jmacster

coolsearch.biz/over-frame.htm

8 posts in this topic

I have read all the FAQs, forum instructions and run Ad-Aware, Spybot S/D, Total Cleaner & AVG Anti-virus, but when I restart the hijacker comes back. I installed HijackThis and deleted BHOs, but within 2-3 minutes after running HijackThis some BHOs come back and the browser automatically re-launches to this page. If I launch IE following a HijackThis scan, I get an about:blank page.

Here is my HijackThis log:

 

Logfile of HijackThis v1.98.0

Scan saved at 11:00:37 AM, on 7/14/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVG6\avgserv.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\System32\gearsec.exe

C:\PROGRA~1\Iomega\System32\AppServices.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\System32\mspmspsv.exe

C:\WINNT\system32\svchost.exe

C:\Program Files\Iomega\AutoDisk\ADService.exe

C:\WINNT\Explorer.EXE

C:\WINNT\system32\devldr32.exe

C:\WINNT\system32\services\wmplayer.exe

C:\WINNT\system32\atiptaxx.exe

C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe

C:\Program Files\Iomega\AutoDisk\ADUserMon.exe

C:\Program Files\Iomega\DriveIcons\ImgIcon.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Total Cleaner\cleaner.exe

C:\HiJack\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_page.ht...count_id=137837

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_page.ht...count_id=137837

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.coolsearch.biz/

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.ht...count_id=137837

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)

O2 - BHO: SysShield IE Popup Blocker - {9A23B8A4-C6C9-4A68-8FA6-5F905DC8FF80} - C:\Program Files\Total Cleaner\PKExt.dll

O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll

O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll

O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe

O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe

O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe

O4 - HKLM\..\Run: [updReg] C:\WINNT\Updreg.exe

O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP

O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe

O4 - HKLM\..\Run: [iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe

O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [xpsystem] C:\WINNT\system32\services\wmplayer.exe

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKCU\..\Run: [xpsystem] C:\WINNT\system32\services\wmplayer.exe

O4 - Startup: Total Cleaner.lnk = C:\Program Files\Total Cleaner\cleaner.exe

O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL

O9 - Extra button: Total Cleaner - {4A0EF50C-6A4A-4b30-84D8-53D5BC95C043} - C:\Program Files\Total Cleaner\cleaner.exe (HKCU)

O16 - DPF: {72D59B9C-1E59-4958-803A-ABDEE2D4CFA6} (DivX Player) - http://download.divx.com/player/DivXPlayerInstaller.exe

 

I have the luxury of another computer, so I have disconnected this machine from the internet to avoid more viruses being downloaded. Any help is welcome.


You have a coolweb infection. Download coolweb shredder, unzip and click fix.

 

Run another HijackThis scan. Place a check next to the following entries, then close all other windows and click the fix button.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_page.ht...count_id=137837

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_page.ht...count_id=137837

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.coolsearch.biz/

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.ht...count_id=137837

O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)

O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll

O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll

O4 - HKLM\..\Run: [xpsystem] C:\WINNT\system32\services\wmplayer.exe

O4 - HKCU\..\Run: [xpsystem] C:\WINNT\system32\services\wmplayer.exe

Then reboot into safe mode and delete these folders.

C:\Program Files\SEP

C:\WINNT\system32\services

 

You may have to enable hidden files to find all the files.

 

Then reboot and run another HijackThis scan and post your new log here.


I followed your instructions by downloading coolweb shredder v1.59 and it ran OK. I did another HijackThis scan and removed three items that were on your list. Apparently, some of the line items were removed during the CWS scan. I rebooted into Safe Mode, found the two folders SEP and services and was able to successfully delete them. I also emptied the recycle bin just to be safe. Then I rebooted and so far no browser hijacker. Here is my last HijackThis log:

 

Logfile of HijackThis v1.98.0

Scan saved at 10:04:13 AM, on 7/15/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVG6\avgserv.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\System32\gearsec.exe

C:\PROGRA~1\Iomega\System32\AppServices.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\System32\mspmspsv.exe

C:\WINNT\system32\svchost.exe

C:\Program Files\Iomega\AutoDisk\ADService.exe

C:\WINNT\Explorer.EXE

C:\WINNT\system32\devldr32.exe

C:\WINNT\system32\atiptaxx.exe

C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe

C:\Program Files\Iomega\AutoDisk\ADUserMon.exe

C:\Program Files\Iomega\DriveIcons\ImgIcon.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Total Cleaner\cleaner.exe

C:\HiJack\HijackThis.exe

 

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: SysShield IE Popup Blocker - {9A23B8A4-C6C9-4A68-8FA6-5F905DC8FF80} - C:\Program Files\Total Cleaner\PKExt.dll

O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe

O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe

O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe

O4 - HKLM\..\Run: [updReg] C:\WINNT\Updreg.exe

O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP

O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe

O4 - HKLM\..\Run: [iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe

O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - Startup: Total Cleaner.lnk = C:\Program Files\Total Cleaner\cleaner.exe

O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL

O9 - Extra button: Total Cleaner - {4A0EF50C-6A4A-4b30-84D8-53D5BC95C043} - C:\Program Files\Total Cleaner\cleaner.exe (HKCU)

O16 - DPF: {72D59B9C-1E59-4958-803A-ABDEE2D4CFA6} (DivX Player) - http://download.divx.com/player/DivXPlayerInstaller.exe

 

I was warned that MS Media Player has lost all its registry values and must be re-installed. I plan to do that next. Is it safe to do at this point? Thanks very much for all your time and attention, Racktracker. You guys are providing a great service to all us users.

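As an added example (not code from this thread, from HijackThis, or from the tools named in it), the following Python script does the triage a helper performs by eye on the first log and then checks the second log against the fix list. It parses the R*/O* entry lines, flags the patterns this thread turned on (IE start/search settings pointing at hosts outside an allowlist, a BHO registered with no file behind it, an autostart binary placed in a subfolder created under system32, and the same binary autostarting from both HKLM and HKCU Run), and diffs the before and after logs to confirm that exactly the listed entries disappeared and nothing new appeared. The heuristics and the EXPECTED_HOSTS allowlist are assumptions for illustration; the embedded log lines are excerpts of the two logs and the fix list posted above.

```python
# Added example for this thread (not HijackThis code). The heuristics and
# EXPECTED_HOSTS are assumptions chosen for illustration.
import re
from urllib.parse import urlsplit

# Hosts accepted as ordinary IE start/search defaults (assumption).
EXPECTED_HOSTS = {"www.microsoft.com", "home.microsoft.com", "www.msn.com", "search.msn.com"}

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")
RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run: \[[^\]]*\] (?P<target>.+)$")


def parse_hjt(text):
    """Return (code, body) pairs for every R*/O* entry line of a HijackThis log."""
    out = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            out.append((m.group("code"), m.group("body")))
    return out


def flag_entries(entries):
    """Apply defender heuristics to parsed entries; return (code, body, reason) triples."""
    findings = []
    hives_by_target = {}  # lower-cased Run target -> hives it autostarts from
    for code, body in entries:
        if code in ("R0", "R1") and " = " in body:
            host = urlsplit(body.split(" = ", 1)[1]).hostname or ""
            if host and host not in EXPECTED_HOSTS:
                findings.append((code, body, f"IE start/search setting points at {host}"))
        elif code == "O2" and body.endswith("(no file)"):
            findings.append((code, body, "BHO CLSID registered but its DLL is missing"))
        elif code == "O4":
            m = RUN_RE.match(body)
            if m:
                target = m.group("target")
                # Run entries rarely point into a subfolder created under system32.
                if re.search(r"\\system32\\[^\\]+\\", target, re.IGNORECASE):
                    findings.append((code, body, "autostart binary in a subfolder of system32"))
                hives_by_target.setdefault(target.lower(), set()).add(m.group("hive"))
    for target, hives in hives_by_target.items():
        if hives == {"HKLM", "HKCU"}:
            findings.append(("O4", target, "same binary autostarts from both HKLM and HKCU Run"))
    return findings


def verify_fix(before_log, after_log, fix_list):
    """Diff two logs against the entries a helper asked to be fixed."""
    before, after, fixes = (set(parse_hjt(t)) for t in (before_log, after_log, fix_list))
    removed = before - after
    return {
        "removed": sorted(removed),                      # entries that disappeared
        "added": sorted(after - before),                 # anything new since the fix
        "still_present": sorted(fixes & after),          # fix-list entries not removed
        "unexpected_removals": sorted(removed - fixes),  # removals nobody asked for
    }


# Excerpts of the first log, the helper's fix list and the second log from this thread.
BEFORE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_page.ht...count_id=137837
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_page.ht...count_id=137837
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.coolsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.ht...count_id=137837
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [xpsystem] C:\WINNT\system32\services\wmplayer.exe
O4 - HKCU\..\Run: [xpsystem] C:\WINNT\system32\services\wmplayer.exe
O16 - DPF: {72D59B9C-1E59-4958-803A-ABDEE2D4CFA6} (DivX Player) - http://download.divx.com/player/DivXPlayerInstaller.exe
"""
FIX_LIST = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_page.ht...count_id=137837
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_page.ht...count_id=137837
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.coolsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.ht...count_id=137837
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O4 - HKLM\..\Run: [xpsystem] C:\WINNT\system32\services\wmplayer.exe
O4 - HKCU\..\Run: [xpsystem] C:\WINNT\system32\services\wmplayer.exe
"""
AFTER_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O16 - DPF: {72D59B9C-1E59-4958-803A-ABDEE2D4CFA6} (DivX Player) - http://download.divx.com/player/DivXPlayerInstaller.exe
"""

if __name__ == "__main__":
    for code, body, reason in flag_entries(parse_hjt(BEFORE_LOG)):
        print(f"[{code}] {reason}: {body}")
    print(verify_fix(BEFORE_LOG, AFTER_LOG, FIX_LIST))
```

On the first log the script raises eight findings (the four redirected IE settings, the orphaned BHO, the wmplayer.exe copy living under system32\services, once per hive, and the HKLM+HKCU duplication), and on the second log none. The diff confirms that the nine fix-list entries are the only ones that disappeared, that none of them survived, and that nothing new was added, which is the check a helper makes before declaring the machine clean. The allowlist in EXPECTED_HOSTS is deliberately small; a real one would carry whatever start and search pages the site actually deploys.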

While running through all my applications to be sure they are working, I noticed several applications in Add/Remove Programs that were referenced in some of the BHOs. They are:

SEP

SlotchBar

IE Host

Are these apps critical to Windows or can I delete them? So far all my applications seem to work OK. Thanks for your help.


I was able to delete 2 of the 3 items from Add/Remove Programs, but the application Slotchbar would not delete. I then followed a suggestion that came from another forum amounting to editing the registry. I first did a RegEdit backup, then navigated to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall and located a 1stbar1stbar entry. I deleted it. Then I checked Add/Remove Programs again and Slotchbar was gone. I hope this does it for now, but I will continue to run checks with HijackThis from now on. Any other suggestions at this point?

jmacster


Follow the advice given by Tony in the "So how did I get infected" link I posted and you should be fine.
