1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Cws.hiddendll

Discussion in 'Virus & Other Malware Removal' started by espressoguy, Jan 11, 2006.

Thread Status:
Not open for further replies.
Advertisement
  1. espressoguy

    espressoguy Thread Starter

    Joined:
    Jul 29, 2003
    Messages:
    1,119
    Every time I run CWShredder, it finds this object. After the program runs and I tell it to remove the file. do a reboot, it shows up again? Is this a false reading or am I doing something wrong. I run the following programs each time:

    NOD32 antivirus
    Spysweeper
    Microsoft Antispyware
    spyblaster
    spyguard
    adaware
    SB S&D
    and I run Wintasks Pro in the background to monitor activity.


    Logfile of HijackThis v1.99.1
    Scan saved at 5:06:32 PM, on 1/11/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    D:\programfiles\security suite\ewidoctrl.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\System32\nvsvc32.exe
    D:\programfiles\Spy Sweeper\Spy Sweeper\WRSSSDK.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    D:\programfiles\Spy Sweeper\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    D:\programfiles\MicrosoftAntivirus\gcasServ.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    D:\programfiles\MicrosoftAntivirus\gcasDtServ.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    D:\programfiles\Spybot - Search & Destroy\TeaTimer.exe
    D:\programfiles\SpywareGuard\sgmain.exe
    D:\programfiles\SpywareGuard\sgbhp.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\Program Files\Hijack This\HijackThis.exe

    HTML:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.techguy.org
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\acrobatreader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [SpySweeper] "D:\programfiles\Spy Sweeper\Spy Sweeper\SpySweeper.exe" /startintray
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [gcasServ] "D:\programfiles\MicrosoftAntivirus\gcasServ.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
    O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
    O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\programfiles\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Startup: Dragon NaturallySpeaking.lnk = D:\programfiles\scansoft\naturally speaking\Program\natspeak.exe
    O4 - Startup: SpywareGuard.lnk = D:\programfiles\SpywareGuard\sgmain.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\acrobatreader\Reader\reader_sl.exe
    O4 - Global Startup: WinTasks.lnk = D:\Config.Msi\58a6fba.rbf
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O12 - Plugin for .htm: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1124304562906
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: ewido security suite control - ewido networks - D:\programfiles\security suite\ewidoctrl.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - D:\programfiles\Spy Sweeper\Spy Sweeper\WRSSSDK.exe
    
    
     
  2. brendandonhu

    brendandonhu

    Joined:
    Jul 8, 2002
    Messages:
    14,681
    Have you run CWShredderin Safe Mode?
    If that doesn't work, run CWShredder and click Create Report and post the report here.
     
  3. espressoguy

    espressoguy Thread Starter

    Joined:
    Jul 29, 2003
    Messages:
    1,119
    O.K. I ran shredder in safe mode and it came back clean. I then ran shredder in normal mode and it came back with CWS.HIDDENDLL as removed. I ran shredder again andhave the report.
    It is very long and I have attached it.
     

    Attached Files:

  4. brendandonhu

    brendandonhu

    Joined:
    Jul 8, 2002
    Messages:
    14,681
    This might be a false positive in CWShredder. Does it give you any more details on where exactly it finds this CWS.hiddenDLL?
     
  5. espressoguy

    espressoguy Thread Starter

    Joined:
    Jul 29, 2003
    Messages:
    1,119
    Thanks for all the time you're giving me. I ran the hoster progran and told it to unblock, restarted computer, and my microsoft antispyware detected a program trying to change the host file and blocked it. I ran shredder and CWS.HIDDENDLL was there and then removed. Should I be doing something to the MS program, I am wondering if that is the culprit?
     
  6. brendandonhu

    brendandonhu

    Joined:
    Jul 8, 2002
    Messages:
    14,681
    Whoops I edited that out at it seemed that wouldn't be the problem. Does CWShredder give you any more details about where its finding CWS.HiddenDLL? Have you previously had a CWS infection that was removed?
     
  7. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/433310

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice