Jump to content


new type of hijacker? Please help

  • Please log in to reply
4 replies to this topic

#1 spaceace13



  • New Member
  • Pip
  • 4 posts

Posted 14 June 2004 - 10:05 PM

I think I have stumbled on a new variant of the Coolweb search or lookthru.cc hijacker. I have run the newest versions of spy-bot, CWshredder, and the updated trial version of trojan hunter. both cw shredder and spybot came up clean. There were a few questionable items in trojan hunter. My home page in IE is always redirected to


if i miss type a url or forget the www. I am automatically redirected to a page titled WINDOWS HELP CENTER with a variety of search options. The url is what appears above with what ever website I was attempting to go to after the #.

Below is my hijackthis log:

Logfile of HijackThis v1.97.7
Scan saved at 10:28:15 PM, on 6/14/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_02\bin\jusched.exe
C:\Program Files\Norton Utilities\SYSDOC32.EXE
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\Program Files\Speed Disk\nopdb.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Nancy\Local Settings\Temporary Internet Files\Content.IE5\5CWF594T\HijackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\scyxm.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://scyxm.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://scyxm.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\scyxm.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://scyxm.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\scyxm.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext =
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.../7_0/home.html"); (C:\Documents and Settings\Nancy\Application Data\Mozilla\Profiles\default\y84uwxyp.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Nancy\Application Data\Mozilla\Profiles\default\y84uwxyp.slt\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {708C8B10-3987-7E41-9F01-070C226FA765} - C:\WINDOWS\system32\javaer32.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_02\bin\jusched.exe
O4 - HKLM\..\Run: [javagb.exe] C:\WINDOWS\javagb.exe
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Pyramids - http://download.game...ts/y/pyt1_x.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macrom...or6/cabs/sw.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7684.4844791667
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - http://wbt.appliedun...aDownloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab

I would appreciate any help with this.

Thank you.

#2 irelynnmisses


    Forum Goddess

  • Retired Staff - Helper
  • PipPipPipPip
  • 282 posts

Posted 15 June 2004 - 01:16 AM

ok, try this:

As this is a relativly new and difficult infection to clean.. I suspect that the DLL I am looking for is hidden very well and you need the DLLFIX.. So please try this for me..

Download the file from
and save it in a place you like.

The file when downloaded will be dllfix.exe.

Double-Click or Open the self-extracting file. It will ask for installation and change location. Please Keep it in BOOT drive and not in any place else. Preferable in Desktop.

Navigate to the folder with the contents of the file. You will see there are two more folders inside and two BAT files.

Run start.bat and you should get a screen with options.
Run the Option 1. for report. Which when run will have a purple screen.

Once the search is complete a ".txt" file should pop up with the name "Output.txt". Keep it. You will see there is a random dll named there if found. If you are not sure Post the log for Expert View.

Run the start.bat again after dll found or whatever. Run option 2 and choose correct option in submenu. The sub-menu should be another box with options in it. It's probably green to.

Option 1 -- > is if you found the dllname that is locked or in the appinit key.
Option 2 -- > is for if you can't find the dllname.

It will reboot in 15 seconds.

If you are still unsure, Post your query here for Expert View.

If you know the file name, Reboot & There will be the scan for the " dll " on-boot screen, which will search and fix it. There will just be a md5 scan if the filename was entered manually. (option 2,1 in start.bat)

Reboot and Download ADAWARE. Check for updates. Then Run the update Ad-aware.

Reboot. Run HijackThis and save the fresh log.

THEN: Post a new Output.txt (option 1 in start.bat ), the logs.txt the fix generated (you will find it automatically being made and found in the dllfix folder) and a fresh HijackThis Log here in this thread.. well take it from there
FireFox is recommended over IE: http://www.mozilla.o...oducts/firefox/

Misses Loves Kisses

Also, Please don't PM me your hijack logs. I would you rather post them and PM me if you wish for me to look at them. A PM with a hijacklog will get ignored!

#3 spaceace13



  • New Member
  • Pip
  • 4 posts

Posted 15 June 2004 - 09:03 AM

Thank you very much for the info. I will do that tonight when I get home from work and let you know what happens.

#4 spaceace13



  • New Member
  • Pip
  • 4 posts

Posted 15 June 2004 - 05:40 PM

Hi. I installed dllfix.exe and ran it. It did not find any files and gave me an error message: the system was unable to find specific registry key or value.
WHen I ran it again and choose option 2 it kept repeating the same error message over and over. It never rebooted. Below is the text log:

--==***@@@ FIND-ALL' VERSION MODIFIED -6/14 @@@***==--
--==***@@@ ORIGINAL BY FREEATLAST @@@***==--

Tue 06/15/2004
06:28 PM

System Info:

Microsoft Windows XP [Version 5.1.2600]
C: "" (0355:14F9) - FS:FAT clusters:32k
Total: 40 006 156 288 [37G] - Free: 32 922 927 104 [31G]

*IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe
*Notepad version :
5.1.2600.0 C:\WINDOWS\system32\notepad.exe
5.1.2600.0 C:\WINDOWS\notepad.exe
*Media Player version : C:\Program Files\Windows Media Player\wmplayer.exe


HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q810847;Q813951;Q813489;Q330994;Q818529;Q822925;Q828750;Q824145;Q832894;Q83

Locked or 'Suspect' file(s) found...
These may be other files that Dllfix doesnt target.
If not file is listed than Dllfix may not Help.
in this case please post the contents of Windows.txt to the appinit
entry can be checked. You will find it in the dllfix folder after findall completes.

Scanning for main Hijacker:

Dllfix must have the Hijackerfiles in system32 to fix properly.
If there are no protocal keys text/html and text/plain
then dllfix may not work. This fix targets this type Hijack Entry.
that keeps reoccuring with different filenames.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page
= res://C:\WINDOWS\System32\xxxxxx.dll/sp.html (obfuscated)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{708C8B10-3987-7E41-9F01-070C226FA765}]






[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"

@="AP Deflate Encoding/Decoding Filter "

@="AP GZIP Encoding/Decoding Filter "

@="AP lzdhtml encoding/decoding Filter"

@="WebView MIME Filter"

*Security settings for 'Windows' key:

If error than registry may need to be restored from option 4.

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Can't open Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

2 - The system cannot find the file specified.

#5 spaceace13



  • New Member
  • Pip
  • 4 posts

Posted 17 June 2004 - 09:23 AM

My computer is still infected with this spyware. Does anyone have any thoughts or ideas? Please help.

thank you.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button