Results 1 to 4 of 4

Thread: CWS and VX2 taking over computer: saiaap.dll

  1. #1
    Junior Member
    Join Date
    Feb 2005
    Posts
    2

    CWS and VX2 taking over computer: saiaap.dll

    The saiaap.dll from CoolWebSearch (according to Ad-Aware) keeps getting installed on my computer. I try deleting it and renamiing it, but it keeps coming back. Any help would be greatly appreciated.

    Logfile of HijackThis v1.99.0
    Scan saved at 9:14:08 PM, on 2/4/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\altera\quartus41\bin\JTAGServer.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
    C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
    C:\WINDOWS\system32\pctspk.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE
    C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    C:\PROGRAM FILES\COMPAQ\ON-SCREEN DISPLAY\OSD.EXE
    C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
    C:\WINDOWS\system32\qkvkku.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\download\software\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/...LC=0409&c=1c00
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
    O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
    O4 - HKLM\..\Run: [DVDUpgrade] DVDUpgrd.exe /async9x
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [anvshell] anvshell.exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
    O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [iRiver Updater] C:\Program Files\iRiver\iRiver Manager\Updater\Updater.exe
    O4 - HKLM\..\Run: [Admilli Service] C:\Program Files\Admilli Service\AdmilliServ.exe
    O4 - HKLM\..\RunServicesOnce: [PestPatrol Pest Removal ] C:\Program Files\PestPatrol\autoupdate.exe
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE"
    O4 - Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    O4 - Startup: install.lnk = C:\Documents and Settings\bsulliva\Local Settings\Temp\install2.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/r...c=1c00&lc=0409 (file missing)
    O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/r...c=1c00&lc=0409 (file missing)
    O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/r...c=1c00&lc=0409 (file missing)
    O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/r...c=1c00&lc=0409 (file missing)
    O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/r...c=1c00&lc=0409 (file missing)
    O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/r...c=1c00&lc=0409 (file missing)
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://www.cleveland.com
    O16 - DPF: PlaceWare Console: PWS-CC2K-4-1-0-2-1-l6g9h1 - http://www27.placeware.com/etc/pwc/test/lib/cc-full.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
    O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/bingame/rock/def...caploader1.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/181e7b77e8eea9e...p/RdxIE601.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1103951165392
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/Z4/heartbeat.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab33902.cab
    O16 - DPF: {C7932801-AF0C-11D6-8137-0050DA5F0293} (RdxIE Class) - http://www.grokster.com/rdx/RdxIE.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite...ITDetector.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://altera.webex.com/client/late...ex/ieatgpc.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.yaho...bio5_0_2_7.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7FC3CA68-7715-49A1-AFE2-FE5C8C2B283F}: Domain = ameritech.net
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7FC3CA68-7715-49A1-AFE2-FE5C8C2B283F}: NameServer = 206.141.251.2,206.141.192.243
    O17 - HKLM\System\CCS\Services\Tcpip\..\{BF33B4AC-ACC1-42CA-8E69-3A569CB44C34}: NameServer = 67.36.13.26 66.73.20.40
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ameritech.net
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ameritech.net
    O23 - Service: Altera JTAG Server - Unknown - C:\altera\quartus41\bin\JTAGServer.exe
    O23 - Service: ASUS Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: PCTEL Speaker Phone - Unknown - C:\WINDOWS\system32\pctspk.exe
    O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

    Thanks in advance.

  2. #2
    Old and Cranky Super Moderator rik's Avatar
    Join Date
    Aug 2003
    Location
    Watching Your every move...
    Posts
    4,688
    You may have already seen this thread about Spyware/Adware Removal but here it is again anyway: http://www.techzonez.com/forums/showthread.php?t=9739

    Try the CWShredder to get rid of the CoolWebSearch, and I recommend either using the MS Spyware SW or the SpyBot, or Spyware Blaster as a preventative measure once the system is clean.

  3. #3
    Junior Member
    Join Date
    Feb 2005
    Posts
    2
    Thanks Rik, but I forgot to state that I already tried the CWShredder and it did not work... It gave me a clean bill of health.

  4. #4
    Triple Platinum Member Curio's Avatar
    Join Date
    Nov 2004
    Location
    London
    Posts
    899
    Things you should definately FIX

    C:\WINDOWS\system32\qkvkku.exe - almost certainly random dodgy file I would use autoruns from www.sysinternals.com to approach this startup entry.

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
    O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
    O4 - HKLM\..\Run: [Admilli Service] C:\Program Files\Admilli Service\AdmilliServ.exe
    O4 - HKLM\..\RunServicesOnce: [PestPatrol Pest Removal ] C:\Program Files\PestPatrol\autoupdate.exe
    - well everything from runservices is really ok to remove
    O15 - Trusted Zone: http://www.cleveland.com
    O16 - DPF: PlaceWare Console: PWS-CC2K-4-1-0-2-1-l6g9h1 - http://www27.placeware.com/etc/pwc/test/lib/cc-full.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/181e7b77e8eea9...ip/RdxIE601.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://altera.webex.com/client/lat...bex/ieatgpc.cab
    O16 - DPF: {C7932801-AF0C-11D6-8137-0050DA5F0293} (RdxIE Class) - http://www.grokster.com/rdx/RdxIE.cab

    Things I would also fix - all 09's, 016's and 017's they can easily be restored if actually required.

    Do all that (in one go) then reboot and post a new HJT log.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •