Jump to content


CoolWWW hijack

  • Please log in to reply
3 replies to this topic

#1 BriosCometfyre



  • Full Member
  • Pip
  • 55 posts

Posted 09 July 2004 - 02:39 PM

Not exactly sure what is going on but every time i try to use the internet my homepage is changed. I read some of the other posts and did some of the reccomended things and still cant figure this out. Ad-aware, spy sweeper and other things keep finding CoolWWW and deleting it but it keeps coming back. Here are my Buster logs and Hijackthis logs. Any help in fixing this is much appreciated. Also, i am constantly getting popups, mostly saying that i have spyware on my computer, annoying porn is also popping up, and im not sure why. Some of the things listed in my scans are DyFuCA, CoolWWW, WildTangent, Kontiki, Doubleclick Inc., Cydoor, Coolwebsearch, 00hq, Submithook and a few others. I also get a thing called Alexa Toolbar occasionally, and Minibug/Weatherbug, neither of which i want or need.

Sorry for the edit but i have a new problem. like 20% of the time when i open the internet it takes me to some about:blank site, and like 70% of the time it takes me to google, so only maybe 1 out of 10 times does my normal homepage open, i have no idea what any of this means or how to fix it.

-- Scan 1 --------
About:Buster Version 1.26
Removed! : C:\WINDOWS\System32\hbcmdo.dll
Removed! : C:\WINDOWS\System32\bkldbk.dll
Removed! : C:\WINDOWS\System32\olfcn.dll
Removed! : C:\WINDOWS\System32\nogid.dll
Removed! : C:\WINDOWS\System32\nbedl.dll
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 --------
About:Buster Version 1.26
Attempted Clean Of Temp folder.
Pages Reset... Done!

Logfile of HijackThis v1.97.7
Scan saved at 4:42:12 PM, on 7/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\system32\svchost.exe <---Occasionally on start up like 50 of these are open, not sure if that means anything.
C:\Program Files\EPSON\ESM2\eEBSVC.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\AIM95\aim.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [Adware Spy] C:\Program Files\AdwareSpy\AdwareSpy.exe
O4 - Global Startup: EPSON Background Monitor.lnk = C:\Program Files\EPSON\ESM2\STMS.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potc_x.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamesp...nch/alaunch.cab
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs1b.instants...erxsigned35.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} (SOESysInfo Control) - http://everquest2.st.../soesysinfo.cab
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://kr.pristontal...protect/npx.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v5.cab

Edited by BriosCometfyre, 15 July 2004 - 12:37 PM.

#2 BriosCometfyre



  • Full Member
  • Pip
  • 55 posts

Posted 10 July 2004 - 10:46 AM

Last night before i went to bed i ran AD-aware again with all the custom settings for optimum scanning activated and did a custom scan and it found about 300 things mostly coolwebsearch (even though i have scanned like 50000 times with cwshredder and not ONCE have found anything at all), and earlier in the day it hadnt found any, and spysweeper and other programs are still turning up with nothing. CoolWWW is showing up again also even though it was gone for a few hours yesterday. Not sure where all this is coming from. Also my computer is starting to run a lot slower and random porn is opening for no reason, getting very tiresome. Please help! =)

By the way, what is a DSO exploit? For weeks evert time is scan with Spybot S&D it doesnt find anything except 5 DSO exploits, which i delete every time, and the next time if finds 5 more, and 5 more, even if i scan consecutivly for hours...!

Edited by BriosCometfyre, 10 July 2004 - 11:38 AM.

#3 BriosCometfyre



  • Full Member
  • Pip
  • 55 posts

Posted 10 July 2004 - 12:21 PM

consistently finding Atwola now with scans, if that means anything.

#4 BriosCometfyre



  • Full Member
  • Pip
  • 55 posts

Posted 19 July 2004 - 03:56 PM

I hate to be rude and i know you are all really busy but its been 10 days since i posted this and still no reply =x. Please help me if it is at all possible. Again, sorry if i am being rude.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of

Support SpywareInfo Forum - click the button
PayPal - The safer, easier way to pay online!