0

A week or two ago I began to notice a problem with my computer. I began to get a large amount of pop ups and everytime I restarted my computer my homepage was reset to about:blank. I have tried CWS Shredder, No-Adware, Spy-Bot, and Ad-Aware. I have deleted all cookies, temp internet files, and turned off system restore. Can anyone offer any ideas on what I should try next? My HijackThis log is below.


Logfile of HijackThis v1.97.7
Scan saved at 11:39:36 PM, on 6/14/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CasinoOnline\CsRemnd.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\simplemu\SimpleMU.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Andrew Henkel\Local Settings\Temp\Temporary Directory 4 for hijackthis.zip\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {BA5546A4-D6FA-402F-AB8E-4A48C28097DA} - C:\WINDOWS\System32\eaajiaa.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Remndr] "C:\Program Files\CasinoOnline\CsRemnd.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab

3
Contributors
15
Replies
16
Views
13 Years
Discussion Span
Last Post by crunchie
0

Check the boxes on the left and remove these by clicking on [fix checked]

R1 - HKCU\Software\Micros oft\Internet Explorer\Main,HomeOl dSP = about:blank
O4 - HKLM\..\Run: [Remndr] "C:\Program Files\CasinoOnline\C sRemnd.exe"

Afterwards close all (browser) windows, except for hijackthis. And post another scan here.

0

Download dllfix from the following link.
http://tools.zerosrealm.com/dllfix.exe

Create a folder on your desktop, doubleclick on the dllfix and install it into the folder you just created.
1.Run start.bat and press option 1. 'output.txt' will be created in the folder. Post the results of the log here.

0

Yzk, I deleted the two registry values but the first registry value came back. All browser windows were closed. Heres the log.

Logfile of HijackThis v1.97.7
Scan saved at 12:46:42 PM, on 6/15/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CasinoOnline\CsRemnd.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Andrew Henkel\Local Settings\Temp\Temporary Directory 6 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {BA5546A4-D6FA-402F-AB8E-4A48C28097DA} - C:\WINDOWS\System32\eaajiaa.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab

0

Crunchie, heres the output from Dll Fix.

--==***@@@ FIND-ALL' VERSION MODIFIED -6/14 @@@***==--
--==***@@@ ORIGINAL BY FREEATLAST           @@@***==--


Tue 06/15/2004
12:48 PM


System Info:


Microsoft Windows XP [Version 5.1.2600]
C: "" (048A:AD82) - FS:NTFS clusters:4k
Total: 119 957 479 424 [112G] - Free: 101 923 192 832 [95G]



*IE version and Service packs:
6.0.2800.1106  C:\Program Files\Internet Explorer\Iexplore.exe
*Notepad version :
5.1.2600.0  C:\WINDOWS\system32\notepad.exe
5.1.2600.0  C:\WINDOWS\notepad.exe
*Media Player version :
8.0.0.4490  C:\Program Files\Windows Media Player\wmplayer.exe


! REG.EXE VERSION 2.0


HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion    REG_SZ  ;SP1;Q837009;Q832894;Q831167;


Locked or 'Suspect' file(s) found...
These may be other files that Dllfix doesnt target.
If not file is listed than Dllfix may not Help.
in this case please post the contents of Windows.txt to the appinit
entry can be checked. You will find it in the dllfix folder after findall completes.
\\?\C:\WINDOWS\System32\CTLM.DLL +++ File read error
\\?\C:\WINDOWS\System32\CTLM.DLL +++ File read error



Scanning for main Hijacker:



Dllfix must have the Hijackerfiles in system32 to fix properly.
If there are no protocal keys text/html and text/plain
then dllfix may not work. This fix targets this type Hijack Entry.
that keeps reoccuring with different filenames.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page
= res://C:\WINDOWS\System32\xxxxxx.dll/sp.html (obfuscated)
REGEDIT4


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710


REGEDIT4


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
@=""


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BA5546A4-D6FA-402F-AB8E-4A48C28097DA}]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
@="NAV Helper"


REGEDIT4


[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]


[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"


[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"


[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"


[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"


[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"


[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"


[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"


[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{5A555DBD-F51B-40EE-9F42-39CED6526970}"


[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{5A555DBD-F51B-40EE-9F42-39CED6526970}"


[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"



! REG.EXE VERSION 2.0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_Dlls    REG_SZ


*Security settings for 'Windows' key:


If error than registry may need to be restored from option 4.


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI)    ALLOW  Read         BUILTIN\Users
(IO)    ALLOW  Read         BUILTIN\Users
(NI)    ALLOW  Read         BUILTIN\Power Users
(IO)    ALLOW  Read         BUILTIN\Power Users
(NI)    ALLOW  Full access  BUILTIN\Administrators
(IO)    ALLOW  Full access  BUILTIN\Administrators
(NI)    ALLOW  Full access  NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access  NT AUTHORITY\SYSTEM
(NI)    ALLOW  Full access  BUILTIN\Administrators
(IO)    ALLOW  Full access  CREATOR OWNER


Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read            BUILTIN\Users
Read            BUILTIN\Power Users
Full access     BUILTIN\Administrators
Full access     NT AUTHORITY\SYSTEM

Edited by Nick Evan: Fixed formatting

0

Please download & install
Regalyzer.

Copy and Paste:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

into the address bar and press enter

double click on the AppInit_DLLs sub key and the value box will open.

check the contents -- should be the path to the dll.

Post your result Back here.

0

Name of Value: AppInit_DLLs

Value Data: C:\WINDOWS\System32\ctlm.dll

0

Run start.bat again & select option 2. Then select 1 & enter C:\WINDOWS\System32\ctlm.dll & reboot. There will be another scan, when done, reboot again.
Update & run CWShredder. Reboot & post another HJT log plz with a dllfix log also.

0

Heres the HijackThis log.

Logfile of HijackThis v1.97.7
Scan saved at 12:18:35 PM, on 6/17/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\AIM\aim.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Documents and Settings\Andrew Henkel\Local Settings\Temp\Temporary Directory 7 for hijackthis.zip\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Andrew Henkel\Local Settings\Temp\Temporary Directory 8 for hijackthis.zip\HijackThis.exe


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {E0A5232E-6808-4327-8902-04317D8B1445} - C:\WINDOWS\System32\pnpcpd.dll
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab



And then here is the new DllFix log.


Thu 06/17/2004
12:21 PM


System Info:


Microsoft Windows XP [Version 5.1.2600]
C: "" (048A:AD82) - FS:NTFS clusters:4k
Total: 119 957 479 424 [112G] - Free: 99 765 133 312 [93G]



*IE version and Service packs:
6.0.2800.1106  C:\Program Files\Internet Explorer\Iexplore.exe
*Notepad version :
5.1.2600.0  C:\WINDOWS\system32\notepad.exe
5.1.2600.0  C:\WINDOWS\notepad.exe
*Media Player version :
8.0.0.4490  C:\Program Files\Windows Media Player\wmplayer.exe


! REG.EXE VERSION 2.0


HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion    REG_SZ  ;SP1;Q837009;Q832894;Q831167;


Locked or 'Suspect' file(s) found...
These may be other files that Dllfix doesnt target.
If not file is listed than Dllfix may not Help.
in this case please post the contents of Windows.txt to the appinit
entry can be checked. You will find it in the dllfix folder after findall completes.



Scanning for main Hijacker:



Dllfix must have the Hijackerfiles in system32 to fix properly.
If there are no protocal keys text/html and text/plain
then dllfix may not work. This fix targets this type Hijack Entry.
that keeps reoccuring with different filenames.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page
= res://C:\WINDOWS\System32\xxxxxx.dll/sp.html (obfuscated)
REGEDIT4


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"Appinit_Dlls"=""


REGEDIT4


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
@=""


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
@="NAV Helper"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E0A5232E-6808-4327-8902-04317D8B1445}]


REGEDIT4


[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]


[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"


[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"


[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"


[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"


[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"


[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"


[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"


[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{E650C053-5CAB-42FB-8679-D6146180E61C}"


[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{E650C053-5CAB-42FB-8679-D6146180E61C}"


[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"



! REG.EXE VERSION 2.0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_Dlls    REG_SZ


*Security settings for 'Windows' key:


If error than registry may need to be restored from option 4.


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI)    ALLOW  Read         BUILTIN\Users
(IO)    ALLOW  Read         BUILTIN\Users
(NI)    ALLOW  Read         BUILTIN\Power Users
(IO)    ALLOW  Read         BUILTIN\Power Users
(NI)    ALLOW  Full access  BUILTIN\Administrators
(IO)    ALLOW  Full access  BUILTIN\Administrators
(NI)    ALLOW  Full access  NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access  NT AUTHORITY\SYSTEM
(NI)    ALLOW  Full access  BUILTIN\Administrators
(IO)    ALLOW  Full access  CREATOR OWNER


Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read            BUILTIN\Users
Read            BUILTIN\Power Users
Full access     BUILTIN\Administrators
Full access     NT AUTHORITY\SYSTEM

Edited by Nick Evan: Fixed formatting

0

By the way, is this a variant of cool web search or is this something different? I'm a little curious as to what I've got and why Norton Anti-Virus won't detect it and Ad-Aware and other spyware programs won't get rid of it. Any information you could give me would be appreciated and thank you for your efforts thus far to help me out.

Vis

0

Yes, it is CWS & the most complicated hijack thus far.

Unzip HJT into it's own permanent folder before doing anything in order for it to create backups. (Not a temporary folder or directly on the desktop & not directly on your hard drive). Close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked' :

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {E0A5232E-6808-4327-8902-04317D8B1445} - C:\WINDOWS\System32\pnpcpd.dll

Reboot after doing the above then post a fresh log plz.

0

Heres the log.

Logfile of HijackThis v1.97.7
Scan saved at 12:51:32 PM, on 6/18/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Andrew Henkel\My Documents\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4C47CBCF-8999-4D00-8751-40FE750ADAC8} - C:\WINDOWS\System32\pnpcpd.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab

0

Didnt know if this would help or not, but Ad-Aware just came out with an update that caught some things I hadnt seen before. Heres the log.

Ad-aware Settings
=========================
Set : Activate in-depth scan (Recommended)
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry
Set : Scan within archives


6-18-2004 12:59:35 PM - Scan started. (Smart mode)

Listing running processes
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ThreadCreationTime : 6-18-2004 5:50:33 PM
BasePriority : Normal


#:2 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ThreadCreationTime : 6-18-2004 5:50:42 PM
BasePriority : High


#:3 [services.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 6-18-2004 5:50:43 PM
BasePriority : Normal
FileSize : 99 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
OriginalFilename : services.exe
ProductName : Microsoft
Created on : 8/29/2002 10:00:00 AM
Last accessed : 6/18/2004 5:50:43 PM
Last modified : 8/29/2002 10:00:00 AM

#:4 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 6-18-2004 5:50:43 PM
BasePriority : Normal
FileSize : 11 KB
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
OriginalFilename : lsass.exe
ProductName : Microsoft
Created on : 8/29/2002 10:00:00 AM
Last accessed : 6/18/2004 5:50:43 PM
Last modified : 8/29/2002 10:00:00 AM

#:5 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 6-18-2004 5:50:43 PM
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 8/29/2002 10:00:00 AM
Last accessed : 6/18/2004 5:50:47 PM
Last modified : 8/29/2002 10:00:00 AM

#:6 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 6-18-2004 5:50:43 PM
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 8/29/2002 10:00:00 AM
Last accessed : 6/18/2004 5:50:47 PM
Last modified : 8/29/2002 10:00:00 AM

#:7 [ccsetmgr.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ThreadCreationTime : 6-18-2004 5:50:44 PM
BasePriority : Normal
FileSize : 229 KB
FileVersion : 2.1.0.610
ProductVersion : 2.1.0.610
Copyright : Copyright (c) 2000-2003 Symantec Corporation. All rights reserved.
CompanyName : Symantec Corporation
FileDescription : Common Client Settings Manager Service
InternalName : ccSetMgr
OriginalFilename : ccSetMgr.exe
ProductName : Common Client
Created on : 1/7/2004 8:35:10 PM
Last accessed : 6/18/2004 5:50:56 PM
Last modified : 1/7/2004 8:35:10 PM

#:8 [ccevtmgr.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ThreadCreationTime : 6-18-2004 5:50:44 PM
BasePriority : Normal
FileSize : 249 KB
FileVersion : 2.1.0.610
ProductVersion : 2.1.0.610
Copyright : Copyright (c) 2000-2003 Symantec Corporation. All rights reserved.
CompanyName : Symantec Corporation
FileDescription : Common Client Event Manager Service
InternalName : ccEvtMgr
OriginalFilename : ccEvtMgr.exe
ProductName : Common Client
Created on : 1/7/2004 8:35:10 PM
Last accessed : 6/18/2004 5:50:33 PM
Last modified : 1/7/2004 8:35:10 PM

#:9 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 6-18-2004 5:50:45 PM
BasePriority : Normal
FileSize : 50 KB
FileVersion : 5.1.2600.0 (XPClient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
OriginalFilename : spoolsv.exe
ProductName : Microsoft
Created on : 8/29/2002 10:00:00 AM
Last accessed : 6/18/2004 5:50:33 PM
Last modified : 8/29/2002 10:00:00 AM

#:10 [navapsvc.exe]
FilePath : C:\Program Files\Norton AntiVirus\
ThreadCreationTime : 6-18-2004 5:50:45 PM
BasePriority : Normal
FileSize : 155 KB
FileVersion : 10.00.2
ProductVersion : 10.00.2
Copyright : Norton AntiVirus 2004 for Windows 98/ME/2000/XP Copyright (c) 2003 Symantec Corporation. All rights reserved.
CompanyName : Symantec Corporation
FileDescription : Norton AntiVirus Auto-Protect Service
InternalName : NAVAPSVC
OriginalFilename : NAVAPSVC.EXE
ProductName : Norton AntiVirus
Created on : 5/23/2004 9:02:35 PM
Last accessed : 6/18/2004 5:49:41 PM
Last modified : 4/23/2004 4:04:18 PM

#:11 [nvsvc32.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 6-18-2004 5:50:45 PM
BasePriority : Normal
FileSize : 72 KB
FileVersion : 6.14.10.4502
ProductVersion : 6.14.10.4502
Copyright : (C) NVIDIA Corporation. All rights reserved.
CompanyName : NVIDIA Corporation
FileDescription : NVIDIA Driver Helper Service, Version 45.02
InternalName : NVSVC
OriginalFilename : nvsvc32.exe
ProductName : NVIDIA Driver Helper Service, Version 45.02
Created on : 1/1/1980 5:00:00 AM
Last accessed : 6/18/2004 5:50:33 PM
Last modified : 11/3/2003 6:46:00 PM

#:12 [savscan.exe]
FilePath : C:\Program Files\Norton AntiVirus\
ThreadCreationTime : 6-18-2004 5:50:46 PM
BasePriority : Normal
FileSize : 189 KB
FileVersion : 9.2.1.14
ProductVersion : 9.2
Copyright : Copyright (c) 2003 Symantec Corporation
CompanyName : Symantec Corporation
FileDescription : Symantec AntiVirus Scanner
InternalName : SAVSCAN
OriginalFilename : SAVSCAN.EXE
ProductName : Symantec AntiVirus AutoProtect
Created on : 1/7/2004 8:34:52 PM
Last accessed : 6/18/2004 5:11:07 PM
Last modified : 1/7/2004 8:34:52 PM

#:13 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 6-18-2004 5:50:46 PM
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 8/29/2002 10:00:00 AM
Last accessed : 6/18/2004 5:50:47 PM
Last modified : 8/29/2002 10:00:00 AM

#:14 [symlcsvc.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\CCPD-LC\
ThreadCreationTime : 6-18-2004 5:50:46 PM
BasePriority : Normal
FileSize : 572 KB
FileVersion : 1, 8, 48, 79
ProductVersion : 1, 8, 48, 79
Copyright : Copyright (C) 2003
CompanyName : Symantec Corporation
FileDescription : Symantec Core Component
InternalName : symlcsvc
OriginalFilename : symlcsvc.exe
ProductName : Symantec Core Component
Created on : 4/29/2004 11:31:28 PM
Last accessed : 6/18/2004 5:50:33 PM
Last modified : 4/29/2004 11:31:28 PM

#:15 [vsmon.exe]
FilePath : C:\WINDOWS\SYSTEM32\ZoneLabs\
ThreadCreationTime : 6-18-2004 5:50:46 PM
BasePriority : Normal
FileSize : 893 KB
FileVersion : 5.0.590.015
ProductVersion : 5.0.590.015
Copyright : Copyright
CompanyName : Zone Labs Inc.
FileDescription : TrueVector Service
InternalName : vsmon
OriginalFilename : vsmon.exe
ProductName : TrueVector Service
Created on : 6/8/2004 9:30:28 PM
Last accessed : 6/18/2004 5:50:46 PM
Last modified : 5/17/2004 9:55:26 AM

#:16 [explorer.exe]
FilePath : C:\WINDOWS\
ThreadCreationTime : 6-18-2004 5:50:52 PM
BasePriority : Normal
FileSize : 980 KB
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
OriginalFilename : EXPLORER.EXE
ProductName : Microsoft
Created on : 8/29/2002 10:00:00 AM
Last accessed : 6/18/2004 5:50:56 PM
Last modified : 8/29/2002 10:00:00 AM

#:17 [intelmem.exe]
FilePath : C:\Program Files\Intel\Modem Event Monitor\
ThreadCreationTime : 6-18-2004 5:50:53 PM
BasePriority : Normal
FileSize : 216 KB
FileVersion : 0, 1, 0, 10
ProductVersion : 0, 1, 0, 10
Copyright : Copyright (C) 2003
CompanyName : Intel Corporation
FileDescription : Modem Event Monitor Application
InternalName : Modem Event Monitor
OriginalFilename : IntelMEM.exe
ProductName : Intel Modem Event Monitor Application
Created on : 4/29/2004 11:21:40 PM
Last accessed : 6/18/2004 5:50:33 PM
Last modified : 9/4/2003 1:12:44 AM

#:18 [dsentry.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 6-18-2004 5:50:53 PM
BasePriority : Normal
FileSize : 28 KB
FileVersion : 1, 0, 5, 0
ProductVersion : 1, 0, 5, 0
Copyright : Copyright
CompanyName : Dell - Advanced Desktop Engineering
FileDescription : DVDSentry
InternalName : DVDSentry
OriginalFilename : DSentry.exe
ProductName : Dell - DVDSentry
Created on : 8/13/2003 3:27:40 PM
Last accessed : 6/18/2004 5:50:33 PM
Last modified : 8/13/2003 3:27:40 PM

#:19 [pcmservice.exe]
FilePath : C:\Program Files\Dell\Media Experience\
ThreadCreationTime : 6-18-2004 5:50:53 PM
BasePriority : Normal
FileSize : 200 KB
FileVersion : 1.0.0826
ProductVersion : 1.0.0826
Copyright : Copyright c 2003 CyberLink Corp.
CompanyName : CyberLink Corp.
FileDescription : PowerCinema Resident Program for Dell
InternalName : PowerCinema Resident Program for Dell
OriginalFilename : PCM2Launcher.EXE
ProductName : PCM2Launcher Application
Created on : 4/29/2004 11:23:18 PM
Last accessed : 6/18/2004 5:50:33 PM
Last modified : 8/27/2003 12:47:34 AM

#:20 [ccapp.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ThreadCreationTime : 6-18-2004 5:50:53 PM
BasePriority : Normal
FileSize : 69 KB
FileVersion : 2.1.0.610
ProductVersion : 2.1.0.610
Copyright : Copyright (c) 2000-2003 Symantec Corporation. All rights reserved.
CompanyName : Symantec Corporation
FileDescription : Common Client User Session
InternalName : ccApp
OriginalFilename : ccApp.exe
ProductName : Common Client
Created on : 1/7/2004 8:35:08 PM
Last accessed : 6/18/2004 5:50:58 PM
Last modified : 1/7/2004 8:35:08 PM

#:21 [support.exe]
FilePath : C:\Program Files\Common Files\Dell\EUSW\
ThreadCreationTime : 6-18-2004 5:50:53 PM
BasePriority : Normal
FileSize : 288 KB
FileVersion : 2, 0, 0, 34
ProductVersion : 1, 0, 0, 1
Copyright : Copyright
CompanyName : Dell
FileDescription : Support
InternalName : Support
OriginalFilename : Support.exe
ProductName : Dell Support
Created on : 10/7/2003 9:21:10 PM
Last accessed : 6/18/2004 5:50:53 PM
Last modified : 10/7/2003 9:21:10 PM

#:22 [zlclient.exe]
FilePath : C:\Program Files\Zone Labs\ZoneAlarm\
ThreadCreationTime : 6-18-2004 5:50:53 PM
BasePriority : Normal
FileSize : 681 KB
FileVersion : 5.0.590.015
ProductVersion : 5.0.590.015
Copyright : Copyright
CompanyName : Zone Labs Inc.
FileDescription : Zone Labs Client
InternalName : zlclient
OriginalFilename : zlclient.exe
ProductName : Zone Labs Client
Created on : 6/8/2004 9:30:32 PM
Last accessed : 6/18/2004 5:50:33 PM
Last modified : 5/17/2004 9:56:14 AM

#:23 [ituneshelper.exe]
FilePath : C:\Program Files\iTunes\
ThreadCreationTime : 6-18-2004 5:50:53 PM
BasePriority : Normal
FileSize : 280 KB
FileVersion : 4.6.0.15
ProductVersion : 4.6.0.15
CompanyName : Apple Computer, Inc.
FileDescription : iTunesHelper Module
InternalName : iTunesHelper
OriginalFilename : iTunesHelper.exe
ProductName : iTunes
Created on : 6/4/2004 5:38:12 PM
Last accessed : 6/18/2004 5:50:33 PM
Last modified : 6/4/2004 5:38:12 PM

#:24 [ipodservice.exe]
FilePath : C:\Program Files\iPod\bin\
ThreadCreationTime : 6-18-2004 5:50:53 PM
BasePriority : Normal
FileSize : 392 KB
FileVersion : 4.6.0.15
ProductVersion : 4.6.0.15
CompanyName : Apple Computer, Inc.
FileDescription : iPodService Module
InternalName : iPodService
OriginalFilename : iPodService.exe
ProductName : iTunes
Created on : 6/4/2004 5:37:56 PM
Last accessed : 6/18/2004 5:49:43 PM
Last modified : 6/4/2004 5:37:56 PM

#:25 [msbntray.exe]
FilePath : C:\Program Files\Microsoft Broadband Networking\
ThreadCreationTime : 6-18-2004 5:50:54 PM
BasePriority : Normal
FileSize : 428 KB
FileVersion : 2.0.654
ProductVersion : 2.0.654
Copyright : Copyright
CompanyName : Microsoft Corporation
FileDescription : Microsoft Broadband Networking Tray Application
InternalName : MSBNTray.exe
OriginalFilename : MSBNTray.exe
ProductName : Microsoft Broadband Networking Software
Created on : 1/19/2004 11:58:52 PM
Last accessed : 6/18/2004 5:50:54 PM
Last modified : 1/19/2004 11:58:52 PM

#:26 [ad-aware.exe]
FilePath : C:\PROGRA~1\Lavasoft\AD-AWA~1\
ThreadCreationTime : 6-18-2004 5:53:28 PM
BasePriority : Normal
FileSize : 668 KB
FileVersion : 6.0.1.181
ProductVersion : 6.0.0.0
Copyright : Copyright
CompanyName : Lavasoft Sweden
FileDescription : Ad-aware 6 core application
InternalName : Ad-aware.exe
OriginalFilename : Ad-aware.exe
ProductName : Lavasoft Ad-aware Plus
Created on : 5/24/2004 9:24:04 AM
Last accessed : 6/18/2004 5:53:29 PM
Last modified : 7/13/2003 2:00:20 AM

#:27 [notifyalert.exe]
FilePath : C:\Program Files\Dell\Support\Alert\bin\
ThreadCreationTime : 6-18-2004 5:56:12 PM
BasePriority : Normal
FileSize : 344 KB
FileVersion : 2.1.0.72
ProductVersion : 2.1.0.72
InternalName : NotifyAlert.exe
OriginalFilename : NotifyAlert.exe
Created on : 10/7/2003 9:20:18 PM
Last accessed : 6/18/2004 5:50:33 PM
Last modified : 10/7/2003 9:20:18 PM

#:28 [msmsgs.exe]
FilePath : C:\Program Files\Messenger\
ThreadCreationTime : 6-18-2004 5:58:09 PM
BasePriority : Normal
FileSize : 1456 KB
FileVersion : 4.7.2009
ProductVersion : Version 4.7
Copyright : Copyright (c) Microsoft Corporation 1997-2003
CompanyName : Microsoft Corporation
FileDescription : Messenger
InternalName : msmsgs
OriginalFilename : msmsgs.exe
ProductName : Messenger
Created on : 4/15/2003 12:30:14 AM
Last accessed : 6/18/2004 5:58:10 PM
Last modified : 4/15/2003 12:30:14 AM

Memory scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0


Started registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

CoolWebSearch Object recognized!
Type : RegValue
Data :
Rootkey : HKEY_CURRENT_USER
Object : SOFTWARE\Microsoft\Internet Explorer\Main
Value : HOMEOldSP


Registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 1
Objects found so far: 1


Started deep registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainSearch Pagetemp\sp.html

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "file://C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\sp.html"
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Main
Value : Search Page
Data : "file://C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\sp.html"

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainSearch Bartemp\sp.html

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "file://C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\sp.html"
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Main
Value : Search Bar
Data : "file://C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\sp.html"

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\SearchSearchAssistanttemp\sp.html

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "file://C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\sp.html"
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Search
Value : SearchAssistant
Data : "file://C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\sp.html"

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainSearch Pagetemp\sp.html

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "file://C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\sp.html"
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet Explorer\Main
Value : Search Page
Data : "file://C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\sp.html"

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainSearch Bartemp\sp.html

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "file://C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\sp.html"
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet Explorer\Main
Value : Search Bar
Data : "file://C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\sp.html"

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\SearchSearchAssistanttemp\sp.html

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "file://C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\sp.html"
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet Explorer\Search
Value : SearchAssistant
Data : "file://C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\sp.html"


CoolWebSearch Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{03CD9511-D37D-4F67-9D17-5E7206086133}


CoolWebSearch Object recognized!
Type : File
Data : pnpcpd.dll
Object : c:\windows\system32\
FileSize : 30 KB
Created on : 6/16/2004 7:33:39 PM
Last accessed : 6/18/2004 5:25:36 PM
Last modified : 6/16/2004 7:33:39 PM

CoolWebSearch Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{4C47CBCF-8999-4D00-8751-40FE750ADAC8}


CoolWebSearch Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{523C5C0E-CAD6-494A-BC66-3EDC17349325}


CoolWebSearch Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{DBE3AD1F-9CB4-46F4-8947-804DC7D5E0ED}


CoolWebSearch Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{E650C053-5CAB-42FB-8679-D6146180E61C}


WinFavorites Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : WMPPublsihCntr.WMPPublsihCntr


WinFavorites Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : WMPPublsihCntr.WMPPublsihCntr.1


CoolWebSearch Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4C47CBCF-8999-4D00-8751-40FE750ADAC8}


Deep registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 14
Objects found so far: 16


¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯


Deep scanning and examining files (C:)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯


Performing conditional scans..
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

CoolWebSearch Object recognized!
Type : File
Data : sp.html
Object : c:\docume~1\andrew~1\locals~1\temp\
FileSize : 7 KB
Created on : 6/15/2004 4:03:27 AM
Last accessed : 6/18/2004 5:56:01 PM
Last modified : 6/18/2004 5:56:01 PM

Conditional scan result:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 1
Objects found so far: 17


1:00:51 PM Scan complete

Summary of this scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Total scanning time :00:01:15:828
Objects scanned :51479
Objects identified :17
Objects ignored :0
New objects :17

0

Download CWShredder from here & run it. Select the fix button & it will get rid of everything related to CoolWebSearch that is stored in it's database. Close ALL windows, including IE, before running CWShredder. Reboot.

To help prevent this from happening again, install the patches for the vulnerabilities that this hijacker exploits by going here for your critical updates.

Reboot after doing this & post another log please.

0

I ran Ad-Aware after installing a new update for it. It killed off the cool web search files and this time they didn't pop back up. Sorry about the delay in responding, for some reason or another I was beginning to get java errors when attempting to load any webpage. I reinstalled java on my machine and now its working fine. Thanks for your help.

This question has already been answered. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.