[johanvd]

I search for help on the Trojan-spy.HTML.smitfraud.c and this is my hijackthis.log

Logfile of HijackThis v1.99.1
Scan saved at 21:18:36, on 8/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\system32\spoolsv.exe
C:\WINXP\explorer.exe
C:\WINXP\System32\SMSSU.EXE
C:\WINXP\System32\Tmntsrv32.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINXP\System32\SMSSU.EXE
C:\WINXP\System32\Tmntsrv32.EXE
C:\Program Files\Outlook Express\Msimn.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Bluetooth\BTNtService.exe
C:\WINXP\System32\nvsvc32.exe
C:\WINXP\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Johan\Bureaublad\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - Default URLSearchHook is missing
O2 - BHO: XMLDP Class - {60371670-81B9-4d06-9C42-4DEC1AABE62B} - C:\WINXP\xmllib.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINXP\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINXP\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINXP\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NAVNet] "C:\DOCUME~1\Johan\LOCALS~1\Temp\9C.tmp" /m
O4 - HKLM\..\Run: [smalfd] C:\WINXP\System32\tedxlz.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINXP\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [SMSSU] C:\WINXP\System32\SMSSU.EXE
O4 - HKCU\..\Run: [Tmntsrv32] C:\WINXP\System32\Tmntsrv32.EXE
O4 - HKCU\..\Run: [Win32res] C:\WINXP\win32res.exe
O4 - Startup: Outlook Express.lnk = C:\Program Files\Outlook Express\MSIMN.EXE
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\Bluetooth\BTNtService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINXP\System32\nvsvc32.exe

Hopefully, someone can help ? Any support is greatly appreciated. Thank you in advance !

Greetings from Belgium,
Johan Van Driessche

[Advertisements]

Hi johanvd and welcome to GeeksToGo! My name is Excal and I will be helping you.

I apologize for the delay getting to your log, the helpers here are very busy.
If you still need help, please post a fresh Hijack log, in this thread, so I can help you with your Malware Problems.

If you have resolved this issue please let us know.



Excal

[Excal]

Hi johanvd and welcome to GeeksToGo! My name is Excal and I will be helping you.

I apologize for the delay getting to your log, the helpers here are very busy.
If you still need help, please post a fresh Hijack log, in this thread, so I can help you with your Malware Problems.

If you have resolved this issue please let us know.



Excal

[johanvd]

Hi Excal, thank you for helping !

Followed every step of the procedure "You Must Read This Before Posting A Hijackthis Log" but can't get rid of this virus CWS_analyzeIE (found by Spy Sweeper).

Please find my Hijackthislog below :

Logfile of HijackThis v1.99.1
Scan saved at 11:55:33, on 14/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\system32\spoolsv.exe
C:\WINXP\Explorer.EXE
C:\Program Files\Hitman Pro\srhelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Bluetooth\BTNtService.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINXP\System32\nvsvc32.exe
C:\WINXP\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINXP\system32\wuauclt.exe
C:\Program Files\CoolWWWsearch\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINXP\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINXP\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINXP\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINXP\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Hitman Pro SurfRight Helper] "C:\Program Files\Hitman Pro\srhelper.exe"
O4 - Startup: Outlook Express.lnk = C:\Program Files\Outlook Express\msimn.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123770895973
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1123770876535
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\Bluetooth\BTNtService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINXP\System32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe


This is the log file of Spy Sweeper with the virus traces cws_analyzeie ;

********
11:41: |··· Start of Session, zondag 14 augustus 2005 ···|
11:41: Spy Sweeper started
11:41: Sweep initiated using definitions version 516
11:41: Starting Memory Sweep
11:43: Memory Sweep Complete, Elapsed Time: 00:01:53
11:43: Starting Registry Sweep
11:43: Found Adware: cws_analyzeie
11:43: HKU\WRSS_Profile_S-1-5-21-842925246-1606980848-854245398-500\software\microsoft\windows\currentversion\run\ || smssu (ID = 116936)
11:43: HKU\WRSS_Profile_S-1-5-21-842925246-1606980848-854245398-500\software\microsoft\windows\currentversion\run\ || tmntsrv32 (ID = 116939)
11:43: Registry Sweep Complete, Elapsed Time:00:00:06
11:43: Starting Cookie Sweep
11:43: Cookie Sweep Complete, Elapsed Time: 00:00:00
11:43: Starting File Sweep
11:43: File Sweep Complete, Elapsed Time: 00:00:19
11:43: Full Sweep has completed. Elapsed time 00:02:20
11:43: Traces Found: 2
11:43: Removal process initiated
11:43: Quarantining All Traces: cws_analyzeie
11:43: Removal process completed. Elapsed time 00:00:01
********


According to Webroot statistics, this virus CWS_AnalyzeIE ranks fourth place in Webroot Spy audit results :

> Here is the break down from the most recent Webroot Spy Audit results. Out of 1.49 million machines:

> CoolWWW -- 227,513
> CWS AboutBlank -- 187,246
> CWS sp.html hijack -- 7,439
> CWS_AnalyzeIE -- 7,569
> CWS_Cassandra -- 6,860
> CWS_Directwebsearch Hijacker -- 9,904
> CWS_Ehttp Hijacker -- 16,978
> CWS_Hputi -- 9,130
> CWS_iesprt -- 5,616
> CWS_mailhook -- 5,203
> CWS_NS3 -- 167,897
> CWS_NS3 Hijacker -- 57,123
> CWS_xplugin -- 9,732

> Total CWS -- 718,210


I've not been able to find the traces Spy Sweeper is reporting by using Regedit. Also if I'm running safe mode, Spy Sweeper finds the virus but can't remove it as every time I run Spy Sweeper, it report the same back.

I hope you could help
Thanks !

Regards,
Johan

[Excal]

Try running this:

Run this online virus scan: ActiveScan - Please save and post the results from the scan!


it gives the actualy Registry entry when found.


also it just might be a random key left behind by the adware.

I think it would serve you well to clean your registry!

• Please dowload: RegSeeker.
• Click on "Clean The Registry" in the left panel.
• Check all boxes (make sure the backup box in the lower left corner is selected!).
• After it runs, click "Select All" on the bottom, then right-click on any selected item in the window and select "Delete Selected Items".
• Click "Quit RegSeeker".

Now, open any of your installed programs, and make sure that everything opens ok. If so, reboot, then go back and run the RegSeeker again, do the same thing again if anything is found. When RegSeeker finds nothing else, then it's clean!

[johanvd]

Hi Excal,

I followed your recommendations and please find the Activescan report below -

Incident Status Location

Hacktool:Hacktool/Processor No disinfected C:\Documents and Settings\Johan\Application Data\Mozilla\Firefox\Profiles\k0ime0xr.default\Cache\E044217Bd01[Process.exe]

The RegSeeker program has removed all obsolete or unused entries but with no luck.
Spy Sweeper still finds the traces of CWS_AnalyzeIE in the registry.
I tried to locate this traces with RegSeeker but the entry itself does not exist
HKU\WRSS_Profile_S-1-5-21-842925246-1606980848-854245398-500\software\microsoft\windows\currentversion\run\ || smssu (ID = 116936)
HKU\WRSS_Profile_S-1-5-21-842925246-1606980848-854245398-500\software\microsoft\windows\currentversion\run\ || tmntsrv32 (ID = 116939)

If I can do anything more, please let me know.

Looking forward to hearing from you.

Regards,
Johan

[Excal]

download next tool to your desktop:

http://users.pandora...patchy/FixO.exe

Doubleclick FixO.exe and choose install.
This will create a new folder on your desktop called FixO
Open the folder and doubleclick FixO.bat

It will generate a log afterwards. Copy and paste the contents of that log together with a new hijackthislog.

[johanvd]

Hi Excal,

I downloaded this program before and back then, it found a virus and removed it.

This is the content of the fresh new log -

running from ---
C:\Program Files\CoolWWWsearch\FixO

StartPAge.O Removal batch 1.00

by miekiemoes

°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°
existing bad files:
-----------------------------------------------------


existing important bad keys:
-----------------------------------------------------


Merging Registry----------


Deleting Files-------------


Searching for files not deleted:
-----------------------------------------------------


Searching for keys not deleted:
-----------------------------------------------------


Please find the new Hijackthislog below -

Logfile of HijackThis v1.99.1
Scan saved at 19:59:32, on 15/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\system32\spoolsv.exe
C:\WINXP\Explorer.EXE
C:\Program Files\Hitman Pro\srhelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Bluetooth\BTNtService.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINXP\System32\nvsvc32.exe
C:\WINXP\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\CoolWWWsearch\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINXP\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINXP\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINXP\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINXP\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Hitman Pro SurfRight Helper] "C:\Program Files\Hitman Pro\srhelper.exe"
O4 - Startup: Outlook Express.lnk = C:\Program Files\Outlook Express\msimn.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123770895973
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1123770876535
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\Bluetooth\BTNtService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINXP\System32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

Looking forward to your reply.

Thank you,
Johan

[Excal]

You still getting those entries. If so can you tell me exactly what they are and all the info you have on them so we can get you taken care of


Thanks,



Excal

[johanvd]

Hi Excal,

Okay, I runned Spy Sweeper and this is the online information from Webroot regarding CWS_AnalyzeIE ;

ADWARE Description:

Name:

CWS_AnalyzeIE

Author:

Category: Adware

Threat Assessment: Medium

Description:

CWS_AnalyzeIE has the ability to hijack your Web searches, home page, and Internet Explorer settings.

Characteristics:

CWS_AnalyzeIE has the ability to redirect your Web searches through its own search engine and change your default home page. This hijacker may also change your Internet Explorer settings.

Method of Infection:
x

Additional Comments:


I noticed a few days ago that Internet Explorer changes the startup page to www.google.com. First, I was not sure about this but yesterday it happened again.

This is the report from Spy Sweeper :

********
22:44: |··· Start of Session, maandag 15 augustus 2005 ···|
22:44: Spy Sweeper started
22:44: Sweep initiated using definitions version 516
22:44: Starting Memory Sweep
22:46: Memory Sweep Complete, Elapsed Time: 00:02:24
22:46: Starting Registry Sweep
22:47: Found Adware: cws_analyzeie
22:47: HKU\WRSS_Profile_S-1-5-21-842925246-1606980848-854245398-500\software\microsoft\windows\currentversion\run\ || smssu (ID = 116936)
22:47: HKU\WRSS_Profile_S-1-5-21-842925246-1606980848-854245398-500\software\microsoft\windows\currentversion\run\ || tmntsrv32 (ID = 116939)
22:47: Registry Sweep Complete, Elapsed Time:00:00:08
22:47: Starting Cookie Sweep
22:47: Found Spy Cookie: toplist cookie
22:47: johan@toplist[1].txt (ID = 3558)
22:47: Found Spy Cookie: metriweb.be cookie
22:47: johan@metriweb[1].txt (ID = 2993)
22:47: Cookie Sweep Complete, Elapsed Time: 00:00:00
22:47: Starting File Sweep
22:47: File Sweep Complete, Elapsed Time: 00:00:21
22:47: Full Sweep has completed. Elapsed time 00:02:56
22:47: Traces Found: 4
22:59: Removal process initiated
22:59: Quarantining All Traces: cws_analyzeie
22:59: Quarantining All Traces: toplist cookie
22:59: Quarantining All Traces: metriweb.be cookie
22:59: Removal process completed. Elapsed time 00:00:05
********

I did a search on this virus but most users seem to quit searching because Spy Sweeper only reports this problem and most of the time, the computer is running fine. Hope to resolve this infection

Thanks for replying so quickly.

Johan

[Excal]

Silent Runners:

• Please click this link to download Silent Runners.
• Save it to the desktop.
• Run Silent Runner's by doubleclicking the "Silent Runners" icon on your desktop.
• You will see a text file appear on the desktop - it's not done yet, just let it run (it won't appear to be doing anything!)
• Once you receive the prompt "All Done!", double-click on the new text file on the desktop and copy that entire log and paste it here.
  
  
• NOTE* If you receive any warning message about scripts, please choose to allow the script to run.
  For some time it will look like nothing is happening. Just keep waiting.
  
• Once it's done it will create a log. A window will come up telling you when it's saved. Please post that log here

[johanvd]

Okay, done that. Here is the result -

"Silent Runners.vbs", revision 39, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NVIEW" = (empty string)
"Hitman Pro SurfRight Helper" = ""C:\Program Files\Hitman Pro\srhelper.exe"" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"IMJPMIG8.1" = ""C:\WINXP\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32" [MS]
"PHIME2002ASync" = "C:\WINXP\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC" [MS]
"PHIME2002A" = "C:\WINXP\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName" [MS]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINXP\System32\NvCpl.dll,NvStartup" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Configuratiescherm-uitbreiding Beeldscherm-panning"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal-pictogramuitbreiding"
-> {CLSID}\InProcServer32\(Default) = "C:\WINXP\System32\hticons.dll" ["Hilgraeve, Inc."]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {CLSID}\InProcServer32\(Default) = "C:\WINXP\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINXP\System32\nvshell.dll" ["NVIDIA Corporation"]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{30E573DD-ED36-11D4-AA7E-00902709370B}" = "HexShellExt"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\HexEdit\HexExt.dll" [empty string]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINXP\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINXP\system32\Audiodev.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]
HexShellExt\(Default) = "{30E573DD-ED36-11D4-AA7E-00902709370B}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\HexEdit\HexExt.dll" [empty string]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


Default executables:
--------------------

.HTA: HKLM\SOFTWARE\Classes\htafile\shell\open\command\
INFECTION WARNING! "Default" = "C:\WINDOWS\system32\mshta.exe "" "


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Johan\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Startup items in "Johan" & "All Users" startup folders:
-------------------------------------------------------

C:\Documents and Settings\Johan\Menu Start\Programma's\Opstarten
"Outlook Express" -> shortcut to: "C:\Program Files\Outlook Express\msimn.exe" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{2D663D1A-8670-49D9-A1A5-4C56B4E14E84}\
"ButtonText" = "Spyware Doctor"
"CLSIDExtension" = "{A1EDC4A1-940F-48E0-8DFD-E38F1D501021}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll" ["GuideWorks Pty. Ltd."]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

BlueSoleil Hid Service, BlueSoleil Hid Service, "C:\Program Files\Bluetooth\BTNtService.exe" [null data]
ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
ewido security suite guard, ewido security suite guard, "C:\Program Files\ewido\security suite\ewidoguard.exe" ["ewido networks"]
NVIDIA Driver Helper Service, NVSvc, "C:\WINXP\System32\nvsvc32.exe" ["NVIDIA Corporation"]
Webroot Spy Sweeper Engine, svcWRSSSDK, "C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe" ["Webroot Software, Inc."]
Windows User Mode Driver Framework, UMWdf, "C:\WINXP\system32\wdfmgr.exe" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 14 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 14 seconds.
---------- (total run time: 62 seconds)

Hopefully, this gives a clue.

Thanks,
Johan

[Excal]

Launch Notepad, and copy/paste the box below into a new text file. Save it as fixme.reg (make sure that Save as Type is set at "All Files") on your Desktop. Ensure there is no space at above REGEDIT 4.

REGEDIT4

[HKEY_USERS\WRSS_Profile_S-1-5-21-842925246-1606980848-854245398-500\software\microsoft\windows\currentversion\run\]
"smssu"=-
"tmntsrv32"=-

Locate fixme.reg on your Desktop and double-click on it. You will receive a prompt similar to: "Do you wish to merge the information into the registry?". Answer "Yes" and wait for a message to appear similar to "Merged Successfully".

Reboot. Then run another spysweeper and let me know

Thanks,



Excal

[johanvd]

Followed every step, I get a prompt "Are you sure you want to merge [file name] to the register ?".

When I click on 'Yes", it says "Could not merge [filename], error occured while trying to get access to the register".

Should I run in safe mode ?

Kind regards,
Johan

[Excal]

Please try this:

Launch Notepad, and copy/paste the box below into a new text file. Save it as fixme2.reg (make sure that Save as Type is set at "All Files") on your Desktop. Ensure there is no space at above REGEDIT 4.

REGEDIT4

[HKEY_USERS\WRSS_Profile_S-1-5-21-842925246-1606980848-854245398-500\software\microsoft\windows\currentversion\run]
"smssu"=-
"tmntsrv32"=-

reboot into safe mode


Locate fixme2.reg on your Desktop and double-click on it. You will receive a prompt similar to: "Do you wish to merge the information into the registry?". Answer "Yes" and wait for a message to appear similar to "Merged Successfully".

reboot into normal mode and runs spysweeper again.

Thanks,



Excal

[johanvd]

Hi Excal,

Problem solved

When I rebooted in safe mode, I could choose between my user name and "administrator". The account "administrator" had different entries in the registry and there I found the items 'SMSSU' and 'TMNTSRV32' with Regedit. When these items were deleted, Spy Sweeper no longer reported the 'CWS_AnalyzeIE' virus.

I really want to thank you for all your help.

Keep up the good work and have a lovely day in the US

Take care,
Johan