HJT log - still can't get rid of BHOs and popups

valkyrie5:
Hi, all: Got an emergency call for help from a friend who initially reported a Bugbear infection on her computer (AVG antivirus reported infection). When I got to her house, she said Norton AV (also running) was reporting Backdoor.Berber.F and she had no control over her browser homepage settings nor over the popups that were coming fast and furious.
I booted to safe mode and ran vcleaner from AVG. It stopped dead in the middle of processing. Also tried two online cleaners (TrendMicro and PandaScan). Same result. I then loaded up AVAST at boot and it reported and disinfected or deleted:
1) 01602615.exe infected with BugBear-B
2) Imscan.dll Kuang2 - this file is actually a PandaScan file that other antivirus programs throw false positives on
3) one file with the aforementioned Berber.F (reportedly this creates random system32 .exe filenames)
4) one file with Win32.Trojano-164[Trj]
5) 23 instances of CoolWebSearch
I then loaded up AdAware, SpybotS&D, SpywareBlaster and SpywareGuard. Also loaded up ZoneAlarm and caught an application called NTZD.EXE trying to call out. Any idea what this is? Unfortunately the browser is still being hijacked and unwanted popups are still appearing.
Here is the HijackThis log with several suspicious entries:

Logfile of HijackThis v1.98.0
Scan saved at 10:12:59 PM, on 7/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Roxio\GoBack\GBPoll.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\addix.exe
C:\WINDOWS\system32\ntzd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search page = res://C:\WINDOWS\system32\dgdvh.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://dgdvh.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://dgdvh.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\dgdvh.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\dgdvh.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://dgdvh.dll/index.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {EF8BB02A-9D77-7F04-941C-7146169FD55A} - C:\WINDOWS\system32\atlcm.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [ntzd.exe] C:\WINDOWS\system32\ntzd.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\RunOnce: [addix.exe] C:\WINDOWS\system32\addix.exe
O4 - HKLM\..\RunOnce: [ipbz.exe] C:\WINDOWS\system32\ipbz.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\inetrepl.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: ppctlcab - »www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - »messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - »security.symantec.com/sscv6/Shar···niff.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - »www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - »us.dl1.yimg.com/download.yahoo.c···0510.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - »security.symantec.com/sscv6/Shar···absa.cab
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - »ftp.hp.com/pub/automatic/player/isetupML.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - »a840.g.akamai.net/7/840/537/2004···an53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - »messenger.zone.msn.com/binary/Me···ient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - »www.pandasoftware.com/activescan···inst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - »us.dl1.yimg.com/download.yahoo.c···_416.dll
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - »fdl.msn.com/public/chat/msnchat45.cab
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - (no file)
I'll be trying CWSShredder now that I know about it but I'm still concerned that I have a trojan or two here. Any input would be appreciated.
Val

rds24a:
said by valkyrie5:
    Hi, all: 5) 23 instances of CoolWebSearch
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search page = res://C:\WINDOWS\system32\dgdvh.dll/sp.html#37049
    O4 - HKLM\..\RunOnce: [addix.exe] C:\WINDOWS\system32\addix.exe
    O4 - HKLM\..\RunOnce: [ipbz.exe] C:\WINDOWS\system32\ipbz.exe

I'm pretty sure CWShredder doesn't get that particular variant of CWS... it came out around the time he stopped updating CWShredder. It is particularly nasty and particularly tricky to remove.
-- "We cannot live in a grievance-based society any longer. Our best individual efforts will, in time, result in the improvement of the whole. Complaining is not productive."

John2g (reply to valkyrie5):
Try the analysis here. Just C&P your HJT log and hit analyse.
»hijackthis.de/index.php?langselect=english
-- Better to remain silent and be thought a fool, than to speak and remove all doubt.

John2g (reply to valkyrie5):
If you think you have a virus or trojan, you could run this free AV. It does not have to be installed: just run.
Before you run it, disable "autoprotect" in NAV.
Forgot to add the link, which is
»www.mwti.net/antivirus/free_utilities.asp

joepwpb (reply to John2g):
said by John2g:
    Try the analysis here. Just C&P your HJT log and hit analyse.
    »hijackthis.de/index.php?langselect=english

John2g,
I like that analysis page!! It sure lightens the load for those on the Security forums that help with HJT logs.
Joe P

John2g:
said by joepwpb:
    John2g,
    I like that analysis page!! It sure lightens the load for those on the Security forums that help with HJT logs.
    Joe P

It certainly helps to sort the wheat from the chaff very quickly. The results should not be taken as gospel: it is only as good as its database, which must be updated regularly. It does appear to be getting more accurate.

rds24a (reply to joepwpb):
Val:
If you do a Google search for "CWS" and "res://C" you'll get a list of other discussions and a bunch of proposed removal steps for this variant. There were too many to post here and they are definitely use-at-your-own-risk... the big problem is that the .dll and supporting characters are all randomly named by CWS.
»russelltexas.com/malware/newexpl···pair.htm

joepwpb (reply to John2g):
John2g,
I noticed two strange files in the HJT log which produced nothing when searched through Google:
addix.exe
ntzd.exe
Any thoughts on these files??
Joe P

John2g (reply to valkyrie5):
This tool claims to remove this CWS variant
»www.hsremove.com/

John2g (reply to joepwpb):
said by joepwpb:
    John2g,
    I noticed two strange files in the HJT log which produced nothing when searched through Google:
    addix.exe
    ntzd.exe
    Any thoughts on these files??
    Joe P

In my experience, if Google can't find it, it is malware of some sort. The problem with these new CWS variants is that the names of the exes mutate.
Also, if I found them on my computer, I would stop them loading and delete them. This probably means in safe mode.

Reply to valkyrie5:
Wow, great suggestions from everyone. Kudos to John2g for the excellent HijackThis analysis page and to rds24a for the CWS variant removal page. I'll be trying the free AV as well.
Thanks to all.

John2g (reply to valkyrie5):
Another thought. Have you tried System Restore?
»camtech2000.net/Pages/System_Restore.htm

siggyx (reply to valkyrie5):
I would be cautious about recommending that HJT log online review to anyone.
I ran about 20 HJT logs through it that I had resolved in Tom Koyote, from basic to difficult, and I received false positives, poor information like "fix this" and bad information. "Fix This" is easy to say, but they do not supply direction on how to fix it and some people will just have HJT fix it and could cause serious harm to their system. This is especially true with the O10 LSP lines. The direction given was "Have HJT fix this", which we know in many cases means bye-bye to your internet connection.
Tools like this, while informative to the user, can give a false sense of security that they can resolve their issue. All I can say is an old phrase, "a little bit of knowledge is dangerous", and I think this tool will cause more harm than good for the uneducated in the review of HJT logs.
Ok, off the soap box :P.
-- The next best thing to being smart is being able to quote someone who is.

John2g:
said by siggyx:
    I would be cautious about recommending that HJT log online review to anyone.

I think you must have missed what I wrote above.
"It certainly helps to sort the wheat from the chaff very quickly. The results should not be taken as gospel: it is only as good as its database, which must be updated regularly. It does appear to be getting more accurate."

Reply to John2g:
Haven't run System Restore but I'll look into it before making any HijackThis changes.

siggyx (reply to valkyrie5):
I didn't miss that. I have all the tools at hand to review logs and these still are not 100% accurate and never will be.
As a tool to start to learn how their systems work and inspiring someone to join one of the help groups, that would be a good thing, but a HJT log is the last resort after running all the tools. Many of the people are desperate at the point that they are running HJT logs, and desperate people take desperate actions, a recipe for disaster.
This will encourage people, in my mind, to go for the quick fix and this is where the danger lies, because they don't have the knowledge needed to apply the quick fix.
I guess my point is that the site does not in any way assist someone with the accurate removal of anything. It gives a false sense that the log can be managed by the person with the information that is supplied with the review. As I said, I received many false positives and some flat out BAD information from it.
Since we are talking in metaphors lol, it's not a case of "sort the wheat from the chaff" but "throwing the baby out with the bath water".

John2g:
We will have to agree to disagree.

siggyx (reply to valkyrie5):
Please download AboutBuster from here and unzip it to your desktop but don't run it yet: »www.downloads.subratam.org/AboutBuster.zip

Please also download and install Ad-Aware from here if you haven't already: »www.lavasoftusa.com/software/adaware/ Once installed, or if you already had it installed, while online start Ad-Aware, click on the "Check for Updates Now" link at the bottom right, then click "Connect". After it updates, click "Finish". Close Ad-Aware.

Follow the instructions here to enable viewing of hidden/system files: »www.xtra.co.nz/help/0,,4155-1916458,00.html

Next, go to Start->Run and type Services.msc then click OK. On the screen that comes up, scroll down to the service called "Network Security Service" and double-click on it. On the next screen, click the Stop button, then in the Startup Type drop-down, change it to Disabled and click Apply, then OK.

Please print out the remainder of these directions, as you'll have to proceed in Safe Mode and won't want to open IE again until they're complete.

Reboot to Safe Mode. Tap F8 while the BIOS loads.

In Safe Mode, scan with HijackThis, put checks next to all of these entries and then click "Fix Checked":

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search page = res://C:\WINDOWS\system32\dgdvh.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://dgdvh.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://dgdvh.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\dgdvh.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\dgdvh.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://dgdvh.dll/index.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {EF8BB02A-9D77-7F04-941C-7146169FD55A} - C:\WINDOWS\system32\atlcm.dll
O4 - HKLM\..\Run: [ntzd.exe] C:\WINDOWS\system32\ntzd.exe
O4 - HKLM\..\RunOnce: [addix.exe] C:\WINDOWS\system32\addix.exe
O4 - HKLM\..\RunOnce: [ipbz.exe] C:\WINDOWS\system32\ipbz.exe

Next, still in Safe Mode, delete any of the following files that are present:

C:\WINDOWS\system32\atlcm.dll
C:\WINDOWS\system32\ntzd.exe
C:\WINDOWS\system32\addix.exe
C:\WINDOWS\system32\ipbz.exe

Double-click the AboutBuster.exe file that you downloaded earlier. Click OK, click Start, then click OK. This will scan your computer for the bad files and delete them. Save the report it creates (copy and paste it into Notepad or WordPad and save as a .txt file).

Finally, still in Safe Mode, scan with Ad-Aware and let it remove anything it finds.

Reboot to normal mode, then do an online virus scan and let it fix what it finds.
Trend Micro »housecall.trendmicro.com/

Then rescan with HijackThis and post a new log here along with the log you saved from AboutBuster.
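Added example (not part of this thread, and not code from HijackThis, AboutBuster or any other tool named here): a small Python triage script that reads HJT entry lines and applies the rules the posters above use to single out this CWS variant: R0/R1 pages redirected to a local DLL through res://, an R3 URLSearchHook reported missing, a BHO with "(no name)" loaded from system32, and Run/RunOnce entries whose label is just the file name of a short, randomly named system32 executable. It returns the entries to tick in HJT, the files to delete and the hijacker DLL, which is what siggyx's list enumerates by hand from valkyrie5's log. The regular expressions, the "random name" heuristic and the KNOWN_SYSTEM32 allowlist are my own assumptions; SAMPLE_LOG is a constructed excerpt of the log posted in this thread.

```python
import re
from dataclasses import dataclass

# Constructed excerpt of the HijackThis log posted in this thread (not the full log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search page = res://C:\WINDOWS\system32\dgdvh.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://dgdvh.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://dgdvh.dll/index.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {EF8BB02A-9D77-7F04-941C-7146169FD55A} - C:\WINDOWS\system32\atlcm.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [ntzd.exe] C:\WINDOWS\system32\ntzd.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\RunOnce: [addix.exe] C:\WINDOWS\system32\addix.exe
O4 - HKLM\..\RunOnce: [ipbz.exe] C:\WINDOWS\system32\ipbz.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
"""


@dataclass
class Entry:
    section: str  # "R1", "O2", "O4", ...
    body: str     # text after "R1 - "
    raw: str      # the line exactly as HijackThis printed it


ENTRY_RE = re.compile(r"^(?P<sec>[RFNO]\d+) - (?P<body>.+)$")
# R0/R1 value whose IE page is a local DLL served over the res:// protocol
RES_RE = re.compile(r"=\s*res://(?:[A-Za-z]:\\(?:[^\\/]+\\)*)?(?P<dll>[\w.]+?\.dll)/", re.I)
O2_RE = re.compile(r"^BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
O4_RE = re.compile(r"^HK\w+\\\.\.\\Run\w*: \[(?P<label>[^\]]*)\] (?P<cmd>.+)$")
EXE_RE = re.compile(r'"?(?P<path>[A-Za-z]:\\[^"]*?\.exe)"?', re.I)

# Partial allowlist (my assumption) of legitimate autostarts that live in system32.
KNOWN_SYSTEM32 = {"ctfmon.exe", "rundll32.exe", "userinit.exe"}


def parse_log(log: str) -> list:
    """Keep only the numbered entry lines; headers and 'Running processes' are skipped."""
    entries = []
    for line in log.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(m.group("sec"), m.group("body"), line))
    return entries


def in_system32(path: str) -> bool:
    return "\\system32\\" in path.lower()


def looks_random(filename: str) -> bool:
    """Short all-letter names such as ntzd.exe or ipbz.exe, as the thread describes."""
    stem = filename.rsplit(".", 1)[0].lower()
    return re.fullmatch(r"[a-z]{3,5}", stem) is not None


def triage(log: str) -> dict:
    """Return the entries to tick in HJT, the files to delete and the hijacker DLL(s)."""
    fix, delete, dlls = [], [], []
    for e in parse_log(log):
        if e.section in ("R0", "R1"):
            m = RES_RE.search(e.body)
            if m:                       # start/search page hijacked via res://<dll>
                fix.append(e.raw)
                if m.group("dll").lower() not in dlls:
                    dlls.append(m.group("dll").lower())
        elif e.section == "R3" and "is missing" in e.body:
            fix.append(e.raw)           # URLSearchHook removed by the hijacker
        elif e.section == "O2":
            m = O2_RE.match(e.body)
            if m and m.group("name").strip().lower() == "(no name)" and in_system32(m.group("path")):
                fix.append(e.raw)       # nameless BHO loaded from system32
                delete.append(m.group("path"))
        elif e.section == "O4":
            m = O4_RE.match(e.body)
            p = EXE_RE.search(m.group("cmd")) if m else None
            if not p:
                continue
            path = p.group("path")
            name = path.rsplit("\\", 1)[-1]
            label_is_filename = m.group("label").lower() == name.lower()
            if (in_system32(path) and name.lower() not in KNOWN_SYSTEM32
                    and (label_is_filename or looks_random(name))):
                fix.append(e.raw)       # random-named autostart in system32
                delete.append(path)
    return {"fix": fix, "delete": delete, "hijacker_dlls": dlls}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("Entries to fix in HijackThis:")
    for line in result["fix"]:
        print("  " + line)
    print("Files to delete in Safe Mode:")
    for path in result["delete"]:
        print("  " + path)
    print("Hijacker DLL(s):", ", ".join(result["hijacker_dlls"]))
```

The res:// DLL (dgdvh.dll here) is reported separately from the delete list because ticking the R0/R1 entries only resets the registry values; the DLL itself is what the AboutBuster step above is for. On a real log the heuristics are only a first pass: anything flagged is a candidate for review, not an automatic fix, and legitimate system32 autostarts that are not on the allowlist will need to be confirmed by hand.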

John2g (reply to valkyrie5):
I don't see any significant differences between the automatic analysis and yours.
»hijackthis.de/logfiles/3bfa62ef6···562.html
What the automatic analyser doesn't know is that this CWS infection cannot be removed by HJT.

siggyx (reply to valkyrie5):
I was not talking about this log in particular. As I stated, I ran 20 or so HJT logs through it last night. That is what my comments are based upon.