It's got me again. This time it's CWS - EyesOnly
EyesOnly
Sweden New
I'm just starting to recover from a hard drive crash (more info will come in another thread) but now it seems I got spyware as well. I tried very hard to make sure I had all security programs installed before I got internet but I must have done something wrong. This is very irritating since I rarely even use IE.
Oh well, here's what's wrong. Ad-Aware finds only tracking cookies and some MRU, so nothing to worry about there. Spybot however finds CoolWebSearch components but can't remove them. It says I should reboot since it might still be in memory. When I did, it still found them. CWShredder finds none of that, though it keeps asking me if I want to delete notepad.exe. But why would I want that? It's an MS app, for crying out loud.
So please help me with this. Here's my log:
Logfile of HijackThis v1.99.1
Scan saved at 16:00:08, on 2005-06-05
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
E:\Program\Sygate\SPF\smc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
E:\Program\APC\APC PowerChute Personal Edition\mainserv.exe
E:\Program\Grisoft\AVGFRE~1\avgamsvr.exe
E:\Program\Grisoft\AVGFRE~1\avgupsvc.exe
E:\Folding @ Home\FAH502-Console.exe
C:\WINDOWS\system32\Smartscaps.exe
E:\Folding @ Home\FahCore_65.exe
C:\ASUS\Probe\AsusProb.exe
E:\Program\Grisoft\AVGFRE~1\avgcc.exe
E:\Program\Grisoft\AVGFRE~1\avgemc.exe
E:\Program\HP\hpcoretech\hpcmpmgr.exe
E:\Program\Java\jre1.5.0_01\bin\jusched.exe
E:\Program\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
E:\Program\MSN Messenger\MsnMsgr.Exe
E:\Program\framxpro\FreeRAM XP Pro 1.40.exe
E:\Program\SmartTrust\SmartTrust Personal\Csp\SmartCertmover.exe
E:\Program\JetToolBar\JetTB.exe
E:\Program\Logitech\SetPoint\KEM.exe
E:\Program\Personal\bin\Personal.exe
E:\Program\APC\APC PowerChute Personal Edition\apcsystray.exe
E:\EMIII\EMIII.exe
E:\Program\Logitech\SetPoint\KHALMNPR.EXE
E:\Program\DC++\DCPlusPlus.exe
E:\Program\Mozilla Firefox\firefox.exe
E:\Program\RegSupreme Pro\RegSupremePro.exe
E:\Spyware apps\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - E:\Program\FreshDevices\FreshDownload\fdcatch.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [LogitechVideoRepair] E:\Program\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [ASUS Probe] C:\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [AVG7_CC] E:\Program\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] E:\Program\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [HP Component Manager] "E:\Program\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [SmcService] E:\Program\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] E:\Program\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [FreeRAM XP] "E:\Program\framxpro\FreeRAM XP Pro 1.40.exe" -win
O4 - Startup: Electron Microscope.lnk = E:\EMIII\EMIII.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Certificate Mover.lnk = ?
O4 - Global Startup: jetToolBar.lnk = E:\Program\JetToolBar\JetTB.exe
O4 - Global Startup: Logitech SetPoint.lnk = E:\Program\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Personal.lnk = E:\Program\Personal\bin\Personal.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program\Messenger\msmsgs.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O23 - Service: APC UPS Service - American Power Conversion Corporation - E:\Program\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\Program\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\Program\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: FAH@E:+Folding @ Home+FAH502-Console.exe - Stanford University - E:\Folding @ Home\FAH502-Console.exe
O23 - Service: SmartTrust Smart Card Server (Smartscaps) - SmartTrust - C:\WINDOWS\system32\Smartscaps.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - E:\Program\Sygate\SPF\smc.exe
This discussion has been closed.
Comments
Here's what Spybot says about the 3 entries it finds. I've run SpywareShooter now. So how do I fix this?
CoolWWWSearch.Toolband: Trusted Site (Registerändring, fixing failed)
HKEY_USERS\S-1-5-21-1757981266-746137067-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\isprime.com\*!=W=4
CoolWWWSearch.Leftovers: Trusted Site (Registerändring, fixing failed)
HKEY_USERS\S-1-5-21-1757981266-746137067-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\greatplugin.com\*!=W=4
CoolWWWSearch.Mupdate: Trusted Site (Registerändring, fixing failed)
HKEY_USERS\S-1-5-21-1757981266-746137067-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\masspass.com\*!=W=4
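The three Spybot entries above are Internet Explorer ZoneMap values: under `Internet Settings\ZoneMap\Domains` each domain key holds one DWORD per scheme (or `*`) naming the security zone that domain is placed in, which is how CWS quietly changes how IE treats its sites. As an added example (not from the thread and not Spybot's code), the Python script below parses a regedit `.reg` export of that key and flags every domain mapping not on an allowlist; the export text is constructed here, and it assumes a real export has already been decoded from UTF-16LE to text.

```python
import re

# Sample .reg export, constructed for this example (not taken from the thread).
# Real regedit exports are UTF-16LE; decode them before passing the text in.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\isprime.com]
"*"=dword:00000004
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\corp.example\intranet]
"http"=dword:00000001
"https"=dword:00000001
"""

# URLZONE ids stored as DWORD data under ZoneMap\Domains\<domain>[\<host>]\<scheme>
ZONE_NAMES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}
MARKER = "\\ZoneMap\\Domains\\"
KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{1,8})$')


def parse_zonemap(reg_text):
    """Return (host, scheme, zone_id) tuples for every ZoneMap domain entry."""
    entries, host = [], None
    for line in (raw.strip() for raw in reg_text.splitlines()):
        key = KEY_RE.match(line)
        if key:
            path = key.group(1)
            i = path.find(MARKER)
            host = None
            if i != -1:
                # sub-key order is "example.com\www"; rebuild as "www.example.com"
                parts = path[i + len(MARKER):].split("\\")
                host = ".".join(reversed(parts))
            continue
        val = VAL_RE.match(line)
        if host and val:
            entries.append((host, val.group(1), int(val.group(2), 16)))
    return entries


def audit_zonemap(reg_text, allowlist=()):
    """Flag every domain mapping not on the allowlist, with a readable zone name."""
    allowed = {h.lower() for h in allowlist}
    return [f"{host} ({scheme}) -> {ZONE_NAMES.get(zone, f'zone {zone}')}"
            for host, scheme, zone in parse_zonemap(reg_text)
            if host.lower() not in allowed]


if __name__ == "__main__":
    for finding in audit_zonemap(SAMPLE_REG, allowlist=["intranet.corp.example"]):
        print("unexpected ZoneMap entry:", finding)
```

Export the key with `regedit /e` (both HKCU and the HKEY_USERS\S-1-5-... path Spybot reports resolve to the same user hive) and feed the decoded text in; any host you did not add yourself is worth a look.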
That fixed it. Thanks for the help. Let's hope something like this doesn't happen again. I've not heard a single good thing about CWS, so I really don't want it on my PC.