Once again, some guy at work has had his computer gangbanged by spyware/adware. I have a HijackThis log, but I'm not sure how much good it will do. There's some weird "[randomshit].dll missing" that pops up randomly when Windows starts. Also, his Internet Explorer keeps having his default page set to "about:blank" - I've heard of this one, but I'm not sure how to fix it. Anyway, here's the log:

Logfile of HijackThis v1.98.2
Scan saved at 3:46:38 PM, on 5/11/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\myCIO\Agent\myAgtSvc.Exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\myCIO\VScan\McShield.exe
f:\auditwiz\data\scanner\Scan32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe
C:\WINNT\system32\NWTRAY.EXE
C:\WINNT\system32\crqp32.exe
C:\Program Files\Common Files\Cyco Shared\AMWFASTL.EXE
C:\WINNT\javaxl.exe
\Nbp411_ii\sys\APPS\office97\Office\OSA.EXE
I:\PUBLIC\GRPWISE\CLIENT\WIN32\NOTIFY.EXE
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\ikcxa.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\ikcxa.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\ikcxa.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\ikcxa.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\ikcxa.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1D59557E-78A1-4B06-61F6-4C715E36BD26} - C:\WINNT\addgi32.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe"
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [crqp32.exe] C:\WINNT\system32\crqp32.exe
O4 - HKLM\..\RunOnce: [javaxl.exe] C:\WINNT\javaxl.exe
O4 - Global Startup: AM-WorkFlow Fast Load.lnk = C:\Program Files\Common Files\Cyco Shared\AMWFASTL.EXE
O4 - Global Startup: Office Startup.lnk = APPS\office97\Office\OSA.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = APPS\office97\Office\FINDFAST.EXE
O4 - Global Startup: GroupWise Notify.lnk = PUBLIC\GRPWISE\CLIENT\WIN32\NOTIFY.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{D9DFE90A-256A-45BA-A259-7CBF8CAD6734}: NameServer = 205.244.200.3,205.244.112.20
O18 - Protocol: myrm - {4D034FC3-013F-4B95-B544-44D49ABE3E76} - C:\WINNT\myCIO\Agent\myRmProt2.8.0.201.dll
Okay, from what I can see it's either CoolWebSearch or HomeSearch Assistant, which are pretty nasty cases of spyware. All the R1 - HKCU and R1 - HKLM entries are spyware related for sure, and I'm suspicious of some others (javaxl.exe in running processes, and the URLSearchHook and BHO addgi32.dll) as well. I have a tool that can remove CWS, but HSA is another story. Have you tried running Spybot S&D or Ad-Aware SE?
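As an added illustration, not code from anyone in this thread, here is a short Python script that turns the reasoning in the reply above into mechanical checks over a HijackThis-style log: R0/R1 values that point into a res:// DLL, a missing default URLSearchHook, an unnamed BHO living under the Windows directory, and Run/RunOnce values whose name is just the executable's own file name and whose executable sits under the Windows directory. The sample lines are a constructed subset of the log posted above; the rule names, the WINDOWS_DIRS roots and the "Run value named after its executable" heuristic are my own assumptions, and the script only lists entries to review, it changes nothing on the machine.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: a subset of the HijackThis v1.98 log posted in this
# thread, one entry per line, with both clean and suspicious entries kept.
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.2
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\crqp32.exe
C:\WINNT\javaxl.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\ikcxa.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\ikcxa.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1D59557E-78A1-4B06-61F6-4C715E36BD26} - C:\WINNT\addgi32.dll
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe"
O4 - HKLM\..\Run: [crqp32.exe] C:\WINNT\system32\crqp32.exe
O4 - HKLM\..\RunOnce: [javaxl.exe] C:\WINNT\javaxl.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>R[0-3]|O\d{1,2}) - (?P<body>.*)$")
RES_DLL_RE = re.compile(r"res://(?P<dll>[^#]+?\.dll)/", re.IGNORECASE)
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.+)$")
O4_RE = re.compile(r"^HK\w+\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# Assumption: the usual Windows install roots; adjust for a non-default layout.
WINDOWS_DIRS = ("c:\\winnt\\", "c:\\windows\\")


def in_windows_dir(path: str) -> bool:
    return path.lower().startswith(WINDOWS_DIRS)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def first_path(cmd: str) -> str:
    """Executable at the start of an O4 command line (quoted or unquoted).
    Deliberately simple: a 'RUNDLL32.EXE x.dll,Entry' line yields RUNDLL32.EXE."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def running_processes(log: str) -> List[str]:
    """Lower-cased paths from the 'Running processes:' section."""
    procs, in_section = [], False
    for line in log.splitlines():
        if line.startswith("Running processes:"):
            in_section = True
            continue
        if in_section:
            if ENTRY_RE.match(line) or not line.strip():
                break
            procs.append(line.strip().lower())
    return procs


def analyze_hijackthis(log: str) -> List[Dict[str, Optional[str]]]:
    """Apply the heuristics from the thread; return findings, nothing is modified."""
    procs = running_processes(log)
    findings: List[Dict[str, Optional[str]]] = []

    def add(rule: str, line: str, artifact: Optional[str]) -> None:
        findings.append({"rule": rule, "line": line, "artifact": artifact,
                         # cross-check: is the flagged file also a running process?
                         "running": bool(artifact) and artifact.lower() in procs})

    for line in log.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind in ("R0", "R1"):
            r = RES_DLL_RE.search(body)          # search/start page served from a local DLL
            if r:
                add("res-dll-hijack", line, r.group("dll"))
        elif kind == "R3" and "URLSearchHook is missing" in body:
            add("urlsearchhook-missing", line, None)
        elif kind == "O2":
            b = BHO_RE.match(body)
            if b and b.group("name") == "(no name)" and in_windows_dir(b.group("path")):
                add("unnamed-bho-in-windir", line, b.group("path"))
        elif kind == "O4":
            o = O4_RE.match(body)
            if o:
                exe = first_path(o.group("cmd"))
                # Heuristic: a Run value whose name is just its own file name, living
                # under the Windows directory, is what the randomly named entries look like.
                if in_windows_dir(exe) and o.group("name").lower() == basename(exe).lower():
                    add("autorun-named-after-exe", line, exe)
    return findings


def artifacts_to_review(findings: List[Dict[str, Optional[str]]]) -> List[str]:
    """Deduplicated file paths behind the findings, for the cleanup checklist."""
    return sorted({f["artifact"] for f in findings if f["artifact"]}, key=str.lower)


if __name__ == "__main__":
    results = analyze_hijackthis(SAMPLE_LOG)
    for f in results:
        print(f"{f['rule']:<24} running={f['running']!s:<5} {f['line']}")
    print("review:", artifacts_to_review(results))
```

Run on the sample, the script flags ikcxa.dll, addgi32.dll, crqp32.exe and javaxl.exe, reports that the last two are also present as running processes, and leaves PRONoMgr.exe alone because it lives under Program Files with a matching vendor path. The Run-name rule is only a heuristic: review what it flags rather than acting on it blindly.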
Oh... I hate those search bars.... CWS can remove some of them, but I think formatting is the way to go, and don't let him visit more pr0n sites.
Format, re-install Windows and add a parental control (and/or stop his reproduction system to create a sudden urge to play with his toy with his hands by any means possible (this can include mass destruction) (that's more radical though)) to his PC. Problem solved.
Stuff highlighted needs to be removed. Then run Ad-aware, then Spybot, then whatever else you feel like, then restart and see if you're good. Incidentally PRONoMGR.exe is an intel program, it's ok, but it does make me think "pr0n-o-manager". Maybe I've spent too long on the internet.
Yeah, what Alchy said. I'm still suspicious about that "javaxl" file, there's like two variants of CWS or something similar that use a JavaXX name. I guess once you clean what Alchy said through HT, and run Spybot and Ad Aware, we'll know whether it's a legitimate process or not. Good luck, dude.
I was really close to stopping the "PRONoMGR.exe", so I guess I'm glad I didn't. Formatting isn't an option, so if this doesn't work I guess I have to tell the guy he's fucked. Thanks guys. I'll see if this works and give you an update.
Alrighty then. If it keeps working wrong, run the tests again, and we'll know what's causing the trouble so we can offer another solution.
It seemed to have worked. The error message didn't appear after a reboot. I told the guy to give me another call if they reappeared. Thanks again.
The guys above have things pretty well in hand, but I'd recommend installing and running CWShredder, which is a malicious software removal tool specifically for the CoolWebSearch family of malware.
I've used CWShredder before, I think. It's floating around somewhere on the network. I might go back today and run it. Thanks for the suggestions.
TBH I don't think CWShredder is that important any more; I'm fairly confident that Ad-Aware/Spybot etc. should have figured out how to get rid of CWS hacks by now. I can't say for sure because it's been a year or so since I last saw any CWS variant.
InterMute CWShredder sees updates every month or two... It's no longer Merijn's project, it belongs to InterMute now, and the current build 2.14 is probably due for a few additions any time now. ~Krelian
P.S.: Too bad I arrived on the scene late, I'd have loved to help! It is my job and all...