0

i installed avg antivirus system, free edition, and now it is showing a message every 20 minutes or so, saying something like this : " found a trojan on this location C:\system volume information\_restore {76F99043 - 158F - 476E - 90DB - 09E418DFFDA3}\ RP31\A0008834.exe"
every time i see that i run system check, but it can't find anything....
i tried to open that folder,"system volume information", but i couldn't : access denied !?!?!?!

Please, help me, this is my hjt log:

Logfile of HijackThis v1.97.7
Scan saved at 14:54:22, on 19/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\WINDOWS\System32\Launcher.exe
C:\Program Files\Winamp\Winampa.exe
C:\WINDOWS\System32\carpserv.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\System32\dllhost.exe
C:\Documents and Settings\Administrator\My Documents\PAMETNE STVARI\hijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://solongas.com/sp.htm?id=632
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://solongas.com/sp.htm?id=632
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://solongas.com/sp.htm?id=632
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://solongas.com/hp.htm?id=632
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://solongas.com/sp.htm?id=632
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {49E0E0F0-5C30-11D4-945D-000000000003} - C:\PROGRA~1\Ashampoo\ASHAMP~1\PopUp.dll
O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [PrimaLauncher] C:\WINDOWS\System32\Launcher.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [jopa] C:\WINDOWS\System32\sysstartup.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: winlogin.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.greg-search.com
O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binaries/IA/nethv32_EN_XP.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3AAB0DD8-868E-4446-B9A6-D21B20231CDA}: NameServer = 161.53.114.145 161.53.114.135

3
Contributors
11
Replies
12
Views
13 Years
Discussion Span
Last Post by marijana
0

Download CWShredder from here & run it. Select the fix button & it will get rid of everything related to CoolWebSearch that is stored in it's database. Close ALL windows, including IE, before running CWShredder. Reboot.

To help prevent this from happening again, install the patches for the vulnerabilities that this hijacker exploits by going here for your critical updates.

Reboot after doing this & post another log please.

0

hi, again!
thnx,i did it:installed CWshredder (AND spybot :-))
and this is my log now:

Logfile of HijackThis v1.97.7
Scan saved at 16:13:40, on 19/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\WINDOWS\System32\Launcher.exe
C:\Program Files\Winamp\Winampa.exe
C:\WINDOWS\System32\carpserv.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Documents and Settings\Administrator\My Documents\PAMETNE STVARI\hijackThis\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {49E0E0F0-5C30-11D4-945D-000000000003} - C:\PROGRA~1\Ashampoo\ASHAMP~1\PopUp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [PrimaLauncher] C:\WINDOWS\System32\Launcher.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binaries/IA/nethv32_EN_XP.cab

is it o.k?
i really hope so..
and, i have another problem, sometimes while on the internet i got message saying : "a runtime error happened. do you wish to debug?" - i hit "no" and everything seems ok, but is it?

0

Do the following first & see if the problem persists.

Close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked' :

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - (no file)

O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll

Reboot.

Clear your restore points now like so..
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Reboot.
Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Update AVG & rescan your system. Note that all previous restore points will be lost.

0

hi!
the "small problem" ->that little message-box saying: "a runtime error has occurred. do you wish to debug?" ->is growing rapidly..... now i can't even use my mailbox on the hotmail, cause everytime i open that page , those "runtime errors" keep showering on me.... situation with other websites is not so bad, here i got that message every ten minutes or so, amazon.com is ok for me (by now) , microsoft.com, where i tried to download updates , is horror.....errors all the time....
please, try to help me..

0

Did you follow instructions from my last post?

Open Internet Explorer - click Tools - Internet Options - Advanced. Make sure Disable script debugging is ticked and Display a notification about every script error is unticked then Apply and OK your way out

0

yes, i followed all your instructions, thanks!
now i dit that last thing: dissabled script debugging, the other one, "Display a notification about every script error " was unticked allready...
i'm gonna give it a try now :-)

0

:-)
disabling script debugging solved that problem all right! THANKS!!!!
but i still have some other stuff....
every time i run Spybot-S&D it finds this:
--------------------------------------------------------------------------
Spybot-S&D

Data source object exploit
HKEY_USERS\S-1-5-18\Sofrware\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

Data source object exploit
HKEY_USERS\S-1-5-121-515967899-261903793=839522115-500\Sofrware\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

Data source object exploit
HKEY_USERS\S-1-5-20\Sofrware\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

Data source object exploit
HKEY_USERS\S-1-5-19\Sofrware\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

Data source object exploit
HKEY_USERS\.Default\Sofrware\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
--------------------------------------------------------------------------

i hit "FIX" button, it said that it's fixed, but than i run Spybot again, and the same five problems appear.....
i did all that while i was disconnected from the internet.....
and it will go on as many times as i run Spybot....
what does it mean?
btw, Ad-aware finds no prob, nor does AVG-antivirus...
so, PLEASE HELP AGAIN :-)

0

The spybot forums would be the place to look for help regarding the DSO exploit. There seems to be a problem with spybot & there would be a fix at there forums, I am sure. You may be able to set spybot to ignore it on the scans.

0

I had several similar troubles this past week and got bit by Korgo, Sasser, Blaster ans Backdoor.Nibu! My AV program found some of them but not the newer ones (Korgo, latest Sasser version). I dowloaded a utility from Network Associates called stinger that identified and killed them. Its free and very effective for what it is written for, which is the latest 30 or so bugs. I also got some messages that were similar to what you have.

Here's the URL;
http://vil.nai.com/vil/stinger/

-nukechief

i installed avg antivirus system, free edition, and now it is showing a message every 20 minutes or so, saying something like this : " found a trojan on this location C:\system volume information\_restore {76F99043 - 158F - 476E - 90DB - 09E418DFFDA3}\ RP31\A0008834.exe"
every time i see that i run system check, but it can't find anything....
i tried to open that folder,"system volume information", but i couldn't : access denied !?!?!?!

Please, help me, this is my hjt log:

Logfile of HijackThis v1.97.7
Scan saved at 14:54:22, on 19/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\WINDOWS\System32\Launcher.exe
C:\Program Files\Winamp\Winampa.exe
C:\WINDOWS\System32\carpserv.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\System32\dllhost.exe
C:\Documents and Settings\Administrator\My Documents\PAMETNE STVARI\hijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://solongas.com/sp.htm?id=632
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://solongas.com/sp.htm?id=632
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://solongas.com/sp.htm?id=632
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://solongas.com/hp.htm?id=632
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://solongas.com/sp.htm?id=632
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {49E0E0F0-5C30-11D4-945D-000000000003} - C:\PROGRA~1\Ashampoo\ASHAMP~1\PopUp.dll
O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [PrimaLauncher] C:\WINDOWS\System32\Launcher.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [jopa] C:\WINDOWS\System32\sysstartup.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: winlogin.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.greg-search.com
O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binaries/IA/nethv32_EN_XP.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3AAB0DD8-868E-4446-B9A6-D21B20231CDA}: NameServer = 161.53.114.145 161.53.114.135

0

me, again, just to tell you how i got rid of that DSO EXPLOIT !
i just changed those five values in the registry that Spybot reported NOT EQUAL to 3.
changed them to EQUAL TO 3.
Spybot reported the full path, so it was easy to find them. They weren't "DWORD" values, but "SZ" values, (as if i know what that means), so i first killed those "SZ"-s, and created new "DWORD"-s, set their values to 3,
and that was all!!!!

This question has already been answered. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.