
Nasty CWS I can't get rid of....

Discussion in 'Security and Privacy' started by psuedo IT, 2004/07/09.

Thread Status:
Not open for further replies.
  1. 2004/07/09
    psuedo IT

    psuedo IT Inactive Thread Starter

    Joined:
    2004/07/09
    Messages:
    9
    Likes Received:
    0
    Well since we opened a new office, and even though I warned users (I am not really IT, I just happen to remember my password so I am now IT by default) against surfing the net until Anti-virus and the Firewall were installed, one of the users still got hit with a nasty version of CWS. So after battling it for the better part of a month, I thought I would turn to the experts.

    Here are the details:
    OS: Windows 2000
    CWS Shredder scans find: CWS.Bootconf and later CWS.Searchx
    HJT: Ran repeatedly to clear the RegKeys and DLLs, but it keeps coming back
    Adaware: Continuously finds VX2 and CWS DLLs and tracking cookies
    BHOs: Wintools and Ibis toolbars keep installing themselves

    I have run CWS Shredder and HJT for the third time today. Can anyone give me a hand with this? I am about to kill the end user and I lack the money for posting bail. What logs would you want to see? Any help would be greatly appreciated.
     
  2. 2004/07/09
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    I'd say step #1 (or if you want to club the user to his/her knees first then step #2) would be to make sure you have HJT version 1.98, run it, and paste the log file here.
     
    Newt,
    #2


  4. 2004/07/09
    psuedo IT

    psuedo IT Inactive Thread Starter

    Joined:
    2004/07/09
    Messages:
    9
    Likes Received:
    0
    Thanks for the help. I knew I should have started at the knees instead of jamming his head in the copier. Well before the police show up, here is the log:

    Logfile of HijackThis v1.98.0
    Scan saved at 4:54:53 PM, on 7/9/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Intel\ASF Agent\ASFAgent.exe
    C:\crcvpn\cvpnd.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Dell\OpenManage\Client\Iap.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\WINNT\system32\internat.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Common Files\WinTools\WToolsA.exe
    C:\Program Files\Common Files\WinTools\WSup.exe
    C:\Program Files\ACT\act.exe
    C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\Program Files\Common Files\WinTools\WToolsS.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
    O2 - BHO: (no name) - {5FFF973B-792C-4CF6-B939-674B46F4A4C6} - C:\WINNT\system32\aaaoei.dll
    O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe "
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
    O4 - HKCU\..\Run: [Internat.exe] internat.exe
    O4 - Global Startup: PartMiner VPN Client.lnk = C:\crcvpn\vpngui.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - (no file)
    O9 - Extra button: (no name) - {E9173ECA-1F4F-41ed-AF1F-8F723DFE3458} - (no file)
    O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - (no file) (HKCU)
    O9 - Extra button: (no name) - {E9173ECA-1F4F-41ed-AF1F-8F723DFE3458} - (no file) (HKCU)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = CRC_Domain
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = CRC_Domain
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = CRC_Domain
    O18 - Filter: text/html - {A6570224-50E6-40ED-B111-5CA139079702} - C:\WINNT\system32\aaaoei.dll
    O18 - Filter: text/plain - {A6570224-50E6-40ED-B111-5CA139079702} - C:\WINNT\system32\aaaoei.dll
     
  5. 2004/07/09
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Welcome to WindowsBBS psuedo IT :)

    Make sure you have the current version of CWShredder, v1.59.1

    Scan again with HijackThis and place a check next to the following entries. Close ALL other windows and click fix.


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
    O2 - BHO: (no name) - {5FFF973B-792C-4CF6-B939-674B46F4A4C6} - C:\WINNT\system32\aaaoei.dll
    O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
    O4 - HKCU\..\Run: [Internat.exe] internat.exe
    O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - (no file)
    O9 - Extra button: (no name) - {E9173ECA-1F4F-41ed-AF1F-8F723DFE3458} - (no file)
    O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - (no file) (HKCU)
    O9 - Extra button: (no name) - {E9173ECA-1F4F-41ed-AF1F-8F723DFE3458} - (no file) (HKCU)
    O18 - Filter: text/html - {A6570224-50E6-40ED-B111-5CA139079702} - C:\WINNT\system32\aaaoei.dll
    O18 - Filter: text/plain - {A6570224-50E6-40ED-B111-5CA139079702} - C:\WINNT\system32\aaaoei.dll


    Open CWShredder, with ALL other windows closed, click fix.

    Reboot to safe mode. Show hidden files and folders.

    Open C:\Program Files\Common files and delete the folder WinTools.
    Open C:\WINNT\system32 and delete the file internat.exe.
    Open C:\WINNT\Temp, select all and delete.
    Open C:\Documents and settings\username\Local Settings\temp, select all and delete. Do this for all usernames.
    Reboot back into windows. Scan again with HJT and if any of those R1's and R0's are back, (file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html) download and install :

    "FINDnFIX.exe" from
    http://freeatlast100.100free.com/FINDnFIX.exe or
    http://downloads.subratam.org/FINDnFIX.exe

    Run the "!LOG!.bat" file, wait for the final output (log.txt)
    post the results in your next post.

    Scan the PC with RAV. Check the box to autoclean. If any files are infected and uncleanable, click the report button then copy and paste it here, along with a new HijackThis log.
     
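The triage noahdfear does by eye above, written out as a small Python script: this is an added example, not code from the thread or from HijackThis, and the sample log is constructed from the HJT 1.98 log posted above (plus two benign lines a triage must leave alone). It parses the R0/R1/R3/O2/O4/O18 entries, groups the CWS about:blank indicators, and reports any file registered under more than one hook, which is how the randomly named DLL (aaaoei.dll in one log, klaok.dll in the next) can be spotted without knowing its name.

```python
"""Triage a HijackThis 1.98 log for the CoolWebSearch "about:blank" pattern
seen in this thread: R0/R1 search values redirected to an sp.html file in a
local Temp folder, an unnamed O2 BHO, and O18 text/html and text/plain MIME
filters that all load the same system32 DLL. The DLL name is randomized
between infections, so the script matches on role, not on file name.
"""
import re
from collections import defaultdict

# Constructed sample: lines taken from the HJT log posted above, plus two
# benign entries (vptray, the O17 domain) that a triage must not flag.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {5FFF973B-792C-4CF6-B939-674B46F4A4C6} - C:\WINNT\system32\aaaoei.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = CRC_Domain
O18 - Filter: text/html - {A6570224-50E6-40ED-B111-5CA139079702} - C:\WINNT\system32\aaaoei.dll
O18 - Filter: text/plain - {A6570224-50E6-40ED-B111-5CA139079702} - C:\WINNT\system32\aaaoei.dll
"""

# "R1 - <body>" / "O18 - <body>": section code, then the entry body.
ENTRY_RE = re.compile(r"^(R[0-3]|O\d+) - (.*)$")
# A search or start page pointing at a file under a Temp directory is the CWS tell.
TEMP_FILE_URL = re.compile(r"^file://.*\\temp\\", re.IGNORECASE)
# Any drive-letter path ending in .dll or .exe, used to correlate entries.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"\r\n]+?\.(?:dll|exe)\b", re.IGNORECASE)


def parse_entries(log_text):
    """Yield (section, body) for every HJT entry line, skipping headers and processes."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def triage(log_text):
    """Return a report dict grouping the CWS-related entries found in the log."""
    report = {
        "hijacked_search": [],    # R0/R1 values redirected to a local Temp file
        "blank_start_page": [],   # R0/R1 values forced to about:blank
        "unnamed_bho": [],        # O2 entries with no registered name
        "mime_filters": [],       # O18 text/html or text/plain filters
        "shared_components": {},  # file path -> sorted HJT sections that load it
    }
    roles = defaultdict(set)
    for section, body in parse_entries(log_text):
        value = body.split(" = ", 1)[1].strip() if " = " in body else ""
        if section in ("R0", "R1"):
            if TEMP_FILE_URL.match(value):
                report["hijacked_search"].append(body)
            elif value.lower() == "about:blank":
                report["blank_start_page"].append(body)
        elif section == "O2" and "(no name)" in body:
            report["unnamed_bho"].append(body)
        elif section == "O18" and body.startswith("Filter: text/"):
            report["mime_filters"].append(body)
        for path in PATH_RE.findall(body):
            roles[path.lower()].add(section)
    # One file registered under several hooks (BHO + MIME filter, or
    # URLSearchHook + BHO) is the component to remove first, whatever its name.
    report["shared_components"] = {
        path: sorted(sections) for path, sections in roles.items() if len(sections) > 1
    }
    return report


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for key, entries in result.items():
        print(f"== {key} ({len(entries)})")
        if isinstance(entries, dict):
            for path, sections in entries.items():
                print(f"  {path}  <- {', '.join(sections)}")
        else:
            for entry in entries:
                print(f"  {entry}")
```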
  6. 2004/07/13
    psuedo IT

    psuedo IT Inactive Thread Starter

    Joined:
    2004/07/09
    Messages:
    9
    Likes Received:
    0
    FindNFix question...

    edit note: merged this post with the main thread. - Newt

    I was trying to follow instructions yesterday left in my other post (between arguments with the ISP so called technicians regarding no access). In that post it said to log in under safe mode, delete this and that, run HJT and if there were any R0 or R1s, to download and run FindNFix (which is difficult, at best, without an ISP connection). Well the good news is, the connection is back up and I downloaded FindNFix.exe to the computer with the problem.

    The question is, how long does this normally take to get the end log? Not that I am complaining about watching a screen for a few hours and getting paid for it, but people who sign my paycheck tend to have a different opinion.
     
  7. 2004/07/13
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Well, I didn't realize you had no internet on the affected machine. Kudos to you for fixing that! It's been a while since I ran that program to test it, and don't really remember how long it took, but it seems like I got through a 50Gb partition in about 20 min. I've asked someone who recently ran it to post in.
     
  8. 2004/07/14
    psuedo IT

    psuedo IT Inactive Thread Starter

    Joined:
    2004/07/09
    Messages:
    9
    Likes Received:
    0
    Thanks for the help Dave. It took a little longer than I realized to get back to the board to check updates. Once I know the approximate time frame it will take to get everything run, I can plan my overtime accordingly. Thanks again for the help.
     
  9. 2004/07/14
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    The FindnFix program takes 3 steps to complete. If you are on a time frame I suggest you search around a bit to see what to do so you can complete it all in one sitting.
     
  10. 2004/07/16
    psuedo IT

    psuedo IT Inactive Thread Starter

    Joined:
    2004/07/09
    Messages:
    9
    Likes Received:
    0
    I am not sure the FindNFix is working. I doubleclick the !LOG!.BAT file, and after a small command screen comes up, it starts a search. The search runs about 30 seconds, says ok, then sits on the following prompt:

    C:\WINNT\SYSTEM32\ REND.DLL

    It just sits there and spikes my memory to 100% usage. Is there any chance I have a bad download?
     
  11. 2004/07/16
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Well, I don't know why it would hang there, but as it turns out, the author of FindnFix has pulled the program and asked that its use be stopped anyway. We'll have to do this another way. Is the machine still infected? Post a new log so we can see where we're at.
     
  12. 2004/07/20
    psuedo IT

    psuedo IT Inactive Thread Starter

    Joined:
    2004/07/09
    Messages:
    9
    Likes Received:
    0
    Well I guess that solves my problem with FindnFix. The PC is still infected, I will post another HJT log and AdAware log (if you want) tomorrow morning. Thanks again for the help.
     
  13. 2004/07/20
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Yes. :)
     
  14. 2004/07/20
    Scott Smith

    Scott Smith Inactive Alumni

    Joined:
    2002/01/12
    Messages:
    1,950
    Likes Received:
    4
    FYI
    Norton AntiVirus 2004 has been doing a pretty good job of tracking down those Adware trojans for me.
    It won't always get rid of them but it will tell you where they are and you can manually delete them.
    I didn't know Symantec was addressing spyware and Malware but apparently they are in 2004 version.
     
  15. 2004/07/21
    psuedo IT

    psuedo IT Inactive Thread Starter

    Joined:
    2004/07/09
    Messages:
    9
    Likes Received:
    0
    Figures it would be 2004 for Symantec to get on board. I just hope they can send a patch for the rest of us already using it.

    Here is the latest and greatest HJT log. I pretty much figured what I have to delete to temporarily fix this, the R0's and R1's, as well as a few DLL files. Any ideas how to fix this permanently? (Anyone want to contribute to bail money once I kill the user for making my life hell?).

    Logfile of HijackThis v1.98.0
    Scan saved at 8:07:32 AM, on 7/21/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Intel\ASF Agent\ASFAgent.exe
    C:\crcvpn\cvpnd.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Dell\OpenManage\Client\Iap.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\Program Files\ACT\act.exe
    C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
    C:\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {EED09F9C-B871-4151-8257-5BB80B10A4FB} - C:\WINNT\system32\klaok.dll
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe "
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - Global Startup: PartMiner VPN Client.lnk = C:\crcvpn\vpngui.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = CRC_Domain
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = CRC_Domain
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = CRC_Domain
    O18 - Filter: text/html - {DCE4E7C7-F2E8-459F-ACD8-73A9A8C1CC00} - C:\WINNT\system32\klaok.dll
    O18 - Filter: text/plain - {DCE4E7C7-F2E8-459F-ACD8-73A9A8C1CC00} - C:\WINNT\system32\klaok.dll
     
  16. 2004/07/21
    psuedo IT

    psuedo IT Inactive Thread Starter

    Joined:
    2004/07/09
    Messages:
    9
    Likes Received:
    0
    Here is the AdAware log file.

    Lavasoft Ad-aware Personal Build 6.181
    Logfile created on :Wednesday, July 21, 2004 8:12:48 AM
    Created with Ad-aware Personal, free for private use.
    Using reference-file :01R333 18.07.2004
    ______________________________________________________

    Reffile status:
    =========================
    Reference file loaded:
    Reference Number : 01R333 18.07.2004
    Internal build : 265
    File location : C:\Program Files\Lavasoft\Ad-aware 6\reflist.ref
    Total size : 1314436 Bytes
    Signature data size : 1293449 Bytes
    Reference data size : 20923 Bytes
    Signatures total : 28676
    Target categories : 10
    Target families : 526

    7-21-2004 8:12:48 AM - Scan started. (Custom mode)
    Memory scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 0

    Started registry scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    Registry scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 0


    Started deep registry scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Pageabout:blank

    Possible Browser Hijack attempt Object recognized!
    Type : RegData
    Data : "about:blank "
    Category : Data Miner
    Comment : Possible browser hijack attempt
    Rootkey : HKEY_CURRENT_USER
    Object : Software\Microsoft\Internet Explorer\Main
    Value : Start Page
    Data : "about:blank "

    Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Pageabout:blank

    Possible Browser Hijack attempt Object recognized!
    Type : RegData
    Data : "about:blank "
    Category : Data Miner
    Comment : Possible browser hijack attempt
    Rootkey : HKEY_LOCAL_MACHINE
    Object : Software\Microsoft\Internet Explorer\Main
    Value : Start Page
    Data : "about:blank "

    Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainSearch Pagetemp\sp.html

    Possible Browser Hijack attempt Object recognized!
    Type : RegData
    Data : "file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html "
    Category : Data Miner
    Comment : Possible browser hijack attempt
    Rootkey : HKEY_CURRENT_USER
    Object : Software\Microsoft\Internet Explorer\Main
    Value : Search Page
    Data : "file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html "

    Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainSearch Bartemp\sp.html

    Possible Browser Hijack attempt Object recognized!
    Type : RegData
    Data : "file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html "
    Category : Data Miner
    Comment : Possible browser hijack attempt
    Rootkey : HKEY_CURRENT_USER
    Object : Software\Microsoft\Internet Explorer\Main
    Value : Search Bar
    Data : "file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html "

    Possible browser hijack attempt : Software\Microsoft\Internet Explorer\SearchSearchAssistanttemp\sp.html

    Possible Browser Hijack attempt Object recognized!
    Type : RegData
    Data : "file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html "
    Category : Data Miner
    Comment : Possible browser hijack attempt
    Rootkey : HKEY_CURRENT_USER
    Object : Software\Microsoft\Internet Explorer\Search
    Value : SearchAssistant
    Data : "file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html "

    Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainSearch Pagetemp\sp.html

    Possible Browser Hijack attempt Object recognized!
    Type : RegData
    Data : "file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html "
    Category : Data Miner
    Comment : Possible browser hijack attempt
    Rootkey : HKEY_LOCAL_MACHINE
    Object : Software\Microsoft\Internet Explorer\Main
    Value : Search Page
    Data : "file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html "

    Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainSearch Bartemp\sp.html

    Possible Browser Hijack attempt Object recognized!
    Type : RegData
    Data : "file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html "
    Category : Data Miner
    Comment : Possible browser hijack attempt
    Rootkey : HKEY_LOCAL_MACHINE
    Object : Software\Microsoft\Internet Explorer\Main
    Value : Search Bar
    Data : "file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html "

    Possible browser hijack attempt : Software\Microsoft\Internet Explorer\SearchSearchAssistanttemp\sp.html

    Possible Browser Hijack attempt Object recognized!
    Type : RegData
    Data : "file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html "
    Category : Data Miner
    Comment : Possible browser hijack attempt
    Rootkey : HKEY_LOCAL_MACHINE
    Object : Software\Microsoft\Internet Explorer\Search
    Value : SearchAssistant
    Data : "file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html "


    Deep registry scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 8
    Objects found so far: 8


    Deep scanning and examining files (C:)
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    Tracking Cookie Object recognized!
    Type : File
    Data : administrator@advertising[1].txt
    Category : Data Miner
    Comment :
    Object : C:\Documents and Settings\Administrator\Cookies\

    Created on : 7/20/2004 8:55:42 PM
    Last accessed : 7/21/2004 12:13:36 PM
    Last modified : 7/20/2004 8:57:13 PM

    Tracking Cookie Object recognized!
    Type : File
    Data : administrator@atdmt[2].txt
    Category : Data Miner
    Comment :
    Object : C:\Documents and Settings\Administrator\Cookies\

    Created on : 7/21/2004 11:59:27 AM
    Last accessed : 7/21/2004 11:59:27 AM
    Last modified : 7/21/2004 11:59:27 AM

    Tracking Cookie Object recognized!
    Type : File
    Data : administrator@doubleclick[1].txt
    Category : Data Miner
    Comment :
    Object : C:\Documents and Settings\Administrator\Cookies\

    Created on : 7/20/2004 8:55:41 PM
    Last accessed : 7/21/2004 12:04:04 PM
    Last modified : 7/20/2004 8:57:13 PM

    Tracking Cookie Object recognized!
    Type : File
    Data : administrator@mediaplex[1].txt
    Category : Data Miner
    Comment :
    Object : C:\Documents and Settings\Administrator\Cookies\

    Created on : 7/21/2004 11:59:52 AM
    Last accessed : 7/21/2004 11:59:52 AM
    Last modified : 7/21/2004 11:59:52 AM

    Tracking Cookie Object recognized!
    Type : File
    Data : administrator@servedby.advertising[2].txt
    Category : Data Miner
    Comment :
    Object : C:\Documents and Settings\Administrator\Cookies\

    Created on : 7/20/2004 8:57:13 PM
    Last accessed : 7/21/2004 12:13:36 PM
    Last modified : 7/20/2004 8:57:13 PM

    VX2 Object recognized!
    Type : File
    Data : ayaamon.dll
    Category : Data Miner
    Comment :
    Object : C:\WINNT\SYSTEM32\
    FileSize : 313 KB
    Created on : 7/6/2004 12:08:02 PM
    Last accessed : 7/21/2004 12:15:54 PM
    Last modified : 7/6/2004 12:08:02 PM

    Disk scan result for C:\
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 14

    Scanning Hosts file(C:\WINNT\system32\drivers\etc\hosts)
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    Hosts file scan result:
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    25 entries scanned.
    New objects :0
    Objects found so far: 14

    Performing conditional scans..
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    Conditional scan result:
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 14

    8:16:48 AM Scan complete

    Summary of this scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    Total scanning time :00:04:00:47
    Objects scanned :78317
    Objects identified :14
    Objects ignored :0
    New objects :14
     
  17. 2004/07/21
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Download and install Reglite. Open and copy/paste the following string in the address window then click go. (your path and key name in the following instructions may be WINNT rather than Windows)

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

    Double click on the AppInit_DLLs entry to open a "Data Editor" properties window. If the Value line contains a .dll filename, make note of it. Then in the left pane, click the Windows folder (highlighted purple), then click edit on the toolbar. Select rename and type Notwindows, then hit enter. Click the AppInit_DLLs entry again and clear the value containing the .dll and OK it. Rename the Notwindows folder back to its original name "Windows". Check the AppInit_DLLs entry again to make sure the value is blank.

    Restart your computer in safe mode.

    Create a dummy folder (e.g. C:\junk). Open C:\WINNT\System32, locate the file noted, right click and choose properties, then clear the read only box if checked and OK. Right click again and cut, then paste it into the junk folder. Then take ownership of the file, if applicable. Now right click the junk folder itself and select properties. Go to the security tab and click the advanced button. Check the box to reset permissions on all child objects, if applicable. Hit apply and OK. Now delete the folder.

    Run CWShredder then Ad-aware again. Delete all Ad-aware finds.

    Open C:\Windows(WINNT)\Temp, select all and delete.
    Open C:\Documents and settings\username\Local Settings\temp, select all and delete. Do this for all usernames.
    Open My Computer, right click Local disk C: and choose properties, then disk cleanup.

    Reboot back into windows and download VX2Finder from this link:

    http://download.broadbandmedic.com/VX2Finder(126).exe

    Open Vx2Finder and click on the click to find VX2.BetterInternet button. Then click make log.

    Copy and paste the contents of the log into your next reply here along with a new HJT log.
     
  18. 2004/07/21
    psuedo IT

    psuedo IT Inactive Thread Starter

    Joined:
    2004/07/09
    Messages:
    9
    Likes Received:
    0
    Well Dave, I followed your instructions, but came across a problem. I was unable to cut and paste the DLL file listed under the Registrar Lite value. Every time I attempted to make any changes to the file, it gave me an error stating that Windows was currently using the file and changes could not be made (insert various 4 letter words here).

    Any ideas to get around this so I can complete your instructions? Thanks again for all of your help. (You can count on my Finance Dept getting a request for subscription once this gets cleaned up).
     
  19. 2004/07/21
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    If I understand what you've stated correctly, you misunderstood my directions. The only thing you copy/paste is the registry path to the Windows (WINNT) key containing the AppInit entry.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs **note: you may need to change the windows value to WINNT

    After finding the AppInit value, with a dll filename, close the 'Data Editor' window and click the Windows (WINNT) folder in the left pane (should be purple). Click edit on the toolbar and select rename. Rename the folder NotWindows (NotWINNT), or something. This effectively takes it out of use. Now double click the AppInit_dlls entry again to reopen the Data Editor, highlight the value and backspace to remove. Close the Editor and rename the NotWindows (NotWINNT) folder back to Windows (WINNT). Now check the Appinit_dlls entry again to be sure the value is empty. Close Reglite and reboot to safe mode to delete the file found in the AppInit value.
    That's good to hear. :)
     