Jump to content


CoolWebSearch and Backdoor.trojan

  • Please log in to reply
1 reply to this topic

#1 stunod



  • New Member
  • Pip
  • 2 posts

Posted 24 July 2004 - 09:51 AM

OS: Win2K fully patched

I had hoped that I could solve this problem on my own, but to no avail. So I've registered here in hopes that someone smarter than me can fix this problem. (I have read the newbie FAQ)
- CoolWebSearch had gotten 'installed' and I could not remove it. Running Adaware would temporarily fix the problem, but then it would be back.
- I installed Norton Anti-Virus, ran it in safe-mode and it found 5 infected DLL's. All of these were removed.
- Now CoolWebSearch "appears" to be gone. But the backdoor.trojan dll is continually re-installed in my System32 folder, just under new names, each time I remove it. (maybe it's what keeps installing CWS?)
- I've found the registry key that points to the offending DLL (HKLM\software\microsoft\windows nt\currenversion\windows\appinit_dlls) but can't figure out what service/app is creating it. If I modify the dll name for this registry key and reboot it simply goes back to what it was before. If I remove the DLL and reboot a new DLL takes it's place and the registry entry now has it's name.
- I've searched the rest of the registry for any signs of this DLL, but unless it's stored in hex or something there doesn't appear to be any references.

- Fully updated SpyBot comes up clean for right now
- Fully updated AdAware comes up clean for right now
Neither seems to 'see' what keeps creating the DLL

I'm not sure if you guys can help with this problem since it seems to be more a stright-up virus than malware, but I thought I'd give it a try.

Here's my HiJackThis log (regarding the references to Pluck, this is software that my company creates)

Thanks in advance for any assistance.

Logfile of HijackThis v1.97.7
Scan saved at 9:52:31 AM, on 7/24/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe
C:\Program Files\Pluck Corporation\Pluck\PluckTray.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Pluck Corporation\Pluck\PluckSvr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\sryder\My Documents\My Downloads\HiJackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O1 - Hosts: exchange.powered.com exchange
O2 - BHO: (no name) - {09AF76DD-6988-4664-97D0-362F1011E311} - C:\Program Files\Pluck Corporation\Pluck\PluckExplorerBar.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\winnt\downloaded program files\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\downloaded program files\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLLaaa32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwizaaa.exe /install
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Registry Cleaner Scheduler] "C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe" /startup
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: PluckTrayApp.lnk = C:\Program Files\Pluck Corporation\Pluck\PluckTray.exe
O8 - Extra context menu item: &Google Search - res://c:\winnt\downloaded program files\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\winnt\downloaded program files\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\winnt\downloaded program files\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\winnt\downloaded program files\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\winnt\downloaded program files\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Pluck (HKLM)
O9 - Extra 'Tools' menuitem: Pluck (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Pluck this page (HKLM)
O9 - Extra 'Tools' menuitem: Pluck this page (HKLM)
O9 - Extra button: AIM (HKLM)
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan....r/axscanner.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a224.g.akamai...meInstaller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.co...76/mcinsctl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.googl...n/GoogleNav.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...AB?37890.348125
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.co...,16/mcgdmgr.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ntrol_v1-32.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DD4C1024-851F-404D-BE24-9A1CB46775AC}: NameServer =,

#2 stunod



  • New Member
  • Pip
  • 2 posts

Posted 24 July 2004 - 09:54 AM

Another note. I messed with the names of some of the DLLs/EXEs in the RUN keys to see if they were the problem - that didn't help and I didn't set them back before creating this log...

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button