harshale
asked on
Has CWS.SmartSearch.2 still got me? CWShredder says I'm safe but...I'm not so sure.
Each time I open CWShredder v.1.59.0 and hit the "Check for update" button I get the "Fetching CWShredder update....etc." panel. After a nominal minute, I get the message; "Unable to retrieve...etc. Server might be unavailable, try again later." This has been going on for 3 days. This is the SWI site and I realize that it is very busy and that it has been under "attack' for some time now, but 3 days of failing to get thru seemed excessive.
What has me most concerned is the following sequence of events; 3 days ago on my first attempt, I opened CWS Shredder and checked for updates, the message came up that there were updates available. I hit the "Download and open the update", a message popped on screen informing me that "...CoolWebSearch trojan (CWS.SmartSearch.2) has attempted to...etc...to counter this,....random string of text,...Cws is still functioning....has not been corrupted." When I closed that message, I was back at the CWSHredder opening panel. Closing and restarting CWShredder, I again hit the Check for updates, got the "Fetching...etc." and then after the short wait I got the "Unable to retrieve...etc.". Since that time, after 10 or 12 attempts each day I am still unable to reach the updates. Further:
Yesterday, on 2 of my attempts, as soon as the CWShredder panel hit the screen, the "....CWS.SmartSearch.2 has attempted to close CWShredder...etc." came up. Yesterday I was plagued with a lot of "failures to respond", inability to remove programs by means of "Add/Remove" (MediaPlayer 7.1 specifically) it would take control of my machine, locking me up in whatever program was running, dead mouse, etc. The 3 finger salute was the only way out. On each of these occassions. WMP7.1 was the prime offender. After 5 or 6 hours of work with Regedit, Explorer, and 3 different registry utilities I managed to get rid of MediaPlayer and the lock-ups. During all of this, IE has never seemed to be affected.
I have run Panda, Housecalls, and McAfee several times. All 3 report nothing. I run SpywareBlaster, Spybot S&D, Ad-Aware daily, always after seeking updates. All of them have nothing to report.
Well, wouldn't you just know it, as of 2 minutes ago; I attempted the CWShredder update routine and finally it got past the "Unable to retrieve" and it said there was an update. I hit "Download and open the update", got the "Connecting", waited it out, and got the download, but, "An error occurred opening the downloaded file"...... "You need a file compression program like Winzip....etc". My trial period with Winzip expired yesterday, I have no means by which to open the download. Any suggestions? I need a means of unzipping zipped downloads...Googling brings up several possibilities but I have no familiarity with any of them and am therefore fearful to select one. I really liked the Winzip but I just can't afford it (or anything else for that matter - my signature says it all, plain and simple). I'm not cheap and looking for free rides, I'm just living on very limited means and there is no room in the budget for anything more than necessities.
I have submitted my most recent HJT log to SWI for evaluation and am waiting to see what that brings... if anyone here wants to look at it I will post it on request. I know that SWI, as well as you folks at EE, are swamped so if it takes some bit of time to get to my query I'll understand, but believe me, I will be waiting with great antici...........pation (as Dr. Frankenfurter, in Rocky Horror Picture Show put it).
In summary, I am concerned that CWS.SmartSearch.2 is still lurking somewhere, waiting for another exploitable such as MP7.1.
This may be relevant; whenever I have run HJT during the past few days it does that "quick as a flash" scan and then stalls for about 45 seconds, the progress bar is about 90% across and it says "015 - Trusted Zone enumeration...", during the delay my mouse is essentially dead. After the delay, HJT finishes the scan and all is normal.
In passing; if BillDl hits me again with the Tweakui stuff, forget it Bill...that thing is still doing crazy stuff, but nothing that is of great import in this issue, have a good one BillDl.
Thanks for any help, advice, or commentary anyone would care to offer. Harshale
What has me most concerned is the following sequence of events; 3 days ago on my first attempt, I opened CWS Shredder and checked for updates, the message came up that there were updates available. I hit the "Download and open the update", a message popped on screen informing me that "...CoolWebSearch trojan (CWS.SmartSearch.2) has attempted to...etc...to counter this,....random string of text,...Cws is still functioning....has not been corrupted." When I closed that message, I was back at the CWSHredder opening panel. Closing and restarting CWShredder, I again hit the Check for updates, got the "Fetching...etc." and then after the short wait I got the "Unable to retrieve...etc.". Since that time, after 10 or 12 attempts each day I am still unable to reach the updates. Further:
Yesterday, on 2 of my attempts, as soon as the CWShredder panel hit the screen, the "....CWS.SmartSearch.2 has attempted to close CWShredder...etc." came up. Yesterday I was plagued with a lot of "failures to respond", inability to remove programs by means of "Add/Remove" (MediaPlayer 7.1 specifically) it would take control of my machine, locking me up in whatever program was running, dead mouse, etc. The 3 finger salute was the only way out. On each of these occassions. WMP7.1 was the prime offender. After 5 or 6 hours of work with Regedit, Explorer, and 3 different registry utilities I managed to get rid of MediaPlayer and the lock-ups. During all of this, IE has never seemed to be affected.
I have run Panda, Housecalls, and McAfee several times. All 3 report nothing. I run SpywareBlaster, Spybot S&D, Ad-Aware daily, always after seeking updates. All of them have nothing to report.
Well, wouldn't you just know it, as of 2 minutes ago; I attempted the CWShredder update routine and finally it got past the "Unable to retrieve" and it said there was an update. I hit "Download and open the update", got the "Connecting", waited it out, and got the download, but, "An error occurred opening the downloaded file"...... "You need a file compression program like Winzip....etc". My trial period with Winzip expired yesterday, I have no means by which to open the download. Any suggestions? I need a means of unzipping zipped downloads...Googling brings up several possibilities but I have no familiarity with any of them and am therefore fearful to select one. I really liked the Winzip but I just can't afford it (or anything else for that matter - my signature says it all, plain and simple). I'm not cheap and looking for free rides, I'm just living on very limited means and there is no room in the budget for anything more than necessities.
I have submitted my most recent HJT log to SWI for evaluation and am waiting to see what that brings... if anyone here wants to look at it I will post it on request. I know that SWI, as well as you folks at EE, are swamped so if it takes some bit of time to get to my query I'll understand, but believe me, I will be waiting with great antici...........pation (as Dr. Frankenfurter, in Rocky Horror Picture Show put it).
In summary, I am concerned that CWS.SmartSearch.2 is still lurking somewhere, waiting for another exploitable such as MP7.1.
This may be relevant; whenever I have run HJT during the past few days it does that "quick as a flash" scan and then stalls for about 45 seconds, the progress bar is about 90% across and it says "015 - Trusted Zone enumeration...", during the delay my mouse is essentially dead. After the delay, HJT finishes the scan and all is normal.
In passing; if BillDl hits me again with the Tweakui stuff, forget it Bill...that thing is still doing crazy stuff, but nothing that is of great import in this issue, have a good one BillDl.
Thanks for any help, advice, or commentary anyone would care to offer. Harshale
ASKER
Greetings Rossfingal,
I have downloaded the HJT upgrade but cannot install it due to my lack of an "unzip utility"...as I said in my first post, my trial period of Winzip expired yesterday, now I have no way to install any zip downloads.
I will include the most recent HJT log, hopefully that will help.
One thing that seems odd to me is the triple entry: C:\Program Files\Internet Explorer\Explore.exe I have gone there in Windows Explorer and find only one such entry yet, HJT reports it 3 times. Also, 8 of the 9 items bearing an 09 prefix are suffixed with "File Missing", I'm always tempted in these cases to just eliminate the item(s), I mean, if the file ain't there, why carry listings which reference missing files?
In any case, my first hurdle is obtaining a utility by which I can unzip and open these updates/upgrades. Until I can do that I'm dead in the water. Again, any suggestion as to a good utility for this purpose?
Thanks for your reply, Harshale
Logfile of HijackThis v1.98.1
Scan saved at 11:22:38 AM, on 8/15/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32
C:\WINDOWS\SYSTEM\MSGSRV32
C:\WINDOWS\SYSTEM\MPREXE.E
C:\WINDOWS\SYSTEM\mmtask.t
C:\WINDOWS\SYSTEM\ZONELABS
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\HIDSERV.
C:\WINDOWS\SYSTEM\RNAAPP.E
C:\WINDOWS\SYSTEM\TAPISRV.
C:\COMPAQ\CPQINET\CPQINET.
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\SYSTEM\SYSTRAY.
C:\PROGRAM FILES\TI ADSL\BIN\WIN9X\TIDSLMON.EX
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EX
C:\WINDOWS\SYSTEM\QTTASK.E
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.E
C:\PROGRAM FILES\PRODIGY COMMUNICATIONS\PRODIGY DSL\APP\ENTERNET.EXE
C:\WINDOWS\SYSTEM\DDHELP.E
C:\WINDOWS\START MENU\PROGRAMS\SECURITY\CWS
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.
C:\UNZIPPED\HIJACKTHIS\HIJ
R1 - HKCU\Software\Microsoft\In
R0 - HKCU\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\In
R0 - HKCU\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\In
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-C
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-2
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-0
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-0
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPw
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TIxDSL] C:\PROGRA~1\TIADSL~1\BIN\W
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.ex
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-0
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-0
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-0
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-0
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-0
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-0
O9 - Extra button: (no name) - {06FE5D04-8F11-11d2-804F-0
O9 - Extra 'Tools' menuitem: AV Home - {06FE5D04-8F11-11d2-804F-0
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0
O16 - DPF: {EF791A6B-FC12-4C68-99EF-F
O16 - DPF: {74D05D43-3236-11D4-BDCD-0
O16 - DPF: {2FC9A21E-2069-4E47-8235-3
O16 - DPF: {F5C90925-ABBF-4475-88F5-8
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
I have downloaded the HJT upgrade but cannot install it due to my lack of an "unzip utility"...as I said in my first post, my trial period of Winzip expired yesterday, now I have no way to install any zip downloads.
I will include the most recent HJT log, hopefully that will help.
One thing that seems odd to me is the triple entry: C:\Program Files\Internet Explorer\Explore.exe I have gone there in Windows Explorer and find only one such entry yet, HJT reports it 3 times. Also, 8 of the 9 items bearing an 09 prefix are suffixed with "File Missing", I'm always tempted in these cases to just eliminate the item(s), I mean, if the file ain't there, why carry listings which reference missing files?
In any case, my first hurdle is obtaining a utility by which I can unzip and open these updates/upgrades. Until I can do that I'm dead in the water. Again, any suggestion as to a good utility for this purpose?
Thanks for your reply, Harshale
Logfile of HijackThis v1.98.1
Scan saved at 11:22:38 AM, on 8/15/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32
C:\WINDOWS\SYSTEM\MSGSRV32
C:\WINDOWS\SYSTEM\MPREXE.E
C:\WINDOWS\SYSTEM\mmtask.t
C:\WINDOWS\SYSTEM\ZONELABS
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\HIDSERV.
C:\WINDOWS\SYSTEM\RNAAPP.E
C:\WINDOWS\SYSTEM\TAPISRV.
C:\COMPAQ\CPQINET\CPQINET.
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\SYSTEM\SYSTRAY.
C:\PROGRAM FILES\TI ADSL\BIN\WIN9X\TIDSLMON.EX
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EX
C:\WINDOWS\SYSTEM\QTTASK.E
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.E
C:\PROGRAM FILES\PRODIGY COMMUNICATIONS\PRODIGY DSL\APP\ENTERNET.EXE
C:\WINDOWS\SYSTEM\DDHELP.E
C:\WINDOWS\START MENU\PROGRAMS\SECURITY\CWS
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.
C:\UNZIPPED\HIJACKTHIS\HIJ
R1 - HKCU\Software\Microsoft\In
R0 - HKCU\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\In
R0 - HKCU\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\In
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-C
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-2
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-0
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-0
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPw
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TIxDSL] C:\PROGRA~1\TIADSL~1\BIN\W
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.ex
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-0
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-0
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-0
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-0
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-0
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-0
O9 - Extra button: (no name) - {06FE5D04-8F11-11d2-804F-0
O9 - Extra 'Tools' menuitem: AV Home - {06FE5D04-8F11-11d2-804F-0
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0
O16 - DPF: {EF791A6B-FC12-4C68-99EF-F
O16 - DPF: {74D05D43-3236-11D4-BDCD-0
O16 - DPF: {2FC9A21E-2069-4E47-8235-3
O16 - DPF: {F5C90925-ABBF-4475-88F5-8
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
try this zip program. I have used it for years without a problem.
http://www.pcworld.com/downloads/file_description/0,fid,6383,00.asp
http://www.pcworld.com/downloads/file_description/0,fid,6383,00.asp
May be the 'Coolwebsearch' is still there in your system.
try this tool which will remove that trojan.
Here's the link
http://www.safer-networking.org/files/delcwssk.zip
I have posted the link here with the reference from this website
http://www.spywareinfo.com/~merijn/downloads.html
try this tool which will remove that trojan.
Here's the link
http://www.safer-networking.org/files/delcwssk.zip
I have posted the link here with the reference from this website
http://www.spywareinfo.com/~merijn/downloads.html
ASKER
Greetings, ravisimpi, I downloaded the delcwssk.zip to may desk-top and unzipped from there. I am unsure of what I have accomplished.
It appears that it upgraded my CWShredder from ver. 1.56.0002 to ver.1.59. It has also added; "miniremoval_coolwebsearch
What has me wondering is that I when I go to either location and click to open "miniremoval....etc.", I get a message that "Coolwwwsearch.smartkiller
What does this message mean? Does it indicate a faulty installation of "delcwssk"?.... or does it mean that the item which delcwssk is designed to destroy (Coolwwwsearch.smartkiller
A few days ago I had spent a 16 hr. span ridding my self of some variant of CWS, after searching thru EE, I found some help, the "accepted answer" by spiderfix gave me the clue I needed...wmplayer.exe had been taken over. In spite of the fact this was in the XP area I was able to extrapolate from there enough info to allow me to get it out of my 98SE. I'm including the Experts Exchange link to that discussion and solution just in case it might be helpful.
https://www.experts-exchange.com/questions/21043564/CWShredder-closes-on-CWS-SMARTSEARCH-2.html#11440389
Thank you for your recommendation and thank you for any further help you may give me. Harshale
It appears that it upgraded my CWShredder from ver. 1.56.0002 to ver.1.59. It has also added; "miniremoval_coolwebsearch
What has me wondering is that I when I go to either location and click to open "miniremoval....etc.", I get a message that "Coolwwwsearch.smartkiller
What does this message mean? Does it indicate a faulty installation of "delcwssk"?.... or does it mean that the item which delcwssk is designed to destroy (Coolwwwsearch.smartkiller
A few days ago I had spent a 16 hr. span ridding my self of some variant of CWS, after searching thru EE, I found some help, the "accepted answer" by spiderfix gave me the clue I needed...wmplayer.exe had been taken over. In spite of the fact this was in the XP area I was able to extrapolate from there enough info to allow me to get it out of my 98SE. I'm including the Experts Exchange link to that discussion and solution just in case it might be helpful.
https://www.experts-exchange.com/questions/21043564/CWShredder-closes-on-CWS-SMARTSEARCH-2.html#11440389
Thank you for your recommendation and thank you for any further help you may give me. Harshale
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
akboss,
That's great news!!
On the zip front: I tried one and it looked great but during the installation I was asked too many times to make selections concerning things about which I knew nothing! I tend to go with defaults on installations, and learn from there. This Wizard was too tough for me, so I bailed out on that one and found another that is doing the job, as is evidenced, in that the 2 downloads referrenced in these posts have been successful.
The HJT log; coming up, but first: there were 8 09 listings all faulted for "File Missing", I just wiped them out and looked for the debris and got rid of it. That explains their absence in this report, Thank you for taking an interest in this, it's not only helpful to me but I also learn something more. Thanks again Harshale
Logfile of HijackThis v1.98.1
Scan saved at 4:59:35 PM, on 8/17/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32
C:\WINDOWS\SYSTEM\MSGSRV32
C:\WINDOWS\SYSTEM\MPREXE.E
C:\WINDOWS\SYSTEM\mmtask.t
C:\WINDOWS\SYSTEM\ZONELABS
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\HIDSERV.
C:\WINDOWS\SYSTEM\RNAAPP.E
C:\WINDOWS\SYSTEM\TAPISRV.
C:\COMPAQ\CPQINET\CPQINET.
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\SYSTEM\SYSTRAY.
C:\PROGRAM FILES\TI ADSL\BIN\WIN9X\TIDSLMON.EX
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EX
C:\WINDOWS\SYSTEM\QTTASK.E
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.E
C:\PROGRAM FILES\PRODIGY COMMUNICATIONS\PRODIGY DSL\APP\ENTERNET.EXE
C:\WINDOWS\SYSTEM\PSTORES.
C:\UNZIPPED\HIJACKTHIS\HIJ
R1 - HKCU\Software\Microsoft\In
R0 - HKCU\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\In
R0 - HKCU\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\In
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-C
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-2
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-0
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-0
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPw
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TIxDSL] C:\PROGRA~1\TIADSL~1\BIN\W
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.ex
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0
O16 - DPF: {EF791A6B-FC12-4C68-99EF-F
O16 - DPF: {74D05D43-3236-11D4-BDCD-0
O16 - DPF: {2FC9A21E-2069-4E47-8235-3
O16 - DPF: {F5C90925-ABBF-4475-88F5-8
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5
That's great news!!
On the zip front: I tried one and it looked great but during the installation I was asked too many times to make selections concerning things about which I knew nothing! I tend to go with defaults on installations, and learn from there. This Wizard was too tough for me, so I bailed out on that one and found another that is doing the job, as is evidenced, in that the 2 downloads referrenced in these posts have been successful.
The HJT log; coming up, but first: there were 8 09 listings all faulted for "File Missing", I just wiped them out and looked for the debris and got rid of it. That explains their absence in this report, Thank you for taking an interest in this, it's not only helpful to me but I also learn something more. Thanks again Harshale
Logfile of HijackThis v1.98.1
Scan saved at 4:59:35 PM, on 8/17/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32
C:\WINDOWS\SYSTEM\MSGSRV32
C:\WINDOWS\SYSTEM\MPREXE.E
C:\WINDOWS\SYSTEM\mmtask.t
C:\WINDOWS\SYSTEM\ZONELABS
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\HIDSERV.
C:\WINDOWS\SYSTEM\RNAAPP.E
C:\WINDOWS\SYSTEM\TAPISRV.
C:\COMPAQ\CPQINET\CPQINET.
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\SYSTEM\SYSTRAY.
C:\PROGRAM FILES\TI ADSL\BIN\WIN9X\TIDSLMON.EX
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EX
C:\WINDOWS\SYSTEM\QTTASK.E
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.E
C:\PROGRAM FILES\PRODIGY COMMUNICATIONS\PRODIGY DSL\APP\ENTERNET.EXE
C:\WINDOWS\SYSTEM\PSTORES.
C:\UNZIPPED\HIJACKTHIS\HIJ
R1 - HKCU\Software\Microsoft\In
R0 - HKCU\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\In
R0 - HKCU\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\In
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-C
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-2
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-0
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-0
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPw
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TIxDSL] C:\PROGRA~1\TIADSL~1\BIN\W
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.ex
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0
O16 - DPF: {EF791A6B-FC12-4C68-99EF-F
O16 - DPF: {74D05D43-3236-11D4-BDCD-0
O16 - DPF: {2FC9A21E-2069-4E47-8235-3
O16 - DPF: {F5C90925-ABBF-4475-88F5-8
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5
fix these:
R0 - HKCU\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
other than those your log looks good.
Just remember to run ad-aware, spybot,and CWShredder at least weekly.
I run them when I run my A/V.
Its what I do and what I tell my clients they must do.
R0 - HKCU\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
other than those your log looks good.
Just remember to run ad-aware, spybot,and CWShredder at least weekly.
I run them when I run my A/V.
Its what I do and what I tell my clients they must do.
ASKER
akboss:
I've had my eye on those two R0 entries for days, mainly because at some time in the past someone had me get rid of them while cleaning up a few other items. I know not when they show up or what brings them in. They never seem to cause any problem so I've just let them ride. I'll start dumping them as soon as they show up from here on. Just out of curiosity: what are they about?, why are there always 2 of them, etc....do you have any place to refer me to in order to learn more?
As far as Ad-Aware, Spybot, SpywareBlaster, etc.....I run them daily....too much free time on my hands I guess.
Thanks, Harshale
I've had my eye on those two R0 entries for days, mainly because at some time in the past someone had me get rid of them while cleaning up a few other items. I know not when they show up or what brings them in. They never seem to cause any problem so I've just let them ride. I'll start dumping them as soon as they show up from here on. Just out of curiosity: what are they about?, why are there always 2 of them, etc....do you have any place to refer me to in order to learn more?
As far as Ad-Aware, Spybot, SpywareBlaster, etc.....I run them daily....too much free time on my hands I guess.
Thanks, Harshale
The R0's are in your registry.
>>NOTE! When working in registry ALWAYS make a backup of your registry in case of a mistake. You then can correct it by going back.<<
go to start>run>type in regedit>then ok>go to HKEY_CURRENT_USER>Software
Local Page = . Highlight it and right click and click on delete. This will remove it from your system.
Just go to HKEY_LOCAL_MACHINE to find the other one
\\\,
>>NOTE! When working in registry ALWAYS make a backup of your registry in case of a mistake. You then can correct it by going back.<<
go to start>run>type in regedit>then ok>go to HKEY_CURRENT_USER>Software
Local Page = . Highlight it and right click and click on delete. This will remove it from your system.
Just go to HKEY_LOCAL_MACHINE to find the other one
\\\,
ASKER
akboss,
Over a period of months I've run that drill some many times I've lost count. They always return at some point. When they are there, my registry scanner reports them as "Invalid Path" or some such thing, it is missing an item "blank.htm"
I did a find Files and Folders search and found the missing blank.htm at C:\Windows\System\Oobe\. I modified the registry entries at CU, LM, and a third I found at Users\.default...\....\...
Over a period of months I've run that drill some many times I've lost count. They always return at some point. When they are there, my registry scanner reports them as "Invalid Path" or some such thing, it is missing an item "blank.htm"
I did a find Files and Folders search and found the missing blank.htm at C:\Windows\System\Oobe\. I modified the registry entries at CU, LM, and a third I found at Users\.default...\....\...
Well glad we could be of help to you.
ASKER
akboss,
One last report: since my last post I Googled up "Oobe" and found it to be a bunch of garbage....I put the "blank.htm" back in C:\Windows\System, did a Find Files...etc; Named: Oobe, and deleted every thing that had 2 O's in it (well, not quite that bad), but I got rid of Oobe in one stroke. The RO entries are gone now and so is a lot of other pesty trash that has been around. All in all it's been a good day....of course this thing will strike back eventually, it always finds a way. I've named it "Hydra - Medusa", it's like dealing with a barrel full of Medusas in a swamp full of Hydras. But it beats watching the news.
Adios, and take care, and thanks to all at Experts Exchange for being there and doing the fine work which you've been doing for so very long. Sincerely, Larry Harsha
One last report: since my last post I Googled up "Oobe" and found it to be a bunch of garbage....I put the "blank.htm" back in C:\Windows\System, did a Find Files...etc; Named: Oobe, and deleted every thing that had 2 O's in it (well, not quite that bad), but I got rid of Oobe in one stroke. The RO entries are gone now and so is a lot of other pesty trash that has been around. All in all it's been a good day....of course this thing will strike back eventually, it always finds a way. I've named it "Hydra - Medusa", it's like dealing with a barrel full of Medusas in a swamp full of Hydras. But it beats watching the news.
Adios, and take care, and thanks to all at Experts Exchange for being there and doing the fine work which you've been doing for so very long. Sincerely, Larry Harsha
Well thank you for the high praise and if there are other problems dont be shy about asking. Plenty of great experts here to help.
I just took a look at your log, just be patient - you're in good hands there!
I'll follow you're progress there!
Yes, you have some "unpleasant" stuff on your computer!
One thing that you should do is upgrade HijackThis to the latest version - 1.98.2
It's available here:
http://www.subratam.org/?page=removal
Or:
http://www.zerosrealm.com/downloads/hjt.zip
Then, repost a new log file.
Also, feel free to post a log file here - there are people here who can deal with these things.
Regards...
RF