Lasting Coolwebsearch Affects + Hjt Log



#1 ReflectingSummer

Posted 23 December 2005 - 10:05 AM

Hello! I followed the sticky directions.

Here's my PC info:

MS Windows 2000

I use 99.9 % of the time Firefox

-AVG Free Edition Version: 7.1.362

-Ewido Security Suite: 3.5 (trial version)

-AOL Spyware Protection Version: 2.0.7

-SpywareGuard Version: 2.20

-SpywareBlaster Version: 3.4

-Spybot Search & Destroy 2.4

-CCleaner: v1.25.01

-HijackThis: v1.99.1

-ZoneAlarm Version: 6.0.667.00

I would like help with two things. One, I'd like somebody to look over my HijackThis log to see if there's anything I need to fix. The second thing is a question. I was infected with CoolWebSearch. I did an ewido Security Suite scan that detected it and cleaned it. I've also, within the same time, been hit with spyware, which was the following: Trojan.Win32.Dialer.hc, Networ.1.Popups. My AdAware SE Personal & AOL Spyware Protection detected and blocked these. I've not yet completely deleted them from the blocked list because I don't know if that's deleting the finds from the computer or just from the list?

I've since done an AdAware SE Personal scan and it has come up clean -- no new critical objects found. I have also done a Spybot S&D scan and it came up clean. I've done both a Panda ActiveScan and a BitDefender Online scan and neither found anything.

Yesterday I did a RegSearch and found a ton... and I mean a ton of porn web sites all pretty much listed under HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\

I would like to know if these sites are the ones listed in my "always block" & Restricted Internet Options Security and Privacy settings, or are these some sort of left-over junk from CoolWebSearch?

Here is a fresh HijackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 8:23:10 AM, on 12/23/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Windows folder: C:\WINNT
System folder: C:\WINNT\SYSTEM32
Hosts file: C:\WINNT\System32\drivers\etc\hosts

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\System32\locator.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\AOL\1130045948\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1130045948\ee\AOLServiceHost.exe
C:\program files\common files\aol\1130045948\ee\services\antiSpywareApp\ver2_0_7\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1130045948\ee\AOLServiceHost.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\Common Files\Aol\aoltpspd.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HiijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll (filesize 192512 bytes, MD5 964621E8B2415FEAA99026ED4F29D198)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (filesize 853672 bytes, MD5 250D787A5712D7768DDC133B3E477759)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP (filesize 356352 bytes, MD5 6492815FC67068A11420740637946B0E)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup (filesize 10000 bytes, MD5 1ED5274825CD1EEBBE102B9FF7C9EC31)
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install (filesize 741376 bytes, MD5 A4AE9BA1E10CB9F6C0949C4DB91A1F72)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon (filesize 111376 bytes, MD5 9B2F5B9E745DEAAA57FB78329ED03061)
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - Startup: spywareguard.lnk = C:\Program Files\SpywareGuard\sgmain.exe (filesize 360448 bytes, MD5 61C028ABA5E49573A6332F4A7C744E87)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll (filesize 69740 bytes, MD5 D25BB4762A876A3DBF6F2BAA36A179FA)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll (filesize 69740 bytes, MD5 D25BB4762A876A3DBF6F2BAA36A179FA)
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (filesize 390256 bytes, MD5 924EAE29D7E0DB93F26E0FC53733A160)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (filesize 390256 bytes, MD5 924EAE29D7E0DB93F26E0FC53733A160)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll (filesize 1339392 bytes, MD5 9D98D9DCBA63C8A2200912090211D531)
O15 - Trusted Zone: http://www.bitdefender.com
O15 - Trusted Zone: http://www.pandasoftware.com
O15 - Trusted Zone: http://be.trendmicro-europe.com
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1132297209889
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111...all/xscan53.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} -
O16 - DPF: {B991DA79-51F7-4011-98D2-1F2592E82A56} (ACNPlayer2 Class) - http://209.67.146.68/ePlayer/2_0/ACNePlayer.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BB392C65-DFEE-4319-9C1E-C42A425A312D}: NameServer = 205.188.146.145
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
He who has heard the same thing told by 12,000 eye-witnesses has only 12,000 probabilities, which are equal to one strong probability, which is far from certain.
- Voltaire

#2 MFDnSC

Posted 24 December 2005 - 12:15 PM

Log looks ok - I have those same entries and one of the valid tools has placed them there - prolly SpyBot

I suggest you get these

MS AntiSpy - http://www.microsoft.com/downloads/details...&displaylang=en (XP and W2K only)


If you are worried about CWS then run this to make sure

Download http://www.intermute.com/spysubtract/cwshr...r_download.html
Close all browser windows, unzip the file, click on the cwshredder.exe then click "Fix"
============

Also do this to flush out things

Turn off restore points, boot, turn them back on – here’s how

XP
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam
"Nothing could be finer than to be in South Carolina ............"

Member ASAP
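One way to check the ZoneMap question from the first post: each subkey under ZoneMap\Domains stores a DWORD per scheme whose value is the IE security zone id (4 = Restricted sites, which is what Spybot/SpywareBlaster immunization writes; 2 = Trusted sites, which is what the O15 lines in the log report). This is an added example, not code from the thread or from either poster; it parses a constructed regedit (.reg) export of that key, and the host names in the sample are made up.

```python
"""Classify IE ZoneMap\\Domains entries from a regedit (.reg) export.
Added example, not from the thread. Zone ids are the documented IE
security zones; the host names in SAMPLE_REG are constructed."""
import re
from collections import defaultdict

ZONES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}

# Key header such as [HKEY_USERS\.DEFAULT\...\ZoneMap\Domains\example.com\www]
KEY_RE = re.compile(r"^\[[^\]]*\\ZoneMap\\Domains\\(?P<dom>[^\]]+)\]$")
# Value line such as "*"=dword:00000004  (scheme -> zone id)
VAL_RE = re.compile(r'^"(?P<scheme>[^"]+)"=dword:(?P<zone>[0-9a-fA-F]{8})$')

def parse_zonemap(reg_text):
    """Return {host: {scheme: zone_id}} for every Domains\\... subkey."""
    result = defaultdict(dict)
    host = None
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            # Subkeys nest host labels: Domains\example.com\www -> www.example.com
            host = ".".join(reversed(m.group("dom").split("\\")))
            continue
        m = VAL_RE.match(line)
        if m and host is not None:
            result[host][m.group("scheme")] = int(m.group("zone"), 16)
    return dict(result)

def hosts_in_zone(mapping, zone_id):
    """Hosts that have at least one scheme assigned to zone_id."""
    return sorted(h for h, v in mapping.items() if zone_id in v.values())

# Constructed export fragment: two immunization-style Restricted entries
# and one Trusted-zone entry of the kind HijackThis reports as O15.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bad-example.test]
"*"=dword:00000004

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bad-example.test\www]
"*"=dword:00000004

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bitdefender.com\www]
"http"=dword:00000002
"""
```

Running `hosts_in_zone(parse_zonemap(SAMPLE_REG), 4)` lists the Restricted entries (the immunization-style ones), while zone 2 lists the hosts a tool or a hijacker has made Trusted, which is the set worth reviewing by hand.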
