Had a glance at it. The file peofjdd.dll (executed by Rundll32.exe process) is one of the suspicious entry. Unregistering and deleting this DLL might help. Also, please post your HijackThis log in Spywareinfo.com or aumha.org forums for expert advice.
--
Ramesh - Microsoft MVP
Windows XP Shell
http://www.mvps.org/sramesh2k
thanks for your reply,
I got the latest cwshredder and it still is there,
I tried hijackthis as well, here is the log.
Logfile of HijackThis v1.97.7
Scan saved at 12:17:47 p.m., on 27/04/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\lvhidsvc.exe
C:\Program Files\Norton SystemWorks\Norton
AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton
Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\TVR\RecSche.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\GigaByte\EasyTune\EasyTune.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Norton SystemWorks\CKA.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\OpenOffice.org1.1.0\program\soffice.exe
C:\Program Files\Messenger\msmsgs.exe
D:\software\infection fix\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Search Bar = res://C:\WINDOWS\System32
\peofjdd.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Search Page = res://C:\WINDOWS\System32
\peofjdd.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet
Explorer\Search,SearchAssistant =
res://C:\WINDOWS\System32\peofjdd.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet
Explorer\Main,Search Bar = res://C:\WINDOWS\System32
\peofjdd.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet
Explorer\Main,Search Page = res://C:\WINDOWS\System32
\peofjdd.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet
Explorer\Search,SearchAssistant =
res://C:\WINDOWS\System32\peofjdd.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-
784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0
\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-
206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6998BDAE-FBEC-4A05-9961-
6D821B10589B} - C:\WINDOWS\System32\peofjdd.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-
CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-
FADC6B084872} - C:\Program Files\Norton
SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-
00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-
7859DF00B1D6} - C:\Program Files\Norton
SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-
009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE
C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RecSche] "C:\Program
Files\TVR\RecSche.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common
Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common
Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1
\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [WinampAgent] C:\Program
Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program
Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [EasyTuneIII] C:\Program
Files\GigaByte\EasyTune\EasyTune.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32
\ctfmon.exe
O4 - HKCU\..\Run: [SymKeepAlive] C:\Program Files\Norton
SystemWorks\CKA.exe
O4 - Startup: OpenOffice.org 1.1.0.lnk = C:\Program
Files\OpenOffice.org1.1.0\program\quickstart.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program
Files\Common Files\Adobe\Calibration\Adobe Gamma
Loader.exe
O8 - Extra context menu item: &Google Search -
res://C:\Program
Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links -
res://C:\Program
Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page -
res://C:\Program
Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages -
res://C:\Program
Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English -
res://C:\Program
Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}
(QuickTime Object) -
http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} -
http://download.macromedia.com/pub/shockwave/cabs/director
/sw.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo!
Audio Conferencing) -
http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yac
scom.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE}
(Symantec AntiVirus scanner) -
http://security.symantec.com/sscv6/SharedContent/vc/bin/Av
Sniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.inf
o.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B}
(GSDACtl Class) -
http://launch.gamespyarcade.com/software/launch/alaunch.ca
b
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} -
http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update
Class) -
http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuct
l.CAB?37876.0049652778
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE}
(Symantec RuFSI Registry Information Class) -
http://security.symantec.com/SSC/SharedContent/common/bin/
cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000}
(Shockwave Flash Object) -
http://download.macromedia.com/pub/shockwave/cabs/flash/sw
flash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN
Chat Control 4.5) -
http://chat.msn.com/bin/msnchat45.cab
-----Original Message-----
CWShredder should have fixed it. Which version of cwshredder did you use?
Try from here! Merijn.org:
http://www.spywareinfo.com/~merijn/downloads.html
(Close all browser/explorer windows before using this tool)
--
Ramesh - Microsoft MVP
Windows XP Shell
http://www.mvps.org/sramesh2k
"mark" <
[email protected]> wrote in
message news:
[email protected]...
