VX2 and CoolWebSearch

I did the usual Spybot, CWShredder, and Ad-Aware but these pests keep returning on reboot. I looked at the Hijack This log and tried to remove items but I could not find the problem. Here is the log. Thanks for any help:

Logfile of HijackThis v1.99.0
Scan saved at 9:31:23 PM, on 1/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\wdnpsvc.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\PROGRA~1\CYBERG~1\cgasvc.exe
C:\PROGRA~1\CYBERG~1\cgagent.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Fidelity\Security Configuration\fconfsvc.exe
C:\Program Files\IBM\IBM Agent Controller\bin\RAService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\ppRemoteService.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\TpScrLk.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Lotus\Sametime Client\Connect.exe
C:\Program Files\Franklin Covey\Planner\Palm\HOTSYNC.EXE
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/cwn/Integrated%20TAXPL/Documents/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://fnw.fmr.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://fiisfls.fmr.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = IE 6.0 SP1 (FID r2.0)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://wpad.fmr.com:800/wpad.dat
O4 - HKLM\..\Run: [HKCU] C:\WINDOWS\system32\cmd.exe /C Start "HKCU Updates" /MIN "C:\Program Files\current profile updates\hkcu.exe"
O4 - HKLM\..\Run: [LockWS] LockWS.exe
O4 - HKLM\..\Run: [CheckRights] C:\Program Files\Fidelity\Security Configuration\chkrights.exe
O4 - HKLM\..\Run: [SystemVBS] C:\WINDOWS\System.VBS
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TPKBDLED] C:\WINDOWS\System32\TpScrLk.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [CgaHelper] C:\PROGRA~1\CYBERG~1\cgahelp.exe -check
O4 - HKLM\..\Run: [CgaViewer] C:\PROGRA~1\CYBERG~1\cgav.exe -check
O4 - HKLM\..\Run: [TOA_Runs] C:\WINDOWS\RVpnc.exe
O4 - HKLM\..\Run: [AeXAgentLogon] "C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe" /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\System32\kyvuuw.exe
O4 - HKCU\..\Run: [Sametime Connect] C:\Program Files\Lotus\Sametime Client\Connect.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: GetName.bat.lnk = C:\Infrtool\GetName.bat
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Franklin Covey\Planner\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office XP\Office10\OSA.EXE
O4 - Global Startup: nykggh.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://fnw.fmr.com/
O15 - Trusted Zone: *.bostoncoach.com
O15 - Trusted Zone: *.fid-intl.com
O15 - Trusted Zone: *.fidelity.ca
O15 - Trusted Zone: *.fidelity.com
O15 - Trusted Zone: *.fidelityinv.com
O15 - Trusted Zone: *.fmr.com
O15 - Trusted Zone: *.fmrco.com
O15 - Trusted Zone: *.maxxess.com
O15 - Trusted Zone: *.veritude.com
O15 - Trusted Zone: *.bostoncoach.com (HKLM)
O15 - Trusted Zone: *.fid-intl.com (HKLM)
O15 - Trusted Zone: *.fidelity.ca (HKLM)
O15 - Trusted Zone: *.fidelity.com (HKLM)
O15 - Trusted Zone: *.fidelityinv.com (HKLM)
O15 - Trusted Zone: *.fmr.com (HKLM)
O15 - Trusted Zone: *.fmrco.com (HKLM)
O15 - Trusted Zone: *.maxxess.com (HKLM)
O15 - Trusted Zone: *.veritude.com (HKLM)
O16 - DPF: JavaConnect - file://C:\SISD\JavaConnect.cab
O16 - DPF: Sametime BroadCast Client ST30IF2 - file://C:\SISD\STBroadcastClient.cab
O16 - DPF: Sametime Directory Applet ST30SP1 - file://C:\SISD\STDirectoryApplet.cab
O16 - DPF: Sametime Meeting Room Client ST20 - http://sametime.fmr....gRoomClient.cab
O16 - DPF: Sametime Meeting Room Client ST30SP1 - file://C:\SISD\STMeetingRoomClient.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan....r/axscanner.cab
O16 - DPF: {36F17E17-AC00-42BC-A6D9-294AD4E7DCD6} (Altiris ClientBootstraper Class) - http://fiscmmk650win...ntBootstrap.cab
O16 - DPF: {396A77D2-EDFD-423E-B695-FDA81675BA10} - http://pchealthcente...ealthClient.exe
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://www.installsh...ll/iftwclix.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - ftp://fcreweb.fmr.com/mgaxctrl.cab
O16 - DPF: {6E10F5D1-B3E1-4BC2-8E6F-DD859F10F66F} (CAgentLauncher Class) - http://antivirus.fmr.../CGAgentATL.dll
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://fiisfls.fmr.c...tivexviewer.cab
O16 - DPF: {CCF028C4-4631-11D3-90BD-00A0C9B727E1} (PVCS VM I-NET Client for MSIE) - http://dfpcmsbos02.f...es/vmi660ie.cab
O16 - DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} (WebBasedClientInstall Class) - https://access0.fide...mr.com,CT=java
O16 - DPF: {DF261D07-7E99-11D4-B2C7-009027A1F18A} (DDI Print Control Class v1.3 [ENU]) - http://10.41.29.55/d...rk/iedpwenu.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup155.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = fmr.com
O17 - HKLM\Software\..\Telephony: DomainName = fmr.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{4FE69FFD-B0A4-4212-B41F-C25C5EC32F0C}: NameServer = 172.25.10.15,172.26.5.82
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = fmr.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = fmr.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{4FE69FFD-B0A4-4212-B41F-C25C5EC32F0C}: NameServer = 172.25.10.15,172.26.5.82
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = fmr.com
O17 - HKLM\System\CS3\Services\Tcpip\..\{4FE69FFD-B0A4-4212-B41F-C25C5EC32F0C}: NameServer = 172.25.10.15,172.26.5.82
O23 - Service: Altiris Agent - Altiris, Inc. - C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe (file missing)
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CyberGatekeeper Agent - InfoExpress - C:\PROGRA~1\CYBERG~1\cgasvc.exe
O23 - Service: Symantec AntiVirus Definition Watcher - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Contivity VPN Service - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: Fidelity Workstation Configuration Service - Fidelity Investments - C:\Program Files\Fidelity\Security Configuration\fconfsvc.exe
O23 - Service: IBM Agent Controller - ECLIPSE - C:\Program Files\IBM\IBM Agent Controller\bin\RAService.exe
O23 - Service: IBM PM Service - Unknown - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: Rational ClearQuest Mail Service - Unknown - C:\Program Files\Rational\ClearQuest\mailservice.exe
O23 - Service: PestPatrol Remote - Computer Associates International, Inc. - C:\WINDOWS\system32\ppRemoteService.exe
O23 - Service: SAVRoam - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: RUMBA AS/400 Shared Folders - NetManage Incorporated - C:\WINDOWS\System32\wdnpsvc.exe

#1
WillamWallace95

Posted 27 January 2005 - 08:34 PM

Advertisements

#2
admin

Posted 28 January 2005 - 07:29 AM

Similar Topics

0 user(s) are reading this topic

As Featured On:

Forums

Downloads

Members

Connect With Us