10 replies to this topic

[delited2b]

I had noticed that my google search box was missing from my browser. I tried activating it but never would come up. I downloaded spyware doctor and it found infections. The others were deleted, the only one that was quarantined was CWS.Home Search Assistant. Ive ran CWS shredder and I've done scans in Ad Aware, Spybot Search and Destroy, A squared, Ewido, and Ive conducted online scans at Bit defender, panda, and trend micro. Im not able to remove it. The operating sysytem im running is Windows XP service pack 2. Any help would be greatly appreciated.

[little eagle]

Click here for Instructions on how to Scan with Spybot S&D and Ad-Aware



Please click here for instructions on how to set up a HijackThis folder.

There is a newer of HijackThis Download it here
Please scan with this version.


When the program launches, hit the "Scan and save log" button
Press that, and save the log anywhere you like.

Now if you doubleclick the log file.Go to Edit > Select all, then to Edit > copy.
Now you've copied the entire text to the Windows Clipboard

Next, go back to this forum thread, and click "Add Reply".
In an empty area click your RIGHT mouse button, and choose 'Paste' from the context menu.
There's your Hijack This log.

Edited by little eagle, 28 November 2005 - 06:11 PM.

[delited2b]

Logfile of HijackThis v1.99.1
Scan saved at 8:09:07 PM, on 11/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\iolo\System Mechanic 6\IoloSGCtrl.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~3\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.pcpitstop...an/pestscan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1128317655608
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1128317382905
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Charter High-Speed Security Suite (BackWeb Plug-in - 3528733) - Unknown owner - (no file)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - C:\Program Files\iolo\System Mechanic 6\IoloSGCtrl.exe

[little eagle]

I'm not seeing anything in your log try removing google tool bar and reinstalling it.

[delited2b]

I been uninstalled the google toolbar. CWS Home Search Assistant only comes up when doing a scan with Spyware Doctor. Im not able to remove it. Im only able to quarantine it. Whenever I quarantine it, my antivirus software disappears and my internet explorer goes haywire. So I take it out of quarantine and all is back to semi normal.

[little eagle]

Spyware Doctor may be picking up the file in your AV quarantine. Does spyware Doctor give you a path? I don't use it but it should make a log which will have a path to the file

[delited2b]

I ran a scan of the Spyware Doctor to try and see if a path is noted. There is no path of where the infection is. Also, there is nothing in quarantine with my antivirus software. The antivirus software that i'm using is Avast 4 free edition.

[little eagle]

One of the best features of Windows XP is the System Restore option, however if a virus infects a computer with this operating system the virus can be backed up in the System Restore folder. Therefore, clearing the restore points is necessary after a virus removal. To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account. 1. Turn off System Restore. On the Desktop, right-click My Computer. Click Properties. Click the System Restore tab. Check Turn off System Restore. Click Apply, and then click OK. 2. Reboot. 3. Turn ON System Restore. On the Desktop, right-click My Computer. Click Properties. Click the System Restore tab. UN-Check *Turn off System Restore*. Click Apply, and then click OK. Then after a reboot then scan with Spyware Doctor

[delited2b]

Im sorry to reply so late. I have been under the weather. I have done all that you have stated for me to complete. I ran the scan it still comes up. It does not give the option to delete, only to quarantine. When I put this into quarantine, my antivirus software disappears from the active icons tray. I have no protection whatsoever.

[little eagle]

Download, unzip and run 'RootkitRevealer' from Sysinternals:
http://www.sysintern...itRevealer.html
Once the program has started, press Scan and let it run.
When the scan is done, use 'File > Save' to place the logfile in a convenient location (such as the desktop). The default filename will be 'RootkitReveal.txt'.

Copy/Paste the contecnts of that logfile into your next reply

Click start > control panel > user accounts > change the way users log on or off > uncheck fast user switching > restart you computor.
To prevent as many False Positives 's from happening, and therefore causing lots of head scratching etc, it's wise to do the following -
Physically unplug the cable from the PC to the internet connection, and then you can move on to the next stage Safely.
Close down All Scheduling/Updating + Running Background tasks etc.
Launch + run RR and then do NOT touch the PC at ALL for Whatever reason/s until it has 100% completed its scan, or attempted scan in case of some error etc !
Save your Log File, and then Enable those things you closed down, or Reboot, and ONLY then Reconnect to the Internet.
That way you should have a much simpler and clearer log file in which to peruse and evaluate.

[little eagle]

Glad we could be of assistance. This topic is now closed. If you wish it reopened, please send us an email (Click for address) with a link to your thread.

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Make sure you use proper prevention to keep from having problems occur to your computer in the future.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php