
HJT Log - CoolWebSearch


This topic is locked
2 replies to this topic

#1 Phantasmagoria
Members, 53 posts

Posted 15 April 2005 - 09:43 AM

Hello,

I have a recurring problem with CoolWebSearch infecting my machine (HiddenDLL variant according to CWShredder). I have posted twice before on SFDC and have received two fixes that worked the first few times. When I followed the fix's instructions, I removed the spyware with no problem, but it kept coming back, and it would come back quicker each time I removed it. Now it's gotten to the point where every time I remove the spyware and reboot, I get reinfected as soon as I log into my workstation. Also, se.dll is being installed along with CWS, which actually gives me popups in addition to CWS's normal browser hijack. Any help would be much appreciated, as a clean install is not an option at this point.

Logfile of HijackThis v1.99.1
Scan saved at 10:11:01 PM, on 4/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust\Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust\Antivirus\InoRT.exe
C:\Program Files\CA\eTrust\Antivirus\InoTask.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\CCM\CcmExec.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\eTrust\Antivirus\realmon.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
D:\Program Files\Trillian\trillian.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\RasheemJabaar\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\RASHEE~1\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\RASHEE~1\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer - Dat bleep Jesus
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: (no name) - {D47AB8D2-0877-430B-ADA0-1FAC7284EE7F} - C:\WINDOWS\system32\kdi.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\Antivirus\realmon.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\RASHEE~1\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = truaxx.com
O17 - HKLM\Software\..\Telephony: DomainName = truaxx.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{83F7D0B1-FB45-4270-AACD-A19156A865BA}: NameServer = 192.168.1.98,24.93.68.63
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = truaxx.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{83F7D0B1-FB45-4270-AACD-A19156A865BA}: NameServer = 192.168.1.98,24.93.68.63
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = truaxx.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{83F7D0B1-FB45-4270-AACD-A19156A865BA}: NameServer = 192.168.1.98,24.93.68.63
O18 - Filter: text/html - {D6D5359D-AD49-4BD3-A4B6-C29FB88FE552} - C:\WINDOWS\system32\kdi.dll
O18 - Filter: text/plain - {D6D5359D-AD49-4BD3-A4B6-C29FB88FE552} - C:\WINDOWS\system32\kdi.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\Antivirus\InoTask.exe

Thank you in advance.
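The log above shows the three hooks that keep this infection alive: an autorun (O4) that loads se.dll out of the user's Temp directory, IE start/search pages (R0/R1) pointed at a res:// resource inside that same DLL, and a pair of MIME filters (O18) that route every text/html and text/plain response through kdi.dll, which is also registered as a BHO (O2). The following is an added example, not part of this thread and not HijackThis's own code: a small triage script that parses HJT-style lines, applies those three rules, and cross-references which modules appear under more than one hook type. The regular expressions, rule names and the abridged sample log (entries copied from the log posted above) are my own assumptions, and the output is a review list rather than a verdict; for instance, SDHelper.dll is a "(no name)" BHO too and is benign, so "(no name)" alone is deliberately not a rule.

```python
import re
from collections import defaultdict

# Constructed sample: entries copied from the HijackThis log posted above,
# abridged to the lines the rules below react to plus a few benign ones.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\RASHEE~1\LOCALS~1\Temp\se.dll/sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: (no name) - {D47AB8D2-0877-430B-ADA0-1FAC7284EE7F} - C:\WINDOWS\system32\kdi.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\Antivirus\realmon.exe"
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\RASHEE~1\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O18 - Filter: text/html - {D6D5359D-AD49-4BD3-A4B6-C29FB88FE552} - C:\WINDOWS\system32\kdi.dll
O18 - Filter: text/plain - {D6D5359D-AD49-4BD3-A4B6-C29FB88FE552} - C:\WINDOWS\system32\kdi.dll
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\Antivirus\InoRpc.exe
"""

# "R1 - ..." / "O18 - ..." section prefix followed by the entry body.
LINE_RE = re.compile(r'^(?P<sec>[RO]\d+) - (?P<body>.*)$')
# A Windows path ending in an executable module; spaces are allowed because
# many legitimate entries live under "Program Files".
PATH_RE = re.compile(r'[A-Za-z]:\\[^",]+?\.(?:dll|exe|cpl)\b', re.IGNORECASE)
# Matches "...\Temp\" in long and 8.3 (LOCALS~1) forms.
TEMP_RE = re.compile(r'\\(?:LOCALS~1\\)?Temp\\', re.IGNORECASE)


def parse(log):
    """Return (section, body) tuples; header and process lines are ignored."""
    entries = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group('sec'), m.group('body')))
    return entries


def flag_entries(entries):
    """Apply the triage rules; return (section, body, [reasons]) for hits."""
    findings = []
    for sec, body in entries:
        paths = PATH_RE.findall(body)
        reasons = []
        if any(TEMP_RE.search(p) for p in paths):
            reasons.append('module loaded from a Temp directory')
        if sec in ('R0', 'R1') and 'res://' in body:
            reasons.append('IE page served from a local DLL resource, not a web site')
        if sec == 'O18' and body.startswith('Filter:'):
            reasons.append('MIME filter sees every text/html or text/plain response')
        if reasons:
            findings.append((sec, body, reasons))
    return findings


def shared_modules(entries):
    """Map module basename -> sorted sections, for modules hooked in >1 section."""
    seen = defaultdict(set)
    for sec, body in entries:
        for p in PATH_RE.findall(body):
            seen[p.rsplit('\\', 1)[-1].lower()].add(sec)
    return {name: sorted(secs) for name, secs in seen.items() if len(secs) > 1}


if __name__ == '__main__':
    entries = parse(SAMPLE_LOG)
    for sec, body, reasons in flag_entries(entries):
        print(f'{sec}: {body}\n    -> ' + '; '.join(reasons))
    print('\nModules referenced by more than one hook type (review these):')
    for name, secs in shared_modules(entries).items():
        print(f'  {name}: {", ".join(secs)}')
```

Run against the sample, the script flags the R1 search bar, the [sp] autorun and both O18 filters, and lists se.dll (O4 + R1) and kdi.dll (O2 + O18) as modules wired into more than one hook; msntb.dll also shows up there (O2 + O3) because the MSN toolbar legitimately registers both, which is why the correlation output is a review list and not a removal list.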

#2 Phantasmagoria (Topic Starter)
Members, 53 posts

Posted 19 April 2005 - 05:41 PM

I appreciate the help, but I do believe I have fixed the problem by following instructions placed in a similar post. Thank you anyway.

-Phantasmagoria

#3 ~Kat~
Princess Kitty
Members, 476 posts

Posted 20 April 2005 - 02:19 AM

We're glad you were able to fix things back up! If at any time this becomes an issue, please feel free to start a new topic!



~LAUGH like no one can hear, DANCE like no one is watching and LOVE like you've never been hurt


If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware
