
CWS smartsearch returns on boot

Status
Not open for further replies.

Sparci

MIS
Jun 16, 2004
29
GB
Folks,

Someone please advise.

After using several spyware programs:

Spybot
Ad-Aware
CWShredder

I'm still having real problems. CWS smartsearch seems to return every time I reboot, along with several others. My PC seems to run at 100% processor power even when it's idle.
My Norton found viruses and removed them, and still it runs at this speed.

Below is the output from HijackThis. Can someone please, please advise... got a lot of work to do on this PC this week, but it's not looking too rosy from where I'm sitting at the mo:

Logfile of HijackThis v1.97.7
Scan saved at 13:03:04, on 10/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM\winlogon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\smsc.exe
C:\WINDOWS\System32\MSPMSPSU.EXE
C:\WINDOWS\System32\msmsgs.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\WINDOWS\System32\ssms.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\WINDOWS\System32\MSlti16.exe
C:\WINDOWS\System32\vkigyz.exe
C:\WINDOWS\System32\sysentry32.exe
C:\WINDOWS\System32\csmss.exe
C:\WINDOWS\System32\wmplayer.exe
C:\WINDOWS\System32\fsecure.exe
F:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Smss] ssms.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [Win32 USB2 Driver] smsc.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\guwbuliy.exe
O4 - HKLM\..\Run: [System Update] C:\WINDOWS\System32\ebnvtq.exe
O4 - HKLM\..\Run: [restrictanonymous] 
O4 - HKLM\..\Run: [Microsoft AUT Update] MSlti16.exe
O4 - HKLM\..\Run: [nnlgvdbdp] C:\WINDOWS\System32\vkigyz.exe
O4 - HKLM\..\Run: [System Uptime Server] sysentry32.exe
O4 - HKLM\..\Run: [WIN95DEFVIEW] C:\WINDOWS\System32\csmss.exe
O4 - HKLM\..\Run: [Win32 NVIDIA Driver] MSPMSPSU.EXE
O4 - HKLM\..\Run: [Media Player] wmplayer.exe
O4 - HKLM\..\Run: [Windows Messenger] msmsgs.exe
O4 - HKLM\..\Run: [Norton Secure] fsecure.exe
O4 - HKLM\..\RunServices: [Smss] ssms.exe
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] smsc.exe
O4 - HKLM\..\RunServices: [EnableDCOM] N
O4 - HKLM\..\RunServices: [Microsoft AUT Update] MSlti16.exe
O4 - HKLM\..\RunServices: [System Uptime Server] sysentry32.exe
O4 - HKLM\..\RunServices: [Win32 NVIDIA Driver] MSPMSPSU.EXE
O4 - HKLM\..\RunServices: [Media Player] wmplayer.exe
O4 - HKLM\..\RunServices: [Windows Messenger] msmsgs.exe
O4 - HKLM\..\RunServices: [Norton Secure] fsecure.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [Smss] ssms.exe
O4 - HKCU\..\Run: [Win32 USB2 Driver] smsc.exe
O4 - HKCU\..\Run: [Microsoft AUT Update] MSlti16.exe
O4 - HKCU\..\Run: [Win32 NVIDIA Driver] MSPMSPSU.EXE
O4 - HKCU\..\Run: [Windows Messenger] msmsgs.exe
O4 - HKLM\..\RunOnce: [Win32 USB2 Driver] smsc.exe
O4 - HKLM\..\RunOnce: [Win32 NVIDIA Driver] MSPMSPSU.EXE
O4 - HKLM\..\RunOnce: [Windows Messenger] msmsgs.exe
O4 - HKCU\..\RunOnce: [Win32 NVIDIA Driver] MSPMSPSU.EXE
O4 - HKCU\..\RunOnce: [Windows Messenger] msmsgs.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.btopenworld.com
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - file://c:\program files\internet explorer\plugins\awswaxf.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
Cheers
 
Hi there, I haven't found any reference for the following progies, so they are suspect and should be quarantined by HijackThis...

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\guwbuliy.exe
O4 - HKLM\..\Run: [System Update] C:\WINDOWS\System32\ebnvtq.exe
O4 - HKLM\..\Run: [restrictanonymous]
O4 - HKLM\..\Run: [nnlgvdbdp] C:\WINDOWS\System32\vkigyz.exe


The following keys should definitely be deleted, see the link following the keys...

O4 - HKLM\..\RunOnce: [Win32 USB2 Driver] smsc.exe
O4 - HKLM\..\Run: [Win32 USB2 Driver] smsc.exe
O4 - HKCU\..\Run: [Win32 USB2 Driver] smsc.exe


I hope that was all that I've found so far, maybe someone else can give more insight into the others...

Ben

If it works don't fix it! If it doesn't use a sledgehammer...
 
Note: If you're not disabling System Restore before running your removal tools (namely CWShredder), you're going to allow the malware to repopulate every time.

Tired of waiting for an answer? Try asking better questions. See: faq222-2244
 
Cheers guys.

Will try removing those entries when I get home.

System Restore has been turned off, plus I've been running CWShredder etc. in safe mode. But smartsearch returns on boot every time. Must be a hidden DLL somewhere?

 
You've got further virus trouble: discussed entries related to C:\WINDOWS\System32\MSlti16.exe, which is also in your RunServices.

Additionally, all of these files:
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\WINDOWS\System32\MSlti16.exe
C:\WINDOWS\System32\vkigyz.exe
C:\WINDOWS\System32\sysentry32.exe
C:\WINDOWS\System32\csmss.exe
C:\WINDOWS\System32\wmplayer.exe
C:\WINDOWS\System32\fsecure.exe
in your System folder are trouble.

You need to do some thorough virus/worm removal.
You might start here:

Tired of waiting for an answer? Try asking better questions. See: faq222-2244
 
Hopefully the Trend Micro scan would get these too, but I think these are also bad:
O4 - HKLM\..\RunServices: [Smss] ssms.exe
O4 - HKCU\..\Run: [Smss] ssms.exe

And, because of the location, I also wonder about this one:
O4 - HKLM\..\RunServices: [Media Player] wmplayer.exe
C:\WINDOWS\System32\wmplayer.exe
The file name is valid, but I'm not sure it is in the right place.

-------------------------------------
It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?
 
Hi there,

as Diogenes10 suggested, the SMSS.EXE file should also be deleted, see the following link:

securityresponse.symantec.com/avcenter/venc/data/w32.gismor@mm.html

Always update your antivirus software to the latest and do multiple scans once you've been infected... also check your AUTOSTART progies for changes, best use the TeaTimer out of Spybot and/or use The Cleaner (moosoft.com), it has functions similar to the TeaTimer...



Ben

If it works don't fix it! If it doesn't use a sledgehammer...
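The replies above apply a few checks by hand: an autostart entry with no path at all (just `ssms.exe`), a file name that imitates a core Windows process (`ssms`, `smsc`, `csmss` next to the real `smss.exe`), a genuine file name sitting in the wrong directory (`wmplayer.exe` under System32), and the advice to watch your autostart entries for changes. As an added example, not code from this thread, from HijackThis or from Tek-Tips, the following Python script automates those checks over HijackThis-style log text and diffs the O4 entries against a clean baseline. The line formats, the core-process name list and the expected install directories are assumptions based on the log quoted above; the sample logs are constructed from a handful of its lines.

```python
"""Triage helpers for HijackThis-style logs (added example; the line formats,
CORE_NAMES and EXPECTED_DIR are assumptions drawn from the log in this thread)."""
from __future__ import annotations
import re
from dataclasses import dataclass

# O4 autostart entry:  O4 - HKLM\..\Run: [Name] command
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*?)\s*$")
# "Running processes" line: an absolute path to an executable
PROC_RE = re.compile(r"^[A-Za-z]:\\.+\.exe$", re.IGNORECASE)

# Core Windows process names that malware likes to imitate (assumption: XP-era list)
CORE_NAMES = {"smss", "csrss", "lsass", "svchost", "winlogon", "services", "explorer", "spoolsv"}
# Where the genuine copy of a well-known binary lives on XP (assumption; lower-cased)
EXPECTED_DIR = {
    "wmplayer.exe": r"c:\program files\windows media player",
    "msmsgs.exe": r"c:\program files\messenger",
    "winlogon.exe": r"c:\windows\system32",
    "smss.exe": r"c:\windows\system32",
}

@dataclass(frozen=True)
class Autostart:
    hive: str
    key: str
    name: str
    cmd: str

def parse_autostarts(log: str) -> list[Autostart]:
    return [Autostart(**m.groupdict()) for m in map(O4_RE.match, log.splitlines()) if m]

def parse_processes(log: str) -> list[str]:
    return [ln.strip() for ln in log.splitlines() if PROC_RE.match(ln.strip())]

def _edit_distance(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike(exe: str) -> str | None:
    """Core process name that this file name imitates (anagram or one edit away), if any."""
    stem = exe.lower().rsplit(".", 1)[0]
    if stem in CORE_NAMES:
        return None  # the genuine name is not a lookalike
    for core in CORE_NAMES:
        if sorted(stem) == sorted(core) or _edit_distance(stem, core) == 1:
            return core
    return None

def first_exe(cmd: str) -> str:
    """Bare file name of the first token of the command, honouring a quoted path."""
    cmd = cmd.strip()
    tok = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else (cmd.split()[0] if cmd else "")
    return tok.rsplit("\\", 1)[-1]

def triage_autostart(a: Autostart) -> list[str]:
    cmd = a.cmd.strip()
    if not cmd:
        return ["empty value: nothing runs, but something wrote this key"]
    findings, exe = [], first_exe(cmd)
    # rundll32 is normally written without a path, so it is exempt from the bare-name check
    if "\\" not in cmd.split()[0].strip('"') and exe.lower() != "rundll32.exe":
        findings.append("bare file name: resolved via the search path, not a fixed location")
    core = lookalike(exe)
    if core:
        findings.append(f"name {exe!r} imitates core process {core}.exe")
    if a.key.lower() == "runservices":
        findings.append("RunServices: Windows 9x-era key that current XP software seldom uses")
    return findings

def triage_processes(paths: list[str]) -> dict[str, str]:
    out = {}
    for p in paths:
        directory, _, exe = p.lower().rpartition("\\")
        expected = EXPECTED_DIR.get(exe)
        if expected and directory != expected:
            out[p] = f"genuine {exe} is expected under {expected}"
        elif lookalike(exe):
            out[p] = f"file name imitates {lookalike(exe)}.exe"
    return out

def triage_log(log: str) -> dict[str, list[str]]:
    """Findings keyed by 'HIVE Key [Name]' for autostarts and by path for processes."""
    report = {f"{a.hive} {a.key} [{a.name}]": f for a in parse_autostarts(log) if (f := triage_autostart(a))}
    report.update({p: [why] for p, why in triage_processes(parse_processes(log)).items()})
    return report

def diff_autostarts(baseline: str, current: str) -> tuple[set[Autostart], set[Autostart]]:
    """(added, removed) O4 entries relative to a clean baseline log."""
    old, new = set(parse_autostarts(baseline)), set(parse_autostarts(current))
    return new - old, old - new

# Constructed sample: a few lines copied from the log quoted in this thread
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM\winlogon.exe
C:\WINDOWS\System32\wmplayer.exe
C:\WINDOWS\System32\csmss.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Smss] ssms.exe
O4 - HKLM\..\Run: [Win32 USB2 Driver] smsc.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\guwbuliy.exe
O4 - HKLM\..\Run: [restrictanonymous]
O4 - HKLM\..\RunServices: [Media Player] wmplayer.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
"""
# Constructed baseline: what the same machine's O4 section might have looked like when clean
BASELINE_LOG = r"""
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
"""

if __name__ == "__main__":
    for item, reasons in triage_log(SAMPLE_LOG).items():
        print(item, "->", "; ".join(reasons))
    added, removed = diff_autostarts(BASELINE_LOG, SAMPLE_LOG)
    print("added since baseline:", sorted(a.name for a in added), "removed:", sorted(a.name for a in removed))
```

The heuristics are deliberately cheap: they flag the entries the thread's replies flagged (the `smss` lookalikes, the pathless names, the empty `restrictanonymous` value, the misplaced `winlogon.exe` and `wmplayer.exe`) while leaving the HP, Symantec and NVIDIA entries alone. A bare file name is worth noting even when it belongs to a real program, because Windows resolves it through the search path rather than a fixed location; the baseline diff is the practical form of the "check your autostart entries for changes" advice.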
 
Ok

What I had to do.......

After trying and failing miserably to do an online virus scan, I downloaded Stinger from McAfee. This found a lot of entries, 41 in total, and automatically cleaned them.

I then re-ran all spyware programs and CWShredder (in safe mode, System Restore turned off). Then immunized.

Booted the system back up and then went online to Trend Micro and did a virus scan (no problems this time), more entries found and deleted.

Next was the installation of XP 1a. I was using Norton on the machine but that's me finished with it, not as good as Norton likes to make out - in my opinion.

I'm now using AVG virus scan (freeware), which seems to do nicely. The PC seems to be going fine again.

Thanks for all the help guys.

Cheers.
 
For best security you should do something for spyware as well as viruses/trojans. Two products commonly recommended are SpywareBlaster and IE-SPYAD. Setting up Spybot with its Immunize function and SpywareBlaster would give you some level of additional protection.

You can read this for a few additional comments:

-------------------------------------
It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?
 