CWS has got to be one of the most cunning and malicious of all trojans in my view. Here are some examples of the lengths they go to, and I wanted to add that even HijackThis cannot touch some CWS trojans in some cases. Like this variant:
CWS.Realyellowpage -
Log reference: (not visible in HijackThis log)
Symptoms: IE pages changed to real-yellow-page.com, drxcount.biz, list2004.com or linklist.cc; hijack inexplicably returning on reboot with no file seemingly responsible
Manual removal difficulty: Battle axe or chainsaw recommended
This variant is a nightmare. If you come across an infected machine that keeps changing back to the aforementioned sites over and over again for no visible reason, you've probably seen this one. It's as if whoever is responsible for this hired a blackhat coder and told him to make the most complex, invisible and devious hijacker he could think of. And he did.
The file is randomly named and normally hooks into the IE process, loading itself as a module (a DLL) inside it. It then hides its host process from the process list. Yes, you read that right: the process hosting the DLL disappears from the task list and from most process viewers/managers. That is why the hijack keeps coming back with nothing in the HijackThis log to account for it.
CWS.Msspi -
Symptoms: Popups with 'enhanced results' when doing searches on Google, Yahoo and Altavista
Cleverness: 9/10
Manual removal difficulty: Impossible, I kid you not
Users started reporting that when they went to Google, Yahoo or Altavista to search for something, popups appeared that (most of the time) advertised bogus 'enhanced results'. This was the one and only symptom.
After looking over the logs, it was quickly concluded that the msspi.dll file was to blame. One expert took the file apart and found several key URLs that were monitored, and when he changed them to bogus URLs the popups were gone. However, the file hooked into the Winsock LSP chain, which lies very deep in the bowels of Windows and is one of the hardest parts of Windows to manipulate safely: the catalog entries in the chain still reference the DLL after it is deleted, so every program that opens a socket then fails. Only a very small selection of spyware used this method of infection, and incorrect removal left a computer with a broken Internet connection that could not be fixed even by reinstalling Windows.
Luckily there was one tool that could fix a broken Internet connection caused by this problem. LSPFix was the one used most, since it allows direct editing of the LSP chain (removing the bad entry and repairing the rest of the chain) rather than just deleting the file:
http://www.cexx.org/lspfix.zip
I could go on forever naming the various variants and their effects, but this isn't helping you remove it, so instead I will list all the known entries related to CoolWebSearch that will show up in HijackThis logs. I advise using the "Fix checked" button in safe mode for any you have in yours. (Note: this is going to be a long list, so make a drink and prepare for battle.)
O19 - User stylesheet: c:\windows\my.css
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yourbookmarks.ws/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchxp.com/search.php?qq=%s
O1 - Hosts: 1123694712 auto.search.msn.com
O4 - HKLM\..\Run: [sysPnP] C:\WINNT\System32\bootconf.exe
O19 - User stylesheet: C:\WINNT\default.css
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.coolwwwsearch.com/z/b/x1.cgi?100 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.jetseeker.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.coolwwwsearch.com/z/c/x1.cgi?100 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.coolwwwsearch.com/z/a/x1.cgi?100 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchv.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.jetseeker.com/ffeed.php?term=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://search.xrenoder.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://search.xrenoder.com
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.coolwwwsearch.com/z/b/x1.cgi?656387 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.allhyperlinks.com/redir?lang={S...201058341631385
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.coolwwwsearch.com/z/a/x1.cgi?656387 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.coolwwwsearch.com/z/b/x1.cgi?656387 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.allhyperlinks.com/redir?lang={S...201058341631385
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://stopxxxpics.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.allhyperlinks.com/redir?lang={S...201058341631385
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.allhyperlinks.com/redir?lang={S...201058341631385
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.allhyperlinks.com/redir?lang={S...201058341631385
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.coolwwwsearch.com/z/a/x1.cgi?656387 (obfuscated)
O1 - Hosts: 1123694712 auto.search.msn.com
O4 - HKLM\..\Run: [sysPnP] C:\WINNT\System32\bootconf.exe
O15 - Trusted Zone: *.coolwwwsearch.com
O15 - Trusted Zone: *.msn.com
O19 - User stylesheet: C:\WINDOWS\Web\oslogo.bmp
O10 - Unknown file in Winsock LSP: c:\windows\system32\msspi.dll
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://vrape.hardloved.com/top/search.php?id=2&s=
R1 - HKCU\Software\Microsoft\Internet Explorer,Search Page = http://vrape.hardloved.com/top/search.php?id=2&s=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://vrape.hardloved.com/top/search.php?id=2&s=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://vrape.hardloved.com/top/search.php?id=2&s=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://vrape.hardloved.com/top/search.php?id=2&s=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://vrape.hardloved.com/top/search.php?id=2&s=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://vrape.hardloved.com/top/search.php?id=2&s=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://vrape.hardloved.com/top/search.php?id=2&s=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://vrape.hardloved.com/top/search.php?id=2&s=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://vrape.hardloved.com/top/search.php?id=2&s=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://vrape.hardloved.com/top/search.php?id=2&s=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://vrape.hardloved.com/top/search.php?id=2&s=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://vrape.hardloved.com/top/search.php?id=2&s=
O1 - Hosts: 65.77.83.222 thehun.com
O1 - Hosts: 65.77.83.222 thehun.net
O1 - Hosts: 65.77.83.222 madthumbs.com
O1 - Hosts: 65.77.83.222 worldsex.com
O1 - Hosts: 65.77.83.222 teeniefiles.com
O1 - Hosts: 65.77.83.222 al4a.com
O1 - Hosts: 65.77.83.222 sublimedirectory.com
O1 - Hosts: 65.77.83.222 thumbzilla.com
O1 - Hosts: 65.77.83.222 sexocean.com
O1 - Hosts: 65.77.83.222 easypic.com
O1 - Hosts: 65.77.83.222 absolut-series.com
O1 - Hosts: 65.77.83.222 jpeg4free.com
O1 - Hosts: 65.77.83.222 thumbnailpost.com
O13 - DefaultPrefix: http://vrape.hardloved.com/top/search.php?id=2&s=
O13 - WWW Prefix: http://vrape.hardloved.com/top/search.php?id=2&s=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.allhyperlinks.com/redir?lang={SUB_RFC1766}
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.allhyperlinks.com/redir?lang={SUB_RFC1766}
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.allhyperlinks.com/redir?lang={SUB_RFC1766}
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.allhyperlinks.com/redir?lang={SUB_RFC1766}
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.adulthyperlinks.com/favorites/8
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.allhyperlinks.com/redir?lang={SUB_RFC1766}
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.allhyperlinks.com/redir?lang={SUB_RFC1766}
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.allhyperlinks.com/redir?lang={SUB_RFC1766}
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.allhyperlinks.com/redir?lang={SUB_RFC1766}
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.allhyperlinks.com/redir?lang={SUB_RFC1766}
O4 - HKLM\..\Run: [SysPnP] rundll32 setupapi,InstallHinfSection OemVideoPnP 128 oemsyspnp.inf
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.slawsearch.com
O4 - HKLM\..\Run: [svchost.exe] "C:\WINDOWS\SYSTEM\svchost32.exe"
(the seemingly unsuspicious filename 'svchost32.exe' is chosen to look like the Windows system file 'svchost.exe')
R3 - URLSearchHook: MailTo Class - {01A9EB7D-69BC-11D2-AB2F-204C4F4F5020} - C:\WINDOWS\System32\dnsrelay.dll
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://out.true-counter.com/b/?101 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://out.true-counter.com/a/?101 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://out.true-counter.com/b/?101 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://out.true-counter.com/c/?101 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://out.true-counter.com/b/?101 (obfuscated)
F1 - win.ini: run=C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSINFO\msinfo.exe
F1 - win.ini: run=msinfo.exe
O4 - HKLM\..\Run: [Internat Conf] \bootconf.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.slawsearch.com/autosearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.slawsearch.com/autosearch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.slawsearch.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.slawsearch.com/autosearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = javascript:window.close()
O4 - HKLM\..\Run: [CTFMON32.EXE] "C:\WINDOWS\System32\ctfmon32.exe"
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://acc.count-all.com/--/?oaoca (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://acc.count-all.com/---/?oaoca (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://acc.count-all.com/--/?oaoca (obfuscated)
F1 - win.ini: run=C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSINFO\info32.exe
O1 - Hosts: 3510794918 auto.search.msn.com
O4 - HKLM\..\Run: [Tapicfg.exe] C:\WINDOWS\SYSTEM\tapicfg.exe
O19 - User stylesheet: C:\WINDOWS\Web\win.def
O19 - User stylesheet: C:\WINDOWS\default.css
Running processes:
C:\WINDOWS\System32\SVCINIT.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http:///
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http:///
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http:////
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://xwebsearch.biz
F1 - win.ini: run=C:\WINDOWS\svcinit.exe
O4 - HKLM\..\RunServices: [SVC Service] C:\WINDOWS\SYSTEM\svcinit.exe
O4 - HKLM\..\Run: [mssys] C:\WINDOWS\mssys.exe
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon]
UserInit=C:\WINNT\System32\userinit.exe,C:\WINNT\System32\svcinit.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchdot.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchdot.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.searchdot.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchdot.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchdot.net
O4 - HKLM\..\Run: [Msoffice] C:\WINDOWS\Fonts\msoffice.hta
O4 - HKCU\..\Run: [Msoffice] C:\WINDOWS\Fonts\msoffice.hta
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http:///
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http:///
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http:///
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://xwebsearch.biz/
O1 - Hosts: 213.159.117.233 sitefinder.verisign.com
O2 - BHO: HTML Source Editor - {086AE192-23A6-48D6-96EC-715F53797E85} - C:\WINDOWS\System32\DReplace.dll
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchv.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchv.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchv.com/search.html
F0 - system.ini: Shell=explorer.exe mupdate.exe
F1 - win.ini: run=mupdate.exe
F2 - REG:system.ini: Shell=explorer.exe mupdate.exe
O1 - Hosts: 209.66.114.130 sitefinder.verisign.com
O4 - HKLM\..\Run: [sys] regedit -s sys.reg
O15 - Trusted Zone: *.masspass.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.rightfinder.net/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rightfinder.net/hp/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.rightfinder.net/search/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.rightfinder.net/search/
O4 - HKCU\..\Run: [AddClass] C:\WINDOWS\TEMP\ADDCLASS.EXE
O13 - DefaultPrefix: http://ehttp.cc/?
O13 - WWW Prefix: http://ehttp.cc/?
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.idgsearch.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.idgsearch.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.idgsearch.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.idgsearch.com/
O2 - BHO: GoogleMS Search Helper - {79369D5C-2903-4b7a-ADE2-D5E0DEE14D24} - C:\Documents and Settings\[username]\Application Data\GoogleMS.dll
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.alfa-search.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.alfa-search.com/home.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.alfa-search.com/home.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.alfa-search.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.alfa-search.com/search.html
O4 - Global Startup: MSupdate.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie-search.com/srchasst.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie-search.com/home.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\windows\hp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie-search.com/home.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie-search.com/srchasst.html (obfuscated)
O1 - Hosts: 206.161.200.105 auto.search.msn.com
O1 - Hosts: 206.161.200.105 sitefinder.verisign.com
O1 - Hosts: 206.161.200.105 sitefinder-idn.verisign.com
O1 - Hosts: 206.161.200.103 www.smutserver.com
O1 - Hosts: 206.161.200.103 www1.smutserver.com
O1 - Hosts: 206.161.200.103 www2.smutserver.com
[...]
O1 - Hosts: 206.161.200.103 www29.smutserver.com
O4 - HKLM\..\Run: [Windows Shell Library Loader] load shell.dll /c /set -- by windows setup --
O4 - HKLM\..\Run: [Win64 Compatibility Check] load win64.drv /c /set -- by windows setup --
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.start-space.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.start-space.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.start-space.com/
O4 - HKCU\..\Run: [QuickTime Task] c:\windows\qttasks.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://webcoolsearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://webcoolsearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://webcoolsearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://webcoolsearch.com/
O4 - HKLM\..\RunServices: [Desktop] rundll32.exe msconfd,Restore ControlPanel
Load/Run keys from Registry:
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=msconfd.dll
Running processes:
C:\WINDOWS\quicken.exe
C:\WINDOWS\editpad.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.therealsearch.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.therealsearch.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.therealsearch.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.therealsearch.com/hp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.therealsearch.com/sp.php
O4 - HKCU\..\Run: [quicken] C:\WINDOWS\quicken.exe
O4 - HKCU\..\Run: [editpad] C:\WINDOWS\editpad.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.windowws.cc/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.windowws.cc/sp.htm?id=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://super-spider.com
O4 - HKCU\..\Run: [Windows Control] C:\WINDOWS\CONTROL.EXE
O4 - HKCU\..\RunServices: [Windows Control] C:\WINDOWS\CONTROL.EXE
Running processes:
C:\WINDOWS\OLEHELP.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.omega-search.com/go/panel_search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.omega-search.com/go/panel_search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.omega-search.com/go/panel_search.html
O4 - HKCU\..\Run: [olehelp] C:\WINDOWS\olehelp.exe
O4 - HKCU\..\Run: [svchost] C:\WINDOWS\olehelp.exe
Running processes:
C:\Program Files\directx\directx.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://smartsearch.ws/?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://smartsearch.ws/?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://smartsearch.ws/?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://smartsearch.ws
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smartsearch.ws
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://smartsearch.ws/?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://smartsearch.ws/?q=
O4 - HKLM\..\Run: [SystemEmergency] C:\Program Files\directx\directx.exe
O4 - HKLM\..\RunServices: [SystemEmergency] C:\Program Files\directx\directx.exe
O4 - HKCU\..\Run: [SystemEmergency] C:\Program Files\directx\directx.exe
O4 - HKLM\..\Run: [UserSystem] C:\Windows\iexplorer.exe
O4 - HKLM\..\RunServices: [UserSystem] C:\Windows\iexplorer.exe
O4 - HKCU\..\Run: [UserSystem] C:\Windows\iexplorer.exe
O13 - DefaultPrefix: http://smartsearch.ws/?q=
O13 - WWW Prefix: http://smartsearch.ws/?q=
F1 - win.ini: run=C:\WINNT\system32\services\y.exe
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - C:\WINDOWS\System\services\1.00.07.dll
O4 - HKLM\..\Run: [xpsystem] C:\WINNT\system32\services\y.exe
O4 - HKCU\..\Run: [xpsystem] C:\WINNT\system32\services\y.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gonnasearch.com/iesearch.php?ref=sb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.gonnasearch.com/?ref=sp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gonnasearch.com/iesearch.php?ref=sb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.gonnasearch.com/?ref=sp
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.gonnasearch.com/iesearch.php?ref=sb
O2 - BHO: SearchAddon - {799A370D-5993-4887-9DF7-0A4756A77D00} - C:\PROGRA~1\INTERN~1\Toolbar\SEARCH~1.DLL
O2 - BHO: AutoSearch - {A55581DC-2CDB-4089-8878-71A080B22342} - C:\PROGRA~1\INTERN~1\Toolbar\AUTOSE~1.DLL
O2 - BHO: (no name) - {E7AFFF2A-1B57-49C7-BF6B-E5123394C970} - C:\PROGRA~1\INTERN~1\Toolbar\webinfo.dll
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.nkvd.us/s.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.nkvd.us/s.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.nkvd.us/s.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nkvd.us/1507/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.nkvd.us/s.htm
O13 - DefaultPrefix: http://www.nkvd.us/1507/
O13 - WWW Prefix: http://www.nkvd.us/1507/
O13 - Home Prefix: http://www.nkvd.us/1507/
O13 - Mosaic Prefix: http://www.nkvd.us/1507/
Enumerating ShellServiceObjectDelayLoad items:
DDE Control Module: C:\WINDOWS\SYSTEM\mtwirl32.dll
O2 - BHO: OsbornTech Popup Blocker - {FF1BF4C7-4E08-4A28-A43F-9D60A9F7A880} - C:\WINDOWS\System32\mshelper.dll
Running processes:
C:\WINDOWS\SYSTEM32\WINPROC32.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://4-counter.com/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://4-counter.com/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://4-counter.com/?a=2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://4-counter.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://4-counter.com/?a=2
O4 - HKCU\..\Run: [Windows Internet Protocol] C:\WINDOWS\SYSTEM32\WINPROC32.EXE
Running processes:
C:\WINDOWS\SYSTEM\MSCONFIG.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.31234.com/www/homepage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.31234.com/www/homepage.html
O4 - HKLM\..\Run: [msconfig] C:\WINDOWS\SYSTEM\msconfig.exe
O4 - HKCU\..\Run: [msconfig] C:\WINDOWS\SYSTEM\msconfig.exe
O8 - Extra context menu item: ?????? - C:\WINDOWS\system32\openme.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.enjoysearch.info/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.enjoysearch.info/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.enjoysearch.info/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.enjoysearch.info/
O4 - HKLM\..\Run: [xxxvid] C:\WINDOWS\system32\xxxvideo.hta
O4 - HKCU\..\Run: [xxxvid] C:\Documents and Settings\<username>\My Documents\xxxvideo.hta
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.2020search.com/search/9884/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
O2 - BHO: Windows Resources - {2D38A51A-23C9-48a1-A33C-48675AA2B494} - C:\WINDOWS\winres.dll
O15 - Trusted Zone: *.i-lookup.com
O15 - Trusted Zone: *.offshoreclicks.com
O15 - Trusted Zone: *.teensguru.com
O1 - Hosts: 213.159.117.235 auto.search.msn.com
O18 - Protocol: about - {53B95211-7D77-11D2-9F80-00104B107C96} - C:\WINDOWS\System32\msxmlpp.dll
ABOUT BLANK RELATED FILES:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://about-blank.ws/page/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://about-blank.ws/page/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://about-blank.ws/page/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://about-blank.ws/
O1 - Hosts: 213.159.118.226 1-se.com
O1 - Hosts: 213.159.118.226 58q.com
O1 - Hosts: 213.159.118.226 aifind.cc
O1 - Hosts: 213.159.118.226 aifind.info
O1 - Hosts: 213.159.118.226 allneedsearch.com
O1 - Hosts: 213.159.118.226 approvedlinks.com
[..]
O1 - Hosts: 213.159.118.226 www.wazzupnet.com
O1 - Hosts: 213.159.118.226 www.websearch.com
O1 - Hosts: 213.159.118.226 www.windowws.cc
O1 - Hosts: 213.159.118.226 www.xgmm.com
O1 - Hosts: 213.159.118.226 xwebsearch.biz
O1 - Hosts: 213.159.118.226 yourbookmarks.ws
O4 - HKLM\..\Run: [Network Service] C:\WINNT\svchost.exe -sr -0
O4 - HKCU\..\Run: [Network Service] C:\WINNT\svchost.exe -sr -0
O19 - User stylesheet: C:\WINNT\system32\xea2108l.9zt
End of about blank files
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.your-search.info/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.your-search.info/start.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.your-search.info/start.html
O4 - HKLM\..\Run: [system32.dll]
C:\WINDOWS\system\systeminit.exe
O4 - Global Startup: sytem32.exe
O19 - User stylesheet: C:\WINDOWS\sstyle.css
O19 - User stylesheet: C:\WINDOWS\sstyle.css (HKLM)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://defaultsearching.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://defaultsearching.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://defaultsearching.com
O4 - HKCU\..\RunOnce: [sounddrv] C:\WINDOWS\SYSTEM\SNDBDRV3104.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\gfmnaaa.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\gfmnaaa.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\gfmnaaa.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {48918FB4-1FD5-4DF3-87F0-12C36350039D} - C:\WINDOWS\System32\gfmnaaa.dll
Running processes:
C:\WINDOWS\IEDLL.EXE
C:\WINDOWS\LOADER.EXE
O4 - HKCU\..\Run: [iedll] C:\WINDOWS\iedll.exe
O4 - HKCU\..\Run: [loader] C:\WINDOWS\loader.exe
O2 - BHO: WinShow module - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - C:\WINDOWS\WINSHOW.DLL
O1 - Hosts file: 209.66.114.130 sitefinder.verisign.com
O2 - BHO: WinShow module - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - C:\Documents And Settings\username\Application Data\winshow\Winshow.dll
O4 - HKLM\..\Run: [sys] regedit /s C:\WINDOWS\sys.reg
O4 - Global Startup: MSUpdater.exe
Running processes:
C:\WINDOWS\System32\svc.exe
O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - C:\WINDOWS\System32\BrowserHelper.dll
O4 - HKCU\..\Run: [svc] C:\WINDOWS\System32\svc.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://tooncomics.com/main/sp.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://tooncomics.com/main/hp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://66.250.130.194/main/hp.php
O1 - Hosts: 66.40.16.131 livesexlist.com
O1 - Hosts: 66.40.16.131 lanasbigboobs.com
O1 - Hosts: 66.40.16.131 thumbnailpost.com
O1 - Hosts: 66.40.16.131 adult-series.com
O2 - BHO: DNSErr object - {1E1B2879-88FF-11D2-8D96-D7ACAC95951F} - C:\WINDOWS\DNSErr.dll
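Checking a log by hand against that list is the slow part, and it is where the O10 mistake gets made. As an added example (my own script, not code from the original post nor from HijackThis or CWShredder), here is a Python triage pass over HijackThis-style lines that flags the patterns the list shows: R0/R1 search settings pointing at a known CWS domain, at a res:// resource inside a DLL, or at an empty host; O1 hosts entries that send auto.search.msn.com or sitefinder.verisign.com to a remote address, including the decimal-encoded form (1123694712 is just 66.250.56.120 written as one number); O13 prefix hijacks; autoruns with lookalike names or re-imported .reg files; and O10 LSP entries, which it marks for LSPFix rather than Fix checked, because deleting the DLL without repairing the chain is exactly the broken-connection case described under CWS.Msspi. The domain list, lookalike names and sample log lines are assembled from the entries above and are not complete.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Domains taken from the CWS entries above (assumption: any match is hostile; not a complete list).
CWS_DOMAINS = {
    "coolwwwsearch.com", "searchv.com", "xrenoder.com", "allhyperlinks.com", "jetseeker.com",
    "searchxp.com", "yourbookmarks.ws", "slawsearch.com", "true-counter.com", "count-all.com",
    "xwebsearch.biz", "searchdot.net", "smartsearch.ws", "about-blank.ws", "nkvd.us", "ehttp.cc",
    "4-counter.com", "hardloved.com", "windowws.cc", "therealsearch.com", "omega-search.com",
    "enjoysearch.info", "2020search.com", "gonnasearch.com", "ie-search.com", "alfa-search.com",
    "idgsearch.com", "rightfinder.net", "start-space.com", "webcoolsearch.com", "tooncomics.com",
}
# Names the O1 entries above redirect; any non-loopback mapping for them is a hijack.
REDIRECTED_NAMES = {"auto.search.msn.com", "sitefinder.verisign.com", "sitefinder-idn.verisign.com"}
# Autorun file names from the entries above that imitate system binaries (illustrative).
LOOKALIKE_EXES = {"svchost32.exe", "ctfmon32.exe", "iexplorer.exe", "winproc32.exe", "svcinit.exe"}
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-2]|O\d+) - (.*)$")


def decode_ip(token):
    """IPv4 from dotted or decimal form ('1123694712' -> 66.250.56.120); None if neither."""
    try:
        return ipaddress.IPv4Address(int(token) if token.isdigit() else token)
    except ValueError:
        return None


def registered_domain(host):
    """Crude eTLD+1 (last two labels); enough for the domains in the list above."""
    return ".".join(host.lower().strip(".").split(".")[-2:]) if host else ""


def triage(line):
    """Return the reasons a HijackThis line looks like a CWS hijack ([] when clean)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    kind, body = m.groups()
    after_colon = body.partition(":")[2].strip()  # text after 'Hosts:', 'Run:', 'DefaultPrefix:' ...
    reasons = []
    if kind in ("R0", "R1", "R2"):                 # IE start/search settings: "key = value"
        value = body.partition("=")[2].strip()
        host = (urlsplit(value).hostname or "").strip(".") if value.startswith("http") else ""
        if value.startswith("res://"):
            reasons.append("search page served from a local DLL resource")
        elif value.startswith("javascript:"):
            reasons.append("script URL in a search setting")
        elif value.startswith("http") and not host:
            reasons.append("URL with an empty host (hijacker placeholder)")
        elif registered_domain(host) in CWS_DOMAINS:
            reasons.append("known CWS domain " + registered_domain(host))
        if "(obfuscated)" in value:
            reasons.append("HijackThis flagged the URL as obfuscated")
    elif kind == "O1":                             # "Hosts: <ip> <name>"
        fields = after_colon.split()
        if len(fields) >= 2:
            ip, name = decode_ip(fields[0]), fields[1].lower()
            if fields[0].isdigit():
                reasons.append(f"decimal-encoded IP {fields[0]} = {ip}")
            if ip is not None and not ip.is_loopback and (
                    name in REDIRECTED_NAMES or registered_domain(name) in CWS_DOMAINS):
                reasons.append(f"{name} redirected to {ip}")
    elif kind in ("O2", "R3"):                     # BHO / URLSearchHook: "name - {CLSID} - path"
        path = body.rsplit(" - ", 1)[-1].lower()
        if "\\documents and settings\\" in path or "\\application data\\" in path:
            reasons.append("browser extension DLL loaded from a user profile directory")
    elif kind == "O4":                             # autoruns: "[name] command" or a startup file
        tokens = re.sub(r"^\[[^\]]*\]\s*", "", after_colon.lower()).strip('"').split()
        exe = tokens[0].rsplit("\\", 1)[-1] if tokens else ""
        if exe in LOOKALIKE_EXES:
            reasons.append(f"autorun {exe} imitates a system binary")
        if "regedit" in after_colon.lower() and ".reg" in after_colon.lower():
            reasons.append("autorun re-imports a .reg file at every boot")
    elif kind == "O10":
        reasons.append("Winsock LSP entry: repair with LSPFix, not 'Fix checked'")
    elif kind == "O13":                            # prefixes are bare 'http://' style; never a host
        if (urlsplit(after_colon).hostname or "").strip("."):
            reasons.append("URL prefix rewritten to a remote host")
    elif kind in ("F0", "F1", "F2"):               # win.ini/system.ini run= and shell=
        extra = [t for t in body.partition("=")[2].split() if t.lower() != "explorer.exe"]
        if extra:
            reasons.append("legacy ini autorun: " + " ".join(extra))
    return reasons


def triage_log(text):
    """Map each suspicious log line to its reasons; clean lines are left out."""
    return {ln: triage(ln) for ln in text.splitlines() if triage(ln)}


# Constructed sample, assembled from the entries above plus two clean control lines.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.coolwwwsearch.com/z/c/x1.cgi?100 (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\gfmnaaa.dll/sp.html (obfuscated)
O1 - Hosts: 1123694712 auto.search.msn.com
O1 - Hosts: 127.0.0.1 coolwwwsearch.com
O4 - HKLM\..\Run: [svchost.exe] "C:\WINDOWS\SYSTEM\svchost32.exe"
O10 - Unknown file in Winsock LSP: c:\windows\system32\msspi.dll
O13 - DefaultPrefix: http://ehttp.cc/?
F0 - system.ini: Shell=explorer.exe mupdate.exe
"""
```

Feed a real log in place of SAMPLE_LOG and print `triage_log(...)`: O10 hits go to LSPFix, everything else to Fix checked in safe mode as described above. The loopback O1 line is deliberately left unflagged, since that is what an immunized hosts file looks like.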
I appreciate there is no chance you can manually check all these files against a HijackThis log, and a lot of these are automatically dealt with by using CWShredder in safe mode, but this is more to show how much of a parasite this is and why it is causing so many problems for so many users. I think personally the Spybot Search & Destroy Immunize feature and SpywareBlaster's guard are so important these days, as they stop a lot of the sites carrying this trojan from even opening. Adding 127.0.0.1 entries to the hosts file for the website addresses that carry this and other spyware/trojans can stop the infection ever getting into the PC: basically it fools the PC into believing the sites don't exist, and you get the "page is unavailable" error. Once it's there the damage caused can be huge, and manual removal of every file is virtually impossible with a lot of the variants. I'd advise anyone who doesn't have them to get Spybot Search & Destroy and use the Immunize button after updating, plus SpywareBlaster, and enable all protection after updating it as well.
Spybot Search & Destroy
http://www.majorgeeks.com/downloadget.php?id=2471&file=11&evp=2470f9bfb0cc682334ff8c4459556118
SpywareBlaster
http://majorgeeks.com/downloadget.php?id=2859&file=11&evp=61b0e8ad41924a03c37615f4682b4cef
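The 127.0.0.1 trick above is what Immunize does in bulk. As an added example (mine, not from the post and not Spybot's or SpywareBlaster's code), here is a Python routine that merges a block list into hosts-file text: names that already point at loopback are left alone, so it can be re-run safely, and a block-listed name that already points somewhere else is reported instead of overwritten, because on a CWS machine that line is the hijack and you want to see it first. It also decodes the decimal-form addresses the O1 entries above use. The block list and the hosts text are constructed from the entries above.

```python
import ipaddress

# Domains from the CWS entries above; a real block list would be far longer (assumption).
CWS_BLOCKLIST = [
    "coolwwwsearch.com", "www.coolwwwsearch.com", "searchv.com", "www.searchv.com",
    "xwebsearch.biz", "about-blank.ws", "smartsearch.ws", "nkvd.us", "www.nkvd.us",
]
MARKER = "# --- CWS immunization (added by script) ---"


def parse_hosts(text):
    """Return {hostname: IPv4Address} for every mapping in hosts-file text.

    Comments are stripped and decimal-form addresses such as 1123694712 (the
    obfuscation seen in the O1 entries above) are decoded like dotted ones.
    The first mapping for a name wins (assumption: top-to-bottom lookup).
    """
    mapped = {}
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if len(tokens) < 2:
            continue
        try:
            ip = ipaddress.IPv4Address(int(tokens[0]) if tokens[0].isdigit() else tokens[0])
        except ValueError:
            continue                      # IPv6 or junk: not relevant here
        for name in tokens[1:]:
            mapped.setdefault(name.lower(), ip)
    return mapped


def immunize(text, blocklist=CWS_BLOCKLIST, sink="127.0.0.1"):
    """Append '<sink> <name>' for every block-listed name not yet in the file.

    Returns (new_text, report). Names already pointing at loopback are left
    alone, so running twice changes nothing. Names pointing anywhere else are
    the hijack itself: they are reported, never silently overwritten, so the
    existing line can be inspected and removed by hand first.
    """
    mapped = parse_hosts(text)
    report = {"added": [], "kept": [], "hijacked": {}}
    for name in blocklist:
        ip = mapped.get(name.lower())
        if ip is None:
            report["added"].append(name)
        elif ip.is_loopback:
            report["kept"].append(name)
        else:
            report["hijacked"][name] = str(ip)
    if report["added"]:
        lines = [text.rstrip("\n")]
        if MARKER not in text:
            lines.append(MARKER)
        lines.extend(f"{sink} {name}" for name in report["added"])
        text = "\n".join(lines) + "\n"
    return text, report


# Constructed sample hosts file: one name already immunized, one decimal-obfuscated
# redirect of auto.search.msn.com, and one block-listed name already hijacked.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       searchv.com         # already immunized by Spybot
1123694712      auto.search.msn.com
213.159.118.226 xwebsearch.biz
"""

if __name__ == "__main__":
    new_text, report = immunize(SAMPLE_HOSTS)
    print(report)
    print(new_text)
```

On Windows the file is %SystemRoot%\system32\drivers\etc\hosts; write it back from an administrator prompt and run ipconfig /flushdns afterwards. A loopback entry works because the browser then connects to your own machine, where nothing is listening on port 80, and shows the "page cannot be displayed" error instead of fetching the hijacker's page.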
For anyone trying to remove these types of things, remember these general tips.
ALWAYS do these when trying to remove a bug:
First: Turn off Windows XP System Restore (Start, right-click My Computer, Properties, then the System Restore tab; tick "Turn off System Restore" and Apply). Otherwise the infected files sit in the restore points and can be brought straight back.
Next: Show hidden files and folders (Start, Search, then Tools on the top bar, choose Folder Options, go to the View tab and tick "Show hidden files and folders").
Next: Boot into Safe Mode. Reboot the system and tap F8, then choose Safe Mode.
Next: Delete Temporary Internet Files. Open an Internet Explorer window, click Tools, then Internet Options. Click the Delete Cookies and Delete Files buttons, then click OK and close the browser window.
Next: Close all open Internet browser windows.
Next: Delete Windows temporary files. Click Start, Run, type %temp% and press Enter, then delete every file you can in that folder.
The Windows temporary directory (usually C:\windows\temp, or under Documents and Settings\<username>\Local Settings\Temp on XP) should not be confused with the Internet Explorer "Temporary Internet Files" directory. It stores temporary files used during installation of programs and at various other times; one of the autoruns in the list above (ADDCLASS.EXE) runs from it, so cleaning this directory regularly is a good idea.
Try SpySubtract (30-day trial; CWS has been added to its definitions):
http://download.intermute.com/downloads/spysubtract/2.64/1005/SpyInstall.exe
CWShredder
http://cwshredder.net/bin/CWShredder.exe
MANUAL REMOVAL INSTRUCTIONS *
Try using PrcView.
(Find out detailed information about the processes running under Windows. This utility gives you the full list of DLLs for each running application, including full path and version information. You can also write scripts and use debuggers to examine processes more closely. The program shows all parent/child relationships to system processes. This latest version displays all DLLs currently in use, as well as which processes use a DLL you select.)
Download PrcView here: http://www.spywareinfo.com/~merijn/files/pv.zip and unzip it to the desktop.
Be sure to have at least one Internet Explorer window open, then double-click runme.bat.
Select option '2' from the menu.
Notepad will open with a log in it. Look for a line with this load address and size; the filename will always be different, for example:
winajbm.dll 61c00000 61440 c:\windows\system32\winajbm.dll
This part indicates the bad file:
61c00000 61440
The line will always carry that base address and size. Write down the full path behind it. (The IE window has to be open because the DLL only shows up in the list while it is loaded into iexplore.exe, which is also why it cannot simply be deleted while Windows is running.)
Now download KillBox:
http://www.downloads.subratam.org/KillBox.zip
Unzip and run it.
Don't click any of the buttons though; instead click on the Action menu and choose "Delete on Reboot". On the next screen, click on the File menu and choose "Add File". The file you wrote down earlier should now show up in the window. If that's successful, choose the Action menu and select "Process and Reboot". You'll be prompted to reboot; do so.
After rebooting, make sure the file is gone (run runme.bat option 2 again with an IE window open and check that no line with 61c00000 61440 remains).
Andy
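The PrcView step above is a manual search of the module list for the 61c00000 61440 signature. As an added example (mine, not part of the post and not PrcView's or KillBox's code), the Python below does that search over a constructed PrcView-style log, assuming one module per line as 'name base size path', the layout the post shows, and also lists modules loaded from a user profile or temp folder, a generalization taken from the BHO paths in the list above (GoogleMS.dll and Winshow.dll under Application Data). The output is the list of full paths to put into KillBox's Delete on Reboot; the legitimate modules and their addresses in the sample are made up.

```python
import re

# The signature given in the post: base address 61c00000, size 61440; the name varies.
CWS_BASE, CWS_SIZE = 0x61C00000, 61440
# Added generalization (mine): IE modules living under a user profile or temp folder, as the
# BHO DLLs in the list above do, are worth a look even when base and size differ.
PROFILE_MARKERS = ("\\documents and settings\\", "\\application data\\", "\\temp\\")
# One module per line as 'name base size path' (the layout shown in the post; assumption).
MODULE_RE = re.compile(r"^(\S+)\s+([0-9a-f]{8})\s+(\d+)\s+(.+?)\s*$", re.I)


def parse_modules(text):
    """Parse PrcView-style module lines; anything that does not fit the layout is ignored."""
    mods = []
    for line in text.splitlines():
        m = MODULE_RE.match(line.strip())
        if m:
            name, base, size, path = m.groups()
            mods.append({"name": name, "base": int(base, 16), "size": int(size), "path": path})
    return mods


def find_suspects(text):
    """Return [(path, reason)] for modules matching the CWS signature or the profile heuristic."""
    out = []
    for mod in parse_modules(text):
        if mod["base"] == CWS_BASE and mod["size"] == CWS_SIZE:
            out.append((mod["path"], "matches the CWS signature 61c00000 61440"))
        elif any(marker in mod["path"].lower() for marker in PROFILE_MARKERS):
            out.append((mod["path"], "loaded from a user profile or temp directory"))
    return out


def killbox_list(text):
    """Full paths, one per line, ready to paste into KillBox's 'Delete on Reboot'."""
    return "\n".join(path for path, _ in find_suspects(text))


# Constructed sample in the layout of the runme.bat option 2 log; sizes and addresses of
# the legitimate modules are made up.
SAMPLE_PRCVIEW = r"""
Modules loaded in iexplore.exe (constructed sample, not real PrcView output)
iexplore.exe  00400000  98304    c:\program files\internet explorer\iexplore.exe
ntdll.dll     77f50000  729088   c:\windows\system32\ntdll.dll
browseui.dll  75f80000  1036288  c:\windows\system32\browseui.dll
winajbm.dll   61c00000  61440    c:\windows\system32\winajbm.dll
googlems.dll  10000000  45056    c:\documents and settings\user\application data\googlems.dll
"""

if __name__ == "__main__":
    for path, reason in find_suspects(SAMPLE_PRCVIEW):
        print(f"{path}  <- {reason}")
```

Run it against the Notepad log PrcView produces (save it as a file and pass its contents in place of SAMPLE_PRCVIEW). Anything matching the signature is the CWS DLL; the profile-directory hits are candidates to check, not automatic deletions.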