Coolwebsearch - Cannot Remove

cromwell_4 · July 20, 2005

I have discovered CoolWebSearch on a users computer when running AdAware. I have tried to remove it but IE will launch a search site. McAfee Virus Guard detects se.dll but this keeps reappearing.

I found a post with instructions on manually removing this but cannot update AboutBuster, and get an error after it has run - runtime error 339 - component 'comtl32.ocx' or one of its dependencies not correctly registered: a file is missing or invalid.

Here is the hijack log

Logfile of HijackThis v1.99.1

Scan saved at 14:55:55, on 20/07/2005

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\ibmpmsvc.exe

C:\WINNT\system32\Ati2evxx.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\PROGRA~1\PEREGR~1\DESKTO~1\bin\iftlsnr.exe

C:\WINNT\floplock.exe

C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

C:\Program Files\Network Associates\VirusScan\vstskmgr.exe

C:\program files\notes\ntmulti.exe

C:\WINNT\system32\NALNTSRV.EXE

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\TpKmpSVC.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\System32\mspmspsv.exe

C:\WINNT\system32\svchost.exe

C:\PROGRA~1\Xpoint\xpadmin\xpadmin.exe

C:\PROGRA~1\Xpoint\agent\Xpagent.exe

C:\WINNT\System32\wm.exe

C:\PROGRA~1\Xpoint\EEClient\xpclient.exe

C:\NOVELL\ZENRC\wuser32.exe

C:\WINNT\system32\cmd.exe

C:\PROGRA~1\Xpoint\SAS\jre\bin\javaw.exe

C:\NOVELL\ZENRC\WUOLService.exe

C:\WINNT\system32\Ati2evxx.exe

C:\WINNT\Explorer.EXE

C:\WINNT\system32\ltmsg.exe

C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe

C:\WINNT\System32\dpmw32.exe

C:\WINNT\system32\NWTRAY.EXE

C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe

C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE

C:\WINNT\AGRSMMSG.exe

C:\Program Files\IBM\Messages By IBM\ibmmessages.exe

C:\Program Files\Xpoint\PE\Skin\rrpcsb.exe

C:\WINNT\system32\RunDll32.exe

C:\Program Files\Xpoint\PE\pcrecsa.exe

C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

C:\WINNT\system32\TpShocks.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINNT\system32\internat.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\WINNT\system32\rundll32.exe

C:\Program Files\Network Associates\VirusScan\mcshield.exe

C:\Program Files\Microsoft Office\Office\WINWORD.EXE

C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

C:\aboutbuster\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =

res://C:\DOCUME~1\richarnl\LOCALS~1\Temp\se.dll/space.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =

res://C:\DOCUME~1\richarnl\LOCALS~1\Temp\se.dll/space.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer =

195.51.87.140:8080

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride =

170.230.*;213.62.*;62.185.95.179;*.cpb.com;*.soups.com;<local>

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program

Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {B9D65F0D-A3C3-408D-BA0B-2C4A6139387C} - C:\WINNT\system32\hhnj.dll

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} -

C:\WINNT\System32\msdxm.ocx

O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe

O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9

O4 - HKLM\..\Run: [tourpath] regedit /s c:\winnt\tour.reg

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [TP4EX] tp4ex.exe

O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe

O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"

O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client

Access\cwbinhlp.exe"

O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client

Access\cwbckver.exe" LOGIN

O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client

Access\cwbwlwiz.exe"

O4 - HKLM\..\Run: [NDPS] C:\WINNT\System32\dpmw32.exe

O4 - HKLM\..\Run: [ZENRC Tray Icon] zentray.exe

O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common

Framework\UpdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE"

/STANDALONE

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe

O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update

Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [uC_Start] C:\IBMTools\Updater\ucstartup.exe

O4 - HKLM\..\Run: [Rapid Restore] C:\Program Files\Xpoint\PE\Skin\rrpcsb.exe

O4 - HKLM\..\Run: [bMMGAG] RunDll32

C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor

O4 - HKLM\..\Run: [bMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE

O4 - HKLM\..\Run: [bMMMONWND] rundll32.exe

C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor

O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

O4 - HKLM\..\Run: [TpShocks] TpShocks.exe

O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\richarnl\LOCALS~1\Temp\se.dll,DllInstall

O4 - HKCU\..\Run: [internat.exe] internat.exe

O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

C:\WINNT\System32\msjava.dll

O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

C:\WINNT\System32\msjava.dll

O11 - Options group: [JAVA_IBM] Java (IBM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=about:blank

O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) -

http://dccamus01.soups.com/qp2.cab

O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) -

https://www-3.ibm.com/pc/support/access/sdc...ad/IbmEgath.cab

O16 - DPF: {95E52A86-61B2-11D6-976A-00B0D09A3628} (ProjectBPSInterface3.BPSInterface3) -

http://worldpanel.tns-global.com/Worldpane...SInterface3.CAB

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = eu.cpb.com

O17 - HKLM\System\CCS\Services\Tcpip\..\{3A22ECFD-1D48-4F30-A047-F4AB3D5657DC}: Domain =

europe.soups.com

O17 - HKLM\System\CCS\Services\Tcpip\..\{E6B6CEA5-4CF2-4550-9CCB-E7A8F1B20603}: Domain =

europe.soups.com

O17 - HKLM\System\CCS\Services\Tcpip\..\{E6B6CEA5-4CF2-4550-9CCB-E7A8F1B20603}: NameServer =

170.230.236.46,170.230.236.36

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = eu.cpb.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList =

eu.cpb.com,cpb.com,europe.soups.com,soups.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = eu.cpb.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList =

eu.cpb.com,cpb.com,europe.soups.com,soups.com

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList =

eu.cpb.com,cpb.com,europe.soups.com,soups.com

O18 - Filter: text/html - {FA713029-439F-41FE-A74E-6EE1BD142EEE} -

C:\WINNT\system32\hhnj.dll

O18 - Filter: text/plain - {FA713029-439F-41FE-A74E-6EE1BD142EEE} -

C:\WINNT\system32\hhnj.dll

O23 - Service: Peregrine Listener 6.0.1 (agtlsnr601) - Peregrine Systems, Inc. -

C:\PROGRA~1\PEREGR~1\DESKTO~1\bin\iftlsnr.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe

O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. -

C:\WINNT\system32\cusrvc.exe

O23 - Service: Client Access Express Remote Command (Cwbrxd) - IBM Corporation -

C:\WINNT\CWBRXD.EXE

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software

Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: floppylock - Unknown owner - C:\WINNT\floplock.exe

O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\system32\ibmpmsvc.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. -

C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. -

C:\Program Files\Network Associates\VirusScan\mcshield.exe

O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. -

C:\Program Files\Network Associates\VirusScan\vstskmgr.exe

O23 - Service: Multi-user Cleanup Service - Unknown owner - C:\program

files\notes\ntmulti.exe

O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. -

C:\WINNT\system32\NALNTSRV.EXE

O23 - Service: Remote management (Novell WUser Agent) - Novell, Inc. -

C:\NOVELL\ZENRC\wuser32.exe

O23 - Service: Xpoint PCRadmin Server (PCRadminServer) - Unknown owner -

C:\PROGRA~1\Xpoint\PE\pcradmin.exe

O23 - Service: PictureTaker - LANovation - C:\WINNT\System32\PCTKRNT.SYS

O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner -

C:\WINNT\system32\PsaSrv.exe

O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINNT\system32\TpKmpSVC.exe

O23 - Service: Novell Workstation Manager (WM) - Novell, Inc. - C:\WINNT\System32\wm.exe

O23 - Service: WUOLservice (WUOLService) - Novell, Inc. - C:\NOVELL\ZENRC\WUOLService.exe

O23 - Service: Xpoint Admin Server (XPadminServer) - Unknown owner -

C:\PROGRA~1\Xpoint\xpadmin\xpadmin.exe

O23 - Service: Xpoint Agent Server (xpAgentServer) - Unknown owner -

C:\PROGRA~1\Xpoint\agent\Xpagent.exe

Hoping you can help, as there are 2 users who have the same problem. I have installed Mozilla Firefox as a temporary solution.

Many thanks,

Claire (newbie!!)

therock247uk · July 20, 2005

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

This will likely be a few step process in removing the malware that has infected your system. I encourage you to stick with it and follow my directions as closely as possible so as to avoid complicating the problem further.

You have a nasty CoolWebSearch infection. First we will need to download a few tools that will help us in the removal of your problem.

Download about:buster by RubbeRDuckY Here.

Download CWShredder Here.

Download SpSeHjfix Here.

Download and install CleanUp! Here

Save all of these files somewhere you will remember like to the Desktop.

Unzip SpSeHjfix to its own folder (ie c:\SpSeHjfix)

Run the CleanUp! installer. You dont need to do anything with it right now.

Update About:Buster

Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
Click "OK" at the prompt with instructions.
Click "Update" and then "Check For Update" to begin the update process.
If any updates exist please download them by clicking "Download Update" then click the X to close that window.
Now close About:Buster

Update CWShredder

Open CWShredder and click I AGREE
Click Check For Update
Close CWShredder

Boot into Safe Mode:

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please run about:buster by RubbeRDuckY:

Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
Click Yes to allow it to shutdown explorer.exe.
It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.
Reboot your computer into safe mode again

Run about:buster again following the same instructions as above, this time without the restart at the end

Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.

Now run SpSeHjfix. A log will be saved in the same folder that you put the exe into. Please post the results of that log in your next reply.

Now run CleanUp!. Click CleanUp and allow it to delete all the temporary files.Reboot your computer into normal windows.

Please run an on-line virus scan at Kaspersky OnLine Scan or if that doesnt work, you can use TrendMicro or BitDefender. (Please post the results of the scan(s) in your next reply)

After all that, please post back with how things went as well as the logs requested and a new HiJackThis log.

Good Luck

cromwell_4 · July 21, 2005

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.
This will likely be a few step process in removing the malware that has infected your system. I encourage you to stick with it and follow my directions as closely as possible so as to avoid complicating the problem further.
You have a nasty CoolWebSearch infection. First we will need to download a few tools that will help us in the removal of your problem.
Download about:buster by RubbeRDuckY Here.
Download CWShredder Here.
Download SpSeHjfix Here.
Download and install CleanUp! Here
Save all of these files somewhere you will remember like to the Desktop.
Unzip SpSeHjfix to its own folder (ie c:\SpSeHjfix)
Run the CleanUp! installer. You dont need to do anything with it right now.
Update About:Buster
Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
Click "OK" at the prompt with instructions.
Click "Update" and then "Check For Update" to begin the update process.
If any updates exist please download them by clicking "Download Update" then click the X to close that window.
Now close About:Buster
Update CWShredder
Open CWShredder and click I AGREE
Click Check For Update
Close CWShredder
Boot into Safe Mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.
Please run about:buster by RubbeRDuckY:
Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
Click Yes to allow it to shutdown explorer.exe.
It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.
Reboot your computer into safe mode again
Run about:buster again following the same instructions as above, this time without the restart at the end
Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.
Now run SpSeHjfix. A log will be saved in the same folder that you put the exe into. Please post the results of that log in your next reply.
Now run CleanUp!. Click CleanUp and allow it to delete all the temporary files.Reboot your computer into normal windows.
Please run an on-line virus scan at Kaspersky OnLine Scan or if that doesnt work, you can use TrendMicro or BitDefender. (Please post the results of the scan(s) in your next reply)
After all that, please post back with how things went as well as the logs requested and a new HiJackThis log.
Good Luck
<{POST_SNAPBACK}>

cromwell_4 · July 21, 2005

I was unable to update AboutBuster - An error has occurred while updating. I ran v4.0

I was unable to update CWShredder - Unable to check for updates. I ran v2.12

I have added log file for about buster

CWShredder found a file - I have added a screen shot

I have added log file for SpSeHjfix

Sp.html - se.dll - hijack fix - this appeared after rebooting the PC into normal windows. I rebooted again

I was unable to run any of the 3 virus scans as they wanted IE and not Mozilla Firefox.

I have clicked on IE icon and nothing happens.

I used My Computer to gain access to address bar and browsed to the Trendmicro scan which is currently running undefined- I selected virus and spy ware

I have aslo run McAfee Virus scan and no infected files have been found.

I have added the hijack file as requested

How do I get IE to launch again?

Thanks for you help so far,

Claire

logs.zip

therock247uk · July 21, 2005

Can you post the Hijackthis log here in a reply. Not attach

cromwell_4 · July 22, 2005

Logfile of HijackThis v1.99.1

Scan saved at 17:20:18, on 21/07/2005

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\ibmpmsvc.exe

C:\WINNT\system32\Ati2evxx.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\PROGRA~1\PEREGR~1\DESKTO~1\bin\iftlsnr.exe

C:\WINNT\floplock.exe

C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

C:\Program Files\Network Associates\VirusScan\mcshield.exe

C:\Program Files\Network Associates\VirusScan\vstskmgr.exe

C:\program files\notes\ntmulti.exe

C:\WINNT\system32\NALNTSRV.EXE

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\TpKmpSVC.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\System32\mspmspsv.exe

C:\WINNT\system32\svchost.exe

C:\PROGRA~1\Xpoint\xpadmin\xpadmin.exe

C:\PROGRA~1\Xpoint\agent\Xpagent.exe

C:\WINNT\System32\wm.exe

C:\NOVELL\ZENRC\wuser32.exe

C:\PROGRA~1\Xpoint\EEClient\xpclient.exe

C:\WINNT\system32\cmd.exe

C:\PROGRA~1\Xpoint\SAS\jre\bin\javaw.exe

C:\NOVELL\ZENRC\WUOLService.exe

C:\WINNT\system32\Ati2evxx.exe

C:\WINNT\Explorer.EXE

C:\WINNT\system32\ltmsg.exe

C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe

C:\WINNT\System32\dpmw32.exe

C:\WINNT\system32\NWTRAY.EXE

C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe

C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE

C:\WINNT\AGRSMMSG.exe

C:\Program Files\IBM\Messages By IBM\ibmmessages.exe

C:\Program Files\Xpoint\PE\Skin\rrpcsb.exe

C:\WINNT\system32\RunDll32.exe

C:\Program Files\Xpoint\PE\pcrecsa.exe

C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

C:\WINNT\system32\TpShocks.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINNT\system32\internat.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\Network Associates\VirusScan\scan32.exe

C:\aboutbuster\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 195.51.87.140:8080

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 170.230.*;213.62.*;62.185.95.179;*.cpb.com;*.soups.com;<local>

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe

O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9

O4 - HKLM\..\Run: [tourpath] regedit /s c:\winnt\tour.reg

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [TP4EX] tp4ex.exe

O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe

O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"

O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"

O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN

O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"

O4 - HKLM\..\Run: [NDPS] C:\WINNT\System32\dpmw32.exe

O4 - HKLM\..\Run: [ZENRC Tray Icon] zentray.exe

O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe

O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [uC_Start] C:\IBMTools\Updater\ucstartup.exe

O4 - HKLM\..\Run: [Rapid Restore] C:\Program Files\Xpoint\PE\Skin\rrpcsb.exe

O4 - HKLM\..\Run: [bMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor

O4 - HKLM\..\Run: [bMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE

O4 - HKLM\..\Run: [bMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor

O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

O4 - HKLM\..\Run: [TpShocks] TpShocks.exe

O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKCU\..\Run: [internat.exe] internat.exe

O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll

O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll

O11 - Options group: [JAVA_IBM] Java (IBM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=about:blank

O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://dccamus01.soups.com/qp2.cab

O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www-3.ibm.com/pc/support/access/sdc...ad/IbmEgath.cab

O16 - DPF: {95E52A86-61B2-11D6-976A-00B0D09A3628} (ProjectBPSInterface3.BPSInterface3) - http://worldpanel.tns-global.com/Worldpane...SInterface3.CAB

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = eu.cpb.com

O17 - HKLM\System\CCS\Services\Tcpip\..\{3A22ECFD-1D48-4F30-A047-F4AB3D5657DC}: Domain = europe.soups.com

O17 - HKLM\System\CCS\Services\Tcpip\..\{E6B6CEA5-4CF2-4550-9CCB-E7A8F1B20603}: Domain = europe.soups.com

O17 - HKLM\System\CCS\Services\Tcpip\..\{E6B6CEA5-4CF2-4550-9CCB-E7A8F1B20603}: NameServer = 170.230.236.46,170.230.236.36

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = eu.cpb.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = eu.cpb.com,cpb.com,europe.soups.com,soups.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = eu.cpb.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = eu.cpb.com,cpb.com,europe.soups.com,soups.com

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = eu.cpb.com,cpb.com,europe.soups.com,soups.com

O23 - Service: Peregrine Listener 6.0.1 (agtlsnr601) - Peregrine Systems, Inc. - C:\PROGRA~1\PEREGR~1\DESKTO~1\bin\iftlsnr.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe

O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINNT\system32\cusrvc.exe

O23 - Service: Client Access Express Remote Command (Cwbrxd) - IBM Corporation - C:\WINNT\CWBRXD.EXE

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: floppylock - Unknown owner - C:\WINNT\floplock.exe

O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\system32\ibmpmsvc.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe

O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe

O23 - Service: Multi-user Cleanup Service - Unknown owner - C:\program files\notes\ntmulti.exe

O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\WINNT\system32\NALNTSRV.EXE

O23 - Service: Remote management (Novell WUser Agent) - Novell, Inc. - C:\NOVELL\ZENRC\wuser32.exe

O23 - Service: Xpoint PCRadmin Server (PCRadminServer) - Unknown owner - C:\PROGRA~1\Xpoint\PE\pcradmin.exe

O23 - Service: PictureTaker - LANovation - C:\WINNT\System32\PCTKRNT.SYS

O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINNT\system32\PsaSrv.exe

O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINNT\system32\TpKmpSVC.exe

O23 - Service: Novell Workstation Manager (WM) - Novell, Inc. - C:\WINNT\System32\wm.exe

O23 - Service: WUOLservice (WUOLService) - Novell, Inc. - C:\NOVELL\ZENRC\WUOLService.exe

O23 - Service: Xpoint Admin Server (XPadminServer) - Unknown owner - C:\PROGRA~1\Xpoint\xpadmin\xpadmin.exe

O23 - Service: Xpoint Agent Server (xpAgentServer) - Unknown owner - C:\PROGRA~1\Xpoint\agent\Xpagent.exe

therock247uk · July 22, 2005

1. Open Hijackthis and click scan. Then tick and fix the following in Hijackthis with all windows closed except Hijackthis.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

2. Then post a new Hijackthis log here in a reply.

cromwell_4 · July 26, 2005

Here is the new hijack this log.

Logfile of HijackThis v1.99.1

Scan saved at 13:56:40, on 26/07/2005