Full Version: Trojan
Suggest A Fix PC Support Forums > Security > Security
samson
Tried without success to remove CoolWebSearch, ClickSpring and PurityScan objects using spyware and adware programs. Please review the scan from HijackThis and provide some help? Thanks


C:\WINNT\System32\wcpsvsu.exe
C:\Program Files\America Online 9.0a\aoltray.exe
C:\Program Files\AOL Companion\companion.exe
C:\Program Files\Greetings Workshop\GWREMIND.EXE
C:\WINNT\System32\CbjIdr.exe
C:\WINNT\System32\Bcn4.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\America Online 9.0a\waol.exe
C:\Program Files\America Online 9.0a\shellmon.exe
C:\Program Files\America Online 9.0a\aolwbspd.exe
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KH6FS52V\hijackthis[1].exe
C:\WINNT\System32\spool\DRIVERS\W32X86\LXBBPSWX.EXE
C:\WINNT\System32\spool\DRIVERS\W32X86\LXBBJSWX.EXE

O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [CapFax] C:\Program Files\PhoneTools\CapFax.EXE
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OGsKbV] C:\documents and settings\owner\local settings\temp\OGsKbV.exe
O4 - HKLM\..\Run: [sLV] C:\documents and settings\owner\local settings\temp\sLV.exe
O4 - HKLM\..\Run: [Dsi] C:\WINNT\System32\dp-him.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~2\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [x35Q34T] htpmf12n.exe
O4 - HKLM\..\Run: [Ad-aware] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe" +c
O4 - HKLM\..\Run: [2SWZKN82R5K47C] C:\WINNT\System32\NgiOUeB0.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [downloader.exe] C:\downloader.exe
O4 - HKCU\..\Run: [WINT] C:\WINNT\System32\wcpsvsu.exe
O4 - Startup: Greetings Workshop Reminders.lnk = C:\Program Files\Greetings Workshop\GWREMIND.EXE
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://c:\MAIN.MHT!http://213.159.117.236/buka.chm::/x.exe
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/c...ontent/opuc.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.zone.msn.com/bingame/zuma/defau...aploader_v5.cab

Interceptor
Hi and welcome to SAF....

Let's do this.....

Clean out the crap from surfing, spyware, etc. in your temp folders and so on first. We don't need to be scanning them. Quick way is to use FreeHistoryEraser.

Run CoolWebShredder.

That Purityscan is a scam and one helluva lot of trouble.

Fix the following in HJT:

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OGsKbV] C:\documents and settings\owner\local settings\temp\OGsKbV.exe
O4 - HKLM\..\Run: [sLV] C:\documents and settings\owner\local settings\temp\sLV.exe
O4 - HKLM\..\Run: [Dsi] C:\WINNT\System32\dp-him.exe
O4 - HKLM\..\Run: [x35Q34T] htpmf12n.exe
O4 - HKLM\..\Run: [2SWZKN82R5K47C] C:\WINNT\System32\NgiOUeB0.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [downloader.exe] C:\downloader.exe
O4 - HKCU\..\Run: [WINT] C:\WINNT\System32\wcpsvsu.exe
O4 - Startup: Greetings Workshop Reminders.lnk = C:\Program Files\Greetings Workshop\GWREMIND.EXE
O4 - Startup: PowerReg Scheduler V3.exe
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://c:\MAIN.MHT!http://213.159.117.236/buka.chm::/x.exe

Search your system for Purityscan.exe. If you find it, delete it.

In Start>Run>type msconfig>click Ok>Startup tab>uncheck the following. These files do not need to start with the system:

WkUFind.exe (Microsoft Works)
GWREMIND.EXE (Greetings Workshop)
TkBellExe/realsched.exe (RealOne Player)
qttask.exe (Quicktime)
msmsgs.exe (Messenger)
mnyexpr.exe (Microsoft Money) if you don't use this, go to Add/Remove in Control Panel and uninstall it.

Restart, post another HJT scan.

I would also like you to go to the top of this page to the 'Virus Info' tab and use the free online scanner courtesy of TrendMicro, makers of PC-cillin antivirus.

samson
Thanks and here is the HJT scan after completing your instructions:

Logfile of HijackThis v1.97.7
Scan saved at 9:11:57 PM, on 5/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\System32\svchost.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\cnegman.exe
C:\WINNT\System32\Bcn4.exe
C:\WINNT\System32\Pahh.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\America Online 9.0a\waol.exe
C:\Program Files\America Online 9.0a\shellmon.exe
C:\Program Files\America Online 9.0a\aolwbspd.exe
C:\Program Files\XoftSpy\XoftSpy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\H0W75TS9\HijackThis[1].exe

O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [x35Q34T] cnegman.exe
O4 - HKLM\..\Run: [2SWZKN82R5K47C] C:\WINNT\System32\NgiOUeB0.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AOL Toolbar (HKLM)
O9 - Extra 'Tools' menuitem: AOL Toolbar (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/c...ontent/opuc.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.zone.msn.com/bingame/zuma/defau...aploader_v5.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{31B147F0-B52C-4580-BB37-2B0858BB4273}: NameServer = 205.188.146.146
O17 - HKLM\System\CS3\Services\Tcpip\..\{31B147F0-B52C-4580-BB37-2B0858BB4273}: NameServer = 205.188.146.146

Thanks for the help Interceptor!
Interceptor
Not a problem. Hope I didn't miss anything.

Actually, I don't know what these entries are. I know I had you fix the last one....should try that one again. Do you know what cnegman.exe is?


C:\WINNT\System32\cnegman.exe
O4 - HKLM\..\Run: [x35Q34T] cnegman.exe
O4 - HKLM\..\Run: [2SWZKN82R5K47C] C:\WINNT\System32\NgiOUeB0.exe
samson
Interceptor,

I ran an Ad-aware 6.0 scan immediately following your recommendations and the following is the scan results:

ArchiveData(auto-quarantine- 09-05-2004 21-29-15.bckp)
======================================================

CLICKSPRING
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
obj[0]=RegKey : Software\PurityScan
obj[1]=RegKey : SOFTWARE\ClickSpring

PEOPLEONPAGE
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
obj[2]=RegKey : SOFTWARE\Envolo
obj[3]=RegKey : SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AutoUpdate
obj[4]=RegKey : Apropos.Client
obj[5]=RegKey : Apropos.Client.1.1
obj[6]=RegKey : CLSID\{A4A58A2C-B039-432B-8BC1-DCA7AC0757DC}
obj[7]=RegKey : SOFTWARE\Apropos
obj[8]=RegKey : Interface\{A1558B18-F76C-40FE-B358-9E47449F3CFE}
obj[9]=RegKey : SOFTWARE\AutoLoader
obj[10]=RegKey : CLSID\{A2872B10-39F2-42DF-9335-7DD38CF75255}
obj[11]=RegKey : Interface\{A2872B10-39F2-42DF-9335-7DD38CF75255}
obj[12]=RegKey : Interface\{A7D0472E-C1FC-4D8F-ABA1-98A7692561BF}
obj[13]=Folder : c:\program files\AutoUpdate
obj[14]=Folder : c:\docume~1\owner\locals~1\temp\AutoUpdate0
obj[16]=File : c:\winnt\system32\auto_update_uninstall.exe
obj[17]=File : c:\winnt\system32\auto_update_uninstall.log
obj[18]=File : c:\program files\autoupdate\autoupdate.exe
obj[19]=File : c:\program files\autoupdate\libexpat.dll
obj[20]=File : c:\docume~1\owner\locals~1\temp\auf0.exe

TRACKING COOKIE
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
obj[15]=File : c:\documents and settings\owner\cookies\owner@0[2].txt

Thanks again.....
HKEd
That's the Peper trojan:

[2SWZKN82R5K47C] C:\WINNT\System32\NgiOUeB0.exe

The signature is the 14-character random startup. It's downloading these two:

C:\WINNT\System32\Bcn4.exe
C:\WINNT\System32\Pahh.exe

The downloaded file names are random too.

samson...you need to run a dedicated uninstaller. Try this one:

http://www.zerosrealm.com/downloads/uninst.exe

Save it to the desktop and run it from there. You must be online for this to work. Reboot after done (it only takes a few seconds) and run HJT again. Post another log.

This one is going to be a problem:

O4 - HKLM\..\Run: [x35Q34T] cnegman.exe

The problem is it's a morpher. Look at the first log:

O4 - HKLM\..\Run: [x35Q34T] htpmf12n.exe

Please use the free virus scan listed under Virus Info at the top of this page. Let us know what it reports.
Interceptor
Hm...I told him to do that already. Samson..didn't you do the virus scan??? If you don't do what we advise, then the time we spend is not only wasted but your problem isn't fixed.
samson
I did run the virus scan housecall and deleted scanned items. Reran again this morning and got Troj Startpage.S file location C:\WINNT\system32\ppolbc.dll

Also ran HJT again and I am posting the saved scan below.

Logfile of HijackThis v1.97.7
Scan saved at 9:53:16 AM, on 5/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\System32\svchost.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\lexpps.exe
C:\Program Files\Free History Eraser\HistoryEraser.exe
C:\WINNT\System32\wuauclt.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\America Online 9.0a\waol.exe
C:\Program Files\America Online 9.0a\shellmon.exe
C:\Program Files\America Online 9.0a\aolwbspd.exe
C:\Program Files\XoftSpy\XoftSpy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

O4 - HKCU\..\Run: [SPSTEALT] "C:\Program Files\Free History Eraser\HistoryEraser.exe" /stealt
O9 - Extra button: AOL Toolbar (HKLM)
O9 - Extra 'Tools' menuitem: AOL Toolbar (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/c...ontent/opuc.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/7d90ae0...all/xscan53.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.zone.msn.com/bingame/zuma/defau...aploader_v5.cab


When I ran the virus scan it said that the file could not be deleted because the system was in use.

Thanks
samson
HKED,

Could not load the uninstaller from zerosrealm.com. Any further suggestions?
HKEd
samson...have you edited that log? It looks clean.

Sometimes the Peper installer appears not to work - it just flashes by. If it hadn't worked, the Peper startup would still show on your log.

If you haven't edited the log, you're looking good.
HKEd
However you disabled Norton's startup, re-enable it. It should be running always (I see it is, but you must be starting it manually). If you have a problem with a malware file that Windows reports as being in use, try running Norton in Safe Mode:

Starting your computer in Safe mode
samson
HKED,

Here are the results from this morning! I ran a HJT scan again this morning as well as a Housecall virus scan. The virus scan showed two infected files:

1. TrojStartpage.S C:\Documents and Settings\Owner\Desktop\Backup-20040512-065437-287.dll

2. TrojStartpage.S C:WINNT\System 32\jndfpbh.dll


I attempted to delete them and got rid of the Documents and Settings file but could not delete the WINNT file because it gave an error code saying Can't delete currently in use.

Below you will find the HJT scan with the R1 and R0 files back in the list after IE startup. This is a tough problem! I suspect all the R1 and R0 as well as the O2 files as the infected files?




Logfile of HijackThis v1.97.7
Scan saved at 7:38:00 AM, on 5/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\System32\svchost.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\lexpps.exe
C:\Program Files\Free History Eraser\HistoryEraser.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\America Online 9.0a\waol.exe
C:\Program Files\America Online 9.0a\shellmon.exe
C:\Program Files\America Online 9.0a\aolwbspd.exe
C:\WINNT\system32\IEHost.EXE
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINNT\System32\SearchBar.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\System32\jndfpbh.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\System32\jndfpbh.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\System32\jndfpbh.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\System32\jndfpbh.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\System32\jndfpbh.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {95540168-9E58-45F4-AE22-205FDCD52816} - C:\WINNT\System32\jndfpbh.dll
O4 - HKCU\..\Run: [SPSTEALT] "C:\Program Files\Free History Eraser\HistoryEraser.exe" /stealt
O9 - Extra button: AOL Toolbar (HKLM)
O9 - Extra 'Tools' menuitem: AOL Toolbar (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/c...ontent/opuc.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/7d90ae0...all/xscan53.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.zone.msn.com/bingame/zuma/defau...aploader_v5.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{31B147F0-B52C-4580-BB37-2B0858BB4273}: NameServer = 205.188.146.146
O17 - HKLM\System\CS3\Services\Tcpip\..\{31B147F0-B52C-4580-BB37-2B0858BB4273}: NameServer = 205.188.146.146

samson
HKED,

PS............. When I use HJT to fix the files my desktop gets populated with backup files for all items that were deleted. I have been just deleting these.
Interceptor
I never bother. If you want, go into the Config and you'll see where you can stop the backups.

These have to go. Maybe in Safe Mode and turning everything else off. You can also try APM to get a handle on that file:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINNT\System32\SearchBar.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\System32\jndfpbh.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\System32\jndfpbh.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\System32\jndfpbh.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\System32\jndfpbh.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\System32\jndfpbh.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {95540168-9E58-45F4-AE22-205FDCD52816} - C:\WINNT\System32\jndfpbh.dll
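As an added example, not code from this thread, from HijackThis or from either adviser: a small Python triage script that applies the heuristics the advisers use above to HijackThis log lines. It flags O4 Run entries with Peper-style random value names or executables started from temp folders (HKEd's post on the 14-character random startup), spots a "morpher" by comparing two logs for a Run value whose executable changed under the same name ([x35Q34T] htpmf12n.exe becoming cnegman.exe), and pulls out the DLL behind the R0/R1 res:// entries and the nameless O2 BHO that Interceptor lists, which is the file that has to be removed before the registry lines stop coming back. The sample log lines are constructed from entries quoted in this thread, the host in the O16 line is a placeholder rather than the address from the first log, and the random-name rule is a heuristic of mine that will also flag some legitimate but oddly named entries, so its output is a list of things to check, not a delete list.

```python
import re

# Constructed sample logs (not the thread's full logs): a few HijackThis-style
# lines modelled on the entries quoted above: the Peper Run entry, the renamed
# executable under [x35Q34T], the temp-folder executables, the ms-its: ActiveX
# chain, and the Startpage res:// hijack with its unnamed BHO.
# The host in the O16 line is a placeholder, not the address from the thread.
FIRST_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OGsKbV] C:\documents and settings\owner\local settings\temp\OGsKbV.exe
O4 - HKLM\..\Run: [x35Q34T] htpmf12n.exe
O4 - HKLM\..\Run: [2SWZKN82R5K47C] C:\WINNT\System32\NgiOUeB0.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://c:\MAIN.MHT!http://placeholder.invalid/buka.chm::/x.exe
"""

SECOND_LOG = r"""
O4 - HKLM\..\Run: [x35Q34T] cnegman.exe
O4 - HKLM\..\Run: [2SWZKN82R5K47C] C:\WINNT\System32\NgiOUeB0.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\System32\jndfpbh.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\System32\jndfpbh.dll/sp.html (obfuscated)
O2 - BHO: (no name) - {95540168-9E58-45F4-AE22-205FDCD52816} - C:\WINNT\System32\jndfpbh.dll
"""

# Line shapes HijackThis 1.97 uses for the sections this thread turns on.
RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<target>.*)$")
R_RE = re.compile(r"^R[01] - (?P<key>[^=]+) = (?P<value>.*)$")
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[^}]+\}) - (?P<path>.*)$")
DPF_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[^}]+\})(?: \([^)]*\))? - (?P<source>.*)$")
RES_DLL_RE = re.compile(r"res://(?P<dll>.+?\.dll)", re.IGNORECASE)
TEMP_MARKERS = ("\\temp\\", "\\temporary internet files\\")


def triage_line(line):
    """Return the reasons one HijackThis line deserves a closer look ([] if it looks ordinary)."""
    reasons = []
    m = RUN_RE.match(line)
    if m:
        name, target = m["name"], m["target"]
        # Peper-style signature (heuristic): an ordinary program names its Run value
        # after itself; a random block of letters and digits with no words is suspect.
        if (re.fullmatch(r"[A-Za-z0-9]{6,}", name)
                and any(c.isdigit() for c in name) and any(c.isalpha() for c in name)):
            reasons.append("Run value name is a random-looking mix of letters and digits")
        if any(marker in target.lower() for marker in TEMP_MARKERS):
            reasons.append("executable starts from a temp folder")
        if "\\" not in target:
            reasons.append("executable given without a path (resolved through the search path)")
    m = R_RE.match(line)
    if m and (m["value"].lower().startswith("res://") or "(obfuscated)" in m["value"]):
        reasons.append("IE search/start page served from a resource inside a DLL (Startpage-style hijack)")
    m = BHO_RE.match(line)
    if m and m["name"] == "(no name)":
        reasons.append("Browser Helper Object with no name")
    m = DPF_RE.match(line)
    if m and not m["source"].lower().startswith(("http://", "https://")):
        reasons.append("ActiveX download source is not a plain http(s) URL")
    return reasons


def triage(log):
    """Return [(line, reasons)] for every line of a log that triage_line flags."""
    flagged = []
    for line in log.splitlines():
        reasons = triage_line(line)
        if reasons:
            flagged.append((line, reasons))
    return flagged


def morphed_run_entries(old_log, new_log):
    """Map Run value names whose target changed between two logs to (old, new).

    This is the 'morpher' behaviour: the value name [x35Q34T] survives a fix
    while the executable behind it comes back under a new name.
    """
    def targets(log):
        return {m["name"]: m["target"] for m in map(RUN_RE.match, log.splitlines()) if m}
    old, new = targets(old_log), targets(new_log)
    return {n: (old[n], new[n]) for n in old.keys() & new.keys() if old[n] != new[n]}


def hijack_dlls(log):
    """Collect the DLLs that R0/R1 res:// values and nameless BHOs point at.

    These are the files to delete (in Safe Mode if Windows reports them in use);
    fixing only the registry lines lets the loaded DLL write them back.
    """
    dlls = set()
    for line in log.splitlines():
        m = R_RE.match(line)
        if m:
            r = RES_DLL_RE.search(m["value"])
            if r:
                dlls.add(r["dll"].lower())
        m = BHO_RE.match(line)
        if m and m["name"] == "(no name)":
            dlls.add(m["path"].lower())
    return dlls


if __name__ == "__main__":
    for title, log in (("first log", FIRST_LOG), ("second log", SECOND_LOG)):
        print(f"== {title} ==")
        for line, reasons in triage(log):
            print(line)
            for r in reasons:
                print("   ->", r)
    print("morphed:", morphed_run_entries(FIRST_LOG, SECOND_LOG))
    print("DLLs to remove:", sorted(hijack_dlls(SECOND_LOG)))
```

Run it as a script to print the flagged lines with their reasons. triage() and hijack_dlls() take the text of any HijackThis log, and morphed_run_entries() takes the earlier and later log, which is how the renamed executable under an unchanged value name shows up.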
samson
Good Morning,

Thanks to both Interceptor and HKED for all your help.

I finally found the file and successfully deleted it. As of this morning all scans are clean and there doesn't appear to be any trace of the problem left. This was certainly a tough problem but your recommendations proved to be an immeasurable help in getting to the root of the problem. Thanks again!
samson
Well so much for thinking I had this thing beat! Please see the scan from my Ad-aware scan this evening below. The last part of the scan reveals registry scan infection with CoolWebSearch objects. I will try to use CWS shredder to see if I can delete. Any further thoughts?



Lavasoft Ad-aware Personal Build 6.181
Logfile created on :Friday, May 14, 2004 5:18:51 PM
Created with Ad-aware Personal, free for private use.
Using reference-file :01R298 20.04.2004
______________________________________________________

Ad-aware Settings
=========================
Set : Activate in-depth scan (Recommended)
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry


5-14-2004 5:18:51 PM - Scan started. (Smart mode)

Listing running processes
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ThreadCreationTime : 5-14-2004 1:04:32 AM
BasePriority : Normal


#:2 [winlogon.exe]
FilePath : \??\C:\WINNT\system32\
ThreadCreationTime : 5-14-2004 1:04:33 AM
BasePriority : High


#:3 [services.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 5-14-2004 1:04:34 AM
BasePriority : Normal
FileSize : 99 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
OriginalFilename : services.exe
ProductName : Microsoft
Created on : 1/1/1980 6:00:00 AM
Last accessed : 5/14/2004 9:18:51 PM
Last modified : 8/29/2002 1:00:00 PM

#:4 [lsass.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 5-14-2004 1:04:34 AM
BasePriority : Normal
FileSize : 11 KB
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
OriginalFilename : lsass.exe
ProductName : Microsoft
Created on : 1/1/1980 6:00:00 AM
Last accessed : 5/14/2004 9:18:51 PM
Last modified : 8/29/2002 1:00:00 PM

#:5 [svchost.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 5-14-2004 1:04:35 AM
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 1/1/1980 6:00:00 AM
Last accessed : 5/14/2004 9:18:51 PM
Last modified : 8/29/2002 1:00:00 PM

#:6 [svchost.exe]
FilePath : C:\WINNT\System32\
ThreadCreationTime : 5-14-2004 1:04:35 AM
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 1/1/1980 6:00:00 AM
Last accessed : 5/14/2004 9:18:51 PM
Last modified : 8/29/2002 1:00:00 PM

#:7 [lexbces.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 5-14-2004 1:04:37 AM
BasePriority : Normal
FileSize : 296 KB
FileVersion : 7.4
ProductVersion : 7.4
Copyright : © 1993 - 2002 Lexmark International, Inc.
CompanyName : Lexmark International, Inc.
FileDescription : LexBce Service
InternalName : LexBce Service
OriginalFilename : LexBceS.exe
ProductName : MarkVision for Windows (32 bit)
Created on : 6/25/2002 2:13:39 AM
Last accessed : 5/14/2004 9:18:51 PM
Last modified : 6/25/2002 2:13:39 AM

#:8 [spoolsv.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 5-14-2004 1:04:38 AM
BasePriority : Normal
FileSize : 50 KB
FileVersion : 5.1.2600.0 (XPClient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
OriginalFilename : spoolsv.exe
ProductName : Microsoft
Created on : 1/1/1980 6:00:00 AM
Last accessed : 5/14/2004 9:18:51 PM
Last modified : 8/29/2002 1:00:00 PM

#:9 [acsd.exe]
FilePath : C:\PROGRA~1\COMMON~1\AOL\ACS\
ThreadCreationTime : 5-14-2004 1:04:38 AM
BasePriority : Normal
FileSize : 1376 KB
FileVersion : 1,0,24,9
ProductVersion : 1,0,24,9
Copyright : Copyright
CompanyName : America Online, Inc.
FileDescription : AOL Connectivity Service
InternalName : acsd
OriginalFilename : acsd.exe
ProductName : AOL Connectivity Service
Created on : 5/8/2004 9:24:59 PM
Last accessed : 5/14/2004 9:17:36 PM
Last modified : 4/8/2004 1:17:46 PM

#:10 [cdac11ba.exe]
FilePath : C:\WINNT\System32\drivers\
ThreadCreationTime : 5-14-2004 1:04:39 AM
BasePriority : Normal
FileSize : 51 KB
FileVersion : 4.16.050
ProductVersion : 4.16.050 Windows NT 2002/04/24
Copyright : Copyright © 1998-2002 Macrovision Corp.
CompanyName : Macrovision
FileDescription : Macrovision RTS Service
InternalName : CDANTSRV
OriginalFilename : CDANTSRV.EXE
ProductName : SafeCast Windows NT
Created on : 4/10/2003 1:23:16 AM
Last accessed : 5/14/2004 9:18:51 PM
Last modified : 4/10/2003 1:23:16 AM

#:11 [navapsvc.exe]
FilePath : C:\Program Files\Norton SystemWorks\Norton AntiVirus\
ThreadCreationTime : 5-14-2004 1:04:39 AM
BasePriority : Normal
FileSize : 113 KB
FileVersion : 8.07.17
ProductVersion : 8.07.17
Copyright : Copyright © 2000-2002 Symantec Corporation. All rights reserved.
CompanyName : Symantec Corporation
FileDescription : Norton AntiVirus Auto-Protect Service
InternalName : NAVAPSVC
OriginalFilename : NAVAPSVC.EXE
ProductName : Norton AntiVirus
Created on : 5/13/2004 7:05:07 AM
Last accessed : 5/14/2004 9:18:51 PM
Last modified : 2/27/2002 3:29:26 PM

#:12 [nmssvc.exe]
FilePath : C:\WINNT\System32\
ThreadCreationTime : 5-14-2004 1:04:39 AM
BasePriority : Normal
FileSize : 1092 KB
FileVersion : 2.2.9.0
ProductVersion : 2.2.9.0
Copyright : Copyright
CompanyName : Intel Corporation
FileDescription : NMS Module
InternalName : NMS Module
ProductName : NMS
Created on : 12/12/2002 2:54:14 AM
Last accessed : 5/14/2004 9:18:51 PM
Last modified : 5/3/2002 6:36:24 PM

#:13 [nprotect.exe]
FilePath : C:\Program Files\Norton SystemWorks\Norton Utilities\
ThreadCreationTime : 5-14-2004 1:04:39 AM
BasePriority : Normal
FileSize : 132 KB
FileVersion : 15.03.0.36
ProductVersion : 15.03.0.36
Copyright : Copyright © 2002 Symantec Corporation
CompanyName : Symantec Corporation
FileDescription : Norton Protection Status
InternalName : NPROTECT
OriginalFilename : NPROTECT.EXE
ProductName : Norton Utilities
Created on : 5/13/2004 7:06:33 AM
Last accessed : 5/14/2004 9:18:51 PM
Last modified : 2/5/2002 10:03:00 AM

#:14 [nvsvc32.exe]
FilePath : C:\WINNT\System32\
ThreadCreationTime : 5-14-2004 1:04:39 AM
BasePriority : Normal
FileSize : 60 KB
FileVersion : 6.13.10.3082
ProductVersion : 6.13.10.3082
Copyright : © NVIDIA Corporation. All rights reserved.
CompanyName : NVIDIA Corporation
FileDescription : NVIDIA Driver Helper Service, Version 30.82
InternalName : NVSVC
OriginalFilename : nvsvc32.exe
ProductName : NVIDIA Driver Helper Service, Version 30.82
Created on : 1/1/1980 6:00:00 AM
Last accessed : 5/14/2004 9:18:51 PM
Last modified : 7/16/2002 6:16:00 PM

#:15 [prismxl.sys]
FilePath : C:\Program Files\Common Files\Lanovation\PrismXL\
ThreadCreationTime : 5-14-2004 1:04:40 AM
BasePriority : Normal
FileSize : 56 KB
FileVersion : 4.10
ProductVersion : 4.10
Copyright : Copyright
CompanyName : Lanovation
FileDescription : PrismXL Service
InternalName : PrismXL Service
OriginalFilename : PrismXL.sys
ProductName : PrismXL Software Family
Created on : 12/12/2002 1:53:29 AM
Last accessed : 5/14/2004 9:18:52 PM
Last modified : 5/8/2004 1:20:18 PM

#:16 [nopdb.exe]
FilePath : C:\PROGRA~1\NORTON~2\SPEEDD~1\
ThreadCreationTime : 5-14-2004 1:04:41 AM
BasePriority : Normal
FileSize : 168 KB
FileVersion : 6.03.0.36
ProductVersion : 6.03.0.36
Copyright : Copyright © 2002
CompanyName : Symantec Corporation
FileDescription : NOPDB
InternalName : NOPDB
OriginalFilename : NOPDB.dll
ProductName : Norton Speed Disk
Created on : 5/13/2004 7:05:31 AM
Last accessed : 5/14/2004 9:18:52 PM
Last modified : 1/30/2002 10:00:00 AM

#:17 [svchost.exe]
FilePath : C:\WINNT\System32\
ThreadCreationTime : 5-14-2004 1:04:42 AM
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 1/1/1980 6:00:00 AM
Last accessed : 5/14/2004 9:18:51 PM
Last modified : 8/29/2002 1:00:00 PM

#:18 [wanmpsvc.exe]
FilePath : C:\WINNT\
ThreadCreationTime : 5-14-2004 1:04:42 AM
BasePriority : Normal
FileSize : 64 KB
FileVersion : 9, 0, 0, 0
ProductVersion : 9, 0, 0, 0
Copyright : Copyright
CompanyName : America Online, Inc.
FileDescription : Wan Miniport (ATW) Service
InternalName : WanMPSvc
OriginalFilename : WanMPSvc.exe
ProductName : America Online
Created on : 5/8/2004 9:25:05 PM
Last accessed : 5/14/2004 9:18:52 PM
Last modified : 8/27/2003 2:27:44 PM

#:19 [explorer.exe]
FilePath : C:\WINNT\
ThreadCreationTime : 5-14-2004 3:26:34 PM
BasePriority : Normal
FileSize : 980 KB
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
OriginalFilename : EXPLORER.EXE
ProductName : Microsoft
Created on : 1/1/1980 6:00:00 AM
Last accessed : 5/14/2004 9:18:52 PM
Last modified : 8/29/2002 1:00:00 PM

#:20 [navapw32.exe]
FilePath : C:\PROGRA~1\NORTON~2\NORTON~1\
ThreadCreationTime : 5-14-2004 3:26:39 PM
BasePriority : Normal
FileSize : 73 KB
FileVersion : 8.07.17
ProductVersion : 8.07.17
Copyright : Copyright © 2000-2002 Symantec Corporation. All rights reserved.
CompanyName : Symantec Corporation
FileDescription : Norton AntiVirus Agent
InternalName : NAVAPW32
OriginalFilename : NAVAPW32.EXE
ProductName : Norton AntiVirus
Created on : 5/13/2004 7:05:07 AM
Last accessed : 5/14/2004 9:18:52 PM
Last modified : 2/27/2002 3:27:58 PM

#:21 [lexpps.exe]
FilePath : C:\WINNT\System32\
ThreadCreationTime : 5-14-2004 3:26:39 PM
BasePriority : Normal
FileSize : 170 KB
FileVersion : 7.4
ProductVersion : 7.4
Copyright : © 1993 - 2002 Lexmark International, Inc.
CompanyName : Lexmark International, Inc.
FileDescription : LEXPPS.EXE
InternalName : LEXPPS
OriginalFilename : LEXPPS.EXE
ProductName : MarkVision for Windows (32 bit)
Created on : 6/25/2002 2:10:04 AM
Last accessed : 5/14/2004 9:18:52 PM
Last modified : 6/25/2002 2:10:04 AM

#:22 [wuauclt.exe]
FilePath : C:\WINNT\System32\
ThreadCreationTime : 5-14-2004 3:26:50 PM
BasePriority : Normal
FileSize : 145 KB
FileVersion : 5.4.3790.20 built by: lab04_n
ProductVersion : 5.4.3790.20
CompanyName : Microsoft Corporation
FileDescription : Windows Update AutoUpdate Client
InternalName : wuauclt.exe
OriginalFilename : wuauclt.exe
ProductName : Microsoft
Created on : 9/3/2002 6:28:35 PM
Last accessed : 5/14/2004 9:18:52 PM
Last modified : 2/10/2004 1:09:02 AM

#:23 [waol.exe]
FilePath : C:\Program Files\America Online 9.0a\
ThreadCreationTime : 5-14-2004 9:15:24 PM
BasePriority : Normal
FileSize : 228 KB
FileVersion : 9.00.000
ProductVersion : 9.00.000
Copyright : Copyright © America Online, Inc. 1999 - 2003
CompanyName : America Online, Inc.
FileDescription : AOL
InternalName : WAOL
ProductName : America Online
Created on : 5/9/2004 12:54:50 PM
Last accessed : 5/14/2004 9:15:24 PM
Last modified : 9/24/2003 3:42:20 PM

#:24 [shellmon.exe]
FilePath : C:\Program Files\America Online 9.0a\
ThreadCreationTime : 5-14-2004 9:15:27 PM
BasePriority : Normal
FileSize : 40 KB
FileVersion : 9.00.000
ProductVersion : 9.00.000
Copyright : Copyright © America Online, Inc. 1999 - 2003
CompanyName : America Online, Inc.
FileDescription : setupdb
InternalName : setupdb
ProductName : America Online
Created on : 5/9/2004 12:54:50 PM
Last accessed : 5/14/2004 9:15:27 PM
Last modified : 9/24/2003 3:42:14 PM

#:25 [aolwbspd.exe]
FilePath : C:\Program Files\America Online 9.0a\
ThreadCreationTime : 5-14-2004 9:15:33 PM
BasePriority : Normal
FileSize : 456 KB
FileVersion : 1, 0, 3, 0
ProductVersion : [.1-10] On Tue 08/12/2003 15:50:33.85
Copyright : Copyright
CompanyName : America Online Inc
FileDescription : AOL TopSpeed™
InternalName : AOL TopSpeed™
OriginalFilename : aolwbspd.exe
ProductName : AOL TopSpeed™
Created on : 5/9/2004 12:54:54 PM
Last accessed : 5/14/2004 9:15:33 PM
Last modified : 9/24/2003 3:41:20 PM

#:26 [ad-aware.exe]
FilePath : C:\PROGRA~1\Lavasoft\AD-AWA~1\
ThreadCreationTime : 5-14-2004 9:18:42 PM
BasePriority : Normal
FileSize : 668 KB
FileVersion : 6.0.1.181
ProductVersion : 6.0.0.0
Copyright : Copyright
CompanyName : Lavasoft Sweden
FileDescription : Ad-aware 6 core application
InternalName : Ad-aware.exe
OriginalFilename : Ad-aware.exe
ProductName : Lavasoft Ad-aware Plus
Created on : 5/9/2004 11:52:29 AM
Last accessed : 5/14/2004 9:18:43 PM
Last modified : 7/13/2003 1:00:20 AM

Memory scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0


Started registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

CoolWebSearch Object recognized!
Type : RegValue
Data :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Internet Explorer\Main
Value : HOMEOldSP


Registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 1
Objects found so far: 1


Started deep registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Deep registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 1


¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯


Deep scanning and examining files (C:)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯


Performing conditional scans..
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

CoolWebSearch Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : PROTOCOLS\Filter\text/html


CoolWebSearch Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : PROTOCOLS\Filter\text/plain


Conditional scan result:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 2
Objects found so far: 3


5:21:45 PM Scan complete

Summary of this scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Total scanning time :00:02:53:813
Objects scanned :48551
Objects identified :3
Objects ignored :0
New objects :3
HKEd
Hi samson...I fear you have the CWS variant with the invisible startup. Pure evil.

Download Registrar Lite from here:

http://www.resplendence.com/reglite

Install and run it. Copy/paste the following into Reglite's address bar:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

Click on Go, then find the "Appinit_Dlls" value in the right-hand side panel, double-click on it, then copy and post what's in the following fields:

Size:

Value:

If there's a path to a DLL in the value box, we have a lot of work ahead.
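The check HKEd asks for by hand in Registrar Lite can be scripted. The following is an added example, not code from the thread or from any of the tools it names: it reads the AppInit_DLLs value, reports the same Size figure Reglite shows, and for every DLL listed tells you whether the file exists, who owns it and whether it carries a valid Authenticode signature. It assumes an elevated PowerShell 3.0 or later; the registry paths and the LoadAppInit_DLLs switch are the documented Windows ones.

```powershell
# Added example, not part of the thread: audit the AppInit_DLLs load point that
# HKEd has samson inspect with Registrar Lite. Any DLL listed here is loaded into
# every process that links user32.dll, which is why a CWS DLL placed there survives
# the usual start-up clean-up. Run from an elevated PowerShell (3.0 or later assumed).

function Get-AppInitDllAudit {
    [CmdletBinding()]
    param()

    # The thread's machine is 32-bit XP. On 64-bit Windows the Wow6432Node copy
    # of the key governs 32-bit processes, so both locations are checked.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
    )

    foreach ($key in $keys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        $raw   = [string]$props.AppInit_DLLs

        # Registrar Lite reports Size as the ANSI string length plus its NUL
        # terminator: the 27-character path samson posted showed as 28.
        $size = if ($raw) { $raw.Length + 1 } else { 0 }

        # On Vista and later the DLLs are only loaded when LoadAppInit_DLLs is 1;
        # XP (the thread's platform) has no such switch, so report 'n/a' there.
        $load = if ($null -ne $props.LoadAppInit_DLLs) { $props.LoadAppInit_DLLs } else { 'n/a' }

        # The value is a space- or comma-separated list of DLL paths.
        $entries = @($raw -split '[\s,]+' | Where-Object { $_ })

        if ($entries.Count -eq 0) {
            [pscustomobject]@{
                Key = $key; LoadAppInit_DLLs = $load; Size = $size
                Value = $raw; Dll = $null; Exists = $false; Owner = $null
                Signature = 'n/a'; Verdict = 'empty (expected on a clean machine)'
            }
            continue
        }

        foreach ($entry in $entries) {
            # Bare file names resolve through the normal DLL search order;
            # System32 is the first stop, which is where lognh.dll lived.
            $path = $entry
            if (-not [IO.Path]::IsPathRooted($path)) {
                $path = Join-Path -Path $env:SystemRoot -ChildPath "System32\$entry"
            }

            $exists = Test-Path -LiteralPath $path
            $owner  = $null
            $status = 'n/a'
            if ($exists) {
                $owner  = (Get-Acl -LiteralPath $path).Owner
                $status = [string](Get-AuthenticodeSignature -FilePath $path).Status
            }

            $verdict = if (-not $exists) { 'dangling entry: DLL missing (still clear the value)' }
                       elseif ($status -ne 'Valid') { 'REVIEW: unsigned or untrusted DLL injected into every GUI process' }
                       else { 'signed; confirm the publisher is expected' }

            [pscustomobject]@{
                Key = $key; LoadAppInit_DLLs = $load; Size = $size
                Value = $raw; Dll = $path; Exists = $exists; Owner = $owner
                Signature = $status; Verdict = $verdict
            }
        }
    }
}

Get-AppInitDllAudit | Format-List
```

On a clean machine the value is empty and the function returns a single "empty" record per key. A record whose Verdict starts with REVIEW is the situation samson was in: an unsigned DLL in System32 that every GUI process loads at start-up, which is why no Run-key clean-up touches it.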
samson
As you suspected the following is the information from the Registrar Lite data


Size: 28

Value: C:\WINNT\System32\lognh.dll

Looks like a lot of work still ahead!

Thanks.............
HKEd
OK, lognh.dll is the baddie. You need another program. Get Winfile from here:

http://www10.brinkster.com/expl0iter/freea...last/pvtool.htm

Save it to the desktop.

Also need to know if your file system is FAT32 or NTFS. Right-click on the C: drive and select Properties. You'll see it listed there.

Now we need to make lognh.dll visible.

Run Reglite again and copy and paste the below line in Reglite's address bar and hit Go:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

Next, right-click on the Windows folder (highlighted as a blue or purple folder in the left hand pane of Reglite) and rename it to NotWindows.

Doubleclick "AppInit_DLLs" again and clear the data value:

C:\WINDOWS\System32\lognh.dll

Delete that line.

Click on Apply and then OK

Rename the NotWindows folder back to its original name Windows and reboot your PC.

After restarting, try to locate the lognh.dll in the System32 folder but don't attempt to delete it yet.

Go to your root drive: C:\ and create a new folder. Name it: "Junk"

Unzip and run the 'Winfile' program that you previously downloaded. Expand and navigate to the System32 folder. You need to navigate by double-clicking to expand.

When the System32 folder is open, click File Menu > Select files. Copy and paste to the box: lognh.dll and click on Select. Find and highlight that file. Next go to the Security Menu > Permissions and tell us what is listed there for that file. Also check the 'Owner' tab and post back what you see.

Lastly, go to File > Move. In the From box, copy and paste:

C:\WINDOWS\System32\lognh.dll

In the To box, copy and paste:

C:\Junk\lognh.dll

And hit OK. Close Winfile and check in C:\Junk to make sure that the file is there. Post back the requested information and let us know how you got on.

Note:

If the drive is NTFS - all security permissions will be lost after renaming to "notwindows"

So still using WinFile, use the security tab on the file and take ownership. Change the 'whatever' to 'you' (userName) > with Admin rights-> Full control.
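The permission and owner check HKEd describes doing in Winfile, and the NTFS take-ownership step in his note, look like this in script form. This is an added example, not code from the thread: the first function reports the owner, any Deny entries, any "special access" (non-preset) rights masks and whether any Allow entry carries the Delete right; the second runs the take-ownership and ACL reset, but only when -Apply is given. It assumes an elevated PowerShell on Vista or later, where takeown.exe and icacls.exe ship with Windows (on the thread's XP box the Winfile steps above are the equivalent).

```powershell
# Added example, not part of the thread: audit, and optionally repair, the NTFS
# permissions on a file that refuses to be deleted. Audit first; nothing changes
# unless -Apply is passed. Assumes an elevated PowerShell on Vista or later
# (takeown.exe / icacls.exe are standard there).

function Get-FileAccessReport {
    param([Parameter(Mandatory = $true)][string]$Path)

    $acl    = Get-Acl -LiteralPath $Path
    $rules  = @($acl.Access)
    $denies = @($rules | Where-Object { $_.AccessControlType -eq 'Deny' })

    # "Special Access" in the classic Windows UI means a rights mask that is not
    # one of the named presets. Flag those, and the absence of any Allow entry
    # carrying Delete: the two things that stopped samson removing lognh.dll.
    $named   = 'FullControl', 'Modify', 'ReadAndExecute', 'Read', 'Write'
    $special = @($rules | Where-Object { $named -notcontains [string]$_.FileSystemRights })
    $deleteBit = [int][Security.AccessControl.FileSystemRights]::Delete
    $allowsDelete = @($rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights -band $deleteBit) -ne 0)
    }).Count -gt 0

    $verdict = if ($denies.Count -gt 0 -or -not $allowsDelete) {
        'locked down: take ownership and reset the ACL before deleting'
    } else {
        'deletable by ACL (an open handle in a running process can still block it)'
    }

    [pscustomobject]@{
        Path          = $Path
        Owner         = $acl.Owner
        DenyEntries   = @($denies  | ForEach-Object { "$($_.IdentityReference) [$($_.FileSystemRights)]" })
        SpecialAccess = @($special | ForEach-Object { "$($_.IdentityReference) [$($_.FileSystemRights)]" })
        AllowsDelete  = $allowsDelete
        Verdict       = $verdict
    }
}

function Repair-FileAccess {
    param([Parameter(Mandatory = $true)][string]$Path, [switch]$Apply)

    # takeown /A hands ownership to the Administrators group (HKEd's "change the
    # 'whatever' to you, with Admin rights"); icacls then grants Full Control and
    # strips Deny entries for Everyone and for the current user.
    $steps = @(
        @('takeown.exe', '/F', $Path, '/A'),
        @('icacls.exe',  $Path, '/grant', 'Administrators:F'),
        @('icacls.exe',  $Path, '/remove:d', 'Everyone'),
        @('icacls.exe',  $Path, '/remove:d', $env:USERNAME)
    )
    foreach ($step in $steps) {
        $exe  = $step[0]
        $argv = $step[1..($step.Count - 1)]
        if ($Apply) { & $exe @argv } else { Write-Host "[dry run] $exe $($argv -join ' ')" }
    }
    if ($Apply) { Get-FileAccessReport -Path $Path }
}

# Usage, with the path from the thread (C:\Junk is where samson moved the file):
Get-FileAccessReport -Path 'C:\Junk\lognh.dll'
Repair-FileAccess    -Path 'C:\Junk\lognh.dll'          # prints the commands only
# Repair-FileAccess  -Path 'C:\Junk\lognh.dll' -Apply   # actually takes ownership
```

Run the report before and after: a Deny entry or an owner you do not recognise is exactly the "special access" state samson later found on his own account, and resetting it is what finally let the file go.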
Interceptor
Looks like I'd better bone up on some things, eh Ed? It's very frustrating.
HKEd
John...it's impossible. It's confirmed as a rootkit hijack now - the reason it keeps reappearing after a few days or rebooting is because the file has root level access and is impossible to get rid of without an access level higher, root being the highest level (I read this on another forum). There's a new 'super-invisible' startup now at rootkit level that has all the developers stumped. There is no fix. I know freeatlast, Unzy, Mosaic1 et al. are working round the clock to even locate the hijacker file name, making BAT and REG files on the fly. But it's not working. The CWS scumbags are reading the forums, particularly ComputerCops where all the heavyweights hang out, and releasing subtle variations to confuse them further.

It's turned into a game - very much a good versus evil scenario. And CWS is now very evil indeed. If the best in the business can't deal with it, the only solution is to backup and format. There are now week+ long threads on various sites, and an awful lot of energy being expended only to go continually round in circles. Sheesh...this stuff used to be easy when you knew what you were dealing with. Now we don't even understand what we're dealing with. And when we do understand, they come up with a new one. sad.gif
samson
HKED,

I successfully got to the point in your instructions where I named and then renamed the Windows file and rebooted the PC.

I'm having trouble figuring out your instructions from there.

I did manage to get to the System 32 folder and saw the baddie file and did not delete it.

Your next instruction was to go to the root drive and I am lost on how to get there to create the new folder "junk".

Could you offer some further help on how to go from there?

Thanks again............
samson
HKED,

I followed your instructions up to and including renaming the windows folder back to windows.

After rebooting the PC, I located the System 32 folder and saw the lognh.dll file and did not delete it.

I am confused about the root file? Where is it and how do I locate it to create the new junk folder?

I can find everything else except how to get to the root drive....

Thank you.....
samson
HKED,

Well I think I finally figured it out:

File system=NTFS

Permissions= Everyone Special Access

File name C:\Winnt\system32\Junk\lognh.dll

Owner= (Our name)

The lognh.dll file is now in the Junk file!

Sorry for the problem with the root drive lingo..........
HKEd
No worries, samson. Root drive is normally C:, but others may have it as D: or whatever. It's where Windows starts from.

Next step:

Go ahead and try to delete the file now. If you cannot delete it, try deleting the entire Junk folder, and if you still cannot delete it, try renaming it a couple of times to a different file name and extension. You can do it all in Winfile. See example below:

rename lognh.dll to bleh.txt
rename bleh.txt to badfile.111
And so on until it deletes.

Next, go here:

http://www.spywareinfo.com/~merijn/downloads.html

Download and run CWShredder (close IE first and click on Fix). It should remove any remnants. Reboot afterwards.

Finally, download the latest version of Ad-Aware from here:

http://www.lavasoftusa.com/software/adaware/

(If you already have Ad-Aware installed, make sure that it is the latest version and always go online and update it before you run it).

After installing AAW, and before running the program, you must FIRST update the reference file following these instructions (and you must always do this before you run the program at any later date).

Do the following:

Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:

Check: "Unload recognized processes during scanning."

Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:

Check: "Let Windows remove files in use after reboot."

Press "Scan Now"

- Check option "Use Custom scanning options"
- Check option "Activate In-Depth Scan"
- Press "Select drives\folders to scan"
- Select the active partition which is usually C:

Now press "Next" to let Ad-aware scan your drives. It will find a number of spyware files and registry keys. Right-click in that pane and choose "select all"

Now press "Next" again. It will ask you whether you'd like to remove all checked items. Click OK.

Finally, close Ad-Aware, and reboot.

Run Hijack This again and post back a new log. With a bit of luck we will have got rid of it. But it is very persistent and there's no guarantee of success even with this complicated removal method.

(Much of what I've posted was written by Microsoft MVP and SAF member, AnnMarie. If this works, kudos go to her, not me).
samson
HKED,

The problem is bigger than we thought! Tried to delete the infected file after renaming the file multiple times but to no avail.

I always get a message that permission to delete is denied or file is in use after every attempt.

Looks like I am going to have to clean the system and start from scratch!

HKEd
Hi samson...
QUOTE
The problem is bigger than we thought!

I always knew a format was a distinct possibility, much as I hate advising it. As stated in an earlier post, this thing is pure evil. Some of the best anti-malware developers have been working on this for a while now with no results.

Try booting to safe mode and see if you can rename/delete there.

There are other steps we can try if it won't delete in safe mode, but I fear we'll be chasing our tails. I haven't seen a fix for this yet.

Post another HJT log so we can at least see where we're at.
kennethr
You might try this program to delete the file. It is supposed to work pretty good on deleting some that just won't go.
QUOTE
MoveOnBoot allows you to copy, move or delete files on the next system boot. This comes in very handy, if you need to replace or delete files which are locked by other applications, loaded into memory or cannot be changed until next system boot. You could manually enter a line to the wininit files, but using MoveOnBoot is much simpler, since the program can be integrated into shell - it creates the "Copy/Move/Delete on boot" context menu item.


You can GET IT HERE

KENNETH
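The "delete on next boot" trick kennethr points to has a built-in equivalent on NT-family Windows (NT 4 through XP and later): MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT records the request in the REG_MULTI_SZ value PendingFileRenameOperations under Session Manager, and smss.exe carries it out early in boot, before the process holding the file open exists. The following is an added example, not MoveOnBoot's code nor anything from the thread: one function lists what is currently queued (useful for confirming what a tool such as MoveOnBoot actually scheduled), the other queues a delete through the Windows API. It assumes an elevated PowerShell 3.0 or later.

```powershell
# Added example, not part of the thread: inspect and use the NT "pending file
# rename" mechanism that delete-on-reboot utilities rely on. Assumes an elevated
# PowerShell 3.0+ (Add-Type and MoveFileEx are standard Windows facilities).

function Get-PendingFileRenameOperations {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $raw = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).PendingFileRenameOperations
    if (-not $raw) { return @() }

    # The value is a flat list of source/destination pairs; an empty destination
    # means delete. Paths carry the NT object-manager prefix \??\.
    for ($i = 0; $i -lt $raw.Count; $i += 2) {
        $src = $raw[$i]
        $dst = if ($i + 1 -lt $raw.Count) { $raw[$i + 1] } else { '' }
        $action = if ($dst) { 'move' } else { 'delete' }
        [pscustomobject]@{
            Source      = $src -replace '^\\\?\?\\', ''
            Action      = $action
            Destination = $dst -replace '^\\\?\?\\', ''
        }
    }
}

# P/Invoke declaration for the Win32 call behind the mechanism.
Add-Type -Namespace Win32 -Name MoveFile -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, uint dwFlags);
'@

function Register-DeleteOnBoot {
    param([Parameter(Mandatory = $true)][string]$Path)
    $MOVEFILE_DELAY_UNTIL_REBOOT = 0x4

    # A null destination queues a delete. Windows writes the registry value read
    # above, so the return from Get-PendingFileRenameOperations confirms the entry.
    $ok = [Win32.MoveFile]::MoveFileEx($Path, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)
    if (-not $ok) {
        $code = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        $err  = New-Object ComponentModel.Win32Exception($code)
        throw "MoveFileEx failed for ${Path}: $($err.Message)"
    }
    Get-PendingFileRenameOperations
}

# Usage: see what is queued, then queue the file samson moved into C:\Junk.
Get-PendingFileRenameOperations | Format-Table -AutoSize
# Register-DeleteOnBoot -Path 'C:\Junk\lognh.dll'
```

Checking the queue after using a third-party utility is worth the ten seconds: as samson found out two posts later, a tool may "move" the file into its own folder rather than delete it, and a listing of the actual pending operations (or their absence) shows which.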
samson
HKED and Kennethr

Tried unsuccessfully to delete or rename in safe mode. There was no change and I could not access the file to delete.

Tried Move on Boot and was successful at moving the file to Move on Boot and then deleted the program. It no longer appears in the Winfile and here is the most recent HJT scan.



Logfile of HijackThis v1.97.7
Scan saved at 7:12:27 AM, on 5/18/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\wanmpsvc.exe
C:\PROGRA~1\NORTON~2\NORTON~1\navapw32.exe
C:\WINNT\System32\msiexec.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\America Online 9.0a\waol.exe
C:\Program Files\America Online 9.0a\shellmon.exe
C:\Program Files\America Online 9.0a\aolwbspd.exe
C:\Program Files\XoftSpy\XoftSpy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~2\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O9 - Extra button: AOL Toolbar (HKLM)
O9 - Extra 'Tools' menuitem: AOL Toolbar (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033...all/xscan53.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.zone.msn.com/bingame/zuma/defau...aploader_v5.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{31B147F0-B52C-4580-BB37-2B0858BB4273}: NameServer = 205.188.146.146
O17 - HKLM\System\CS3\Services\Tcpip\..\{31B147F0-B52C-4580-BB37-2B0858BB4273}: NameServer = 205.188.146.146

samson
HKED and kennethr,

Once again fooled into thinking that this was a solution. I found that the files were simply moved into the program files under GiPo@ utilities and sure enough when opened the files are still there. I ran an Ad-aware scan and the following showed up as a scanned object: C:\Documents and Settings\owner\cookies\owner@atdmt[2].txt I quarantined the file and deleted it.

I am spent!
HKEd
I'm spent too, samson! You now realise that this alien lifeform is a close to invisible entity, morphing into something else as it toys with you.

MoveOnBoot sounds similar to TheKillBox that is usually a part of the process of cleaning.

But someone will work it out in the end. It's doing my head in just trying to keep up with developments. wacko.gif

Your HJT log looks clean as a whistle, but something lurks.

You could consider using another browser and just sitting tight until a fix comes along. I like Firefox 0.8.
kennethr
mad.gif Danged scumbags that create this crap!! angryfire.gif

samson, if/when you find an answer to this, please let us know.

kenneth
samson
HKED and kenneth,

I found the problem! This is one mean piece of crap! I discovered that this nasty thing got into my owner permissions and changed the settings from full control to special access with an inability to delete files.

After editing the permissions on the owner file, I was able to successfully delete the JUNK files and eradicate them from the system. All systems look good and I took your advice HKED on the ad-aware instructions and tweaked the engines and found some data miners and removed them and rebooted and reran the scan and everything appears clean. I ran CWshredder and everything is clean there also.

The HJT scan has not changed and it looks clean!

Hope this might help in lending some insight to others.

I will let you know if the system remains clean or if other problems present themselves.

Thanks to all for the great insight and help with this frustrating variant!

Samson
HKEd
Cool, samson...glad you worked it out.

You may have noticed I asked about your system's file system in a previous post and posted what to do about permissions within Winfile if the file system is NTFS. rolleyes.gif

Aaahhhh...this is a good feeling. I didn't really understand this bugger when we started on this, so I had a lot of learning to do. I think I'm getting a handle on it (although I'm sure CWS will come up with even more evil variants sad.gif ). This is the first time I've kicked this sucker's butt.

Thanks for the help Kenneth. You kicked in with a couple of things that got me thinking straight again. Sometimes, that's all that's needed. smile.gif

Samson...lock down that system of yours - SSD, Ad-Aware, SpywareBlaster and the Hosts file available here (just have it replace your existing one). Update Norton regularly and get a firewall. I'm using PC-cillin AV and firewall because it came with my new motherboard drivers disk, but I've used the free Sygate Personal Firewall before and was very happy with it.

And keep installing all recommended Windows updates.

Safe surfing. smile.gif
kennethr
smiley- thumb up.gif cheers.gif
livinglavidaloca
Hi HKEd. I've also downloaded the Hosts file you mentioned to Samson but I'm unable to open it. It's probably rudimentary. Can you please give me a clue? Merci. rolleyes.gif
HKEd
De rien, livinglavidaloca. You should really have started another topic. The likelihood of me revisiting a pinned thread that had been solved is slim. rolleyes.gif

Can't you unzip the file? Look for WinZip if you don't have an unzipper. It's a trial version, but as far as I know, it doesn't expire. Unzip Hosts.zip and copy/paste the Hosts file to the location advised in the article for your operating system. It will ask you if you want to overwrite the existing Hosts file. Answer Yes.
Invision Power Board © 2001-2009 Invision Power Services, Inc.