|
|||||||||
|
|||||||||
| |||||||||
|
|||||||||
|
|||||||||
| |||||||||
|
|
|
| |||||||||
 |
|
|
«
Previous Thread
|
Next Thread
»
|
Thread Tools | Search this Thread | Rate Thread | Display Modes |
Dev Shed Forums Sponsor:
|
|
|
|
#1
November 20th, 2004, 12:06 PM
|
|||
|
|||
|
another coolsearch.biz
I have the coolsearch.biz problem.I have run spybot and ad-aware.I have also run cwsshredder.I still get the same coolsearch.biz as home page.Also there was an icon near the system clock called instant access.After running sybot,ad-aware and cwsshredder it is still present in the startup taskbar near the clock.But now it is invisible ie there is a space in the taskbar where the icon had existed earlier and when I move my mouse over the space it gives me options such as hide and configure.
The following is the hijackthis log: Logfile of HijackThis v1.98.2 Scan saved at 2:10:04 PM, on 11/20/04 Platform: Windows 98 SE (Win9x 4.10.2222A) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.EXE C:\WINDOWS\SYSTEM\MPREXE.EXE C:\WINDOWS\SYSTEM\mmtask.tsk C:\WINDOWS\SYSTEM\MSTASK.EXE C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE C:\WINDOWS\SYSTEM\MDM.EXE C:\WINDOWS\EXPLORER.EXE C:\WINDOWS\SYSTEM\RPCSS.EXE C:\WINDOWS\PTSNOOP.EXE C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE C:\WINDOWS\TASKMON.EXE C:\WINDOWS\SYSTEM\SYSTRAY.EXE C:\WINDOWS\SYSTEM\IGFXTRAY.EXE C:\WINDOWS\SYSTEM\HKCMD.EXE C:\PROGRAM FILES\ANALOG DEVICES\SOUNDMAX\SMTRAY.EXE C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE C:\WINDOWS\LOADQM.EXE C:\PROGRAM FILES\WINAMP\WINAMPA.EXE C:\WINDOWS\RUNDLL32.EXE C:\SPYBOT\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE C:\WINDOWS\SYSTEM\DDHELP.EXE C:\WINDOWS\SYSTEM\WMIEXE.EXE D:\FLASHGET\FLASHGET\FLASHGET.EXE C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE C:\HJT\HIJACKTHIS.EXE F1 - win.ini: load=ptsnoop.exe F1 - win.ini: run=C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - D:\FLASHGET\FLASHGET\JCCATCH.DLL O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\SPYBOT\SPYBOT~1\SDHELPER.DLL O2 - BHO: (no name) - {008DB894-99ED-445D-8547-0E7C9808898D} - (no file) O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file) O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\FLASHGET\FLASHGET\FGIEBAR.DLL O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe O4 - HKLM\..\Run: [SystemTray] SysTray.Exe O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\SYSTEM\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\SYSTEM\hkcmd.exe O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" O4 - HKLM\..\Run: [LoadQM] loadqm.exe O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe" O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks" O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1055.dll,InstantAccess O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\spybot\Spybot - Search & Destroy\TeaTimer.exe O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O8 - Extra context menu item: Download using FlashGet - D:\FLASHGET\FLASHGET\jc_link.htm O8 - Extra context menu item: Download All by FlashGet - D:\FLASHGET\FLASHGET\jc_all.htm O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\FLASHGET\FLASHGET\FLASHGET.EXE O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\FLASHGET\FLASHGET\FLASHGET.EXE O16 - DPF: {EAAB55CB-9D6E-457A-A10B-4AAEC8317CFC} - http://akamai.downloadv3.com/binaries/LiveService/LiveService_8_EN.cab O16 - DPF: {F72BC3F0-6C20-4793-9DDA-258589D8A907} - http://akamai.downloadv3.com/binaries/IA/netslv32_EN.cab O16 - DPF: {2AEEAC34-FD74-4142-B891-4B05C0C03C87} - http://akamai.downloadv3.com/binaries/DialHTML/EGCOMSERVICE_1054_pack.cab O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = vsnl.net O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 202.54.6.60,202.54.6.50 I hope someone can help me solve this problem. fightingback
|
|
#2
November 23rd, 2004, 08:07 PM
|
|||
|
|||
|
Hi fightingback,
You are infected with TrojanDropper.Win32.Small.cw and at least one dialer. You might want to print these instructions for reference or copy and paste them into notepad and save them on your desktop, as you will be off the internet while using HijackThis. If you have any questions before starting the fix, please don't hesitate to ask! You have a coolwebsearch infection, among other things. Please download CWShredder from Here Save it to a convenient location such as your Desktop. Do not run it yet! Next... Download Ad-Aware SE Personal Edition version 1.05 from: http://www.lavasoft.de/support/download/ Run Adaware, click the "Check for Updates now" link. Install the latest reference file, Do not run it yet, just update it! Next... Boot into Safe Mode. Reboot your computer, start tapping F8 when it first starts booting, select Safe Mode. Run CWShredder and select "Fix" (do not just Scan). It will automatically remove the infections. Run HijackThis, click scan, place a checkmark next to the following items. Close all browsers and any other windows or the fix may not work! Click "fix checked". It is OK if some of these items are no longer listed. F1 - win.ini: run=C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE O2 - BHO: (no name) - {008DB894-99ED-445D-8547-0E7C9808898D} - (no file) O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file) O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1055.dll,InstantAccess O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE O16 - DPF: {EAAB55CB-9D6E-457A-A10B-4AAEC8317CFC} - http://akamai.downloadv3.com/binaries/LiveService/LiveService_8_EN.cab O16 - DPF: {F72BC3F0-6C20-4793-9DDA-258589D8A907} - http://akamai.downloadv3.com/binaries/IA/netslv32_EN.cab O16 - DPF: {2AEEAC34-FD74-4142-B891-4B05C0C03C87} - http://akamai.downloadv3.com/binaries/DialHTML/EGCOMSERVICE_1054_pack.cab O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - These are resource hogs that can be fixed also: O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE Then... Make sure your computer is configured to show all files and folders. Click Start. Open My Computer. Select the Tools menu and click Folder Options. Select the View Tab. Under the Hidden Files and Folders heading select Show Hidden Files and Folders. Uncheck hide extensions for known file types. Uncheck the Hide Protected Operating System Files option. Click Yes to confirm. Click OK. Search for and delete the following files: C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE EGDACCESS_1055.dll Next.... Open My Computer, browse to C:\Temp folder and delete all files and folders in it. Open My Computer, browse to C:\Windows\Temp folder and delete all files and folders in it. Open Internet Explorer click Tools > Internet Options > General. Check "delete all offline content", click "Delete Files" then Click OK. Empty your Recycle Bin. While still in Safe Mode, run Adaware - perform a full system scan. Let it remove everything it finds. Reboot normally. Next... Perform an onlne virus scan from this site: Trend Micro Housecall - Select all of your drives to be scanned. Please check "Auto clean" before scanning. http://housecall.trendmicro.com/ If you can, copy and paste the report logs from the scans into your next post. Next... Please go to Start > Find > Files or folders > and search for ptsnoop.exe please include the file's properties and version information in your next post. Please post a fresh HijackThis log. Tom
__________________
HijackThis Ad-aware Spybot Search & Destroy SpywareBlaster SpywareGuard Housecall Online A/V Scan Please read the stickys at the top of the forum before posting! Last edited by Tom Myboy : November 23rd, 2004 at 08:14 PM.
|
|
#3
December 4th, 2004, 01:45 AM
|
|||
|
|||
|
Hi,
Just a few problems. 1)My mouse does not work when I boot in safe mode. 2)I was able to manage without the mouse to get till the point where you have asked me to run ad-aware se personal edition 1.05. To perform the full system scan I have to press the next button and tab does not take me to the next button.So I was unable to complete the fix. 3)Another problem that I had faced which I had forgotten to mention in my last post was that when I perform a full system scan using ad-aware SE , it almost hangs when it is nearing the end.I waited for nearly 1 hour for it to complete the scan but it never moved from a particular point.The cancel button works.So I guess it hasn't hung up.I was just wondering if I have any configuration issues with ad-aware SE. Here is also the latest version of the hijackthis log Logfile of HijackThis v1.98.2 Scan saved at 12:44:54 PM, on 12/4/04 Platform: Windows 98 SE (Win9x 4.10.2222A) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.EXE C:\WINDOWS\SYSTEM\MPREXE.EXE C:\WINDOWS\SYSTEM\mmtask.tsk C:\WINDOWS\SYSTEM\MSTASK.EXE C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE C:\WINDOWS\SYSTEM\MDM.EXE C:\WINDOWS\EXPLORER.EXE C:\WINDOWS\SYSTEM\RPCSS.EXE C:\WINDOWS\PTSNOOP.EXE C:\WINDOWS\TASKMON.EXE C:\WINDOWS\SYSTEM\SYSTRAY.EXE C:\WINDOWS\SYSTEM\IGFXTRAY.EXE C:\WINDOWS\SYSTEM\HKCMD.EXE C:\PROGRAM FILES\ANALOG DEVICES\SOUNDMAX\SMTRAY.EXE C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE C:\WINDOWS\SYSTEM\DDHELP.EXE C:\WINDOWS\LOADQM.EXE C:\PROGRAM FILES\WINAMP\WINAMPA.EXE C:\SPYBOT\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE C:\WINDOWS\SYSTEM\WMIEXE.EXE C:\WINDOWS\NOTEPAD.EXE C:\WINDOWS\NOTEPAD.EXE C:\HJT\HIJACKTHIS.EXE F1 - win.ini: load=ptsnoop.exe O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - D:\FLASHGET\FLASHGET\JCCATCH.DLL O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\SPYBOT\SPYBOT~1\SDHELPER.DLL O2 - BHO: (no name) - {008DB894-99ED-445D-8547-0E7C9808898D} - (no file) O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file) O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\FLASHGET\FLASHGET\FGIEBAR.DLL O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe O4 - HKLM\..\Run: [SystemTray] SysTray.Exe O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\SYSTEM\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\SYSTEM\hkcmd.exe O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" O4 - HKLM\..\Run: [LoadQM] loadqm.exe O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe" O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks" O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\spybot\Spybot - Search & Destroy\TeaTimer.exe O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O8 - Extra context menu item: Download using FlashGet - D:\FLASHGET\FLASHGET\jc_link.htm O8 - Extra context menu item: Download All by FlashGet - D:\FLASHGET\FLASHGET\jc_all.htm O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\FLASHGET\FLASHGET\FLASHGET.EXE O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\FLASHGET\FLASHGET\FLASHGET.EXE O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab O16 - DPF: {EAAB55CB-9D6E-457A-A10B-4AAEC8317CFC} - O16 - DPF: {F72BC3F0-6C20-4793-9DDA-258589D8A907} - O16 - DPF: {2AEEAC34-FD74-4142-B891-4B05C0C03C87} - O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = vsnl.net O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 202.54.6.60,202.54.6.50 The properties of ptsnoop.exe Type:application Location:c:\windows size:9.46kb(9,696 bytes),12,288 bytes used MS-DOS name:PTSNOOP.EXE Created: Tuesday,September 23,2003 6:27:26 pm Nodified: Tuesday,March 09,1999 12:55:42 pm Accessed:Saturday,December 04,2004 Attributes are all unchecked I hope these were the poperties you were referring to. How should I find the version? Bye, fightingback (p.s-Sorry for the delayed post)
|
|
#4
December 4th, 2004, 02:39 PM
|
|||
|
|||
|
Quote:
I have been through similar situations. Try scanning with Spybot Search and Destroy 1.3 first. Make sure you have the most recent updates. Remove all items checked in red. Then scan with Adaware 1.05. Just try a "Smart System Scan" first. Make sure you have the most recent definitions. Please post a fresh Hijackthis log. Tom
|
|
| Viewing: Dev Shed Forums > System Administration > Antivirus Protection > another coolsearch.biz |
| Thread Tools | Search this Thread |
| Display Modes | Rate This Thread |
|
|
 |
|
|
Del.icio.us
Digg
Google
Spurl
Blink
Furl
Simpy
Y! MyWeb
Linear Mode
