
Problems with Cool Web Search


This topic is locked. 6 replies to this topic.

#1 stlouis (Member, New Member, 3 posts)

Posted 22 July 2004 - 08:12 AM

Gentlemen:

I have a case of Cool Web Search that I have been trying to resolve for several weeks. My browser is directed to 0Websearch.com. I used to get an occasional download of On-Line Casino, but that hasn't happened in a while.

I include the following HijackThis log. If I fix the following listings they just return on boot up.

R0 HKCU
O4 HKLM Run [xp system]...
O4 HKCU Run [xp system]...

I used to have the folder C:\Windows\INETDATA\SERVICES.EXE on my drive, but it is no longer there, so I can't remove it. I think the problem is a DLL which I can't identify that keeps reloading this junk. I have Ad-Aware and Spybot, and Ad-Watch detects changes to the registry when I boot up. It can't remove them.
Any suggestions?

Logfile of HijackThis v1.98.0
Scan saved at 9:09:40 AM, on 07/22/2004
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\RNATHCHK.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\AD-WATCH.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\MSOFFICE\OFFICE\OUTLOOK.EXE
C:\WINDOWS\SYSTEM\MAPISP32.EXE
C:\WINDOWS\SYSTEM\AWFXEX32.EXE
C:\MARK\DOWNLOAD\HIJACK\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.rcn.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://0websearch.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.rcn.com/home
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\McUpdate.exe
O4 - HKLM\..\Run: [msci] C:\WINDOWS\TEMP\200442614409_mcinfo.exe /insfin
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\McAgent.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\INETDATA\SERVICES.EXE
O4 - HKLM\..\Run: [CleanUp] C:\PROGRA~1\MCAFEE.COM\SHARED\MCAPPINS.EXE /v=3 /cleanup
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\INETDATA\SERVICES.EXE
O4 - HKCU\..\RunServices: [xp_system] C:\WINDOWS\INETDATA\SERVICES.EXE
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...83/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,20/mcgdmgr.cab
O18 - Protocol: pcn - {D540F040-F3D9-11D0-95BE-00C04FD93CA5} - C:\PROGRAM FILES\ENCOMPASS\V1MK.DLL
O20 - AppInit_DLLs: APITRAP.DLL
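An added example, not from the thread or from HijackThis itself: a small Python parser for the R0/R1 and O4 line format used in the log above, with a check that flags the same entries the helper later picks out (an IE start page pointing at a hijack host, and autorun entries launched from the INETDATA directory). The sample lines are copied from the posted log; the hijack-host and directory lists are assumptions chosen from this thread.

```python
import re

# Constructed sample: a few lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://0websearch.com/
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\INETDATA\SERVICES.EXE
O4 - HKCU\..\RunServices: [xp_system] C:\WINDOWS\INETDATA\SERVICES.EXE
O20 - AppInit_DLLs: APITRAP.DLL
"""

# O4 lines: "O4 - <hive>\..\<key>: [<name>] <command>"
O4_RE = re.compile(r"^O4 - (HK[A-Z]+)\\\.\.\\(\w+): \[([^\]]+)\] (.*)$")
# R0/R1 lines: "R0 - <hive>\<path>,<value> = <data>" (data may be empty)
R0_RE = re.compile(r"^(R[01]) - (HK[A-Z]+)\\(.+?),(.+?) =\s*(.*)$")


def parse_hjt(text):
    """Return structured entries for the O4 autorun and R0/R1 IE lines; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = O4_RE.match(line)
        if m:
            hive, key, name, cmd = m.groups()
            entries.append({"kind": "O4", "hive": hive, "key": key, "name": name, "command": cmd})
            continue
        m = R0_RE.match(line)
        if m:
            kind, hive, path, value, data = m.groups()
            entries.append({"kind": kind, "hive": hive, "path": path, "value": value, "data": data})
    return entries


def flag_entries(entries, hijack_hosts=("0websearch.com",), bad_dirs=(r"C:\WINDOWS\INETDATA",)):
    """Flag IE page settings that point at a known hijack host and autorun entries
    whose command is launched from one of the listed directories (lists are assumptions)."""
    flagged = []
    for e in entries:
        if e["kind"] in ("R0", "R1"):
            if any(h in e["data"].lower() for h in hijack_hosts):
                flagged.append((e["kind"], e["value"], e["data"]))
        elif e["kind"] == "O4":
            cmd = e["command"].upper()
            # Require a directory boundary so C:\WINDOWS\INETDATA2\... is not matched.
            if any(cmd.startswith(d.upper() + "\\") for d in bad_dirs):
                flagged.append((e["kind"], f'{e["hive"]}\\..\\{e["key"]}: [{e["name"]}]', e["command"]))
    return flagged
```

Running `flag_entries(parse_hjt(SAMPLE_LOG))` returns the start-page line and the two xp_system entries, leaving the legitimate ScanRegistry entry alone.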

#2 Bugbatter (Forum Deity, Trusted Advisor, 939 posts)

Posted 22 July 2004 - 09:23 AM

Hello, stlouis,

Disable Adwatch and unlock registry settings or it can revert to earlier registry settings. You can enable it after your problem is fixed.
http://www.lavahelp....watchauto.shtml
** Note: You will probably have to close this in Task Manager first.
Reboot, and double-check to be sure it is no longer running at Startup.

Please download CWShredder
Extract CWShredder to its own folder.
Reboot into safe mode this way:
Turn on the computer
Immediately begin tapping the <F8> key.
Use the arrow keys to highlight Safemode and press the <Enter> key.
Run the program.
Click the "Fix" button and follow the instructions you will receive.
Make sure you let it fix all CWS Remnants.
and reboot.


Make sure your computer is configured to show all folders/files:
http://www.xtra.co.n...1916458,00.html

Run HJT.
Have Hijack This fix all of the following that remain in your log by placing a check in the appropriate boxes and hitting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://0websearch.com/
F1 - win.ini: run=C:\WINDOWS\INETDATA\SERVICES.EXE

Reboot into Safemode this way:
Turn on the computer
Immediately begin tapping the <F8> key.
Use the arrow keys to highlight Safe Mode and press the <Enter> key.

Look for: C:\WINDOWS\INETDATA\SERVICES.EXE and see if it shows up now so that you can delete.

Reboot normally.
Run Ad-aware again, being sure it is configured this way:
Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:
"Unload recognized processes during scanning."
Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:
"Let Windows remove files in use after reboot."
Press "Scan Now"
Check option "Use Custom scanning options"
Check option "Activate In-Depth Scan"
Press "Select drives\folders to scan"
Select the active partition which is usually C:
Press "Next" to let Ad-aware scan your drives...
If it finds "bad" files and registry keys, press "Next" again
Right-click in that pane and choose "select all"
Press "next"
When it asks to remove all checked items, Press "OK"

Please delete your temporary files by deleting all files and folders that are in those folders (Do not delete the temp folder itself)
For example:
C:\WINDOWS\Temp\
C:\Temp\
C:\Documents and Settings\username\Local Settings\Temp\
Also delete your Temporary Internet Files, being sure to also select "Delete All Offline Content".

Reboot, and run HJT. Please post a fresh log. Let us know if the problem is gone. Thanks.
Microsoft MVP - Consumer Security

#3 stlouis (Member, New Member, 3 posts)

Posted 22 July 2004 - 02:29 PM

BB:

Thanks for the quick response. A few questions before I begin. Most of these things I have done already so they are not new to me. I didn't have Ad-Watch running on start-up. I usually just turn it on myself.

Don't know what you mean by "unlock registry settings" in Ad-Watch.

When I run HijackThis in safe mode, do you want me to fix the following:

R0 HKCU etc.
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\INETDATA\SERVICES.EXE
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\INETDATA\SERVICES.EXE

These are showing in my current log. You have F1 listed. I don't see this in my log.

I have all files showing and I configured Ad-Aware as you requested a while ago.

Thanks for all.

Stlou

#4 Bugbatter (Forum Deity, Trusted Advisor, 939 posts)

Posted 22 July 2004 - 06:35 PM

Hello again,
Is it Lavasoft Ad-watch that you are using?
If so, it remembers registry settings and reverts to them the next time the program is run so it must be unlocked in order for some (malware) settings to be cleaned, or you will not be able to get rid of the malware. Check your "Memory and Registry" settings in Ad-watch to be sure that they are not locked. There is a screenshot on the webpage that I posted earlier.
http://www.lavahelp....watchauto.shtml

Sorry about the typo in my last post. Do have HJT fix these four items:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://0websearch.com/
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\INETDATA\SERVICES.EXE
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\INETDATA\SERVICES.EXE
O4 - HKCU\..\RunServices: [xp_system] C:\WINDOWS\INETDATA\SERVICES.EXE

Then reboot into Safemode, look for this, and delete services.exe:
C:\WINDOWS\INETDATA\SERVICES.EXE <--delete only this file

Reboot normally, scan with Ad-aware, and clean the temps.
Microsoft MVP - Consumer Security

#5 stlouis (Member, New Member, 3 posts)

Posted 23 July 2004 - 02:36 PM

BB:

You seem to have batted this particular bug.

I've rebooted several times and found no traces. Thanks a lot. It was a real pain to get rid of, with much wasted time. I have downloaded the Microsoft fix to Virtual Machine, so I'm hoping this won't happen again. If I'd kept my software up to date, this probably wouldn't have occurred in the first place.

Keep up the good work.

Stlouis

#6 Bugbatter (Forum Deity, Trusted Advisor, 939 posts)

Posted 23 July 2004 - 07:31 PM

That is good news. You did a great job!

"I have downloaded the Microsoft fix to Virtual Machine"

Are you referring to Sun Java? That has updates as well, so keep an eye on it.

Here is my standard prevention speech:
1. Visit Windows Update:
Make sure that you have all the Critical Updates recommended for your operating system and IE. The first defense against infection is a properly patched OS.
Windows Update: http://v4.windowsupd.../en/default.asp

2. Adjust your security settings for ActiveX:
Go to Internet Options/Security/Internet, press 'default level', then OK.
Now press "Custom Level."
In the ActiveX section, set the first two options ("Download signed ActiveX controls" and "Download unsigned ActiveX controls") to "Prompt", and "Initialize and script ActiveX controls not marked as safe" to "Disable".

3. Download and install the following free programs:
a. SpywareBlaster: http://www.javacools...areblaster.html
b. SpywareGuard: http://www.javacools...ywareguard.html
Periodically check for updates.

4. Keep your antivirus software and firewall software up to date.
Note: Zone Alarm Firewall (Zone Labs) http://www.zonelabs....ontent/home.jsp is free.

5. You might consider installing Mozilla or Firefox. It seems to have fewer vulnerabilities than IE.
http://www.mozilla.org/

6. Check for updates in Adaware frequently as they sometimes can update daily.
I would check for updates in SpyBot once a week or so.
I scan with each at least weekly.

I also suggest that you delete any files from "temp", "tmp" folders. In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files" and select the box that says "Delete All Offline Content" and click on "OK" twice. Also, empty the recycle bin by right clicking on it and selecting "Empty Recycle Bin". These steps should be done on a regular basis.
Microsoft MVP - Consumer Security

#7 dave38 (Devout Murphyite!, Emeritus, 8,508 posts)

Posted 03 August 2004 - 02:17 PM

Glad we could help!

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
Be wary of strong drink. It may make you shoot at tax collectors, and miss!
Please support SWI forum