CWS Homesearch

[Needhelpplease]

Hello,

I'm new here and I would like to see if anyone could assist me w/ the removing of Spyware. It took over my IE and takes be to different websites. It gives me only the best pop ups etc etc....

Here is my HJT log:

Logfile of HijackThis v1.99.0

Scan saved at 12:53:36 AM, on 12/13/2005

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\CTsvcCDA.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\system32\fxssvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\TBPanel.exe

C:\WINDOWS\system32\CTHELPER.EXE

C:\Program Files\Icons\SetIcon.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe

C:\WINDOWS\Logi_MwX.Exe

C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe

C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\ICQLite\ICQLite.exe

C:\Program Files\DIGStream\digstream.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\Program Files\Support.com\bin\tgcmd.exe

C:\DOCUME~1\Wallace\LOCALS~1\Temp\1739.tmp.exe

C:\WINDOWS\system32\addse.exe

C:\WINDOWS\system32\ctfmon.exe

C:\PROGRA~1\Comcast\COMCAS~1\data\Xtras\mssysmgr.exe

C:\WINDOWS\ieje32.exe

C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

C:\Program Files\Trend Micro\Tmas\Tmas.exe

C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe

C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe

C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\PROGRA~1\Ventrilo\Ventrilo.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Wallace\Desktop\New Stuff\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\xksgs.dll/sp.html#77035

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xksgs.dll/sp.html#77035

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\xksgs.dll/sp.html#77035

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\xksgs.dll/sp.html#77035

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xksgs.dll/sp.html#77035

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\xksgs.dll/sp.html#77035

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\xksgs.dll/sp.html#77035

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

R3 - Default URLSearchHook is missing

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Class - {6FA6A490-F265-4818-EA0B-DD4B4061A5FD} - C:\WINDOWS\system32\sysct.dll

O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll

O4 - HKLM\..\Run: [Gainward] C:\WINDOWS\TBPanel.exe /A

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"

O4 - HKLM\..\Run: [setIcon] C:\Program Files\Icons\SetIcon.exe

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe

O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe

O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"

O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"

O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [iCQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize

O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf

O4 - HKLM\..\Run: [1739.tmp] C:\DOCUME~1\Wallace\LOCALS~1\Temp\1739.tmp.exe

O4 - HKLM\..\Run: [1738.tmp] C:\DOCUME~1\Wallace\LOCALS~1\Temp\1738.tmp.exe

O4 - HKLM\..\Run: [WinHound] C:\Program Files\WinHound\WinHound.exe

O4 - HKLM\..\Run: [1739.tmp.exe] C:\DOCUME~1\Wallace\LOCALS~1\Temp\1739.tmp.exe

O4 - HKLM\..\Run: [1738.tmp.exe] C:\DOCUME~1\Wallace\LOCALS~1\Temp\1738.tmp.exe

O4 - HKLM\..\Run: [atlgx32.exe] C:\WINDOWS\atlgx32.exe

O4 - HKLM\..\Run: [crqr.exe] C:\WINDOWS\crqr.exe

O4 - HKLM\..\Run: [mstm32.exe] C:\WINDOWS\mstm32.exe

O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

O4 - HKLM\..\Run: [addse.exe] C:\WINDOWS\system32\addse.exe

O4 - HKLM\..\Run: [XoftSpy] C:\Program Files\XoftSpy\XoftSpy.exe -s

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Comcast\COMCAS~1\data\Xtras\mssysmgr.exe

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe

O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe

O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)

O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe

O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O15 - Trusted Zone: http://www.babydepot.com

O15 - Trusted Zone: http://www.bellsouth.com

O15 - Trusted Zone: http://www.blackopmercs.net

O15 - Trusted Zone: WWW.BLACKOPSMERC.ORG

O15 - Trusted Zone: http://www.comcast.com

O15 - Trusted Zone: http://www.comcast.net

O15 - Trusted Zone: http://www.excite.com

O15 - Trusted Zone: http://www.pandasoftware.com

O15 - Trusted Zone: www.pogo.com

O15 - Trusted Zone: http://www.samsclub.com

O15 - Trusted Zone: http://www.usaa.com

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1130170049968

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1_03) - https://port1.dcmsnet.org/dcmsvc/redist/sun/jinstall-win.cab

O23 - Service: Network Security Service - Unknown - C:\WINDOWS\ieje32.exe

O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe

O23 - Service: CWShredder Service - InterMute, Inc. - c:\program files\InterMute\SpySubtract\CWShredder.exe

O23 - Service: Symantec AntiVirus Definition Watcher - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

O23 - Service: IPSEC Services - HP - (no file)

O23 - Service: SAVRoam - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

[therock247uk]

Download smitRem.exe and save the file to your desktop.

Double click on the file to extract it to it's own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.

Please download the trial version of Ewido Security Suite here:

http://www.ewido.net/en/download/

Please read Ewido Setup Instructions

Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:

Ad-Aware SE Setup

Don't run it yet!

Next, please reboot your computer in SafeMode by doing the following:

1. Restart your computer
   
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
   
3. Instead of Windows loading as normal, a menu should appear
   
4. Select the first option, to run Windows in Safe Mode.
   

Now scan with HJT and place a checkmark next to each of the following items and click FIX CHECKED:

===================================================

O4 - HKLM\..\Run: [WinHound] C:\Program Files\WinHound\WinHound.exe

===================================================

Close HiJackThis.

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.

Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

Open Ad-aware and do a full scan. Remove all it finds.

Run Ewido:

• Click on scanner
• Click on Complete System Scan and the scan will begin.
  
• NOTE: During some scans with ewido it is finding cases of false positives.
  
• You will need to step through the process of cleaning files one-by-one.
  
• If ewido detects a file you KNOW to be legitimate, select none as the action.
  
• DO NOT select "Perform action on all infections"
  
• If you are unsure of any entry found select none for now.
  
• When the scan is finished, click the Save report button at the bottom of the screen.
  
• Save the report to your desktop
  

Close Ewido

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut.

- Once you are on the Panda site click the Scan your PC button

- A new window will open...click the Check Now button

- Enter your Country

- Enter your State/Province

- Enter your e-mail address and click send

- Select either Home User or Company

- Click the big Scan Now button

- If it wants to install an ActiveX component allow it

- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)

- When download is complete, click on Local Disks to start the scan

- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Post the contents of the Panda scan report, along with a new HijackThis Log, the contents of smitfiles.txt and the Ewido Log by using Add Reply.

Let us know if any problems persist.

[Needhelpplease]

Download smitRem.exe and save the file to your desktop.

Double click on the file to extract it to it's own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.

Please download the trial version of Ewido Security Suite here:

http://www.ewido.net/en/download/

Please read Ewido Setup Instructions

Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:

Ad-Aware SE Setup

Don't run it yet!

Next, please reboot your computer in SafeMode by doing the following:

1. Restart your computer

2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.

3. Instead of Windows loading as normal, a menu should appear

4. Select the first option, to run Windows in Safe Mode.

Now scan with HJT and place a checkmark next to each of the following items and click FIX CHECKED:

===================================================

O4 - HKLM\..\Run: [WinHound] C:\Program Files\WinHound\WinHound.exe

===================================================

Close HiJackThis.

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.

Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

Open Ad-aware and do a full scan. Remove all it finds.

Run Ewido:

• Click on scanner

• Click on Complete System Scan and the scan will begin.

• NOTE: During some scans with ewido it is finding cases of false positives.

• You will need to step through the process of cleaning files one-by-one.

• If ewido detects a file you KNOW to be legitimate, select none as the action.

• DO NOT select "Perform action on all infections"

• If you are unsure of any entry found select none for now.

• When the scan is finished, click the Save report button at the bottom of the screen.

• Save the report to your desktop

Close Ewido

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut.

- Once you are on the Panda site click the Scan your PC button

- A new window will open...click the Check Now button

- Enter your Country

- Enter your State/Province

- Enter your e-mail address and click send

- Select either Home User or Company

- Click the big Scan Now button

- If it wants to install an ActiveX component allow it

- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)

- When download is complete, click on Local Disks to start the scan

- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Post the contents of the Panda scan report, along with a new HijackThis Log, the contents of smitfiles.txt and the Ewido Log by using Add Reply.

Let us know if any problems persist.

I would love to try to download all those different programs to try to clean my system....but it appears not that what ever took control of my computer is not controlling my network and I cannot get connected to the internet w/ that cpu anymore. My Network keeps saying that I am having a network connection error and I can't do anything. I know the connection is still good because i'm using my laptop on the same router.

Any suggestions?

[therock247uk]

Can you somehow download the files on another computer then transfer them over?

[RubbeR DuckY]

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team

an email with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.