differ Posted March 4, 2006 (edited)

Hi,
I tried my best to remove CoolWebSearch without success. When I ran the updated ewido anti-malware, I found CoolWebSearch. I clicked the button to remove it but nothing happened. When the scan finished the report buttons were grey, so I couldn't get the report. After a second ewido automatically closed. I also tried CWShredder but it couldn't find anything. Can you help?

---------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 22:40:54, on 04/03/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Lin\Tool\ewido\ewido anti-malware\ewidoctrl.exe
C:\Lin\Tool\ewido\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Lin\Tool\ZoneAlarm\zlclient.exe
C:\PROGRA~1\MICROS~3\Office\OUTLOOK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\mdm.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Lin\Tool\hijackthis_199\HijackThis.exe

F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Lin\Tool\PDF\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Lin\Tool\SpybotSD14\SDHelper.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\Lin\Tool\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Lin\Tool\Kaspersky\kav.exe" /minimize
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37240.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...509/mcfscan.cab
O23 - Service: ewido security suite control - ewido networks - C:\Lin\Tool\ewido\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Lin\Tool\ewido\ewido anti-malware\ewidoguard.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Lin\Tool\Kaspersky\kavsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

Edited March 4, 2006 by differ
Dragon Posted March 5, 2006

It appears that you ran this log in safe mode or you disabled items using msconfig. Could you please post a fresh HijackThis log, making sure that everything in msconfig is set to normal startup.
To do this, click on Start > Run; in the box that pops up type msconfig and choose the button that says normal bootup. Reboot your computer and then scan and post the HijackThis log.
differ Posted March 5, 2006 (Author)

OK, this is the fresh HijackThis log after setting "Normal Startup" in msconfig. It looks longer?

Logfile of HijackThis v1.99.1
Scan saved at 17:30:12, on 05/03/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Lin\Tool\ewido\ewido anti-malware\ewidoctrl.exe
C:\Lin\Tool\ewido\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Lin\Tool\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Lin\Tool\hijackthis_199\HijackThis.exe

F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Lin\Tool\PDF\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Lin\Tool\SpybotSD14\SDHelper.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\Lin\Tool\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Lin\Tool\Kaspersky\kav.exe" /minimize
O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [sSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [iMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [babylon Client] C:\Lin\Tool\Babylon\Babylon.exe -AutoStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37240.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...509/mcfscan.cab
O23 - Service: ewido security suite control - ewido networks - C:\Lin\Tool\ewido\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Lin\Tool\ewido\ewido anti-malware\ewidoguard.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Lin\Tool\Kaspersky\kavsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe
Dragon Posted March 5, 2006

OK, that looks a lot better. I only see one problem file, off the top of my head. I have a question though: do you use this computer to debug a winserver?
differ Posted March 5, 2006 (Author)

Thank you for your response. I don't know what "debug a winserver" is. I used my computer for IIS, Java.....
Dragon Posted March 5, 2006

That answered my question.
Please go offline, close all browsers and any open windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes only next to these following items, then click Fix checked.

F2 - REG:system.ini: UserInit=userinit.exe

Reboot your PC.
If you would please, rescan with HijackThis and post a fresh log in this same topic, and let us know how your system's working.
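The F2 line Dragon asks to fix reports the Winlogon UserInit value, which HijackThis only prints when it differs from the Windows default. As an added example (not code from the thread, from HijackThis or from ewido), the Python below splits a pasted HijackThis log into entries even when the forum has stripped its line breaks, structures the F2, O4 and O23 entries, and compares the F2 value against the Windows XP default; the sample lines are copied from the logs posted above and the default values are well known.

```python
"""Parse HijackThis startup entries and check the Winlogon values behind F2 lines.

Added example (not part of the thread): the sample log lines are copied from
the logs posted above, and the Windows XP default values are well known.
"""
import re
from dataclasses import dataclass, field

# Windows XP defaults for the Winlogon values HijackThis watches.  HijackThis
# prints an F2 line only when the live value differs from these, so the line's
# presence is the signal; the comparison just makes the difference explicit.
WINLOGON_DEFAULTS = {
    "userinit": r"c:\windows\system32\userinit.exe,",  # trailing comma is part of the default
    "shell": "explorer.exe",
}

# Every entry starts with a section code (F0-F3 or O1-O24) followed by " - ".
# No word boundary is required before the code: a log pasted into a forum often
# loses its line breaks, leaving text such as "...userinit.exeO2 - BHO: ...".
ENTRY_RE = re.compile(r"(F[0-3]|O\d{1,2}) - ")
F2_RE = re.compile(r"REG:system\.ini:\s*(UserInit|Shell)=(.*)", re.IGNORECASE)
O4_RE = re.compile(r"(HK\w+\\\.\.\\\w+):\s*\[([^\]]+)\]\s*(.*)")
O23_RE = re.compile(r"Service:\s*(.+?) - (.+?) - (.+)")


@dataclass
class Entry:
    section: str  # "F2", "O4", "O23", ...
    detail: str   # text after "<section> - "


@dataclass
class Triage:
    entries: list = field(default_factory=list)
    winlogon: list = field(default_factory=list)  # dicts from check_winlogon()
    run_keys: list = field(default_factory=list)  # (hive\..\key, value name, command)
    services: list = field(default_factory=list)  # (display name, company, image path)


def split_entries(log_text: str) -> list[Entry]:
    """Recover individual entries even when the log was flattened to one line."""
    matches = list(ENTRY_RE.finditer(log_text))
    entries = []
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(log_text)
        entries.append(Entry(m.group(1), log_text[m.end():end].strip()))
    return entries


def check_winlogon(name: str, value: str) -> dict:
    """Compare a Winlogon value (from an F2 line or a registry dump) with the XP default."""
    key = name.lower()
    normalised = value.strip().lower()
    if key == "userinit" and not normalised.endswith(","):
        normalised += ","  # tolerate a dump that dropped the trailing comma
    expected = WINLOGON_DEFAULTS.get(key)
    return {
        "name": name,
        "value": value.strip(),
        "expected": expected,
        "default": expected is not None and normalised == expected,
    }


def triage(log_text: str) -> Triage:
    """Structure the startup-related entries of a HijackThis log."""
    result = Triage(entries=split_entries(log_text))
    for entry in result.entries:
        if entry.section == "F2":
            m = F2_RE.match(entry.detail)
            if m:
                result.winlogon.append(check_winlogon(m.group(1), m.group(2)))
        elif entry.section == "O4":
            m = O4_RE.match(entry.detail)
            if m:  # "Global Startup:" entries have a different shape and are left out
                result.run_keys.append((m.group(1), m.group(2), m.group(3).strip()))
        elif entry.section == "O23":
            m = O23_RE.match(entry.detail)
            if m:
                result.services.append(tuple(g.strip() for g in m.groups()))
    return result


# Constructed sample: five entries copied from the logs posted in this thread.
SAMPLE_LOG = r"""F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Lin\Tool\PDF\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\Lin\Tool\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Lin\Tool\Kaspersky\kav.exe" /minimize
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe"""

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for finding in report.winlogon:
        status = "default" if finding["default"] else "NON-DEFAULT"
        print(f"Winlogon {finding['name']} = {finding['value']!r}: {status} "
              f"(expected {finding['expected']!r})")
    for hive, name, command in report.run_keys:
        print(f"Run key {hive} [{name}] -> {command}")
    for display, company, path in report.services:
        print(f"Service {display!r} by {company!r} -> {path}")
```

Run on differ's log, the F2 value `userinit.exe` is reported as non-default because it lacks the full path; the value WinPFind shows later in the thread, `C:\WINDOWS\SYSTEM32\Userinit.exe,`, passes as the default.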
differ Posted March 5, 2006 (Author)

Hi,
After doing "Fix checked" for the item in HijackThis and rebooting the PC, I ran ewido again to scan my PC, and unfortunately the CWS is still there. This is what ewido said:

Registry: HKLM\SOFTW..\Classes\CLSID\{D2B24D87-699F-16C6-2875-242...
Infection: Adware.CoolWebSearch
Threat: High

I clicked the button in ewido to remove it but, again, nothing happened. Until the scan finished, the list in ewido still was:

Infected objects: 6
Cleaned infections: 0
Ignored infections: 0

(note: only one CWS, the rest are TrackingCookie)
Moreover, when the scan finished, the Save report and View report buttons remained grey and after a second ewido closed automatically. I just couldn't read any report. Do you think the CWS made ewido not work properly?
Dragon Posted March 5, 2006

OK, let's see if we can find it. Do you have more than one user account on the machine?

Download WinPFind
Extract WinPFind.zip to your c:\ folder.
Reboot your computer into Safe Mode.
Then open c:\WinPFind and double-click on WinPFind.exe.
When the program is open, click on the Start Scan button to start scanning your computer. Be patient as this scan may take a while.
When it is done, it will show a log and tell you the scan is completed. Reboot your computer back to normal mode and post the contents of c:\WinPFind\WinPFind.txt as a reply to this topic.
differ Posted March 5, 2006 (Author)

Hi,
Please check the following report from WinPFind; it is a quite big report:

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.
If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 2600
Internet Explorer Version: 6.0.2600.0000

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
KavSvc 01/03/2006 19:20:12 1383 C:\WINDOWS\IE4 Error Log.txt
UPX! 03/05/2005 11:44:44 25157 C:\WINDOWS\RMAgentOutput.dll
UPX! 10/01/2005 16:17:24 170053 C:\WINDOWS\tsc.exe
PECompact2 21/07/2005 10:16:24 15400675 C:\WINDOWS\lpt$vpn.741
qoologic 21/07/2005 10:16:24 15400675 C:\WINDOWS\lpt$vpn.741
SAHAgent 21/07/2005 10:16:24 15400675 C:\WINDOWS\lpt$vpn.741
UPX! 18/02/2005 18:40:14 1044560 C:\WINDOWS\vsapi32.dll
aspack 18/02/2005 18:40:14 1044560 C:\WINDOWS\vsapi32.dll
PECompact2 21/07/2005 10:16:24 15400675 C:\WINDOWS\VPTNFILE.741
qoologic 21/07/2005 10:16:24 15400675 C:\WINDOWS\VPTNFILE.741
SAHAgent 21/07/2005 10:16:24 15400675 C:\WINDOWS\VPTNFILE.741

Checking %System% folder...
PTech 12/07/2005 18:04:22 520456 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
PEC2 14/01/2002 01:16:30 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
UPX! 09/07/2005 10:03:06 433152 C:\WINDOWS\SYSTEM32\aswBoot.exe
winsync 14/01/2002 01:17:54 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
PEC2 27/02/2004 4280320 C:\WINDOWS\SYSTEM32\MFC42D.PDB
PEC2 27/02/2004 2379776 C:\WINDOWS\SYSTEM32\MFCD42D.PDB
PEC2 27/02/2004 1781760 C:\WINDOWS\SYSTEM32\MFCN42D.PDB
PEC2 27/02/2004 4722688 C:\WINDOWS\SYSTEM32\MFCO42D.PDB
PEC2 27/02/2004 8392704 C:\WINDOWS\SYSTEM32\MFC42.PDB
Umonitor 29/08/2002 03:41:10 631808 C:\WINDOWS\SYSTEM32\rasdlg.dll

Checking %System%\Drivers folder and sub-folders...

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
05/03/2006 21:22:26 S 2048 C:\WINDOWS\bootstat.dat
05/03/2006 19:48:10 H 35866 C:\WINDOWS\system32\vsconfig.xml
05/03/2006 21:20:54 H 860160 C:\WINDOWS\system32\config\system.LOG
05/03/2006 21:20:54 H 102400 C:\WINDOWS\system32\config\software.LOG
05/03/2006 21:20:54 H 8192 C:\WINDOWS\system32\config\default.LOG
05/03/2006 21:23:10 H 1024 C:\WINDOWS\system32\config\SAM.LOG
05/03/2006 21:22:26 H 16384 C:\WINDOWS\system32\config\SECURITY.LOG
13/02/2006 01:44:28 HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
01/02/2007 23:41:14 HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\ad916a55-8d22-41ba-bb5c-d5ff5da5365d
13/02/2006 01:44:28 HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\4ab239c2-efc1-4981-8692-5ded1ba01bf3
09/02/2006 16:16:52 H 10820 C:\WINDOWS\Help\update.GID
05/03/2006 21:20:34 H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 29/08/2002 03:41:28 129024 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 29/08/2002 03:41:28 121856 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 14/01/2002 01:16:52 150016 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 29/08/2002 03:41:28 65536 C:\WINDOWS\SYSTEM32\joy.cpl
Microsoft Corporation 14/01/2002 01:17:02 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 14/01/2002 01:17:08 559616 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 14/01/2002 01:17:18 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 14/01/2002 01:17:24 256000 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 14/01/2002 01:17:26 36864 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 14/01/2002 01:17:26 36864 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 14/01/2002 01:17:32 109056 C:\WINDOWS\SYSTEM32\powercfg.cpl
Microsoft Corporation 29/08/2002 03:41:28 578560 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 29/08/2002 03:41:28 268288 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 14/01/2002 01:17:46 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 14/01/2002 01:17:48 90112 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 14/01/2002 01:16:16 66048 C:\WINDOWS\SYSTEM32\access.cpl
Sun Microsystems, Inc. 06/12/2004 21:31:48 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 26/05/2005 04:16:30 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 14/01/2002 01:16:56 294912 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 14/01/2002 01:17:26 36864 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 14/01/2002 01:16:56 294912 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 14/01/2002 01:17:26 36864 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 14/01/2002 01:16:16 66048 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 14/01/2002 01:16:52 150016 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 14/01/2002 01:17:02 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 14/01/2002 01:17:08 559616 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 14/01/2002 01:17:18 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 14/01/2002 01:17:24 256000 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 14/01/2002 01:17:32 109056 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 14/01/2002 01:17:46 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 14/01/2002 01:17:48 90112 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
27/11/2004 22:06:06 HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
14/11/2005 17:40:54 1629 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
27/11/2004 21:37:04 HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
27/11/2004 22:06:06 HS 84 C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
27/11/2004 21:37:04 HS 62 C:\Documents and Settings\Administrator\Application Data\desktop.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido {57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Lin\Tool\ewido\ewido anti-malware\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Kaspersky Anti-Virus {dd230880-495a-11d1-b064-008048ec2fc5} = C:\Lin\Tool\Kaspersky\shellex.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files {750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With {09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu {A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu {5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} =
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8} Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Kaspersky Anti-Virus {dd230880-495a-11d1-b064-008048ec2fc5} = C:\Lin\Tool\Kaspersky\shellex.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu {5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} =
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu {A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido {57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Lin\Tool\ewido\ewido anti-malware\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files {750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE} = %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} AcroIEHlprObj Class = C:\Lin\Tool\PDF\Reader\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F} = C:\Lin\Tool\SpybotSD14\SDHelper.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376} &Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683} ButtonText = Messenger : C:\Program Files\Messenger\MSMSGS.EXE

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478} Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1} File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Zone Labs Client C:\Lin\Tool\ZoneAlarm\zlclient.exe
KAVPersonal50 "C:\Lin\Tool\Kaspersky\kav.exe" /minimize
Symantec NetDriver Monitor C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
SSC_UserPrompt C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
PHIME2002ASync C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
PHIME2002A C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
NeroFilterCheck C:\WINDOWS\system32\NeroCheck.exe
MSPY2002 C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
IMJPMIG8.1 "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
IMEKRMIG6.1 C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
ccRegVfy "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
Babylon Client C:\Lin\Tool\Babylon\Babylon.exe -AutoStart

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\avast!
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ashDisp
hkey HKLM
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ashDisp
hkey HKLM
inimapping 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\PSGuard spyware remover
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item PSGuard
hkey HKLM
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item PSGuard
hkey HKLM
inimapping 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer
NoActiveDesktopChanges 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1
DisableTaskMgr 0

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
NoChangingWallPaper 0
NoAddingComponents 0
NoComponents 0
NoDeletingComponents 0
NoEditingComponents 0
NoCloseDragDropBands 0
NoMovingBands 0
NoHTMLWallPaper 1
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145
NoActiveDesktop 0
NoSaveSettings 0
ClassicShell 0
NoThemesTab 0
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
DisableTaskMgr 0
NoColorChoice 0
NoSizeChoice 0
NoDispScrSavPage 0
NoDispCPL 0
NoVisualStyleChoice 0
NoDispSettingsPage 0
NoDispAppearancePage 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\SYSTEM32\Userinit.exe,
Shell = explorer.exe
System = csbtv.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain = crypt32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet = cryptnet.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll = cscdll.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp = wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule = wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy = sclgntfy.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn = WlNotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv = wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon = wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 05/03/2006 21:38:13
Dragon Posted March 6, 2006

Well, you have a hidden email worm working here, which we will get taken care of. However, I am seeing no signs of CoolWebSearch.

Please reboot into safe mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu). Be sure you're able to view hidden files, and remove the following files in bold (if found):

C:\WINDOWS\SYSTEM32\aswBoot.exe

Next we need to remove the Registry Entry.
Important: It is strongly recommended that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.

1. Click Start > Run.
2. Type regedit, then click OK.
3. Navigate to the key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet Services
4. In the left pane, delete the subkey: "Xuy v palto"
5. Exit the Registry Editor.

Then reboot the machine, going back into Safe mode, and get a new WinPFind log and post that in this thread.
differ Posted March 6, 2006 (Author)

Hi,
In safe mode, I found C:\WINDOWS\SYSTEM32\aswBoot.exe and the Description of the file is "avast! start-up scanner". I deleted it into the Recycle Bin.
In the Registry, I found HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services (instead of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet Services) but there is no "Xuy v palto"!!
Dragon Posted March 6, 2006

If it had been the legit aswboot, it should have been located here:
C:\programfiles\alwils~1\avast4\aswboot.exe
To test that they didn't change locations: when you rebooted your computer, did you get any error messages about Avast not starting properly?
differ Posted March 6, 2006 (Author)

Hi,
I am confused: I deleted aswBoot.exe in C:\WINDOWS\SYSTEM32\, not in C:\Program Files\Alwil Software\Avast4, and I remember I removed Avast a long time ago.
When I rebooted my PC I didn't get any error message about Avast not starting properly.
differ Posted March 6, 2006 (Author, edited)

Until now, my questions are not being solved; they are too difficult:
1. ewido found CoolWebSearch but cannot remove it, and I cannot get the report because ewido closed automatically.
2. Cannot find the CoolWebSearch by other ways.

Edited March 6, 2006 by differ
Dragon Posted March 6, 2006

I am leaning towards a false positive on Ewido's part. If CWShredder didn't find anything, then it seems there is nothing to be worried about. Have you tried Spybot: Search And Destroy? It also will detect CoolWebSearch if you have it on your machine. Never rely on only one program. Try Spybot, if you haven't already, and let me know if it detects it.

> I am confused: I deleted aswBoot.exe in C:\WINDOWS\SYSTEM32\, not in C:\Program Files\Alwil Software\Avast4, and I remember I removed Avast a long time ago.

If you don't have Avast on your machine anymore, then aswboot.exe would not have been on your computer from that program.
therock247uk Posted April 5, 2006

Inactive topic...
If you still need help on this problem, contact me or one of the Moderators to re-open this up.
Topic closed.