Coolwwwsearch is evil!
Samm253
04-26-2005, 10:46 PM
Can someone help me please. My dumb friend was downloading stupid things on my computer yesterday and then got it infected with a CoolWWWSearch spyware. I've tried using several spyware programs, one of them is Spybot Search & Destroy, but the damn spyware keeps coming back later after I just removed it. Does anyone know any good free software for removing this problem permanently, or any solutions?
Budfred
04-26-2005, 11:13 PM
I moved your thread to a more appropriate forum...
The usual antispyware programs cannot fix a CWS infection... You can try running an online virus scan and see if that helps... You can also use CWShredder, but I would not do that until we can figure out what kind of CWS you have... We need to see a HijackThis scan to find out what is going on in your system... Download it from the link below and follow the instructions to produce a log...
To run HJT, extract it to a permanent folder such as one you create like C:\HJT. Close all open windows and browsers and make sure that all programs are enabled if you use msconfig. Run it and Scan, then Save the log. When the log window appears, Right click to Copy it, open your browser and come here to Paste the entire log. Do not make any changes until it is checked since most items are either benign or essential to the computer.
http://www.subratam.org/?page=removal
Samm253
04-26-2005, 11:54 PM
Sorry about that, posting on the wrong thread. I've just scanned it with HijackThis and here is the log file.
Logfile of HijackThis v1.99.1
Scan saved at 7:45:53 PM, on 4/26/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Games\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\cmd32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\intfsdffdsronsad.exe
C:\Program Files\Games\winrar\WinRAR.exe
C:\DOCUME~1\GETOUT~1\LOCALS~1\Temp\Rar$EX00.662\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\AVG\Spybot - Search & Destroy\SDHelper.dll (file missing)
O2 - BHO: Name - {59F3F976-C232-4097-8312-6D67E1ADC16B} - C:\WINDOWS\System32\mskar.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Games\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\cmd32.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-24.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} (SbInstObj) - http://installs.spamblockerutility.com/installs/spamblockerutility/programs/spamblockerutility.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{08821A72-C098-40E5-AC3B-53EBAFC0157B}: NameServer = 69.50.176.197,195.225.176.31
O17 - HKLM\System\CS1\Services\Tcpip\..\{08821A72-C098-40E5-AC3B-53EBAFC0157B}: NameServer = 69.50.176.197,195.225.176.31
O17 - HKLM\System\CS2\Services\Tcpip\..\{08821A72-C098-40E5-AC3B-53EBAFC0157B}: NameServer = 69.50.176.197,195.225.176.31
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Budfred
04-27-2005, 01:11 AM
Okay, this is a nasty one... Please do this:
Prepare CWShredder:
Download CWShredder (http://www.intermute.com/spysubtract/cwshredder_download.html).
Save it to your desktop.
Do not run it yet. We will run it later.
Run Symantec's BackDoor Removal Tool:
Download the Backdoor.Agent.B Removal Tool (http://securityresponse.symantec.com/avcenter/venc/data/backdoor.agent.b.removal.tool.html) from Symantec.
Follow Symantec's instructions for how to run it.
Be sure to save the log file. I will need to see it later.
Restart your computer.
Run CWShredder. Be sure to click Fix as opposed to Scan Only. It should find some things and remove them.
Restart your computer once more.
Post the log Symantec's tool gave you.
Then move HJT to a permanent folder so that it is not accidentally deleted as we clean this up... Open an HJT scan and put checks by:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\AVG\Spybot - Search & Destroy\SDHelper.dll (file missing)
O2 - BHO: Name - {59F3F976-C232-4097-8312-6D67E1ADC16B} - C:\WINDOWS\System32\mskar.dll (file missing)
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\cmd32.exe internat.dll,LoadKeyboardProfile
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
I am pretty sure that these are part of the infection, but I was not able to verify that... I suggest fixing them and then if you have problems with your internet connection please use the HJT backup to restore them...
O17 - HKLM\System\CCS\Services\Tcpip\..\{08821A72-C098-40E5-AC3B-53EBAFC0157B}: NameServer = 69.50.176.197,195.225.176.31
O17 - HKLM\System\CS1\Services\Tcpip\..\{08821A72-C098-40E5-AC3B-53EBAFC0157B}: NameServer = 69.50.176.197,195.225.176.31
O17 - HKLM\System\CS2\Services\Tcpip\..\{08821A72-C098-40E5-AC3B-53EBAFC0157B}: NameServer = 69.50.176.197,195.225.176.31
These look suspicious and the O16s are restored if you visit the site in question again, so I suggest fixing them too....
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/insta.../sinstaller.cab
O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} (SbInstObj) - http://installs.spamblockerutility....ckerutility.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
Then close all open windows except HJT and click Fix Checked...
Using HJT, go to Config and then to Misc Tools and use the "delete on reboot" option to enter the whole location and file for each of these... Click through to close HJT and reboot... Please note if you are still having any problems when you post back and post the log noted earlier....
C:\WINDOWS\System32\intfsdffdsronsad.exe
C:\WINDOWS\System32\cmd32.exe internat.dll
c:\wp.exe
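The triage Budfred just did by eye can be scripted. The following is an added example (not code from this thread or from HijackThis): it reads the R0/R1/R3/O2/O4/O17 line layouts exactly as they appear in the posted log and flags the same categories he singled out: search and start pages reset to about:NavigationFailure or about:blank, the missing URLSearchHook, a BHO whose DLL is gone, a Run key launching an .exe from the drive root, and NameServer entries pointing anywhere but the resolvers you expect. TRUSTED_NAMESERVERS and EXPECTED_RUN_ROOTS are assumptions made for the example; the sample lines are copied from the log above.

```python
"""Triage a HijackThis log for the CWS-style hijack indicators discussed above.

Added example, not code from the thread or from HijackThis. The nameserver
allow list and the "expected program location" rule are assumptions.
"""
import re

# ASSUMPTION: the resolver(s) this machine is expected to use (router/ISP).
TRUSTED_NAMESERVERS = {"192.168.1.1"}

# Search/start page values that are a hijack symptom, never a user choice.
HIJACK_PAGE_VALUES = {"about:navigationfailure", "about:blank"}

# ASSUMPTION: Run-key executables normally live under these roots on a home
# XP box; anything else (an .exe sitting in the drive root, say) is suspect.
EXPECTED_RUN_ROOTS = ("c:\\program files\\", "c:\\windows\\")

LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")

# Sample input: lines taken from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R3 - Default URLSearchHook is missing
O2 - BHO: Name - {59F3F976-C232-4097-8312-6D67E1ADC16B} - C:\WINDOWS\System32\mskar.dll (file missing)
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Games\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\cmd32.exe internat.dll,LoadKeyboardProfile
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{08821A72-C098-40E5-AC3B-53EBAFC0157B}: NameServer = 69.50.176.197,195.225.176.31
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""


def _run_target(body):
    """Return the executable path from an O4 Run-key body, or None."""
    if "] " not in body:
        return None  # "Global Startup: foo.lnk = path" entries use another layout
    cmd = body.split("] ", 1)[1].strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]  # quoted path, may contain spaces
    return cmd.split(" ", 1)[0]  # unquoted path: first token is the program


def triage_hjt(log_text):
    """Return a list of (kind, reason, line) for each entry worth checking."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # header, process list, blank lines
        kind, body = m.group("kind"), m.group("body")
        if kind in ("R0", "R1"):
            # "key,value = data": compare the data part against hijack values
            value = body.partition(" = ")[2].strip().lower()
            if value in HIJACK_PAGE_VALUES:
                findings.append((kind, "search/start page hijacked", line))
        elif kind == "R3" and "is missing" in body:
            findings.append((kind, "default URLSearchHook removed", line))
        elif kind == "O2" and body.endswith("(file missing)"):
            findings.append((kind, "BHO registered for a missing file", line))
        elif kind == "O4":
            exe = _run_target(body)
            if exe and not exe.lower().startswith(EXPECTED_RUN_ROOTS):
                findings.append((kind, "Run key launches from unusual path", line))
        elif kind == "O17":
            servers = [s.strip() for s in body.partition(" = ")[2].split(",")]
            if any(s not in TRUSTED_NAMESERVERS for s in servers):
                findings.append((kind, "DNS servers point at untrusted hosts", line))
    return findings


if __name__ == "__main__":
    for kind, reason, line in triage_hjt(SAMPLE_LOG):
        print(f"{kind:4} {reason:38} {line}")
```

Note what the path rule does not catch: the cmd32.exe Run entry sits in System32 and passes it, even though Budfred was right to list it; it is the name knowledge (there is no Windows component that loads internat.dll via cmd32.exe) and, later in the thread, the scanner's Trojan-Downloader verdict that condemn it. Heuristics like this narrow the list; they do not replace a reviewer.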
Samm253
04-29-2005, 09:30 PM
Hi, I finally had the time to do the things you told me, and thank you for spending the time to help me out. Okay, I did all the things you told me and it finally stopped all the programs that were running in the Task Manager, but I'm still having problems: I'm unable to set a homepage on my Internet Explorer, it still shows up as blank, and I can't change the background on my computer, all of the settings under Properties are missing. I am also receiving this error message, something about c:/lininstaller.exe, that keeps popping up. I ran the Backdoor.Agent.B Removal Tool but it never gave me a saved log.
Budfred
04-29-2005, 10:37 PM
Please reboot and post a fresh HJT log... Without seeing one, I can't tell you what to do next... That file you referred to is almost certainly bad... It would be a good idea to say exactly what the error message you are getting is... I am blind without information...
Samm253
05-01-2005, 12:35 AM
Logfile of HijackThis v1.99.1
Scan saved at 8:32:57 PM, on 4/30/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Games\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Lavasoft\hijackthis\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Games\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AbsolutePoker.net - {5E72AD5A-20DF-4ca4-9B7B-D9717FFDE0C5} - C:\Documents and Settings\All Users\Start Menu\Programs\AbsolutePoker NET\AbsolutePoker NET.lnk
O9 - Extra 'Tools' menuitem: AbsolutePoker.net - {5E72AD5A-20DF-4ca4-9B7B-D9717FFDE0C5} - C:\Documents and Settings\All Users\Start Menu\Programs\AbsolutePoker NET\AbsolutePoker NET.lnk
O9 - Extra button: Microsoft AntiSpyware helper - {DBE2E183-1F0D-439B-9F9F-61A7396CB79D} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {DBE2E183-1F0D-439B-9F9F-61A7396CB79D} - (no file) (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-24.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Budfred
05-01-2005, 01:08 AM
Your log is looking clean... I suggest running another scan to see if it shows anything...
Try running an MWavScan... It will produce a log in the lower right hand corner and you will need to use Ctrl-C to copy the bottom part of it that has the bad items and then paste it here for review....
http://www.mwti.net/antivirus/free_utilities.asp
It will suggest that you buy the product to fix what it finds, but that is not necessary... Just post the bad part of the scan and we will deal with it...
darmitage1215
05-02-2005, 11:03 AM
Just read your message. I had a virus and spyware come up and I lost my homepage on Saturday. I have Windows XP, and with Service Pack 2 there is a free program for spyware called Microsoft Anti-Spyware, so I did a scan with this and it asked me to block or not, so I said yes. You can get this free program at microsoft.com. 1 year ago I couldn't get rid of this page called blank and it was causing phony pop-ups too, but I had to get a wipe and reload to get rid of it. This is all called hijack. I recommend that you go to www.microsoft.com and download Anti-Spyware Beta 1, it's called; it's free.
PrntRhd
05-02-2005, 11:13 AM
darmitage1215,
Budfred is the expert and is already helping the member, this is not something that one program fixes, just read the thread so far.
darmitage1215
05-02-2005, 11:33 AM
I Just Had The Same Problem And Was Just Trying To Help So Take A Pill!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
darmitage1215
05-02-2005, 02:31 PM
One program just fixed mine, the Microsoft Anti-Spyware program Beta 1, www.microsoft.com, so I guess you're wrong!
Budfred
05-02-2005, 11:11 PM
darmitage1215,
Unless something has changed in a major way recently, MS Antispyware cannot fix this infection, but it may be able to mask it so that you don't know that you have it anymore... I suggest that you open another thread and post an HJT log to make sure it is clean...
Samm253
05-03-2005, 09:24 PM
This is weird: a few days ago I ran the AVG virus scanner and it said that the system was clean, and now that I ran MWTI it found 28 viruses :( I guess AVG isn't really a good program to use, but anyway, here are the viruses.
File C:\WINDOWS\System32\hdhch.dll infected by "HackTool.Win32.Hidd.h" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\cmd32.exe infected by "Trojan-Downloader.Win32.Delf.cb" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\dosxpd.exe infected by "not-a-virus:AdWare.Msnagent.a" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\fixmapirs.exe infected by "not-a-virus:AdWare.FindSpy.a" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\hdasg.dll infected by "HackTool.Win32.Hidd.h" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\hdbfc.dll infected by "HackTool.Win32.Hidd.h" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\hdbnm.dll infected by "HackTool.Win32.Hidd.h" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\hdcah.dll infected by "HackTool.Win32.Hidd.h" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\hdflv.dll infected by "HackTool.Win32.Hidd.h" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\hdhch.dll infected by "HackTool.Win32.Hidd.h" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\hdnnv.dll infected by "HackTool.Win32.Hidd.h" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\hdoum.dll infected by "HackTool.Win32.Hidd.h" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\hdqkp.dll infected by "HackTool.Win32.Hidd.h" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\hdqti.dll infected by "HackTool.Win32.Hidd.h" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\hdrgl.dll infected by "HackTool.Win32.Hidd.h" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\hdtqr.dll infected by "HackTool.Win32.Hidd.h" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\hdygv.dll infected by "HackTool.Win32.Hidd.h" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\hdynk.dll infected by "HackTool.Win32.Hidd.h" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\hdzna.dll infected by "HackTool.Win32.Hidd.h" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\intfsdffdsronsad.exe infected by "not-a-virus:AdWare.ToolBar.ISearch.d" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\izxczxcr.exe infected by "Trojan-Downloader.Win32.Delf.lf" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\izxxzdsafsafczxcr.exe infected by "Trojan-Downloader.Win32.Small.aqt" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\wldr.dll infected by "Trojan-Downloader.Win32.Agent.le" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\GETOUT~1\LOCALS~1\TEMPOR~1\Content.IE5\CNHZM2RP\1[1].htm infected by "Exploit.HTML.Mht" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\GETOUT~1\LOCALS~1\TEMPOR~1\Content.IE5\CNHZM2RP\msits[1].exe infected by "Trojan-Downloader.Win32.Delf.cb" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\GETOUT~1\LOCALS~1\TEMPOR~1\Content.IE5\OPAJ89MJ\open[1].exe infected by "Trojan-Downloader.Win32.Small.acw" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\GETOUT~1\LOCALS~1\TEMPOR~1\Content.IE5\OPAJ89MJ\style[1].css infected by "Trojan-Downloader.Win32.Small.acw" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\GETOUT~1\LOCALS~1\TEMPOR~1\Content.IE5\OPAJ89MJ\style[2].css infected by "Trojan-Downloader.Win32.Small.acw" Virus. Action Taken: No Action Taken.
Budfred
05-03-2005, 10:34 PM
It is not so much that AVG is bad, it is that no one program covers it all...
Try this now... Run an online virus scan... You can use Housecall from my signature or go with Panda online... I wouldn't bother with the BitDefender...
Download CCleaner:
http://www.ccleaner.com/
Then download KillBox:
http://www.downloads.subratam.org/KillBox.zip
Boot to Safe Mode... Run CCleaner to clean out Temp folders and then set KillBox up and use it to kill any of these that are left... Use the Rename and delete on reboot options:
C:\WINDOWS\System32\hdhch.dll
C:\WINDOWS\System32\cmd32.exe
C:\WINDOWS\System32\dosxpd.exe
C:\WINDOWS\System32\fixmapirs.exe
C:\WINDOWS\System32\hdasg.dll
C:\WINDOWS\System32\hdbfc.dll
C:\WINDOWS\System32\hdbnm.dll
C:\WINDOWS\System32\hdcah.dll
C:\WINDOWS\System32\hdflv.dll
C:\WINDOWS\System32\hdnnv.dll
C:\WINDOWS\System32\hdoum.dll
C:\WINDOWS\System32\hdqkp.dll
C:\WINDOWS\System32\hdqti.dll
C:\WINDOWS\System32\hdrgl.dll
C:\WINDOWS\System32\hdtqr.dll
C:\WINDOWS\System32\hdygv.dll
C:\WINDOWS\System32\hdynk.dll
C:\WINDOWS\System32\hdzna.dll
C:\WINDOWS\System32\intfsdffdsronsad.exe
C:\WINDOWS\System32\izxczxcr.exe
C:\WINDOWS\System32\izxxzdsafsafczxcr.exe
C:\WINDOWS\System32\wldr.dll
C:\DOCUME~1\GETOUT~1\LOCALS~1\TEMPOR~1\Content.IE5\CNHZM2RP\1[1].htm
C:\DOCUME~1\GETOUT~1\LOCALS~1\TEMPOR~1\Content.IE5\CNHZM2RP\msits[1].exe
C:\DOCUME~1\GETOUT~1\LOCALS~1\TEMPOR~1\Content.IE5\OPAJ89MJ\open[1].exe
C:\DOCUME~1\GETOUT~1\LOCALS~1\TEMPOR~1\Content.IE5\OPAJ89MJ\style[1].css
C:\DOCUME~1\GETOUT~1\LOCALS~1\TEMPOR~1\Content.IE5\OPAJ89MJ\style[2].css
Reboot to normal mode... Post another MWavScan... It might be good to post another HJT scan too...
Samm253
05-04-2005, 04:11 AM
Here's the MWavScan:
File C:\WINDOWS\System32\hdfsq.dll infected by "HackTool.Win32.Hidd.h" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\intfsdffdsronsad.exe infected by "not-a-virus:AdWare.ToolBar.ISearch.d" Virus. Action Taken: No Action Taken.
Logfile of HijackThis v1.99.1
Scan saved at 12:09:51 AM, on 5/4/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Games\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Samsung\Digimax Viewer 2.1\STImgBrowser.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Lavasoft\hijackthis\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Games\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Digimax Viewer 2.1.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AbsolutePoker.net - {5E72AD5A-20DF-4ca4-9B7B-D9717FFDE0C5} - C:\Documents and Settings\All Users\Start Menu\Programs\AbsolutePoker NET\AbsolutePoker NET.lnk
O9 - Extra 'Tools' menuitem: AbsolutePoker.net - {5E72AD5A-20DF-4ca4-9B7B-D9717FFDE0C5} - C:\Documents and Settings\All Users\Start Menu\Programs\AbsolutePoker NET\AbsolutePoker NET.lnk
O9 - Extra button: Microsoft AntiSpyware helper - {DBE2E183-1F0D-439B-9F9F-61A7396CB79D} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {DBE2E183-1F0D-439B-9F9F-61A7396CB79D} - (no file) (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-24.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Budfred
05-04-2005, 10:40 PM
Try to KillBox these again:
C:\WINDOWS\System32\hdfsq.dll
C:\WINDOWS\System32\intfsdffdsronsad.exe
Throw every combination of deletion techniques at them until the log comes up clean... If it doesn't, we will need to look for another attack...
Samm253
05-05-2005, 01:56 AM
Hey,
I was able to delete C:\WINDOWS\System32\hdfsq.dll and C:\WINDOWS\System32\intfsdffdsronsad.exe with KillBox, but when I rebooted my comp I ran the MWavScan again and it found a new problem :mad:
C:\WINDOWS\System32\hdvrv.dll infected by "HackTool.Win32.Hidd.h" Virus. Action Taken: No Action Taken.
I tried using KillBox on this new virus several times, but I get a message saying PendingFileRenameOperations registry data has been removed by external message. I'm not sure what that means, but the stupid virus is still here :(
Budfred
05-05-2005, 08:34 AM
Did you try it in Safe Mode? If not, do so... Also, if you have MS Antispyware resident protection turned on, turn it off so it doesn't block the fix:
We need to disable your Microsoft AntiSpyware Real-time Protection as it may interfere with the fixes that we need to make.
Open Microsoft AntiSpyware.
Click on Tools, Settings.
In the left pane, click on Real-time Protection.
Under Startup Options uncheck Enable the Microsoft AntiSpyware Security Agents on startup (recommended).
Under Real-time spyware threat protection uncheck Enable real-time spyware threat protection (recommended).
After you uncheck these, click on the Save button and close Microsoft AntiSpyware.
Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware.
After all of the fixes are complete it is very important that you enable Real-time Protection again.
darmitage1215
05-05-2005, 12:55 PM
Last Saturday I was on a site and my AVG anti-virus came up and said I had a virus, and then www. blank took over my homepage, which was spyware. My AVG anti-virus protector took care of the virus, and then I ran CWShredder but it didn't help, so I ran Microsoft Anti-Spyware, doing a scan, and then it asked me to block this spyware and it cleaned it all up. CoolWWWSearch and ww.blank are all the same thing as far as I know; they are both listed in CWShredder and I'm pretty sure they are both spyware infections. But a wipe and reload will for sure cure the problem. I had to do this last summer because no program would remove this www. blank off my computer; sometimes it will and other times it won't.
Budfred
05-05-2005, 08:48 PM
darmitage1215,
That may have been your experience, but as you can see in this thread, it didn't work here... As I said before, it may not have worked as well for you as you think, so I suggest you post a log in your own thread to check for any other issues... Your choice...
Samm253
05-06-2005, 11:02 PM
Hey,
Ya, I made sure that I ran KillBox in Safe Mode. Nope, I don't have MS Antispyware resident protection turned on; I'm not even sure if I have the program, at least I don't think so.
Budfred
05-06-2005, 11:10 PM
Sorry, I got tricked by one of the worst infections in your log... Please open an HJT fix and put checks by:
O9 - Extra button: Microsoft AntiSpyware helper - {DBE2E183-1F0D-439B-9F9F-61A7396CB79D} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {DBE2E183-1F0D-439B-9F9F-61A7396CB79D} - (no file) (HKCU)
Then close all open windows except HJT and click Fix checked...
Reboot and post a fresh HJT and MWavScan... We may need to go to another fix if we haven't already killed that infection...
Samm253
05-08-2005, 05:55 PM
Still no luck. Every time I use KillBox on one of these infections, a few minutes later a new one reappears. Here's the MWAV scan.
File C:\WINDOWS\System32\hdgeu.dll infected by "HackTool.Win32.Hidd.h" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\hdgeu.dll infected by "HackTool.Win32.Hidd.h" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\hdnjm.dll infected by "HackTool.Win32.Hidd.h" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\hdvmu.dll infected by "HackTool.Win32.Hidd.h" Virus. Action Taken: No Action Taken.
Logfile of HijackThis v1.99.1
Scan saved at 1:53:51 PM, on 5/8/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Games\ZoneAlarm\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Samsung\Digimax Viewer 2.1\STImgBrowser.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Lavasoft\hijackthis\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Games\ZoneAlarm\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Digimax Viewer 2.1.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AbsolutePoker.net - {5E72AD5A-20DF-4ca4-9B7B-D9717FFDE0C5} - C:\Documents and Settings\All Users\Start Menu\Programs\AbsolutePoker NET\AbsolutePoker NET.lnk
O9 - Extra 'Tools' menuitem: AbsolutePoker.net - {5E72AD5A-20DF-4ca4-9B7B-D9717FFDE0C5} - C:\Documents and Settings\All Users\Start Menu\Programs\AbsolutePoker NET\AbsolutePoker NET.lnk
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-24.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
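As an added example (not code from the thread or from HijackThis itself), here is a small parser for the HijackThis v1.99.1 log format posted above: it splits each entry into its section code, CLSID and the file, URL or command it loads, counts entries per section and picks out the ones HJT could not resolve (shown as "?"). The sample log is a constructed subset of the entries above.

```python
import re
from collections import Counter

# Constructed sample in HijackThis v1.99.1 log format, modelled on the
# entries quoted in this thread (a subset, not the full posted log).
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://msn.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\\Program Files\\Yahoo!\\Companion\\Installs\\cpn\\ycomp5_5_7_0.dll
O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP
O4 - Global Startup: Digimax Viewer 2.1.lnk = ?
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-24.cab
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe
"""

LINE_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUN_RE = re.compile(r"\[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


def parse_hjt(text):
    """Split each HJT entry into section code, CLSID (if any) and the file,
    URL or command it loads ("target"); header/process lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        clsid = CLSID_RE.search(body)
        run = RUN_RE.search(body)
        if run:                       # O4 Run keys: [name] command
            target = run.group("cmd")
        elif " = " in body:           # R0 start page, Startup .lnk = path
            target = body.rsplit(" = ", 1)[1]
        else:                         # BHO / Toolbar / DPF / Service
            target = body.rsplit(" - ", 1)[1]
        entries.append({"code": code, "body": body,
                        "clsid": clsid.group(0) if clsid else "",
                        "target": target})
    return entries


def counts_by_section(entries):
    """How many entries each section contributed (R0, O2, O4, ...)."""
    return dict(Counter(e["code"] for e in entries))


def unresolved_targets(entries):
    """Entries HJT could not resolve (shown as '?'), such as the Digimax
    .lnk above; a reviewer checks what those shortcuts point to by hand."""
    return [e for e in entries if e["target"] == "?"]
```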
Budfred
05-08-2005, 06:35 PM
Okay, try this... Boot to Safe Mode... run MWavScan and then Killbox whatever it finds in the bad list... Try to kill them without a reboot and then enter them again with a reboot... See if they have returned when you have rebooted... If they have, we will need to find another way to see if we can find the source since it is not showing up in the log....
If they do reappear, try running an Ewido scan in Safe Mode and see if that will do it... Be sure to update it prior to going to Safe Mode...
http://www.ewido.net/en/
Also, try one of these to see if we can find the source:
Please download RootkitRevealer.exe and unzip it into a folder. Run a scan and produce a log...
http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml
When it is done, go to File and select Save...
Include the log in your next reply.
Do not worry if there are a large number of items, this is normal.
It is a deep scan which will take a considerable amount of time, I suggest you disconnect from the internet and leave the PC alone until its finished.
To reduce the size of the log posted here, please edit out items that appear in these folders if there are some:
C:\RECYCLER\NPROTECT
C:\System Volume Information
before you post the log....
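The trimming step Budfred asks for, as an added example (not code from the thread or from RootkitRevealer): it drops the two folders from a saved RootkitRevealer log and summarises what kinds of discrepancies remain. The tab-separated Path / Timestamp / Size / Description layout is an assumption made for this example, and the sample rows are constructed.

```python
from collections import Counter

# Folders Budfred asks to be edited out of the posted log (case-insensitive).
NOISE_PREFIXES = ("c:\\recycler\\nprotect", "c:\\system volume information")

# Constructed sample of a saved RootkitRevealer log. The tab-separated
# Path / Timestamp / Size / Description layout is an assumption made for
# this example; the rows themselves are invented, not from a real scan.
SAMPLE_RKR = "\n".join([
    "C:\\RECYCLER\\NPROTECT\\00000123.exe\t5/10/2005 8:01 PM\t12.50 KB\tHidden from Windows API.",
    "C:\\System Volume Information\\_restore{00000000-0000-0000-0000-000000000000}\\RP12\\A0001.dll"
    "\t5/10/2005 8:02 PM\t48.00 KB\tHidden from Windows API.",
    "C:\\WINDOWS\\system32\\example_hidden.dll\t5/10/2005 7:55 PM\t20.00 KB\tHidden from Windows API.",
    "HKLM\\SOFTWARE\\Classes\\CLSID\\{00000000-0000-0000-0000-000000000001}\t5/10/2005 7:50 PM\t0 bytes"
    "\tKey name contains embedded nulls (*)",
])


def parse_rkr(text):
    """Turn each well-formed log row into a dict; anything that is not
    four tab-separated fields (headers, blank lines) is skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) == 4:
            rows.append(dict(zip(("path", "timestamp", "size", "description"), parts)))
    return rows


def trim_rkr(rows):
    """Drop the NPROTECT and System Volume Information entries that
    Budfred says to edit out before posting."""
    return [r for r in rows if not r["path"].lower().startswith(NOISE_PREFIXES)]


def count_by_description(rows):
    """Summarise what kinds of discrepancies remain after trimming."""
    return dict(Counter(r["description"] for r in rows))
```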
Samm253
05-10-2005, 07:19 AM
Hey,
I got some good news and some really bad news, I ran ewido and I think it has finally gotten rid of all the spyware because now when I run mwav scan it comes up clean yes.... :) .Now the bad news is when I ran sysinternals a few mins later after it was scanning it set off my avg anti-virus and ended up finding 37 viruses, I deleted all the files with avg but I don't think I got all of them cause when I rebooted the computer this software with no name keeps popping up telling me to install hardware wizard I can't seem to close or cancel it, oh ya I will post a log of sysinternals later for some reason the log I saved came up blank.
Budfred
05-10-2005, 09:05 PM
I am afraid that I don't understand most of your post... Could you explain it a little more thoroughly please??
Samm253
05-10-2005, 10:17 PM
My avg discovered 37 viruses when sysinternals was scanning through my pc I was able to delete them all, but I think avg might have missed some hidden bugs because now there's a message that keeps popping up asking me if I want to install this hardware, I'd click cancel but a few seconds later it would ask me again.
Budfred
05-10-2005, 11:35 PM
If AVG reported viruses while RootKitRevealer was running, it is possible that it just found the definitions that RootKitRevealer was using to scan with... Without the logs to review, I don't really know what happened... Do you know what hardware is trying to be installed??
If you can't post a RootKitRevealer log, post another MWavScan so we can see if that is clean now...
Samm253
05-11-2005, 05:11 AM
MwavScan is finally clean no infections found, I dunno if I might be running RootKitRevealer wrong or what but every time it completes scanning and I click save the log always shows up blank. I don't know what hardware it is because it always shows up with my icons under the name HQY and I believe it's running under rundll32.exe on the task manager, this is what it also says when it's asking me if I want to install, Welcome to found new hardware wizard, this wizard helps you install HQY and it also says if your hardware came with an installation cd or floppy disk, insert it now.
Samm253
05-11-2005, 05:13 AM
Should I just install the hardware and see what it does?
Budfred
05-11-2005, 08:27 AM
Should I just install the hardware and see what it does?
I wouldn't, it could be malware using that route to get installed... Go to My Computer, right click and select Properties... Look in Hardware Devices and see if anything is reported to be off, this would be with a ! or ?, in yellow I believe... Unless you accidentally deleted a driver for something, I can't think of what might have caused this... Even then, it should only show up when you reboot... Is everything working okay??
If the RootKitRevealer scan is empty it probably means you don't have a RootKit...
hockey man
05-11-2005, 11:48 AM
Budfred, where on earth did you learn how to read those logs?
Budfred
05-11-2005, 10:29 PM
I was trained in the Classroom at Tom Coyote and the Boot Camp at SpywareInfo... There are quite a few other schools on the web now, but they were the first two... I am still quite involved in Boot Camp and somewhat in the Classroom... You need to stay up to date to deal with this stuff...
Samm253,
What is the status of your system now??
Samm253
05-12-2005, 04:09 AM
Everything seems to be working fine. Ok I went to Device Manager and under the category "other devices" there is a ? in yellow, I clicked on that and it shows that hardware HQY with the !? in yellow. Should I try disabling it so it would leave me alone?
Budfred
05-12-2005, 09:01 AM
I would check Properties to see if you can figure out what it is or post in Core Hardware here to see if anyone recognizes it before installing it.... It is odd that it is suddenly demanding to be reinstalled and I don't recognize what it might be, but if it is legit, you probably will eventually want it installed... Also, check out your hardware devices and see if any of them are not working properly...
Here is my prevention speech to help you stay clean:
This is a good time to set up protection against further attacks. Read the article linked below about "How did I get infected". You need an antivirus that is updated, a good firewall (a router firewall is not enough) and a spyware blocker like SpywareBlaster and also IE-Spyads. All of these have good free versions available... be very cautious about any security software that advertises in popups or other intrusive ways, they are not only usually useless, but also often have malware in them....
http://www.computercops.biz/postlite7736-.html