#1 jdog



Posted 29 June 2004 - 05:42 PM

I seem to be the latest victim of CoolWebSearch. I cannot remove this from my system. Norton AntiVirus does not recognize it, and Ad-Aware keeps finding more of it every time I run it. Not sure what to do. I have read a lot of the comments that are already posted. Hopefully, we can find a way to remove this from my IE.

As you probably already know, CWS redirects IE to another site, even after I set my home page to the one I want. As soon as I re-launch it, it changes my default IE page.

#2 jdog



Posted 29 June 2004 - 06:25 PM

I left this out of my original email. Here's my HijackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 7:25:04 PM, on 6/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\STOPzilla!\szntsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\documents and settings\jeremy czerwinski\local settings\temp\SGaONTou.exe
C:\documents and settings\jeremy czerwinski\local settings\temp\QXzIwsR.exe
C:\Program Files\STOPzilla!\Stopzilla.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Jeremy Czerwinski\Local Settings\Temporary Internet Files\Content.IE5\5SKR1TK5\hijackthis[1]\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xzhmj.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://xzhmj.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://xzhmj.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xzhmj.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://xzhmj.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\xzhmj.dll/sp.html#96676
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
O2 - BHO: (no name) - {EDBD92E2-B63E-794C-5397-2A8A46BBD49C} - C:\WINDOWS\system32\mszr.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [TV Now] C:\Program Files\HPQ\Notebook Utilities\TvNow.exe /RK
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [SGaONTou] C:\documents and settings\jeremy czerwinski\local settings\temp\SGaONTou.exe
O4 - HKLM\..\Run: [QXzIwsR] C:\documents and settings\jeremy czerwinski\local settings\temp\QXzIwsR.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [crnk.exe] C:\WINDOWS\system32\crnk.exe
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [WNSC] C:\WINDOWS\System32\wnsintsu.exe
O4 - HKLM\..\RunOnce: [addcx32.exe] C:\WINDOWS\system32\addcx32.exe
O4 - HKLM\..\RunOnce: [sdktw.exe] C:\WINDOWS\sdktw.exe
O4 - HKLM\..\RunOnce: [iprh32.exe] C:\WINDOWS\system32\iprh32.exe
O4 - HKLM\..\RunOnce: [netyd.exe] C:\WINDOWS\system32\netyd.exe
O4 - HKLM\..\RunOnce: [d3yy.exe] C:\WINDOWS\system32\d3yy.exe
O4 - HKLM\..\RunOnce: [msvo32.exe] C:\WINDOWS\msvo32.exe
O4 - HKLM\..\RunOnce: [addxj.exe] C:\WINDOWS\addxj.exe
O4 - HKLM\..\RunOnce: [appdd32.exe] C:\WINDOWS\system32\appdd32.exe
O4 - HKLM\..\RunOnce: [d3az32.exe] C:\WINDOWS\d3az32.exe
O4 - HKLM\..\RunOnce: [appbt32.exe] C:\WINDOWS\appbt32.exe
O4 - HKLM\..\RunOnce: [sysif32.exe] C:\WINDOWS\system32\sysif32.exe
O4 - HKLM\..\RunOnce: [d3kt32.exe] C:\WINDOWS\system32\d3kt32.exe
O4 - HKLM\..\RunOnce: [crev.exe] C:\WINDOWS\crev.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://us8l.hpwis.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-downlo...tsInstaller.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla...ller/dwnldr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

