Spyware begone! Please?

Triumph (Lifer, joined Oct 9, 1999)
All attempts thus far to permanently remove CoolWebSearch from my PC have failed. CWS Smartkiller removal tool says no CWS present. CWShredder won't remove it. Spybot and Adaware will find it and remove it, but it comes back. Have run multiple virus scans, multiple scans in safe mode, installed IE-Spyad, switched to Mozilla for browsing spyware prone websites (hahaha), running latest version of Kerio, etc. Nothing odd in my startup files, nothing odd in my Task Manager. Have tried every combination of the above: keeps coming back. And now it's starting to install some Casino Online thing!

HELP!

Logfile of HijackThis v1.97.7
Scan saved at 7:13:57 PM, on 6/8/2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
D:\SYMANT~1\DefWatch.exe
C:\WINNT\System32\svchost.exe
D:\Kerio\Personal Firewall 4\kpf4ss.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
d:\WebDrive\wdService.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
D:\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINNT\Explorer.EXE
D:\Kerio\Personal Firewall 4\kpf4gui.exe
D:\LOGITE~1\SYSTEM\EM_EXEC.EXE
D:\Philips Sound Agent 2\skin\QveCplSk.EXE
D:\WebDrive\webdrive.exe
D:\AIM5~1.5\aim.exe
d:\Winamp\winamp.exe
d:\Acrobat\Reader\AcroRd32.exe
D:\Spyware tools\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\femhb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\femhb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\femhb.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\femhb.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\femhb.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\femhb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {0F1D8BB6-F656-4EE3-96A1-5FCA18DE0131} - c:\winnt\system32\fhgk.dll (file missing)
O2 - BHO: (no name) - {11468F16-BFBC-4A43-B360-511D718A7272} - c:\winnt\system32\nhaif.dll (file missing)
O2 - BHO: (no name) - {38A4AA36-D561-43B8-81D3-8B4AC4F9B453} - c:\winnt\system32\kgo.dll (file missing)
O2 - BHO: (no name) - {42B2FA6F-1FF1-4CEF-B68C-042BEC5B619D} - c:\winnt\system32\hipel.dll (file missing)
O2 - BHO: (no name) - {437610DE-89A3-492A-BFC2-0EF2ACD5ADC1} - c:\winnt\system32\mglkid.dll (file missing)
O2 - BHO: (no name) - {552083AD-C560-462C-96D4-85014C2A85A3} - c:\winnt\system32\cfbfkpa.dll (file missing)
O2 - BHO: (no name) - {57BD46B5-6E7A-45DE-A9AE-3D59118A636C} - c:\winnt\system32\efed.dll (file missing)
O2 - BHO: (no name) - {79E77E36-2B94-4BD9-A5E7-D8D3DC553334} - c:\winnt\system32\ajpnl.dll (file missing)
O2 - BHO: (no name) - {852F1BF3-F8C0-4872-A507-5DBE2F603465} - c:\winnt\system32\jimgpb.dll (file missing)
O2 - BHO: (no name) - {87844341-8FEE-413F-A10A-797A9C446CD1} - c:\winnt\system32\lndcge.dll (file missing)
O2 - BHO: (no name) - {A0C6572B-1BF2-4B49-BB5C-F342DBE25A68} - c:\winnt\system32\daejmab.dll (file missing)
O2 - BHO: (no name) - {A5953EBC-10A4-443A-ADFB-EB1369A5AAEA} - C:\WINNT\system32\femhb.dll
O2 - BHO: (no name) - {B10C42AA-609B-4965-8E33-67542AB65DD6} - c:\winnt\system32\eime.dll (file missing)
O2 - BHO: (no name) - {C08D370A-4719-4055-B842-8C12DBC2E97F} - c:\winnt\system32\lfpdk.dll (file missing)
O2 - BHO: (no name) - {E150524E-1A81-4806-AAD1-F86155F57DD1} - c:\winnt\system32\lioeb.dll (file missing)
O2 - BHO: (no name) - {E9B27C5D-D13C-42A7-9928-3A50D7695E1D} - c:\winnt\system32\hkaibaa.dll (file missing)
O2 - BHO: (no name) - {FCE837F8-5920-4F44-8F09-EBC4308F129B} - c:\winnt\system32\jaf.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [EM_EXEC] d:\LOGITE~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Launcher] relaunch.EXE
O4 - HKLM\..\Run: [QveCtl2Tray] d:\Philips Sound Agent 2\skin\QveCplSk.EXE d:\Philips Sound Agent 2\skin
O4 - HKLM\..\Run: [WebDriveTray] d:\WebDrive\webdrive.exe /trayicon
O4 - HKLM\..\Run: [mswspl] C:\Program Files\Windows Media Player\wmplayer.exe
O4 - HKCU\..\Run: [AIM] D:\AIM5~1.5\aim.exe -cnetwait.odl
O4 - Global Startup: Microsoft Office.lnk = D:\Office 2000\Office\OSA9.EXE
O9 - Extra button: AIM (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37993.852037037
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
 

Triumph (Lifer, joined Oct 9, 1999)
No, because I followed the instructions to remove Microsoft's virtual machine and it didn't work. :confused: Although I did switch everything to "disable."
 

Triumph (Lifer, joined Oct 9, 1999)
The only thing on here that looks funny is the Enumerating Browser Helper Objects: they look like the DLL files that Ad-Aware commonly brings up and deletes (that's why it's saying File Not Found). But what is calling these DLLs, I still can't figure out.

StartupList report, 6/8/2004, 9:03:48 PM
StartupList version: 1.52
Started from : D:\Spyware tools\HijackThis.EXE
Detected: Windows 2000 SP2 (WinNT 5.00.2195)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
D:\SYMANT~1\DefWatch.exe
C:\WINNT\System32\svchost.exe
D:\Kerio\Personal Firewall 4\kpf4ss.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
d:\WebDrive\wdService.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
D:\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINNT\Explorer.EXE
D:\Kerio\Personal Firewall 4\kpf4gui.exe
D:\LOGITE~1\SYSTEM\EM_EXEC.EXE
D:\Philips Sound Agent 2\skin\QveCplSk.EXE
D:\WebDrive\webdrive.exe
D:\AIM5~1.5\aim.exe
d:\Winamp\winamp.exe
d:\Acrobat\Reader\AcroRd32.exe
D:\Eudora 6.0\Eudora.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Spyware tools\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Microsoft Office.lnk = D:\Office 2000\Office\OSA9.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Synchronization Manager = mobsync.exe /logon
EM_EXEC = d:\LOGITE~1\SYSTEM\EM_EXEC.EXE
NeroCheck = C:\WINNT\system32\NeroCheck.exe
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
SystemTray = SysTray.Exe
Launcher = relaunch.EXE
QveCtl2Tray = d:\Philips Sound Agent 2\skin\QveCplSk.EXE d:\Philips Sound Agent 2\skin
WebDriveTray = d:\WebDrive\webdrive.exe /trayicon
mswspl = C:\Program Files\Windows Media Player\wmplayer.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

AIM = D:\AIM5~1.5\aim.exe -cnetwait.odl

--------------------------------------------------

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=(NONE)
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - c:\winnt\system32\fhgk.dll (file missing) - {0F1D8BB6-F656-4EE3-96A1-5FCA18DE0131}
(no name) - c:\winnt\system32\nhaif.dll (file missing) - {11468F16-BFBC-4A43-B360-511D718A7272}
(no name) - c:\winnt\system32\kgo.dll (file missing) - {38A4AA36-D561-43B8-81D3-8B4AC4F9B453}
(no name) - c:\winnt\system32\hipel.dll (file missing) - {42B2FA6F-1FF1-4CEF-B68C-042BEC5B619D}
(no name) - c:\winnt\system32\mglkid.dll (file missing) - {437610DE-89A3-492A-BFC2-0EF2ACD5ADC1}
(no name) - c:\winnt\system32\cfbfkpa.dll (file missing) - {552083AD-C560-462C-96D4-85014C2A85A3}
(no name) - c:\winnt\system32\efed.dll (file missing) - {57BD46B5-6E7A-45DE-A9AE-3D59118A636C}
(no name) - c:\winnt\system32\ajpnl.dll (file missing) - {79E77E36-2B94-4BD9-A5E7-D8D3DC553334}
(no name) - c:\winnt\system32\jimgpb.dll (file missing) - {852F1BF3-F8C0-4872-A507-5DBE2F603465}
(no name) - c:\winnt\system32\lndcge.dll (file missing) - {87844341-8FEE-413F-A10A-797A9C446CD1}
(no name) - c:\winnt\system32\daejmab.dll (file missing) - {A0C6572B-1BF2-4B49-BB5C-F342DBE25A68}
(no name) - C:\WINNT\system32\femhb.dll - {A5953EBC-10A4-443A-ADFB-EB1369A5AAEA}
(no name) - c:\winnt\system32\eime.dll (file missing) - {B10C42AA-609B-4965-8E33-67542AB65DD6}
(no name) - c:\winnt\system32\lfpdk.dll (file missing) - {C08D370A-4719-4055-B842-8C12DBC2E97F}
(no name) - c:\winnt\system32\lioeb.dll (file missing) - {E150524E-1A81-4806-AAD1-F86155F57DD1}
(no name) - c:\winnt\system32\hkaibaa.dll (file missing) - {E9B27C5D-D13C-42A7-9928-3A50D7695E1D}
(no name) - c:\winnt\system32\jaf.dll (file missing) - {FCE837F8-5920-4F44-8F09-EBC4308F129B}

--------------------------------------------------

Enumerating Download Program Files:

[QuickTime Object]
InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINNT\system32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

[Update Class]
InProcServer32 = C:\WINNT\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37993.852037037

[Shockwave Flash Object]
InProcServer32 = C:\WINNT\system32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
WebCheck: C:\WINNT\System32\webcheck.dll
SysTray: stobject.dll

--------------------------------------------------
End of report, 6,421 bytes
Report generated in 0.180 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
 

OZEE (Senior member, joined Feb 23, 2001)
Are you running the current version of CWShredder? Could you run CWShredder first, then "Check for update"... if updates are available, let it install them. Then hit 'fix' as opposed to 'scan only'.

Then reboot into Safe Mode by tapping F8 after the BIOS has loaded and, with only HJT running, have it fix any of the following that may remain:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\femhb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\femhb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\femhb.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\femhb.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\femhb.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\femhb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {0F1D8BB6-F656-4EE3-96A1-5FCA18DE0131} - c:\winnt\system32\fhgk.dll (file missing)
O2 - BHO: (no name) - {11468F16-BFBC-4A43-B360-511D718A7272} - c:\winnt\system32\nhaif.dll (file missing)
O2 - BHO: (no name) - {38A4AA36-D561-43B8-81D3-8B4AC4F9B453} - c:\winnt\system32\kgo.dll (file missing)
O2 - BHO: (no name) - {42B2FA6F-1FF1-4CEF-B68C-042BEC5B619D} - c:\winnt\system32\hipel.dll (file missing)
O2 - BHO: (no name) - {437610DE-89A3-492A-BFC2-0EF2ACD5ADC1} - c:\winnt\system32\mglkid.dll (file missing)
O2 - BHO: (no name) - {552083AD-C560-462C-96D4-85014C2A85A3} - c:\winnt\system32\cfbfkpa.dll (file missing)
O2 - BHO: (no name) - {57BD46B5-6E7A-45DE-A9AE-3D59118A636C} - c:\winnt\system32\efed.dll (file missing)
O2 - BHO: (no name) - {79E77E36-2B94-4BD9-A5E7-D8D3DC553334} - c:\winnt\system32\ajpnl.dll (file missing)
O2 - BHO: (no name) - {852F1BF3-F8C0-4872-A507-5DBE2F603465} - c:\winnt\system32\jimgpb.dll (file missing)
O2 - BHO: (no name) - {87844341-8FEE-413F-A10A-797A9C446CD1} - c:\winnt\system32\lndcge.dll (file missing)
O2 - BHO: (no name) - {A0C6572B-1BF2-4B49-BB5C-F342DBE25A68} - c:\winnt\system32\daejmab.dll (file missing)
O2 - BHO: (no name) - {A5953EBC-10A4-443A-ADFB-EB1369A5AAEA} - C:\WINNT\system32\femhb.dll
O2 - BHO: (no name) - {B10C42AA-609B-4965-8E33-67542AB65DD6} - c:\winnt\system32\eime.dll (file missing)
O2 - BHO: (no name) - {C08D370A-4719-4055-B842-8C12DBC2E97F} - c:\winnt\system32\lfpdk.dll (file missing)
O2 - BHO: (no name) - {E150524E-1A81-4806-AAD1-F86155F57DD1} - c:\winnt\system32\lioeb.dll (file missing)
O2 - BHO: (no name) - {E9B27C5D-D13C-42A7-9928-3A50D7695E1D} - c:\winnt\system32\hkaibaa.dll (file missing)
O2 - BHO: (no name) - {FCE837F8-5920-4F44-8F09-EBC4308F129B} - c:\winnt\system32\jaf.dll (file missing)


Then reboot, rescan with HJT, and post new log.

Good luck
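An added example, not code from this thread, from HijackThis or from CWShredder: a small Python triage script that reads HJT lines like the ones posted above and applies the same reasoning OZEE's fix list reflects. It ties each res:// search-page hijack (the R0/R1 lines) to the DLL that serves the page, separates the one BHO whose file is actually present from the "(file missing)" registrations Triumph asked about, and returns the R/O2 lines to tick in HJT while leaving the remaining R values for a human decision. On the "what is calling these DLLs" question: BHO DLLs are loaded by Internet Explorer itself from the Browser Helper Objects registry key at browser start, so nothing in the Run keys needs to reference them; a registration whose DLL is gone simply fails to load, which is why Ad-Aware deleting the file does not remove the entry. The sample lines are a constructed subset copied from the thread's own log; the classification rules and function names are the example's assumptions.

```python
import re

# Sample HijackThis v1.97.7 lines. Constructed for this example by copying a
# subset of the log posted earlier in the thread; the paths and CLSIDs are the
# thread's own, not new indicators.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\femhb.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\femhb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {0F1D8BB6-F656-4EE3-96A1-5FCA18DE0131} - c:\winnt\system32\fhgk.dll (file missing)
O2 - BHO: (no name) - {A5953EBC-10A4-443A-ADFB-EB1369A5AAEA} - C:\WINNT\system32\femhb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
"""

# R0/R1: "<key>,<value name> = <data>"; O2: "BHO: <name> - {CLSID} - <dll> [(file missing)]"
R_LINE = re.compile(r"^(R[01]) - (.+?) = (.*)$")
O2_LINE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.+?)( \(file missing\))?$")
RES_DLL = re.compile(r"res://(.+?\.dll)", re.IGNORECASE)


def norm_path(p):
    """Case-fold and unify slashes so the HKLM and HKCU spellings of one DLL compare equal."""
    return p.strip().lower().replace("/", "\\")


def parse_hjt(text):
    """Split HJT lines into R records (IE start/search values) and O2 records (BHOs)."""
    r_entries, bhos, other = [], [], []
    for line in text.strip().splitlines():
        m = R_LINE.match(line)
        if m:
            r_entries.append({"line": line, "section": m.group(1),
                              "value": m.group(2), "data": m.group(3)})
            continue
        m = O2_LINE.match(line)
        if m:
            bhos.append({"line": line, "name": m.group(1), "clsid": m.group(2).upper(),
                         "dll": norm_path(m.group(3)), "present": m.group(4) is None})
            continue
        other.append(line)
    return r_entries, bhos, other


def triage(text):
    """Classification rules assumed by this example:
    - an R value whose data is a res:// URL is a search/start-page hijack, and the
      DLL inside that URL is the payload serving the page;
    - a BHO whose file is missing is an orphaned registration left by earlier cleanups;
    - a BHO whose DLL equals a payload DLL is the live component."""
    r_entries, bhos, _ = parse_hjt(text)
    hijacked = [r for r in r_entries if RES_DLL.search(r["data"])]
    payload_dlls = {norm_path(RES_DLL.search(r["data"]).group(1)) for r in hijacked}
    return {
        "search_hijack": hijacked,
        "payload_dlls": payload_dlls,
        "live_bho": [b for b in bhos if b["present"] and b["dll"] in payload_dlls],
        "orphan_bho": [b for b in bhos if not b["present"]],
        "other_bho": [b for b in bhos if b["present"] and b["dll"] not in payload_dlls],
        "review_r": [r for r in r_entries if r not in hijacked],
    }


def fix_list(report):
    """Lines to tick in HJT: every hijacked R entry plus every O2 entry that is either
    the live payload or an orphaned registration. Other R values stay for manual review."""
    lines = [r["line"] for r in report["search_hijack"]]
    lines += [b["line"] for b in report["live_bho"] + report["orphan_bho"]]
    return lines


if __name__ == "__main__":
    rep = triage(SAMPLE_LOG)
    print("payload DLL(s):", sorted(rep["payload_dlls"]))
    for entry in fix_list(rep):
        print("FIX  ", entry)
    for r in rep["review_r"]:
        print("CHECK", r["line"])
```

Run it on a full saved log by replacing SAMPLE_LOG with the file contents; the O3/O4 lines are deliberately left alone because nothing in the hijack chain references them, which matches OZEE's list touching only R and O2 entries.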