Thread: Trying to get rid of CoolWWWSearch.WCADW (Hijackthis log)

  1. #1 Junior Member (Join Date: Nov 2005, Posts: 0)

    Trying to get rid of CoolWWWSearch.WCADW (Hijackthis log)

    Ok - can someone _please_ help me here....

    Thanks
    Will

    Here is the Hijackthis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 2:19:36 AM, on 11/20/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\explorer.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
    C:\WINDOWS\system32\paytime.exe
    C:\WINDOWS\tool2.exe
    C:\windows\adtech2005.exe
    C:\WINDOWS\system32\vidmon\vidmon.exe
    C:\WINDOWS\system32\paytime.exe
    C:\WINDOWS\tool2.exe
    C:\PROGRA~1\COMMON~1\wfoo\wfoom.exe
    C:\PROGRA~1\COMMON~1\wfoo\wfooa.exe
    C:\WINDOWS\d2lsbA\command.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Executive Software\Diskeeper\DkService.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\Program Files\ewido\security suite\ewidoguard.exe
    C:\WINDOWS\SYSTEM32\GEARSEC.EXE
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\will\Desktop\HijackThis.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\taskmgr.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
    F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
    O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
    O4 - HKLM\..\Run: [timessquare] C:\windows\timessquare.exe
    O4 - HKLM\..\Run: [adtech2005] C:\windows\adtech2005.exe
    O4 - HKLM\..\Run: [vidmon] C:\WINDOWS\system32\vidmon\vidmon.exe
    O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
    O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
    O4 - HKCU\..\Run: [wfoo] C:\PROGRA~1\COMMON~1\wfoo\wfoom.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1121906418046
    O16 - DPF: {8B7D2210-CC81-4F59-A486-4409FB485D4A} (RegConfig Class) - http://www2.verizon.net/help/fios_se...zTCPConfig.cab
    O20 - Winlogon Notify: msupdate - C:\WINDOWS\SYSTEM32\msupdate32.dll
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
    O20 - Winlogon Notify: Telephony - C:\WINDOWS\system32\ksdsp.dll (file missing)
    O21 - SSODL: SysTray.Exbr - {6368D1FC-6F5C-4f1b-B164-E67214F678E9} - C:\WINDOWS\system32\oehjadlc.dll (file missing)
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\d2lsbA\command.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
    O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\SYSTEM32\GEARSEC.EXE
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

  2. #2 Junior Member (Join Date: Nov 2005, Posts: 0)

    One more problem....

    Oh and I have Desktop.ActiveDesktop too (that I can't get rid of...)

  3. #3 Security Expert-Emeritus (Join Date: Oct 2005, Posts: 5,025)

    Hi Will,
    Welcome to the forum.
    Let's check first with a log from BlackLight.
    Download and run BlackLight:
    F-Secure BlackLight: http://www.f-secure.com/blacklight/try.shtml
    Leave [X] scan through Windows Explorer checked,
    click > Scan, then > Next, Next again, then Exit.
    There will be a new .txt file near BlackLight. Post it please.

  4. #4 Junior Member (Join Date: Nov 2005, Posts: 0)

    I am running ewido too (FYI).

    Ran BlackLight, but the log is about 30x the character limit... here is the very beginning, in case there is something I can search for (or if you have other ideas how to get this log to you...).

    11/20/05 09:58:24 [Info]: BlackLight Engine 1.0.25 initialized
    11/20/05 09:58:24 [Info]: OS: 5.1 build 2600 (Service Pack 2)
    11/20/05 09:58:25 [Note]: 4019 4
    11/20/05 09:58:25 [Note]: 4005 0
    11/20/05 09:58:29 [Note]: 4006 0
    11/20/05 09:58:29 [Note]: 4011 1968
    11/20/05 09:58:30 [Note]: 4018 156
    11/20/05 09:58:30 [Info]: Hidden process: C:\WINDOWS\SYSTEM32\ASYQDVD.EXE
    11/20/05 09:58:30 [Note]: 4018 204
    11/20/05 09:58:30 [Info]: Hidden process: C:\PROGRAM FILES\QUIINTEL\OCCSENS.EXE
    11/20/05 09:58:30 [Note]: FSRAW library version 1.7.1013
    11/20/05 09:58:31 [Info]: Hidden file: C:\Program Files\Quiintel\ace.dll
    11/20/05 09:58:31 [Note]: 4002 0
    11/20/05 09:58:31 [Note]: 4003 1
    11/20/05 09:58:31 [Note]: 10002 3
    11/20/05 09:58:31 [Info]: Hidden file: C:\Program Files\Quiintel\AI_19-11-2005.log
    11/20/05 09:58:31 [Note]: 4002 0
    11/20/05 09:58:31 [Note]: 4003 1
    11/20/05 09:58:31 [Note]: 10002 3
    11/20/05 09:58:31 [Info]: Hidden file: C:\Program Files\Quiintel\AI_20-11-2005.log
    11/20/05 09:58:31 [Note]: 4002 0
    11/20/05 09:58:31 [Note]: 4003 1
    11/20/05 09:58:31 [Note]: 10002 3

  5. #5 Junior Member (Join Date: Nov 2005, Posts: 0)

    More interesting excerpts from BlackLight:
    11/20/05 09:58:40 [Info]: Hidden file: C:\Program Files\Quiintel\Cache\00003ea4_43800659_00090f56
    11/20/05 09:58:40 [Note]: 4002 0
    11/20/05 09:58:40 [Note]: 4003 1
    11/20/05 09:58:40 [Note]: 10002 3
    11/20/05 09:58:40 [Info]: Hidden file: C:\Program Files\Quiintel\Cache\00003ed5_43800670_00094c5f
    11/20/05 09:58:40 [Note]: 4002 0
    11/20/05 09:58:40 [Note]: 4003 1
    11/20/05 09:58:40 [Note]: 10002 3
    11/20/05 09:58:40 [Info]: Hidden file: C:\Program Files\Quiintel\Cache\00003ee9_438004a4_000b34a7
    11/20/05 09:58:40 [Note]: 4002 0
    11/20/05 09:58:40 [Note]: 4003 1
    11/20/05 09:58:40 [Note]: 10002 3
    11/20/05 09:58:40 [Info]: Hidden file: C:\Program Files\Quiintel\data.bin
    11/20/05 09:58:40 [Note]: 4002 0
    11/20/05 09:58:40 [Note]: 4003 1
    11/20/05 09:58:40 [Note]: 10002 3
    11/20/05 09:58:40 [Info]: Hidden file: C:\PROGRAM FILES\QUIINTEL\OCCSENS.EXE
    11/20/05 09:58:40 [Note]: 4002 0
    11/20/05 09:58:40 [Note]: 4003 1
    11/20/05 09:58:40 [Note]: 10002 3
    11/20/05 09:58:40 [Info]: Hidden file: C:\Program Files\Quiintel\qoses.exe
    11/20/05 09:58:40 [Note]: 4002 0
    11/20/05 09:58:40 [Note]: 4003 1
    11/20/05 09:58:40 [Note]: 10002 3
    11/20/05 09:58:40 [Info]: Hidden file: C:\Program Files\Quiintel\WinGenerics.dll
    11/20/05 09:58:40 [Note]: 4002 0
    11/20/05 09:58:40 [Note]: 4003 1

    and

    11/20/05 09:58:50 [Note]: 10002 3
    11/20/05 09:58:51 [Info]: Hidden file: C:\WINDOWS\system32\drivers\mskbport.sys
    11/20/05 09:58:51 [Note]: 4002 0
    11/20/05 09:58:51 [Note]: 4003 1
    11/20/05 09:58:51 [Note]: 10002 1
    11/20/05 09:58:54 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\ASYQDVD.EXE
    11/20/05 09:58:54 [Note]: 4002 0
    11/20/05 09:58:54 [Note]: 4003 1
    11/20/05 09:58:54 [Note]: 10002 1

  6. #6 Security Expert-Emeritus (Join Date: Oct 2005, Posts: 5,025)

    Hi

    Make a folder at this location, C:\antispyware, and place hijackthis.exe there!!

    Set Windows to show hidden files, folders and file extensions.
    Click for instructions.
    You may want to print out these instructions for reference, since you will have to restart your computer during the fix.
    Please download AproposFix from here:
    http://swandog46.geekstogo.com/aproposfix.exe
    Save it to your desktop but do NOT run it yet.

    Start HijackThis and place a check next to these items, if present.
    Close all browser windows and shut down all other programs that show in the taskbar (even folders).
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
    F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
    O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
    O4 - HKLM\..\Run: [timessquare] C:\windows\timessquare.exe
    O4 - HKLM\..\Run: [adtech2005] C:\windows\adtech2005.exe
    O4 - HKLM\..\Run: [vidmon] C:\WINDOWS\system32\vidmon\vidmon.exe
    O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
    O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
    O4 - HKCU\..\Run: [wfoo] C:\PROGRA~1\COMMON~1\wfoo\wfoom.exe
    O20 - Winlogon Notify: msupdate - C:\WINDOWS\SYSTEM32\msupdate32.dll
    O20 - Winlogon Notify: Telephony - C:\WINDOWS\system32\ksdsp.dll (file missing)
    ====================================
    Hit Fix checked and close HijackThis.

    Then please reboot your computer in Safe Mode by doing the following:
    1) Restart your computer
    2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
    3) Instead of Windows loading as normal, a menu should appear
    4) Select the first option, to run Windows in Safe Mode.
    If you miss Safe Mode, try again.

    Once in Safe Mode, please double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.

    When the tool is finished, do a full scan with Ewido, SpyBot, and your antivirus program, one at a time.

    Find and delete (ONLY THESE EXACT) files and folders (if present):
    C:\WINDOWS\system32\mspostsp.exe
    C:\WINDOWS\system32\msupdate32.dll
    c:\windows\system32\mdms.exe
    C:\WINDOWS\system32\child.dll
    C:\WINDOWS\system32\floop32.dll
    C:\WINDOWS\system32\latest.exe
    C:\WINDOWS\system32\paytime.exe
    C:\WINDOWS\system32\sysvcs.exe
    C:\WINDOWS\system32\temploader.exe
    C:\WINDOWS\system32\winacpi.dll
    C:\WINDOWS\system32\winuc386.exe
    C:\WINDOWS\system32\zlbw.dll
    C:\WINDOWS\system32\~update.exe
    C:\WINDOWS\B.tmp
    C:\WINDOWS\desktop.html
    C:\WINDOWS\hammer.exe
    C:\WINDOWS\kl.exe
    C:\WINDOWS\ms1.exe
    C:\WINDOWS\secure32.html
    C:\WINDOWS\sstray.exe
    C:\WINDOWS\tool2.exe
    C:\WINDOWS\tool3.exe
    C:\WINDOWS\tool4.exe
    C:\WINDOWS\tool5.exe
    C:\WINDOWS\uniq
    C:\WINDOWS\toolbar.exe
    C:\WINDOWS\winext.exe
    C:\windows\timessquare.exe
    C:\windows\adtech2005.exe
    C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe
    c:\secure32.html
    and these folders:
    C:\WINDOWS\d2lsbA\command.exe
    C:\WINDOWS\system32\vidmon\vidmon.exe
    C:\Program Files\Common Files\wfoo\wfoom.exe


    Open a command prompt (Start > Run, type cmd) and type in
    sc delete cmdService
    Hit Enter, type exit, hit Enter.

    In the Windows Control Panel click Display > Desktop > Customize Desktop > Web > uncheck "Security"
    if present. Now back on the first tab of Display you can change your wallpaper.

    Reboot back into normal mode, and post a new HijackThis log, along with the entire contents of the log.txt file in the aproposfix folder.

  7. #7 Junior Member (Join Date: Nov 2005, Posts: 0)

    Ok - here are the notes:
    AproposFix generated an IP error (I did not boot into Safe Mode with networking)
    Ewido found and corrected 26 items
    Spybot found: Desktop.ActiveDesktop and Smitfraud-C
    Symantec AV found no viruses
    From the list of files to delete I found:
    Desktop.html (x2)
    Secure32.html (x2)
    uniq

    Here is the Hijackthis log:
    Logfile of HijackThis v1.99.1
    Scan saved at 5:52:07 PM, on 11/20/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Executive Software\Diskeeper\DkService.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\Program Files\ewido\security suite\ewidoguard.exe
    C:\WINDOWS\SYSTEM32\GEARSEC.EXE
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\WINDOWS\system32\imapi.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Antispyware\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1121906418046
    O16 - DPF: {8B7D2210-CC81-4F59-A486-4409FB485D4A} (RegConfig Class) - http://www2.verizon.net/help/fios_se...zTCPConfig.cab
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
    O21 - SSODL: SysTray.Exbr - {6368D1FC-6F5C-4f1b-B164-E67214F678E9} - C:\WINDOWS\system32\oehjadlc.dll (file missing)
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
    O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\SYSTEM32\GEARSEC.EXE
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

    Here is the log for AproposFix:
    Log of AproposFix v1

    ************

    Running from directory:
    C:\Documents and Settings\will\Desktop\aproposfix

    ************

    Registry entries found:

    [HKEY_LOCAL_MACHINE\Software\CrTTEAB9gN79]
    @=".qpO0OKZaaZaabaHMHV.QUZaaZpca5v q\\51aRXRSDLgfaCQHUDQRaLRJAONQSbRXR"
    "Device"="\\\\.\\iniwPrv"
    "DriverPath"="C:\\WINDOWS\\system32\\drivers\\mskbport.sys"
    "DriverName"="PDCpRpl"
    "HideUninstallerName"="C:\\Program Files\\Quiintel\\qoses.exe"
    "HDll"="C:\\WINDOWS\\system32\\odeights.dll"
    "ServerAddress"="adchannel.contextplus.net"
    "LegalNote"="http://adchannel.contextplus.net/legal-note/nonbranded.html"
    "PartnerId"="CP.LAV"
    "InstallationId"="{Xa56007f-fede-163b-9e3a-0a3a70f1b977}"
    "PageFiltering"=dword:00000001
    "CrMnTmt"=dword:0036ee80
    "ClientName"="C:\\Program Files\\Quiintel\\occsens.exe"
    "AutoUpdater"="C:\\WINDOWS\\system32\\asyqdvd.exe"
    "Version"="2.0.128"

    ************

    Removing hidden service:
    Service PDCpRpl removed.

    Removing hidden folder:
    Deletion of folder Quiintel succeeded!

    Deleting files:

    Deletion of file C:\WINDOWS\system32\drivers\mskbport.sys succeeded!
    Deletion of file C:\WINDOWS\system32\asyqdvd.exe succeeded!
    Deletion of file C:\WINDOWS\system32\odeights.dll succeeded!

    Backing up files:
    Done!

    Removing registry entries:

    REGEDIT4

    [-HKEY_CURRENT_USER\Software\CrTTEAB9gN79]
    [-HKEY_LOCAL_MACHINE\Software\CrTTEAB9gN79]

    Done!

    Finished!
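An added example, not part of the thread and not HijackThis's own code: a small Python script that parses HijackThis entry lines like the ones in the two logs above, flags the patterns the fix list targeted (IE page settings pointing at a local file, a system.ini Shell= carrying more than explorer.exe, Run entries launching a bare .exe from the Windows root, Winlogon Notify and SSODL hooks marked "file missing"), and diffs a before/after pair of logs to confirm what the fix removed. The two sample logs are constructed, abridged from the thread's own; the heuristics are this example's, not HijackThis's.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# HijackThis entry line: section code (R0, F2, O4, O20, ...), " - ", body.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.+)$")
# A loose executable in the Windows root, e.g. C:\windows\timessquare.exe
WINROOT_EXE_RE = re.compile(r'^"?[a-z]:\\windows\\[^\\"]+\.exe\b', re.I)
# A drive-letter path where a URL was expected, e.g. c:\secure32.html
LOCAL_PATH_RE = re.compile(r"^[a-z]:\\", re.I)


@dataclass(frozen=True)
class Entry:
    code: str
    body: str


def parse_hjt(text: str) -> List[Entry]:
    """Keep only entry lines; the header and 'Running processes' are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("code"), m.group("body")))
    return entries


def flag(entry: Entry) -> Optional[str]:
    """Return the reason an entry looks hijacked, or None if it passes."""
    body = entry.body
    if entry.code in ("R0", "R1"):
        # Start/Search/Local Page should be a URL; a local file such as
        # c:\secure32.html is the SmitFraud/CoolWebSearch pattern.
        if LOCAL_PATH_RE.match(body.rpartition(" = ")[2]):
            return "IE page setting points at a local file"
    elif entry.code == "F2" and "Shell=" in body:
        # system.ini Shell= must be exactly explorer.exe; anything appended
        # to it is launched at every logon.
        if body.split("Shell=", 1)[1].strip().lower() != "explorer.exe":
            return "Shell= launches something besides explorer.exe"
    elif entry.code == "O4":
        # Run entries normally point into Program Files or vendor folders;
        # a bare .exe in the Windows root is a common dropper location.
        parts = body.split("] ", 1)
        if len(parts) == 2 and WINROOT_EXE_RE.match(parts[1].strip()):
            return "Run entry launches an .exe from the Windows root"
    elif entry.code in ("O20", "O21") and body.endswith("(file missing)"):
        # A Winlogon Notify or SSODL hook whose DLL is gone is leftover
        # persistence from a partial removal and still worth clearing.
        return "dangling Winlogon/SSODL hook (file missing)"
    return None


def triage(entries: List[Entry]) -> List[Tuple[Entry, str]]:
    """Pair each suspicious entry with the heuristic it tripped."""
    flagged = []
    for e in entries:
        reason = flag(e)
        if reason:
            flagged.append((e, reason))
    return flagged


def diff_logs(before: List[Entry], after: List[Entry]) -> Tuple[List[Entry], List[Entry]]:
    """Entries gone after the fix, and any new ones that appeared."""
    b, a = set(before), set(after)
    return [e for e in before if e not in a], [e for e in after if e not in b]


# Constructed sample, abridged from the thread's first (infected) HJT log.
BEFORE_LOG = r"""
Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [timessquare] C:\windows\timessquare.exe
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O20 - Winlogon Notify: Telephony - C:\WINDOWS\system32\ksdsp.dll (file missing)
O21 - SSODL: SysTray.Exbr - {6368D1FC-6F5C-4f1b-B164-E67214F678E9} - C:\WINDOWS\system32\oehjadlc.dll (file missing)
"""

# Constructed sample, abridged from the second (post-fix) HJT log.
AFTER_LOG = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O21 - SSODL: SysTray.Exbr - {6368D1FC-6F5C-4f1b-B164-E67214F678E9} - C:\WINDOWS\system32\oehjadlc.dll (file missing)
"""

if __name__ == "__main__":
    before, after = parse_hjt(BEFORE_LOG), parse_hjt(AFTER_LOG)
    for entry, reason in triage(before):
        print(f"BEFORE {entry.code}: {reason}")
    removed, added = diff_logs(before, after)
    print(f"{len(removed)} entries removed by the fix, {len(added)} added")
    for entry, reason in triage(after):
        print(f"STILL PRESENT {entry.code}: {reason}")
```

On the post-fix log it still flags the O21 SysTray.Exbr hook, which is the one item the next reply asks HJT to fix.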

  8. #8 Security Expert-Emeritus (Join Date: Oct 2005, Posts: 5,025)

    Looks good.

    Have HJT fix this item:
    O21 - SSODL: SysTray.Exbr - {6368D1FC-6F5C-4f1b-B164-E67214F678E9} - C:\WINDOWS\system32\oehjadlc.dll (file missing)

    How is your desktop behaving? Any other problems?

  9. #9 Junior Member (Join Date: Nov 2005, Posts: 0)

    Thanks Lonny!!!!

    Right now I am not experiencing the flood of IE windows that were opening.

    Is there anything else I should be on the lookout for (or use to make sure?)

    Thank you very much,
    Will

  10. #10 Security Expert-Emeritus (Join Date: Oct 2005, Posts: 5,025)

    Are you using McAfee antivirus and Norton?

    Next: take some preventative measures.
    Put in place a good hosts file: http://www.mvps.org/winhelp2002/hosts.htm
    How To Download and Extract the HOSTS file: http://www.mvps.org/winhelp2002/hosts2.htm
    How did that go?
    To help avoid reinfection see "So how did I get infected in the first place?"
    http://forums.spybot.info/showthread.php?t=279
