CoolWebSearch...Removed?



#1 Veeduber

    New Member, 1 post

Posted 06 July 2004 - 08:15 PM

Hey Folks -

I recently was infected with CoolWebSearch. I spoke with a few techs moderating the Comcast support forum, and they had me run several utilities to help diagnose & clean my machine.

The malware was trouble to get rid of, and returned errors in the removal logs. A tech that was helping me, JohnD, asked me to post my logs on this forum to hopefully figure out if my machine is truly clean, and to inform this forum of any changes that this malware has undergone.

Below are my logs...

I have been infected with CoolWebSearch. It is killing me! I have downloaded & run Ad-Aware, Spybot, SpyKiller (which I removed) & HijackThis! Here is the log from HijackThis: --V Please advise.

Logfile of HijackThis v1.97.7
Scan saved at 11:01:46 AM, on 6/26/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\igfxtray.exe
C:\WINNT\system32\hkcmd.exe
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Access97\Office\OSA.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\kfa\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\KALBRE~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\KALBRE~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\KALBRE~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\KALBRE~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\KALBRE~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\KALBRE~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {C45884EB-EC14-4AB5-90CD-5EA2C4DEB9FB} - C:\WINNT\system32\dcfe.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - Global Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = C:\Corel\Graphics8\Programs\MFIndexer.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Access97\Office\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ComcastHSI (HKLM)
O9 - Extra button: Support (HKLM)
O9 - Extra button: Help (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab

All of these scanners work, until the browser is closed (sometimes it works for a few closes). HijackThis displays the results & allows me to decide which is clean & not. I hope this forum can help!


Message was edited by: Michael (ComcastOnline)

Moved to a new thread.




TNTaangela Re: READ THIS FIRST IF YOU'VE BEEN HIJACKED HAVE SPYWARE OR YOUR PC'S INFEC Jun 26, 2004 5:00 PM

Posts: 1,474 From: Nashville, TN
Registered: Oct 1, 2003

You need to start a new thread and post your HJT log into it. That way there is no confusion. Also, click the Settings at the top of the forum and get a username. Again, to cut down on confusion.



CajunTek Re: Infected with CoolWebSearch Jun 26, 2004 8:49 PM

Posts: 3,056 From: Arlington Texas
Registered: Oct 7, 2003

Download and install APM from: http://www.diamondcs...ex.php?page=apm Do not run it yet!!!
Scan with HijackThis and fix the following lines:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\KALBRE~1\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\KALBRE~1\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\KALBRE~1\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\KALBRE~1\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\KALBRE~1\LOCALS~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\KALBRE~1\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

THIS IS THE BHO FOR THE FIX IN THE APM PROGRAM
O2 - BHO: (no name) - {C45884EB-EC14-4AB5-90CD-5EA2C4DEB9FB} - C:\WINNT\system32\dcfe.dll

Then start APM.
In the upper window select explorer.exe
In the lower window find and right-click the BHO from the HijackThis log
Select Unload DLL and click OK on the prompts that follow.

Scan with Ad-Aware again and set it up for a full scan per the linked procedure.

Scan again with HijackThis and post a new log.
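The triage CajunTek applies above (which R0/R1 entries to fix, which O2 line is the real problem), as an added example that is not part of the original thread and is not code from HijackThis: a Python script that reads HijackThis log lines and flags the CoolWebSearch indicators: search and start-page values redirected to a file:// page under a Temp folder or set to about:blank, and an unnamed BHO loaded from the Windows system directory. The sample lines are copied from the log posted above; the rules, the function names and the reg.exe verification commands are my own assumptions, not anything HijackThis itself does. Note that the Comcast "Window Title" line and the Adobe and Spybot BHOs are left alone.

```python
"""Triage HijackThis R0/R1/O2 lines for CoolWebSearch-style hijack indicators.

Added example for this thread, not code from the thread or from HijackThis.
The rules encode what CajunTek's fix list targets: IE search/start-page
values pointing at a file:// page in a Temp folder or at about:blank, and a
Browser Helper Object loaded from the Windows system directory.
"""
import re

# Constructed sample: lines copied from the log posted above, plus benign
# entries (Adobe, Spybot, McAfee, the Comcast window title) that must pass.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\KALBRE~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\KALBRE~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {C45884EB-EC14-4AB5-90CD-5EA2C4DEB9FB} - C:\WINNT\system32\dcfe.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
"""

# R0/R1: "<kind> - <root>\<key>,<value> = <data>"; O2: "BHO: <name> - {CLSID} - <path>"
R_LINE = re.compile(r"^(?P<kind>R[01]) - (?P<root>HKCU|HKLM)\\(?P<key>[^,]+),"
                    r"(?P<value>[^=]+?)\s*=\s*(?P<data>.*)$")
BHO_LINE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
SYSTEM_DIR = re.compile(r"^[a-z]:\\(winnt|windows)\\", re.IGNORECASE)
# Where a BHO's registration lives (assumed key for the verification queries)
BHO_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"


def classify_r_line(m):
    """Reason an R0/R1 entry needs fixing, or None if it looks benign."""
    data = m.group("data").strip()
    low = data.lower()
    if low.startswith("file://") and "\\temp\\" in low:
        return "search/start page redirected to a local page dropped in Temp"
    if low == "about:blank":
        return "value set to about:blank (about:blank CWS variant); reset it"
    if not data and m.group("key").lower().endswith("\\search"):
        return "search value emptied; let HijackThis restore the default"
    return None


def classify_bho_line(m):
    """Reason an O2 entry needs fixing, or None. An unnamed BHO living in the
    Windows directory (here dcfe.dll) is the pattern; vendor BHOs sit under
    Program Files."""
    if m.group("name") == "(no name)" and SYSTEM_DIR.match(m.group("path")):
        return "unnamed BHO loaded from the Windows system directory"
    return None


def find_indicators(log_text):
    """Scan HijackThis log text; return one finding dict per suspicious line."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = R_LINE.match(line)
        if m:
            reason = classify_r_line(m)
            if reason:
                findings.append({"line": line, "reason": reason, "root": m.group("root"),
                                 "key": m.group("key"), "value": m.group("value").strip()})
            continue
        m = BHO_LINE.match(line)
        if m:
            reason = classify_bho_line(m)
            if reason:
                findings.append({"line": line, "reason": reason,
                                 "clsid": m.group("clsid"), "path": m.group("path")})
    return findings


def verify_commands(findings):
    """reg.exe queries to confirm each flagged value / BHO registration is gone
    after the fix (reg.exe ships with XP and later). The fix tends not to stick
    while the DLL is still loaded in explorer.exe, hence the APM unload step."""
    cmds = []
    for f in findings:
        if "key" in f:
            cmds.append('reg query "%s\\%s" /v "%s"' % (f["root"], f["key"], f["value"]))
        else:
            cmds.append('reg query "%s\\{%s}"' % (BHO_KEY, f["clsid"]))
    return cmds


if __name__ == "__main__":
    found = find_indicators(SAMPLE_LOG)
    for f in found:
        print("%-62s <- %s" % (f["reason"], f["line"]))
    print("\n".join(verify_commands(found)))
```

Run it against a saved HijackThis log by passing the file contents to find_indicators(); the five findings on the sample are exactly the lines CajunTek lists, and the printed reg query commands give you a way to confirm after the reboot that the values really stayed fixed instead of being re-created.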



VeeDuber Re: Infected with CoolWebSearch - Updated Jun 28, 2004 9:48 PM

Posts: 10 From: Renton
Registered: Jun 22, 2004

OK, CajunTek -

Thanks for the reply. I followed all of your directions, except for the following:

In the upper window select explorer.exe
In the lower window find and right-click the BHO from the HijackThis log
Select Unload DLL and click OK on the prompts that follow.


In the APM application, the BHO was not listed with explorer.exe selected. I did close the HijackThis program once I cleaned the files per your instruction. HijackThis did not even show up in the folder list.

I ran adaware again, and although it showed 12 items, 10 of the twelve were tracking cookies. Two were the about:blank item registry entries.

So here are my log files. First the Adaware log:


Lavasoft Ad-aware Personal Build 6.181
Logfile created on :Monday, June 28, 2004 6:31:52 PM
Created with Ad-aware Personal, free for private use.
Using reference-file :01R324 22.06.2004
______________________________________________________
Reffile status:
=========================
Reference file loaded:
Reference Number : 01R324 22.06.2004
Internal build : 256
File location : C:\Program Files\Lavasoft\Ad-aware 6\reflist.ref
Total size : 1265402 Bytes
Signature data size : 1244925 Bytes
Reference data size : 20413 Bytes
Signatures total : 27677
Target categories : 10
Target families : 506

Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium IV
Memory available:42 %
Total physical memory:514864 kb
Available physical memory:214832 kb
Total page file size:1257388 kb
Available on page file:910240 kb
Total virtual memory:2097024 kb
Available virtual memory:2051788 kb
OS:Windows 2000

Ad-aware Settings
=========================
Set : Activate in-depth scan (Recommended)
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-aware Settings
=========================
Set : Unload recognized processes during scanning
Set : Include basic Ad-aware settings in logfile
Set : Include additional Ad-aware settings in logfile
Set : Let windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Always back up reference file, before updating
Set : Play sound if scan produced a result


6-28-2004 6:31:52 PM - Scan started. (Custom mode)

Listing running processes


#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ThreadCreationTime : 6-29-2004 1:01:28 AM
BasePriority : Normal


#:2 [winlogon.exe]
FilePath : \??\C:\WINNT\system32\
ThreadCreationTime : 6-29-2004 1:01:39 AM
BasePriority : High


#:3 [services.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 6-29-2004 1:01:41 AM
BasePriority : Normal
FileSize : 87 KB
FileVersion : 5.00.2195.6700
ProductVersion : 5.00.2195.6700
Copyright : Copyright © Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
OriginalFilename : services.exe
ProductName : Microsoft® Windows ® 2000 Operating System
Created on : 7/14/2003 12:00:00 PM
Last accessed : 6/29/2004 12:43:27 AM
Last modified : 7/14/2003 12:00:00 PM

#:4 [lsass.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 6-29-2004 1:01:41 AM
BasePriority : Normal
FileSize : 32 KB
FileVersion : 5.00.2195.6902
ProductVersion : 5.00.2195.6902
Copyright : Copyright © Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : LSA Executable and Server DLL (Export Version)
InternalName : lsasrv.dll and lsass.exe
OriginalFilename : lsasrv.dll and lsass.exe
ProductName : Microsoft® Windows ® 2000 Operating System
Created on : 7/14/2003 12:00:00 PM
Last accessed : 6/29/2004 12:43:27 AM
Last modified : 2/25/2004 11:59:07 PM

#:5 [svchost.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 6-29-2004 1:01:44 AM
BasePriority : Normal
FileSize : 7 KB
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
Copyright : Copyright © Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft® Windows ® 2000 Operating System
Created on : 7/14/2003 12:00:00 PM
Last accessed : 6/29/2004 12:43:29 AM
Last modified : 7/14/2003 12:00:00 PM

#:6 [spoolsv.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 6-29-2004 1:01:44 AM
BasePriority : Normal
FileSize : 44 KB
FileVersion : 5.00.2195.6659
ProductVersion : 5.00.2195.6659
Copyright : Copyright © Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolss.exe
OriginalFilename : spoolss.exe
ProductName : Microsoft® Windows ® 2000 Operating System
Created on : 2/20/2004 4:11:25 PM
Last accessed : 6/29/2004 12:43:30 AM
Last modified : 7/14/2003 12:00:00 PM

#:7 [svchost.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 6-29-2004 1:01:45 AM
BasePriority : Normal
FileSize : 7 KB
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
Copyright : Copyright © Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft® Windows ® 2000 Operating System
Created on : 7/14/2003 12:00:00 PM
Last accessed : 6/29/2004 12:43:29 AM
Last modified : 7/14/2003 12:00:00 PM

#:8 [hidserv.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 6-29-2004 1:01:45 AM
BasePriority : Normal
FileSize : 19 KB
FileVersion : 5.00.2195.6655
ProductVersion : 5.00.2195.6655
Copyright : Copyright © Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : HID Audio Service
InternalName : hidserv
OriginalFilename : HIDSERV.EXE
ProductName : Microsoft® Windows ® 2000 Operating System
Created on : 2/26/2004 5:43:25 PM
Last accessed : 6/29/2004 12:43:35 AM
Last modified : 6/19/2003 8:05:04 PM

#:9 [incdsrv.exe]
FilePath : C:\Program Files\Ahead\InCD\
ThreadCreationTime : 6-29-2004 1:01:46 AM
BasePriority : Normal
FileSize : 780 KB
FileVersion : 4, 0, 5, 4
ProductVersion : 4, 0, 5, 4
Copyright : Copyright
CompanyName : AHEAD Software
FileDescription : incdsrv
InternalName : incdsrv
OriginalFilename : incdsrv.exe
ProductName : AHEAD Software incdsrv
Created on : 2/21/2004 2:30:50 AM
Last accessed : 6/29/2004 12:43:36 AM
Last modified : 9/1/2003 1:32:08 PM

#:10 [mcvsrte.exe]
FilePath : c:\PROGRA~1\mcafee.com\vso\
ThreadCreationTime : 6-29-2004 1:01:51 AM
BasePriority : Normal
FileSize : 104 KB
FileVersion : 8, 0, 0, 12
ProductVersion : 8, 0, 0, 0
Copyright : Copyright
CompanyName : Networks Associates Technology, Inc
FileDescription : McAfee VirusScan Real-time Engine
InternalName : mcvsrte
OriginalFilename : mcvsrte.exe
ProductName : McAfee VirusScan
Created on : 6/23/2004 1:37:35 AM
Last accessed : 6/29/2004 1:02:56 AM
Last modified : 8/9/2003 1:04:38 AM

#:11 [mpfservice.exe]
FilePath : C:\PROGRA~1\McAfee.com\PERSON~1\
ThreadCreationTime : 6-29-2004 1:01:54 AM
BasePriority : Normal
FileSize : 492 KB
FileVersion : 4.1.0.1
ProductVersion : 4.1.0.1
Copyright : Copyright
CompanyName : McAfee Corporation
FileDescription : McAfee Personal Firewall Service
InternalName : MPFService
OriginalFilename : MpfService.exe
ProductName : McAfee Personal Firewall
Created on : 6/23/2004 1:45:16 AM
Last accessed : 6/29/2004 1:01:54 AM
Last modified : 9/2/2003 9:00:00 PM

#:12 [regsvc.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 6-29-2004 1:01:55 AM
BasePriority : Normal
FileSize : 66 KB
FileVersion : 5.00.2195.6701
ProductVersion : 5.00.2195.6701
Copyright : Copyright © Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : Remote Registry Service
InternalName : regsvc
OriginalFilename : REGSVC.EXE
ProductName : Microsoft® Windows ® 2000 Operating System
Created on : 7/14/2003 12:00:00 PM
Last accessed : 6/29/2004 12:43:38 AM
Last modified : 7/14/2003 12:00:00 PM

#:13 [mstask.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 6-29-2004 1:01:56 AM
BasePriority : Normal
FileSize : 116 KB
FileVersion : 4.71.2195.6704
ProductVersion : 4.71.2195.6704
Copyright : Copyright © Microsoft Corp. 1997
CompanyName : Microsoft Corporation
FileDescription : Task Scheduler Engine
InternalName : TaskScheduler
OriginalFilename : mstask.exe
ProductName : Microsoft
Created on : 2/21/2004 12:28:39 AM
Last accessed : 6/29/2004 1:03:11 AM
Last modified : 7/14/2003 12:00:00 PM

#:14 [winmgmt.exe]
FilePath : C:\WINNT\System32\WBEM\
ThreadCreationTime : 6-29-2004 1:01:57 AM
BasePriority : Normal
FileSize : 192 KB
FileVersion : 1.50.1085.0100
ProductVersion : 1.50.1085.0100
Copyright : Copyright © Microsoft Corp. 1995-1999
CompanyName : Microsoft Corporation
FileDescription : Windows Management Instrumentation
InternalName : WINMGMT
ProductName : Windows Management Instrumentation
Created on : 7/14/2003 12:00:00 PM
Last accessed : 6/29/2004 12:43:39 AM
Last modified : 7/14/2003 12:00:00 PM

#:15 [mspmspsv.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 6-29-2004 1:01:57 AM
BasePriority : Normal
FileSize : 52 KB
FileVersion : 7.01.00.3055
ProductVersion : 7.01.00.3055
Copyright : Copyright © Microsoft Corp. 1981-2000
CompanyName : Microsoft Corporation
FileDescription : WMDM PMSP Service
InternalName : MSPMSPSV.EXE
OriginalFilename : MSPMSPSV.EXE
ProductName : Microsoft ® DRM
Created on : 6/3/2004 2:50:05 AM
Last accessed : 6/29/2004 12:43:39 AM
Last modified : 5/2/2001 12:06:22 AM

#:16 [svchost.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 6-29-2004 1:01:57 AM
BasePriority : Normal
FileSize : 7 KB
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
Copyright : Copyright © Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft® Windows ® 2000 Operating System
Created on : 7/14/2003 12:00:00 PM
Last accessed : 6/29/2004 12:43:29 AM
Last modified : 7/14/2003 12:00:00 PM

#:17 [mcshield.exe]
FilePath : c:\PROGRA~1\mcafee.com\vso\
ThreadCreationTime : 6-29-2004 1:02:07 AM
BasePriority : High
FileSize : 224 KB
Created on : 6/23/2004 1:37:34 AM
Last accessed : 6/29/2004 1:02:07 AM
Last modified : 3/13/2002 3:50:26 PM

#:18 [explorer.exe]
FilePath : C:\WINNT\
ThreadCreationTime : 6-29-2004 1:02:27 AM
BasePriority : Normal
FileSize : 237 KB
FileVersion : 5.00.3700.6690
ProductVersion : 5.00.3700.6690
Copyright : Copyright © Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
OriginalFilename : EXPLORER.EXE
ProductName : Microsoft® Windows ® 2000 Operating System
Created on : 7/14/2003 12:00:00 PM
Last accessed : 6/29/2004 1:02:27 AM
Last modified : 7/14/2003 12:00:00 PM

#:19 [igfxtray.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 6-29-2004 1:02:36 AM
BasePriority : Normal
FileSize : 152 KB
FileVersion : 3,0,0,2104
ProductVersion : 7,0,0,2104
Copyright : Copyright 1999-2003, Intel Corporation
CompanyName : Intel Corporation
FileDescription : igfxTray Module
InternalName : IGFXTRAY
OriginalFilename : IGFXTRAY.EXE
ProductName : Intel® Common User Interface
Created on : 2/21/2004 2:18:29 AM
Last accessed : 6/29/2004 12:44:14 AM
Last modified : 4/6/2003 4:19:52 PM

#:20 [hkcmd.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 6-29-2004 1:02:36 AM
BasePriority : Normal
FileSize : 112 KB
FileVersion : 3,0,0,2104
ProductVersion : 7,0,0,2104
Copyright : Copyright 1999-2003, Intel Corporation
CompanyName : Intel Corporation
FileDescription : hkcmd Module
InternalName : HKCMD
OriginalFilename : HKCMD.EXE
ProductName : Intel® Common User Interface
Created on : 2/21/2004 2:18:24 AM
Last accessed : 6/29/2004 12:44:15 AM
Last modified : 4/6/2003 4:07:38 PM

#:21 [soundman.exe]
FilePath : C:\WINNT\
ThreadCreationTime : 6-29-2004 1:02:36 AM
BasePriority : Normal
FileSize : 61 KB
FileVersion : 5.1.14
ProductVersion : 5.1.14
Copyright : Copyright © 2001-2003 Realtek Semiconductor Corp.
CompanyName : Realtek Semiconductor Corp.
FileDescription : Realtek Sound Manager
InternalName : ALSMTray
OriginalFilename : ALSMTray.exe
ProductName : Realtek Sound Manager
Created on : 2/21/2004 2:19:14 AM
Last accessed : 6/29/2004 12:44:15 AM
Last modified : 11/13/2003 10:23:52 AM

#:22 [incd.exe]
FilePath : C:\Program Files\Ahead\InCD\
ThreadCreationTime : 6-29-2004 1:02:38 AM
BasePriority : Normal
FileSize : 1172 KB
FileVersion : 4, 0, 5, 4
ProductVersion : 4, 0, 5, 4
Copyright : Copyright © 2003 Ahead Software and its licensors
CompanyName : Ahead Software AG
FileDescription : InCD
InternalName : InCD
OriginalFilename : InCD.exe
ProductName : InCD
Created on : 2/21/2004 2:30:48 AM
Last accessed : 6/29/2004 12:44:18 AM
Last modified : 9/1/2003 1:32:36 PM

#:23 [tgcmd.exe]
FilePath : C:\Program Files\support.com\bin\
ThreadCreationTime : 6-29-2004 1:02:39 AM
BasePriority : Normal
FileSize : 1508 KB
FileVersion : 5,5,402,0
ProductVersion : 5,5,402,0
Copyright : Copyright 1997-2069 Support.com
CompanyName : Support.com, Inc.
FileDescription : Support.com Scheduler and Command Dispatcher
InternalName : TGCMD
OriginalFilename : TGCMD.EXE
ProductName : Support.com Scheduler and Command Dispatcher
Created on : 4/24/2002 7:55:54 PM
Last accessed : 6/29/2004 12:44:21 AM
Last modified : 4/25/2002 1:37:43 AM

#:24 [mcvsshld.exe]
FilePath : C:\PROGRA~1\mcafee.com\vso\
ThreadCreationTime : 6-29-2004 1:02:41 AM
BasePriority : Normal
FileSize : 160 KB
FileVersion : 8, 0, 0, 15
ProductVersion : 8, 0, 0, 0
Copyright : Copyright
CompanyName : Networks Associates Technology, Inc
FileDescription : McAfee VirusScan ActiveShield Resource
InternalName : msvcshld
OriginalFilename : mcvsshld.exe
ProductName : McAfee VirusScan
Created on : 6/23/2004 1:37:35 AM
Last accessed : 6/29/2004 1:02:41 AM
Last modified : 8/18/2003 4:50:34 AM

#:25 [mcagent.exe]
FilePath : C:\PROGRA~1\mcafee.com\agent\
ThreadCreationTime : 6-29-2004 1:02:42 AM
BasePriority : Normal
FileSize : 240 KB
FileVersion : 4, 3, 0, 27
ProductVersion : 4, 3, 0, 0
Copyright : Copyright
CompanyName : Networks Associates Technology, Inc
FileDescription : McAfee SecurityCenter Agent
InternalName : mcagent
OriginalFilename : mcagent.exe
ProductName : McAfee SecurityCenter
Created on : 6/23/2004 1:37:33 AM
Last accessed : 6/29/2004 1:02:42 AM
Last modified : 12/8/2003 10:38:52 PM

#:26 [mcvsescn.exe]
FilePath : c:\progra~1\mcafee.com\vso\
ThreadCreationTime : 6-29-2004 1:02:43 AM
BasePriority : Normal
FileSize : 408 KB
FileVersion : 8, 0, 0, 30
ProductVersion : 8, 0, 0, 0
Copyright : Copyright
CompanyName : Networks Associates Technology, Inc
FileDescription : McAfee VirusScan E-mail Scan Module
InternalName : mcvsescn
OriginalFilename : mcvsescn.EXE
ProductName : McAfee VirusScan
Created on : 6/23/2004 1:37:36 AM
Last accessed : 6/29/2004 1:23:32 AM
Last modified : 4/29/2004 12:55:12 AM

#:27 [jusched.exe]
FilePath : C:\Program Files\Java\j2re1.4.2_04\bin\
ThreadCreationTime : 6-29-2004 1:02:43 AM
BasePriority : Normal
FileSize : 32 KB
Created on : 2/23/2068 6:44:46 AM
Last accessed : 6/29/2004 12:44:29 AM
Last modified : 2/23/2004 6:44:44 AM

#:28 [mpftray.exe]
FilePath : C:\PROGRA~1\McAfee.com\PERSON~1\
ThreadCreationTime : 6-29-2004 1:02:44 AM
BasePriority : Normal
FileSize : 1348 KB
FileVersion : 5.0.1.5
ProductVersion : 5.0.1.5
Copyright : Copyright
CompanyName : McAfee Security
FileDescription : McAfee Personal Firewall Tray Monitor
InternalName : MpfTray
OriginalFilename : MPFTRAY.EXE
ProductName : McAfee Personal Firewall (MPF)
Created on : 6/23/2004 1:45:17 AM
Last accessed : 6/29/2004 1:03:33 AM
Last modified : 3/24/2004 10:56:00 PM

#:29 [ctfmon.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 6-29-2004 1:02:47 AM
BasePriority : Normal
FileSize : 8 KB
FileVersion : 1.00.2409.7 built by: Lab06_N
ProductVersion : 1.00.2409.7
Copyright : Copyright © Microsoft Corporation. 1981-2001
CompanyName : Microsoft Corporation
FileDescription : Cicero Loader
InternalName : CICLOAD
OriginalFilename : CICLOAD.EXE
ProductName : Microsoft® Windows NT® Operating System
Created on : 2/20/2001 8:09:54 PM
Last accessed : 6/29/2004 12:44:29 AM
Last modified : 2/20/2001 8:09:54 PM

#:30 [mfindexer.exe]
FilePath : C:\Corel\Graphics8\Programs\
ThreadCreationTime : 6-29-2004 1:02:48 AM
BasePriority : Normal
FileSize : 81 KB
FileVersion : 8.232
ProductVersion : 8.232
Copyright : Copyright
CompanyName : Corel Corporation
FileDescription : Utility which indexes Corel Media Folders
InternalName : Corel Media Indexer
OriginalFilename : MFIndexer.exe
ProductName : CorelDRAW ™
Created on : 5/8/2004 4:39:06 PM
Last accessed : 6/29/2004 12:44:31 AM
Last modified : 11/7/1997 5:55:46 PM

#:31 [osa.exe]
FilePath : C:\Program Files\Access97\Office\
ThreadCreationTime : 6-29-2004 1:02:50 AM
BasePriority : Normal
FileSize : 60 KB
Created on : 7/11/1997 7:00:00 AM
Last accessed : 6/29/2004 12:44:32 AM
Last modified : 7/11/1997 7:00:00 AM

#:32 [winword.exe]
FilePath : C:\Program Files\Microsoft Office\Office\
ThreadCreationTime : 6-29-2004 1:02:50 AM
BasePriority : Normal
FileSize : 8592 KB
FileVersion : 9.0.2717
ProductVersion : 9.0.2717
Copyright : Copyright
CompanyName : Microsoft Corporation
FileDescription : Microsoft Word for Windows
InternalName : WinWord
OriginalFilename : WinWord.exe
ProductName : Microsoft Office 2000
Created on : 3/18/1999 5:38:10 AM
Last accessed : 6/29/2004 1:02:50 AM
Last modified : 3/18/1999 5:38:10 AM

#:33 [mpfagent.exe]
FilePath : C:\PROGRA~1\McAfee.com\PERSON~1\
ThreadCreationTime : 6-29-2004 1:02:57 AM
BasePriority : Normal
FileSize : 556 KB
FileVersion : 5.1.0.8
ProductVersion : 5.1.0.8
Copyright : Copyright
CompanyName : McAfee Security
FileDescription : McAfee Personal Firewall Agent Interface
InternalName : MpfAgent
OriginalFilename : MPFAGENT.EXE
ProductName : McAfee Personal Firewall (MPF)
Created on : 6/23/2004 1:45:17 AM
Last accessed : 6/29/2004 1:02:57 AM
Last modified : 6/7/2004 5:42:20 PM

#:34 [tgagentm.exe]
FilePath : C:\Program Files\support.com\comcastsupport\
ThreadCreationTime : 6-29-2004 1:06:53 AM
BasePriority : Normal
FileSize : 1140 KB
FileVersion : 5, 5, 402, 1
ProductVersion : 5, 5, 402, 1
Copyright : Copyright 1997-2069 Support.com
CompanyName : Support.com, Inc.
FileDescription : ComcastSUPPORT Agent
InternalName : TGAGENTM
OriginalFilename : TGAGENTM.EXE
ProductName : ComcastSupport Agent
Created on : 7/26/2002 1:41:26 AM
Last accessed : 6/29/2004 1:06:55 AM
Last modified : 9/11/2002 9:55:42 PM

#:35 [iexplore.exe]
FilePath : C:\Program Files\Internet Explorer\
ThreadCreationTime : 6-29-2004 1:08:57 AM
BasePriority : Normal
FileSize : 89 KB
FileVersion : 6.00.2800.1106
ProductVersion : 6.00.2800.1106
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
OriginalFilename : IEXPLORE.EXE
ProductName : Microsoft
Created on : 8/29/2002 3:14:40 PM
Last accessed : 6/29/2004 1:08:57 AM
Last modified : 8/29/2002 3:14:40 PM

#:36 [outlook.exe]
FilePath : C:\Program Files\Microsoft Office\Office\
ThreadCreationTime : 6-29-2004 1:12:47 AM
BasePriority : Normal
FileSize : 56 KB
FileVersion : 9.0.2416
ProductVersion : 9.0.2416
Copyright : Copyright
CompanyName : Microsoft Corporation
FileDescription : Microsoft Outlook
InternalName : Outlook
OriginalFilename : Outlook.exe
ProductName : Microsoft Outlook
Created on : 12/16/1998 9:09:20 PM
Last accessed : 6/29/2004 1:12:47 AM
Last modified : 12/16/1998 9:09:20 PM

#:37 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-aware 6\
ThreadCreationTime : 6-29-2004 1:25:49 AM
BasePriority : Normal
FileSize : 668 KB
FileVersion : 6.0.1.181
ProductVersion : 6.0.0.0
Copyright : Copyright
CompanyName : Lavasoft Sweden
FileDescription : Ad-aware 6 core application
InternalName : Ad-aware.exe
OriginalFilename : Ad-aware.exe
ProductName : Lavasoft Ad-aware Plus
Created on : 6/26/2004 12:43:04 AM
Last accessed : 6/29/2004 1:25:49 AM
Last modified : 7/13/2003 4:00:20 AM

Memory scan result :

New objects : 0
Objects found so far: 0


Started registry scan


Registry scan result :

New objects : 0
Objects found so far: 0


Started deep registry scan

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Pageabout:blank

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "about:blank"
Category : Data Miner
Comment : Possible browser hijack attempt
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Main
Value : Start Page
Data : "about:blank"

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Pageabout:blank

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "about:blank"
Category : Data Miner
Comment : Possible browser hijack attempt
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet Explorer\Main
Value : Start Page
Data : "about:blank"


Deep registry scan result :

New objects : 2
Objects found so far: 2


Deep scanning and examining files (C:)


Tracking Cookie Object recognized!
Type : File
Data : administrator@atdmt[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Administrator\Cookies\

Created on : 6/26/2004 6:44:51 PM
Last accessed : 6/29/2004 1:32:52 AM
Last modified : 6/26/2004 6:44:51 PM



Tracking Cookie Object recognized!
Type : File
Data : kalbrecht@0[2].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\kalbrecht\Cookies\

Created on : 6/28/2004 2:56:05 AM
Last accessed : 6/29/2004 1:32:59 AM
Last modified : 6/28/2004 2:56:05 AM



Tracking Cookie Object recognized!
Type : File
Data : kalbrecht@2o7[2].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\kalbrecht\Cookies\

Created on : 6/28/2004 2:46:52 AM
Last accessed : 6/29/2004 1:32:59 AM
Last modified : 6/28/2004 3:10:57 AM



Tracking Cookie Object recognized!
Type : File
Data : kalbrecht@ads.addynamix[2].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\kalbrecht\Cookies\
FileSize : 1 KB
Created on : 6/28/2004 2:56:04 AM
Last accessed : 6/29/2004 1:32:59 AM
Last modified : 6/28/2004 2:57:27 AM



Tracking Cookie Object recognized!
Type : File
Data : kalbrecht@cgi-bin[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\kalbrecht\Cookies\

Created on : 6/28/2004 3:46:13 AM
Last accessed : 6/29/2004 1:32:59 AM
Last modified : 6/28/2004 3:46:13 AM



Tracking Cookie Object recognized!
Type : File
Data : kalbrecht@overture[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\kalbrecht\Cookies\

Created on : 6/28/2004 2:47:31 AM
Last accessed : 6/29/2004 1:32:59 AM
Last modified : 6/28/2004 12:24:23 PM



Tracking Cookie Object recognized!
Type : File
Data : kalbrecht@qksrv[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\kalbrecht\Cookies\

Created on : 6/28/2004 2:57:27 AM
Last accessed : 6/29/2004 1:32:59 AM
Last modified : 6/28/2004 2:57:27 AM



Tracking Cookie Object recognized!
Type : File
Data : kalbrecht@server.iad.liveperson[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\kalbrecht\Cookies\

Created on : 6/28/2004 2:51:28 AM
Last accessed : 6/29/2004 1:32:59 AM
Last modified : 6/28/2004 2:51:28 AM



Tracking Cookie Object recognized!
Type : File
Data : kalbrecht@tmpad[1].txt
Category : Data Miner
Comment : www.searchtraffic.com
Object : C:\Documents and Settings\kalbrecht\Cookies\

Created on : 6/28/2004 2:33:53 AM
Last accessed : 6/29/2004 1:32:59 AM
Last modified : 6/28/2004 2:33:53 AM



Tracking Cookie Object recognized!
Type : File
Data : kalbrecht@trafficmp[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\kalbrecht\Cookies\

Created on : 6/28/2004 2:33:53 AM
Last accessed : 6/29/2004 1:32:59 AM
Last modified : 6/28/2004 2:33:53 AM



Tracking Cookie Object recognized!
Type : File
Data : kalbrecht@tribalfusion[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\kalbrecht\Cookies\

Created on : 6/28/2004 2:57:26 AM
Last accessed : 6/29/2004 1:32:59 AM
Last modified : 6/28/2004 2:57:26 AM



Tracking Cookie Object recognized!
Type : File
Data : kalbrecht@www.maximumcash[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\kalbrecht\Cookies\

Created on : 6/28/2004 3:07:06 AM
Last accessed : 6/29/2004 1:32:59 AM
Last modified : 6/28/2004 3:07:06 AM



Disk scan result for C:\

New objects : 0
Objects found so far: 14


Scanning Hosts file(C:\WINNT\system32\drivers\etc\hosts)


Hosts file scan result:

1 entries scanned.
New objects :0
Objects found so far: 14




Performing conditional scans..


Conditional scan result:

New objects : 0
Objects found so far: 14


6:35:15 PM Scan complete

Summary of this scan

Total scanning time :00:03:22:453
Objects scanned :85689
Objects identified :14
Objects ignored :0
New objects :14

And now the HijackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 6:38:48 PM, on 6/28/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\igfxtray.exe
C:\WINNT\system32\hkcmd.exe
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\WINNT\system32\ctfmon.exe
C:\Corel\Graphics 8\Programs\MFIndexer.exe
C:\Program Files\Access97\Office\OSA.EXE
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\support.com\comcastsupport\tgagentm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\kfa\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.dogpile.c....dogpl.toolbar/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {C45884EB-EC14-4AB5-90CD-5EA2C4DEB9FB} - C:\WINNT\system32\dcfe.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Dogpile Toolbar - {5E92F538-B50B-46C5-9C5F-C6EECED3F6C6} - C:\Program Files\DogpileToolbar\ultrabar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - Global Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = C:\Corel\Graphics8\Programs\MFIndexer.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Access97\Office\OSA.EXE
O8 - Extra context menu item: Dogpile Cursor Search - C:\Documents and Settings\All Users\Application Data\Infospace\DogpileToolbar\contextsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ComcastHSI (HKLM)
O9 - Extra button: Support (HKLM)
O9 - Extra button: Help (HKLM)
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab

Thanks again for your help!



JohnD Re: Infected with CoolWebSearch - Updated Jun 28, 2004 11:15 PM

Posts: 1,300 From: Elk Grove Vil, IL
Registered: Jun 30, 2003

VeeDuber,

I suspect that your infection may return if you have not removed the DLL which is causing it. I would also suggest you download CWShredder and see if it finds anything. If it returns, you need to try CajunTek's solution. What he meant by "rightclick the BHO from the HijackThis log" was to select dcfe.dll. This is a cause of the infection and hopefully the only one. There may be another hidden one on your system which will require another tool.



VeeDuber Re: Infected with CoolWebSearch - Updated Jun 29, 2004 12:46 AM

Posts: 10 From: Renton
Registered: Jun 22, 2004

Jon -

Where should I look for this DLL? And what is the risk involved in deleting/renaming it? What would the process be to get this CoolWeb search off of my machine? I have tried MANY of the anti spy software AV software...

CWShredder was one of them, Ad-Aware, HijackThis... I keep tryin'



JohnD Re: Infected with CoolWebSearch - Updated Jun 29, 2004 2:14 AM

Posts: 1,300 From: Elk Grove Vil, IL
Registered: Jun 30, 2003

1. Download FindnFix.exe from here: http://freeatlast100.100free.com/

2. Double Click on FindnFix.exe and it will install the batch file in its own folder.

3. Open the FindnFix folder and double click on !LOG!.bat.

IMPORTANT! Before you run this tool please close ALL running programs and ALL open windows except for the FindnFix folder.

4. Wait a few minutes while the program collects the necessary information.

*NOTE: If your AntiVirus is running a scriptblocker, when you run this tool you will probably receive an alert warning you that the script is running. "Allow" the script to run.

5. When the program is finished, open the FindnFix folder.
a. Post the contents of Log.txt in this thread.
b. Also post the WIN.txt file in the same post.



VeeDuber Re: Infected with CoolWebSearch - Updated Jun 29, 2004 10:17 PM

Posts: 10 From: Renton
Registered: Jun 22, 2004

Thanks JohnD -

Here are my logs:


*** freeatlast100.100free.com ***

Microsoft Windows 2000 [Version 5.00.2195]
The type of the file system is NTFS.
C: is not dirty.

Tue 06/29/2004
7:11pm up 0 days, 0:21

***LOG!***

Scanning for file(s)...
*********
(*1*) .........
Locked or 'Suspect' file(s) found...


C:\WINNT\System32\COMGGOG.DLL +++ File read error
\\?\C:\WINNT\System32\COMGGOG.DLL +++ File read error

(*2*) ........
**File C:\FINDnFIX\LIST.TXT
COMGGOG.DLL Can't Open!

(*3*) ........

C:\WINNT\SYSTEM32\
comggog.dll Mon Jun 21 2004 9:54:20p A...R 57,344 56.00 K
nticdm~1.dll Sat Apr 3 2004 11:56:56a ...HR 1,024 1.00 K
ntiembed.dll Sat Apr 3 2004 11:57:46a ...HR 1,024 1.00 K

3 items found: 3 files (2 H/S), 0 directories.
Total of file sizes: 59,392 bytes 58.00 K

unknown/hidden files...

C:\WINNT\SYSTEM32\
nticdm~1.dll Sat Apr 3 2004 11:56:56a ...HR 1,024 1.00 K
ntiembed.dll Sat Apr 3 2004 11:57:46a ...HR 1,024 1.00 K

2 items found: 2 files, 0 directories.
Total of file sizes: 2,048 bytes 2.00 K

(*4*) .........
Sniffing..........
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINNT\SYSTEM32\COMGGOG.DLL
Sniffed -> C:\WINNT\SYSTEM32\NTICDM~1.DLL
Sniffed -> C:\WINNT\SYSTEM32\NTIEMBED.DLL
******** *

Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

Dumping Values........
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs = (*** MISSING TRAILING NULL CHARACTER ***)
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710

Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM


Member of...: (Admin logon required!)
User is a member of group USER-D7A07D9E29\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.
User is a member of group \LOCAL.

Service search (different variant) '"Network Security Service","__NS_Service_3"...

[SC] GetServiceKeyName FAILED 1060:

The specified service does not exist as an installed service.

[SC] GetServiceDisplayName FAILED 1060:

The specified service does not exist as an installed service.


Dir 'junkxxx' was created with the following permissions...
(FAT32=NA)
Directory "C:\junkxxx"
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x \Everyone

Owner: BUILTIN\Administrators

Primary Group: USER-D7A07D9E29\None



Backups created...
7:12pm up 0 days, 0:21
Tue 06/29/2004

A C:\FINDnFIX\winBack.hiv
--a-- - - - - - 8,192 06-29-2004 winback.hiv
A C:\FINDnFIX\keys1\winkey.reg
--a-- - - - - - 287 06-29-2004 winkey.reg

Performing 16bit string scan....

---------- WIN.TXT
AppInit_DLLsp
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

Windows
AppInit
DLLsp
DeviceNotSelectedTimeout
GDIProcessHandleQuota
Spooler
swapdisk
TransmissionRetryTimeout
USERProcessHandleQuotan

**File C:\FINDnFIX\WIN.TXT
         8     @ vk <    o AppInit_DLLsp o C : \ W I N N T \ s y s t e m 3 2 \ c o m g g o g . d l l vk  h   k DeviceNotSelectedTimeout1 5  h   vk  '   o GDIProcessHandleQuota e vk     \ Spooler y e s m p vk    K swapdiskvk  0   c TransmissionRetryTimeout9 0  h vk  '   i USERProcessHandleQuotan ? /Lu=Lu????LuLu????"Mu0Mu????Mu Mu???? NuNu????rNuNu????Ou&Ou????OuOu???? *Pu8Pu????PuPu????$Qu2Qu????QuQu????Yu Yu YuYuZu Zu????K\u\\u????]u]u????6^uD^u( ` ~ ! @ # $ % ^ & * _ - + = | \ { } [ ] : ; " ' < > , . ? ) ????qcu?cu???? eu.eu????JfuXfu????fufu????huhu????D xW44ͫ #Eg ] +H` uyuyuu uu 

And if that last bit wasn't messy enough, here is the Win.txt text:



Thanks again for your help. It is much appreciated. - K



JohnD Re: Infected with CoolWebSearch - Updated Jun 29, 2004 10:46 PM

Posts: 1,300 From: Elk Grove Vil, IL
Registered: Jun 30, 2003

VeeDuber,

We have identified the evil DLL. Please post another HijackThis log so we can see where you stand there.



VeeDuber Re: Infected with CoolWebSearch - Updated Jun 29, 2004 11:59 PM

Posts: 10 From: Renton
Registered: Jun 22, 2004

JohnD -

Here is the latest, generated right after Ad-Aware:

Logfile of HijackThis v1.97.7
Scan saved at 9:00:16 PM, on 6/29/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
c:\P

#2 johnpd

New Member, 1 posts

Posted 08 July 2004 - 04:37 AM

We need some assistance from "freeatlast". When VeeDuber ran the second FINDnFIX process, it failed to move the file to the C:\junkxxx folder. Here is the log1.txt file.

*** freeatlast100.100free.com ***

Tue 06/29/2004
10:06pm up 0 days, 0:02

Microsoft Windows 2000 [Version 5.00.2195]
The type of the file system is NTFS.
C: is not dirty.

***LOG1!***
Scanning for file(s)...

(1)
\\?\C:\WINNT\System32\COMGGOG.DLL +++ File read error

(2)
**File C:\FINDnFIX\LIST.TXT
COMGGOG.DLL Can't Open!

(3)

C:\WINNT\SYSTEM32\
comggog.dll Mon Jun 21 2004 9:54:20p A...R 57,344 56.00 K
nticdm~1.dll Sat Apr 3 2004 11:56:56a ...HR 1,024 1.00 K
ntiembed.dll Sat Apr 3 2004 11:57:46a ...HR 1,024 1.00 K

3 items found: 3 files (2 H/S), 0 directories.
Total of file sizes: 59,392 bytes 58.00 K

C:\WINNT\SYSTEM32\
nticdm~1.dll Sat Apr 3 2004 11:56:56a ...HR 1,024 1.00 K
ntiembed.dll Sat Apr 3 2004 11:57:46a ...HR 1,024 1.00 K

2 items found: 2 files, 0 directories.
Total of file sizes: 2,048 bytes 2.00 K

(4)
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINNT\SYSTEM32\COMGGOG.DLL
Sniffed -> C:\WINNT\SYSTEM32\NTICDM~1.DLL
Sniffed -> C:\WINNT\SYSTEM32\NTIEMBED.DLL

* Scanning for moved file... *

No matches found.
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

fgrep: no files found for C:\JUNKXXX\*.*
**File C:\FINDnFIX\LIST.TXT
COMGGOG.DLL Can't Open!

move C:\WINDOWS\System32\COMGGOG.dll c:\junkxxx\COMGGOG.dll




File not found - C:\junkxxx\*.*

Permissions:
There are no more files.

Directory "C:\junkxxx\."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x \Everyone
Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Owner: BUILTIN\Administrators

Primary Group: USER-D7A07D9E29\None

Directory "C:\junkxxx\.."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x \Everyone

Owner: BUILTIN\Administrators

Primary Group: BUILTIN\Administrators


Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

Dumping Values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710
AppInit_DLLs =

Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read Everyone
(ID-IO) ALLOW Read Everyone
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW QWCEN-DS-- BUILTIN\Power Users
(ID-IO) ALLOW QWCEN-DS-- BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read Everyone
Read BUILTIN\Users
QWCEN-DS-- BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM



---------- WIN.TXT
AppInit_DLLsp

---------- NEWWIN.TXT
AppInit_DLLs2
**File C:\FINDnFIX\NEWWIN.TXT
27B@?  8 h    8 vk     DeviceNotSelectedTimeout1 5 c r e e n vk  '   GDIProcessHandleQuota vk     Spooler y e s h   vk    swapdiskvk     V TransmissionRetryTimeout9 0  h vk  '   USERProcessHandleQuota vk    s AppInit_DLLs2 \  /  C : \ j u n k x x x
**File C:\FINDnFIX\NEWWIN.TXT
00001350: 01 00 00 00 01 00 73 00 . 5F 44 4C 4C 73 32 00 5C ......s. _DLLs2.\
**File C:\FINDnFIX\NEWWIN.TXT
27B@?  8 h    8 vk     DeviceNotSelectedTimeout1 5 c r e e n vk  '   GDIProcessHandleQuota vk     Spooler y e s h   vk    swapdiskvk     V TransmissionRetryTimeout9 0  h vk  '   USERProcessHandleQuota vk    s AppInit_DLLs2 \  /  C : \ j u n k x x x



