRT.EXE:xobfe -> TrojanDownloader.Agent.bc
C:\WINDOWS\_MSRSTRT.EXE:ybmkly -> Trojan.Agent.bi
C:\WINDOWS\_MSRSTRT.EXE:yclflc -> Trojan.Agent.bi
C:\WINDOWS\_MSRSTRT.EXE:ydienr -> Trojan.Agent.bi
C:\WINDOWS\_MSRSTRT.EXE:ypfhd -> TrojanDropper.Small.tn
C:\WINDOWS\_MSRSTRT.EXE:yxrimv -> TrojanDownloader.Agent.bq
C:\WINDOWS\_MSRSTRT.EXE:zwmgek -> Trojan.Agent.bi



::Report End


And here is my Hijack log:


Logfile of HijackThis v1.99.1
Scan saved at 12:50:38 PM, on 07/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\winln.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\d3vv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\LVComS.exe
C:\Program Files\Logitech\Video\LowLight.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Documents and Settings\Matt\Desktop\hijackthis\HijackThis.exe


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\cydja.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\cydja.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\cydja.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\cydja.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\cydja.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\cydja.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\cydja.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: GDS module - {A084A565-B09B-4e4c-A497-7CC50AEAB2A7} - C:\WINDOWS\gds.dll (file missing)
O2 - BHO: Class - {F4625626-5DCB-AEB7-598A-486B27B92A72} - C:\WINDOWS\system32\systn32.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [cryp32.exe] C:\WINDOWS\cryp32.exe
O4 - HKLM\..\Run: [d3vv.exe] C:\WINDOWS\d3vv.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: FriendFinder Messenger.lnk = C:\Program Files\FriendFinder Messenger\FriendFinder Messenger.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: ConferenceRoom Java Client - http://irc.theamateurchat.com/java/cr.cab
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://www.phgenit.com/plugin/awarewebplayer/download/smart/cab/awswaxf.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_42.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/06f89839c68b5326f406/netzip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1099631719984
O16 - DPF: {861FDA2A-2B57-4BDA-8B8B-305C9D5D8604} (_Multimedia Player) - http://www.pussyharem.com/stream/mmp.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O20 - Winlogon Notify: OemStartMenuData - C:\WINDOWS\
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\winln.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Thanks :)

RaineX 0 Newbie Poster · Answer 2 · 2005-06-09T04:14:10+00:00

RaineX 0 Newbie Poster

18 Years Ago

*bump* lol, don't mean to be a nuisance

RaineX 0 Newbie Poster · Answer 3 · 2005-06-11T06:05:52+00:00

Hi! I performed those steps, however i could not find the file cryp32.exe...i used HJT before i looked for it so i may have deleted it instead, sorry about that. Also, i had to go into safe mode in order to delete systn32.dll and winln.exe, but i got them. Here is my latest HJT log. Thanks again for your help in this!

Logfile of HijackThis v1.99.1
Scan saved at 8:01:27 PM, on 10/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\d3dh.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\LVComS.exe
C:\Program Files\Logitech\Video\LowLight.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\syscn.exe
C:\Documents and Settings\Matt\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\nlfkm.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\nlfkm.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\nlfkm.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\nlfkm.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\nlfkm.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\nlfkm.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\nlfkm.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {6CF569A6-DE3A-4E2F-3C47-72CBC1BE0CB4} - C:\WINDOWS\system32\d3dh.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [cryp32.exe] C:\WINDOWS\cryp32.exe
O4 - HKLM\..\Run: [d3dh.exe] C:\WINDOWS\system32\d3dh.exe
O4 - HKLM\..\RunOnce: [syscn.exe] C:\WINDOWS\syscn.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: FriendFinder Messenger.lnk = C:\Program Files\FriendFinder Messenger\FriendFinder Messenger.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O20 - Winlogon Notify: OemStartMenuData - C:\WINDOWS\
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\winln.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

RaineX 0 Newbie Poster · Answer 4 · 2005-06-13T08:36:57+00:00

Its been a couple days since my last HJT log, so i thought i'd update to make sure nothings changed. I still have the Coolwebsearch problem :( There are days when i hate computers, lol.

Logfile of HijackThis v1.99.1
Scan saved at 10:34:58 PM, on 12/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\syscn.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\d3dh.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\LVComS.exe
C:\Program Files\Logitech\Video\LowLight.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Documents and Settings\Matt\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\bdulc.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\bdulc.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\bdulc.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\bdulc.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\bdulc.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\bdulc.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\bdulc.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {6CF569A6-DE3A-4E2F-3C47-72CBC1BE0CB4} - C:\WINDOWS\system32\d3dh.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [cryp32.exe] C:\WINDOWS\cryp32.exe
O4 - HKLM\..\Run: [d3dh.exe] C:\WINDOWS\system32\d3dh.exe
O4 - HKLM\..\RunOnce: [syscn.exe] C:\WINDOWS\syscn.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: FriendFinder Messenger.lnk = C:\Program Files\FriendFinder Messenger\FriendFinder Messenger.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O20 - Winlogon Notify: OemStartMenuData - C:\WINDOWS\
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\winln.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Thanks

RaineX 0 Newbie Poster · Answer 5 · 2005-06-15T09:53:14+00:00

Alright, i performed all of these steps. When i went to fix the listed items in my HJT log after booting up in safe mode, none of the files under R1 and R0 were listed, the only file that i could fix was R3: URL SearchHook Missing. I could not find the bdulc.dll to delete, nor was Cryp32 present. I did manage to get a bit of info on the following:

d3dh.exe
size: 66.0kb
Size on Disk: 68.0kb
Created May 22, 2005

syscn.exe
size: 16.0kb
Size on Disk: 16.0kb
Created may 20, 2005

Its not a lot, but it was all that i saw worth noting in the properties menu. When i reran HJT after rebooting, it looks like everything is still there. I don't know why in the hell this is being so difficult. Thanks for your ongoing support in this, there is no way i could do this on my own :)

Logfile of HijackThis v1.99.1
Scan saved at 11:47:16 PM, on 14/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\LVComS.exe
C:\Program Files\Logitech\Video\LowLight.exe
C:\WINDOWS\system32\msxb.exe
C:\WINDOWS\msvr.exe
C:\Documents and Settings\Matt\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\fkbdv.dll

/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\fkbdv.

dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:

\WINDOWS\fkbdv.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\fkbdv.dll

/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\fkbdv.

dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:

\WINDOWS\fkbdv.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:

\WINDOWS\fkbdv.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {2152B3D9-716E-3F25-A6C7-040FEF05F22B} - C:\WINDOWS\system32\apiat32.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program

Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.

ocx
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft

Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"

-osboot
O4 - HKLM\..\Run: [d3dh.exe] C:\WINDOWS\system32\d3dh.exe
O4 - HKLM\..\Run: [msvr.exe] C:\WINDOWS\msvr.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: FriendFinder Messenger.lnk = C:\Program Files\FriendFinder

Messenger\FriendFinder Messenger.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital

Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop

Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.

EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:

\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.

exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1

\ICQ\ICQ.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program

Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1

\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:

\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C

:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O20 - Winlogon Notify: OemStartMenuData - C:\WINDOWS\
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:

\WINDOWS\system32\msxb.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program

Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program

Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program

Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program

Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:

\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:

\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.

exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1

\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:

\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common

Files\Symantec Shared\CCPD-LC\symlcsvc.exe

dlh6213 27 Posting Maven Team Colleague · Answer 6 · 2005-06-15T11:58:03+00:00

Go here and try the recommendations and removal instructions:
http://securityresponse.symantec.com/avcenter/venc/data/w32.sowsat.c@mm.html

Then post a new HJT log and let us know if it helped any.

Win32.trojan.agent.bi and Coolwebsearch :(

Recommended Answers Collapse Answers

All 9 Replies

Recommended Answers