Unable to (un)/install spyware detectors
Page 1 of 2 12 LastLast
Results 1 to 10 of 13

Thread: Unable to (un)/install spyware detectors

  1. #1
    Junior Member
    Join Date
    Jun 2004
    Posts
    8

    Unable to (un)/install spyware detectors

    hello all,

    im havin the same problem as "I can't download Ad-Aware on a Win2K Box" except i just get an error sound,not the message..I belive that "there is spyware on the machine already, .one of the pieces of spyware my be hijacking the browser when u try to open a new window..." So...basically the problem is that i can't install or uninstall spyware removal/detectors or whatever. Iwas fortunate to be able to dload Adaware,but i cant open it,that error sound comes up... annoying as hell..some spyware websites cant be opened,mostly all spyware removal/detectors cant be opened or installed or uninstalled...i did the PestControl scan on my computer,79 pests detected..also have the HiJackThis log so hopefully you guys/gals can help with that.. buddy of mine told me to partition my hard drive,format c: and then re-install windows..dunno if that or you guys' help would work best,ill first go with ur help and then go from there,maybe partioning would help all you with the same problem as me?..wish i could reformat my comp,but my computer didnt come with a reformatting disk ...well...help on this on my log and all this would be very much appreciated..take care all.

    Logfile of HijackThis v1.97.7
    Scan saved at 1:11:22 PM, on 6/13/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
    C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\Winamp\winampa.exe
    C:\program files\steam\steam.exe
    C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
    C:\Documents and Settings\xslim\Application Data\laru.exe
    C:\WINDOWS\System32\wtstr.exe
    C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
    C:\WINDOWS\system32\crypserv.exe
    C:\Program Files\Executive Software\Diskeeper\DkService.exe
    C:\WINDOWS\System32\gearsec.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
    C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
    C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
    C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
    C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
    C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
    C:\Program Files\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_p...ount_id=134272
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_p...ount_id=134272
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pacsun.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_p...ount_id=134272
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://shop.pacsun.com/webapp/wcs/st...0001&langId=-1
    R3 - URLSearchHook: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
    O1 - Hosts: 127.0.0.0 localhost
    O1 - Hosts: 127.0.0.2 auditmypc.com
    O1 - Hosts: 127.0.0.3 boards.cexx.org
    O1 - Hosts: 127.0.0.4 bulletproofsoft.net
    O1 - Hosts: 127.0.0.5 camtech2000.net
    O1 - Hosts: 127.0.0.6 cexx.org
    O1 - Hosts: 127.0.0.7 computercops.us
    O1 - Hosts: 127.0.0.8 ct7support.com
    O1 - Hosts: 127.0.0.9 doxdesk.com
    O1 - Hosts: 127.0.0.20 kellys-korner-xp.com
    O1 - Hosts: 127.0.0.21 kephyr.com
    O1 - Hosts: 127.0.0.22 lavasoft.de
    O1 - Hosts: 127.0.0.23 lavasoftusa.com
    O1 - Hosts: 127.0.0.24 lurkhere.com
    O1 - Hosts: 127.0.0.25 majorgeeks.com
    O1 - Hosts: 127.0.0.26 merijn.org
    O1 - Hosts: 127.0.0.27 mjc1.com
    O1 - Hosts: 127.0.0.28 moosoft.com
    O1 - Hosts: 127.0.0.29 mvps.org
    O1 - Hosts: 127.0.0.30 net-integration.net
    O1 - Hosts: 127.0.0.31 noadware.net
    O1 - Hosts: 127.0.0.32 no-spybot.com
    O1 - Hosts: 127.0.0.33 onlinepcfix.com
    O1 - Hosts: 127.0.0.34 pchell.com
    O1 - Hosts: 127.0.0.35 pestpatrol.com
    O1 - Hosts: 127.0.0.36 safer-networking.org
    O1 - Hosts: 127.0.0.37 secure.spykiller.com
    O1 - Hosts: 127.0.0.38 secureie.com
    O1 - Hosts: 127.0.0.39 security.kolla.de
    O1 - Hosts: 127.0.0.40 spybot.info
    O1 - Hosts: 127.0.0.41 spychecker.com
    O1 - Hosts: 127.0.0.42 spychecker.com
    O1 - Hosts: 127.0.0.43 spycop.com
    O1 - Hosts: 127.0.0.44 spyguard.com
    O1 - Hosts: 127.0.0.45 spykiller.com
    O1 - Hosts: 127.0.0.46 spyware.co.uk
    O1 - Hosts: 127.0.0.47 spyware-cop.com
    O1 - Hosts: 127.0.0.48 spywareinfo.com
    O1 - Hosts: 127.0.0.49 spywarenuker.com
    O1 - Hosts: 127.0.0.50 spywareremove.com
    O1 - Hosts: 127.0.0.51 spywareremove.com
    O1 - Hosts: 127.0.0.52 stopzillapro.com
    O1 - Hosts: 127.0.0.53 sunbelt-software.com
    O1 - Hosts: 127.0.0.54 thiefware.com
    O1 - Hosts: 127.0.0.55 tomcoyote.org
    O1 - Hosts: 127.0.0.56 unwantedlinks.com
    O1 - Hosts: 127.0.0.57 webattack.com
    O1 - Hosts: 127.0.0.58 wilders.org
    O1 - Hosts: 127.0.0.59 www.auditmypc.com
    O1 - Hosts: 127.0.0.60 www.bulletproofsoft.net
    O1 - Hosts: 127.0.0.61 www.cexx.org
    O1 - Hosts: 127.0.0.62 www.computercops.us
    O1 - Hosts: 127.0.0.63 www.ct7support.com
    O1 - Hosts: 127.0.0.64 www.doxdesk.com
    O1 - Hosts: 127.0.0.65 www.eblocs.com
    O1 - Hosts: 127.0.0.66 www.enigmasoftwaregroup.com
    O1 - Hosts: 127.0.0.67 www.free-spyware-scan.com
    O1 - Hosts: 127.0.0.68 www.free-web-browsers.com
    O1 - Hosts: 127.0.0.69 www.grc.com
    O1 - Hosts: 127.0.0.70 www.grisoft.com
    O1 - Hosts: 127.0.0.71 www.hackfaq.org
    O1 - Hosts: 127.0.0.72 www.hazeleger.net
    O1 - Hosts: 127.0.0.73 www.javacoolsoftware.com
    O1 - Hosts: 127.0.0.74 www.kellys-korner-xp.com
    O1 - Hosts: 127.0.0.75 www.kephyr.com
    O1 - Hosts: 127.0.0.76 www.lavasoft.de
    O1 - Hosts: 127.0.0.77 www.lavasoftusa.com
    O1 - Hosts: 127.0.0.78 www.lurkhere.com
    O1 - Hosts: 127.0.0.79 www.majorgeeks.com
    O1 - Hosts: 127.0.0.80 www.merijn.org
    O1 - Hosts: 127.0.0.81 www.mjc1.com
    O1 - Hosts: 127.0.0.82 www.moosoft.com
    O1 - Hosts: 127.0.0.83 www.mvps.org
    O1 - Hosts: 127.0.0.84 www.net-integration.net
    O1 - Hosts: 127.0.0.85 www.noadware.net
    O1 - Hosts: 127.0.0.86 www.no-spybot.com
    O1 - Hosts: 127.0.0.87 www.onlinepcfix.com
    O1 - Hosts: 127.0.0.88 www.pchell.com
    O1 - Hosts: 127.0.0.89 www.pestpatrol.com
    O1 - Hosts: 127.0.0.90 www.safer-networking.org
    O1 - Hosts: 127.0.0.91 www.secureie.com
    O1 - Hosts: 127.0.0.92 www.security.kolla.de
    O1 - Hosts: 127.0.0.93 www.spybot.info
    O1 - Hosts: 127.0.0.94 www.spychecker.com
    O1 - Hosts: 127.0.0.95 www.spychecker.com
    O1 - Hosts: 127.0.0.96 www.spycop.com
    O1 - Hosts: 127.0.0.97 www.spyguard.com
    O1 - Hosts: 127.0.0.98 www.spykiller.com
    O1 - Hosts: 127.0.0.99 www.spyware.co.uk
    O2 - BHO: (no name) - {00000000-0007-5041-4354-0020e48020af} - C:\Program Files\12Ghosts\12popup.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {98DE779A-2364-4293-AB71-2B97C61C4640} - C:\PROGRA~1\FREEDO~1\fdahlp.dll
    O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: FDA Bar - {9595C62C-76C6-49A6-9BDA-3253DD7A34FF} - C:\Program Files\Free Downloads Accelerator\fdabar.dll
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O3 - Toolbar: (no name) - {58A83E4F-477A-4A3F-BF9B-B65BC2BD5598} - (no file)
    O3 - Toolbar: 12-Popup - {00000000-0008-5041-4354-0020e48020af} - C:\Program Files\12Ghosts\12popup.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\regmech.exe /QS
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
    O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [Rtho] C:\Documents and Settings\xslim\Application Data\laru.exe
    O4 - HKCU\..\Run: [WAPI] C:\WINDOWS\System32\wtstr.exe
    O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: VTAgentReboot.exe
    O9 - Extra button: ICQ Pro (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: ICQ Lite (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
    O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone-dev.ubisoft.com/de.../GSManager.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_42.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/23669507...p/RdxIE601.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
    O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/soft...ch/alaunch.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...560.5896064815
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
    O16 - DPF: {FE5D6722-826F-11D5-A24E-0060B0F1A5AE} (Tukati Launcher) - http://3dgamers.tukati.com/tukati/1.7.20.20/tukati.cab

  2. #2
    Senior Member
    Join Date
    Aug 2003
    Posts
    1,019
    You have a CWS infection.
    Please download the CWShredder. Run that and fix everything it finds.

    **********************************************************************

    FIX THE FOLLOWING

    Fix the following with HijackThis. Make sure all other windows and browsers are closed before clicking on “Fix Checked”

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_...count_id=134272
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_...count_id=134272
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_...count_id=134272
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://shop.pacsun.com/webapp/wcs/s...1&langId=-1
    R3 - URLSearchHook: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
    O1 - Hosts: 127.0.0.0 localhost
    O1 - Hosts: 127.0.0.2 auditmypc.com
    O1 - Hosts: 127.0.0.3 boards.cexx.org
    O1 - Hosts: 127.0.0.4 bulletproofsoft.net
    O1 - Hosts: 127.0.0.5 camtech2000.net
    O1 - Hosts: 127.0.0.6 cexx.org
    O1 - Hosts: 127.0.0.7 computercops.us
    O1 - Hosts: 127.0.0.8 ct7support.com
    O1 - Hosts: 127.0.0.9 doxdesk.com
    O1 - Hosts: 127.0.0.20 kellys-korner-xp.com
    O1 - Hosts: 127.0.0.21 kephyr.com
    O1 - Hosts: 127.0.0.22 lavasoft.de
    O1 - Hosts: 127.0.0.23 lavasoftusa.com
    O1 - Hosts: 127.0.0.24 lurkhere.com
    O1 - Hosts: 127.0.0.25 majorgeeks.com
    O1 - Hosts: 127.0.0.26 merijn.org
    O1 - Hosts: 127.0.0.27 mjc1.com
    O1 - Hosts: 127.0.0.28 moosoft.com
    O1 - Hosts: 127.0.0.29 mvps.org
    O1 - Hosts: 127.0.0.30 net-integration.net
    O1 - Hosts: 127.0.0.31 noadware.net
    O1 - Hosts: 127.0.0.32 no-spybot.com
    O1 - Hosts: 127.0.0.33 onlinepcfix.com
    O1 - Hosts: 127.0.0.34 pchell.com
    O1 - Hosts: 127.0.0.35 pestpatrol.com
    O1 - Hosts: 127.0.0.36 safer-networking.org
    O1 - Hosts: 127.0.0.37 secure.spykiller.com
    O1 - Hosts: 127.0.0.38 secureie.com
    O1 - Hosts: 127.0.0.39 security.kolla.de
    O1 - Hosts: 127.0.0.40 spybot.info
    O1 - Hosts: 127.0.0.41 spychecker.com
    O1 - Hosts: 127.0.0.42 spychecker.com
    O1 - Hosts: 127.0.0.43 spycop.com
    O1 - Hosts: 127.0.0.44 spyguard.com
    O1 - Hosts: 127.0.0.45 spykiller.com
    O1 - Hosts: 127.0.0.46 spyware.co.uk
    O1 - Hosts: 127.0.0.47 spyware-cop.com
    O1 - Hosts: 127.0.0.48 spywareinfo.com
    O1 - Hosts: 127.0.0.49 spywarenuker.com
    O1 - Hosts: 127.0.0.50 spywareremove.com
    O1 - Hosts: 127.0.0.51 spywareremove.com
    O1 - Hosts: 127.0.0.52 stopzillapro.com
    O1 - Hosts: 127.0.0.53 sunbelt-software.com
    O1 - Hosts: 127.0.0.54 thiefware.com
    O1 - Hosts: 127.0.0.55 tomcoyote.org
    O1 - Hosts: 127.0.0.56 unwantedlinks.com
    O1 - Hosts: 127.0.0.57 webattack.com
    O1 - Hosts: 127.0.0.58 wilders.org
    O1 - Hosts: 127.0.0.59 www.auditmypc.com
    O1 - Hosts: 127.0.0.60 www.bulletproofsoft.net
    O1 - Hosts: 127.0.0.61 www.cexx.org
    O1 - Hosts: 127.0.0.62 www.computercops.us
    O1 - Hosts: 127.0.0.63 www.ct7support.com
    O1 - Hosts: 127.0.0.64 www.doxdesk.com
    O1 - Hosts: 127.0.0.65 www.eblocs.com
    O1 - Hosts: 127.0.0.66 www.enigmasoftwaregroup.com
    O1 - Hosts: 127.0.0.67 www.free-spyware-scan.com
    O1 - Hosts: 127.0.0.68 www.free-web-browsers.com
    O1 - Hosts: 127.0.0.69 www.grc.com
    O1 - Hosts: 127.0.0.70 www.grisoft.com
    O1 - Hosts: 127.0.0.71 www.hackfaq.org
    O1 - Hosts: 127.0.0.72 www.hazeleger.net
    O1 - Hosts: 127.0.0.73 www.javacoolsoftware.com
    O1 - Hosts: 127.0.0.74 www.kellys-korner-xp.com
    O1 - Hosts: 127.0.0.75 www.kephyr.com
    O1 - Hosts: 127.0.0.76 www.lavasoft.de
    O1 - Hosts: 127.0.0.77 www.lavasoftusa.com
    O1 - Hosts: 127.0.0.78 www.lurkhere.com
    O1 - Hosts: 127.0.0.79 www.majorgeeks.com
    O1 - Hosts: 127.0.0.80 www.merijn.org
    O1 - Hosts: 127.0.0.81 www.mjc1.com
    O1 - Hosts: 127.0.0.82 www.moosoft.com
    O1 - Hosts: 127.0.0.83 www.mvps.org
    O1 - Hosts: 127.0.0.84 www.net-integration.net
    O1 - Hosts: 127.0.0.85 www.noadware.net
    O1 - Hosts: 127.0.0.86 www.no-spybot.com
    O1 - Hosts: 127.0.0.87 www.onlinepcfix.com
    O1 - Hosts: 127.0.0.88 www.pchell.com
    O1 - Hosts: 127.0.0.89 www.pestpatrol.com
    O1 - Hosts: 127.0.0.90 www.safer-networking.org
    O1 - Hosts: 127.0.0.91 www.secureie.com
    O1 - Hosts: 127.0.0.92 www.security.kolla.de
    O1 - Hosts: 127.0.0.93 www.spybot.info
    O1 - Hosts: 127.0.0.94 www.spychecker.com
    O1 - Hosts: 127.0.0.95 www.spychecker.com
    O1 - Hosts: 127.0.0.96 www.spycop.com
    O1 - Hosts: 127.0.0.97 www.spyguard.com
    O1 - Hosts: 127.0.0.98 www.spykiller.com
    O1 - Hosts: 127.0.0.99 www.spyware.co.uk
    O2 - BHO: (no name) - {98DE779A-2364-4293-AB71-2B97C61C4640} - C:\PROGRA~1\FREEDO~1\fdahlp.dll
    O4 - HKCU\..\Run: [Rtho] C:\Documents and Settings\xslim\Application Data\laru.exe
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/2366950...ip/RdxIE601.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe

    ***********************************************************************

    Reboot and post a new log

    EDIT: Disable your AV auto-update also..on many systems it hogs all available resources.

  3. #3
    Junior Member
    Join Date
    Jun 2004
    Posts
    8
    i rebooted and i tried running AdAware,still does same thing ..thanks for the help,i really appreciate it.

    Logfile of HijackThis v1.97.7
    Scan saved at 2:41:39 PM, on 6/13/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
    C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\Winamp\winampa.exe
    C:\program files\steam\steam.exe
    C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
    C:\Documents and Settings\xslim\Application Data\laru.exe
    C:\WINDOWS\System32\wtstr.exe
    C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
    C:\WINDOWS\system32\crypserv.exe
    C:\Program Files\Executive Software\Diskeeper\DkService.exe
    C:\WINDOWS\System32\gearsec.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
    C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
    C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
    C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
    C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
    C:\Program Files\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pacsun.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://shop.pacsun.com/webapp/wcs/st...0001&langId=-1
    R3 - URLSearchHook: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
    O2 - BHO: (no name) - {00000000-0007-5041-4354-0020e48020af} - C:\Program Files\12Ghosts\12popup.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {98DE779A-2364-4293-AB71-2B97C61C4640} - C:\PROGRA~1\FREEDO~1\fdahlp.dll
    O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: FDA Bar - {9595C62C-76C6-49A6-9BDA-3253DD7A34FF} - C:\Program Files\Free Downloads Accelerator\fdabar.dll
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O3 - Toolbar: (no name) - {58A83E4F-477A-4A3F-BF9B-B65BC2BD5598} - (no file)
    O3 - Toolbar: 12-Popup - {00000000-0008-5041-4354-0020e48020af} - C:\Program Files\12Ghosts\12popup.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\regmech.exe /QS
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
    O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [Rtho] C:\Documents and Settings\xslim\Application Data\laru.exe
    O4 - HKCU\..\Run: [WAPI] C:\WINDOWS\System32\wtstr.exe
    O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: VTAgentReboot.exe
    O9 - Extra button: ICQ Pro (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: ICQ Lite (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
    O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone-dev.ubisoft.com/de.../GSManager.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_42.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/23669507...p/RdxIE601.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
    O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/soft...ch/alaunch.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...560.5896064815
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
    O16 - DPF: {FE5D6722-826F-11D5-A24E-0060B0F1A5AE} (Tukati Launcher) - http://3dgamers.tukati.com/tukati/1.7.20.20/tukati.cab

  4. #4
    Junior Member
    Join Date
    Jun 2004
    Posts
    8
    which do i "fix checked" now?

  5. #5
    Senior Member
    Join Date
    Aug 2003
    Posts
    1,019
    Boot into SAFE MODE by tapping the f8 key during boot up.

    Try running Adaware in safe mode, otherwise try * Spybot

    Make sure to disable system restore, then re-enable it.
    Working with system restore

    ****************************************************************************

    Just to make sure we got all of the CWS infection, please do the following:
    1. Download DLLFix from one of the following links. Save it to a folder on your root drive, which is C:\ for most people:

    http://downloads.subratam.org/dllfix.exe

    or

    http://tools.zerosrealm.com/dllfix.exe

    Step 2. After it has completed downloading, navigate to the folder you saved it in and double-click on dllfix.exe.

    Step 3. It will prompt you to extract the files somewhere. Type in c:\dllfix and press install.

    Step 4. Navigate to c:\dllfix, open the folder and double-click on start.bat

    Step 5. Run Option 1 by pressing 1 on the keyboard. The program will now start searching.

    Step 6. Once the search is complete a text file should open with the name Output.txt. Copy and Paste the contents of this text file to your next reply to this post.
    There are a few variants of CWS that are a ba***rd to remove.

  6. #6
    Junior Member
    Join Date
    Jun 2004
    Posts
    8
    i didnt do any "fixed checked" after i ran CWS shredder... is it too late,or is there somethin else i can do "fixed checked" on,because now its different..thanks for help.

  7. #7
    Junior Member
    Join Date
    Jun 2004
    Posts
    8
    output.exe =

    --==***@@@ FIND-ALL' VERSION MODIFIED -6/05 @@@***==--
    --==***@@@ ORIGINAL BY FREEATLAST @@@***==--

    Sun 06/13/2004
    02:58 PM

    System Info:

    Microsoft Windows XP [Version 5.1.2600]
    C: "" (08E8:EC3B) - FS:NTFS clusters:4k
    Total: 61 483 933 696 [57G] - Free: 34 592 038 912 [32G]


    *IE version and Service packs:
    6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe
    *Notepad version :
    5.1.2600.0 C:\WINDOWS\system32\notepad.exe
    5.1.2600.0 C:\WINDOWS\notepad.exe
    *Media Player version :
    9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe

    ! REG.EXE VERSION 2.0

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    MinorVersion REG_SZ ;SP1;Q324929;Q810847;Q813951;Q813489;Q330994;Q818529;Q822925;Q828750;Q824145;Q832894;Q837009;Q831167;



    Locked or 'Suspect' file(s) found...
    These may be other files that Dllfix doesnt target.


    Scanning for main Hijacker:


    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "DeviceNotSelectedTimeout"="15"
    "GDIProcessHandleQuota"=dword:00002710
    "Spooler"="yes"
    "swapdisk"=""
    "TransmissionRetryTimeout"="90"
    "USERProcessHandleQuota"=dword:00002710

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0007-5041-4354-0020e48020af}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{98DE779A-2364-4293-AB71-2B97C61C4640}]

    REGEDIT4

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]
    "CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]
    "CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]
    "CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
    @="AP Class Install Handler filter"
    "CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
    @="AP Deflate Encoding/Decoding Filter "
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
    @="AP GZIP Encoding/Decoding Filter "
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
    @="AP lzdhtml encoding/decoding Filter"
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
    @="WebView MIME Filter"
    "CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"


    ! REG.EXE VERSION 2.0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

    *Security settings for 'Windows' key:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    (ID-NI) ALLOW Read BUILTIN\Users
    (ID-IO) ALLOW Read BUILTIN\Users
    (ID-NI) ALLOW Full access BUILTIN\Administrators
    (ID-IO) ALLOW Full access BUILTIN\Administrators
    (ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access CREATOR OWNER

    Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    Read BUILTIN\Users
    Full access BUILTIN\Administrators
    Full access NT AUTHORITY\SYSTEM


    

  8. #8
    They call me the Hunted foxyloxley's Avatar
    Join Date
    Nov 2003
    Location
    3rd Rock from Sun
    Posts
    2,528
    to xslim
    Just for the sake of those of us who are wanting / willing to help.
    Please ATTACH the HiJack This log, so we can D/L as req, this means that the ones who are after info can skim over the thread a LOT quicker.
    And, as I said before, the ones who want to have a look can D/L as they like.

    I know this is your first time, so don't take this the wrong way. ( Ooh Errr )

    If you have a friend who is local; use their machine to D/L the security tools suggested.
    Load them and run them in SAFE mode.

    Some further details req:-
    OS patched to ?
    Firewall details ?
    IDS ?
    Anti V ?
    Any other security tools used ?
    your level of experience ?

    This is an ongoing 'attack', so keep posting, just remember to ATTACH via the 'browse' button when composing your reply.

    Also remember' This is the FUN side of IT. So don't kick the puter too hard.............

    55 - I'm fiftyfeckinfive and STILL no wiser,
    OLDER yes
    Beware of Geeks bearing GIF's
    come and waste the day :P at The Taz Zone

  9. #9
    Senior Member
    Join Date
    Aug 2003
    Posts
    1,019
    You're doing fine...you got rid of the CWS infection. Do as foxy suggested, and see if you can download a 'fresh' version of adware, if not, your hosts file may be comprimised.

    Here is a link that will show you how to check your hosts file. Sometimes CWS adds entries to it that have to manually be removed also.

    Keep it up!!! It's looking good so far.

    Some further details req:-
    OS patched to ?
    Firewall details ?
    IDS ?
    Anti V ?
    Any other security tools used
    Most of that is in the log

    EDIT:

    Just noticed that these need to be fixed yet;
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://shop.pacsun.com/webapp/wcs/s...1&langId=-1
    R3 - URLSearchHook: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
    O2 - BHO: (no name) - {98DE779A-2364-4293-AB71-2B97C61C4640} - C:\PROGRA~1\FREEDO~1\fdahlp.dll
    O3 - Toolbar: FDA Bar - {9595C62C-76C6-49A6-9BDA-3253DD7A34FF} - C:\Program Files\Free Downloads Accelerator\fdabar.dll
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O3 - Toolbar: (no name) - {58A83E4F-477A-4A3F-BF9B-B65BC2BD5598} - (no file)
    O4 - HKCU\..\Run: [Rtho] C:\Documents and Settings\xslim\Application Data\laru.exe
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/2366950...ip/RdxIE601.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe
    O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/sof...nch/alaunch.cab
    O16 - DPF: {FE5D6722-826F-11D5-A24E-0060B0F1A5AE} (Tukati Launcher) - http://3dgamers.tukati.com/tukati/1.7.20.20/tukati.cab

  10. #10
    They call me the Hunted foxyloxley's Avatar
    Join Date
    Nov 2003
    Location
    3rd Rock from Sun
    Posts
    2,528
    Links to some security items that I / we think you might be interested in............

    http://www.lavasoftusa.com/software/adaware/
    AdAware, new version out NOW.

    http://www.safer-networking.org/
    Version 1.3 out now, if you have 1.2, it will not see the new version.

    http://www.winguides.com/regmech/
    registry mechanic: awesome tool............ sweeps as it cleans as it......... you get the picture.

    Downloads : http://www.swatit.org
    Swat it: trojan and bot wiper, does exactly what it says on the pack.
    55 - I'm fiftyfeckinfive and STILL no wiser,
    OLDER yes
    Beware of Geeks bearing GIF's
    come and waste the day :P at The Taz Zone

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •