
recurring coolwebsearch


15 replies to this topic

#1 jonata


Posted 28 May 2004 - 10:13 AM

I have run Ad-Aware, CWShredder, Spybot, StartPageGuard and others and they seem to remove CoolWebSearch mostly... but then 15 minutes later (often after opening and closing Outlook Express or sending an email) CoolWebSearch is back again! I just ran HijackThis, but don't know enough about this stuff to know what to do with this data. See below for the log.

thanks!!!

Logfile of HijackThis v1.97.7
Scan saved at 10:43:02 AM, on 5/28/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\CFusionMX\runtime\bin\jrunsvc.exe
C:\CFusionMX\db\slserver52\bin\swagent.exe
C:\CFusionMX\db\slserver52\bin\swstrtr.exe
C:\CFusionMX\runtime\bin\jrun.exe
C:\CFusionMX\db\slserver52\bin\swsoc.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security Professional\NISUM.EXE
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\slserv.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Internet Security Professional\SymPxSvc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\WFXSVC.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\mHotkey.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Norton Internet Security Professional\NISSERV.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
C:\WINDOWS\System32\wfxsnt40.exe
C:\Program Files\Norton SystemWorks\WinFax\WFXMOD32.EXE
C:\Program Files\Norton Internet Security Professional\IAMAPP.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\slrundll.exe
C:\Program Files\Norton Internet Security Professional\ATRACK.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Citrix\ICA Client\wfica32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jon\My Documents\My Received Files\New Folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\cfhjn.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\cfhjn.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\cfhjn.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\cfhjn.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\cfhjn.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\cfhjn.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {803A141F-20D2-4051-A8D4-F94F9D7ACD5A} - C:\WINDOWS\System32\mnd.dll (file missing)
O2 - BHO: (no name) - {A2B882A5-B9C2-49BD-A50E-3926D35EDC5C} - C:\WINDOWS\System32\gifp.dll (file missing)
O2 - BHO: (no name) - {A96B0204-D921-4493-B822-F173C73FC436} - C:\WINDOWS\System32\dpodlma.dll__SpybotSDDisabled (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {DA0844DE-ED2C-4A66-9541-23086DDE1A1C} - C:\WINDOWS\System32\lecadp.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security Professional\IAMAPP.EXE
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .nwc: C:\Program Files\NoteWorthy Software\NWC Browser Plugin\npnwcw32.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
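The entries that matter in the log above are the R0/R1 lines whose value is a res:// path into a DLL in System32 (Internet Explorer is being told to load its search and start pages from a resource inside that DLL, which is what HijackThis marks "(obfuscated)") and the O2 BHO lines marked "(file missing)" (a Browser Helper Object is a DLL IE loads at start; a registration whose file cannot be found is either a leftover or a file hidden from the file system). The following Python script is an added example, not part of the thread or of HijackThis: it parses a few constructed lines in HijackThis v1.97 format, modelled on the kinds of entries in the log, and applies those triage rules from the defender's side. The rules, severities and sample lines are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample in HijackThis v1.97 format, modelled on the kinds of entries in the
# log above (a handful of lines, not a copy of the whole log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\cfhjn.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\cfhjn.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {803A141F-20D2-4051-A8D4-F94F9D7ACD5A} - C:\WINDOWS\System32\mnd.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
"""

# Each log entry starts with a section code (R0, R1, O2, O4, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")


@dataclass
class Finding:
    section: str
    severity: str   # "high": almost certainly hijack-related; "review": needs a human look
    reason: str
    line: str


def parse_entries(text: str) -> List[Tuple[str, str, str]]:
    """Split a HijackThis log into (section, body, original line) triples."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("section"), m.group("body"), line))
    return entries


def triage(text: str) -> List[Finding]:
    """Apply a few defender-side rules to the parsed entries and return what they flag."""
    findings: List[Finding] = []
    for section, body, line in parse_entries(text):
        if section in ("R0", "R1"):
            # R0/R1 are IE start and search settings; a res:// value means the page is
            # served from inside a DLL on disk, which is how this hijacker hosts its page.
            value = body.split("=", 1)[1].strip() if "=" in body else ""
            if value.lower().startswith("res://") or "(obfuscated)" in body:
                findings.append(Finding(section, "high",
                                        "IE search/start setting points at a res:// page inside a DLL", line))
        elif section == "O2":
            # A BHO registration whose file cannot be found is a leftover or a hidden file.
            if "(file missing)" in body:
                findings.append(Finding(section, "high",
                                        "BHO registered for a file that cannot be seen", line))
            elif body.startswith("BHO: (no name)") and "\\system32\\" in body.lower():
                findings.append(Finding(section, "review",
                                        "unnamed BHO loaded from System32", line))
        elif section == "O6" and "Control Panel present" in body:
            # Policy key that restricts the IE options dialog; set by some hijackers
            # and also by some protection tools, so it needs a human decision.
            findings.append(Finding(section, "review",
                                    "policy restricting the IE Control Panel is present", line))
    return findings


def count_by_severity(findings: List[Finding]) -> dict:
    counts = {"high": 0, "review": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
```

Run against the sample it flags the two res:// entries and the missing-file BHO as high and the O6 policy line for review; the about:blank, Norton and QuickTime lines pass. The O6 rule is deliberately only "review" because tools such as StartPageGuard set the same policy key on purpose.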


#2 Wiskonst


Posted 28 May 2004 - 01:41 PM

Jonata

Download Find All and CopyLock. Unzip each to a permanent folder.

Run Find_All.bat (from Find All.zip) by double-clicking on it. It will produce a text file. Post that here.

I will ask one of the moderators to move this topic to forum Malware Removal. done!
_______
Wiskonst

Edited by dave38, 28 May 2004 - 02:12 PM.


#3 jonata


Posted 31 May 2004 - 08:10 PM

wiskonst,

The CopyLock link is dead. Is there another URL to get this?

-Jon

#4 jonata


Posted 31 May 2004 - 08:23 PM

Found another copy of CopyLock. Ran Find_All.bat and pasted the results. What do I do next?

Thanks For Your Help!!!

-Jon

Possible bad file(s) found... (locked)
\\?\C:\WINDOWS\System32\D3DIEM.DLL +++ File read error
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{803A141F-20D2-4051-A8D4-F94F9D7ACD5A}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9AF41189-3E74-4A55-8580-4A627004D8CE}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A2B882A5-B9C2-49BD-A50E-3926D35EDC5C}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A96B0204-D921-4493-B822-F173C73FC436}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
@="NAV Helper"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DA0844DE-ED2C-4A66-9541-23086DDE1A1C}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{09C44958-C89E-4937-8A52-60037433C5C4}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{09C44958-C89E-4937-8A52-60037433C5C4}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"



#5 Wiskonst


Posted 04 June 2004 - 12:05 PM

Sorry to have overlooked your reply, Jonata

Perform the following operations with all browser windows closed (save this post to a file and print it):

Go to Start > Run and type 'regedt32' (without quotes).
Select window 'HKEY_LOCAL_MACHINE'.
In the left pane browse to Software > Microsoft > Windows > CurrentVersion > Explorer by double-clicking on these items consecutively.
In Explorer select 'Browser Helper Objects'.
In menu Security choose Edit Permissions. A dialog appears.
The upper list pane must be empty. If it is not, select the lines one by one and click the Remove button at the right until the pane is empty.
Then click the Advanced button below. A second panel appears.
Here uncheck 'Inherit from parents the permissions ...' and click OK.
In the main dialog also uncheck 'Inherit from parents ...' and click OK.
Close Regedt32.

As you have a stubborn variant of Coolwebsearch, the following phase may require a few trials.

Start CopyLock. Have no browser windows open.

Check 'Show Source Path' and 'Allow Downgrade' and click Add.
Choose Files to Rename. Browse to C:\Windows\System32. Type in the box below 'D3DIEM.DLL' (without quotes) and click Add. The text in the Source box should read 'C:\WINDOWS\System32\D3DIEM.DLL'.
In the destination box type 'C:\WINDOWS\System32\jump.txt' and click OK.
In the main panel click Apply. If all goes well a message says '1 file successfully replaced'. Click OK.
When asked to reboot, do so.
If not, close CopyLock.

In Explorer drag (without copy) the file 'jump.txt' to another folder.

Then please download a new version of Find All, unzip it to a folder, run Find_All.cmd (double-click) and post the result here.
_______
Wiskonst

Edited by Wiskonst, 04 June 2004 - 12:08 PM.


#6 jonata


Posted 09 June 2004 - 02:02 PM

Was unable to locate d3diem.dll. It gets stranger... I ran a defrag recently and got a message that that exact file couldn't be defragmented and that it is fragmented in 3 sections. I searched the entire drive for the file but can't find it, yet the defrag seemed to know about it... any ideas??


-Jon

#7 Wiskonst


Posted 09 June 2004 - 03:47 PM

Jonata

It is a feature of this infection that you cannot see the file d3diem.dll (which is a random name, BTW) from Explorer or another file viewer.

Could you perform the rename of it in CopyLock as per my previous instructions?
(You will not see the file in CopyLock either; just type the name in the box under the browse pane.)

Also did you do the locking of the BHO keys in regedt32 ?
_______
Wiskonst

Edited by Wiskonst, 09 June 2004 - 03:58 PM.


#8 jonata


Posted 12 June 2004 - 03:31 PM

Wiskonst,

I did the BHO thing as per your instructions, but CopyLock doesn't seem to allow me to type in an address. It seems to want me to browse to the file... which I can't see. Any ideas... it still keeps coming back.

#9 jonata


Posted 12 June 2004 - 03:48 PM

Wiskonst,

Ran HijackThis... here's the log... does this show anything?

Logfile of HijackThis v1.97.7
Scan saved at 4:42:31 PM, on 6/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\CFusionMX\runtime\bin\jrunsvc.exe
C:\CFusionMX\db\slserver52\bin\swagent.exe
C:\CFusionMX\db\slserver52\bin\swstrtr.exe
C:\CFusionMX\runtime\bin\jrun.exe
C:\CFusionMX\db\slserver52\bin\swsoc.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security Professional\NISUM.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\slserv.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Internet Security Professional\SymPxSvc.exe
C:\WINDOWS\System32\WFXSVC.EXE
C:\Program Files\Norton Internet Security Professional\NISSERV.EXE
C:\Program Files\Norton SystemWorks\WinFax\WFXMOD32.EXE
C:\WINDOWS\slrundll.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
C:\WINDOWS\System32\wfxsnt40.exe
C:\Program Files\Norton Internet Security Professional\IAMAPP.EXE
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Norton Internet Security Professional\ATRACK.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Jon\My Documents\My Received Files\New Folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = pauproxy.agere.com:8000
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security Professional\IAMAPP.EXE
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" "+b1"
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .nwc: C:\Program Files\NoteWorthy Software\NWC Browser Plugin\npnwcw32.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#10 Wiskonst


Posted 12 June 2004 - 04:27 PM

Wiskonst,

I did the BHO thing as per your instructions, but CopyLock doesn't seem to allow me to type in an address. It seems to want me to browse to the file... which I can't see. Any ideas... it still keeps coming back.

Jonata

You should not type the filename d3diem.dll in the Source box, but choose Browse and type it in the filename box under the browse pane.

Could you give it one more try? If it doesn't work we will use another program.

In HijackThis the infection has changed its appearance, but it is still there.
_______
wiskonst

#11 jonata


Posted 14 June 2004 - 08:59 PM

I figured out what you meant and typed it in the path under the browse pane. After I did and clicked the Add button I got an error saying the file was not found.


-Jon

#12 Wiskonst


Posted 15 June 2004 - 05:11 AM

Jonata

OK, please download dllfix and unzip it to a folder (the download is a self-unzipper). Run start.bat by double-clicking it.
Choose option 2 (Run Fix).
Then choose option 1 (Enter DLL name manually).
You will see the sentence: 'Enter full name and hit Enter C:\Windows\System32\'
At the end of the sentence at the red cursor type 'd3diem.dll' (without quotes and no spaces in front of it) and hit the Enter key.
You will see a message 'Restart in 14 seconds'. Let the reboot go on.
During reboot you will see a DOS window. Folder C:\Windows\System32 is scanned in two passes.

After completion of the boot please post a new Find_All result plus the log.txt you find in the dllfix folder.
_______
Wiskonst

#13 jonata


Posted 15 June 2004 - 08:51 PM

Wiskonst,

Ran as you suggested. Here are the results. First the dllfix log and then the Find All log. Does this mean it's gone?

Thanks!
-Jon


DLLFIX LOG:

CWSDLL/Searchx Appinit Fix By Shadowwar
Version 3.02 061404
Please Do not mirror Without Permission!
I can be contacted at spywaresubmit at aol.com
Tue 06/15/2004
09:15 PM

Backing up Registry Hive

The operation completed successfully

Deleting Windows Key

The operation completed successfully

Adding Test Windows Key

The operation completed successfully

Restoring temp Values Key

The operation completed successfully

Deleting Bad Appinit Value

The operation completed successfully


Backup of Modified Hiv

The operation completed successfully

Deleting test Windows key

The operation completed successfully

Deleting Filter text
Running from C:\Documents and Settings\Jon\Desktop\dllfix
Scanning for Locked File
If this repeats 4 times than you may have another
Locked File not related to About:blank Hijack
Unlocking Locked File

C:\WINDOWS\System32\D3DIEM.DLL
Scanning For main hijacker.
Processing File Manually
C:\WINDOWS\system32\d3diem.dll
Md5 Check of C:\WINDOWS\system32\d3diem.dll

Md5 tested As C185B36F9969D3A6D2122BA7CBC02249
Md5 matched known baddies.
Processing and Deleting File.
Processing ACL of: <\\?\C:\WINDOWS\system32\d3diem.dll>

SetACL finished successfully.

File was successfully Deleted.
Please Run Hijackthis or Cwshredder to finish cleanup.


Adding Back Windows Key

The operation completed successfully

Restoring Registry Hive

The operation completed successfully


Restoring Cleaned Appinit Value

The operation completed successfully






FIND ALL LOG:

Possible bad file(s) found... (locked)
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"Appinit_Dlls"=""

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"
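Two things in the logs above decide whether the reinstaller is gone. The Find All output dumps the Windows key that holds AppInit_DLLs: any DLL named there is loaded into every process that loads user32.dll, which is why a hidden DLL listed there can put the hijack back minutes after a cleaner removes it, and why a clean result shows the value empty. The dllfix log shows the other half: it computed the MD5 of the locked file and deleted it only after the hash matched its list of known-bad files. The Python below is an added example, not part of the thread or of dllfix or Find All: it reads the AppInit_DLLs value out of a REGEDIT4 export (case-insensitively, since the two Find All logs spell the value name differently) and does the same hash lookup against a constructed list whose one real entry is the hash from the dllfix log. The REGEDIT4 fragments and the "before" value are constructed for the example.

```python
import hashlib
import re
from typing import Dict, Optional

# The hash dllfix reported as "matched known baddies" above; the one real entry in this
# otherwise constructed lookup table.
KNOWN_BAD_MD5: Dict[str, str] = {
    "c185b36f9969d3a6d2122ba7cbc02249": "CWS AppInit DLL (hash from the dllfix log)",
}

# Constructed REGEDIT4 fragments in the shape Find All prints.  The first mirrors the
# cleaned key in the Find All log above; the second is a made-up "before" state.
FIND_ALL_CLEAN = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"Appinit_Dlls"=""
'''

FIND_ALL_INFECTED = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\System32\\d3diem.dll"
'''

# Value name matched case-insensitively ("AppInit_DLLs" vs "Appinit_Dlls" in the logs).
# REGEDIT4 doubles backslashes inside string values, so the parser undoes that.
APPINIT_RE = re.compile(r'^"AppInit_DLLs"="(?P<value>.*)"$', re.IGNORECASE)


def appinit_dlls(reg_text: str) -> Optional[str]:
    """Return the AppInit_DLLs value (unescaped) from a REGEDIT4 export, or None if absent."""
    for line in reg_text.splitlines():
        m = APPINIT_RE.match(line.strip())
        if m:
            return m.group("value").replace("\\\\", "\\")
    return None


def appinit_status(reg_text: str) -> str:
    """'clean' when the value is empty, 'loads' when any DLL is listed, 'absent' otherwise."""
    value = appinit_dlls(reg_text)
    if value is None:
        return "absent"
    return "loads" if value.strip() else "clean"


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def classify_bytes(data: bytes, known_bad: Dict[str, str] = KNOWN_BAD_MD5) -> Optional[str]:
    """Label for a known-bad file body, or None when its MD5 is not in the list."""
    return known_bad.get(md5_hex(data).lower())


def classify_file(path: str, known_bad: Dict[str, str] = KNOWN_BAD_MD5) -> Optional[str]:
    """Same check for a file on disk, read in chunks so a large DLL is not loaded whole."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return known_bad.get(h.hexdigest().lower())


if __name__ == "__main__":
    print("after dllfix:", appinit_status(FIND_ALL_CLEAN))
    print("constructed before:", appinit_status(FIND_ALL_INFECTED), appinit_dlls(FIND_ALL_INFECTED))
    sample = b"constructed file body, not the real DLL"
    print("sample matches known-bad list:", classify_bytes(sample))
```

An empty AppInit_DLLs value, as in the post-dllfix Find All output, is the "clean" case; any path there is worth hashing with classify_file before deciding it is legitimate, since the DLL may be invisible to Explorer, as this thread shows.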



#14 Wiskonst


Posted 16 June 2004 - 04:31 AM

Jonata

Yes, the main reinstaller has gone now.
But the remnants must be cleaned up.

First be sure to have the latest version of CWShredder and the latest reference file of Ad Aware. Also the latest virus definitions for Norton.
Then please boot into Safe Mode (reboot, hit F8 and choose 'Start in Safe Mode').
There run CWShredder without any other programs running. Click the Fix button and let it finish.
Then still in Safe Mode do a Norton virusscan and a scan with Ad Aware. Let them fix all they find.

Then boot to normal mode again, let Hijack This do a scan and post the log here.
_______
Wiskonst

#15 beetwaste


Posted 16 June 2004 - 07:23 AM

Hi,

I've been following this thread with great interest, having had the same problem.

This morning, I downloaded the latest version of CWS Shredder, and I'm thinking it's been updated to get rid of this particularly evil little sod. I've run AdAware (latest update, 15th June apparently), and also Spybot. It would appear, after 2 reboots, that finally I am rid of the scourge that is the current incarnation of CWS. :D

So, a big Thanks to Wiskonst, you've probably been helping at least one more person than you realised. :thumbsup:

#16 Wiskonst


Posted 16 June 2004 - 10:32 AM

Beetwaste

I think you had a slightly different variant of CWS, Beetwaste.
It comes in many flavours, see Coolwebsearch Chronicles.
Glad you got rid of it.

If CWS reoccurs, post a HijackThis log in a thread of your own on this forum.
_______
Wiskonst

Consider a donation to Merijn, writer of CWShredder




