Jump to content


Photo

Out of options please help


  • Please log in to reply
4 replies to this topic

#1 deadeyedick

deadeyedick

    Member

  • New Member
  • Pip
  • 3 posts

Posted 10 June 2004 - 03:45 AM

I have run all of these programs and they removed quite a bit of stuff.

cwshredder
adware 6.0
bazooka
xcleaner
housecall
symantec anti virus corporate

after running each of these programs more than once, making sure they were all updated I restarted and my homepage is still that coolware bs. After resetting my web settings i ran all of these programs again and restarted. still i get popups and my homepage is the coolware one.

here is the hijack log. i went through it using the tutorial by Merijn and referenced the CLSID numbers and i noticed there is one that is not on the list from the sysinfo.org site. it is this one.

O2 - BHO: . - {D34F08C5-4F18-477c-86CB-1A9BEECFE37B} - D:\Documents and Settings\s\Application Data\winoq\winoq32.dll

Iv'e tried everything that i know how and from reading on these sites but i can't eliminate htis crap if anyone can help that would be awesome.

here is the whole log file. I deleted the coolware home page they come up under RO R1. they come back after a reboot though as i have deleted them 3 or 4 times. So this makes me think there is an EXE somewhere but no idea how to find it.

F2 - REG:system.ini: UserInit=D:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
O2 - BHO: . - {D34F08C5-4F18-477c-86CB-1A9BEECFE37B} - D:\Documents and Settings\s\Application Data\winoq\winoq32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Lexmark X1100 Series] "D:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\RunServices: [RunAlert] D:\Program Files\MSI\PC Alert III\AService.exe
O4 - HKCU\..\Run: [cnet] "D:\Program Files\Kontiki\bin\kontiki.exe" -s cnet -q
O4 - HKCU\..\RunOnce: [Updater] rundll32 D:\DOCUME~1\s\APPLIC~1\winoq\winoq32.dll,UpdateDll s
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://D:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://D:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Get It With Kontiki - res://D:\Program Files\Kontiki\bin\bh309190.dll/201
O8 - Extra context menu item: Si&milar Pages - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://D:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Related (HKLM)

#2 deadeyedick

deadeyedick

    Member

  • New Member
  • Pip
  • 3 posts

Posted 10 June 2004 - 04:00 AM

here is the hijack this log after i restarted. maybe this will give someone a better idea of what the problem is.


Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\LEXPPS.EXE
D:\WINDOWS\Explorer.EXE
D:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
D:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
D:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\devldr32.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Documents and Settings\s\hijack\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://mshp.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://mshp.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
F2 - REG:system.ini: UserInit=D:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2E9CAFF6-30C7-4208-8807-E79D4EC6F806} - C:\Program Files\Submit\submithook.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
O2 - BHO: . - {D34F08C5-4F18-477c-86CB-1A9BEECFE37B} - D:\Documents and Settings\s\Application Data\winoq\winoq32.dll
O2 - BHO: ShowSearch module - {E2DDF680-9905-4dee-8C64-0A5DE7FE133C} - D:\Documents and Settings\s\Application Data\winoq\netdc.dll
O2 - BHO: (no name) - {FD9BC004-8331-4457-B830-4759FF704C22} - D:\Documents and Settings\s\Application Data\winoq\atlxl32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Lexmark X1100 Series] "D:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Image] rundll32 D:\WINDOWS\sdkqh32.dll,Install
O4 - HKLM\..\RunServices: [RunAlert] D:\Program Files\MSI\PC Alert III\AService.exe
O4 - HKCU\..\RunServices: [Image] rundll32 D:\WINDOWS\sdkqh32.dll,Install
O4 - HKLM\..\RunOnce: [delsubmit] rundll32.exe advpack.dll,DelNodeRunDLL32 "D:\Program Files\Common Files\submit.exe"
O4 - HKCU\..\RunOnce: [Updater] rundll32 D:\DOCUME~1\s\APPLIC~1\winoq\winoq32.dll,UpdateDll s
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://D:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://D:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Get It With Kontiki - res://D:\Program Files\Kontiki\bin\bh309190.dll/201
O8 - Extra context menu item: Si&milar Pages - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://D:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_41.cab
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw...nt/iftwclix.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.co...clean_micro.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#3 deadeyedick

deadeyedick

    Member

  • New Member
  • Pip
  • 3 posts

Posted 10 June 2004 - 04:07 PM

bump

#4 caruch6392

caruch6392

    Member

  • Full Member
  • Pip
  • 25 posts

Posted 10 June 2004 - 04:26 PM

hey guys...new to this board but have been over at the g4techtv (and techtv when it used to be that) boards for a while...i know a ton about hijackthis logs and have been doing them for a while

dont need this up:
D:\Program Files\QuickTime\qttask.exe

or this:
D:\Program Files\Common Files\Real\Update_OB\realsched.exe

dont know what these are loading up for?

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://mshp.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://mshp.dll/sp.html#37049

the first one has no need to be up but the second one is definately bad:

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2E9CAFF6-30C7-4208-8807-E79D4EC6F806} - C:\Program Files\Submit\submithook.dll

looks like these have something to do with a search bar:

O2 - BHO: . - {D34F08C5-4F18-477c-86CB-1A9BEECFE37B} - D:\Documents and Settings\s\Application Data\winoq\winoq32.dll
O2 - BHO: ShowSearch module - {E2DDF680-9905-4dee-8C64-0A5DE7FE133C} - D:\Documents and Settings\s\Application Data\winoq\netdc.dll
O2 - BHO: (no name) - {FD9BC004-8331-4457-B830-4759FF704C22} - D:\Documents and Settings\s\Application Data\winoq\atlxl32.dll

un-necessary items at startup:

O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

the first one here has to do with coolwebsearch infection, the second on is also bad:

O4 - HKLM\..\RunOnce: [delsubmit] rundll32.exe advpack.dll,DelNodeRunDLL32 "D:\Program Files\Common Files\submit.exe"
O4 - HKCU\..\RunOnce: [Updater] rundll32 D:\DOCUME~1\s\APPLIC~1\winoq\winoq32.dll,UpdateDll s


i dont think you need these:

O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.co...clean_micro.exe
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab

hope this helps {SoW}Rob
UPDATE and run adaware adware
UPDATE and run spybot spybot search and destroy
UPDATE and run cwshredder cwshredder
update and use spyware blaster spywareblaster
a nifty little program a squared 2 a squared 2
free virus scanner avg anti-virus
another free antivirus Avast!

dont forget to do windows updates windows updates

my pontiac grand prix gt
Posted Image

http://www.cardomain...id/fallen_blade

#5 Metallica

Metallica

    Forum Deity

  • Expert
  • PipPipPipPipPip
  • 849 posts

Posted 11 June 2004 - 09:02 AM

Hi deadeyedick,

Please post a new HijackThis log.
This time include the header which will tell us your version of Windows, IE and HijackThis (nothing more)

Regards,

Pieter

MVP Windows Security 2003-2015 mvp2.gif

Remove and prevent spyware





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button