
Csw About: Blank Hijack!

Discussion in 'Virus & Other Malware Removal' started by inbigtrouble, Apr 9, 2004.

Thread Status:
Not open for further replies.
  1. inbigtrouble

    inbigtrouble Thread Starter

    Joined:
    Apr 9, 2004
    Messages:
    42
    :mad:

    hello, I have been hijacked by CWS about:blank for about 3-4 days now. I installed cwshredder and although it says it fixed it, it keeps coming back. I installed hjt and removed all line entries referring to cws (please see attached) and still it comes back. I used pest control and deleted all reg entries; it keeps coming back. Every time it changes the dll name and pops back up changing my BHOs, and with the help of the BHO monitor I can see the dll and delete it, but I need to get to the source file that keeps creating these random dlls. Any help will be much appreciated. Thank you very much.

    Logfile of HijackThis v1.97.7
    Scan saved at 10:09:52, on 09.04.2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\gearsec.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Toshiba\Toshiba Applet\tpwrsave.exe
    C:\Program Files\Toshiba\Toshiba Applet\TMEPROP.exe
    C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\Program Files\The Cleaner\tca.exe
    C:\Program Files\The Cleaner\tcm.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
    C:\Program Files\[email protected]\[email protected]
    C:\Program Files\Sony Handheld\HOTSYNC.EXE
    C:\Program Files\3M\PSNLite\PsnLite.exe
    C:\Program Files\GetRight\getright.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\PROGRA~1\3M\PSNLite\PSNGive.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Microsoft Office\Office\WINWORD.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\BAHAR\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [TPWRSAVE] C:\Program Files\Toshiba\Toshiba Applet\tpwrsave.exe -S
    O4 - HKLM\..\Run: [TMEPROP] C:\Program Files\Toshiba\Toshiba Applet\TMEPROP.exe -S
    O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [DpUtil] C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
    O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
    O4 - HKCU\..\Run: [Gadwin PrintScreen 2.6] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
    O4 - HKCU\..\Run: [seticlient] C:\Program Files\[email protected]\[email protected] -min
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Startup: Multi Reminders.lnk = C:\Program Files\Multi Reminders\reminder.exe
    O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
    O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
    O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
    O9 - Extra button: ICQ Pro (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38016.298599537
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{CF84AA48-8F1B-4711-A434-B4AD556534D8}: NameServer = 212.156.4.1,212.156.4.20
     
  2. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    That's a clean log..........If you have anything disabled with MSConfig, then you should enable everything and re-post your logfile.
    ;)
     
  3. inbigtrouble

    inbigtrouble Thread Starter

    Joined:
    Apr 9, 2004
    Messages:
    42
    Hello Steve

    I know it is clean as well, but I also know in a few hours' time the about:blank cws trojan will spring back to life with a renamed dll, which I will see from the BHO monitor and delete. But so far I am unable to find the source file that seeds these dll files. That is my problem. Cleaning the effects of the recently named dll from the registry does nothing to remedy the problem. It just springs back in a few hours. How can I find the source? I need to find an .exe and blast it.

    all services in msconfig services section are enabled.
     
  4. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    Ok............as long as nothing is halted then we can work to find the problem.

    Do this......open H/T and hit the "Config" tab....then "Misc Tools". You will see a "Generate Startuplist" button......post the Startuplist in your next post. If it's around it will show in there.
    ;)
     
  5. inbigtrouble

    inbigtrouble Thread Starter

    Joined:
    Apr 9, 2004
    Messages:
    42
    Here you go. Thanks.

    StartupList report, 09.04.2004, 11:49:29
    StartupList version: 1.52
    Started from : C:\Documents and Settings\BAHAR\Desktop\HijackThis.EXE
    Detected: Windows XP SP1 (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\gearsec.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Toshiba\Toshiba Applet\tpwrsave.exe
    C:\Program Files\Toshiba\Toshiba Applet\TMEPROP.exe
    C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\Program Files\The Cleaner\tca.exe
    C:\Program Files\The Cleaner\tcm.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
    C:\Program Files\[email protected]\[email protected]
    C:\Program Files\Sony Handheld\HOTSYNC.EXE
    C:\Program Files\3M\PSNLite\PsnLite.exe
    C:\Program Files\GetRight\getright.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\PROGRA~1\3M\PSNLite\PSNGive.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Microsoft Office\Office\WINWORD.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\BAHAR\Desktop\HijackThis.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\Documents and Settings\BAHAR\Start Menu\Programs\Startup]
    SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    Multi Reminders.lnk = C:\Program Files\Multi Reminders\reminder.exe

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
    Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
    GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    TPWRSAVE = C:\Program Files\Toshiba\Toshiba Applet\tpwrsave.exe -S
    TMEPROP = C:\Program Files\Toshiba\Toshiba Applet\TMEPROP.exe -S
    THotkey = C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
    QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
    DpUtil = C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe
    ccRegVfy = "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    ATIPTA = C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    ATIModeChange = Ati2mdxx.exe
    Apoint = C:\Program Files\Apoint2K\Apoint.exe
    ezShieldProtector for Px = C:\WINDOWS\System32\ezSP_Px.exe
    tcactive = C:\Program Files\The Cleaner\tca.exe
    tcmonitor = C:\Program Files\The Cleaner\tcm.exe
    MSConfig = C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    Gadwin PrintScreen 2.6 = C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
    seticlient = C:\Program Files\[email protected]\[email protected] -min

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=C:\WINDOWS\SETIHOME.SCR
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry key not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    SpywareGuard Download Protection - C:\Program Files\SpywareGuard\dlprotect.dll - {4A368E80-174F-4872-96B5-0B27DDD11DB2}
    NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Symantec NetDetect.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [ppctlcab]
    CODEBASE = http://www.pestscan.com/scanner/ppctlcab.cab
    OSD = C:\WINDOWS\Downloaded Program Files\OSD406.OSD

    [Shockwave ActiveX Control]
    InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

    [PPSDKActiveXScanner.MainScreen]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\PPSDKActiveXScanner.ocx
    CODEBASE = http://www.pestscan.com/scanner/axscanner.cab

    [Cult3D ActiveX Player]
    InProcServer32 = C:\WINDOWS\System32\Cult3D\IECult.dll
    CODEBASE = http://www.cult3d.com/download/cult.cab

    [Update Class]
    InProcServer32 = C:\WINDOWS\System32\iuctl.dll
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38016.298599537

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
    CDBurn: C:\WINDOWS\system32\SHELL32.dll
    WebCheck: C:\WINDOWS\System32\webcheck.dll
    SysTray: C:\WINDOWS\System32\stobject.dll

    --------------------------------------------------
    End of report, 7.252 bytes
    Report generated in 0,161 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     
  6. inbigtrouble

    inbigtrouble Thread Starter

    Joined:
    Apr 9, 2004
    Messages:
    42
    As I predicted, it became active again just now. This time the file name is kicpn.dll; you can see it now in the HijackThis log below. I have been doing the same thing for the last 4 days now. Cleaning up this log and the dll itself does not clean up the trojan itself.

    Logfile of HijackThis v1.97.7
    Scan saved at 12:03:14, on 09.04.2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\gearsec.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Toshiba\Toshiba Applet\tpwrsave.exe
    C:\Program Files\Toshiba\Toshiba Applet\TMEPROP.exe
    C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\Program Files\The Cleaner\tca.exe
    C:\Program Files\The Cleaner\tcm.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
    C:\Program Files\[email protected]\[email protected]
    C:\Program Files\Sony Handheld\HOTSYNC.EXE
    C:\Program Files\3M\PSNLite\PsnLite.exe
    C:\Program Files\GetRight\getright.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\PROGRA~1\3M\PSNLite\PSNGive.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Microsoft Office\Office\WINWORD.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\BAHAR\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\kicpn.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\kicpn.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\kicpn.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\kicpn.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\kicpn.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\kicpn.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {456D87F0-3838-4C10-8664-C46C7E6A4883} - C:\WINDOWS\System32\kicpn.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [TPWRSAVE] C:\Program Files\Toshiba\Toshiba Applet\tpwrsave.exe -S
    O4 - HKLM\..\Run: [TMEPROP] C:\Program Files\Toshiba\Toshiba Applet\TMEPROP.exe -S
    O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [DpUtil] C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
    O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [Gadwin PrintScreen 2.6] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
    O4 - HKCU\..\Run: [seticlient] C:\Program Files\[email protected]\[email protected] -min
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Startup: Multi Reminders.lnk = C:\Program Files\Multi Reminders\reminder.exe
    O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
    O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
    O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
    O9 - Extra button: ICQ Pro (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38016.298599537
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{CF84AA48-8F1B-4711-A434-B4AD556534D8}: NameServer = 212.156.4.1,212.156.4.20
     
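One way to triage a log like the one above automatically: an added Python example (not code from the thread, nor part of HijackThis) that flags R0/R1 search settings served from a `res://` URL inside a DLL and cross-references them with the O2 BHO list, so the DLL that both hijacks the search pages and reloads itself into every IE process stands out. The sample log is constructed from a few lines of the post above.

```python
import re

# Constructed sample modelled on the HijackThis log posted above: two legitimate
# BHOs (Acrobat, NAV), a normal start page, and the hijacker's entries.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\kicpn.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\kicpn.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {456D87F0-3838-4C10-8664-C46C7E6A4883} - C:\WINDOWS\System32\kicpn.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
"""

# "R1 - <hive\key>,<value name> = <value>"  (the key itself contains spaces)
R_ENTRY = re.compile(r"^(R[01]) - (.+?),(.+?) = (.*)$")
# "O2 - BHO: <display name> - {CLSID} - <path>"
O2_ENTRY = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.+)$")
# IE's res: protocol loads an HTML resource embedded in a binary; a search
# page living inside a DLL rather than at an http URL is the hijack signature.
RES_DLL = re.compile(r"^res://(.+?\.dll)/", re.IGNORECASE)


def find_suspect_dlls(log_text):
    """Map each suspect DLL path (lower-cased) to the log facts implicating it."""
    res_hits = []  # (section, registry key, value name, dll path)
    bhos = []      # (display name, CLSID, dll path)
    for raw in log_text.splitlines():
        line = raw.strip()
        m = R_ENTRY.match(line)
        if m:
            section, key, name, value = m.groups()
            d = RES_DLL.match(value)
            if d:
                res_hits.append((section, key, name, d.group(1)))
            continue
        m = O2_ENTRY.match(line)
        if m:
            bhos.append(m.groups())

    suspects = {}
    for section, key, name, dll in res_hits:
        suspects.setdefault(dll.lower(), []).append(
            f"{section} {key},{name} points at a page stored inside the DLL")
    for display, clsid, path in bhos:
        p = path.lower()
        if p in suspects:
            # Same file is both the search page source and a BHO: it reloads
            # into every IE window and can re-write the R0/R1 keys.
            suspects[p].append(f"O2 BHO {clsid} loads the same DLL into IE")
        elif display == "(no name)" and "\\system32\\" in p and p.endswith(".dll"):
            # Weaker signal on its own: an unnamed BHO dropped into System32.
            suspects.setdefault(p, []).append(
                f"O2 BHO {clsid} is unnamed and lives in System32")
    return suspects


if __name__ == "__main__":
    for dll, reasons in find_suspect_dlls(SAMPLE_LOG).items():
        print(dll)
        for r in reasons:
            print("   -", r)
```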
  7. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    hmmm!.........nothing. Can you post a HijackThis log when this happens?
    ;)
     
  8. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    Forget that last post..let me check your log
     
  9. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    Ok....don't do or delete anything...I'm going to check back on your 1st log as well..may take me a few minutes ok but I'm not going anywhere.
    ;)
     
  10. inbigtrouble

    inbigtrouble Thread Starter

    Joined:
    Apr 9, 2004
    Messages:
    42
    Thanks Steve. I am right here as well.
     
  11. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    This has worked in several cases, while cwshredder is being updated to deal with it

    Start in Safe mode
    run HJT and look at the R1 & R0 entries

    and the O2 bho entries

    fix all the entries with the random-name dll, and then, still in safe mode, look in the windows\system32 folder for the dll name and look for all other random dlls or any .exe that were created/modified at exactly the same time, and move them all to a new folder, preferably not in system32

    then reboot and in 9 out of 10 cases it has cured the problem

    it's difficult and messy and time consuming and if you are not sure then don't try it as deleting the wrong file can be very dangerous for the computer.

    Experts are working on it and hopefully within a couple of days there should be a proper fix

    once you have all the entries in a separate folder, copy the folder and send it to me, preferably zipped, to the email address listed in the spykiller site in my signature.

    once we have a lot more copies of all the files we stand a better chance of finding a cure
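The "created/modified at exactly the same time" check Derek describes can be done programmatically rather than by eyeballing Explorer's Modified column. This is an added Python example, not code from the thread: given one known-bad file as a reference, it lists the other .dll/.exe files in the same folder whose modification time falls within a small tolerance of the reference. The demo runs on a constructed scratch directory standing in for system32, with file names and timestamps that are made up for the example.

```python
import os
import tempfile
import time


def files_created_with(reference, directory, tolerance=2.0, suffixes=(".dll", ".exe")):
    """Return paths in `directory` (excluding `reference`) with a modification
    time within `tolerance` seconds of the reference file's, limited to the
    given suffixes. A dropper writing several files in one go leaves them
    clustered on the same second; long-standing OS files do not match."""
    ref_mtime = os.stat(reference).st_mtime
    hits = []
    for entry in os.scandir(directory):
        if not entry.is_file():
            continue
        if not entry.name.lower().endswith(suffixes):
            continue
        if os.path.samefile(entry.path, reference):
            continue
        # st_mtime is the last-write time on every platform; on Windows
        # st_ctime is the creation time and could be compared the same way.
        if abs(entry.stat().st_mtime - ref_mtime) <= tolerance:
            hits.append(entry.path)
    return sorted(hits)


def build_demo_dir():
    """Construct a throwaway folder: one 'random' dll as the reference, two
    files written in the same burst, one OS file a day older, and a text file
    that shares the timestamp but is outside the suffix filter."""
    d = tempfile.mkdtemp(prefix="sys32demo_")
    t0 = int(time.time()) - 3600
    plan = {
        "kicpn.dll": 0,        # reference (name taken from the log above)
        "abcde.dll": 0,        # constructed: same second as the reference
        "zzzzz.exe": 1,        # constructed: one second later
        "shell32.dll": -86400, # constructed: written a day earlier
        "notes.txt": 0,        # constructed: same second, wrong suffix
    }
    for name, offset in plan.items():
        path = os.path.join(d, name)
        with open(path, "wb") as f:
            f.write(b"x")
        os.utime(path, (t0 + offset, t0 + offset))
    return d, os.path.join(d, "kicpn.dll")


def demo(tolerance=2.0):
    """Run the check on the constructed folder; return matching base names."""
    d, ref = build_demo_dir()
    return [os.path.basename(p) for p in files_created_with(ref, d, tolerance)]


if __name__ == "__main__":
    print("files written alongside the reference:", demo())
```

Run against a real folder the reference would be the dll HijackThis reported (e.g. C:\WINDOWS\System32\kicpn.dll) and the directory C:\WINDOWS\System32; the output is a candidate list to move aside, not a verdict, so each hit still needs a look before it is quarantined.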
     
  12. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    ok...when you tried to get rid of it before.............did you just use H/T to do it?
    Did you try to find the actual .dll in safe mode and nuke it from there?
    You just "fixed" its HijackThis entry yes?
     
  13. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    Hi Derek;)
    Just trying to establish what had been done previously......by all means feel free though to add(y)
     
  14. inbigtrouble

    inbigtrouble Thread Starter

    Joined:
    Apr 9, 2004
    Messages:
    42
    I cleaned them from hijack this and deleted the actual dll files as well.
     
  15. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    Ok....try Derek's advice above...........it is more or less my next step anyway.
    One of us is usually around here.
    ;)
     
Short URL to this thread: https://techguy.org/218642