turrin

Hijacked (duh) Help me please

6 posts in this topic

I've been infected by CoolWebSearch. Spybot doesn't take care of it so I downloaded CWShredder - that didn't do it either. Yesterday I worked up the balls to go into the registry and delete the changes that Spybot said had been made as well as running Norton 2004 and having it delete any files it said were at risk. That worked until today... it's back.

 

The startup page is changed to solongas.com/hp.htm?id=9

 

Preemptive thanks to anyone who can help me,

 

 

 

PS - yes I've read the FAQ


Turrin

 

Did you click the Fix-button in CWShredder?

 

Please post a Hijack This log here.

 

Also download Find All, and unzip it to a permanent folder. Run Find_All.cmd by double-clicking on it. It will output a text file. Post that here.

_______

Wiskonst


I did try the fix feature on Spybot.

I am listing my HijackThis log in this post and placing Find All in the next to make it easier to read.

 

Logfile of HijackThis v1.97.7

Scan saved at 3:02:05 PM, on 6/6/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\windows\system\hpsysdrv.exe

C:\HP\KBD\KBD.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe

C:\Program Files\Netscape\Netscape\Netscp.exe

C:\WINDOWS\System32\cmd.exe

C:\WINDOWS\system32\ntvdm.exe

C:\Documents and Settings\Owner\Desktop\Tom\Anti-spyware\HijackThis.exe

C:\Program Files\Messenger\msmsgs.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://solongas.com/sp.htm?id=9

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://solongas.com/sp.htm?id=9

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://solongas.com/sp.htm?id=9

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://solongas.com/hp.htm?id=9

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://my.yahoo.com"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\jgn3vi23.slt\prefs.js)

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\jgn3vi23.slt\prefs.js)

O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - C:\WINDOWS\System32\wrk9seulw1xxnp.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [HPGamesActiveMenu] C:\Program Files\WildTangent\ActiveMenu\HP\Games\ActiveMenu.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [jopa] C:\WINDOWS\System32\sysstartup.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [urlLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - HKCU\..\Run: [jopa] C:\WINDOWS\System32\sysstartup.exe

O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll

O4 - HKCU\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE

O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"

O4 - Startup: PowerReg Scheduler V3.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: winlogin.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: Related (HKLM)

O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll


Turrin

 

Could you please redownload CWShredder and unzip it to a permanent folder?

Run it in Windows Safe Mode (reboot, at the beginning of Windows startup hit F8 and choose 'Start in Safe Mode'). Have no other programs running; in CWShredder click the Fix-button and let it finish.

 

CWShredder was updated especially for the variant of Coolwebsearch you have.

 

Back in normal mode run Hijack This and fix the following lines if they are still there:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://solongas.com/sp.htm?id=9

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://solongas.com/sp.htm?id=9

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://solongas.com/sp.htm?id=9

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://solongas.com/hp.htm?id=9

O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - C:\WINDOWS\System32\wrk9seulw1xxnp.dll

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [jopa] C:\WINDOWS\System32\sysstartup.exe <-- 2x

 

Do this by closing all browser windows, placing a checkmark in front of the above items and clicking the Fix-button. Reboot and post a fresh log here again (same topic).

 

Delete the following file if you find it:

C:\WINDOWS\System32\wrk9seulw1xxnp.dll

 

You may still post the result of Find_All.cmd, be careful to copy and paste the full text (Your HJT log was possibly not complete, select all of the text with Ctrl-A).

_______

Wiskonst
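The kind of first-pass review applied to the posted log in the reply above, as an added example that is not part of the original thread or of HijackThis itself: it parses HijackThis entry lines and surfaces candidates for a human to check. The three heuristics (IE URL overrides, an unnamed BHO, the same Run value present in both HKLM and HKCU) are assumptions of this example, chosen because they match entries listed in the reply.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Subset of the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://solongas.com/sp.htm?id=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://solongas.com/hp.htm?id=9
O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - C:\WINDOWS\System32\wrk9seulw1xxnp.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [jopa] C:\WINDOWS\System32\sysstartup.exe
O4 - HKCU\..\Run: [jopa] C:\WINDOWS\System32\sysstartup.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")                 # e.g. "O4 - ..."
RUN = re.compile(r"^(HK\w+)\\\.\.\\Run: \[([^\]]+)\] (.+)$")   # hive, value name, command

def parse(log):
    """Return (section, body) pairs; header and process lines are skipped."""
    return [m.groups() for m in map(ENTRY.match, log.splitlines()) if m]

def review_candidates(log):
    """Return (reason, entry) pairs to review first (heuristics are this example's assumptions)."""
    found, runs = [], defaultdict(set)
    for section, body in parse(log):
        line = f"{section} - {body}"
        if section in ("R0", "R1") and " = " in body:
            host = urlparse(body.split(" = ", 1)[1]).hostname
            if host:  # reviewer confirms whether the user chose this host
                found.append((f"IE URL set to {host}", line))
        elif section == "O2" and body.startswith("BHO: (no name)"):
            found.append(("unnamed BHO", line))
        elif section == "O4":
            m = RUN.match(body)
            if m:
                hive, name, cmd = m.groups()
                runs[(name.lower(), cmd.lower())].add(hive)
    for (name, cmd), hives in sorted(runs.items()):
        if len(hives) > 1:  # identical autostart registered machine-wide and per-user
            found.append((f"Run value in {'+'.join(sorted(hives))}", f"[{name}] {cmd}"))
    return found

if __name__ == "__main__":
    for reason, entry in review_candidates(SAMPLE_LOG):
        print(f"{reason}: {entry}")
```

These checks only surface structural oddities as review candidates; the `[PS2]` Run entry listed in the reply above would not be caught by them and still depends on a reviewer recognizing it.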


That seems to have done it.... I guess all I had to do (essentially) is wait a couple of days for the new CWShredder to come out. (haha) Thank you very much for your help. I am changing my homepage on IE and am going to open it a few times to make sure.

 

Once again, thank you


Turrin

 

OK Glad we could help.

 

Also delete the file C:\WINDOWS\System32\sysstartup.exe if you find it.

 

Clean out the temporary folders:

- C:\Windows\Temp

- C:\Windows\Downloaded Program Files

- C:\Documents and Settings\<name>\Local Settings\Temp

 

As a general prevention measure we recommend Spywareguard and Spywareblaster (both free). And a good firewall (Kerio Personal Firewall is free).

_______

Wiskonst

 

Donate to Merijn Org (Merijn is the writer of Hijack This and CWShredder)
