General discussion

Locked

HijackThis Output Review needed

By jerman00 ·
I've been having problems with various CWS variants on my hard drive. I have the HijackThis output but it had more than 2000 characters and I was unable to post it to this site. I've already run CWShredder and Spybot which cleans but something remains deep in the registry which comes back on bootup.

Any ideas how to handle?

This conversation is currently closed to new comments.

12 total posts (Page 1 of 2)   01 | 02   Next
| Thread display: Collapse - | Expand +

All Comments

Collapse -

by Joseph Moore In reply to HijackThis Output Review ...

Post the HijackThis log in pieces, and let's see.
There is a new version of CWShredder; it was released on June 7th. So, make sure you have this latest version. Maybe the CWS variant you are infected with needs the new CWShredder to remove it.

Collapse -

by Joseph Moore In reply to

Ok, here's what I see that is potentially bad:

C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\spool\drivers\w32 x86\3\hpztsb04.exe
C:\Program Files\CasinoOnline\CsRemnd.exe
O2 - BHO: ie - {2FF5573C-0EB5-43db-A1B2-C4326813468E} - c:\windows\iehr.dll

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Remndr] "C:\Program Files\CasinoOnline\CsRemnd.exe"


I would remove these items with HijackThis.
Now, there might be more, but this should be a start. Good luck.

Collapse -

by jerman00 In reply to

Thanks Joseph. Between your help and actually deleting all references to About:Blank from my registry, the problem appears solved as I have been trouble-free for 18 hours.

Collapse -

by jerman00 In reply to HijackThis Output Review ...

PAGE 1 of Logfile of HijackThis v1.97.7
Scan saved at 6:11:24 PM, on 6/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Mixer.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\CasinoOnline\CsRemnd.exe
C:\WINDOWS\System32\RUNDLL32.EXE
\Turbotax\Content Watch\ContentWatch\Updater\cwupdate.exe
C:\Program Files\eFax Messenger Plus\HotTray.exe
C:\Program Files\eFax Messenger Plus\Dllcmd32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\QUICKENW\QWDLLS.EXE
C:\Documents and Settings\Jerry\Desktop\HijackThis.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ie - {2FF5573C-0EB5-43db-A1B2-C4326813468E} - c:\windows\iehr.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

Collapse -

by jerman00 In reply to HijackThis Output Review ...

PAGE 2 of Logfile of HijackThis v1.97.7
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Remndr] "C:\Program Files\CasinoOnline\CsRemnd.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
O4 - Global Startup: eFax Tray Menu.lnk = C:\Program Files\eFax Messenger Plus\HotTray.exe
O4 - Global Startup: Live Menu.lnk = C:\Program Files\eFax Messenger Plus\Dllcmd32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Collapse -

by jerman00 In reply to HijackThis Output Review ...

PAGE 3 of Logfile of HijackThis v1.97.7
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O10 - Unknown file in Winsock LSP: c:\windows\system32\cwhook.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cwhook.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cwhook.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

Collapse -

by jerman00 In reply to HijackThis Output Review ...

PAGE 4 of Logfile of HijackThis v1.97.7
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37883.1620486111
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Collapse -

by jun1cez1 In reply to HijackThis Output Review ...

Your answer is in this web page.

http://pestpatrol.com/pestinfo/c/cws.asp

However, as a tech myself, it took my nearly the whole day troubleshooting this. Unless you wanted to but the Pest patrol program that they said they detect and remove this spyware which was considered to be one of the severest of all, go ahead and good luck.

Best solution i can offer you is boot the PC without any network connection and connect a CD burner, copy all of the files (if any) to a burner and reformat the hdd and then reinstall everything. This process will actually takes less hours of aggravation than troubleshooting the CWS.

Good Luck

Collapse -

by jerman00 In reply to

I bought the PestPatrol product for $40 and it failed as well. Like I mentioned in my posting, I was looking for someone to review the HijackThis output to clean the registry.

Collapse -

by gralfus In reply to HijackThis Output Review ...

The best palce to upload your HijackThis logs are to the official support forum: http://forums.spywareinfo.com/ (under Malware Removal)

You will typically get a more informed and speedy answer from those who deal with these logs on a continuous basis.

Back to Desktop Forum
12 total posts (Page 1 of 2)   01 | 02   Next

Related Discussions

Related Forums