CWS.H.omeSearch Infestation!

**pataz** · 26-05-2005

I have a PC with CWS.homesearch on it. I've ran quite a few different spyware removal tools and they all say they removed it but like most post I've read it still comes back after rebooting. I'll cut right to the chase here and post my Hijackthis log:

**pataz** · 26-05-2005

Tried to attach the log file but for some reason it didn't, sorry, so here it is...

Logfile of HijackThis v1.99.1
Scan saved at 8:27:00 AM, on 5/26/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\addxr.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\PDesk.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
C:\WINNT\system32\mfcmn.exe
C:\program files\captureeze pro\czepro.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\msconfig.exe
C:\Documents and Settings\Cking\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\zjamo.dll/sp.html#12047
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\zjamo.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\zjamo.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\zjamo.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\zjamo.dll/sp.html#12047
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\zjamo.dll/sp.html#12047
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\system32\
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\system32
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {D2880D6B-BFB0-CB82-310B-B1E9130ED515} - C:\WINNT\appio32.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINNT\system32\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [Acronis*True*Image Monitor] "C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [sunasDtServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
O4 - HKLM\..\Run: [mfcmn.exe] C:\WINNT\system32\mfcmn.exe
O4 - HKCU\..\Run: [CaptureEze Pro] c:\program files\captureeze pro\czepro.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://wilshire.webex.com/client/v_...ex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F271FBF4-8351-4AE9-8AB6-52026301DB89}: Domain = dsaco.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{F271FBF4-8351-4AE9-8AB6-52026301DB89}: NameServer = 4.2.2.1,4.2.2.3,4.2.2.3
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\system32\addxr.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: K9 Time Synchronization (K9) - H.C. Mingham-Smith Ltd. - C:\WINNT\system32\k9nt.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

**HJThis** · 26-05-2005

Hello,pataz & Welcome

First do this for me

Please change the location of HijackThis.exe.
Create a new folder in your C: Drive
Name it C:\HJT or HijackThis and move the HijackThis.exe file in it.
It's best for this tool NOT TO be located in your Desktop or in a TEMP folder.
This way you can undo any changes if something goes wrong

& now

First make sure you can view all hidden files and folders, use this link for help.
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Copy all my instructions into wordpad and save to your desktop. You can't have any open browser windows.

Go to Start->Run and type in services.msc and hit OK. Then look for Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) and double click on it. Click on the Stop button and under Startup type, choose Disabled.

Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it):

C:\WINNT\system32\addxr.exe
C:\WINNT\system32\mfcmn.exe
C:\WINNT\appio32.dll

CAUTION: There is also a service named Remote Procedure Call (RPC) Locator and one called Remote Procedure Call (RPC) . These are the legitimate services. Do not stop those two.

Now Download the following Cleanup! About:Buster, CWshredder,Ad-aware, & Spy-bot

* Updating Ad-aware:
Double-Click the Desktop Icon > Click 'Check For Updates Now' > Click 'Connect'
* Updating Spybot:
Double-Click the Desktop Icon > Click Update > Drop-Down Box UniDo(Europe) > Select Pure-Elite(USA) or EON (AU) > Click 'Search for Updates' > Click 'Download Updates'

Please Copy ALL My Notes Below Into Notepad and Save the File to Your Desktop. You Need to be Offline and In Safe Mode to Remove Everything in your Log

Now rebooot into safe mode (press f8 during reboot, select safe mode) and DON'T reconnect to the net. You MUST be in safe mode to remove the About:Blank Bug on your system.

Run Hijackthis and place a check next to the following

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\zjamo.dll/sp.html#12047
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\zjamo.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\zjamo.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\zjamo.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\zjamo.dll/sp.html#12047
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\zjamo.dll/sp.html#12047
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\system32\
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\system32

R3 - Default URLSearchHook is missing

O2 - BHO: Class - {D2880D6B-BFB0-CB82-310B-B1E9130ED515} - C:\WINNT\appio32.dll

O4 - HKLM\..\Run: [mfcmn.exe] C:\WINNT\system32\mfcmn.exe

This item here if not put inplace by you or Admins of the PC fix it
NOTE some software like Spybot has this option so make sure
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://wilshire.webex.com/client/v...bex/ieatgpc.cab

O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\system32\addxr.exe

and click fix.

Remain in safe mode for the next part of the removal.

- First Run the Cleanit! Program

- Next, Unzip the About:Buster Program to your desktop > Double-Click the Folder > Double-Click About:Buster > Click 'OK' > Click 'Start' >

now the program will start to run, it will take a few minutes, once the program is complete go ahead and run the program again.

- Double-Click CWShredder and click 'Fix'

* Close CWShredder, open Ad-aware and make the following changes to the settings in Ad-aware.
o Under Ad-aware 6 > Settings (Gear at the top) > Tweak > Scanning Engine:
check: "Unload recognized processes during scanning."
o Under Ad-aware 6 > Settings (Gear at the top) > Tweak > Cleaning Engine:
Check: "Let Windows remove files in use at next reboot."

Press 'Proceed'

Press 'Start'

* Select option 'Use Custom scanning options'
* Click 'Activate in-depth scan'
* Press 'Select drives\folders to scan' Select the active partition which is usually C:

Click 'Customize'

* Make sure the following are all are Checked:
o 'Scan Within Archives'
o 'Scan Active Processes'
o 'Scan Registry'
o 'Deep Scan Registry'
o 'Scan My IE Favorites For Banned URL'S
o 'Scan My Hosts File'

Click 'Proceed'

* Now press "Next" to let Ad-aware scan your drives.
* Once Ad-aware has completed its scan click 'Next' > Now Click 'Scan Summary' > Click All the Boxes with a Green Check Mark
* Now Click 'Next' and Finally Click 'OK'

Close Out Ad-aware

Open Spybot.

* Click 'Search & Destroy'
* Click 'Check for problems' (the program will now search your HDD)
* Make sure all finding are checked and click 'Fix Selected Problems'

Close SpyBot!

Now Delete the following Files.

Files:
C:\WINNT\appio32.dll<---This file
C:\WINNT\system32\mfcmn.exe<---This file
C:\WINNT\system32\addxr.exe<---This file

Reboot back into normal mode
Download the Hoster from here: http://www.funkytoad.com/download/hoster.zip
Press 'Restore Original Hosts' and press 'OK'
Exit Program.

Once complete post a fresh Hijackthis log in your thread.

HGD

**pataz** · 27-05-2005

Thanks getting back to me so quickly HGD.

I did everything you said but ran into a few snags...

I was not able to delete addxr.exe from C:\winnt\system32
it said the file was in use by windows.
I moved on.

Not sure what you meant by this:
"This item here if not put inplace by you or Admins of the PC fix it
NOTE some software like Spybot has this option so make sure
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present"
Plus it wasn't listed anyway.
I moved on.

I ran Cleanit!
It deleted around 2500 items
It then asked me to reboot
I did reboot.
Hope that did screw things up. If so let me know and I'll run through the process again.
After the reboot I went back into safemode right away.
I moved on.

I configured AdAware as you requested but couldn't find "Active in-depth scan"
I moved on.

I couldn't delete appio32.dll- file in use by windows.
mfcmn.exe deleted
addxr.exe not present

Rebooted back into normal mode, plugged the network cable back in while it was coming back up.

Opened IE to got get Hoster and got the about.blank web page
Finished following your directions and a new HJT log follows.

Logfile of HijackThis v1.99.1
Scan saved at 4:25:30 PM, on 5/26/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\PDesk.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
C:\WINNT\mfcbt.exe
C:\WINNT\system32\iedl32.exe
C:\WINNT\explorer.exe
C:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\wtovh.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\wtovh.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\wtovh.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\wtovh.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\wtovh.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\wtovh.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {E7AA0E14-6AA3-079F-8230-B3512F8D010A} - C:\WINNT\system32\cryp.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINNT\system32\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [Acronis*True*Image Monitor] "C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [sunasDtServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
O4 - HKLM\..\Run: [iedl32.exe] C:\WINNT\system32\iedl32.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
O17 - HKLM\System\CCS\Services\Tcpip\..\{F271FBF4-8351-4AE9-8AB6-52026301DB89}: Domain = dsaco.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{F271FBF4-8351-4AE9-8AB6-52026301DB89}: NameServer = 4.2.2.1,4.2.2.3,4.2.2.3
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\mfcbt.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: K9 Time Synchronization (K9) - H.C. Mingham-Smith Ltd. - C:\WINNT\system32\k9nt.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

Thanks again for your help HDG

Patrick

Originally Posted by HJThis

Hello,pataz & Welcome

First do this for me

Please change the location of HijackThis.exe.
Create a new folder in your C: Drive
Name it C:\HJT or HijackThis and move the HijackThis.exe file in it.
It's best for this tool NOT TO be located in your Desktop or in a TEMP folder.
This way you can undo any changes if something goes wrong

& now

First make sure you can view all hidden files and folders, use this link for help.
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Copy all my instructions into wordpad and save to your desktop. You can't have any open browser windows.

Go to Start->Run and type in services.msc and hit OK. Then look for Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) and double click on it. Click on the Stop button and under Startup type, choose Disabled.

Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it):

C:\WINNT\system32\addxr.exe
C:\WINNT\system32\mfcmn.exe
C:\WINNT\appio32.dll

CAUTION: There is also a service named Remote Procedure Call (RPC) Locator and one called Remote Procedure Call (RPC) . These are the legitimate services. Do not stop those two.

Now Download the following Cleanup! About:Buster, CWshredder,Ad-aware, & Spy-bot

* Updating Ad-aware:
Double-Click the Desktop Icon > Click 'Check For Updates Now' > Click 'Connect'
* Updating Spybot:
Double-Click the Desktop Icon > Click Update > Drop-Down Box UniDo(Europe) > Select Pure-Elite(USA) or EON (AU) > Click 'Search for Updates' > Click 'Download Updates'

Please Copy ALL My Notes Below Into Notepad and Save the File to Your Desktop. You Need to be Offline and In Safe Mode to Remove Everything in your Log

Now rebooot into safe mode (press f8 during reboot, select safe mode) and DON'T reconnect to the net. You MUST be in safe mode to remove the About:Blank Bug on your system.

Run Hijackthis and place a check next to the following

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\zjamo.dll/sp.html#12047
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\zjamo.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\zjamo.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\zjamo.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\zjamo.dll/sp.html#12047
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\zjamo.dll/sp.html#12047
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\system32\
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\system32

R3 - Default URLSearchHook is missing

O2 - BHO: Class - {D2880D6B-BFB0-CB82-310B-B1E9130ED515} - C:\WINNT\appio32.dll

O4 - HKLM\..\Run: [mfcmn.exe] C:\WINNT\system32\mfcmn.exe

This item here if not put inplace by you or Admins of the PC fix it
NOTE some software like Spybot has this option so make sure
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://wilshire.webex.com/client/v...bex/ieatgpc.cab

O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\system32\addxr.exe

and click fix.

Remain in safe mode for the next part of the removal.

- First Run the Cleanit! Program

- Next, Unzip the About:Buster Program to your desktop > Double-Click the Folder > Double-Click About:Buster > Click 'OK' > Click 'Start' >

now the program will start to run, it will take a few minutes, once the program is complete go ahead and run the program again.

- Double-Click CWShredder and click 'Fix'

* Close CWShredder, open Ad-aware and make the following changes to the settings in Ad-aware.
o Under Ad-aware 6 > Settings (Gear at the top) > Tweak > Scanning Engine:
check: "Unload recognized processes during scanning."
o Under Ad-aware 6 > Settings (Gear at the top) > Tweak > Cleaning Engine:
Check: "Let Windows remove files in use at next reboot."

Press 'Proceed'

Press 'Start'

* Select option 'Use Custom scanning options'
* Click 'Activate in-depth scan'
* Press 'Select drives\folders to scan' Select the active partition which is usually C:

Click 'Customize'

* Make sure the following are all are Checked:
o 'Scan Within Archives'
o 'Scan Active Processes'
o 'Scan Registry'
o 'Deep Scan Registry'
o 'Scan My IE Favorites For Banned URL'S
o 'Scan My Hosts File'

Click 'Proceed'

* Now press "Next" to let Ad-aware scan your drives.
* Once Ad-aware has completed its scan click 'Next' > Now Click 'Scan Summary' > Click All the Boxes with a Green Check Mark
* Now Click 'Next' and Finally Click 'OK'

Close Out Ad-aware

Open Spybot.

* Click 'Search & Destroy'
* Click 'Check for problems' (the program will now search your HDD)
* Make sure all finding are checked and click 'Fix Selected Problems'

Close SpyBot!

Now Delete the following Files.

Files:
C:\WINNT\appio32.dll<---This file
C:\WINNT\system32\mfcmn.exe<---This file
C:\WINNT\system32\addxr.exe<---This file

Reboot back into normal mode
Download the Hoster from here: http://www.funkytoad.com/download/hoster.zip
Press 'Restore Original Hosts' and press 'OK'
Exit Program.

Once complete post a fresh Hijackthis log in your thread.

HGD

**HJThis** · 27-05-2005

Hi,pataz

Hmmm looks like this thing is playing with me try this here

You may want to print out these instructions or save them to your desktop as a text file with Notepad because we will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet.

1. Prepare CWShredder for use:
* Download CWShredder.
* Save CWShredder.exe to a convenient location.
* Please do not do anything with it yet.

2. Prepare AboutBuster for use:
* Download AboutBuster.
* Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
* Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
* Click "OK" at the prompt with instructions.
* Click "Update" and then "Check For Update" to begin the update process.
* If any updates exist please download them by clicking "Download Update".
* You should not run the program yet so click "Exit".

3. Prepare cwsserviceremove.reg for use:
* Download cwsserviceremove.zip.
* Unzip the contents of cwsserviceremove.zip (cwsserviceremove.reg) to your desktop.
* Please do not do anything with it yet.

Reconfigure Windows 2000 to show hidden files:

1. Close all programs so that you are at your desktop.
2. Double-click on the My Computer icon.
3. Select the Tools menu and click Folder Options.
4. After the new window appears select the View tab.
5. Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
6. Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
7. Remove the checkmark from the checkbox labeled Hide protected operating system files.
8. Press the Apply button and then the OK button and shutdown My Computer.
9. Now your computer is configured to show all hidden files.

Boot into Safe Mode:
Restart your computer and immediately begin tapping the F8 key on your keyboard.
If done right a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.
To return to normal mode just restart your computer as you normally would.[list=1][*]Run CWShredder:

* Double-click on CWShredder.exe.
* Click "Fix ->" and click "OK" at the prompt.
* CWShredder will scan and clean your system of CWS files.
* Click "Next->" and then "Exit".
[*]Remove the offending service:

* Double-click on cwsserviceremove.reg you downloaded earlier.
* When it asks you to merge the information to the registry click "Yes".

Run AboutBuster

* Browse to where you saved AboutBuster and run AboutBuster.exe.
* Click OK at the directions prompt.
* Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
* Click Yes to allow it to shutdown explorer.exe.
* It will begin to your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
[*]Clean out temporary files:

* Start | Run | type cleanmgr | OK
* Let it scan your system for files to remove.
* Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
* Click "OK" to remove them.
* Click "Yes" to confirm the deletion.
[*]Restart your computer normally to return to normal mode.

Please download ewido security suite it is a trial version of the program.

* Install ewido security suite
* Launch ewido, there should be an icon on your desktop double-click it.
* The program will prompt you to update click the OK button
* The program will now go to the main screen

You will need to update ewido to the latest definition files.

* On the left hand side of the main screen click update
* Click on Start

The update will start and a progress bar will show the updates being installed.
Once the updates are installed do the following:

* Click on scanner
* Make sure the following boxes are checked before scanning:
o Binder
o Crypter
o Archives
* Click on Start Scan
* Let the program scan the machine

While the scan is in progress you will be prompted to clean files, click OK
Once the scan has completed, there will be a button located on the bottom of the screen named Save report

* Click Save report
* Save the report to your desktop

Reply here with a fresh HJT log, and a copy of your Ewido log!

HGD

**pataz** · 27-05-2005

Hey HDG, thanks again for your help. I followed all your directions with one notable bump in the road:

When I ran CWShreeder in Safemode it crashed the system, the screen went blank and became unresponsive, had to hard boot back into safemode. I ran a scan only and it it was Not Present all down the list. I didn't scan/fix again.

Everything else seemed to go as directed, but it looks like it's still present from the HJT log. Here it is and the Ewido log follows that:

Logfile of HijackThis v1.99.1
Scan saved at 11:10:31 AM, on 5/27/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\PDesk.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\jdtwz.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\jdtwz.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\jdtwz.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\jdtwz.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\jdtwz.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\jdtwz.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {B61D0404-F516-7087-1955-3932F9A674ED} - C:\WINNT\system32\appqk.dll
O2 - BHO: Class - {E7AA0E14-6AA3-079F-8230-B3512F8D010A} - C:\WINNT\system32\cryp.dll (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINNT\system32\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [Acronis*True*Image Monitor] "C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [sunasDtServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
O17 - HKLM\System\CCS\Services\Tcpip\..\{F271FBF4-8351-4AE9-8AB6-52026301DB89}: Domain = dsaco.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{F271FBF4-8351-4AE9-8AB6-52026301DB89}: NameServer = 4.2.2.1,4.2.2.3,4.2.2.3
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\system32\apivu.exe (file missing)
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: K9 Time Synchronization (K9) - H.C. Mingham-Smith Ltd. - C:\WINNT\system32\k9nt.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

Here's the Ewido Log:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:09:57 AM, 5/27/2005
+ Report-Checksum: A084E8AD

+ Date of database: 5/27/2005
+ Version of scan engine: v3.0

+ Duration: 17 min
+ Scanned Files: 68489
+ Speed: 66.68 Files/Second
+ Infected files: 62
+ Removed files: 62
+ Files put in quarantine: 62
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
D:\

+ Scan result:
C:\!Submit\appio32.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\!Submit\jecyl.dll -> Spyware.SearchPage -> Cleaned with backup
C:\Documents and Settings\Administrator\Desktop\backups\backup-20050525-155752-723.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\Documents and Settings\Administrator\Desktop\backups\backup-20050525-160203-873.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\Documents and Settings\Cking\Cookies\cking@32940089[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Cking\Cookies\cking@advertising[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Cking\Cookies\cking@atdmt[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Cking\Cookies\cking@bfast[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Cking\Cookies\cking@cgi-bin[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Cking\Cookies\cking@data.coremetrics[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Cking\Cookies\cking@doubleclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Cking\Cookies\cking@ehg-golfsmith.hitbox[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Cking\Cookies\cking@hitbox[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Cking\Cookies\cking@mediaplex[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Cking\Cookies\cking@phg.hitbox[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Cking\Cookies\cking@servedby.advertising[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Cking\Cookies\cking@server.iad.liveperson[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Cking\Cookies\cking@stat.onestat[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Cking\Cookies\cking@xiti[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Hijackthis\backups\backup-20050526-153023-493.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\Hijackthis\backups\backup-20050526-153023-984.dll -> Spyware.WebEx -> Cleaned with backup
C:\WINNT\addhc32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINNT\appdi32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINNT\atlpr.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINNT\bad.bad -> TrojanDownloader.Agent.bq -> Cleaned with backup
C:\WINNT\d3da.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINNT\iexd32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINNT\mfcbt.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINNT\mfcgy.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINNT\mfcgy.exe -> TrojanDownloader.Agent.bq -> Cleaned with backup
C:\WINNT\mscg32.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINNT\mscg32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINNT\msdh.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINNT\msrl.exe -> TrojanDownloader.Agent.bq -> Cleaned with backup
C:\WINNT\mswn32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINNT\ntcb.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINNT\n_hgqlqd.txt -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINNT\oyakv.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINNT\sdkye.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINNT\system32\addej32.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINNT\system32\addoj32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINNT\system32\apiim.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINNT\system32\apivu.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINNT\system32\atlfs32.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINNT\system32\bycce.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINNT\system32\crnv32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINNT\system32\crut32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINNT\system32\d3li.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINNT\system32\hhnmm.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINNT\system32\iedl32.exe -> TrojanDownloader.Agent.bq -> Cleaned with backup
C:\WINNT\system32\iexw.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINNT\system32\ipkr32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINNT\system32\javafo32.exe -> TrojanDownloader.Agent.bq -> Cleaned with backup
C:\WINNT\system32\jdtwz.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINNT\system32\msam.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINNT\system32\ntlc32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINNT\system32\sdkwv32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINNT\system32\winct32.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINNT\system32\winfn32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINNT\system32\wtovh.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINNT\system32\__delete_on_reboot__cryp.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINNT\syswd32.exe -> Trojan.Agent.bi -> Cleaned with backup

::Report End

Thanks again for all your help.
Patrick

Originally Posted by HJThis

Hi,pataz

Hmmm looks like this thing is playing with me try this here

You may want to print out these instructions or save them to your desktop as a text file with Notepad because we will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet.

1. Prepare CWShredder for use:
* Download CWShredder.
* Save CWShredder.exe to a convenient location.
* Please do not do anything with it yet.

2. Prepare AboutBuster for use:
* Download AboutBuster.
* Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
* Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
* Click "OK" at the prompt with instructions.
* Click "Update" and then "Check For Update" to begin the update process.
* If any updates exist please download them by clicking "Download Update".
* You should not run the program yet so click "Exit".

3. Prepare cwsserviceremove.reg for use:
* Download cwsserviceremove.zip.
* Unzip the contents of cwsserviceremove.zip (cwsserviceremove.reg) to your desktop.
* Please do not do anything with it yet.

Reconfigure Windows 2000 to show hidden files:

1. Close all programs so that you are at your desktop.
2. Double-click on the My Computer icon.
3. Select the Tools menu and click Folder Options.
4. After the new window appears select the View tab.
5. Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
6. Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
7. Remove the checkmark from the checkbox labeled Hide protected operating system files.
8. Press the Apply button and then the OK button and shutdown My Computer.
9. Now your computer is configured to show all hidden files.

Boot into Safe Mode:
Restart your computer and immediately begin tapping the F8 key on your keyboard.
If done right a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.
To return to normal mode just restart your computer as you normally would.[list=1][*]Run CWShredder:

* Double-click on CWShredder.exe.
* Click "Fix ->" and click "OK" at the prompt.
* CWShredder will scan and clean your system of CWS files.
* Click "Next->" and then "Exit".
[*]Remove the offending service:

* Double-click on cwsserviceremove.reg you downloaded earlier.
* When it asks you to merge the information to the registry click "Yes".

Run AboutBuster

* Browse to where you saved AboutBuster and run AboutBuster.exe.
* Click OK at the directions prompt.
* Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
* Click Yes to allow it to shutdown explorer.exe.
* It will begin to your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
[*]Clean out temporary files:

* Start | Run | type cleanmgr | OK
* Let it scan your system for files to remove.
* Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
* Click "OK" to remove them.
* Click "Yes" to confirm the deletion.
[*]Restart your computer normally to return to normal mode.

Please download ewido security suite it is a trial version of the program.

* Install ewido security suite
* Launch ewido, there should be an icon on your desktop double-click it.
* The program will prompt you to update click the OK button
* The program will now go to the main screen

You will need to update ewido to the latest definition files.

* On the left hand side of the main screen click update
* Click on Start

The update will start and a progress bar will show the updates being installed.
Once the updates are installed do the following:

* Click on scanner
* Make sure the following boxes are checked before scanning:
o Binder
o Crypter
o Archives
* Click on Start Scan
* Let the program scan the machine

While the scan is in progress you will be prompted to clean files, click OK
Once the scan has completed, there will be a button located on the bottom of the screen named Save report

* Click Save report
* Save the report to your desktop

Reply here with a fresh HJT log, and a copy of your Ewido log!

HGD

**HJThis** · 27-05-2005

Hi,pataz

Great work it looks like all you have to do is some cleanup
do all of this from Safe Mode.

Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\jdtwz.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\jdtwz.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\jdtwz.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\jdtwz.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\jdtwz.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\jdtwz.dll/sp.html#37049

R3 - Default URLSearchHook is missing

O2 - BHO: Class - {B61D0404-F516-7087-1955-3932F9A674ED} - C:\WINNT\system32\appqk.dll
O2 - BHO: Class - {E7AA0E14-6AA3-079F-8230-B3512F8D010A} - C:\WINNT\system32\cryp.dll (file missing)

O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\system32\apivu.exe (file missing)

Make sure you can view hidden and system files: Instructions here

Then Boot to safe mode: Instructions here

Delete the following files\folders IF still present:
C:\WINNT\system32\appqk.dll<---This file
C:\WINNT\system32\cryp.dll<---This file
C:\WINNT\system32\apivu.exe<---This file

& clean out all temp files

Then do a reboot lit me know show new logfile

As i said do all of this cleanup from Safe Mode

HGD

**pataz** · 27-05-2005

One word... BRILLIANT!

That sure enough did the trick! Though I was going to have to do a rebuild there for a little while. Glad I stuck with it and I learned a lot in the process. Thank you!

Here is hopefully the last HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 1:31:23 PM, on 5/27/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\PDesk.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://206.242.232.11/
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINNT\system32\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [Acronis True Image Monitor] "C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [sunasDtServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
O17 - HKLM\System\CCS\Services\Tcpip\..\{F271FBF4-8351-4AE9-8AB6-52026301DB89}: Domain = dsaco.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{F271FBF4-8351-4AE9-8AB6-52026301DB89}: NameServer = 4.2.2.1,4.2.2.3,4.2.2.3
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\system32\apivu.exe (file missing)
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: K9 Time Synchronization (K9) - H.C. Mingham-Smith Ltd. - C:\WINNT\system32\k9nt.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

Once again, HGD, thank you very much for your knowledgeable help with this. I will pass along the good word for you guys. Keep up the excellent work!

Patrick

**HJThis** · 27-05-2005

Hi,pataz

Now i need you to do this right away or it will be back on us

Please navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows, including the latest version of Internet Explorer. This can patch many of the security holes through which attackers can gain access to your computer.

& do these here

click start->settings->control panel->internet options->programs tab->RESET WEB SETTINGS

That will change everything back to defaults (M$)......

Change your homepage and search engines to whatever you wish and reset your pc.

When it boots back up, open IE and see if the page stays the way that you set it.

Make your Internet Explorer more secure - This can be done by following these simple instructions:

1. From within Internet Explorer click on the Tools menu and then click on Options.
2. Click once on the Security tab
3. Click once on the Internet icon so it becomes highlighted.
4. Click once on the Custom Level button.
1. Change the Download signed ActiveX controls to Prompt
2. Change the Download unsigned ActiveX controls to Disable
3. Change the Initialize and script ActiveX controls not marked as safe to Disable
4. Change the Installation of desktop items to Prompt
5. Change the Launching programs and files in an IFRAME to Prompt
6. Change the Navigate sub-frames across different domains to Prompt
7. When all these settings have been made, click on the OK button.
8. If it prompts you as to whether or not you want to save the settings, press the Yes button.
5. Next press the Apply button and then the OK to exit the Internet Properties page.

& at last the new tools keep all of them updated

SpywareBlaster - Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.
http://www.javacoolsoftware.com/spywareblaster.html

SpywareGuard - An anti-virus program scans files before you open them and prevents execution if a virus is detected - SpywareGuard does the same thing, but for spyware!
http://www.javacoolsoftware.com/spywareguard.html

IE-SPYAD is a Registry file (IE-ADS.REG) that adds a long list of sites and domains associated with known advertisers, marketers, and crapware pushers to the Restricted sites zone of Internet Explorer.
https://netfiles.uiuc.edu/ehowes/www/resource.htm

Blocking Unwanted Parasites with a Hosts File
http://www.mvps.org/winhelp2002/hosts.htm

and this prog here will help keep your PC clean.

popular programs for doing this, is a freeware program Called Crap Cleaner. Crap Cleaner is a single utility that lets you clear your Cookies, Internet Explorer History, Empty the Recycle Bin, Uninstall Programs, Clear Usage Tracks and much more. As well as this, it has an Advanced Registry Scanner. Using a program like this is one of the easiest methods.

You should also think about using Firefox & Mozilla & us IE for updates

Get your Firefox here

Mo who

If you have a problem lit us know

HGD

**pataz** · 31-05-2005

Thanks HJThis, I took care of the updates/config changes you mentioned and we're all set now. Thanks again for all your knowledgeable assistance, it is much appreciated.

pataz

CWS.H.omeSearch Infestation!

CWS.HomeSearch Infestation!

Similar Threads

Cleaning Up After Spyware Infestation...(RESOLVED)

new cws hijack infestation, hijacks internet logfiles