It's got me again. This time it's CWS - EyesOnly

EyesOnly (Sweden)
edited June 2005 in Spyware & Virus Removal
I'm just starting to recover from a hard drive crash (more info will come in another thread), but now it seems I got spyware as well. I tried very hard to make sure I had all security programs installed before I got internet, but I must have done something wrong. This is very irritating since I rarely even use IE.

Oh well, here's what's wrong. Ad-Aware finds only tracking cookies and some MRUs, so nothing to worry about there. Spybot, however, finds CoolWebSearch components but can't remove them. It says I should reboot since it might still be in memory; when I did, it still found them. CWShredder finds none of that, though it keeps asking me if I want to delete notepad.exe. But why would I want that? It's an MS app, for crying out loud.

So please help me with this. Here's my log:

Logfile of HijackThis v1.99.1
Scan saved at 16:00:08, on 2005-06-05
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
E:\Program\Sygate\SPF\smc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
E:\Program\APC\APC PowerChute Personal Edition\mainserv.exe
E:\Program\Grisoft\AVGFRE~1\avgamsvr.exe
E:\Program\Grisoft\AVGFRE~1\avgupsvc.exe
E:\Folding @ Home\FAH502-Console.exe
C:\WINDOWS\system32\Smartscaps.exe
E:\Folding @ Home\FahCore_65.exe
C:\ASUS\Probe\AsusProb.exe
E:\Program\Grisoft\AVGFRE~1\avgcc.exe
E:\Program\Grisoft\AVGFRE~1\avgemc.exe
E:\Program\HP\hpcoretech\hpcmpmgr.exe
E:\Program\Java\jre1.5.0_01\bin\jusched.exe
E:\Program\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
E:\Program\MSN Messenger\MsnMsgr.Exe
E:\Program\framxpro\FreeRAM XP Pro 1.40.exe
E:\Program\SmartTrust\SmartTrust Personal\Csp\SmartCertmover.exe
E:\Program\JetToolBar\JetTB.exe
E:\Program\Logitech\SetPoint\KEM.exe
E:\Program\Personal\bin\Personal.exe
E:\Program\APC\APC PowerChute Personal Edition\apcsystray.exe
E:\EMIII\EMIII.exe
E:\Program\Logitech\SetPoint\KHALMNPR.EXE
E:\Program\DC++\DCPlusPlus.exe
E:\Program\Mozilla Firefox\firefox.exe
E:\Program\RegSupreme Pro\RegSupremePro.exe
E:\Spyware apps\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - E:\Program\FreshDevices\FreshDownload\fdcatch.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [LogitechVideoRepair] E:\Program\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [ASUS Probe] C:\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [AVG7_CC] E:\Program\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] E:\Program\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [HP Component Manager] "E:\Program\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [SmcService] E:\Program\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] E:\Program\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [FreeRAM XP] "E:\Program\framxpro\FreeRAM XP Pro 1.40.exe" -win
O4 - Startup: Electron Microscope.lnk = E:\EMIII\EMIII.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Certificate Mover.lnk = ?
O4 - Global Startup: jetToolBar.lnk = E:\Program\JetToolBar\JetTB.exe
O4 - Global Startup: Logitech SetPoint.lnk = E:\Program\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Personal.lnk = E:\Program\Personal\bin\Personal.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program\Messenger\msmsgs.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O23 - Service: APC UPS Service - American Power Conversion Corporation - E:\Program\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\Program\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\Program\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: FAH@E:+Folding @ Home+FAH502-Console.exe - Stanford University - E:\Folding @ Home\FAH502-Console.exe
O23 - Service: SmartTrust Smart Card Server (Smartscaps) - SmartTrust - C:\WINDOWS\system32\Smartscaps.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - E:\Program\Sygate\SPF\smc.exe

Comments

  • SpywareShooter (127.0.0.1)
    edited June 2005
    Your log is clean. Those spybot entries are false positives. If you have a new version of Spyware Shooter installed (I believe this problem started happening with the 4/29 update) it will cause those to appear. The problem is that Spybot is not reading the "restricted zone" part of the key, and automatically assumes that they are trusted zone sites that have been installed by CWS.
  • EyesOnly (Sweden)
    edited June 2005
    But I haven't installed Shooter yet. Should I?

    Edit:
    Here's what Spybot says about the 3 entries it finds. I've run SpywareShooter now. So how do I fix this?

    CoolWWWSearch.Toolband: Trusted Site (Registry change, fixing failed)
    HKEY_USERS\S-1-5-21-1757981266-746137067-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\isprime.com\*!=W=4

    CoolWWWSearch.Leftovers: Trusted Site (Registry change, fixing failed)
    HKEY_USERS\S-1-5-21-1757981266-746137067-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\greatplugin.com\*!=W=4

    CoolWWWSearch.Mupdate: Trusted Site (Registry change, fixing failed)
    HKEY_USERS\S-1-5-21-1757981266-746137067-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\masspass.com\*!=W=4
  • SpywareShooter (127.0.0.1)
    edited June 2005
    Those are the same entries that show up with SS. Do you have IE-SpyAd or SpywareBlaster installed?
  • EyesOnly (Sweden)
    edited June 2005
    Yes, Blaster is installed and updated.
  • SpywareShooter (127.0.0.1)
    edited June 2005
    Okay, that may be causing these entries to appear. They are caused by having those sites in your Restricted Sites zone. Spybot isn't reading the part of the registry key that tells it to be restricted, and assumes that it is Trusted. You can either ignore those entries or open up Internet Explorer's Restricted Sites zone site list and remove those sites from there.
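The disagreement above comes down to one DWORD per entry. Under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains, each domain is a subkey, each scheme ("*" for any, or "http", "https", ...) is a value, and the value data is the IE zone number: 0 = My Computer, 1 = Local Intranet, 2 = Trusted Sites, 3 = Internet, 4 = Restricted Sites. The "=W=4" at the end of each Spybot line is that data, so all three reported domains sit in zone 4 (Restricted), which is what SpywareBlaster puts there; a real CWS infection would put its domains in zone 2. The following script is an added example, not part of this thread or of Spybot, SpywareBlaster or SpywareShooter. It parses a plain `reg export` of the Domains key offline and separates Trusted (2) from Restricted (4) entries, so the zone can be verified without relying on any one scanner's interpretation. The sample export embedded in it is constructed: the three domains are the ones from the Spybot report above, while example.net and its update subdomain are made up to show what a genuine Trusted entry and a host-level subkey look like.

```python
import re
from collections import namedtuple

# IE security zone numbers (URLZONE_* values used by urlmon/ZoneMap).
ZONE_NAMES = {
    0: "My Computer",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}

# Constructed sample in the format written by
#   reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains" zonemap.reg
# isprime.com / greatplugin.com / masspass.com mirror the Spybot report in the
# thread; example.net and its "update" subkey are invented for illustration.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\isprime.com]
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\greatplugin.com]
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\masspass.com]
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.net]
"http"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.net\update]
"*"=dword:00000002
"""

ZoneEntry = namedtuple("ZoneEntry", "host scheme zone zone_name")

_KEY_RE = re.compile(r"^\[(.+)\]$")
_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{1,8})$')
_DOMAINS_MARKER = "\\zonemap\\domains\\"


def parse_zonemap(reg_text):
    """Turn a .reg export of ZoneMap\\Domains into ZoneEntry tuples.

    A key directly under Domains names a domain; a nested subkey names a host
    label, so Domains\\example.net\\update is the host update.example.net.
    Each dword value maps a scheme ("*" = any) to a zone number.
    """
    entries = []
    host = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key_match = _KEY_RE.match(line)
        if key_match:
            key = key_match.group(1)
            pos = key.lower().find(_DOMAINS_MARKER)
            if pos == -1:
                host = None  # some other key; ignore its values
                continue
            labels = key[pos + len(_DOMAINS_MARKER):].split("\\")
            host = ".".join(reversed(labels))
            continue
        value_match = _DWORD_RE.match(line)
        if host and value_match:
            scheme, hexval = value_match.groups()
            zone = int(hexval, 16)
            name = ZONE_NAMES.get(zone, "unknown zone %d" % zone)
            entries.append(ZoneEntry(host, scheme, zone, name))
    return entries


def split_by_zone(entries):
    """Return (trusted, restricted).

    Zone 2 entries are what a hijacker such as CWS adds and are worth checking
    one by one; zone 4 entries are blocks (SpywareBlaster, IE-SpyAd) and are
    the ones Spybot mislabelled in the thread above.
    """
    trusted = [e for e in entries if e.zone == 2]
    restricted = [e for e in entries if e.zone == 4]
    return trusted, restricted


def load_reg_file(path):
    """reg.exe writes UTF-16 LE with a BOM; hand-made files are often ANSI/UTF-8."""
    with open(path, "rb") as fh:
        data = fh.read()
    if data.startswith(b"\xff\xfe"):
        return data.decode("utf-16")
    return data.decode("utf-8", errors="replace")


if __name__ == "__main__":
    import sys
    text = load_reg_file(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REG
    trusted, restricted = split_by_zone(parse_zonemap(text))
    for e in restricted:
        print("restricted %-25s %-6s zone %d (%s)" % (e.host, e.scheme, e.zone, e.zone_name))
    for e in trusted:
        print("TRUSTED    %-25s %-6s zone %d (%s)  <- verify" % (e.host, e.scheme, e.zone, e.zone_name))
```

Run it with no arguments to see the constructed sample classified, or pass the path of a real `reg export` of the Domains key. Any host that lands in the TRUSTED list and that you did not add yourself is the thing to investigate; a long list of ad and hijacker domains in the restricted list is the expected footprint of SpywareBlaster and nothing to remove.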
  • EyesOnly (Sweden)
    edited June 2005
    That fixed it. Thanks for the help. Let's hope something like this doesn't happen again. I've not heard a single good thing about CWS, so I really don't want it on my PC.