Hijacked by CoolWWWSearch


  • This topic is locked
36 replies to this topic

#1 Kingparrot

Kingparrot

    New Member

  • Authentic Member
  • Pip
  • 18 posts

Posted 23 November 2005 - 06:38 PM

Logfile of HijackThis v1.99.1
Scan saved at 11:00:40, on 24-Nov-05
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINNT\System32\locator.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\NET Traffic Meter\NET Traffic Meter.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINNT\system32\sdkyr32.exe
C:\WINNT\system32\mfcpe.exe
C:\WINNT\explorer.exe
C:\Program Files\Hijack\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\pkqmn.dll/sp.html#17702
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\pkqmn.dll/sp.html#17702
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\pkqmn.dll/sp.html#17702
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\pkqmn.dll/sp.html#17702
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\pkqmn.dll/sp.html#17702
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\pkqmn.dll/sp.html#17702
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\pkqmn.dll/sp.html#17702
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=10.16.7.5:9877
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {DCDF80B6-C388-AE90-E5A2-66EDD4482F41} - C:\WINNT\system32\msco32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [C:\Program Files\NET Traffic Meter\NET Traffic Meter] "C:\Program Files\NET Traffic Meter\NET Traffic Meter.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [winjj32.exe] C:\WINNT\system32\winjj32.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [sysvw.exe] C:\WINNT\system32\sysvw.exe
O4 - HKLM\..\Run: [sdkyr32.exe] C:\WINNT\system32\sdkyr32.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O15 - Trusted Zone: iress.com.au
O15 - Trusted Zone: web.iress.com.au
O15 - Trusted Zone: webdf.iress.com.au
O16 - DPF: webiress - http://web.iress.com...ess-0_8_4_6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{05004CF8-826F-48BC-9836-1CF23548D08A}: NameServer = 61.88.88.88,192.65.91.129
O17 - HKLM\System\CCS\Services\Tcpip\..\{17CE17AC-2BBD-4BD6-A4F1-13899E9BF0F1}: NameServer = 61.88.88.88,192.65.91.129
O17 - HKLM\System\CS1\Services\Tcpip\..\{05004CF8-826F-48BC-9836-1CF23548D08A}: NameServer = 61.88.88.88,192.65.91.129
O17 - HKLM\System\CS2\Services\Tcpip\..\{05004CF8-826F-48BC-9836-1CF23548D08A}: NameServer = 61.88.88.88,192.65.91.129
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·şÄÖ`I) - Unknown owner - C:\WINNT\system32\mfcpe.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZONELABS\vsmon.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

I have been hijacked by CoolWWWSearch, CoolWWWSearch.IElinks, CoolWWWSearch.HomeSearch, CoolWWWSearch.SearchClick and Trek Blue Error Nuker.

I have used Spybot, then removed the offenders in Spybot. Done the same with Ad-Aware SE Personal. However, after each restart the hijackers are back, only the numbers of them change.

Thank you in advance for any assistance


#2 little eagle

little eagle

    spyware hawk

  • Visiting Fellow
  • PipPipPipPipPipPip
  • 8,968 posts
  • Interests:spyware

Posted 23 November 2005 - 07:09 PM

Please download and run CWShredder. Make sure that all browser windows are closed with the exception of Cwshredder and choose FIX.

http://www.majorgeek...7fd6b3ff02edc90

We have found that some of the CWS infections can be removed better from safe mode, rather than normal mode.
To get to safe mode use the F8 key while booting the machine.
Detailed instructions from here http://service1.syma...001052409420406


Then post another log.

#3 Kingparrot

Kingparrot

    New Member

  • Authentic Member
  • Pip
  • 18 posts

Posted 24 November 2005 - 05:46 AM

I did run CWshredder in Safe Mode but after restart the CoolWWWetc are back after restart. However, I noticed that those CoolWWWetc hijackers I detailed in my first post were not listed in the CWshredder "worklisting" when it was running, so presumably it could not remove them. Hoping for more advice, Cheers

#4 little eagle

little eagle

    spyware hawk

  • Visiting Fellow
  • PipPipPipPipPipPip
  • 8,968 posts
  • Interests:spyware

Posted 24 November 2005 - 06:38 AM

Please post another log from hijack this.

#5 Kingparrot

Kingparrot

    New Member

  • Authentic Member
  • Pip
  • 18 posts

Posted 25 November 2005 - 12:05 AM

Before I saw your last post I did the following. The system works now well and is stable, no crashes. Did run Spybot and Ad-aware one after the other, then restart. Did this 5 times in a row. Trek Nuker and one of the CoolWWWSearch varieties still popped up in Spybot. In Ad-aware removed winnt\system32\sdkyr32.exe. Unticked in Spybot\Tools\System Startup sdkyr32.exe, sysvw.exe and winjj32.exe. Deleted in Spybot\Tools\System Internals all (ab 10) entries. Changed in Spybot\Tools\Browser Pages all entries (some looked garbled) to my ISP. Later checked and saw that most were "about blank", one was www.msn.com, rest stayed as my ISP. Can I still send the latest log for your perusal? Something probably is still lurking in the system waiting to pounce. Cheers

#6 little eagle

little eagle

    spyware hawk

  • Visiting Fellow
  • PipPipPipPipPipPip
  • 8,968 posts
  • Interests:spyware

Posted 25 November 2005 - 07:03 AM

Yes, post another log from hijackthis, but I will need you to recheck all the start up in spybot.

#7 Kingparrot

Kingparrot

    New Member

  • Authentic Member
  • Pip
  • 18 posts

Posted 30 November 2005 - 08:45 PM

Logfile of HijackThis v1.99.1
Scan saved at 13:25:45, on 01-Dec-05
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\locator.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\NET Traffic Meter\NET Traffic Meter.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bordernet.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.bordernet.com.au
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.bordernet.com.au
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=10.16.7.5:9877
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {DCDF80B6-C388-AE90-E5A2-66EDD4482F41} - C:\WINNT\system32\msco32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [C:\Program Files\NET Traffic Meter\NET Traffic Meter] "C:\Program Files\NET Traffic Meter\NET Traffic Meter.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [sdkyr32.exe] C:\WINNT\system32\sdkyr32.exe
O4 - HKLM\..\Run: [sysvw.exe] C:\WINNT\system32\sysvw.exe
O4 - HKLM\..\Run: [winjj32.exe] C:\WINNT\system32\winjj32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O15 - Trusted Zone: iress.com.au
O15 - Trusted Zone: web.iress.com.au
O15 - Trusted Zone: webdf.iress.com.au
O16 - DPF: webiress - http://web.iress.com...ess-0_8_4_6.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1132818435921
O17 - HKLM\System\CCS\Services\Tcpip\..\{05004CF8-826F-48BC-9836-1CF23548D08A}: NameServer = 61.88.88.88,192.65.91.129
O17 - HKLM\System\CCS\Services\Tcpip\..\{17CE17AC-2BBD-4BD6-A4F1-13899E9BF0F1}: NameServer = 61.88.88.88,192.65.91.129
O17 - HKLM\System\CS1\Services\Tcpip\..\{05004CF8-826F-48BC-9836-1CF23548D08A}: NameServer = 61.88.88.88,192.65.91.129
O17 - HKLM\System\CS2\Services\Tcpip\..\{05004CF8-826F-48BC-9836-1CF23548D08A}: NameServer = 61.88.88.88,192.65.91.129
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZONELABS\vsmon.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

Hi, it took a while.

All items are checked in Spybot.

I forgot to mention that I also used NoAdware which I wanted to trial. However at "Remove items" it asked for money, and because my credit cards were elsewhere I jotted down the 6 baddies (belnk/Tracking Cookie; dist.belnk/Tracking Cookie; www.burstbeacon/Tracking Cookie; apigj.exe/CoolWebSearch/IEfeats; Install.dat/Trojan,FakeAlert; and ieqn32/AdultLinks,Quabar), removed them manually, and exited NoAdware.

What irks me is that then running Spybot it picked up a red "NoAdware" tracker, which I removed and which has not returned.

Thanks and regards

#8 little eagle

little eagle

    spyware hawk

  • Visiting Fellow
  • PipPipPipPipPipPip
  • 8,968 posts
  • Interests:spyware

Posted 30 November 2005 - 09:24 PM

Read through the instructions before you start (you may want to print this out or copy it into a word program).

Please download and install these programs - don't run them yet!!

Download System Security Suite v1.04 here

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
1. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
2. When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
3. From the main ewido screen, click on update in the left menu, then click the Start update button.
4. After the update finishes (the status bar at the bottom will display "Update successful")
5. Exit Ewido. DO NOT scan yet.

Download and unzip AboutBuster to a folder.
AboutBuster MUST be updated before you use it.
Check the AboutBuster Tutorial for instructions.
Don't run it yet.

Download and unzip HSfix to your desktop.

Download CW-Shredder at the link below
http://www.trendmicr.../cwshredder.exe

Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked.
Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types". Now click "Apply to all folders".
Click "Apply" then "OK"

Reboot into SafeMode.

CLOSE ALL WINDOWS AND BROWSERS Scan with Hijack This and put checks next to all the following, then click "Fix Checked"

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O15 - Trusted Zone: iress.com.au
O15 - Trusted Zone: web.iress.com.au
O15 - Trusted Zone: webdf.iress.com.au
O16 - DPF: webiress - http://web.iress.com...ess-0_8_4_6.cab


Double click on the HSfix and when asked to merge say yes.

Run CW-Shredder - Hit the FIX button - let it run and fix what it finds.

Run AboutBuster . This will scan your computer for the bad files and delete them. It will ask to scan the system again, let it. Save the report (copy and paste into notepad or wordpad and save as a .txt file) and post a copy back here when you are done with all the steps.

Run Ewido Security Suite
Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
If ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if ewido needs to be run again.
When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.

Run 3S. Under "Items to clear", check all but the last one.

Reboot into normal mode and open up Internet Explorer

Download and run this online virus scan if you can:
http://housecall.tre.../start_corp.asp
Make sure you check "AutoClean"

Reboot and post a fresh HJT log back here by using the add reply button below, and let's see how we did.

Edited by little eagle, 30 November 2005 - 09:25 PM.


#9 Kingparrot

Kingparrot

    New Member

  • Authentic Member
  • Pip
  • 18 posts

Posted 11 December 2005 - 07:09 AM

Logfile of HijackThis v1.99.1
Scan saved at 23:59:49, on 11-Dec-05
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\locator.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NET Traffic Meter\NET Traffic Meter.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bordernet.com.au/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.bordernet.com.au
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.bordernet.com.au
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=10.16.7.5:9877
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {DCDF80B6-C388-AE90-E5A2-66EDD4482F41} - C:\WINNT\system32\msco32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [C:\Program Files\NET Traffic Meter\NET Traffic Meter] "C:\Program Files\NET Traffic Meter\NET Traffic Meter.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [sdkyr32.exe] C:\WINNT\system32\sdkyr32.exe
O4 - HKLM\..\Run: [sysvw.exe] C:\WINNT\system32\sysvw.exe
O4 - HKLM\..\Run: [winjj32.exe] C:\WINNT\system32\winjj32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O16 - DPF: webiress -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1132818435921
O17 - HKLM\System\CCS\Services\Tcpip\..\{05004CF8-826F-48BC-9836-1CF23548D08A}: NameServer = 61.88.88.88,192.65.91.129
O17 - HKLM\System\CCS\Services\Tcpip\..\{17CE17AC-2BBD-4BD6-A4F1-13899E9BF0F1}: NameServer = 61.88.88.88,192.65.91.129
O17 - HKLM\System\CS1\Services\Tcpip\..\{05004CF8-826F-48BC-9836-1CF23548D08A}: NameServer = 61.88.88.88,192.65.91.129
O17 - HKLM\System\CS2\Services\Tcpip\..\{05004CF8-826F-48BC-9836-1CF23548D08A}: NameServer = 61.88.88.88,192.65.91.129
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZONELABS\vsmon.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

It took a while, I just wanted to find the time to do it right. I managed to do it all except the Housecall which somewhere in the middle of the cleaning task came up with some Internet data transfer problem. I tried to repeat it but same error popped up repeatedly. In short, Housecall has not been done.

Thanks again and regards.

#10 little eagle

little eagle

    spyware hawk

  • Visiting Fellow
  • PipPipPipPipPipPip
  • 8,968 posts
  • Interests:spyware

Posted 11 December 2005 - 07:39 AM

Download System Security Suite v1.04 here
Tutorial here.

Download Pocket Killbox and unzip it; save it to your Desktop. We may need it later.


Reboot in safe mode. Close all Browser and Program Windows.
Have HijackThis fix the following. Do this by checking the box beside each and then clicking on Fix checked.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: Class - {DCDF80B6-C388-AE90-E5A2-66EDD4482F41} - C:\WINNT\system32\msco32.dll
O4 - HKLM\..\Run: [sdkyr32.exe] C:\WINNT\system32\sdkyr32.exe
O4 - HKLM\..\Run: [sysvw.exe] C:\WINNT\system32\sysvw.exe
O4 - HKLM\..\Run: [winjj32.exe] C:\WINNT\system32\winjj32.exe
O16 - DPF: webiress -



You may need to set your computer to show hidden files. Click here for Instructions.
Then click start>my computer>local disk
(then follow the path) or Using Windows Explorer, locate the following files/folders, and delete them:
Delete the following file(s) listed.
C:\WINNT\system32\msco32.dll
C:\WINNT\system32\sdkyr32.exe
C:\WINNT\system32\sysvw.exe
C:\WINNT\system32\winjj32.exe


Reboot, then run 3S. Under the “Items To Clear” tab, place a checkmark in all of them but the last one on the left.

Download AboutBuster 5 © RubbeRDuckY: http://www.malwareby...AboutBuster.zip
Once downloaded, unzip it, and put the folder on your desktop. Then double-click on the AboutBuster icon to start the program.
Click Update. This will start updating AboutBuster with the latest definition database.
Once it's done updating, you will see that dialog; click Ok.
Next, click Begin Removal.
When the scan is done, click Ok.

Run CWShredder.
Reboot and Rescan with HJT and post a new log here.
Also please describe how your computer behaves now.


#11 Kingparrot

Kingparrot

    New Member

  • Authentic Member
  • Pip
  • 18 posts

Posted 11 December 2005 - 07:14 PM

Logfile of HijackThis v1.99.1
Scan saved at 11:55:04, on 12-Dec-05
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\locator.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NET Traffic Meter\NET Traffic Meter.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINNT\explorer.exe
C:\Program Files\Hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bordernet.com.au/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.bordernet.com.au
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.bordernet.com.au
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=10.16.7.5:9877
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {DCDF80B6-C388-AE90-E5A2-66EDD4482F41} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [C:\Program Files\NET Traffic Meter\NET Traffic Meter] "C:\Program Files\NET Traffic Meter\NET Traffic Meter.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O16 - DPF: webiress -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1132818435921
O17 - HKLM\System\CCS\Services\Tcpip\..\{05004CF8-826F-48BC-9836-1CF23548D08A}: NameServer = 61.88.88.88,192.65.91.129
O17 - HKLM\System\CCS\Services\Tcpip\..\{17CE17AC-2BBD-4BD6-A4F1-13899E9BF0F1}: NameServer = 61.88.88.88,192.65.91.129
O17 - HKLM\System\CS1\Services\Tcpip\..\{05004CF8-826F-48BC-9836-1CF23548D08A}: NameServer = 61.88.88.88,192.65.91.129
O17 - HKLM\System\CS2\Services\Tcpip\..\{05004CF8-826F-48BC-9836-1CF23548D08A}: NameServer = 61.88.88.88,192.65.91.129
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZONELABS\vsmon.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

Did all that. Thanks again. Am I now squeaky clean?

Computer behaviour is perfectly normal.

#12 little eagle

little eagle

    spyware hawk

  • Visiting Fellow
  • PipPipPipPipPipPip
  • 8,968 posts
  • Interests:spyware

Posted 11 December 2005 - 07:55 PM

Open Spybot and click on Mode and check Advanced Mode
Check yes to next window.
Click on Tools in bottom left hand corner.
Click on System Startup icon.
Uncheck Teatimer box and/or Uncheck Resident.
Click Allow Change box.

Then, check next to the computer clock to see if the icon for Spybot is still there.
If it is, right click it and choose 'exit Spybot-S&D Resident'.
You can enable these after resolving your problem.

Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

O2 - BHO: (no name) - {DCDF80B6-C388-AE90-E5A2-66EDD4482F41} - (no file)
O16 - DPF: webiress -


Click on Fix Checked when finished and exit HijackThis.
That should do it :D

#13 Kingparrot

Posted 14 December 2005 - 12:31 AM

Thank you for all the work and advice. I thought I would see how the computer runs for a few days.

Today, launching the Internet Explorer browser, a File Download window appeared with the following information:

File name: bordernet.com[1]
File type:
From: www.bordernet.com.au

I thought it odd, so I did not open or save it. When cancelled there is no Internet Explorer, except trying several times, and suddenly IE is there without the File Download request. I can without problem access the web via a web site inside an email. I have asked Bordernet support and they have definitely not released anything like it.

I did run again, all in Safe mode, CW Shredder, AboutBuster, Ewido and 3S. Yesterday I did run Lavasoft Adaware and Norton Antivirus. But it still pops up. Any thoughts on this variety on the problem? Thanks again.

#14 little eagle


Posted 14 December 2005 - 05:15 AM

Can you post another log from HijackThis? And are you from Canberra, Australia? Do a scan with Ewido, save the log and post it also.

Edited by little eagle, 14 December 2005 - 05:17 AM.


#15 Kingparrot


Posted 15 December 2005 - 01:22 AM

Logfile of HijackThis v1.99.1
Scan saved at 16:28:26, on 15-Dec-05
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\userinit.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bordernet.com.au/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.bordernet.com.au
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.bordernet.com.au
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=10.16.7.5:9877
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {DCDF80B6-C388-AE90-E5A2-66EDD4482F41} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [C:\Program Files\NET Traffic Meter\NET Traffic Meter] "C:\Program Files\NET Traffic Meter\NET Traffic Meter.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O16 - DPF: webiress -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1132818435921
O17 - HKLM\System\CCS\Services\Tcpip\..\{05004CF8-826F-48BC-9836-1CF23548D08A}: NameServer = 61.88.88.88,192.65.91.129
O17 - HKLM\System\CCS\Services\Tcpip\..\{17CE17AC-2BBD-4BD6-A4F1-13899E9BF0F1}: NameServer = 61.88.88.88,192.65.91.129
O17 - HKLM\System\CS1\Services\Tcpip\..\{05004CF8-826F-48BC-9836-1CF23548D08A}: NameServer = 61.88.88.88,192.65.91.129
O17 - HKLM\System\CS2\Services\Tcpip\..\{05004CF8-826F-48BC-9836-1CF23548D08A}: NameServer = 61.88.88.88,192.65.91.129
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZONELABS\vsmon.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

And the Ewido:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 17:58:19, 15-Dec-05
+ Report-Checksum: 30692C0B

+ Scan result:

No infected objects found.


::Report End

I am baffled because now it works. What I did run last night was Adaware, Spybot and Norton Antivirus. Only Adaware found something: "Cookie: Administrator@servedby.netshelter.net/", which I quarantined.

I did run both reports above just before sending this reply.

I am from Kempsey, NSW Mid North Coast, which is half way between Sydney and Brisbane. Can I be of any assistance?

Thanks again

PS. I noticed that the following two HijackThis files are still there even if I have removed them twice:

02 - BHO: (no name) ........ (no file)
016 - DPF: webiress.
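
The check described in the PS above, as an added example that is not part of any post in this thread: it parses HijackThis entry lines, flags entries that point at nothing on disk, and reports which entries from the fix list in post #12 are still present in the 15-Dec-05 log. The function names are made up for this example, and treating an O16 entry that ends in a bare "-" as having no source URL is an assumption about the log format.

```python
import re

# Lines copied from the 15-Dec-05 HijackThis log in this thread.
LATER_LOG = r"""
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {DCDF80B6-C388-AE90-E5A2-66EDD4482F41} - (no file)
O16 - DPF: webiress -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1132818435921
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
"""

# The two entries post #12 said to check and fix.
FIX_LIST = [
    "O2 - BHO: (no name) - {DCDF80B6-C388-AE90-E5A2-66EDD4482F41} - (no file)",
    "O16 - DPF: webiress -",
]

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")  # e.g. "O2 - BHO: ..."


def parse(log):
    """Return (section, body) per entry line; headers and process paths are skipped."""
    entries = []
    for line in log.splitlines():
        m = ENTRY.match(" ".join(line.split()))  # collapse stray whitespace first
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def orphan_reason(section, body):
    """Say why an entry references nothing on disk, or return None."""
    if body.endswith("(no file)"):
        return "no file"
    if body.endswith("(file missing)"):
        return "file missing"
    if section == "O16" and body.endswith("-"):  # assumption: empty source field
        return "no source URL"
    return None


def orphans(log):
    """List (section, body, reason) for every orphaned entry in the log."""
    return [(s, b, r) for s, b in parse(log) if (r := orphan_reason(s, b))]


def persisting(fix_list, later_log):
    """Return the fix-list lines that still appear in a log taken after the fix."""
    later = set(parse(later_log))
    return [f for f in fix_list if parse(f) and parse(f)[0] in later]
```

Run against the lines above, `persisting(FIX_LIST, LATER_LOG)` returns both fix-list entries, matching what the poster reports in the PS.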
