cws.searchx

Guest

First of all, Spyware Doctor finds this Trojan but cannot remove it, not even at boot.

So I was searching for other ways to remove it. Found this thread:
First of all, I didn't need to rename the folder. The string wasn't coming
up again on F5.
But I don't know if this is it. Maybe I need the string (AppInit_DLLs) using
the DATA: wbsys.dll?



http://forums.spywareinfo.com/index.php?showtopic=10482

The following posted information worked for removing CWS.SearchX on some
infected computers, but I needed to also do the step in the final paragraph:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
You have to remove this key. The value of this key may look blank for you,
but it is not. They hide the value so you can't see it. This registry key
tells Windows to load the Trojan DLL every time ANY application is run, giving
it complete control to do whatever it wants. So you need to remove it so that
the Trojan DLL cannot load and keep re-infecting your PC.
The way to remove the registry key is not obvious. If you just delete it
from RegEdit, since the Trojan DLL is loaded, it will re-add it right back.
(Try it. Delete the AppInit_DLLs registry key and hit F5. Notice that it's
added right back by the Trojan.) So what you have to do is the following,
which worked for me.
1. Rename the HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows folder to Windows2.
2. Now delete the AppInit_DLLs key under the Windows2 folder.
3. Hit F5 and notice that AppInit_DLLs doesn't come back.
4. Rename the Windows2 folder back to Windows.
Now that AppInit_DLLs is gone, run the latest AdAware 6 to remove the Trojan
for good. Reboot your machine. Check the registry and make sure AppInit_DLLs
is still gone. Your computer should be free of this for good now."
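A defender-side check for the key described above, added here as an example; it is not code from the thread or from Spyware Doctor, AdAware or any other tool the thread names. On Windows it reads the raw AppInit_DLLs value and its registry type with winreg, exposes any names that a plain RegEdit view might show as blank, and compares them against an allowlist the caller supplies (the thread's wbsys.dll turned out to be a WindowBlinds file). The key path is the one quoted above; the helper names, the allowlist, and the constructed sample value "\x00wbsys.dll" are my own assumptions, and the thread does not say which hiding trick CWS actually used.

```python
"""Audit the AppInit_DLLs value that the thread describes as the
persistence point for CWS.SearchX.

Added example, not code from the thread or from any tool named in it.
On Windows the live value is read with winreg; elsewhere the pure helpers
run on constructed data so the logic can be exercised offline.
"""
import sys

# Key and value the thread points at (XP-era location, native registry view).
APPINIT_SUBKEY = r"Software\Microsoft\Windows NT\CurrentVersion\Windows"
APPINIT_VALUE = "AppInit_DLLs"


def decode_appinit(raw):
    """Return the DLL names carried by an AppInit_DLLs value.

    The thread says the value "may look blank but is not" without saying how
    it is hidden.  This helper simply exposes whatever is stored: it accepts
    the str winreg returns for REG_SZ/REG_EXPAND_SZ or the bytes of a
    REG_BINARY value, and treats NULs, whitespace and commas as separators,
    so a leading NUL or a binary encoding cannot make a non-empty value
    look empty.  (Assumption: these are plausible hiding forms, not a claim
    about the CWS variant.)
    """
    if isinstance(raw, bytes):
        # Registry strings are UTF-16-LE; ASCII content then has every second
        # byte zero.  Anything else is treated as a single-byte string.
        if len(raw) % 2 == 0 and not any(raw[1::2]):
            text = raw.decode("utf-16-le")
        else:
            text = raw.decode("latin-1")
    else:
        text = raw
    # Windows accepts space- or comma-separated names in this value.
    cleaned = text.replace("\x00", " ").replace(",", " ")
    return cleaned.split()


def classify(dll_names, known_good):
    """Map each name to 'known' (in the caller's allowlist) or 'review'.
    File names are compared case-insensitively, as the loader does."""
    allow = {name.lower() for name in known_good}
    return {name: ("known" if name.lower() in allow else "review") for name in dll_names}


def read_live_appinit():
    """Read the live value on Windows; return None on other platforms.

    On 64-bit Windows the 32-bit view lives under Wow6432Node and would need
    winreg.KEY_WOW64_32KEY; this reads the native view only.
    """
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only module
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, APPINIT_SUBKEY) as key:
            raw, kind = winreg.QueryValueEx(key, APPINIT_VALUE)
    except FileNotFoundError:
        return {"type": None, "repr": None, "dlls": []}
    return {"type": kind, "repr": repr(raw), "dlls": decode_appinit(raw)}


if __name__ == "__main__":
    live = read_live_appinit()
    if live is None:
        # Constructed sample: one way a value that "looks blank" could be stored.
        sample = "\x00wbsys.dll"
        print("not on Windows; sample value", repr(sample), "->", decode_appinit(sample))
    else:
        print("AppInit_DLLs raw:", live["repr"], "type:", live["type"])
        for name, verdict in classify(live["dlls"], {"wbsys.dll"}).items():
            print(f"  {name}: {verdict}")
```

Reading the value changes nothing on the machine. The thread's warning still applies to removal: a DLL that is already loaded can rewrite the value, so the check is worth repeating after a reboot, which is what the quoted procedure's last step asks for.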
 
David H. Lipman

From: "Nicoliani ™" <[email protected]>

| First of all, Spyware Doctor finds this Trojan but cannot remove it, not even at boot.
|
| So I was searching for other ways to remove it. Found this thread:
| First of all, I didn't need to rename the folder. The string wasn't coming
| up again on F5.
| But I don't know if this is it. Maybe I need the string (AppInit_DLLs) using
| the DATA: wbsys.dll?
|
| http://forums.spywareinfo.com/index.php?showtopic=10482
|
| The following posted information worked for removing CWS.SearchX on some
| infected computers, but I needed to also do the step in the final paragraph:
|
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
| You have to remove this key. The value of this key may look blank for you,
| but it is not. They hide the value so you can't see it. This registry key
| tells Windows to load the Trojan DLL every time ANY application is run giving
| it complete control to do whatever it wants. So you need to remove it so that
| the Trojan DLL cannot load and keep re-infecting your PC.
| The way to remove the registry key is not obvious. If you just delete it
| from RegEdit, since the Trojan DLL is loaded, it will re-add it right back.
| (Try it. Delete the AppInit_DLLs registry key and hit F5. Notice that it's
| added right back by the Trojan). So what you have to do is the following
| which worked for me.
| 1. Rename the HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows folder to Windows2.
| 2. Now delete the AppInit_DLLs key under the Windows2 folder.
| 3. Hit F5 and notice that AppInit_DLLs doesn't come back.
| 4. Rename the Windows2 folder back to Windows.
| Now that AppInit_DLLs is gone, run the latest AdAware 6 to remove the Trojan
| for good. Reboot your machine. Check the registry and make sure AppInit_DLLs
| is still gone. Your computer should be free of this for good now."
|

You could also have tried v2.19 of Trend Micro's CWShredder software.

CWShredder:
http://www.trendmicro.com/cwshredder/
 
Guest

I noticed that wbsys.dll was a WindowBlinds file, so I reg'd it back.
CWShredder found one file and removed it; when scanning with Spyware Doctor
after that, the trojan was still there.
 
Guest

This is annoying: the trojan installs OkayHearts.exe, which pops up with ads
using IE6.
Even though I remove the OkayHearts.exe, it's still coming back.
 
Frank S Sohtye

Download and run HijackThis, save a copy of the log, and post your log to the
following newsgroup for expert analysis. No registration required;
just click on the link.
 
Guest

Thanks, I don't get how to get to the link you provided for the
newsgroup. Here is my log, by the way.

I also booted in safe mode and was able to delete files and folders that had
to do with the trojan, like OkayHearts.exe and files synonymous with the
*.exe file that were hiding in the folder Application Data.

Logfile of HijackThis v1.99.1
Scan saved at 13:16:18, on 2005-12-23
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Sygate\SPF\smc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Delade filer\Stardock\SDMCP.exe
C:\Program\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Alwil Software\Avast4\aswUpdSv.exe
C:\Program\Alwil Software\Avast4\ashServ.exe
C:\Program\Stardock\Object Desktop\IconX\IconX.exe
C:\Program\Microsoft IntelliType Pro\type32.exe
C:\Program\Alwil Software\Avast4\ashdisp.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program\Winamp\winampa.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program\QuickTime\qttask.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program\CursorXP\CursorXP.exe
C:\Program\CDSPEE~1\cdspeed.exe
C:\Program\FREEDO~1\fdm.exe
C:\Program\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program\Webshots\webshots.scr
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program\Raxco\PerfectDisk\PDSched.exe
C:\Program\Internet Explorer\iexplore.exe
C:\Program\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\PROGRAM\WINZIP\winzip32.exe
C:\Documents and Settings\Nico\Lokala inställningar\Temp\wz4025\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: ICOOExternal Class - {0519A9C9-064A-4cbc-BC47-D0EACD581477} - C:\Program\ICOO Loader\addons\icooue.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ICOODManager Class - {465A59EC-20E5-4fca-A38A-E5EC3C480218} - C:\Program\ICOO Loader\addons\icoou.dll (file missing)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\Program\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\Program\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [type32] "C:\Program\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [SmcService] C:\Program\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [ashdisp] C:\Program\Alwil Software\Avast4\ashdisp.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program\Winamp\winampa.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [NBJ] "C:\Program\Ahead\Nero BackItUp\nbj.exe"
O4 - HKCU\..\Run: [CursorXP] C:\Program\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [CD_Speed] C:\Program\CDSPEE~1\cdspeed.exe /boot
O4 - HKCU\..\Run: [Free Download Manager] C:\Program\FREEDO~1\fdm.exe -autorun
O4 - Startup: Webshots.lnk = C:\Program\Webshots\Launcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O8 - Extra context menu item: &ieSpell Options - res://C:\Program\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Program\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download by Free Download Manager - file://C:\Program\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Program\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Program\Free Download Manager\dlpage.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program\ieSpell\iespell.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\Program\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE
O9 - Extra button: (no name) - {410C30C7-098A-4090-928E-F1D356D34C7F} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: &IESnap - {410C30C7-098A-4090-928E-F1D356D34C7F} - (no file) (HKCU)
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {230C3D02-DA27-11D2-8612-00A0C93EEA3C} (SAXFile FileUpload ActiveX Control) - http://82.99.38.123/SAXFile/saxfile.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {33288993-5664-11D4-8B5B-00D0B73B3518} (ell Class) - http://www.easports.com/downloads/games/common/ieell.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.1.74.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-24.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by14fd.bay14.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {525A15D0-4938-11D4-94C7-0050DA20189B} (SnoopyCtrl Class) - http://www.easports.com/downloads/games/common/snoopy/iesnoopy.cab
O16 - DPF: {5F05A225-0F66-43DE-89E4-6FFD589C4F01} (OC web Installer) - http://www.aebn.net/ws/DownloadCoach/dc5/files/objectCubeInstall.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1134918739242
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {9C024426-7859-4B2D-AB4C-B1E370AE7549} - http://us.mcafee.com/Apps/WSC/en-us/WscWlanScannerCtrl.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Service Client v.3.4) - http://ccon.futuremark.com/global/msc34.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by14fd.bay14.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15014/CTPID.cab
O20 - Winlogon Notify: MCPClient - C:\Program\Delade filer\Stardock\mcpstub.dll
O20 - Winlogon Notify: WB - C:\Program\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LF Connection Keeper Service (LFCK) - Unknown owner - C:\Program\LennartFranzén\LFConnectionKeeper\lfck.exe" --startAsService (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program\Raxco\PerfectDisk\PDSched.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program\Spyware Doctor\sdhelp.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program\Sygate\SPF\smc.exe
 
David H. Lipman

From: "Nicoliani ™" <[email protected]>

| Thanks, I don't get how to get to the link you provided for the
| newsgroup. Here is my log, by the way.
|
| I also booted in safe mode and was able to delete files and folders that had
| to do with the trojan, like OkayHearts.exe and files synonymous with the
| *.exe file that were hiding in the folder Application Data.
|
| Logfile of HijackThis v1.99.1
| Scan saved at 13:16:18, on 2005-12-23
| Platform: Windows XP SP1 (WinNT 5.01.2600)
| MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
|


< HJT log snipped >

Nicoliani:

As soon as you get any adware/spyware removed, it is suggested that you update to WinXP SP2 as soon as possible!

This is NOT the correct place to post HJT logs.

The following are the "proper" forums where you can get expert advice for HiJack This! (HJT) logs.

Please post your log in one of these locations where you will get expert advice based upon peer review.

NOTE: Registration is REQUIRED before posting a log
NOTE: Web sites NOT listed in any particular order

http://aumha.net/viewforum.php?f=30
http://www.bleepingcomputer.com/forums/forum22.html
http://www.dslreports.com/forum/security
http://castlecops.com/forum67.html
http://www.wilderssecurity.com/forumdisplay.php?f=24
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://forum.iamnotageek.com/f-130.html
http://forums.maddoktor2.com/index.php?showforum=17
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.spywareinfo.com/index.php?showforum=18
http://forums.techguy.org/f54-s.html
http://forums.tomcoyote.org/index.php?showforum=27
http://forums.subratam.org/index.php?showforum=7
http://boards.cexx.org/viewforum.php?f=1
http://www.malwarebytes.biz/forums/index.php?showforum=5

{ borrowed from the alt.privacy.spyware News Group }
 
Frank S Sohtye

Have HJT fix the following lines by placing a check in the box next to each
line and then clicking the "Fix checked" button at the bottom. When done,
you need to upgrade to SP2.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: ICOOExternal Class - {0519A9C9-064A-4cbc-BC47-D0EACD581477} - C:\Program\ICOO Loader\addons\icooue.dll (file missing)
O2 - BHO: ICOODManager Class - {465A59EC-20E5-4fca-A38A-E5EC3C480218} - C:\Program\ICOO Loader\addons\icoou.dll (file missing)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O9 - Extra button: (no name) - {410C30C7-098A-4090-928E-F1D356D34C7F} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: &IESnap - {410C30C7-098A-4090-928E-F1D356D34C7F} - (no file) (HKCU)
O23 - Service: LF Connection Keeper Service (LFCK) - Unknown owner - C:\Program\LennartFranzén\LFConnectionKeeper\lfck.exe" --startAsService (file missing)

Nicoliani ™ said:
Thanks, I don't get how to get to the link you provided for the
newsgroup. Here is my log, by the way.

I also booted in safe mode and was able to delete files and folders that had
to do with the trojan, like OkayHearts.exe and files synonymous with the
*.exe file that were hiding in the folder Application Data.

< HJT log snipped >
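The triage that Frank does by hand above (and that his earlier "download and run HijackThis" post asks for) can be scripted for a first pass. The following is an added example in Python, not code from HijackThis or from anyone in the thread: it parses HijackThis 1.99-style entries, re-joins lines that a newsreader wrapped, and applies rules I derived from the kinds of lines Frank marked for "Fix checked": a browser proxy pointing at a local port, blanked browser settings, registrations whose file is missing, and IE policy restrictions. The sample log is a handful of lines taken from the log posted earlier in the thread; the rule set and function names are my own.

```python
"""First-pass triage of a HijackThis 1.99 log.

Added example, not code from HijackThis or from anyone in the thread.  The
rules are mine, modelled on the entries Frank picked for 'Fix checked'; they
yield candidates for a human to review, not verdicts.
"""
import re
from collections import namedtuple

Entry = namedtuple("Entry", "section text")

# Every HJT entry starts with a section tag (R0, R1, F2, O2 ... O23) and " - ".
ENTRY_RE = re.compile(r"^(R\d|F\d|O\d{1,2}) - (.*)$")

# Constructed sample: lines copied from the log posted in this thread,
# including the wrapping the newsreader introduced.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 13:16:18, on 2005-12-23

Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyServer = 127.0.0.1:8080
O2 - BHO: ICOOExternal Class - {0519A9C9-064A-4cbc-BC47-D0EACD581477} -
C:\Program\ICOO Loader\addons\icooue.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {410C30C7-098A-4090-928E-F1D356D34C7F} - (no
file) (HKCU)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation -
C:\WINDOWS\System32\nvsvc32.exe
"""


def parse_hjt(log_text):
    """Split a log into entries.  A line that does not start with a section
    tag is a wrapped continuation and is glued onto the previous entry; the
    header and 'Running processes' block precede the first entry and are
    skipped."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
        elif entries:
            prev = entries[-1]
            entries[-1] = Entry(prev.section, prev.text + " " + line)
    return entries


def triage(entries):
    """Return (section, text, reasons) for every entry worth a second look."""
    findings = []
    for e in entries:
        reasons = []
        if e.section.startswith("R"):
            if re.search(r"ProxyServer = 127\.0\.0\.1:\d+", e.text):
                reasons.append("IE proxied through a local port, a hijacker pattern")
            elif e.text.endswith("="):
                reasons.append("browser setting has been blanked")
        if e.section in ("O2", "O9", "O20", "O23") and (
            "(file missing)" in e.text or "(no file)" in e.text
        ):
            reasons.append("registration points at a file that is not on disk")
        if e.section == "O6" and e.text.endswith("present"):
            reasons.append("IE policy restriction present; hijackers use these to lock settings")
        if reasons:
            findings.append((e.section, e.text, reasons))
    return findings


if __name__ == "__main__":
    for section, text, reasons in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{section} - {text}")
        for r in reasons:
            print(f"    -> {r}")
```

The output is a review list, not a fix list. In the full log posted above, the avast! Mail Scanner and Web Scanner services would also trip the "(file missing)" rule because of the stray quote in their image paths, and Frank did not select those lines; a human still has to look at each candidate.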
 
Leythos

Have HJT fix the following lines by placing a check in the box next to each
line and then clicking the "Fix checked" button at the bottom. When done,
you need to upgrade to SP2.

NNTP-Posting-Host: ppp-69-237-53-123.dsl.bkfd14.pacbell.net
69.237.53.123

Butts, when are you going to learn to SNIP posts that contain
information that's not needed? You don't need to quote the OP's HJ log.
 