Automatic generation cookies

Status
Not open for further replies.

cybermarcello

Technical User
Dec 3, 2003
16
BE
Hi there,

I'm new to virus and security issues, so I don't really know if my problem is a virus problem, but something must have caused it (do have Norton's latest update, however). After starting up my pc, my system starts generating cookies automatically without my internet explorer being open. I used smartprotector.pro to empty the index.dat, but it happens anyway, and the index.dat gets filled again. Moreover, I have a .dat file in My Favourites which I cannot delete or edit, it behaves a little like the index.dat file, it is continually locked, probably by the explorer process. My OS = Winxp home edition.

Does anyone have an idea what is going on here?

Any help will be greatly appreciated.
 
Also post a hijackthis log

Please Download hijackthis from


Unzip, doubleclick HijackThis.exe, and hit "Scan".

After the scan has finished, the "scan" button will turn into a "save log" button.

Save the log file and paste it here.

Do not delete anything yet, as most things hijackthis finds are harmless and needed.

steam
 
Hi Carr,

The Spybot program looked great, and I removed a great number of suspicious entries. Unfortunately, the problem still persisted.

Steamwiz,

I used Hijackthis to make a scan, and here below is the log file. Can any of you make any sense out of this?

regards Marcel

Logfile of HijackThis v1.97.7
Scan saved at 21:57:56, on 4-12-2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\System32\ctfmon.exe
C:\windows\rundll32.exe
C:\program files\GlobalDialer\tonex00229\556437.exe
C:\Program Files\Smart Protector Pro\SmartProtectorPro.exe
C:\Program Files\Siemens\SANTIS WLAN\WlanMonitor.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Paul Gransbergen\Local Settings\Temp\Tijdelijke map 4 voor hijackthis.zip\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext =
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = (obfuscated)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Soundmx] \soundmx.exe
O4 - HKLM\..\Run: [Online Service] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [rundll32] C:\windows\rundll32.exe
O4 - HKCU\..\Run: [sws.exe] c:\program files\GlobalDialer\tonex00229\556437.exe -remove
O4 - HKCU\..\Run: [SPSTEALT] "C:\Program Files\Smart Protector Pro\SmartProtectorPro.exe" /stealt
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SANTIS USB and PC Card Utility.lnk = C:\Program Files\Siemens\SANTIS WLAN\WlanMonitor.exe
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O19 - User stylesheet: C:\WINDOWS\Web\tips.ini
O19 - User stylesheet: C:\WINDOWS\hh.htt (HKLM)
 
Haldex.dialer and CWS infection(s)

Disable System Restore.

Download and run this:


Rerun Hijack This! and remove any of these that remain:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank...;(obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext =
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = (obfuscated)
O4 - HKCU\..\Run: [sws.exe] c:\program files\GlobalDialer\tonex00229\556437.exe -remove
O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} -
O19 - User stylesheet: C:\WINDOWS\Web\tips.ini
O19 - User stylesheet: C:\WINDOWS\hh.htt (HKLM)
 
Fix these as well :-

O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - HKLM\..\Run: [Online Service] C:\WINDOWS\svchost.exe
This is a CWS related trojan.....the real svchost file loads from the system directory

reboot and delete :-

C:\WINDOWS\svchost.exe file....if still there

DO NOT delete the C:\WINDOWS\system32\svchost.exe

steam
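
The check described in the post above (the real svchost file loads from the system directory), as an added example that is not part of the original thread: it scans HijackThis "Running processes" and O4 autorun lines for a known system binary name sitting outside its expected folder. The function names, the `EXPECTED_DIR` map and the C:\WINDOWS install root are assumptions of this example; the sample lines are copied from the log posted earlier in the thread.

```python
import ntpath
import re

# Home directory per system binary name. Only svchost.exe comes from the thread;
# the C:\WINDOWS install root is an assumption that matches the posted log.
EXPECTED_DIR = {"svchost.exe": r"c:\windows\system32"}

# Lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\System32\ctfmon.exe
O4 - HKLM\..\Run: [Online Service] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"""

# "O4 - <hive>: [<value name>] <command line>" (registry autorun entries only).
O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# Optionally quoted drive-letter path up to the first ".exe".
EXE_RE = re.compile(r'^"?([A-Za-z]:\\[^"]*?\.exe)', re.IGNORECASE)


def exe_path(text):
    """Return the executable path that starts a command line, or None."""
    m = EXE_RE.match(text.strip())
    return m.group(1) if m else None


def misplaced_binaries(log_text):
    """List (source, path) for known system binaries outside their home folder."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            source, cmd = f"autorun {m['hive']} [{m['name']}]", m["cmd"]
        else:
            source, cmd = "process", line
        path = exe_path(cmd)
        if path is None:
            continue  # header line, R/O entry without a path, blank line
        folder, name = ntpath.split(ntpath.normcase(path))
        expected = EXPECTED_DIR.get(name)
        if expected and folder != expected:
            findings.append((source, path))
    return findings
```
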
 
Steamwiz, carr

I followed your advice, unfortunately problems still persist (dialers starting themselves, cookies generating themselves, startpages being displayed by themselves, etc.).

I guess the easiest approach is reinstalling the entire system.

Thanks for your help anyway, I have learned a lot, and your tips may no doubt be useful in the future.
 
cybermarcello

Post another log

There must be something we missed, or not taken out correctly.

Post another log and we'll get it.

steam
 