"computer is infested" becomes CoolWWWSearch
I have read the previous thread from SUNBRAT "my computer is infested" and the replies from Buckeye_Sam. SUNBRAT's problem looks similar to the one I have. This previous post was very, very helpful in my attempts to fix my current CoolWWWSearch. This is my first post. This looks like a fine neat group of helping folks.
I use Spybot v1.4 (sometimes in safe mode), Ad-Aware SE, and Hijackthis v1.99.1. I am running WinXP Pro and have a new DSL Gateway by ActionTec. I am blocking web addresses at the router to try to hold the virus at bay. Seems like it is changing the addresses sometimes.
It seems that CoolWWWSearch is a virus on my computer. Spybot is trying hard to eliminate it, but is not successful. See the attached PDF file and Hijackthis log. Some registry entries cannot be deleted and then the offending ones are regenerated. Also MSIE home page is hijacked to "about:blank".
Any help will be greatly appreciated.
thanks
...Jim
Logfile of HijackThis v1.99.1
Scan saved at 12:27:47 PM, on 12/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\atlvs32.exe
C:\WINDOWS\twain_32\SiPix\SCBlink2\Srvany.exe
C:\WINDOWS\twain_32\SiPix\SCBlink2\USBPNP.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\system32\sdklp32.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Norton AntiVirus\OPScan.exe
C:\Jim\Virus Stuff\HiJackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\otzip.dll/sp.html#77035%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\otzip.dll/sp.html#77035%resultposition.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\otzip.dll/sp.html#77035%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\otzip.dll/sp.html#77035%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\otzip.dll/sp.html#77035%resultposition.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\otzip.dll/sp.html#77035%resultposition.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\otzip.dll/sp.html#77035%resultposition.net
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {1EDDA893-407F-4AA4-792C-9D75EC6A544B} - C:\WINDOWS\appbl32.dll
O2 - BHO: Class - {7116ABC7-7412-4CAE-B029-91AEAE42B1D5} - C:\WINDOWS\system32\sdkyt.dll
O2 - BHO: Class - {83F24B08-AF24-AADE-19B1-E8C89AC653C5} - C:\WINDOWS\crxh32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [netbo.exe] C:\WINDOWS\netbo.exe
O4 - HKLM\..\Run: [apino.exe] C:\WINDOWS\apino.exe
O4 - HKLM\..\Run: [netal32.exe] C:\WINDOWS\netal32.exe
O4 - HKLM\..\Run: [d3gm.exe] C:\WINDOWS\system32\d3gm.exe
O4 - HKLM\..\Run: [sdkrl.exe] C:\WINDOWS\sdkrl.exe
O4 - HKLM\..\Run: [ipri.exe] C:\WINDOWS\ipri.exe
O4 - HKLM\..\Run: [ntfv32.exe] C:\WINDOWS\system32\ntfv32.exe
O4 - HKLM\..\Run: [sysrq32.exe] C:\WINDOWS\system32\sysrq32.exe
O4 - HKLM\..\Run: [sdklp32.exe] C:\WINDOWS\system32\sdklp32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120573498890
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?319
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: msupdate - C:\WINDOWS\SYSTEM32\msupdate32.dll
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\atlvs32.exe
O23 - Service: Blink2PnP - Unknown owner - C:\WINDOWS\twain_32\SiPix\SCBlink2\Srvany.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InCD Helper (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
When I restart the computer, a message usually comes up saying that ccApp had to be ended.
My MSIE home page is still being hijacked to "about:blank". (I hope 'hijacked' is the correct term to use here.) SpyBot continues to report CoolWWWSearch problems. They can be cleared (except for 2 registry entries) and then recur, maybe at restart.
This looks like a special place where people try to help each other.
Here is HJT log.
Logfile of HijackThis v1.99.1
Scan saved at 3:33:13 AM, on 12/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\twain_32\SiPix\SCBlink2\Srvany.exe
C:\WINDOWS\twain_32\SiPix\SCBlink2\USBPNP.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\system32\atlvs32.exe
C:\WINDOWS\netaj.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Jim\Virus Stuff\HiJackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\nsnhx.dll/sp.html#77035%
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\nsnhx.dll/sp.html#77035%
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\nsnhx.dll/sp.html#77035%
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\nsnhx.dll/sp.html#77035%
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\nsnhx.dll/sp.html#77035%
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\nsnhx.dll/sp.html#77035%
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\nsnhx.dll/sp.html#77035%
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {1EDDA893-407F-4AA4-792C-9D75EC6A544B} - C:\WINDOWS\appbl32.dll (file missing)
O2 - BHO: Class - {7116ABC7-7412-4CAE-B029-91AEAE42B1D5} - C:\WINDOWS\system32\sdkyt.dll (file missing)
O2 - BHO: Class - {83F24B08-AF24-AADE-19B1-E8C89AC653C5} - C:\WINDOWS\crxh32.dll (file missing)
O2 - BHO: Class - {A65F11A0-3D1B-37FD-F86D-9AB8607151F1} - C:\WINDOWS\winyh.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [netbo.exe] C:\WINDOWS\netbo.exe
O4 - HKLM\..\Run: [apino.exe] C:\WINDOWS\apino.exe
O4 - HKLM\..\Run: [netal32.exe] C:\WINDOWS\netal32.exe
O4 - HKLM\..\Run: [d3gm.exe] C:\WINDOWS\system32\d3gm.exe
O4 - HKLM\..\Run: [sdkrl.exe] C:\WINDOWS\sdkrl.exe
O4 - HKLM\..\Run: [ipri.exe] C:\WINDOWS\ipri.exe
O4 - HKLM\..\Run: [ntfv32.exe] C:\WINDOWS\system32\ntfv32.exe
O4 - HKLM\..\Run: [sysrq32.exe] C:\WINDOWS\system32\sysrq32.exe
O4 - HKLM\..\Run: [sdklp32.exe] C:\WINDOWS\system32\sdklp32.exe
O4 - HKLM\..\Run: [d3sn.exe] C:\WINDOWS\d3sn.exe
O4 - HKLM\..\Run: [netaj.exe] C:\WINDOWS\netaj.exe
O4 - HKLM\..\RunOnce: [atlvs32.exe] C:\WINDOWS\system32\atlvs32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120573498890
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?319
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: msupdate - C:\WINDOWS\SYSTEM32\msupdate32.dll
O23 - Service: Blink2PnP - Unknown owner - C:\WINDOWS\twain_32\SiPix\SCBlink2\Srvany.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InCD Helper (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
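The two HijackThis logs above contain the classic CoolWWWSearch pattern: IE search settings pointing at a `res://` resource inside a dropped DLL, BHOs registered under the generic name "Class", O4 autostarts whose value name is just the file name of an executable dropped straight into `C:\WINDOWS` or `system32`, a Winlogon Notify DLL, and a service with no owner and a garbled display name. The following is an added example, not part of the original thread and not a HijackThis or Spybot feature: a small Python triage script that applies those heuristics to HijackThis log lines. The sample lines are copied from the log posted above; the `KNOWN_GOOD_AUTOSTARTS` allowlist and every heuristic are this example's own assumptions and would need tuning on a real machine.

```python
import re
from collections import Counter, namedtuple

# Sample input: a handful of lines copied from the HijackThis log posted in
# the thread, embedded here so the script runs offline.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\otzip.dll/sp.html#77035%resultposition.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {1EDDA893-407F-4AA4-792C-9D75EC6A544B} - C:\WINDOWS\appbl32.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [netbo.exe] C:\WINDOWS\netbo.exe
O4 - HKLM\..\Run: [d3gm.exe] C:\WINDOWS\system32\d3gm.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: msupdate - C:\WINDOWS\SYSTEM32\msupdate32.dll
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\atlvs32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""

Finding = namedtuple("Finding", ["section", "detail", "reason"])

HJT_ENTRY = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
RUN_VALUE = re.compile(r"\[(?P<name>[^\]]+)\]\s+(?P<cmd>.+)$")
# An .exe sitting directly in the Windows directory or in system32.
WINDIR_EXE = re.compile(r"^[a-z]:\\windows\\(system32\\)?[^\\\s]+\.exe$", re.I)

# Constructed allowlist (assumption): legitimate autostarts whose Run value
# name happens to equal the executable's file name.
KNOWN_GOOD_AUTOSTARTS = {"ctfmon.exe"}


def _suspicious_autostart(body):
    """Flag O4 entries named after their own .exe, dropped into the Windows dir."""
    m = RUN_VALUE.search(body)
    if not m:
        return None
    name = m.group("name").lower()
    cmd = m.group("cmd").strip().strip('"')
    if not name.endswith(".exe") or name in KNOWN_GOOD_AUTOSTARTS:
        return None
    if WINDIR_EXE.match(cmd) and cmd.lower().endswith("\\" + name):
        return "autostart named after its own .exe, dropped directly in the Windows directory"
    return None


def _suspicious_service(body):
    """Flag O23 services with no recorded owner or a garbled display name."""
    parts = body[len("Service: "):].rsplit(" - ", 2)
    if len(parts) != 3:
        return None
    display, owner, _path = parts
    reasons = []
    if owner.strip().lower() == "unknown owner":
        reasons.append("no vendor/owner recorded")
    if any(not 32 <= ord(c) < 127 for c in display):
        reasons.append("non-printable or non-ASCII characters in display name")
    return "; ".join(reasons) or None


def triage(log_text):
    """Return a list of Finding tuples for the HijackThis entries worth a look."""
    findings = []
    for raw in log_text.splitlines():
        m = HJT_ENTRY.match(raw.strip())
        if not m:
            continue  # header, 'Running processes' paths, blank lines
        sec, body = m.group("sec"), m.group("body")
        reason = None
        if sec in ("R0", "R1") and "res://" in body:
            reason = "browser search/start setting points at a res:// resource inside a local DLL"
        elif sec in ("R0", "R1") and body.endswith("= about:blank"):
            reason = "start page forced to about:blank (the hijack described in the post)"
        elif sec == "R3" and "missing" in body:
            reason = "default URLSearchHook removed"
        elif sec == "O2" and body.startswith("BHO: Class -"):
            reason = "BHO registered under the generic name 'Class'"
            if "(file missing)" in body:
                reason += "; DLL already gone, registration is orphaned"
        elif sec == "O4":
            reason = _suspicious_autostart(body)
        elif sec == "O20":
            reason = "Winlogon Notify DLL loads inside winlogon.exe before the shell; verify its publisher"
        elif sec == "O23":
            reason = _suspicious_service(body)
        if reason:
            findings.append(Finding(sec, body, reason))
    return findings


def summarize(findings):
    """Count findings per HijackThis section, e.g. {'O4': 2, ...}."""
    return dict(Counter(f.section for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}\n     {f.detail}")
```

On the sample above the script flags eight entries and leaves the Google Toolbar BHO, the Symantec service, `ccApp` and `ctfmon.exe` alone. The point of the allowlist is the same lesson the thread teaches: a value name that equals the file name is only a hint, and a human still has to check each hit against a known-good baseline before deleting anything.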
Choosing and maintaining an anti-virus scanner and firewall to use daily is my next task. Windows is a great operating system because it has many capabilities, is very flexible, and it is common to most of our desktop usage. Often, it seems to be far more complicated than is necessary. This complication makes analysis and diagnosis of virus threats time consuming and sometimes frustrating. Norton AntiVirus is my first choice for these prevention tools (because it is commonly used), but it is similarly complicated (as is Windows). Lots of times, I don't know what it is doing.
and now the log ...12-26-2005 Activities
--> DSL link is turned OFF
Have purchased and installed Spyware Doctor. It seems to have cleared the MSIE 'about:blank' hijack, but there are other problems. All were cleared except 6 or 7 'Command Service' registry settings that could not be cleared. This is similar to Spybot's 2 'Command Service' registry settings that it cannot clear.
Additional problems occur when operating, and subsequent scans will remove them except for some of the registry 'Command Service' entries. It looks like maybe these registry entries are setting up additional adware problems after they are cleared.
Ad-Aware SE found some problems and all were cleared.
2nd scan was clean.
--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---
Command Service: Settings (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService
Command Service: Settings (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService
Command Service: Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\cmdService
now run "C:\WINDOWS\regedit.exe" (very carefully not in Safe Mode yet)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\cmdService is not present
(removed by Spybot previously).
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService
has an 'Enum' entry with:
(Default), REG_SZ, (value not set)
0, REG_SZ, Root\LEGACY_CMDSERVICE\0000
Count, REG_DWORD, 0x00000001 (1)
NextInstance, REG_DWORD, 0x00000001 (1)
Trying to delete the 'cmdService' key results in:
Error Deleting Key - Cannot delete cmdService: Error while deleting key.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService
has an 'Enum' entry with:
(Default), REG_SZ, (value not set)
0, REG_SZ, Root\LEGACY_CMDSERVICE\0000
Count, REG_DWORD, 0x00000001 (1)
NextInstance, REG_DWORD, 0x00000001 (1)
Trying to delete the 'cmdService' key results in:
Error Deleting Key - Cannot delete cmdService: Error while deleting key.
Now I run a Spyware Doctor scan: (DSL is still OFF)
Scan Results:
scan start: 12/26/2005 11:18:59 AM
scan stop: 12/26/2005 11:35:48 AM
scanned items: 96444
found items: 7
found and ignored: 0
tools used: General Scanner, Process Scanner, Hosts scanner, LSP Scanner, Registry Scanner, Browser Defaults,
Favorites and ZoneMap Scanner, ActiveX Scanner, Browser Activity Scanner, Disk Scanner
Infection Name                    Location                                                         Risk
I-Search Desktop Search Toolbar   HKLM\SYSTEM\CurrentControlSet\Services\cmdService                Elevated
I-Search Desktop Search Toolbar   HKLM\SYSTEM\CurrentControlSet\Services\cmdService##              Elevated
I-Search Desktop Search Toolbar   HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Enum           Elevated
I-Search Desktop Search Toolbar   HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Enum##         Elevated
I-Search Desktop Search Toolbar   HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Enum##0        Elevated
I-Search Desktop Search Toolbar   HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Enum##Count    Elevated
I-Search Desktop Search Toolbar   HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Enum##NextInstance  Elevated
These infections were NOT reported 'fixed' by Spyware Doctor
now run "C:\WINDOWS\regedit.exe"
(I am assuming HKLM in the Spyware Doctor is "HKEY_LOCAL_MACHINE")
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\
are all present, but none have a cmdService key...???
now rebooting to Safe Mode - DSL has not been turned on yet
Ad-Aware SE scan is clean
Spybot scan is clean
Spyware Doctor quick scan is clean
now rebooting to Normal Mode - DSL has not been turned on yet
Slow to restart (after desktop shows), before task tray is populated.
Sound control in task tray is not present (should be). This has been intermittent in the past.
The ubiquitous Windows alert telling me to get automatic updates is also not present...???
Ad-Aware SE scan is clean
Spybot scan is clean
Spyware Doctor quick scan is clean
now turn DSL Gateway ON and run these tests again (no reboot)
Check e-mail. Got 5 spams, did not open, deleted each.
MSIE home page has NOT been hijacked. GOOD...
Logon at Short-Media to check for replies to '"computer is infested" becomes CoolWWWSearch'. There were none. Logoff.
DSL Gateway remains on and connected during these tests:
Ad-Aware SE scan is clean
Spybot scan is clean
Spyware Doctor quick scan is clean ...this is looking pretty good!
now restart Windows with DSL Gateway ON and run these tests again
check e-mail, no new messages.
Browse a little doing a simple search on Google. Home page is still good.
Ad-Aware SE scan is clean
Spybot scan is clean
Spyware Doctor quick scan is clean
Spyware Doctor full scan is clean
Norton AntiVirus full scan: (3 hours 30 minutes to complete)
Detected 9 Deleted 6 (none of these were likely to be accessible)
Six files deleted:
1. C:\Documents and Settings\Judi Hughen\Local Settings\Temporary Internet Files\Content.IE5\8TIN4TM7\1001[1].exe is a Dialer threat.
2. C:\RECYCLER\S-1-5-21-1220945662-179605362-725345543-1004\Dc1.dat is a Dialer threat
3. C:\WINDOWS\system32\removed from system32 2\popcorn72.exe is a Security risk threat
4. C:\WINDOWS\system32\removed from system32 2\upd633.exe is a Security risk threat.
5. C:\WINDOWS\system32\removed from system32 2\upd77.exe is a Security risk threat.
6. C:\WINDOWS\system32\removed from system32 2\winctrl64.exe is a Dialer threat.
Three files not deleted:
7. C:\JimsOldDriveImage\Program Files\GameSpy Arcade\Aphex.exe is an Adware threat.
8. C:\JimsOldDriveImage\Program Files\Army Operations\ArcadeInstallARMYOPS11c.EXE is an Adware threat.
9. C:\JimsOldDriveImage\Program Files\GameSpy Arcade\fpupdate.exe is an Adware threat.
Actions:
1-6 were deleted by Norton AntiVirus
"C:\WINDOWS\system32\removed from system32" manually created delete/restore folder deleted manually
"C:\WINDOWS\system32\removed from system32 2" manually created delete/restore folder deleted manually
7,9 C:\JimsOldDriveImage\Program Files\GameSpy Arcade\ old archive folder deleted manually
8 C:\JimsOldDriveImage\Program Files\Army Operations\ old archive folder deleted manually
restart Windows and with DSL Gateway ON and re-run scans:
Sound control is not in system tray...???
Ad-Aware SE scan is clean
Spybot scan is clean
Spyware Doctor quick scan is clean
Spyware Doctor full scan is clean
Norton AntiVirus full scan is clean
http://pandasoftware.com/activescan/activescan.asp
I get:
"The page cannot be displayed"
I will try again later.
http://pandasoftware.com/activescan/activescan.asp
It shows Spyware 4, Dialers 2, but hangs at 77,944 files scanned:
"MS Visual C++, Buffer Overrun detected... cannot continue"
Other scans run at the same time:
Ad-Aware SE - Clean
Spyware Doctor - Clean
Spybot - Clean
I ran Panda Active Scan from:
http://www.pandasoftware.com/products/activescan.htm