Urgent CWShredder help!!

edited November 2004 in Spyware & Virus Removal
My work computer has a trojan on it. I've run Ad-Aware, Spybot and am currently running Trend Micro's HouseCall virus scan on the computer (the HouseCall virus scan turned up nothing). This computer doesn't have a virus scanner such as McAfee or Norton on it.

Anyway, I ran CWShredder and was following your guide on defeating spyware when I noticed that the program kept closing and saying that it had a trojan on it: "You have a variant of the CoolWebSearch trojan (CWS.SmartSearch.2) that has attempted to close CWShredder. To counter this CWShredder is now starting with a random string of text in the title bar. CWShredder is still functioning fine, it has not been corrupted."

Now once I click OK, click Fix, make sure all browsers are closed and click OK again, this pops up: "CWShredder.exe has generated and will be closed by Windows. You will need to restart the program. An error log is being created."

I have no idea how to fix this and am in dire need of having it fixed soon so I can get back to work without having these pop-ups all over the place. I'm going to post my HijackThis log in the hope that it may help anyone help me with this problem.

Logfile of HijackThis v1.98.2
Scan saved at 6:49:56 PM, on 10/27/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\System32\HmmG2c.exe
C:\WINNT\explorer.exe
C:\WINNT\System32\HmmG2c.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\SCANPC~1.RR1\LOCALS~1\Temp\Rar$EX03.235\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.reyrey.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O1 - Hosts: 205.139.80.162 edcsweb # primary application server (pas) - port 80
O1 - Hosts: 205.139.80.35 edcsftp01 # primary ftp server - data exchange only
O1 - Hosts: 205.139.80.41 edcsventuri # porsche venturi server
O1 - Hosts: 205.139.80.165 edcsmail # domino mail server - port 80?
O1 - Hosts: 205.139.80.168 edcsdoc # domino documents server - port 80?
O1 - Hosts: 205.139.80.171 edcsftp02 # secondary ftp server
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {3BAD3C2B-B712-5EB1-D553-655504FB794F} - C:\WINNT\System32\xufv.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [VNC Viewer] "C:\Program Files\ORL\VNC\WinVNC.exe"
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [scFR246] C:\documents and settings\scanpc01\local settings\temp\scFR246.exe
O4 - HKLM\..\Run: [Wy8] C:\documents and settings\scanpc01\local settings\temp\Wy8.exe
O4 - HKLM\..\Run: [FinorJ] C:\documents and settings\scanpc01\local settings\temp\FinorJ.exe
O4 - HKLM\..\Run: [32@2KNM3WQPCRQ] C:\WINNT\System32\AhybI.exe
O4 - HKLM\..\Run: [2F9R3FW] mmftil.exe
O4 - HKLM\..\RunOnce: [AAW] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\System32\maxspeed.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\System32\maxspeed.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Canasta by pogo - http://canasta.pogo.com/applet-5.9.1.28/canasta/canasta-ob-assets.cab
O16 - DPF: Chess by pogo - http://chess2.pogo.com/applet-5.9.1.18/chess2/chess2-ob-assets.cab
O16 - DPF: High Stakes Pool by pogo - http://pool2.pogo.com/applet-5.8.6.20/pool2/pool-ob-assets.cab
O16 - DPF: Jungle Gin by pogo - http://gin.pogo.com/applet-5.9.1.18/gin/gin-ob-assets.cab
O16 - DPF: Mah Jong Garden by pogo - http://mahjong2.pogo.com/applet-5.9.0.18/mahjong/mahjong-ob-assets.cab
O16 - DPF: Perfect Pair Solitaire by pogo - http://waterwheel.pogo.com/applet-5.9.0.18/waterwheel/waterwheel-ob-assets.cab
O16 - DPF: Phlinx by pogo - http://flinger.pogo.com/applet-5.9.1.28/flinger/flinger-ob-assets.cab
O16 - DPF: Squelchies by pogo - http://game3.pogo.com/applet-5.9.1.28/squelchies/squelchies-ob-assets.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt3_x.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = rr18380.reyrey.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{2C84097D-CB6B-4335-9477-411C68A9DFFA}: Domain = rr18380
O17 - HKLM\System\CCS\Services\Tcpip\..\{2C84097D-CB6B-4335-9477-411C68A9DFFA}: NameServer = 10.13.191.196
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = rr18380.reyrey.net
O17 - HKLM\System\CS1\Services\Tcpip\..\{2C84097D-CB6B-4335-9477-411C68A9DFFA}: Domain = rr18380
O17 - HKLM\System\CS1\Services\Tcpip\..\{2C84097D-CB6B-4335-9477-411C68A9DFFA}: NameServer = 10.13.191.196
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = rr18380.reyrey.net
O17 - HKLM\System\CS2\Services\Tcpip\..\{2C84097D-CB6B-4335-9477-411C68A9DFFA}: Domain = rr18380
O17 - HKLM\System\CS2\Services\Tcpip\..\{2C84097D-CB6B-4335-9477-411C68A9DFFA}: NameServer = 10.13.191.196

Comments

  • SpywareShooter
    edited October 2004
    O4 - HKLM\..\Run: [scFR246] C:\documents and settings\scanpc01\local settings\temp\scFR246.exe
    O4 - HKLM\..\Run: [Wy8] C:\documents and settings\scanpc01\local settings\temp\Wy8.exe
    O4 - HKLM\..\Run: [FinorJ] C:\documents and settings\scanpc01\local settings\temp\FinorJ.exe
    O4 - HKLM\..\Run: [32@2KNM3WQPCRQ] C:\WINNT\System32\AhybI.exe
    O4 - HKLM\..\Run: [2F9R3FW] mmftil.exe
    O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\System32\maxspeed.exe
    O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\System32\maxspeed.exe
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)

    Fix those entries then find and delete the files listed above, reboot and post a new log.
  • edited October 2004
    Thank you for the help. This is the new HijackThis log after running Ad-Aware and Spybot once again. I'm still having the problem with the CWShredder!!!

    Logfile of HijackThis v1.98.2
    Scan saved at 7:59:21 PM, on 10/27/2004
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\LEXBCES.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    C:\WINNT\System32\igfxtray.exe
    C:\WINNT\System32\hkcmd.exe
    C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINNT\System32\Vacv1.exe
    C:\WINNT\System32\Vacv1.exe
    C:\DOCUME~1\SCANPC~1.RR1\LOCALS~1\Temp\Rar$EX00.766\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.reyrey.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    O1 - Hosts: 205.139.80.162 edcsweb # primary application server (pas) - port 80
    O1 - Hosts: 205.139.80.35 edcsftp01 # primary ftp server - data exchange only
    O1 - Hosts: 205.139.80.41 edcsventuri # porsche venturi server
    O1 - Hosts: 205.139.80.165 edcsmail # domino mail server - port 80?
    O1 - Hosts: 205.139.80.168 edcsdoc # domino documents server - port 80?
    O1 - Hosts: 205.139.80.171 edcsftp02 # secondary ftp server
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {3BAD3C2B-B712-5EB1-D553-655504FB794F} - C:\WINNT\System32\xufv.dll (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [VNC Viewer] "C:\Program Files\ORL\VNC\WinVNC.exe"
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [32@2KNM3WQPCRQ] C:\WINNT\System32\Eah1q5.exe
    O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Canasta by pogo - http://canasta.pogo.com/applet-5.9.1.28/canasta/canasta-ob-assets.cab
    O16 - DPF: Chess by pogo - http://chess2.pogo.com/applet-5.9.1.18/chess2/chess2-ob-assets.cab
    O16 - DPF: High Stakes Pool by pogo - http://pool2.pogo.com/applet-5.8.6.20/pool2/pool-ob-assets.cab
    O16 - DPF: Jungle Gin by pogo - http://gin.pogo.com/applet-5.9.1.18/gin/gin-ob-assets.cab
    O16 - DPF: Mah Jong Garden by pogo - http://mahjong2.pogo.com/applet-5.9.0.18/mahjong/mahjong-ob-assets.cab
    O16 - DPF: Perfect Pair Solitaire by pogo - http://waterwheel.pogo.com/applet-5.9.0.18/waterwheel/waterwheel-ob-assets.cab
    O16 - DPF: Phlinx by pogo - http://flinger.pogo.com/applet-5.9.1.28/flinger/flinger-ob-assets.cab
    O16 - DPF: Squelchies by pogo - http://game3.pogo.com/applet-5.9.1.28/squelchies/squelchies-ob-assets.cab
    O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt3_x.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = rr18380.reyrey.net
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2C84097D-CB6B-4335-9477-411C68A9DFFA}: Domain = rr18380
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2C84097D-CB6B-4335-9477-411C68A9DFFA}: NameServer = 10.13.191.196
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = rr18380.reyrey.net
    O17 - HKLM\System\CS1\Services\Tcpip\..\{2C84097D-CB6B-4335-9477-411C68A9DFFA}: Domain = rr18380
    O17 - HKLM\System\CS1\Services\Tcpip\..\{2C84097D-CB6B-4335-9477-411C68A9DFFA}: NameServer = 10.13.191.196
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = rr18380.reyrey.net
    O17 - HKLM\System\CS2\Services\Tcpip\..\{2C84097D-CB6B-4335-9477-411C68A9DFFA}: Domain = rr18380
    O17 - HKLM\System\CS2\Services\Tcpip\..\{2C84097D-CB6B-4335-9477-411C68A9DFFA}: NameServer = 10.13.191.196
  • edited October 2004
    I hate to be a pain and bump this, but I think this thread is getting ignored. I'm still not able to run CWShredder as the problem is still occurring.
  • SpywareShooter
    edited October 2004
    Don't worry, you're not being ignored. We just have a lot of people to help, and offline lives to live, so it may take a while for you to get an answer.

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.reyrey.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    O1 - Hosts: 205.139.80.162 edcsweb # primary application server (pas) - port 80
    O1 - Hosts: 205.139.80.35 edcsftp01 # primary ftp server - data exchange only
    O1 - Hosts: 205.139.80.41 edcsventuri # porsche venturi server
    O1 - Hosts: 205.139.80.165 edcsmail # domino mail server - port 80?
    O1 - Hosts: 205.139.80.168 edcsdoc # domino documents server - port 80?
    O1 - Hosts: 205.139.80.171 edcsftp02 # secondary ftp server
    O2 - BHO: (no name) - {3BAD3C2B-B712-5EB1-D553-655504FB794F} - C:\WINNT\System32\xufv.dll (file missing)
    O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
    O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
    O4 - HKLM\..\Run: [32@2KNM3WQPCRQ] C:\WINNT\System32\Eah1q5.exe

    Fix those entries then find and delete Eah1q5.exe, reboot and post a new log.
  • edited October 2004
    Sorry about that. It's been a rough week and I've been a tad grumpy. Thank you for all the help thus far. You guys are doing a great job ^_^ I've run Ad-Aware and Spybot again.

    Logfile of HijackThis v1.98.2
    Scan saved at 6:55:32 PM, on 10/29/2004
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\LEXBCES.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    C:\WINNT\System32\igfxtray.exe
    C:\WINNT\System32\hkcmd.exe
    C:\WINNT\System32\TuqG.exe
    C:\WINNT\System32\PlrO0Z54.exe
    C:\Documents and Settings\scanpc01.RR18380\Local Settings\Temp\Rar$EX00.766\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.reyrey.com/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [VNC Viewer] "C:\Program Files\ORL\VNC\WinVNC.exe"
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [32@2KNM3WQPCRQ] C:\WINNT\System32\Khq4be.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = rr18380.reyrey.net
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2C84097D-CB6B-4335-9477-411C68A9DFFA}: Domain = rr18380
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2C84097D-CB6B-4335-9477-411C68A9DFFA}: NameServer = 10.13.191.196
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = rr18380.reyrey.net
    O17 - HKLM\System\CS1\Services\Tcpip\..\{2C84097D-CB6B-4335-9477-411C68A9DFFA}: Domain = rr18380
    O17 - HKLM\System\CS1\Services\Tcpip\..\{2C84097D-CB6B-4335-9477-411C68A9DFFA}: NameServer = 10.13.191.196
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = rr18380.reyrey.net
    O17 - HKLM\System\CS2\Services\Tcpip\..\{2C84097D-CB6B-4335-9477-411C68A9DFFA}: Domain = rr18380
    O17 - HKLM\System\CS2\Services\Tcpip\..\{2C84097D-CB6B-4335-9477-411C68A9DFFA}: NameServer = 10.13.191.196
  • SpywareShooter
    edited October 2004
    O4 - HKLM\..\Run: [32@2KNM3WQPCRQ] C:\WINNT\System32\Khq4be.exe

    Fix that entry then find and delete Khq4be.exe, reboot and post a new log.
  • Crunchie (Mandurah, Western Australia), Member
    edited October 2004
    Download and run this program to sort out CWS.

    You also have the peper trojan. Download the PeperFix.exe tool from here:

    http://downloads.subratam.org/PeperFix.exe

    Click on the PeperFix.exe to launch it.

    Click the Find and Fix button.

    It will scan the %Systemroot% folder and locate all the peper files. You will be prompted to reboot. Reboot and it will delete the peper files.
    Ensure that you are online before starting the fix. Make sure to run the fix twice.

    Then delete that file SpywareShooter noted, both with HijackThis and manually. Put HijackThis in a permanent folder too. You do not want to lose any backups that it creates :). Just put a new folder on the desktop, name it whatever, drag HijackThis into it and run it from there.
  • edited October 2004
    Download and run this program to sort out CWS.

    You also have the peper trojan. Download the PeperFix.exe tool from here:

    The PeperFix worked great!!! Thanks to you it found 11 files and got them off my thing!! But the link you gave me for the thing to help CWS said that v1/v2 wasn't found at all. I went on merjin.org though and found out that the process that's been running is IEXPLORER.EXE. It has an extra R. I still can't run CWS even after running Ad-Aware and Spybot again. Also, I deleted the entry that Spy told me to and now here is my new HijackThis log. I can't delete the reyscan startup page entry because my boss likes us to have that as our start page in case something goes wrong with our scanning system.

    Logfile of HijackThis v1.98.2
    Scan saved at 11:28:25 AM, on 10/30/2004
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\LEXBCES.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    C:\WINNT\System32\igfxtray.exe
    C:\WINNT\System32\hkcmd.exe
    C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\scanpc01.RR18380\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.reyrey.com/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [VNC Viewer] "C:\Program Files\ORL\VNC\WinVNC.exe"
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = rr18380.reyrey.net
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2C84097D-CB6B-4335-9477-411C68A9DFFA}: Domain = rr18380
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2C84097D-CB6B-4335-9477-411C68A9DFFA}: NameServer = 10.13.191.196
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = rr18380.reyrey.net
    O17 - HKLM\System\CS1\Services\Tcpip\..\{2C84097D-CB6B-4335-9477-411C68A9DFFA}: Domain = rr18380
    O17 - HKLM\System\CS1\Services\Tcpip\..\{2C84097D-CB6B-4335-9477-411C68A9DFFA}: NameServer = 10.13.191.196
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = rr18380.reyrey.net
    O17 - HKLM\System\CS2\Services\Tcpip\..\{2C84097D-CB6B-4335-9477-411C68A9DFFA}: Domain = rr18380
    O17 - HKLM\System\CS2\Services\Tcpip\..\{2C84097D-CB6B-4335-9477-411C68A9DFFA}: NameServer = 10.13.191.196
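The two patterns the replies above keep working from, a Run value name (32@2KNM3WQPCRQ) that survives each reboot while its target file gets a fresh random name, loaders dropped under Local Settings\Temp, and the look-alike IEXPLORER.EXE the poster noticed, are straightforward to check by script rather than by eye. This is an added example written for this thread, not code from HijackThis, CWShredder or any of the posters; the log excerpts are constructed from entries shown in the thread, and the system-binary name list is an assumption.

```python
"""Triage helpers for HijackThis v1.98-style logs: parse the running process
list and the O4 autorun entries, flag loaders in a Temp folder, diff the
autoruns of two scans, and spot look-alike process names.
Added example for this thread; not code from HijackThis, CWShredder or any
poster. Log excerpts are constructed from entries the thread shows."""
import re
from typing import Dict, List, Tuple

# Constructed excerpts of the thread's first and second logs (same Run value
# name, new random file; a Temp loader; IEXPLORER.EXE with an extra R).
LOG_1 = """\
Running processes:
C:\\WINNT\\System32\\AhybI.exe
C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE

O4 - HKLM\\..\\Run: [IgfxTray] C:\\WINNT\\System32\\igfxtray.exe
O4 - HKLM\\..\\Run: [Wy8] C:\\documents and settings\\scanpc01\\local settings\\temp\\Wy8.exe
O4 - HKLM\\..\\Run: [32@2KNM3WQPCRQ] C:\\WINNT\\System32\\AhybI.exe
O4 - HKLM\\..\\RunOnce: [AAW] "C:\\Program Files\\Lavasoft\\Ad-Aware SE Personal\\Ad-Aware.exe" "+b1"
"""
LOG_2 = """\
Running processes:
C:\\WINNT\\System32\\Eah1q5.exe
C:\\Program Files\\Internet Explorer\\IEXPLORER.EXE

O4 - HKLM\\..\\Run: [IgfxTray] C:\\WINNT\\System32\\igfxtray.exe
O4 - HKLM\\..\\Run: [32@2KNM3WQPCRQ] C:\\WINNT\\System32\\Eah1q5.exe
"""

# "O4 - HKLM\..\Run: [value name] command line"
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")

# Assumed list of basenames a dropper commonly imitates; names one edit away
# from one of these (but not equal to it) get flagged.
SYSTEM_NAMES = {"iexplore.exe", "explorer.exe", "svchost.exe", "lsass.exe",
                "winlogon.exe", "csrss.exe", "services.exe", "smss.exe", "spoolsv.exe"}


def parse_log(text: str) -> Tuple[List[str], Dict[str, Tuple[str, str]]]:
    """Return (process paths, {run value name: (hive\\key, command line)})."""
    processes: List[str] = []
    autoruns: Dict[str, Tuple[str, str]] = {}
    in_procs = False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:                      # process block ends at the first blank line
            if not line:
                in_procs = False
            else:
                processes.append(line)
            continue
        m = O4_RE.match(line)
        if m:
            autoruns[m["name"]] = (f"{m['hive']}\\{m['key']}", m["cmd"])
    return processes, autoruns


def flag_temp_loaders(autoruns: Dict[str, Tuple[str, str]]) -> List[str]:
    """Autorun value names whose target lives under a user's Temp folder."""
    return sorted(name for name, (_, cmd) in autoruns.items()
                  if "\\local settings\\temp\\" in cmd.lower())


def changed_targets(old, new) -> Dict[str, Tuple[str, str]]:
    """Run values present in both scans whose command line changed: the
    persistent-name, new-random-file pattern of the thread's 32@2KNM3WQPCRQ entry."""
    return {name: (old[name][1], new[name][1]) for name in old
            if name in new and old[name][1] != new[name][1]}


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert, delete, substitute cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_processes(processes: List[str]) -> Dict[str, List[str]]:
    """Process basenames one edit away from a system binary name, e.g. IEXPLORER.EXE."""
    hits: Dict[str, List[str]] = {}
    for path in processes:
        base = path.rsplit("\\", 1)[-1].lower()
        if base in SYSTEM_NAMES:
            continue
        near = sorted(n for n in SYSTEM_NAMES if edit_distance(base, n) == 1)
        if near:
            hits[base] = near
    return hits


if __name__ == "__main__":
    procs1, runs1 = parse_log(LOG_1)
    procs2, runs2 = parse_log(LOG_2)
    print("Temp loaders in scan 1:", flag_temp_loaders(runs1))
    print("Autorun targets changed between scans:", changed_targets(runs1, runs2))
    print("Look-alike processes in scan 2:", lookalike_processes(procs2))
```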
  • SpywareShooter
    edited October 2004
    Your log looks okay now. Are you still having any problems?
  • edited October 2004
    CWS isn't working still. Once it gets to that SmartSearch section it shuts off. Is there any way to fix this?
  • SpywareShooter
    edited October 2004
    Have you tried re-installing CWShredder?
  • edited November 2004
    I uninstalled and reinstalled the CWShredder program and I once again got this message: "You have a variant of the CoolWebSearch trojan (CWS.SmartSearch.2) that has attempted to close CWShredder. To counter this CWShredder is now starting with a random string of text in the title bar. CWShredder is still functioning fine, it has not been corrupted."

    Umm what do I do now?
  • SpywareShooter
    edited November 2004
    Please post a new log so we can see if you are still infected.
  • edited November 2004
    Here is the new log as of 11/1/04.

    Logfile of HijackThis v1.98.2
    Scan saved at 9:49:24 PM, on 11/1/2004
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\LEXBCES.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    C:\WINNT\System32\igfxtray.exe
    C:\Program Files\Conquer1.0\Conquer.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
    C:\Program Files\WinRAR\WinRAR.exe
    C:\DOCUME~1\SCANPC~1.RR1\LOCALS~1\Temp\Rar$EX00.937\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.reyrey.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = rr18380.reyrey.net
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2C84097D-CB6B-4335-9477-411C68A9DFFA}: Domain = rr18380
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2C84097D-CB6B-4335-9477-411C68A9DFFA}: NameServer = 10.13.191.196
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = rr18380.reyrey.net
    O17 - HKLM\System\CS1\Services\Tcpip\..\{2C84097D-CB6B-4335-9477-411C68A9DFFA}: Domain = rr18380
    O17 - HKLM\System\CS1\Services\Tcpip\..\{2C84097D-CB6B-4335-9477-411C68A9DFFA}: NameServer = 10.13.191.196
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = rr18380.reyrey.net
    O17 - HKLM\System\CS2\Services\Tcpip\..\{2C84097D-CB6B-4335-9477-411C68A9DFFA}: Domain = rr18380
    O17 - HKLM\System\CS2\Services\Tcpip\..\{2C84097D-CB6B-4335-9477-411C68A9DFFA}: NameServer = 10.13.191.196