I have an impossible to remove bho it loads cewmd.dll and a registry key (BHO: (no name) - {66ED74EE-638F-499C-BF7F-7B03D4D34D6B} - C:\WIN\system32\cewmd.dll neither of which can be removed by hijack this or killbox or regedit or deleting in safe mode. I have downloaded every tool I can think of some find it but none will delete it I have tried booting in knoppix and that too fails. Process explorer does not show any obvious tjhings to kill.
Please tell me how to remove this bleeping piece of crap



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:54, on 2007-12-05
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WIN\System32\smss.exe
C:\WIN\system32\winlogon.exe
C:\WIN\system32\services.exe
C:\WIN\system32\lsass.exe
C:\WIN\system32\Ati2evxx.exe
C:\WIN\system32\svchost.exe
C:\WIN\System32\svchost.exe
C:\WIN\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\NETGEAR\NETGEAR Storage Central Manager Utility\Z-SANService.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WIN\system32\wuauclt.exe
C:\WIN\system32\Ati2evxx.exe
C:\WIN\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WIN\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\arrowhead alpines.FAMILYROOM\My Documents\crusty.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
O2 - BHO: (no name) - {616ED74EE-638F-499C-BF7F-7B03D4D34D6B} - (no file)
O2 - BHO: (no name) - {66ED74EE-638F-499C-BF7F-7B03D4D34D6B} - C:\WIN\system32\cewmd.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WIN\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {D6376DD2-C2BD-49B2-A1B1-138F869633F3} (ASPRO Installer Class) - http://acs.pandasoftware.com/activescanpro/as5/asproinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CC67E8EB-8EDA-44F7-A5B8-43381764A2FB}: NameServer = 66.82.4.8,66.82.4.12
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WIN\system32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: Z-SAN Service (Z-SANService) - Zetera Corporation - C:\Program Files\NETGEAR\NETGEAR Storage Central Manager Utility\Z-SANService.exe

--
End of file - 4864 bytes

Hi Arrowheadalpines

Let's check first what that is.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows (http://www.xtra.co.nz/help/0,,4155-1916458,00.html)

Please click this link-->Jotti (http://virusscan.jotti.org/)

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

C:\WIN\system32\cewmd.dll

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

please tell me how to get rid of this thing

File cewmd.dll received on 12.09.2007 02:37:21 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED


Result: 20/32 (62.5%)
Loading server information...
Your file is queued in position: 4.
Estimated start time is between 47 and 68 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:


Antivirus Version Last Update Result
AhnLab-V3 2007.12.8.0 2007.12.07 -
AntiVir 7.6.0.40 2007.12.07 TR/BHO.abo.5
Authentium 4.93.8 2007.12.08 -
Avast 4.7.1098.0 2007.12.08 -
AVG 7.5.0.503 2007.12.08 Generic9.AAUM
BitDefender 7.2 2007.12.09 Trojan.Spy.Bzub.NGP
CAT-QuickHeal 9.00 2007.12.08 Trojan.BHO.abo
ClamAV 0.91.2 2007.12.09 -
DrWeb 4.44.0.09170 2007.12.08 Trojan.DownLoader.37561
eSafe 7.0.15.0 2007.12.06 -
eTrust-Vet 31.3.5361 2007.12.08 Win32/Kvol.I
Ewido 4.0 2007.12.08 -
FileAdvisor 1 2007.12.09 -
Fortinet 3.14.0.0 2007.12.08 -
F-Prot 4.4.2.54 2007.12.08 -
F-Secure 6.70.13030.0 2007.12.08 Trojan.Win32.BHO.abo
Ikarus T3.1.1.12 2007.12.09 Trojan-PWS.Win32.Lmir
Kaspersky 7.0.0.125 2007.12.09 Trojan.Win32.BHO.abo
McAfee 5181 2007.12.08 -
Microsoft 1.3007 2007.12.09 TrojanSpy:Win32/Bzub.GB.dll
NOD32v2 2711 2007.12.07 Win32/BHO.ABO
Norman 5.80.02 2007.12.07 W32/BHO.ATF
Panda 9.0.0.4 2007.12.09 Adware/AVSystemCare
Prevx1 V2 2007.12.09 Trojan.DoS.Win32.Opdos
Rising 20.21.42.00 2007.12.07 -
Sophos 4.24.0 2007.12.09 Troj/BHO-EE
Sunbelt 2.2.907.0 2007.12.07 -
Symantec 10 2007.12.09 Trojan Horse
TheHacker 6.2.9.153 2007.12.07 Trojan/BHO.abo
VBA32 3.12.2.5 2007.12.07 Trojan.Win32.BHO.abo
VirusBuster 4.3.26:9 2007.12.08 Trojan.BHO.OU
Webwasher-Gateway 6.6.2 2007.12.08 Trojan.BHO.abo.5
Additional information
File size: 91392 bytes
MD5: 00c3f13eaaa6fe766b4897f8e110eed0
SHA1: 29837de44b93fd847fd2e174b3faf391ea72bd0a
PEiD: -
packers: UPX
packers: UPX
packers: PE_Patch.UPX, UPX
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PX5=CADEE0140037865165C0016D91AC7E00B9007180

Hi

We attempt to remove it with Combofix:

1. Download combofix from one of these links and save it to Desktop:
Link1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link2 (http://subs.geekstogo.com/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

Post:

- a fresh HijackThis log
- combofix report

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

If it had been 10 days or more since your last post, and especially if the helper assisting you posted a response to that post to which you did not reply, the topic will not be reopened.

In that situation, if you still require help, it would be best to start a new topic and include a fresh HijackThis log with a link to your original thread.

Everyone else please begin a New Topic.