December 27th, 2004, 08:31 AM
#1
Want a Clean Machine!
Helping my brother get some nasties off his computer while I'm here for a visit. Spybot found only 8 - 10 cookies when I ran it but AdAware found the following:
IWon
Dialer (Dialer Offline.dll)
Adult Links Quickbar (Gabar)
Above removed with AdAware.
Also Add/Remove Programs shows these three:
Search Assistant - My Web Search
My Websearch Email Plugin
Casino on Net
When trying to uninstall those three through Add/Remove, the screen that pops up just hangs.
His log:
Logfile of HijackThis v1.99.0
Scan saved at 7:16:24 AM, on 12/27/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Connected\AgentSrv.EXE
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\VYTALV~1\VVAgent.exe
C:\VSServer\prog\VVListen.exe
C:\VSServer\prog\VVQMgr.exe
C:\VSServer\prog\VVSvrAg.exe
C:\VSServer\prog\VVSvrDae.exe
C:\VSServer\prog\VVSvrReg.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jucheck.exe
C:\Program Files\Connected\CBSysTray.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\mshta.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Temp\HijackThis.exe
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TaskReg] C:\WINNT\system32\servwin.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [AtiPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Startup: Connected TaskBar Icon.LNK = C:\Program Files\Connected\CBSysTray.exe
O4 - Global Startup: Connected TaskBar Icon.LNK = C:\Program Files\Connected\CBSysTray.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O16 - DPF: ConferenceRoom Java Client - http://mail.igl.net:8000/java/cr.cab
O16 - DPF: ppctlcab - http://www.my-etrust.com/includes/pscanner/ppctlcab.CAB
O16 - DPF: {29B2C103-AB53-4971-B765-FC1CE5D8B2D1} - http://www.silvercrk.com/php/hwspade...14_4309364.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.my-etrust.com/includes/ps.../axscanner.cab
O16 - DPF: {35F49483-7BB9-46A0-90EB-9278FE8771F7} (Project1.AddChild) - http://www.rogershelp.com/help/conte...d/addchild.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://commvault.webex.com/client/l...ex/ieatgpc.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O23 - Service: Connected Agent Service - Connected Corporation - C:\Program Files\Connected\AgentSrv.EXE
O23 - Service: Ati HotKey Poller - Unknown - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINNT\system32\ati2sgag.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Client - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: EVault Data Protection Service Agent - EVault, Inc. - C:\PROGRA~1\VYTALV~1\VVAgent.exe
O23 - Service: VytalVault Server Listener - eVault, Inc. - C:\VSServer\prog\VVListen.exe
O23 - Service: VytalVault Queue Manager - eVault, Inc. - C:\VSServer\prog\VVQMgr.exe
O23 - Service: VytalVault Server Agent - eVault, Inc. - C:\VSServer\prog\VVSvrAg.exe
O23 - Service: VytalVault Server Scheduler - eVault, Inc. - C:\VSServer\prog\VVSvrDae.exe
O23 - Service: VytalVault Server Registrar - eVault, Inc. - C:\VSServer\prog\VVSvrReg.exe
O23 - Service: VNC Server - Constantin Kaplinsky - C:\Program Files\TightVNC\WinVNC.exe
** **
We use our powers for good, not evil
** **
Logic is a systematic method of coming to the wrong
conclusion with confidence.
-
December 27th, 2004, 06:09 PM
#2
Have you tried removing them via safe mode? Try that, and if that does not work you can search the computer and remove them manually. If the mysearch bar is in IE, go to View>Explorer Bars and uncheck it.
-
December 27th, 2004, 06:24 PM
#3
Can't boot that machine; I'm 100 miles away, back home now. The only thing that really bothers me about that log is:
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
That's the Cool Web Search thing. But in Add/Remove Programs the uninstall pointed to something else, some DLL.
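As an added example (not code from this thread or from HijackThis), a small parser that reads a pasted HijackThis v1.99 log into structured entries and flags any that match a watchlist. The sample log and the function names are constructed for the example; the watchlist carries only the mwsoemon.exe / MYWEBS~1 item this thread identifies as the My Web Search bar.

```python
import re
from collections import namedtuple

# HijackThis v1.99 line shapes: "<code> - <entry>" (O4, O16, O23, ...), or a bare path under "Running processes:".
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\] (.*)$")
DPF_RE = re.compile(r"^DPF: (.+?)(?: \([^)]*\))? - (\S+)$")
SERVICE_RE = re.compile(r"^Service: (.+?) - (.+?) - (.+)$")
# section: "process" or the section code; detail: raw text after the code; target: exe path or URL ("" if unknown).
Entry = namedtuple("Entry", "section detail target")

def exe_from_command(cmd):
    # Strip arguments from a Run value: quoted path, else everything up to the .exe.
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r"^(.*?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]

def parse_hjt(text):
    entries = []
    for line in (ln.strip() for ln in text.splitlines()):
        m = ENTRY_RE.match(line)
        if not m:
            if re.match(r"^[A-Za-z]:\\", line):  # running-process line
                entries.append(Entry("process", line, line))
            continue
        code, detail = m.groups()
        target = ""
        if code == "O4" and (r := RUN_RE.match(detail)):
            target = exe_from_command(r.group(3))
        elif code == "O16" and (d := DPF_RE.match(detail)):
            target = d.group(2)
        elif code == "O23" and (s := SERVICE_RE.match(detail)):
            target = s.group(3)
        entries.append(Entry(code, detail, target))
    return entries

def flag(entries, watchlist):
    # Entries whose target or raw text contains a watchlist string (case-insensitive).
    needles = [w.lower() for w in watchlist]
    return [e for e in entries if any(n in e.target.lower() or n in e.detail.lower() for n in needles)]

# Constructed sample in the shape of the log posted above; mwsoemon.exe is the My Web Search item the thread singles out.
SAMPLE_LOG = """\
C:\\PROGRA~1\\MYWEBS~1\\bar\\1.bin\\mwsoemon.exe
O4 - HKLM\\..\\Run: [WinVNC] "C:\\Program Files\\TightVNC\\WinVNC.exe" -servicehelper
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O23 - Service: VNC Server - Constantin Kaplinsky - C:\\Program Files\\TightVNC\\WinVNC.exe
"""
WATCHLIST = ["mwsoemon.exe", "mywebs~1"]
```

Running `flag(parse_hjt(SAMPLE_LOG), WATCHLIST)` returns only the running-process line for mwsoemon.exe; the VNC, DPF and service entries are parsed but not flagged.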
-
December 27th, 2004, 06:28 PM
#4
OK, didn't know you were so far away. But you could have your brother try the same I posted. And also send him the link to this, if he can still download, CWShredder
http://www.spywareinfo.com/~merijn/downloads.html
-
December 27th, 2004, 06:50 PM
#5
I did that. CWShredder came up clean. I think I got it from the same site.
It was really interesting to get my hands on a typically infected computer. By doing that I think I gained some insight concerning the interaction between Cool Web Search, IWon and that Gabar thing.
Any thoughts on the log?
Last edited by Leurgy; December 28th, 2004 at 08:32 AM.
-
December 28th, 2004, 10:35 AM
#6
Your actual log looks clean.
Try removing Mywebsearch manually, follow these instructions
-
December 29th, 2004, 10:31 PM
#7
Thanks P-3, that's a great link. Don't think my brother will want to try that though. Will have to wait till I get back there. The log does look clean. I removed 5 or 6 items before I posted it. Still not sure about that email plug-in, but did have him remove C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe and the folder.