Jump to content


Photo

'jacked by CoolWebSearch


  • Please log in to reply
3 replies to this topic

#1 alagas54

alagas54

    Member

  • New Member
  • Pip
  • 3 posts

Posted 30 June 2004 - 03:38 PM

O.K. --- I give in. I've been 'jacked by CoolWebSearch and I can't get rid of it. For a couple of days I've been getting educated (the hard way) about viruses and trojans. Afetr finding you guys I've tried to follow directions you've suggested --- Spybot, Ad-Aware,CWShredder (after application of a dollop of Smartkiller), AVG --- I'm still getting 'jacked by CoolWebSearch. I have faith in you --- I'm just afraid I'm the victim of a new strain.
So, I'm going the next level --- here's my HijackThis log:

Logfile of HijackThis v1.98.0
Scan saved at 2:38:34 PM, on 6/30/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Washer\washer.exe
C:\Documents and Settings\crice\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\spfxi.dll/sp.html#27063
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://spfxi.dll/index.html#27063
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\spfxi.dll/sp.html#27063
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\spfxi.dll/sp.html#27063
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://spfxi.dll/index.html#27063
R3 - Default URLSearchHook is missing
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A3C4602E-2D9C-7869-388B-D9E372D7661E} - C:\WINDOWS\system32\d3ae32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [sdkgu.exe] C:\WINDOWS\system32\sdkgu.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Washer] c:\\Program Files\Washer\washer.exe /0
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: Add to Library - {ECDCA4E5-DE44-4b94-8F46-CD0D5B4895FC} - C:\PROGRAM FILES\AMICUS50\Research\GetTags.htm
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .qt: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .tiff: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E1B8C4AA-4910-4A04-B79C-3F3F0779E73E}: NameServer = 24.116.0.81,24.116.0.201

Help! Logfile of HijackThis v1.98.0
Scan saved at 2:38:34 PM, on 6/30/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Washer\washer.exe
C:\Documents and Settings\crice\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\spfxi.dll/sp.html#27063
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://spfxi.dll/index.html#27063
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\spfxi.dll/sp.html#27063
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\spfxi.dll/sp.html#27063
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://spfxi.dll/index.html#27063
R3 - Default URLSearchHook is missing
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A3C4602E-2D9C-7869-388B-D9E372D7661E} - C:\WINDOWS\system32\d3ae32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [sdkgu.exe] C:\WINDOWS\system32\sdkgu.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Washer] c:\\Program Files\Washer\washer.exe /0
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: Add to Library - {ECDCA4E5-DE44-4b94-8F46-CD0D5B4895FC} - C:\PROGRAM FILES\AMICUS50\Research\GetTags.htm
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .qt: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .tiff: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E1B8C4AA-4910-4A04-B79C-3F3F0779E73E}: NameServer = 24.116.0.81,24.116.0.201

Thanks.

#2 RubbeR DuckY

RubbeR DuckY

    Marcin

  • Developer
  • PipPipPipPipPip
  • 878 posts

Posted 30 June 2004 - 03:43 PM

Visit this page http://www.ducky.atribune.org . Download About:Buster and save it to your desktop. Then startup Hijack this. Tick the boxes next to these items.


O2 - BHO: (no name) - {A3C4602E-2D9C-7869-388B-D9E372D7661E} - C:\WINDOWS\system32\d3ae32.dll
O4 - HKLM\..\Run: [sdkgu.exe] C:\WINDOWS\system32\sdkgu.exe


Then close all windows and hit fix checked. Start About:Buster. On the first prompt hit ok, then start, then ok again. It will run a while. Once it is done there will be a log in the white box. Save that log somewhere. Restart your computer. Post a new Hijack this log and the buster log.

If the fix does not work. Reboot into safe mode by tapping F8
Several times when the computer is first booting. Then running About:Buster.

Marcin Kleczynski
Chief Executive Officer
Malwarebytes Corporation

Follow me on Twitter or check out my Blog!

#3 alagas54

alagas54

    Member

  • New Member
  • Pip
  • 3 posts

Posted 01 July 2004 - 10:27 AM

RD: here are my logs after running Buster:

Logfile of HijackThis v1.98.0
Scan saved at 10:21:43 AM, on 7/1/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Washer\washer.exe
C:\PROGRAM FILES\AMICUS50\aa50.exe
C:\PROGRA~1\MICROS~4\Office\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\crice\Desktop\HijackThis.exe

R3 - Default URLSearchHook is missing
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Washer] c:\\Program Files\Washer\washer.exe /0
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: Add to Library - {ECDCA4E5-DE44-4b94-8F46-CD0D5B4895FC} - C:\PROGRAM FILES\AMICUS50\Research\GetTags.htm
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .qt: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .tiff: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E1B8C4AA-4910-4A04-B79C-3F3F0779E73E}: NameServer = 24.116.0.81,24.116.0.201


About:Buster Version 1.23
Attempted Clean Of Temp folder.
Removed LEGACY___NS_Service_3 Key
Pages Reset... Done!

I ran these after rebooting. What next?

#4 alagas54

alagas54

    Member

  • New Member
  • Pip
  • 3 posts

Posted 02 July 2004 - 10:58 AM

I think I'm fixed. Thanks.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button