Logfile of HijackThis v1.99.1
Scan saved at 05:30:10, on 21/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Ad-Aware SE Personal
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader 6.0
Adobe Stock Photos 1.0
a-squared Free 2.0
avast! Antivirus
CDBurnerXP Pro 3
cis
DAEMON Tools
daw CD Suite
HijackThis 1.99.1
HTMLProtector
HyperCam 2
iTunes
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 8
Macromedia Flash Player 8
Microsoft Office 2003 Resource Kit
Microsoft Office FrontPage 2003
Microsoft Office OneNote 2003
Microsoft Office Professional Edition 2003
Microsoft Office Project Professional 2003
Microsoft Office Visio Professional 2003
MiraScan V4.03
MSN Messenger 7.5
Nokia Connectivity Cable Driver
Nokia PC Suite 6.1
NVIDIA Drivers
PhotoNow! 1.0
QuickTime
RealPlayer
Realtek AC'97 Audio
Sage Instant Accounts V12.00
ScanButton 3.0
Sothink DHTMLMenu
Sothink SWF Decompiler
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
SWFText
SwiftSwitch
TeamSpeak 2 RC2
Total Video Converter 2.33
Windows Media Format Runtime
Windows Media Player 10
Windows XP Service Pack 2
WinRAR archiver
ZoneAlarm
version 2.19 off trend micro my search wont work as it is another problem i have and not opening windows when right click a link or sumthing but have posted on other post
Follow the prompts. Make sure that Launch Ewido is checked.
On the main screen under Your Computer's security.
Click on Change state next to Resident shield. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update succesfull message. Note: If the Update now option is grayed out, follow the steps below.
Click on Update on the toolbar.
Under Manual update, click on the Start Update button.
Wait until you see the Update succesfull message.
Right-click the Ewido Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido. Ewido manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that Ewido is closed before installing the update.
Reboot your computer in Safe Mode.
If the computer is running, shut down Windows, and then turn off the power.
Wait 30 seconds, and then turn the computer on.
Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
Ensure that the Safe Mode option is selected.
Press Enter. The computer then begins to start in Safe mode.
Login on your usual account.
Once in Safe Mode:
Close ALL open Windows / Programs / Folders. Please start Ewido and run a full scan.
Click on Scanner on the toolbar.
Click on the Settings tab.
Under How to act?
Click on Recommended Action and choose Quarantine from the popup menu.
Under How to scan?
All checkboxes should be ticked.
Under Possibly unwanted software:
All checkboxes should be ticked.
Under Reports:
Select Automatically generate report after every scan and uncheck Only if threats were found.
Under What to scan?
Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below. IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
Make sure that Set all elements to: shows Quarantine(1), if not click on the link and choose Quarantine from the popup menu. (2)
At the bottom of the window click on the Apply all Actions button. (3)
When done, click the Save Scan Report button.
Click the Save Report as button.
Save the report to your Desktop.
Right-click the Ewido Tray Icon and select Exit. Confirm by clicking Yes.
You will be promted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)
Scan Options:
Scan Archives
Scan Mail Bases
[*]Click OK
[*]Now under select a target to scan:
Select
My Computer
[*]This will program will start and scan your system.
[*]The scan will take a while so be patient and let it run.
[*]Once the scan is complete it will display if your system has been infected.
im doin scan with Kaspersky atm ewido found nothing but cookies an i fixed the search an links that were not opening by typein
this 1 regsvr32 urlmon.dll and this 1 regsvr32 Shdocvw.dll
To resolve this problem in Internet Explorer, follow these steps: 1. Quit all programs that are running.
2. Click Start, and then click Run.
3. Type regsvr32 urlmon.dll, and then click OK.
4. When you receive the "DllRegisterServer in urlmon.dll succeeded" message, click OK.
If this does not resolve the problem, repeat steps 2 through 4 for each of the following files (in step 3, replace Urlmon.dll with each of the file names below):
• Shdocvw.dll
• Actxprxy.dll
• Oleaut32.dll
• Mshtml.dll
• Browseui.dll
• Shell32.dll
Comments
Also, I would like to see another log from HijackThis.
Scan saved at 05:30:10, on 21/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Anthony\LOCALS~1\Temp\Rar$EX00.422\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O4 - HKLM\..\Run: [NVRTCLK] C:\WINDOWS\System32\NVRTCLK\NVRTClk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1142949271155
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1142949259640
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CCA846B8-1C5B-48EB-BC57-4B85CB22DEEE}: NameServer = 192.168.2.1
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader 6.0
Adobe Stock Photos 1.0
a-squared Free 2.0
avast! Antivirus
CDBurnerXP Pro 3
cis
DAEMON Tools
daw CD Suite
HijackThis 1.99.1
HTMLProtector
HyperCam 2
iTunes
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 8
Macromedia Flash Player 8
Microsoft Office 2003 Resource Kit
Microsoft Office FrontPage 2003
Microsoft Office OneNote 2003
Microsoft Office Professional Edition 2003
Microsoft Office Project Professional 2003
Microsoft Office Visio Professional 2003
MiraScan V4.03
MSN Messenger 7.5
Nokia Connectivity Cable Driver
Nokia PC Suite 6.1
NVIDIA Drivers
PhotoNow! 1.0
QuickTime
RealPlayer
Realtek AC'97 Audio
Sage Instant Accounts V12.00
ScanButton 3.0
Sothink DHTMLMenu
Sothink SWF Decompiler
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
SWFText
SwiftSwitch
TeamSpeak 2 RC2
Total Video Converter 2.33
Windows Media Format Runtime
Windows Media Player 10
Windows XP Service Pack 2
WinRAR archiver
ZoneAlarm
Current filename: C:\WINDOWS\system32\ctfmon.exe
Database status: Not required - virus, spyware, malware or other resource hog
Value: ctfmon.exe
Filename: ctfmon32.exe
Description
_CoolWebSearch_ parasite related - hijacking to Slawsearch.com
Source: Paul Collins Startup list
____________________
J2SE Runtime Environment 5.0 Update 6
=====
First, your HijackThis log is clean.
Your right that ctfmon32.exe is related to CoolWebSearch, however it hasn't been seen for a long time.
It seems to me that Spybot is showing a False Positive. As you can see, the file is actually ctfmon.exe, which is the legit file.
What version of CWShredder did you run?
Do a search for ctfmon32.exe, and tell me if you find it.
You may wish to Print or Save the following instructions, as the internet will not be available once in Safe Mode!
Please download Ewido to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
- Install Ewido by double clicking the installer.
- Follow the prompts. Make sure that Launch Ewido is checked.
- On the main screen under Your Computer's security.
- Click on Change state next to Resident shield. It should now change to inactive.
- Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
- Wait until you see the Update succesfull message.
- Click on Update on the toolbar.
- Under Manual update, click on the Start Update button.
- Wait until you see the Update succesfull message.
- Right-click the Ewido Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.Note: If the Update now option is grayed out, follow the steps below.
Ewido manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that Ewido is closed before installing the update.
Reboot your computer in Safe Mode.
- If the computer is running, shut down Windows, and then turn off the power.
- Wait 30 seconds, and then turn the computer on.
- Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
- Ensure that the Safe Mode option is selected.
- Press Enter. The computer then begins to start in Safe mode.
- Login on your usual account.
Once in Safe Mode:Close ALL open Windows / Programs / Folders. Please start Ewido and run a full scan.
- Click on Scanner on the toolbar.
- Click on the Settings tab.
- Under How to act?
- Click on Recommended Action and choose Quarantine from the popup menu.
- Under How to scan?
- All checkboxes should be ticked.
- Under Possibly unwanted software:
- All checkboxes should be ticked.
- Under Reports:
- Select Automatically generate report after every scan and uncheck Only if threats were found.
- Under What to scan?
- Select Scan every file.
- Click on the Scan tab.
- Click on Complete System Scan to start the scan process.
- Let the program scan the machine.
- When the scan has finished, follow the instructions below.
- Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
- At the bottom of the window click on the Apply all Actions button. (3)
- When done, click the Save Scan Report button.
- Click the Save Report as button.
- Save the report to your Desktop.
- Right-click the Ewido Tray Icon and select Exit. Confirm by clicking Yes.
=====Reboot back into Normal Mode=====IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
Please do an online scan with Kaspersky WebScanner
Click on Kaspersky Online Scanner
You will be promted to install an ActiveX component from Kaspersky, Click Yes.
Extended (if available otherwise Standard)
Scan Archives
Scan Mail Bases
[*]Click OK
[*]Now under select a target to scan:
Select
My Computer[*]This will program will start and scan your system.
[*]The scan will take a while so be patient and let it run.
[*]Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button:
[*]Save the file to your desktop.=====
Please post the following...
1) Ewido log
2) Kaspersky log
this 1 regsvr32 urlmon.dll and this 1 regsvr32 Shdocvw.dll
To resolve this problem in Internet Explorer, follow these steps: 1. Quit all programs that are running.
2. Click Start, and then click Run.
3. Type regsvr32 urlmon.dll, and then click OK.
4. When you receive the "DllRegisterServer in urlmon.dll succeeded" message, click OK.
If this does not resolve the problem, repeat steps 2 through 4 for each of the following files (in step 3, replace Urlmon.dll with each of the file names below):
• Shdocvw.dll
• Actxprxy.dll
• Oleaut32.dll
• Mshtml.dll
• Browseui.dll
• Shell32.dll
thanks for all the help
I'm glad you got the other problem sorted, and thanks for the fix.