Ewido Vs CoolWebSearch (HijackThis Added) [INACTIVE]



Hi,

I tried my best to remove CoolWebSearch without success.

When I ran the updated ewido anti-malware, I found CoolWebSearch. I clicked the button to remove it but nothing happened. When scanning finished, the report buttons were grey, so I couldn't get the report. After a second, ewido automatically closed.

I also tried CWShredder but couldn't find anything.

Can you help?

---------------------------------------------------------------------

Logfile of HijackThis v1.99.1

Scan saved at 22:40:54, on 04/03/2006

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2800.1106)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Lin\Tool\ewido\ewido anti-malware\ewidoctrl.exe

C:\Lin\Tool\ewido\ewido anti-malware\ewidoguard.exe

C:\WINDOWS\System32\inetsrv\inetinfo.exe

C:\WINDOWS\system32\ZONELABS\vsmon.exe

C:\WINDOWS\Explorer.EXE

C:\Lin\Tool\ZoneAlarm\zlclient.exe

C:\PROGRA~1\MICROS~3\Office\OUTLOOK.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\System32\mdm.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Lin\Tool\hijackthis_199\HijackThis.exe

F2 - REG:system.ini: UserInit=userinit.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Lin\Tool\PDF\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Lin\Tool\SpybotSD14\SDHelper.dll

O4 - HKLM\..\Run: [Zone Labs Client] C:\Lin\Tool\ZoneAlarm\zlclient.exe

O4 - HKLM\..\Run: [KAVPersonal50] "C:\Lin\Tool\Kaspersky\kav.exe" /minimize

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37240.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...509/mcfscan.cab

O23 - Service: ewido security suite control - ewido networks - C:\Lin\Tool\ewido\ewido anti-malware\ewidoctrl.exe

O23 - Service: ewido security suite guard - ewido networks - C:\Lin\Tool\ewido\ewido anti-malware\ewidoguard.exe

O23 - Service: kavsvc - Kaspersky Lab - C:\Lin\Tool\Kaspersky\kavsvc.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe


It appears that you ran this log in safe mode or you disabled items using msconfig. Could you please post a fresh HijackThis log, making sure that everything in msconfig is set to normal startup.

To do this, click on Start > Run.

In the box that pops up, type msconfig and choose the button that says normal bootup.

Reboot your computer, then scan and post the HijackThis log.


OK, this is the fresh HijackThis log after setting "Normal Startup" in msconfig. It looks longer?

Logfile of HijackThis v1.99.1

Scan saved at 17:30:12, on 05/03/2006

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2800.1106)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Lin\Tool\ewido\ewido anti-malware\ewidoctrl.exe

C:\Lin\Tool\ewido\ewido anti-malware\ewidoguard.exe

C:\WINDOWS\System32\inetsrv\inetinfo.exe

C:\WINDOWS\system32\ZONELABS\vsmon.exe

C:\WINDOWS\System32\wuauclt.exe

C:\WINDOWS\Explorer.EXE

C:\Lin\Tool\ZoneAlarm\zlclient.exe

C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Lin\Tool\hijackthis_199\HijackThis.exe

F2 - REG:system.ini: UserInit=userinit.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Lin\Tool\PDF\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Lin\Tool\SpybotSD14\SDHelper.dll

O4 - HKLM\..\Run: [Zone Labs Client] C:\Lin\Tool\ZoneAlarm\zlclient.exe

O4 - HKLM\..\Run: [KAVPersonal50] "C:\Lin\Tool\Kaspersky\kav.exe" /minimize

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe

O4 - HKLM\..\Run: [sSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [iMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [babylon Client] C:\Lin\Tool\Babylon\Babylon.exe -AutoStart

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37240.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...509/mcfscan.cab

O23 - Service: ewido security suite control - ewido networks - C:\Lin\Tool\ewido\ewido anti-malware\ewidoctrl.exe

O23 - Service: ewido security suite guard - ewido networks - C:\Lin\Tool\ewido\ewido anti-malware\ewidoguard.exe

O23 - Service: kavsvc - Kaspersky Lab - C:\Lin\Tool\Kaspersky\kavsvc.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe


OK, that looks a lot better.

I only see one problem file, off the top of my head. I have a question though: do you use this computer to debug a winserver?

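The helper's judgement above rests on comparing the first log with the fresh one (the second is longer because msconfig was back to normal startup). Added here as an example, not code from the thread or from HijackThis itself: a small Python triage script that parses the coded entries of a HijackThis log, diffs two logs, and lists the executables named by O4 autostart and O23 service entries that fall outside a trusted-directory allowlist. The sample logs are a constructed subset of the two logs posted above; the allowlist `TRUSTED` is an assumption.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    """One coded HijackThis line: section code (F2, O2, O4, O16, O23, ...) plus the rest."""
    code: str
    body: str


# Coded lines look like "O4 - HKLM\..\Run: [Name] C:\path\prog.exe"; header lines
# ("Logfile of ...", "Platform: ...") and the bare process list do not match.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")


def parse_hijackthis(log: str) -> list[Entry]:
    """Return the coded entries of a HijackThis log in the order they appear."""
    entries = []
    for raw in log.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(m["code"], m["body"]))
    return entries


def diff_logs(old: str, new: str) -> tuple[list[Entry], list[Entry]]:
    """(added, removed): entries only in `new`, and entries only in `old`."""
    old_entries, new_entries = parse_hijackthis(old), parse_hijackthis(new)
    old_set, new_set = set(old_entries), set(new_entries)
    added = [e for e in new_entries if e not in old_set]
    removed = [e for e in old_entries if e not in new_set]
    return added, removed


def _image_from_o4(body: str) -> str:
    """Executable path from an O4 body: quoted or unquoted (spaces allowed),
    with trailing arguments, or the 'Global Startup: x.lnk = target' form."""
    if "] " in body:                      # HKLM\..\Run: [Name] command
        cmd = body.split("] ", 1)[1]
    elif " = " in body:                   # Global Startup: foo.lnk = target
        cmd = body.split(" = ", 1)[1]
    else:
        cmd = body
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    idx = cmd.lower().find(".exe")
    return cmd[: idx + 4] if idx >= 0 else cmd.strip()


def autostart_images(entries: list[Entry]) -> list[str]:
    """Executable paths named by autostart (O4) and service (O23) entries."""
    images = []
    for e in entries:
        if e.code == "O4":
            images.append(_image_from_o4(e.body))
        elif e.code == "O23":             # Service: name - vendor - path
            images.append(e.body.rsplit(" - ", 1)[1].strip())
    return images


def images_outside(images: list[str], trusted_prefixes: list[str]) -> list[str]:
    """Images not under any trusted directory (case-insensitive prefix match).
    On the machine in this thread the security tools live under C:\\Lin\\Tool,
    so a generic allowlist flags them: the allowlist must be tuned per machine."""
    lowered = [p.lower() for p in trusted_prefixes]
    return [i for i in images if not any(i.lower().startswith(p) for p in lowered)]


# Constructed sample: a subset of the two logs posted in the thread.
OLD_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 22:40:54, on 04/03/2006
Running processes:
C:\WINDOWS\System32\smss.exe
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Lin\Tool\SpybotSD14\SDHelper.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\Lin\Tool\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Lin\Tool\Kaspersky\kav.exe" /minimize
O23 - Service: kavsvc - Kaspersky Lab - C:\Lin\Tool\Kaspersky\kavsvc.exe
"""

NEW_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 17:30:12, on 05/03/2006
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Lin\Tool\SpybotSD14\SDHelper.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\Lin\Tool\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Lin\Tool\Kaspersky\kav.exe" /minimize
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O23 - Service: kavsvc - Kaspersky Lab - C:\Lin\Tool\Kaspersky\kavsvc.exe
"""

TRUSTED = ["C:\\WINDOWS\\", "C:\\Program Files\\"]  # assumed allowlist, tune per machine

if __name__ == "__main__":
    added, removed = diff_logs(OLD_LOG, NEW_LOG)
    print(f"{len(added)} entries added, {len(removed)} removed since the first log")
    for e in added:
        print("  +", e.code, e.body)
    print("Autostart/service images outside trusted directories:")
    for img in images_outside(autostart_images(parse_hijackthis(NEW_LOG)), TRUSTED):
        print("  ", img)
```

The flagged C:\Lin\Tool paths are this user's legitimate tools, which is the point: a diff against a known-clean log tells you more than a fixed allowlist does.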

Thank you for your response.

I don't know what "debug a winserver" means. I used my computer for IIS, Java...


That answered my question.

Please go offline, close all browsers and any open windows, making sure that only HijackThis is open. Scan and, when it finishes, put an X in the boxes only next to the following items, then click Fix checked.

F2 - REG:system.ini: UserInit=userinit.exe

Reboot your PC.

If you would please, rescan with HijackThis and post a fresh log in this same topic, and let us know how your system's working. :)


Hi,

After doing "fix checked" for the item in HijackThis and rebooting the PC, I ran ewido again to scan my PC, and unfortunately the CWS is still there. This is what ewido said:

Registry: HKLM\SOFTW..\Classes\CLSID\{D2B24D87-699F-16C6-2875-242...

Infection: Adware.CoolWebSearch

Threat: High

I clicked the button in ewido to remove it but, again, nothing happened. Right up to the end of the scan, the list in ewido still read:

Infected objects: 6

Cleaned infections: 0

Ignored infections: 0

(note: only one CWS, the rest are TrackingCookie)

Moreover, when the scan finished, the Save report and View report buttons remained grey, and after a second ewido closed automatically. I just couldn't read any report. Do you think the CWS made ewido not work properly?


OK, let's see if we can find it. Do you have more than one user account on the machine?

Download WinPFind.

Extract WinPFind.zip to your c:\ folder.

Reboot your computer into Safe Mode.

Then open c:\WinPFind and double-click on WinPFind.exe.

When the program is open, click on the Start Scan button to start scanning your computer. Be patient, as this scan may take a while.

When it is done, it will show a log and tell you the scan is completed. Reboot your computer back to normal mode and post the contents of c:\WinPFind\WinPFind.txt as a reply to this topic.


Hi,

Please check the following report from WinPFind; it is quite a big report:

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 2600

Internet Explorer Version: 6.0.2600.0000

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

KavSvc 01/03/2006 19:20:12 1383 C:\WINDOWS\IE4 Error Log.txt

UPX! 03/05/2005 11:44:44 25157 C:\WINDOWS\RMAgentOutput.dll

UPX! 10/01/2005 16:17:24 170053 C:\WINDOWS\tsc.exe

PECompact2 21/07/2005 10:16:24 15400675 C:\WINDOWS\lpt$vpn.741

qoologic 21/07/2005 10:16:24 15400675 C:\WINDOWS\lpt$vpn.741

SAHAgent 21/07/2005 10:16:24 15400675 C:\WINDOWS\lpt$vpn.741

UPX! 18/02/2005 18:40:14 1044560 C:\WINDOWS\vsapi32.dll

aspack 18/02/2005 18:40:14 1044560 C:\WINDOWS\vsapi32.dll

PECompact2 21/07/2005 10:16:24 15400675 C:\WINDOWS\VPTNFILE.741

qoologic 21/07/2005 10:16:24 15400675 C:\WINDOWS\VPTNFILE.741

SAHAgent 21/07/2005 10:16:24 15400675 C:\WINDOWS\VPTNFILE.741

Checking %System% folder...

PTech 12/07/2005 18:04:22 520456 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll

PEC2 14/01/2002 01:16:30 41397 C:\WINDOWS\SYSTEM32\dfrg.msc

UPX! 09/07/2005 10:03:06 433152 C:\WINDOWS\SYSTEM32\aswBoot.exe

winsync 14/01/2002 01:17:54 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

PEC2 27/02/2004 4280320 C:\WINDOWS\SYSTEM32\MFC42D.PDB

PEC2 27/02/2004 2379776 C:\WINDOWS\SYSTEM32\MFCD42D.PDB

PEC2 27/02/2004 1781760 C:\WINDOWS\SYSTEM32\MFCN42D.PDB

PEC2 27/02/2004 4722688 C:\WINDOWS\SYSTEM32\MFCO42D.PDB

PEC2 27/02/2004 8392704 C:\WINDOWS\SYSTEM32\MFC42.PDB

Umonitor 29/08/2002 03:41:10 631808 C:\WINDOWS\SYSTEM32\rasdlg.dll

Checking %System%\Drivers folder and sub-folders...

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...

05/03/2006 21:22:26 S 2048 C:\WINDOWS\bootstat.dat

05/03/2006 19:48:10 H 35866 C:\WINDOWS\system32\vsconfig.xml

05/03/2006 21:20:54 H 860160 C:\WINDOWS\system32\config\system.LOG

05/03/2006 21:20:54 H 102400 C:\WINDOWS\system32\config\software.LOG

05/03/2006 21:20:54 H 8192 C:\WINDOWS\system32\config\default.LOG

05/03/2006 21:23:10 H 1024 C:\WINDOWS\system32\config\SAM.LOG

05/03/2006 21:22:26 H 16384 C:\WINDOWS\system32\config\SECURITY.LOG

13/02/2006 01:44:28 HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred

01/02/2007 23:41:14 HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\ad916a55-8d22-41ba-bb5c-d5ff5da5365d

13/02/2006 01:44:28 HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\4ab239c2-efc1-4981-8692-5ded1ba01bf3

09/02/2006 16:16:52 H 10820 C:\WINDOWS\Help\update.GID

05/03/2006 21:20:34 H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...

Microsoft Corporation 29/08/2002 03:41:28 129024 C:\WINDOWS\SYSTEM32\desk.cpl

Microsoft Corporation 29/08/2002 03:41:28 121856 C:\WINDOWS\SYSTEM32\intl.cpl

Microsoft Corporation 14/01/2002 01:16:52 150016 C:\WINDOWS\SYSTEM32\hdwwiz.cpl

Microsoft Corporation 29/08/2002 03:41:28 65536 C:\WINDOWS\SYSTEM32\joy.cpl

Microsoft Corporation 14/01/2002 01:17:02 187904 C:\WINDOWS\SYSTEM32\main.cpl

Microsoft Corporation 14/01/2002 01:17:08 559616 C:\WINDOWS\SYSTEM32\mmsys.cpl

Microsoft Corporation 14/01/2002 01:17:18 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl

Microsoft Corporation 14/01/2002 01:17:24 256000 C:\WINDOWS\SYSTEM32\nusrmgr.cpl

Microsoft Corporation 14/01/2002 01:17:26 36864 C:\WINDOWS\SYSTEM32\nwc.cpl

Microsoft Corporation 14/01/2002 01:17:26 36864 C:\WINDOWS\SYSTEM32\odbccp32.cpl

Microsoft Corporation 14/01/2002 01:17:32 109056 C:\WINDOWS\SYSTEM32\powercfg.cpl

Microsoft Corporation 29/08/2002 03:41:28 578560 C:\WINDOWS\SYSTEM32\appwiz.cpl

Microsoft Corporation 29/08/2002 03:41:28 268288 C:\WINDOWS\SYSTEM32\sysdm.cpl

Microsoft Corporation 14/01/2002 01:17:46 28160 C:\WINDOWS\SYSTEM32\telephon.cpl

Microsoft Corporation 14/01/2002 01:17:48 90112 C:\WINDOWS\SYSTEM32\timedate.cpl

Microsoft Corporation 14/01/2002 01:16:16 66048 C:\WINDOWS\SYSTEM32\access.cpl

Sun Microsystems, Inc. 06/12/2004 21:31:48 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl

Microsoft Corporation 26/05/2005 04:16:30 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl

Microsoft Corporation 14/01/2002 01:16:56 294912 C:\WINDOWS\SYSTEM32\inetcpl.cpl

Microsoft Corporation 14/01/2002 01:17:26 36864 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl

Microsoft Corporation 14/01/2002 01:16:56 294912 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl

Microsoft Corporation 14/01/2002 01:17:26 36864 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl

Microsoft Corporation 14/01/2002 01:16:16 66048 C:\WINDOWS\SYSTEM32\dllcache\access.cpl

Microsoft Corporation 14/01/2002 01:16:52 150016 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl

Microsoft Corporation 14/01/2002 01:17:02 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl

Microsoft Corporation 14/01/2002 01:17:08 559616 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl

Microsoft Corporation 14/01/2002 01:17:18 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl

Microsoft Corporation 14/01/2002 01:17:24 256000 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl

Microsoft Corporation 14/01/2002 01:17:32 109056 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl

Microsoft Corporation 14/01/2002 01:17:46 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl

Microsoft Corporation 14/01/2002 01:17:48 90112 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...

27/11/2004 22:06:06 HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini

14/11/2005 17:40:54 1629 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...

27/11/2004 21:37:04 HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...

27/11/2004 22:06:06 HS 84 C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...

27/11/2004 21:37:04 HS 62 C:\Documents and Settings\Administrator\Application Data\desktop.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido

{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Lin\Tool\ewido\ewido anti-malware\context.dll

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Kaspersky Anti-Virus

{dd230880-495a-11d1-b064-008048ec2fc5} = C:\Lin\Tool\Kaspersky\shellex.dll

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files

{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With

{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu

{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu

{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} =

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR

{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}

Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Kaspersky Anti-Virus

{dd230880-495a-11d1-b064-008048ec2fc5} = C:\Lin\Tool\Kaspersky\shellex.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu

{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} =

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR

{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu

{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido

{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Lin\Tool\ewido\ewido anti-malware\context.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files

{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing

{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR

{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}

= %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}

= %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}

= %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}

= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

AcroIEHlprObj Class = C:\Lin\Tool\PDF\Reader\ActiveX\AcroIEHelper.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}

= C:\Lin\Tool\SpybotSD14\SDHelper.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}

&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}

ButtonText = Messenger : C:\Program Files\Messenger\MSMSGS.EXE

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}

Media Band = %SystemRoot%\System32\browseui.dll

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}

File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser

{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser

{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll

{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

Zone Labs Client C:\Lin\Tool\ZoneAlarm\zlclient.exe

KAVPersonal50 "C:\Lin\Tool\Kaspersky\kav.exe" /minimize

Symantec NetDriver Monitor C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe

SSC_UserPrompt C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

PHIME2002ASync C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC

PHIME2002A C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName

NeroFilterCheck C:\WINDOWS\system32\NeroCheck.exe

MSPY2002 C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC

IMJPMIG8.1 "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

IMEKRMIG6.1 C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE

ccRegVfy "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

Babylon Client C:\Lin\Tool\Babylon\Babylon.exe -AutoStart

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

IMAIL Installed = 1

MAPI Installed = 1

MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\avast!

key SOFTWARE\Microsoft\Windows\CurrentVersion\Run

item ashDisp

hkey HKLM

inimapping 0

key SOFTWARE\Microsoft\Windows\CurrentVersion\Run

item ashDisp

hkey HKLM

inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\PSGuard spyware remover

key SOFTWARE\Microsoft\Windows\CurrentVersion\Run

item PSGuard

hkey HKLM

inimapping 0

key SOFTWARE\Microsoft\Windows\CurrentVersion\Run

item PSGuard

hkey HKLM

inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state

system.ini 0

win.ini 0

bootini 0

services 0

startup 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer

NoActiveDesktopChanges 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum

{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL

{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =

{0DF44EAA-FF21-4412-828E-260A8728E7F1} =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system

dontdisplaylastusername 0

legalnoticecaption

legalnoticetext

shutdownwithoutlogon 1

undockwithoutlogon 1

DisableTaskMgr 0

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop

NoChangingWallPaper 0

NoAddingComponents 0

NoComponents 0

NoDeletingComponents 0

NoEditingComponents 0

NoCloseDragDropBands 0

NoMovingBands 0

NoHTMLWallPaper 1

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

NoDriveTypeAutoRun 145

NoActiveDesktop 0

NoSaveSettings 0

ClassicShell 0

NoThemesTab 0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System

DisableTaskMgr 0

NoColorChoice 0

NoSizeChoice 0

NoDispScrSavPage 0

NoDispCPL 0

NoVisualStyleChoice 0

NoDispSettingsPage 0

NoDispAppearancePage 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll

CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll

SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

UserInit = C:\WINDOWS\SYSTEM32\Userinit.exe,

Shell = explorer.exe

System = csbtv.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain

= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet

= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll

= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp

= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule

= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy

= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn

= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv

= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon

= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path

Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

AppInit_DLLs

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.

Scan completed on 05/03/2006 21:38:13


Well, you have a hidden email worm working here, which we will get taken care of. However, I am seeing no signs of CoolWebSearch.

Please reboot into safe mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu).

Be sure you're able to view hidden files, and remove the following files in bold (if found):

C:\WINDOWS\SYSTEM32\aswBoot.exe

Next we need to remove the Registry Entry.

Important: It is strongly recommended that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.

1. Click Start > Run.
2. Type regedit, then click OK.
3. Navigate to the key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet Services
4. In the left pane, delete the subkey: "Xuy v palto"
5. Exit the Registry Editor.

Then reboot the machine, going back into Safe Mode, and get a new WinPFind log and post that in this thread.


Hi,

In safe mode, I found C:\WINDOWS\SYSTEM32\aswBoot.exe and the Description of the file is "avast! start-up scanner". I deleted it into the Recycle Bin.

In the Registry, I found HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services (instead of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet Services) but there is no "Xuy v palto"!!


If it had been the legit aswboot, it should have been located here:

C:\programfiles\alwils~1\avast4\aswboot.exe

To test that they didn't change locations, when you rebooted your computer did you get any error messages about Avast not starting properly?


Hi,

I am confused: I deleted aswBoot.exe in C:\WINDOWS\SYSTEM32\, not in C:\Program Files\Alwil Software\Avast4, and I remember I removed Avast a long time ago.

When I rebooted my PC, I didn't get any error message about Avast not starting properly.


Until now, my questions have not been solved; they are too difficult :(

1. ewido found CoolWebSearch but cannot remove it, and I cannot get the report because ewido closed automatically.

2. Cannot find CoolWebSearch by other means.


I am leaning towards a false positive on Ewido's part. If CWShredder didn't find anything, then it seems there is nothing to be worried about. Have you tried Spybot: Search And Destroy? It also will detect CoolWebSearch if you have it on your machine. Never rely on only one program. Try Spybot, if you haven't already, and let me know if it detects it.

I am confused: I deleted aswBoot.exe in C:\WINDOWS\SYSTEM32\, not in C:\Program Files\Alwil Software\Avast4, and I remember I removed Avast a long time ago.

If you don't have Avast on your machine anymore, then aswboot.exe would not have been on your computer from that program.
