RKinner
2 Intern
5.9K Posts
May 5th, 2005 15:00
Get a copy of winsockxpfix.exe before you do anything. This is just a safety item in case you can't get on the internet afterwards. You don't run it until afterwards, and then only if you can't get back on the internet. You just run it and things should work OK after it reboots your system.
Also download and install ccleaner.exe from http://www.ccleaner.com. Don't let it clean anything yet.
Start, then right click on My Computer and press Manage. In the new window, Services and Applications, then Services. In the right pane scroll down and find the Workstation NetLogon Service. Double click on it and then set the Start Type to Disabled. Then OK.
Now shut down and reboot into Safe Mode by tapping the F8 key when you see the PC maker's logo. Keep tapping until it tells you it is going to Safe Mode or you see the Safe Mode menu. Select the top option.
Run AboutBuster twice and let it Scan and shut down Explorer if it wants to.
Run HijackThis and just do a Scan only. Check and then Fix Checked the following:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\rhuzn.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rhuzn.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\rhuzn.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\rhuzn.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rhuzn.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\rhuzn.dll/sp.html#12345
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {7738D4CE-735C-6768-041D-713E7E2F8E97} - C:\WINDOWS\system32\sdkkn.dll
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\ntjq32.exe (file missing)
Reboot and run AboutBuster one more time, then do a new HijackThis Scan and REPLY to this thread and paste the log.
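The entries RKinner picks out above are the classic about:blank hijack pattern: Internet Explorer's search and start values pointing at a page served from inside a DLL via `res://`, the default URLSearchHook deleted, an unnamed browser helper object, and a service whose executable is already gone. The following Python script is an added example, not RKinner's method and not HijackThis code: it parses the R0/R1/R3, O2 and O23 line formats as they appear in the log and flags exactly those indicators. The regexes are my own reading of the HijackThis 1.99 log layout, and the sample log is constructed from the entries in the thread plus a few benign lines of the kind a clean log contains.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Line formats as they appear in a HijackThis 1.99 log (regexes written for this
# example from the entries in the thread; this is not HijackThis' own parser).
IE_VALUE = re.compile(r"^R[013] - (?P<key>[^=]*?)\s*=\s*(?P<value>.*)$")
BHO = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
SERVICE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
# A search/start page living inside a DLL (res://...dll/...) is the about:blank /
# CWS signature; a normal value is an http(s) URL, about:blank, or empty.
RES_DLL = re.compile(r"^res://.+\.dll/", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    line: str
    reason: str


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for one log line, or None if nothing looks wrong."""
    line = line.strip()
    if line == "R3 - Default URLSearchHook is missing":
        return Finding(line, "default URLSearchHook deleted (hijackers remove it to take over searches)")
    m = IE_VALUE.match(line)
    if m:
        if RES_DLL.match(m.group("value")):
            return Finding(line, "IE search/start value is a page served from a DLL")
        return None  # http URLs, about:blank and empty values are normal here
    m = BHO.match(line)
    if m and m.group("name").strip() == "(no name)":
        return Finding(line, "unnamed BHO loaded into Internet Explorer")
    m = SERVICE.match(line)
    if m:
        if "(file missing)" in m.group("path"):
            return Finding(line, "service registered but its binary is missing")
        if not m.group("name").isascii():
            # Heuristic only: legitimate services on non-English systems can carry
            # non-ASCII names; the garbage display name in the thread is what this catches.
            return Finding(line, "service name contains non-ASCII characters")
    return None


def triage(log: str) -> List[Finding]:
    """Run triage_line over every line of a log and keep the hits, in log order."""
    return [f for f in map(triage_line, log.splitlines()) if f is not None]


# Constructed sample: the ten entries RKinner told mapipo to fix, interleaved
# with benign lines of the kind found in a clean log (Google Toolbar, McAfee).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mcb.harvard.edu/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\rhuzn.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rhuzn.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\rhuzn.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\rhuzn.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rhuzn.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\rhuzn.dll/sp.html#12345
R3 - Default URLSearchHook is missing
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {7738D4CE-735C-6768-041D-713E7E2F8E97} - C:\WINDOWS\system32\sdkkn.dll
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\ntjq32.exe (file missing)
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"{finding.reason}\n    {finding.line}")
```

Two design points: the `about:blank` Default_Page_URL line is deliberately not flagged, because the value itself is harmless (HijackThis lists it because the default was changed, but the marker of the infection is the `res://` DLL page); and the Google Toolbar's own `res://...GoogleToolbar2.dll/...` context-menu entries are O8 lines, which is why the DLL check is applied only to the R0/R1 search and start values.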
mapipo
5 Posts
May 5th, 2005 16:00
Hi,
As I was waiting for an answer I continued searching forums for an answer on my problem and found a page telling about a program called CWShredder (http://cwshredder.net/bin/CWShredder.exe). I ran that program and it found a version of CWS called HomeSearch and removed it. Everything went back to normal. It seems that you get that virus when you try to upgrade Windows XP Pro to SP2, because we did that recently on three computers in the lab and they all started to have problems afterwards. After I solved my problem with CWShredder, I ran it on the two other computers and it found the same CWS HomeSearch virus and the computers seemed to be OK afterwards. Surprisingly the symptoms on the three computers were different, even if the virus seems to have been the same (on my computer I had the Dr Watson Postmortem Debugger crash when I tried to open Windows Explorer and I could not open IE, on another computer it was always going to some search webpages and on the third it put an image on the desktop saying that the computer was infected and when you click on it, it tells you to download an anti-spyware program). These problems were not solved after running Ad-Aware or Spybot or a regular virus scan (McAfee), even if they all found various things that kept coming back after being deleted, but everything is back to normal on all these computers after running CWShredder.
Here is the log for my computer:
Logfile of HijackThis v1.99.1
Scan saved at 1:55:07 PM, on 5/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Dantz\Client\Remotsvc.exe
C:\Program Files\Dantz\Client\retroclient.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Eudora\Eudora.exe
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mcb.harvard.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [Tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe /server"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search Using Copernic Agent - C:\Program Files\Copernic Agent\Web\SearchExt.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {214488FB-DAC3-43AD-BC93-D05BD5DF237D} (InmxInstHelper Class) - http://www.invitrogen.com/downloads/InmxInstHlpn.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speedera.net/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CE69632C-FA12-4D37-AAC3-47519D72060C}: Domain = mcb.harvard.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{CE69632C-FA12-4D37-AAC3-47519D72060C}: NameServer = 140.247.21.22,140.247.22.22,140.247.30.30
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = mcb.harvard.edu,fas.harvard.edu,harvard.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = mcb.harvard.edu,fas.harvard.edu,harvard.edu
O18 - Protocol: ncbi8 - {2B576DD3-0B3E-4718-BCBF-B15E4FB8009D} - C:\Program Files\Informax\Vector NTI Suite 9\Ncbi.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB6p5\webserver\bin\win32\matlabserver.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: Retrospect Client - Dantz Development Corporation - C:\Program Files\Dantz\Client\Remotsvc.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Client\rthlpsvc.exe
Do you think I still need to do something more?
Sorry for trying something else in the meantime, but I did not know whether someone would answer me!
Thanks a lot for taking time to help
Matthieu
RKinner
2 Intern
5.9K Posts
May 5th, 2005 18:00
No problem. Glad it's gone. AboutBlank is a form of CWS but up till now CWShredder has not been up to the job. Either they improved it recently or you had an older form of the infection.
I should point out that the CWS was already on the system and is the cause of the debugger popping up when you install SP2. You did not get it from installing SP2.
It's always best to make sure the system is spyware free before trying to upgrade. Now that you have a clean system you need to get your systems updated completely.
Following is just my standard boilerplate that I send to every cleaned "client":
AntiSpyware Recommendations:
AdAware SE Personal (free version) is a good program to have.
http://www.lavasoftusa.com/software/adaware/
Another good one is Spybot Search & Destroy.
http://www.safer-networking.org/en/index.html
I like its immunize feature. Both work best in Safe Mode since if running, malware will often reinstall its files before you can reboot. Both of these also remove tracking cookies from ad companies which MicrosoftAntiSpy (also recommended: www.microsoft.com) doesn't, so don't be surprised if they come up with hundreds of tracking cookies the first time you run them. Cookies are not a big threat so you can remove them or not.
I also recommend Spyware Blaster as a preventive measure.
http://www.javacoolsoftware.com/spywareblaster.html
This is another program which immunizes you against infections. Spybot puts a long list of nasty sites in your Hosts file and tells the computer that they can be reached at 127.0.0.1, which is itself. This effectively keeps the computer from ever going to the sites. Blaster puts a similar list in your Restricted Zone so that IE can't go there.
Spybot also offers download protection similar to that of AntiSpy. When you download something you have to really want to run it since both programs ask you if you are sure.
One other thing you should do: Now that the HijackThis log is clean, you can run HijackThis again and check everything then Add Checked to Ignore List. Repeat once since some benign things seem to be hidden and may show up on the second scan. When you do this you can do a Scan and only new stuff will show up. You can also configure HijackThis to run at boot and to pop up if it finds anything new so you will have an early warning of an infection. You can then decide yourself by googling for the .exe or .dll file whether this is something you want to keep or not, or you can send the new log to me. I'm totally bored at work so I welcome all questions.
For all systems: Empty the Recycle Bin. Right click on it and select Empty the Recycle Bin. You should probably also remove the files in the Recycler folder. Do this by first right clicking on the Recycle Bin and then Properties, then check Do not move files to the Recycle Bin and then Apply or OK. Now right click on Start and select Explore, then find c:\Recycler. You will see one or more files with names like S-1-5-21-163033........ Highlight each and press the delete key. Then close Explorer and go back to the Recycle Bin and uncheck Do not move files to the Recycle Bin and OK.
For XP systems: Now that your computer is running well and is clean you should toggle System Restore Off and On, then make a manual Restore Point and call it something like Clean. This will do two things. It will remove any old copies of the spyware saved in the System Restore and it makes sure you have a way of returning to this nice clean state. Start, Control Panel, System, System Restore, then check Turn Off System Restore, then Apply, then when it finishes, uncheck the box and Apply. To make a manual Restore Point is a bit harder to explain but usually you do Start, then there is a box called Solutions or Help and Support provided by the PC maker. One of the options is System Restore. You can always do Start, All Programs, Accessories, System Tools, System Restore to get there. Then choose Create a Restore Point, Next, then give it a name like Clean and then Create. If you download something that causes problems you can always go back to Clean or one of your automatically created Restore Points.
There are two online AntiVirus programs that are very good (and free).
http://www.pandasoftware.com//activescan/activescan.asp?
Make sure your Microsoft Autoupdates are turned on. Start, Control Panel, Automatic Updates.
One final defense is Zone Alarm. The free version does a great job of protecting your computer from outside threats and warning you that something inside wants to go to the internet. XP has a firewall too but it does not warn you about outgoing threats. No home computer should be without it.
Select Free Download and during the install decline the offer of a free trial. When something tries to go to the Internet, Zone Alarm will pop up and tell you that such and such a program wants to go to the Internet or, worse, act as a server. If it's something you don't know then you say Remember this and then NO and then start doing some antispyware scanning. You can turn off the XP Firewall if you install Zone Alarm.
ky331
3 Apprentice
15.6K Posts
May 5th, 2005 19:00
Just want to ask, can you check and let us know what version of CWShredder you ran? As RKinner has indicated, to the best of our knowledge here, CWShredder hadn't been up to the job of handling the Dr. Watson problem, which has been torturing many forum members here.
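The hosts-file immunization RKinner describes in his recommendations above (a long list of ad and malware sites mapped to 127.0.0.1) works because the resolver consults the hosts file before it ever asks DNS, so a sinkholed name never leaves the machine. The script below is an added example, not Spybot's or SpywareBlaster's code: it parses a hosts file in the Windows layout, reports whether a name is sinkholed, and also runs the reverse check a defender wants, since the same mechanism lets malware redirect vendor or update sites to a foreign address (the entries HijackThis reports in its O1 section). The sample file and the `.test` domains in it are constructed.

```python
import ipaddress
from typing import Dict, List, Tuple

# Addresses immunizers use to sinkhole a name: loopback (what Spybot writes,
# per the post above) and the unspecified address some blocklists prefer.
SINKHOLES = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text: str) -> Dict[str, str]:
    """Map each hostname to the address of its first hosts-file entry.

    Format: <address> <name> [<name> ...] with optional '#' comments. The first
    line naming a host wins, which is how the resolver reads the file.
    """
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding space
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not a valid address: the resolver ignores such lines too
        for name in fields[1:]:
            table.setdefault(name.lower(), fields[0])
    return table


def is_blocked(table: Dict[str, str], hostname: str) -> bool:
    """True if the hosts file sends hostname to a sinkhole instead of DNS."""
    return table.get(hostname.lower()) in SINKHOLES


def suspicious_redirects(table: Dict[str, str], watched: List[str]) -> List[Tuple[str, str]]:
    """Watched names that the hosts file sends somewhere other than a sinkhole.

    The mechanism that immunizes can also hijack: an entry pointing an update or
    vendor site at a foreign address is answered before DNS is consulted.
    """
    hits: List[Tuple[str, str]] = []
    for name in watched:
        addr = table.get(name.lower())
        if addr is None or addr in SINKHOLES or ipaddress.ip_address(addr).is_loopback:
            continue
        hits.append((name, addr))
    return hits


# Constructed sample hosts file in the layout Windows XP uses; the domain names
# are placeholders under .test, not real sites.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# Start of entries inserted by an immunizer (constructed sample)
127.0.0.1   ads.example.test
127.0.0.1   www.ads.example.test   banners.example.test   # two names on one line
0.0.0.0     tracker.example.test
# An entry no immunizer writes: it redirects a vendor site to a foreign host
10.0.0.99   update.example-av.test
"""

if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    for name in ("ads.example.test", "banners.example.test", "www.example.test"):
        print(f"{name}: {'sinkholed' if is_blocked(table, name) else 'resolved via DNS'}")
    for name, addr in suspicious_redirects(table, ["update.example-av.test", "localhost"]):
        print(f"redirect: {name} -> {addr}")
```

Note that names are compared case-insensitively and that only the first entry for a name counts; a malicious line appended after an immunizer's block for the same name is therefore ignored, but one inserted before it is not, which is why an audit should read the whole file rather than grep for the immunizer's comment marker.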
RKinner
2 Intern
5.9K Posts
May 5th, 2005 20:00
ky331
3 Apprentice
15.6K Posts
May 5th, 2005 22:00
Fascinating.... I've been following the Watson problem for quite a while now, and recall that SpotCheckBilly was (is?) under the impression that neither version 2.13 nor 2.14 of CWShredder could clean up this problem --- see http://forums.us.dell.com/supportforums/board/message?board.id=si_virus&message.id=39306&query.id=203352#M39306
I've alerted Billy (and Bertha2) to the existence of this thread for his (/their) consideration.
Message Edited by ky331 on 05-06-2005 10:08 AM