CoolWWW keeps trying

Vic1967

I read the prior posts about Cool WebSearch Victim and
relate thoroughly. However, I have now run AboutBuster and
several other spykillers and the thing still lives. The new
MS antispyware is helpful in that it does block the
recurrence from setting up, but the processes still crowd my
memory or other functions and create file opening issues
(thus I have to run buster from my desktop ... other
spyware too). Meanwhile, I have collected the latest
HijackThis log for you and hope you can identify what it is
I need to kill. I also have a buster log that is
interesting should you need it. I run it two, three times
... wait a few minutes and the stuff re-sets itself and it
shows up after a run with a clean slate.
And even now, the MS antispyware alerts are telling me they
are blocking this devil. Here is the HijackThis log (this
one is a dirty one with all the stuff in it. I have been
through it many times and cleaned out the obvious bad guys,
but this log is just after buster efforts and reboots):
::::::::::::::::::::::::::::::::
Logfile of HijackThis v1.99.1
Scan saved at 5:25:36 PM, on 3/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\mfczm32.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\cisvc.exe
E:\Program Files\NORTON IS\ISSVC.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
E:\Program Files\NORTON IS\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton
Utilities\NPROTECT.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec
Shared\SPBBC\SPBBCSvc.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec
Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ATI Technologies\ATI Control
Panel\atiptaxx.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\ScanSoft\PaperPort\PPScheduler.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe
C:\Program Files\Lexmark 5200 series\lxbtbmon.exe
E:\Program Files\Picasa\Hello\Hello.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
E:\Program Files\FIREFOX\firefox.exe
C:\Program Files\Microsoft AntiSpyware\GIANTAntiSpywareMain.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\administrator\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class -
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program
Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper -
{AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program
files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class -
{BDF3E430-B101-42AD-A544-FADC6B084872} - E:\Program
Files\NORTON IS\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google -
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program
files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus -
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\Program
Files\NORTON IS\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion -
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program
Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS
Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PinnacleDriverCheck]
C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [AtiPTA] C:\Program Files\ATI
Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AutoProp]
E:\PROGRA~1\MICROS~1\Office10\bots\fp_wmp\regprop.exe
E:\PROGRA~1\MICROS~1\Office10\bots\fp_wmp\WMPaddin.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] F:\Program
Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QD FastAndSafe]
C:\PROGRA~1\NORTON~1\NORTON~2\QDCSFS.exe /scheduler
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common
Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe"
-Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program
Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program
Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [PPScheduler] "C:\Program
Files\ScanSoft\PaperPort\PPScheduler.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common
Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor]
C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Lexmark 5200 series] "C:\Program
Files\Lexmark 5200 series\lxbtbmgr.exe"
O4 - HKLM\..\Run: [LXBTCATS] rundll32
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program
Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [LifeScape Media Detector] E:\Program
Files\Picasa\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [PicasaNet] "E:\Program
Files\Picasa\Hello\Hello.exe" -b
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program
Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft
AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber
Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [SpyKiller] C:\Program
Files\SpyKiller\spykiller.exe /startup
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program
Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program
Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search -
res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search -
res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links -
res://C:\Program
Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page -
res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Customize Menu &4 -
file://C:\Program Files\Siber Systems\AI
RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://E:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms &] -
file://C:\Program Files\Siber Systems\AI
RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Save Forms &[ -
file://C:\Program Files\Siber Systems\AI
RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Similar Pages -
res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English -
res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) -
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Fill Forms -
{320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program
Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms &] -
{320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program
Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save -
{320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program
Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms &[ -
{320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program
Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: ICQ -
{6224f700-cba3-4071-b251-47cb894244cd} - D:\Program
Files\ICQ\ICQ.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ -
{6224f700-cba3-4071-b251-47cb894244cd} - D:\Program
Files\ICQ\ICQ.exe (file missing)
O9 - Extra button: RoboForm -
{724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program
Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm &2 -
{724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program
Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research -
{92780B25-18CC-41C8-B9BE-3C9C571A8263} -
E:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM -
{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program
Files\netscape\aim\aim.exe
O9 - Extra button: Share in Hello -
{B13B4423-2647-4cfc-A4B3-C7D56CB83487} - E:\Program
Files\Picasa\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello -
{B13B4423-2647-4cfc-A4B3-C7D56CB83487} - E:\Program
Files\Picasa\Hello\PicasaCapture.dll
O9 - Extra button: Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug -
{AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} -
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)
O15 - Trusted Zone: http://www.ebay.com
O15 - Trusted Zone: http://www.expedia.com
O15 - Trusted Zone: http://chat.msn.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows
Genuine Advantage Validation Tool) -
http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O23 - Service: Network Security Service (NSS) (
11Fßä#·ºÄÖ`I) - Unknown owner -
C:\WINDOWS\system32\mfczm32.exe
O23 - Service: Ati HotKey Poller - Unknown owner -
C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner -
C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: C-DillaCdaC11BA - Macrovision -
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec
Corporation - C:\Program Files\Common Files\Symantec
Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec
Corporation - C:\Program Files\Common Files\Symantec
Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) -
Symantec Corporation - C:\Program Files\Common
Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) -
Symantec Corporation - C:\Program Files\Common
Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer,
Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation -
E:\Program Files\NORTON IS\ISSVC.exe
O23 - Service: lxbt_device - Lexmark International, Inc. -
C:\WINDOWS\System32\lxbtcoms.exe
O23 - Service: Macromedia Licensing Service - Unknown owner
- C:\Program Files\Common Files\Macromedia
Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto-Protect Service
(navapsvc) - Symantec Corporation - E:\Program Files\NORTON
IS\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService)
- Symantec Corporation - C:\Program Files\Norton
SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - E:\Program
Files\NORTON IS\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) -
Symantec Corporation -
C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) -
Symantec Corporation - C:\Program Files\Common
Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec
Corporation - C:\Program Files\Common Files\Symantec
Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation -
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Symantec Core LC - Symantec Corporation -
C:\Program Files\Common Files\Symantec
Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec
Corporation - C:\Program Files\Common Files\Symantec
Shared\Security Center\SymWSC.exe
O23 - Service: System Commander 7 MBR check (WinMBR) -
Unknown owner - C:\SC\WINMBR.EXE (file missing)


::::::::
 
Steve Wechsler [MVP]

Vic,

You have to disable this service from loading:

O23 - Service: Network Security Service (NSS) (
11Fßä#·ºÄÖ`I) - Unknown owner -
C:\WINDOWS\system32\mfczm32.exe

Open the Services console and locate the phantom Service, Stop it, and
then set the Startup type to Disabled.
Then locate mfczm32.exe and delete it.

There may also be a hidden .dll file that reinfests the system. It may
still not be showing, but at least MSAS may be able to clean up the
infestation. Suggest you enable show hidden files, folders, and system
files prior to any scanning of the system:
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Steve Wechsler (akaMowGreen)
MS-MVP 2004-2005

................. In memory of our dear friend, Alex Nichol ..........
........................ 1935-2005 ........................
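
Added example (not part of Steve's reply and not HijackThis code): a Python sketch that rejoins the hard-wrapped log lines and ranks the O23 service entries, so the entry singled out above stands apart from the other "Unknown owner" services. The sample is an excerpt of the log posted in this thread; the scoring weights and the names `unwrap`, `parse_o23` and `triage` are assumptions made for illustration.

```python
import re
from dataclasses import dataclass, field

# Excerpt of the log posted in this thread, hard-wrapped as it appears there.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\mfczm32.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec
Shared\SPBBC\SPBBCSvc.exe

O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft
AntiSpyware\gcasServ.exe"
O23 - Service: Network Security Service (NSS) (
11Fßä#·ºÄÖ`I) - Unknown owner -
C:\WINDOWS\system32\mfczm32.exe
O23 - Service: Ati HotKey Poller - Unknown owner -
C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Macromedia Licensing Service - Unknown owner
- C:\Program Files\Common Files\Macromedia
Shared\Service\Macromedia Licensing.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec
Corporation - C:\Program Files\Common Files\Symantec
Shared\SPBBC\SPBBCSvc.exe
O23 - Service: System Commander 7 MBR check (WinMBR) -
Unknown owner - C:\SC\WINMBR.EXE (file missing)
"""

ENTRY_START = re.compile(r"^[A-Z]\d{1,2} - ")   # O2, O4, O23, R1, ...
PROCESS_START = re.compile(r"^[A-Za-z]:\\")      # a new process path
O23_PREFIX = "O23 - Service: "
MISSING = "(file missing)"


@dataclass
class Service:
    name: str
    owner: str
    path: str
    missing: bool
    score: int = 0
    reasons: list = field(default_factory=list)


def unwrap(log):
    """Rejoin wrapped lines; return (running_processes, entries)."""
    processes, entries = [], []
    current = None                      # list the next continuation belongs to
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            current = processes
        elif ENTRY_START.match(line):
            current = entries
            entries.append(line)
        elif current is processes and PROCESS_START.match(line):
            processes.append(line)
        elif current:                   # continuation of the previous item
            current[-1] += " " + line
    return processes, entries


def parse_o23(entry):
    """Split 'O23 - Service: name - owner - path'; None if malformed."""
    parts = entry[len(O23_PREFIX):].rsplit(" - ", 2)
    if len(parts) != 3:
        return None
    name, owner, path = (p.strip() for p in parts)
    missing = path.endswith(MISSING)
    if missing:
        path = path[: -len(MISSING)].rstrip()
    return Service(name, owner, path, missing)


def triage(log):
    """Rank O23 services; higher score means look at it first (heuristic only)."""
    processes, entries = unwrap(log)
    running = {p.lower() for p in processes}
    services = []
    for entry in entries:
        svc = parse_o23(entry) if entry.startswith(O23_PREFIX) else None
        if svc is None:
            continue
        if svc.missing:
            svc.reasons.append("binary missing: stale entry, nothing to run")
        else:
            if svc.owner == "Unknown owner":
                svc.score += 1
                svc.reasons.append("owner reported as unknown")
                if svc.path.lower() in running:
                    svc.score += 1
                    svc.reasons.append("binary is currently running")
            if any(not 32 <= ord(c) < 127 for c in svc.name):
                svc.score += 2
                svc.reasons.append("non-ASCII characters in service name")
        services.append(svc)
    return sorted(services, key=lambda s: -s.score)


if __name__ == "__main__":
    for svc in triage(SAMPLE_LOG):
        print(svc.score, svc.path, "|", "; ".join(svc.reasons) or "no flags")
```

"Unknown owner" alone is a weak signal, since the ATI and Macromedia services in this log carry it too; the ranking only decides what to inspect first.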

 
hewy

-----Original Message-----
Files\ICQ\ICQ.exe (file missing)
O9 - Extra button: RoboForm -
{724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program
Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm &2 -
{724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program
Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research -
{92780B25-18CC-41C8-B9BE-3C9C571A8263} -
E:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM -
{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program
Files\netscape\aim\aim.exe
O9 - Extra button: Share in Hello -
{B13B4423-2647-4cfc-A4B3-C7D56CB83487} - E:\Program
Files\Picasa\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello -
{B13B4423-2647-4cfc-A4B3-C7D56CB83487} - E:\Program
Files\Picasa\Hello\PicasaCapture.dll
O9 - Extra button: Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug -
{AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} -
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)
O15 - Trusted Zone: http://www.ebay.com
O15 - Trusted Zone: http://www.expedia.com
O15 - Trusted Zone: http://chat.msn.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows
Genuine Advantage Validation Tool) -
http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O23 - Service: Network Security Service (NSS) (
11Fßä#·ºÄÖ`I) - Unknown owner -
C:\WINDOWS\system32\mfczm32.exe
O23 - Service: Ati HotKey Poller - Unknown owner -
C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner -
C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: C-DillaCdaC11BA - Macrovision -
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec
Corporation - C:\Program Files\Common Files\Symantec
Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec
Corporation - C:\Program Files\Common Files\Symantec
Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) -
Symantec Corporation - C:\Program Files\Common
Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) -
Symantec Corporation - C:\Program Files\Common
Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer,
Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation -
E:\Program Files\NORTON IS\ISSVC.exe
O23 - Service: lxbt_device - Lexmark International, Inc. -
C:\WINDOWS\System32\lxbtcoms.exe
O23 - Service: Macromedia Licensing Service - Unknown owner
- C:\Program Files\Common Files\Macromedia
Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto-Protect Service
(navapsvc) - Symantec Corporation - E:\Program Files\NORTON
IS\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService)
- Symantec Corporation - C:\Program Files\Norton
SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - E:\Program
Files\NORTON IS\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) -
Symantec Corporation -
C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) -
Symantec Corporation - C:\Program Files\Common
Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec
Corporation - C:\Program Files\Common Files\Symantec
Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation -
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Symantec Core LC - Symantec Corporation -
C:\Program Files\Common Files\Symantec
Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec
Corporation - C:\Program Files\Common Files\Symantec
Shared\Security Center\SymWSC.exe
O23 - Service: System Commander 7 MBR check (WinMBR) -
Unknown owner - C:\SC\WINMBR.EXE (file missing)


::::::::

.
Try CWShredder. CoolWebSearch specific. Free at
InterMute.
 
V

Vic1967

Thanks and also to HWEY for the effort here. Here is the
latest:
Running HijackTHIS I ran a fix on the 023 intruder below
and double checked to be sure mfczm32.exe was deleted...
I run HJT several times and invariably after a few scans,
the intruders return to the list. "Fix" again. Same thing.
I took HWEY's advice too. I got CWWShredder and ran it. It
found a CWW-Home. So, I ran it to fix that. This crashed
the computer. I tried again in safe mode with same result.
Obviously there is a hidden file somewhere that keeps
pulling these bad actors back into the process. One thing:
You mentioned that to remove the 023 intruder, I should open
the Services console...etc. I am assuming that is the
'console' of the HJT program? If it is a services console in
the windows menus... I missed it. Could not locate in the
usual places like the control panel or admin files.
Any more suggestions?
 
R

Ron Kinner

Steve meant the Microsoft services control:

Start, then right click on My Computer and select Manage
then Services and Applications then Services or
click on Start, then on Run and type this in the box :

services.msc

and hit "Enter". Scroll down the list in the right pane
until you find this Service :

Network Security Service (NSS) ( 11Fßä #·ºÄÖ`I)

When you find it, double-click on it. In the next window
that opens, click the Stop button, then click
on "Properties" and under the "General" Tab, change the
Startup Type to Disabled. Now hit Apply and then Ok and
close any open windows. This assumes it shows up in the
list which I doubt.


You might benefit from following the procedure in:

http://forums.spywareinfo.com/lofiversion/index.php/t43636.html


Ron
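
The O23 entry Ron points to can be picked out of the posted log mechanically. The following is an added example, not part of any post in this thread and not a HijackThis feature: it rejoins the wrapped log lines, parses O23 entries, and ranks first any service that has both "Unknown owner" and non-printable or non-ASCII characters in its name. The function names and the ranking rule are assumptions made for illustration; "Unknown owner" alone is not treated as conclusive, since other services in the same log (the ATI ones, for example) carry it too.

```python
import re

# O23 lines copied from the log on this page, wrapping left as posted.
SAMPLE_LOG = r"""O23 - Service: Network Security Service (NSS) (
11Fßä#·ºÄÖ`I) - Unknown owner -
C:\WINDOWS\system32\mfczm32.exe
O23 - Service: Ati HotKey Poller - Unknown owner -
C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec
Corporation - C:\Program Files\Common Files\Symantec
Shared\ccEvtMgr.exe
"""

ENTRY_START = re.compile(r"^O\d+ - ")  # every entry opens with a section tag

def rejoin_entries(text):
    """Undo forum line wrapping: untagged lines continue the previous entry."""
    entries = []
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if ENTRY_START.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries

def parse_o23(entry):
    """Split 'O23 - Service: <name> - <owner> - <path>'; None if not O23."""
    prefix = "O23 - Service: "
    if not entry.startswith(prefix):
        return None
    parts = entry[len(prefix):].rsplit(" - ", 2)  # name may contain ' - '
    if len(parts) != 3:
        return None
    name, owner, path = (p.strip() for p in parts)
    return {
        "name": name, "owner": owner, "path": path,
        "unknown_owner": owner.lower() == "unknown owner",
        "odd_name": any(ord(c) < 32 or ord(c) > 126 for c in name),
    }

def triage(text):
    """Return (review_first, unknown_owner_only) lists of parsed O23 entries."""
    parsed = [p for p in map(parse_o23, rejoin_entries(text)) if p]
    first = [p for p in parsed if p["odd_name"] and p["unknown_owner"]]
    rest = [p for p in parsed if p["unknown_owner"] and not p["odd_name"]]
    return first, rest
```

On the sample above, `triage(SAMPLE_LOG)` puts only the mfczm32.exe service in the first list; the path it reports is the file to check after the service has been stopped and disabled.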
 
V

Vic1967

AHA! Thank you Ron! I did finally discover some options
under the control panel (security services) but none of the
programs listed were suggestive of the bad guy.
Your directions were great. I found the bad guy and put him
to sleep as you suggested (disabled). Otherwise, I have
removed the *.exe file from the windows folder and run MS
spyware again .. and hijackthis again and aboutbuster
again. Running CWShredder again and looking for the report
to file online, showed the bad actor still there before
doing your routine. I tried to find the string by searching
for text inside files but none of my searches found the bad
guy, just my old logs that had found the bad guy. It is
YOUR clarification of Steve's instructions that hit the
jackpot. MAYBE??? this is the end of the little bugger.
Thanks! IF it comes back, I'll let you know ... here.
 
G

Guest

I had the same problems you were having.. I tried
everything to get rid of it.. I also had programs that
would install without warning.. Virtual Bouncer, ezula, and
a few more, they were part of the coolwebsearch site.. I
had to end up wiping my pc out and redoing it.. I tried
everything and nothing worked.. After I redid my pc my
husband had the same problems I was having.. He also had a
problem with a browser hijacker, it kept changing his
homepage, settings and stuff.. he downloaded a program
called.. Spyware Doctor.. Ran it.. and it removed
everything.. he hasn't had any more problems.. I now use it
and it's a really good program..
 
