
Hijacked, CoolWebSearch


7 replies to this topic

#1 BriosCometfyre

BriosCometfyre

    Member

  • Full Member
  • Pip
  • 55 posts

Posted 11 July 2004 - 10:05 AM

:grrr: Not exactly sure what is going on, but every time I try to use the internet my homepage is changed. I read some of the other posts and did some of the recommended things and still can't figure this out. Ad-aware, Spy Sweeper and other things keep finding CoolWWW and deleting it, but it keeps coming back. Here are my Buster logs and HijackThis logs. Any help in fixing this is much appreciated. Also, I am constantly getting popups, mostly saying that I have spyware on my computer; annoying porn is also popping up, and I'm not sure why. Some of the things listed in my scans are DyFuCA, CoolWWW, WildTangent, Kontiki, Doubleclick Inc., Cydoor, Coolwebsearch, 00hq, SubmitHook and a few others. I also get a thing called Alexa Toolbar occasionally, and Minibug/Weatherbug, neither of which I want or need.

Sorry for the edit, but I have a new problem. Like 20% of the time when I open the internet it takes me to some about:blank site, and like 70% of the time it takes me to Google, so only maybe 1 out of 10 times does my normal homepage open. I have no idea what any of this means or how to fix it.


-- Scan 1 --------
About:Buster Version 1.26
Removed! : C:\WINDOWS\System32\hbcmdo.dll
Removed! : C:\WINDOWS\System32\bkldbk.dll
Removed! : C:\WINDOWS\System32\olfcn.dll
Removed! : C:\WINDOWS\System32\nogid.dll
Removed! : C:\WINDOWS\System32\nbedl.dll
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 --------
About:Buster Version 1.26
Attempted Clean Of Temp folder.
Pages Reset... Done!


Logfile of HijackThis v1.97.7
Scan saved at 4:42:12 PM, on 7/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe <---Occasionally on start up like 50 of these are open, not sure if that means anything.
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\EPSON\ESM2\eEBSVC.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\AIM95\aim.exe
C:\HJT\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [Adware Spy] C:\Program Files\AdwareSpy\AdwareSpy.exe
O4 - Global Startup: EPSON Background Monitor.lnk = C:\Program Files\EPSON\ESM2\STMS.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potc_x.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamesp...nch/alaunch.cab
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs1b.instants...erxsigned35.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} (SOESysInfo Control) - http://everquest2.st.../soesysinfo.cab
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://kr.pristontal...protect/npx.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v5.cab

Every morning when I wake up, everything I got rid of the day before, including new about:buster entries, all comes back. Please help!!!!

Edited by BriosCometfyre, 15 July 2004 - 12:37 PM.


#2 darksilvertears

darksilvertears

    Member

  • New Member
  • Pip
  • 4 posts

Posted 11 July 2004 - 10:43 AM

Hi,

Just a month ago, I had this same problem, although I'm quite certain it was a different virus. It redirected my homepage etc... It sounds like you've got a lot of problems there... I'm not too great at fixing computers, but I'll share with you what I did and maybe it will work for you too. (I'm not sure how much you know about computers, so if you already tried these things I apologize.)

First of all, what operating system are you running? Windows 98, WinXP? Try doing a search on the spyware programs with the find files option in the Start menu. Type in their names, find out what folders they're in and try to delete them. Also, go to your Start menu, go to "Run", and type in "regedit.exe" (without the quotes). Once you're in regedit, go to "Hkey Classes Root" (it should be the first one) and scroll down through there until you come to the folders (the actual named folders). Try to see if you can find any folder that's spyware; if you do, then delete it. Sometimes this works.

Also, go back to the Start menu, and back to "Run", and type in msconfig.exe and run that. Go to the last tab that says Startup. There will be all sorts of programs in there. If you find any of the spywares that you mentioned, then uncheck them. You will need to restart your computer.

I hope some of this will help you, but to be honest I don't think it will, being as it sounds like what you have is hidden in your computer and checks the registry each time you turn on the computer to make sure it wasn't deleted, and if it was, it just starts it back up. When I had this virus, I used hijackthis.exe and it wiped it out, so if that didn't work for you I don't know what else you can try. I currently have another really nasty virus and I can't get rid of it for the life of me. grr

good luck

Edited by darksilvertears, 11 July 2004 - 10:45 AM.


#3 BriosCometfyre


Posted 11 July 2004 - 11:33 AM

Thanks for trying to help, dark. Tried all that, rescanned, rebooted, blah blah... still came back a few minutes later, with a lot more lol. Ad-aware found like 200 things.

Also, I tried using Trojanhunter just for the chance it might find a few things and maybe minimize the problem during the wait, and it said all this. Not sure how to proceed with any of it though.

Registry scan
No suspicious entries found
Inifile scan
No suspicious entries found
Port scan
Port 1784/TCP is open (Matches Snid.120. Port being used by process svchost.exe/PID 860) (Tell me more about port alerts...)
Port 1784/TCP is open (Matches Snid.212. Port being used by process svchost.exe/PID 860) (Tell me more about port alerts...)
Memory scan
No trojans found in memory
File scan
Warning: Unable to unpack UPX-packed file C:\Program Files\AdbeRdr60_enu_full.exe (Add to ignore list)
Found possible trojan file: C:\WINDOWS\Downloaded Program Files\UGO20.exe (Possible trojan downloader) (What's a possible trojan file?) (Submit for analysis...) (Add to ignore list)
1 possible trojan files found

#4 BriosCometfyre


Posted 11 July 2004 - 01:38 PM

bump

#5 BriosCometfyre


Posted 11 July 2004 - 05:44 PM

Scans now finding something called Atwola, not sure what that is but there is lots of it

#6 BriosCometfyre


Posted 11 July 2004 - 08:29 PM

bump

#7 BriosCometfyre


Posted 12 July 2004 - 10:59 AM

bump

#8 BriosCometfyre


Posted 12 July 2004 - 03:34 PM

Ad-Aware still finding lots of CoolWebSearch and other stuff, and this is like 30 mins after a prior scan...

Lavasoft Ad-aware Personal Build 6.181
Logfile created on :Monday, July 12, 2004 10:13:19 AM
Created with Ad-aware Personal, free for private use.
Using reference-file :01R331 08.07.2004
______________________________________________________

Reffile status:
=========================
Reference file loaded:
Reference Number : 01R331 08.07.2004
Internal build : 263
File location : C:\PROGRA~1\Lavasoft\AD-AWA~1\reflist.ref
Total size : 1300142 Bytes
Signature data size : 1279388 Bytes
Reference data size : 20690 Bytes
Signatures total : 28395
Target categories : 10
Target families : 519

Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium IV
Memory available:80 %
Total physical memory:1047564 kb
Available physical memory:830376 kb
Total page file size:2521396 kb
Available on page file:1842588 kb
Total virtual memory:2097024 kb
Available virtual memory:2044496 kb
OS:

Ad-aware Settings
=========================
Set : Activate in-depth scan (Recommended)
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-aware Settings
=========================
Set : Unload recognized processes during scanning
Set : Include basic Ad-aware settings in logfile
Set : Include additional Ad-aware settings in logfile
Set : Automatically try to unregister objects prior to deletion
Set : Let windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Always back up reference file, before updating
Set : Play sound if scan produced a result


7-12-2004 10:13:19 AM - Scan started. (Custom mode)

Listing running processes
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ThreadCreationTime : 7-9-2004 10:55:39 PM
BasePriority : Normal


#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ThreadCreationTime : 7-9-2004 10:55:42 PM
BasePriority : Normal


#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ThreadCreationTime : 7-9-2004 10:55:43 PM
BasePriority : High


#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 7-9-2004 10:55:44 PM
BasePriority : Normal
FileSize : 99 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
OriginalFilename : services.exe
ProductName : Microsoft
Created on : 8/18/2001 12:00:00 PM
Last accessed : 7/12/2004 3:58:13 PM
Last modified : 8/18/2001 12:00:00 PM

#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 7-9-2004 10:55:44 PM
BasePriority : Normal
FileSize : 11 KB
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
OriginalFilename : lsass.exe
ProductName : Microsoft
Created on : 8/18/2001 12:00:00 PM
Last accessed : 7/12/2004 3:58:13 PM
Last modified : 8/29/2002 10:41:26 AM

#:6 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 7-9-2004 10:55:45 PM
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 8/18/2001 12:00:00 PM
Last accessed : 7/12/2004 3:58:13 PM
Last modified : 8/18/2001 12:00:00 PM

#:7 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 7-9-2004 10:55:45 PM
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 8/18/2001 12:00:00 PM
Last accessed : 7/12/2004 3:58:13 PM
Last modified : 8/18/2001 12:00:00 PM

#:8 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 7-9-2004 10:55:46 PM
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 8/18/2001 12:00:00 PM
Last accessed : 7/12/2004 3:58:13 PM
Last modified : 8/18/2001 12:00:00 PM

#:9 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 7-9-2004 10:55:47 PM
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 8/18/2001 12:00:00 PM
Last accessed : 7/12/2004 3:58:13 PM
Last modified : 8/18/2001 12:00:00 PM

#:10 [explorer.exe]
FilePath : C:\WINDOWS\
ThreadCreationTime : 7-10-2004 4:26:54 AM
BasePriority : Normal
FileSize : 980 KB
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
OriginalFilename : EXPLORER.EXE
ProductName : Microsoft
Created on : 6/18/2003 3:03:41 PM
Last accessed : 7/12/2004 3:58:13 PM
Last modified : 8/29/2002 10:41:24 AM

#:11 [ctfmon.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 7-10-2004 3:33:39 PM
BasePriority : Normal
FileSize : 13 KB
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
CompanyName : Microsoft Corporation
FileDescription : CTF Loader
InternalName : CTFMON
OriginalFilename : CTFMON.EXE
ProductName : Microsoft
Created on : 6/18/2003 3:02:15 PM
Last accessed : 7/12/2004 3:58:13 PM
Last modified : 8/29/2002 10:41:22 AM

#:12 [spysweeper.exe]
FilePath : C:\Program Files\Webroot\Spy Sweeper\
ThreadCreationTime : 7-11-2004 10:46:45 PM
BasePriority : Normal
FileSize : 649 KB
FileVersion : 2.6.1.45
ProductVersion : 1.0.0.0
Copyright : Copyright © 2001-2003 Webroot Software, Inc.
CompanyName : Webroot Software, Inc.
FileDescription : Spy Sweeper
ProductName : Spy Sweeper
Created on : 7/7/2004 4:10:32 PM
Last accessed : 7/12/2004 3:56:42 PM
Last modified : 2/13/2004 10:52:36 PM

#:13 [ad-aware.exe]
FilePath : C:\PROGRA~1\Lavasoft\AD-AWA~1\
ThreadCreationTime : 7-12-2004 4:13:12 PM
BasePriority : Normal
FileSize : 668 KB
FileVersion : 6.0.1.181
ProductVersion : 6.0.0.0
Copyright : Copyright
CompanyName : Lavasoft Sweden
FileDescription : Ad-aware 6 core application
InternalName : Ad-aware.exe
OriginalFilename : Ad-aware.exe
ProductName : Lavasoft Ad-aware Plus
Created on : 7/5/2004 4:48:00 PM
Last accessed : 7/12/2004 4:13:12 PM
Last modified : 7/13/2003 3:00:20 AM

Memory scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0


Started registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0


Started deep registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Possible browser hijack attempt : .Default\Software\Microsoft\Internet Explorer\MainStart Pageabout:blank

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "about:blank"
Category : Data Miner
Comment : Possible browser hijack attempt
Rootkey : HKEY_USERS
Object : .Default\Software\Microsoft\Internet Explorer\Main
Value : Start Page
Data : "about:blank"

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainSearch Pagetemp\sp.html

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "file://C:\DOCUME~1\BRYAN\LOCALS~1\Temp\sp.html"
Category : Data Miner
Comment : Possible browser hijack attempt
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Main
Value : Search Page
Data : "file://C:\DOCUME~1\BRYAN\LOCALS~1\Temp\sp.html"

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainSearch Bartemp\sp.html

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "file://C:\DOCUME~1\BRYAN\LOCALS~1\Temp\sp.html"
Category : Data Miner
Comment : Possible browser hijack attempt
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Main
Value : Search Bar
Data : "file://C:\DOCUME~1\BRYAN\LOCALS~1\Temp\sp.html"

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\SearchSearchAssistanttemp\sp.html

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "file://C:\DOCUME~1\BRYAN\LOCALS~1\Temp\sp.html"
Category : Data Miner
Comment : Possible browser hijack attempt
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Search
Value : SearchAssistant
Data : "file://C:\DOCUME~1\BRYAN\LOCALS~1\Temp\sp.html"

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainSearch Pagetemp\sp.html

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "file://C:\DOCUME~1\BRYAN\LOCALS~1\Temp\sp.html"
Category : Data Miner
Comment : Possible browser hijack attempt
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet Explorer\Main
Value : Search Page
Data : "file://C:\DOCUME~1\BRYAN\LOCALS~1\Temp\sp.html"

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainSearch Bartemp\sp.html

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "file://C:\DOCUME~1\BRYAN\LOCALS~1\Temp\sp.html"
Category : Data Miner
Comment : Possible browser hijack attempt
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet Explorer\Main
Value : Search Bar
Data : "file://C:\DOCUME~1\BRYAN\LOCALS~1\Temp\sp.html"

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\SearchSearchAssistanttemp\sp.html

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "file://C:\DOCUME~1\BRYAN\LOCALS~1\Temp\sp.html"
Category : Data Miner
Comment : Possible browser hijack attempt
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet Explorer\Search
Value : SearchAssistant
Data : "file://C:\DOCUME~1\BRYAN\LOCALS~1\Temp\sp.html"

Possible browser hijack attempt : .Default\Software\Microsoft\Internet Explorer\MainSearch Pagetemp\sp.html

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "file://C:\WINDOWS\TEMP\sp.html"
Category : Data Miner
Comment : Possible browser hijack attempt
Rootkey : HKEY_USERS
Object : .Default\Software\Microsoft\Internet Explorer\Main
Value : Search Page
Data : "file://C:\WINDOWS\TEMP\sp.html"

Possible browser hijack attempt : .Default\Software\Microsoft\Internet Explorer\MainSearch Bartemp\sp.html

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "file://C:\WINDOWS\TEMP\sp.html"
Category : Data Miner
Comment : Possible browser hijack attempt
Rootkey : HKEY_USERS
Object : .Default\Software\Microsoft\Internet Explorer\Main
Value : Search Bar
Data : "file://C:\WINDOWS\TEMP\sp.html"

Possible browser hijack attempt : .Default\Software\Microsoft\Internet Explorer\SearchSearchAssistanttemp\sp.html

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "file://C:\WINDOWS\TEMP\sp.html"
Category : Data Miner
Comment : Possible browser hijack attempt
Rootkey : HKEY_USERS
Object : .Default\Software\Microsoft\Internet Explorer\Search
Value : SearchAssistant
Data : "file://C:\WINDOWS\TEMP\sp.html"


CoolWebSearch Object recognized!
Type : RegKey
Data :
Category : Malware
Comment : c:\windows\system32\bkldbk.dll
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{16EBD877-B7B7-4397-B1D8-B3B84A414DE9}


CoolWebSearch Object recognized!
Type : File
Data : bkldbk.dll
Category : Malware
Comment :
Object : c:\windows\system32\
FileSize : 30 KB
Created on : 7/12/2004 5:07:14 AM
Last accessed : 7/12/2004 3:58:20 PM
Last modified : 7/12/2004 5:07:14 AM



CoolWebSearch Object recognized!
Type : RegKey
Data :
Category : Malware
Comment : c:\windows\system32\bkldbk.dll
Rootkey : HKEY_CLASSES_ROOT
Object : PROTOCOLS\Filter\text/html


CoolWebSearch Object recognized!
Type : RegKey
Data :
Category : Malware
Comment : c:\windows\system32\bkldbk.dll
Rootkey : HKEY_CLASSES_ROOT
Object : PROTOCOLS\Filter\text/plain


Deep registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 13
Objects found so far: 14


Deep scanning and examining files (C:)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Disk scan result for C:\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 14


Scanning Hosts file(C:\WINDOWS\System32\drivers\etc\hosts)
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ

Hosts file scan result:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
1 entries scanned.
New objects :0
Objects found so far: 14




Performing conditional scans..
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

CoolWebSearch Object recognized!
Type : File
Data : sp.html
Category : Malware
Comment :
Object : c:\docume~1\bryan\locals~1\temp\
FileSize : 7 KB
Created on : 7/11/2004 11:56:26 PM
Last accessed : 7/12/2004 4:13:53 PM
Last modified : 7/12/2004 4:13:53 PM



Conditional scan result:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 1
Objects found so far: 15


10:42:08 AM Scan complete

Summary of this scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Total scanning time :00:28:40:204
Objects scanned :182524
Objects identified :15
Objects ignored :0
New objects :15



