Need some help removing CWS

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Chaos_2004, Jun 26, 2004.

  1. Chaos_2004

    Chaos_2004 Private E-2

    This is my first time posting here. I have been reading a bunch of different threads and I just can't seem to kick this thing. I have run Ad-Aware, HijackThis, Spyblaster, About:Buster and SpySweeper, and the damn thing keeps coming back every time I open IE. I am kind of a newbie when it comes to computers, so I was hoping someone with a little more know-how could help me. Here is my latest HijackThis log:
    Thanks
    Chaos

    Logfile of HijackThis v1.97.7
    Scan saved at 12:15:51 PM, on 6/26/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\EarthLink 5.0\ConMgr.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\WINDOWS\atlrs.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\Program Files\Intuit\QuickBooks Pro\qbw32.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\MSN\MSNCoreFiles\msn6.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Keenan LeBaron\Local Settings\Temp\Temporary Directory 4 for hijackthis.zip\HijackThis.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rdqls.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://rdqls.dll/index.html#96676
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://rdqls.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rdqls.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://rdqls.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\rdqls.dll/sp.html#96676
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {5677AA14-4828-04F9-BE46-9B83A0F0652F} - C:\WINDOWS\system32\sdkph.dll
    O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
    O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
    O4 - HKLM\..\Run: [sr1exe] "C:\Documents and Settings\All Users\Application Data\Dell\Alert\252\updtSup3.exe"
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [atlrs.exe] C:\WINDOWS\atlrs.exe
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKLM\..\RunOnce: [sdkyq32.exe] C:\WINDOWS\system32\sdkyq32.exe
    O4 - HKLM\..\RunOnce: [ieio.exe] C:\WINDOWS\ieio.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O4 - Global Startup: Stardust Screen Saver Control 2003.lnk = C:\WINDOWS\SCMain.exe
    O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
     
  2. Astroman

    Astroman Private E-2

    Try downloading Spybot S&D and CWShredder, both found on the main page under Spyware tools.
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That will not fix it. Follow the procedures in the following thread: http://www.majorgeeks.com/vb/showthread.php?t=35165

    Obviously your file names may be different, but the procedure is the same. For example, right now your log shows the below items, which are part of the problem. They all need to be fixed at the appropriate time as shown in the link above. One of the most important steps is getting Network Security Service shut down and noting the file it is trying to run.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rdqls.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://rdqls.dll/index.html#96676
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://rdqls.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rdqls.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://rdqls.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\rdqls.dll/sp.html#96676

    O2 - BHO: (no name) - {5677AA14-4828-04F9-BE46-9B83A0F0652F} - C:\WINDOWS\system32\sdkph.dll
    O4 - HKLM\..\Run: [atlrs.exe] C:\WINDOWS\atlrs.exe
    O4 - HKLM\..\RunOnce: [sdkyq32.exe] C:\WINDOWS\system32\sdkyq32.exe
    O4 - HKLM\..\RunOnce: [ieio.exe] C:\WINDOWS\ieio.exe
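
Added example, not part of the original thread or of HijackThis itself: a Python sketch that parses the R0/R1 lines quoted in the reply above and flags Internet Explorer page settings whose value is a `res://` URL, meaning the page is served from a resource inside a local module. The function names are assumptions of this example; the sample lines are copied from the log posted in this thread.

```python
import re

# HijackThis "R" line:  R1 - HKCU\<key>,<value name> = <data>
R_LINE = re.compile(r"^(R[0-3]) - (HKCU|HKLM)\\(.+?),(.+?) = (.*)$")
# res://<module path>/<resource> loads a page embedded in a local DLL/EXE
RES_URL = re.compile(r"^res://(.+\.(?:dll|exe))/(.*)$", re.IGNORECASE)

# Sample input: the seven R entries from the log in this thread.
SAMPLE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rdqls.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://rdqls.dll/index.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://rdqls.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rdqls.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://rdqls.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\rdqls.dll/sp.html#96676
"""

def parse_r_entries(log_text):
    """Return one dict per R0-R3 line; other log lines are ignored."""
    entries = []
    for line in log_text.splitlines():
        m = R_LINE.match(line.strip())
        if m:
            code, hive, key, name, data = m.groups()
            entries.append({"code": code, "hive": hive, "key": key,
                            "name": name, "data": data})
    return entries

def flag_res_hijacks(entries):
    """Keep entries pointing at res:// and record the module's file name."""
    flagged = []
    for e in entries:
        m = RES_URL.match(e["data"])
        if m:
            # Module may be a bare name or a full path; reduce to basename.
            module = m.group(1).replace("/", "\\").rsplit("\\", 1)[-1].lower()
            flagged.append({**e, "module": module, "resource": m.group(2)})
    return flagged

if __name__ == "__main__":
    for f in flag_res_hijacks(parse_r_entries(SAMPLE)):
        print(f'{f["hive"]} {f["name"]!r} -> {f["module"]} ({f["resource"]})')
```

The module names it reports are the files to note before following the removal procedure, since they differ from one infected machine to the next.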
     
