coolweb search and about blank


janice

I have run CWShredder and HijackThis. I run Ad-aware and delete it, but I just get it back. With HijackThis I'm not sure what to do, so

Logfile of HijackThis v1.97.7
Scan saved at 3:25:15 PM, on 6/4/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\interMute\AdSubtract\AdSub.exe
C:\Program Files\interMute\SpamSubtract\SpamSub.exe
c:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for hijackthis1977[1].zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:1032
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - Startup: AdSubtract.lnk = C:\Program Files\interMute\AdSubtract\AdSub.exe
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\spysub.exe
O8 - Extra context menu item: AdSubtract: Bypass Site - res://C:\Program Files\interMute\AdSubtract\AdSub.exe/360
O8 - Extra context menu item: AdSubtract: Cloak Image - res://C:\Program Files\interMute\AdSubtract\AdSub.exe/361
O8 - Extra context menu item: AdSubtract: Report Site - res://C:\Program Files\interMute\AdSubtract\AdSub.exe/359
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: MoneySide (HKLM)
O10 - Broken Internet access because of LSP provider 'spsublsp.dll' missing
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/Sasser/20/SassCln.CAB
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

StartupList report, 6/4/2004, 3:41:00 PM
StartupList version: 1.52
Started from : C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for hijackthis1977[1].zip\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\interMute\AdSubtract\AdSub.exe
C:\Program Files\interMute\SpamSubtract\SpamSub.exe
c:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for hijackthis1977[1].zip\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Owner\Start Menu\Programs\Startup]
AdSubtract.lnk = C:\Program Files\interMute\AdSubtract\AdSub.exe
spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\spysub.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

hpsysdrv = c:\windows\system\hpsysdrv.exe
HotKeysCmds = C:\WINDOWS\System32\hkcmd.exe
KBD = C:\HP\KBD\KBD.EXE
Recguard = C:\WINDOWS\SMINST\RECGUARD.EXE
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
nwiz = nwiz.exe /installquiet /keeploaded /nodetect
ccApp = "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ccRegVfy = "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
Reminder = "C:\Windows\Creator\Remind_XP.exe"
PS2 = C:\WINDOWS\system32\ps2.exe
mmtask = C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
UpdateManager = "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
AlcxMonitor = ALCXMNTR.EXE

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

NVIEW = rundll32.exe nview.dll,nViewLoadHook
Symantec NetDriver Monitor = C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Program Files\Microsoft Money\System\mnyside.dll - {243B17DE-77C7-46BF-B94B-0B5F309A0E64}
(no name) - c:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}
(no name) - (no file) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Norton AntiVirus - Scan my computer.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
CODEBASE = http://fpdownload.macromedia.com/pub/shockwave/cabs/director/swdir.cab

[Symantec AntiVirus scanner]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\avsniff.dll
CODEBASE = http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab

[SassCln Object]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\SassCln.dll
CODEBASE = http://www.microsoft.com/security/controls/Sasser/20/SassCln.CAB

[Symantec RuFSI Registry Information Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\rufsi.dll
CODEBASE = http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------

Enumerating Winsock LSP files:

Protocol #1: SpSubLSP.dll (file MISSING)
Protocol #2: SpSubLSP.dll (file MISSING)
Protocol #3: SpSubLSP.dll (file MISSING)
Protocol #4: SpSubLSP.dll (file MISSING)
Protocol #5: SpSubLSP.dll (file MISSING)
Protocol #11: SpSubLSP.dll (file MISSING)

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 6,907 bytes
Report generated in 0.187 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

here it is if anyone can help me
 

Malke

janice said:
I have run CWShredder and HijackThis. I run Ad-aware and delete it, but I just get it back. With HijackThis I'm not sure what to do, so
Logfile of HijackThis v1.97.7

(snip unwanted HT log)

This newsgroup isn't the place to post your HijackThis log. Go to the
forums at www.spywareinfo.com, and be sure to read all the FAQs first.
To remove spyware, you need to run multiple programs and you need to
make sure you have the latest versions of those programs and update the
reference files before you run them. Remove spyware with Spybot Search
& Destroy from www.safer-networking.org and Ad-aware from
www.lavasoftusa.com. Be sure to update these programs before running
them. These programs are free, so run them both since they complement
each other. It is best to run antivirus and spyware removal tools in
Safe Mode. Make sure your version of CWShredder is the latest one from
http://www.spywareinfo.com/~merijn/index.html . Please read the
instructions carefully. Also, make sure you've visited Windows Update
and applied all security patches. Make sure you are running a firewall.

Malke
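A small triage script for the kind of log posted in this thread, added here as an example; it is not part of the thread, of HijackThis, or of StartupList. It assumes the one-entry-per-line "Rn - ..." / "On - ..." format seen in the log above (the thread's copy is hard-wrapped) and runs over a constructed sample built from the thread's own entries. The three checks pick out the items in this log a responder would look at first: the R1 ProxyServer pointing at localhost:1032, the O2 BHO with no file behind its CLSID, and the O10 broken Winsock LSP chain.

```python
import re
from dataclasses import dataclass
from typing import Iterator

# Entry lines in a HijackThis 1.9x log look like "R1 - <body>" or "O10 - <body>".
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+)\s+-\s+(?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
LOCAL_HOSTS = ("localhost", "127.0.0.1")

# Constructed sample, not a live scan: entry types copied from the log posted in
# the thread, one line per entry (the original was hard-wrapped when pasted).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:1032
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O10 - Broken Internet access because of LSP provider 'spsublsp.dll' missing
"""


@dataclass
class Finding:
    kind: str    # HijackThis entry type, e.g. "R1", "O2", "O10"
    detail: str  # the value, CLSID or text the finding is about
    reason: str  # why a responder should look at it


def parse_entries(log_text: str) -> Iterator[tuple[str, str]]:
    """Yield (kind, body) for every entry line; process lists etc. are skipped."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("kind"), m.group("body")


def proxy_host(value: str) -> str:
    """'http=localhost:1032' -> 'localhost'; 'proxy:8080' -> 'proxy'."""
    return value.split("=")[-1].split(":")[0].strip().lower()


def triage(log_text: str) -> list[Finding]:
    """Return the entries that need a second look, in log order."""
    findings: list[Finding] = []
    for kind, body in parse_entries(log_text):
        if kind in ("R0", "R1") and ",ProxyServer =" in body:
            value = body.split(" = ", 1)[1].strip()
            if proxy_host(value) in LOCAL_HOSTS:
                findings.append(Finding(kind, value,
                    "IE sends all HTTP traffic through a proxy on this machine; "
                    "identify the process listening on that port before trusting the browser"))
        elif kind == "O2" and body.endswith("(no file)"):
            m = CLSID_RE.search(body)
            findings.append(Finding(kind, m.group(0) if m else body,
                "BHO is registered but its DLL is gone: an orphaned CLSID left by "
                "removed software or a partial cleanup"))
        elif kind == "O10":
            findings.append(Finding(kind, body,
                "Winsock LSP chain references a missing DLL; deleting an LSP DLL "
                "without repairing the chain is what breaks networking after a cleanup"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:<4} {f.detail}\n     -> {f.reason}")
```

The proxy check is the one worth keeping around: a ProxyServer value that points back at the local machine means something on the box is sitting between the browser and the network, and the port number is the lead to follow (which process owns it) rather than the value to delete first.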
 
