Please help. I may have been hijacked!
z00mer
Posts: 94
Location: U.S.A.
PostPosted: Thu, 4th May 2006 20:21    Post subject: Please help. I may have been hijacked!
Every time I try to go online my PG2 blocks something called CWS Exploits. I've found out that it is a CoolWebSearch! spyware hijacker. I ran Spybot, Microsoft AntiSpyware, Ad-Aware, Webroot Spysweeper and nothing seems to get rid of it. I even ran CWShredder and that didn't detect or correct the problem either. The only way I can surf the web is to disable PG2 or run in Linux.

I ran HijackThis and here is the logfile:

Logfile of HijackThis v1.99.1
Scan saved at 1:06:14 PM, on 5/4/2006
Platform: Windows 2003 SP1 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP1 (6.00.3790.1830)

Running processes:
C:\Program Files (x86)\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files (x86)\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\WINDOWS\SysWOW64\rundll32.exe
C:\Program Files (x86)\Common Files\AOL\1144872244\ee\aolsoftware.exe
C:\Program Files (x86)\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files (x86)\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files (x86)\DAEMON Tools\daemon.exe
C:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\iPod\bin\iPodService.exe
C:\Program Files (x86)\AGEIA Technologies\TrayIcon.exe
C:\Program Files (x86)\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files (x86)\Microsoft AntiSpyware\gcasDtServ.exe
E:\Downloads\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://peerguardian.sourceforge.net/genuine.html
F2 - REG:system.ini: UserInit=userinit
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files (x86)\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files (x86)\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME (x86)\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\SysWow64\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\SysWow64\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [HostManager] "C:\Program Files (x86)\Common Files\AOL\1144872244\ee\AOLSoftware.exe"
O4 - HKLM\..\Run: [AGEIA PhysX SysTray] "C:\Program Files (x86)\AGEIA Technologies\TrayIcon.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files (x86)\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [Aim6] "C:\Program Files (x86)\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~2\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~2\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} (MALPlaybackCtrl Class) - http://musicstore.connect.com/XSL/mb_us/html/activexplayer/SMALStreaming.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1139521708515
O17 - HKLM\System\CCS\Services\Tcpip\..\{07ED556A-60E2-4FAA-8048-42140BD1AB3C}: NameServer = 85.255.114.4,85.255.112.137
O17 - HKLM\System\CCS\Services\Tcpip\..\{9915D2B5-D441-4A6F-B3C5-39A2D13997FB}: NameServer = 85.255.114.4,85.255.112.137
O17 - HKLM\System\CCS\Services\Tcpip\..\{9D1935E4-CAD7-43D1-864A-E37C4931A0A8}: NameServer = 85.255.114.4,85.255.112.137
O17 - HKLM\System\CCS\Services\Tcpip\..\{DFF533D7-4CBA-43E1-8175-ABDA32A816DB}: NameServer = 85.255.114.4,85.255.112.137
O17 - HKLM\System\CS1\Services\Tcpip\..\{07ED556A-60E2-4FAA-8048-42140BD1AB3C}: NameServer = 85.255.114.4,85.255.112.137
O17 - HKLM\System\CS2\Services\Tcpip\..\{07ED556A-60E2-4FAA-8048-42140BD1AB3C}: NameServer = 85.255.114.4,85.255.112.137
O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll
O20 - Winlogon Notify: EFS - C:\WINDOWS\SYSTEM32\sclgntfy.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files (x86)\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe (file missing)
O23 - Service: Ipintnkmsvi - Unknown owner - (no file)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files (x86)\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files (x86)\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing)
O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\system32\nvsvc64.exe (file missing)
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files (x86)\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files (x86)\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files (x86)\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)

I'm running Windows XP Professional x64 and use the Firefox browser mostly, though IE cannot get on the web either unless I disable PG2. I deleted cookies and my internet cache and that did nothing. I also uninstalled and reinstalled the 64-bit PG2 and it still detects CWS Exploits. What other programs can I use? Ones that I've been recommended I have to pay for.

Please someone help me!
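The log above shows every network interface, in the current control set and both backups, pointing at 85.255.114.4 and 85.255.112.137 rather than the router or ISP resolver; the 85.255.112.0/20 block those addresses sit in was later among the rogue resolver ranges published in the FBI's 2011 DNSChanger takedown. Checking O17 NameServer values against private ranges is the first triage step, and a second one is separating services with no file at all ("(no file)") from the "(file missing)" noise a 32-bit HijackThis produces on x64 Windows, where WOW64 redirection hides the 64-bit System32. The following is an added example in Python, not code from the post or from HijackThis; its sample log reuses O17/O23 lines from the post plus two constructed ones (the 192.168.1.1 interface and an "Example Updater" service), and it assumes the Windows directory is \WINDOWS as in the log.

```python
"""Triage a HijackThis 1.x log for DNS hijacks and phantom services.

Added example, not code from the forum post or from HijackThis. SAMPLE_LOG is
constructed: most lines are copied from the log in the post; the two marked
constructed below are hand-made so that every code path is exercised."""
import ipaddress
import re
from dataclasses import dataclass

# NameServer values in these ranges are what a home router or corporate resolver
# hands out. A public address written straight into the per-interface Tcpip key
# (the O17 section) is the classic DNS-hijack pattern and must be explained.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<cs>CCS|CS\d+)\\Services\\Tcpip\\\.\.\\"
    r"\{(?P<guid>[0-9A-Fa-f-]+)\}: NameServer = (?P<servers>.+)$"
)
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# Assumes the Windows directory is \WINDOWS as in the log above (\WINNT installs differ).
SYSTEM32_RE = re.compile(r"^[A-Za-z]:\\WINDOWS\\System32\\", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    kind: str
    detail: str


def external_nameservers(servers: str) -> list[str]:
    """Entries of a comma-separated NameServer value outside TRUSTED_NETS;
    anything that is not an IP address at all is returned too."""
    flagged = []
    for entry in servers.split(","):
        entry = entry.strip()
        if not entry:
            continue
        try:
            addr = ipaddress.ip_address(entry)
        except ValueError:
            flagged.append(entry)
            continue
        if not any(addr in net for net in TRUSTED_NETS):
            flagged.append(entry)
    return flagged


def triage(log_text: str) -> list[Finding]:
    """Scan O17 and O23 lines. Service findings come back in log order, then one
    finding per external name server, sorted by address string."""
    # A 32-bit HijackThis on x64 Windows reads System32 through WOW64 file-system
    # redirection, so native 64-bit binaries such as lsass.exe are reported as
    # "(file missing)" with "Unknown owner". That is noise. "(no file)" (no
    # ImagePath at all) and missing files outside System32 are the real signal.
    is_x64 = "SysWOW64" in log_text or "Program Files (x86)" in log_text
    findings: list[Finding] = []
    seen_on: dict[str, set[str]] = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O17_RE.match(line)
        if m:
            for ip in external_nameservers(m["servers"]):
                seen_on.setdefault(ip, set()).add(m["cs"] + "\\{" + m["guid"] + "}")
            continue
        m = O23_RE.match(line)
        if not m:
            continue
        path = m["path"]
        if path == "(no file)":
            findings.append(Finding("phantom_service", m["name"]))
        elif path.endswith("(file missing)"):
            real = path[: -len("(file missing)")].strip()
            if is_x64 and SYSTEM32_RE.match(real):
                findings.append(Finding("wow64_redirect_noise", m["name"]))
            else:
                findings.append(Finding("file_missing", m["name"] + " -> " + real))
    for ip in sorted(seen_on):
        findings.append(Finding("external_nameserver",
                                "%s on %d interface/control-set entries" % (ip, len(seen_on[ip]))))
    return findings


SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{07ED556A-60E2-4FAA-8048-42140BD1AB3C}: NameServer = 85.255.114.4,85.255.112.137
O17 - HKLM\System\CCS\Services\Tcpip\..\{9915D2B5-D441-4A6F-B3C5-39A2D13997FB}: NameServer = 85.255.114.4,85.255.112.137
O17 - HKLM\System\CS1\Services\Tcpip\..\{07ED556A-60E2-4FAA-8048-42140BD1AB3C}: NameServer = 85.255.114.4,85.255.112.137
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000001}: NameServer = 192.168.1.1
O23 - Service: Ipintnkmsvi - Unknown owner - (no file)
O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Example Updater (exupd) - Unknown owner - C:\Program Files (x86)\Example\exupd.exe (file missing)
"""
# Constructed lines: the 192.168.1.1 interface and the "Example Updater" service.

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.kind, "|", f.detail)
```

Against a real log the thing to look for is the same public addresses repeated across every interface GUID and control set, as here: that is a system-wide resolver change, and reverting a browser or a single Run key does nothing about it. The "Net Logon" entry is deliberately classified as WOW64 noise so that the one service with no ImagePath at all, "Ipintnkmsvi", stands out on its own.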
nerrd
Posts: 3607
Location: Poland / USA
PostPosted: Thu, 4th May 2006 21:19
Just an idea. Run your spyware cleaners in safe mode. If you tried that already, then nvm.
ToCS
Posts: 433
Location: -USA-
PostPosted: Fri, 5th May 2006 03:58
Try looking for vundofix.exe. If I'm thinking right, what you have is a Java exploit/virus... I can't remember, but it sounds a lot like a problem I had with CWS.
skidrow
Moderator
Posts: 8691
PostPosted: Fri, 5th May 2006 11:24
Also a tip (if System Restore is on).

When dealing with hard-to-remove adware/viruses, try disabling System Restore while you remove them. When you have finished scanning and removing them, turn Restore back on.
z00mer
Posts: 94
Location: U.S.A.
PostPosted: Sat, 6th May 2006 04:56
Tried spyware cleaners in safe mode; didn't work. Tried vundofix.exe and that didn't work. Tried with System Restore off, but they still don't find anything since I first initially ran the scan on Wednesday night.

Is there anything else I can do? I've never had a spyware problem as bad as this before.
z00mer
Posts: 94
Location: U.S.A.
PostPosted: Sat, 6th May 2006 08:15
OK, I seem to have fixed it for now. I did a System Restore to Monday while in safe mode. I really hope I don't have that CWS Exploits show up again.
indiana
Posts: 298
PostPosted: Mon, 8th May 2006 00:55
Format.

And then properly secure your machine the next time. It's not that hard and you don't even need to run another browser (although that always helps).

Oh, and does that PhysX card work? I didn't think any games supported it?
All times are GMT + 1 Hour
NFOHump.com Forum Index - Applications