coolsearch.biz/over-frame.htm


  • Please log in to reply
7 replies to this topic

#1 jmacster (New Member, 4 posts)

Posted 14 July 2004 - 02:05 PM

I have read all the FAQs and forum instructions and run Ad-Aware, Spybot S&D,
Total Cleaner and AVG Anti-Virus, but when I restart the hijacker comes back. I
installed HijackThis and deleted BHOs, but within 2-3 minutes after running
HijackThis some BHOs come back and the browser automatically re-launches to
this page. If I launch IE following a HijackThis scan, I get an about:blank page.
Here is my HijackThis log:

Logfile of HijackThis v1.98.0
Scan saved at 11:00:37 AM, on 7/14/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\gearsec.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\devldr32.exe
C:\WINNT\system32\services\wmplayer.exe
C:\WINNT\system32\atiptaxx.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Total Cleaner\cleaner.exe
C:\HiJack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotf...count_id=137837
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotf...count_id=137837
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.coolsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotf...count_id=137837
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: SysShield IE Popup Blocker - {9A23B8A4-C6C9-4A68-8FA6-5F905DC8FF80} - C:\Program Files\Total Cleaner\PKExt.dll
O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [xpsystem] C:\WINNT\system32\services\wmplayer.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [xpsystem] C:\WINNT\system32\services\wmplayer.exe
O4 - Startup: Total Cleaner.lnk = C:\Program Files\Total Cleaner\cleaner.exe
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: Total Cleaner - {4A0EF50C-6A4A-4b30-84D8-53D5BC95C043} - C:\Program Files\Total Cleaner\cleaner.exe (HKCU)
O16 - DPF: {72D59B9C-1E59-4958-803A-ABDEE2D4CFA6} (DivX Player) - http://download.divx...erInstaller.exe

I have the luxury of another computer, so I have disconnected this machine
from the internet to avoid more viruses being downloaded. Any help is welcome.

#2 Racktracker (Hunter of Malware, Retired Staff, 1,306 posts)

Posted 14 July 2004 - 09:15 PM

You have a CoolWeb infection. Download CoolWeb Shredder, unzip it and click Fix.

Run another HijackThis scan. Place a check next to the following entries, then close all other windows and click the Fix button.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotf...count_id=137837
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotf...count_id=137837
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.coolsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotf...count_id=137837
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O4 - HKLM\..\Run: [xpsystem] C:\WINNT\system32\services\wmplayer.exe
O4 - HKCU\..\Run: [xpsystem] C:\WINNT\system32\services\wmplayer.exe

Then reboot into safe mode and delete these folders.
C:\Program Files\SEP
C:\WINNT\system32\services

You may have to enable hidden files to find all the files.

Then reboot, run another HijackThis scan and post your new log here.
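The triage Racktracker does by eye above (hijacked R0/R1 start and search pages, a BHO registered with no backing file, a Run value that launches a file named like a Microsoft binary from an odd directory, and the same Run value planted under both HKLM and HKCU) can be written down as rules. The following Python script is an added example, not code from this thread or from HijackThis; it parses the entry lines from the log in post #1. The trusted-host allowlist and the expected directory for wmplayer.exe are assumptions an analyst would supply, not values stated in the thread.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set
from urllib.parse import urlparse

# Sample input: entry lines copied from the first HijackThis log in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotf...count_id=137837
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.coolsearch.biz/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [xpsystem] C:\WINNT\system32\services\wmplayer.exe
O4 - HKCU\..\Run: [xpsystem] C:\WINNT\system32\services\wmplayer.exe
"""

# Analyst-supplied knowledge (assumptions for this example, not from the thread):
# hosts the user actually chose as home/search page, and where a genuine copy of
# a well-known Microsoft binary is expected to live.
TRUSTED_HOSTS = {"www.msn.com", "www.google.com"}
EXPECTED_DIRS = {"wmplayer.exe": r"c:\program files\windows media player"}

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


@dataclass
class Finding:
    code: str     # HijackThis section code, e.g. "R0", "O2", "O4"
    reason: str   # why the line was flagged
    line: str     # the offending log line ("" for findings that span lines)


def _command_path(cmd: str) -> str:
    """Heuristic: pull the executable/module path out of a Run value, dropping
    a leading quote and any arguments that follow the file name."""
    cmd = cmd.strip().strip('"')
    m = re.match(r"(.*?\.(?:exe|dll|ocx))", cmd, re.I)
    return m.group(1) if m else cmd


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    run_hives: Dict[str, Set[str]] = {}   # Run value name -> hives it appears in
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue                      # header, process list, blank line
        code, body = m.group("code"), m.group("body")
        if code in ("R0", "R1"):
            # IE start/search page: flag any host the user did not choose.
            _, _, value = body.partition(" = ")
            host = urlparse(value).hostname
            if host and host not in TRUSTED_HOSTS:
                findings.append(Finding(code, f"IE start/search setting points at untrusted host {host}", raw))
        elif code in ("O2", "O3"):
            # BHO/toolbar: a CLSID still registered after its file is gone.
            path = body.rsplit(" - ", 1)[-1]
            if path == "(no file)":
                findings.append(Finding(code, "orphaned BHO registration: CLSID has no backing file", raw))
        elif code == "O4":
            r = RUN_RE.match(body)
            if not r:
                continue
            name, path = r.group("name"), _command_path(r.group("cmd"))
            run_hives.setdefault(name, set()).add(r.group("hive"))
            directory, _, base = path.rpartition("\\")
            expected = EXPECTED_DIRS.get(base.lower())
            if expected and directory.lower() != expected:
                findings.append(Finding(code, f"{base.lower()} runs from {directory}, expected {expected}", raw))
    # Same Run value name planted in more than one hive: double persistence.
    for name, hives in run_hives.items():
        if len(hives) > 1:
            findings.append(Finding("O4", f"Run value [{name}] is persisted in both {' and '.join(sorted(hives))}", ""))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code}: {f.reason}")
        if f.line:
            print(f"    {f.line}")
```

Against the sample above the script flags the two hijacked R0/R1 pages, the orphaned BHO, both `xpsystem` Run values (wrong directory for wmplayer.exe) and the HKLM/HKCU duplication, while leaving the Adobe, AVG and QuickTime entries alone; the `SEP\sep.dll` BHO and toolbar are not caught by these rules and still need the reviewer's judgement, which is why such a script only narrows the list rather than replacing the person reading it.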

#3 jmacster (New Member, 4 posts)

Posted 15 July 2004 - 12:29 PM

I followed your instructions by downloading CoolWeb Shredder v1.59 and
it ran OK. I did another HijackThis scan and removed three items that were on your list.
Apparently, some of the line items were removed during the CWS scan. I rebooted into Safe Mode, found the two folders SEP and services and was able to
successfully delete them. I also emptied the Recycle Bin just to be safe. Then I
rebooted and so far no browser hijacker. Here is my last HijackThis log:

Logfile of HijackThis v1.98.0
Scan saved at 10:04:13 AM, on 7/15/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\gearsec.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\devldr32.exe
C:\WINNT\system32\atiptaxx.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Total Cleaner\cleaner.exe
C:\HiJack\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SysShield IE Popup Blocker - {9A23B8A4-C6C9-4A68-8FA6-5F905DC8FF80} - C:\Program Files\Total Cleaner\PKExt.dll
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - Startup: Total Cleaner.lnk = C:\Program Files\Total Cleaner\cleaner.exe
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: Total Cleaner - {4A0EF50C-6A4A-4b30-84D8-53D5BC95C043} - C:\Program Files\Total Cleaner\cleaner.exe (HKCU)
O16 - DPF: {72D59B9C-1E59-4958-803A-ABDEE2D4CFA6} (DivX Player) - http://download.divx...erInstaller.exe

I was warned that MS Media Player has lost all its registry values and must be
re-installed. I plan to do that next. Is it safe to do at this point? Thanks very much
for all your time and attention, Racktracker. You guys are providing a great service to all of us users.

#4 Racktracker (Hunter of Malware, Retired Staff, 1,306 posts)

Posted 15 July 2004 - 01:16 PM

It is safe to reinstall Media Player.

Your log looks good.

You should read this to help prevent future problems:

So how did I get infected

#5 jmacster (New Member, 4 posts)

Posted 17 July 2004 - 02:07 AM

While running through all my applications to be sure they are working,
I noticed several applications in Add/Remove Programs that were referenced
in some of the BHOs. They are:
SEP
SlotchBar
IE Host

Are these apps critical to Windows, or can I delete them? So far all my
applications seem to work OK. Thanks for your help.

#6 Racktracker (Hunter of Malware, Retired Staff, 1,306 posts)

Posted 17 July 2004 - 10:12 AM

You can remove all those.
None are critical, to say the least.

#7 jmacster (New Member, 4 posts)

Posted 25 July 2004 - 02:56 AM

I was able to delete 2 of the 3 items from Add/Remove Programs, but the application
Slotchbar would not delete. I then followed a suggestion from another
forum amounting to editing the registry. I first did a RegEdit backup, then navigated to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
and located a 1stbar1stbar entry. I deleted it. Then I checked Add/Remove Programs
again and Slotchbar was gone. I hope this does it for now, but I will continue to run
checks with HijackThis from now on. Any other suggestions at this point?
jmacster

#8 Racktracker (Hunter of Malware, Retired Staff, 1,306 posts)

Posted 25 July 2004 - 10:21 AM

Follow the advice given by Tony in the "So how did I get infected" link I posted and you should be fine.