CoolWebSearch


3 replies to this topic

#1 baileym

baileym

    Member

  • New Member
  • Pip
  • 3 posts

Posted 01 July 2004 - 09:31 AM

AdAware detects the CoolWebSearch and Possible Browser Hijack Attempt. We remove this, but then go back into Internet Explorer to find that MS Office Basic Installer starts and the homepage is res://aoqwb.dll/index.html#26980.

We're running in circles. I've applied CWShredder ver 1.59.1 and it does not detect. I believe we have a brand new strain of the trojan/spyware. I have log files for anyone to take a look at. I noticed on another post someone with a similar issue and he had no resolution.

Please help, I am in an office environment and would rather find the fix to apply if it happened to another system instead of resorting to reformatting.

Thank you

baileym

:techsupport:

#2 The Fist

The Fist

    Member

  • Full Member
  • Pip
  • 50 posts

Posted 01 July 2004 - 09:47 AM

Please post your Hijack This logfile in this thread so someone can help you. Make sure that Hijack This is in its own permanent directory such as c:\HJT.

#3 baileym

baileym

    Member

  • New Member
  • Pip
  • 3 posts

Posted 01 July 2004 - 10:00 AM

Logfile of HijackThis v1.98.0
Scan saved at 10:14:32 AM, on 7/1/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cusrvc.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\NWTRAY.EXE
C:\WINDOWS\system32\msyt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\devldr32.exe
D:\HijackThis.exe
C:\WINDOWS\system32\notepad.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\aoqwb.dll/sp.html#26980
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://aoqwb.dll/index.html#26980
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://aoqwb.dll/index.html#26980
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\aoqwb.dll/sp.html#26980
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\aoqwb.dll/sp.html#26980
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://aoqwb.dll/index.html#26980
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - Default URLSearchHook is missing
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0ADEE711-8B02-83DC-B2AE-86A9DD5436D7} - C:\WINDOWS\system32\javaeq.dll
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [msyt.exe] C:\WINDOWS\system32\msyt.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
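
A triage check for the log posted above, as an added example that is not part of the original thread: it parses HijackThis R-section lines and lists Internet Explorer page settings that load from a local module through a res:// URL, as the Start Page in this log does. The first three sample lines are copied from the log, the last is constructed, and the function names are hypothetical.

```python
import re

# Sample input: three R-lines copied from the log above, plus one
# constructed line for contrast (the http URL is an assumption).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\aoqwb.dll/sp.html#26980
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://aoqwb.dll/index.html#26980
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.example/
"""

# "R0 - <registry key>,<value name> = <data>"; the data part may be empty.
R_LINE = re.compile(r"^(R[0-3]) - (HK[A-Z]+\\[^,]+),([^=]+?) =\s*(.*)$")
# res://<module path>/<resource>: capture the module the page is loaded from.
RES_URL = re.compile(r"^res://(.+\.(?:dll|exe))/", re.IGNORECASE)


def parse_r_entries(log_text):
    """Return one dict per R-section line: code, key, name, data."""
    entries = []
    for line in log_text.splitlines():
        m = R_LINE.match(line.strip())
        if m:
            code, key, name, data = m.groups()
            entries.append({"code": code, "key": key,
                            "name": name.strip(), "data": data.strip()})
    return entries


def res_page_settings(entries):
    """List (hive, value name, module file) for pages served via res://."""
    hits = []
    for e in entries:
        m = RES_URL.match(e["data"])
        if m:
            # Reduce a full path such as C:\WINDOWS\aoqwb.dll to the file name.
            module = m.group(1).replace("/", "\\").split("\\")[-1].lower()
            hits.append((e["key"].split("\\")[0], e["name"], module))
    return hits


if __name__ == "__main__":
    for hive, name, module in res_page_settings(parse_r_entries(SAMPLE_LOG)):
        print(f"{hive} {name}: loaded from local module {module}")
```

The check is limited to R-section lines because the O8 Excel context-menu line in the same log also uses a res:// URL.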

#4 baileym

baileym

    Member

  • New Member
  • Pip
  • 3 posts

Posted 06 July 2004 - 09:52 AM

OK, I'm just blowing away the pc. I've read article after article that this trojan CoolWebSearch is too damaging and almost impossible to clean. Thanks anyways!!!!



