Need Help With Coolwebsearch Please


4 replies to this topic

#1 chessking327

chessking327

  • Members
  • 3 posts

Posted 19 February 2006 - 09:57 AM

I have the coolwebsearch :thumbsup: and it won't let go of my system! Need help please..

I have Win XP Pro and am using Firefox 1.5.0.1. I have run Spybot (updated to the newest version), Ad-Aware (also updated), CW Shredder v2.19, HijackThis v1.99.1, and updated Windows via Automatic Updates, but it keeps coming back.

Spybot finds it every time - says it fixes it, but it comes back again shortly. CW Shredder every time finds only the file called "cws.hiddendll" - says it is removed, but a rescan immediately after finds it again.
HijackThis is as follows...

(Moderator edit: moved post to HJT Forum for team review. jgweed)
**********************************************
Logfile of HijackThis v1.99.1
Scan saved at 9:55:07 AM, on 2/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Avast4\ashDisp.exe
C:\windows\winsysban8.exe
C:\WINDOWS\system32\wgse.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Avast4\ashWebSv.exe
c:\windows\winsysban9.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\system32\hpsw.exe
C:\download\hijackthis\HijackThis.exe

O2 - BHO: Trecker Class - {39C78B50-7E98-4aa0-B007-D83114EA6E0F} - C:\PROGRA~1\Jalmp\jalmp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Trixie.Bho - {B0744341-96E0-4341-9ED2-8BC36CE0CCD0} - mscoree.dll (file missing)
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [winsysupd] c:\windows\winsysupd9.exe
O4 - HKLM\..\Run: [susse] "C:\WINDOWS\system32\hpsw.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [winsysban] c:\windows\winsysban9.exe
O4 - HKLM\..\Run: [gimmygames] c:\windows\gimmygames9.exe
O9 - Extra button: (no name) - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\system32\mscoree.DLL
O9 - Extra 'Tools' menuitem: Tri&xie Options... - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\system32\mscoree.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1139968909953
O17 - HKLM\System\CCS\Services\Tcpip\..\{BC841BD4-FA49-402A-A7F5-01F0EC359448}: NameServer = 192.168.8.1
O18 - Filter: text/html - {2F6E85DC-8D2D-4896-8A4F-7DF8A7B1749D} - C:\PROGRA~1\Jalmp\jalmp.dll
O20 - Winlogon Notify: DateTime - C:\WINDOWS\system32\jlsh400.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

*************************************

I don't know what else to do here to get rid of it. Any help is greatly appreciated. Thanks very much.

Edited by jgweed, 19 February 2006 - 11:44 AM.



#2 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts

Posted 23 February 2006 - 11:38 AM

Download the trial version of Ewido Security Suite http://www.ewido.net/en/download/ (W2K/XP Only)
· Install Ewido.
· During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
· Launch Ewido.
· It will prompt you to update; click the OK button and it will go to the main screen.
· On the left side of the main screen click Update.
· Click on Start and let it update.
· DO NOT run a scan yet. You will do that later in safe mode.

Restart your computer into safe mode now. Perform the following steps in safe mode:
(Start tapping F8 at the first black screen after power up)

Run Ewido:
· Click on Scanner.
· Click Complete System Scan and the scan will begin.
· During the scan it will prompt you to clean files; click OK.
· When the scan is finished, look at the bottom of the screen and click the Save report button.
· Save the report to your C: drive.
This will take some time to run!
Boot to normal mode.
Post that log and a new HijackThis log.
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#3 chessking327

chessking327
  • Topic Starter

  • Members
  • 3 posts

Posted 23 February 2006 - 08:17 PM

OK, thanks very much for your help.

Here is the report from Ewido.....


---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 8:08:04 PM, 2/23/2006
+ Report-Checksum: 41C6D6D6

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{39C78B50-7E98-4aa0-B007-D83114EA6E0F} -> Adware.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{39C78B50-7E98-4AA0-B007-D83114EA6E0F} -> Adware.Generic : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{39C78B50-7E98-4aa0-B007-D83114EA6E0F} -> Adware.Generic : Cleaned with backup
HKU\S-1-5-21-220523388-839522115-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{39C78B50-7E98-4AA0-B007-D83114EA6E0F} -> Adware.Generic : Cleaned with backup
HKU\S-1-5-21-220523388-839522115-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C5AF2622-8C75-4DFB-9693-23AB7686A456} -> Adware.Generic : Cleaned with backup
:mozilla.33:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned with backup
:mozilla.34:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.35:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.39:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned with backup
:mozilla.40:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.41:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.42:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.43:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.44:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.45:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.46:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.49:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup
:mozilla.50:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.51:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.52:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.53:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.56:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.Adtech : Cleaned with backup
:mozilla.57:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.Adtech : Cleaned with backup
:mozilla.60:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.61:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.62:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.63:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.64:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.78:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup
:mozilla.87:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.Clickbank : Cleaned with backup
:mozilla.91:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.96:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.97:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.102:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned with backup
:mozilla.114:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.115:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.127:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.Hypertracker : Cleaned with backup
:mozilla.154:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
:mozilla.155:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
:mozilla.156:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.163:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
:mozilla.175:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
:mozilla.179:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.Revenue : Cleaned with backup
:mozilla.192:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.193:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.194:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.195:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.196:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.208:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.Spylog : Cleaned with backup
:mozilla.209:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.210:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.212:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.213:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.228:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.229:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.230:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.231:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.232:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.233:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.234:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.235:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.Trafic : Cleaned with backup
:mozilla.236:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.237:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.238:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.250:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.Yadro : Cleaned with backup
:mozilla.256:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
:mozilla.257:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
:mozilla.258:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
:mozilla.259:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.260:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.261:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.264:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.265:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.266:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.267:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.268:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.269:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.270:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.280:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.Goclick : Cleaned with backup
:mozilla.281:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.Goclick : Cleaned with backup
:mozilla.282:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned with backup
:mozilla.296:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.297:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.298:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.299:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.302:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.303:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.304:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.308:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.309:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.310:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.311:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.312:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.313:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.314:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.315:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.335:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.Burstbeacon : Cleaned with backup
:mozilla.346:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.347:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.350:C:\Documents and Settings\Bill Campbell\Application Data\Mozilla\Firefox\Profiles\qq4a2aoc.default\cookies.txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
C:\Documents and Settings\Bill Campbell\Cookies\bill campbell@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Bill Campbell\Cookies\bill campbell@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Bill Campbell\Cookies\bill campbell@cnn.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Bill Campbell\Cookies\bill campbell@yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Bill Campbell\Local Settings\Temp\F4B10.tmp/titno.exe -> Adware.MDH : Cleaned with backup
C:\Documents and Settings\Bill Campbell\Local Settings\Temporary Internet Files\Content.IE5\0DUVQT8N\gimmygames10[1].exe -> Trojan.VB.ajj : Cleaned with backup
C:\Documents and Settings\Bill Campbell\Local Settings\Temporary Internet Files\Content.IE5\0DUVQT8N\winsysban9[1].exe -> Hijacker.VB.ld : Cleaned with backup
C:\Documents and Settings\Bill Campbell\Local Settings\Temporary Internet Files\Content.IE5\67AJAPU1\gimmygames9[1].exe -> Downloader.VB.ww : Cleaned with backup
C:\Documents and Settings\Bill Campbell\Local Settings\Temporary Internet Files\Content.IE5\8RF7AW55\winsysupd10[1].exe -> Downloader.VB.wg : Cleaned with backup
C:\Documents and Settings\Bill Campbell\Local Settings\Temporary Internet Files\Content.IE5\W7WVQNW5\winsysban10[1].exe -> Hijacker.VB.ld : Cleaned with backup
C:\Documents and Settings\Bill Campbell\Local Settings\Temporary Internet Files\Content.IE5\W7WVQNW5\winsysupd9[1].exe -> Downloader.VB.wy : Cleaned with backup
C:\Program Files\Jalmp\jalmp.dll -> Adware.Suggestor : Cleaned with backup
C:\Program Files\Jalmp\uninstall.exe -> Adware.Suggestor : Cleaned with backup
C:\WINDOWS\gimmygames10.exe -> Trojan.VB.ajj : Cleaned with backup
C:\WINDOWS\gimmygames9.exe -> Downloader.VB.ww : Cleaned with backup
C:\WINDOWS\NDNuninstall7_22.exe -> Adware.NewDotNet : Cleaned with backup
C:\WINDOWS\system32\ffrgf.dll -> Downloader.Small : Cleaned with backup
C:\WINDOWS\system32\hpsw.exe -> Adware.Suggestor : Cleaned with backup
C:\WINDOWS\system32\wgse.exe -> Trojan.Runner.h : Cleaned with backup
C:\WINDOWS\system32\whCC-CLICK.exe/whAgent.exe -> Adware.WebHancer : Cleaned with backup
C:\WINDOWS\winsysban10.exe -> Hijacker.VB.ld : Cleaned with backup
C:\WINDOWS\winsysban7.exe -> Hijacker.VB.le : Cleaned with backup
C:\WINDOWS\winsysban8.exe -> Hijacker.VB.lg : Cleaned with backup
C:\WINDOWS\winsysban9.exe -> Hijacker.VB.ld : Cleaned with backup
C:\WINDOWS\winsysupd10.exe -> Downloader.VB.wg : Cleaned with backup
C:\WINDOWS\winsysupd7.exe -> Downloader.VB.wg : Cleaned with backup
C:\WINDOWS\winsysupd8.exe -> Hijacker.StartPage.ahg : Cleaned with backup
C:\WINDOWS\winsysupd9.exe -> Downloader.VB.wy : Cleaned with backup


::Report End

And here is the log from HijackThis after running Ewido...


Logfile of HijackThis v1.99.1
Scan saved at 8:13:38 PM, on 2/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Avast4\ashDisp.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\download\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Trixie.Bho - {B0744341-96E0-4341-9ED2-8BC36CE0CCD0} - mscoree.dll (file missing)
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [gimmygames] C:\windows\gimmygames10a.exe
O9 - Extra button: (no name) - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\system32\mscoree.DLL
O9 - Extra 'Tools' menuitem: Tri&xie Options... - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\system32\mscoree.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1139968909953
O17 - HKLM\System\CCS\Services\Tcpip\..\{BC841BD4-FA49-402A-A7F5-01F0EC359448}: NameServer = 192.168.8.1
O18 - Filter: text/html - {2F6E85DC-8D2D-4896-8A4F-7DF8A7B1749D} - C:\PROGRA~1\Jalmp\jalmp.dll
O20 - Winlogon Notify: DateTime - C:\WINDOWS\system32\jlsh400.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

#4 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts

Posted 23 February 2006 - 08:30 PM

DownLoad http://www.intermute.com/spysubtract/cwshr...r_download.html
Close all browser windows, unzip the file, click on cwshredder.exe, then click "Fix".

Download About:Buster from:
http://www.majorgeeks.com/download4289.html
Double-click aboutbuster.exe, click Begin Removal, click Yes to shut down IE, click Start, then click OK.

Fix these with HJT – mark them, close IE, click fix checked

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

O2 - BHO: Trixie.Bho - {B0744341-96E0-4341-9ED2-8BC36CE0CCD0} - mscoree.dll (file missing)

O4 - HKLM\..\Run: [gimmygames] C:\windows\gimmygames10a.exe

O9 - Extra button: (no name) - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\system32\mscoree.DLL

O9 - Extra 'Tools' menuitem: Tri&xie Options... - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\system32\mscoree.DLL

O18 - Filter: text/html - {2F6E85DC-8D2D-4896-8A4F-7DF8A7B1749D} - C:\PROGRA~1\Jalmp\jalmp.dll

O20 - Winlogon Notify: DateTime - C:\WINDOWS\system32\jlsh400.dll (file missing)

Download http://www.downloads.subratam.org/KillBox.zip

Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\PROGRAM FILES\Jalmp
C:\windows\gimmygames10a.exe

Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

START – RUN – type in %temp% OK - Edit – Select all – File – Delete

Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

Not all temp files will delete and that is normal
Empty the recycle bin
Boot and post a new log from normal NOT safe mode

Please give feedback on what worked/didn’t work and the current status of your system
"Nothing could be finer than to be in South Carolina ............"

Member ASAP
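
A small triage helper for the HijackThis log format used throughout this thread, added here as an illustration and not taken from the thread or from the HijackThis project itself. The sample entries are copied from the logs posted above, and the heuristics simply encode the patterns MFDnSC marked for fixing (about:blank search URLs, the text/html filter, a missing Winlogon Notify DLL, an autorun .exe sitting in the Windows folder).

```python
import re
from typing import Dict, List, Optional, Tuple

# Entry lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [gimmygames] C:\windows\gimmygames10a.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O18 - Filter: text/html - {2F6E85DC-8D2D-4896-8A4F-7DF8A7B1749D} - C:\PROGRA~1\Jalmp\jalmp.dll
O20 - Winlogon Notify: DateTime - C:\WINDOWS\system32\jlsh400.dll (file missing)
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Avast4\ashServ.exe
"""

# A HijackThis entry line is "<section code> - <detail>", e.g. "O4 - HKLM\..\Run: ...".
ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")

def parse_entries(log: str) -> List[Tuple[str, str]]:
    """Return (section, detail) pairs for every entry line in a HJT log."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def triage(section: str, detail: str) -> Optional[str]:
    """Explain why an entry deserves a closer look, or None if nothing stands out.
    The rules encode the patterns the helper in this thread marked for fixing."""
    low = detail.lower()
    if section in ("R0", "R1") and low.endswith("= about:blank"):
        return "IE search/start URL reset to about:blank (classic CWS symptom)"
    if section == "O18" and low.startswith("filter: text/html"):
        return "text/html MIME filter hooked: a DLL rewrites every page IE renders"
    if section == "O20" and "(file missing)" in low:
        return "Winlogon Notify DLL that no longer exists (leftover hook)"
    if section == "O4" and re.search(r"c:\\windows\\[^\\]+\.exe$", low):
        return "autorun executable dropped directly in the Windows folder"
    return None

def flag_log(log: str) -> Dict[str, str]:
    """Map each suspicious entry's detail text to the reason it was flagged."""
    flagged = {}
    for section, detail in parse_entries(log):
        reason = triage(section, detail)
        if reason:
            flagged[detail] = reason
    return flagged
```

Running `flag_log(SAMPLE_LOG)` flags four of the seven entries and leaves the Spybot BHO and the avast! entries alone; real logs need a human review on top, since a legitimate program can also show "(file missing)".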

#5 chessking327

chessking327
  • Topic Starter

  • Members
  • 3 posts

Posted 26 February 2006 - 01:48 PM

MFDnSC,

thanks.. here's what happened...

First of all it doesn't seem to be hijacking me anymore, so that's great. I tried all of what you said above
for HijackThis except for the following lines...


O2 - BHO: Trixie.Bho - {B0744341-96E0-4341-9ED2-8BC36CE0CCD0} - mscoree.dll (file missing)
O9 - Extra button: (no name) - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\system32\mscoree.DLL

O9 - Extra 'Tools' menuitem: Tri&xie Options... - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\system32\mscoree.DLL

The reason I didn't do those lines was because they referenced, or I thought they were related to, Trixie,
which is a program I want to keep. If you still think they are a danger or should be removed please let me know.

Also, the following line was no longer listed in a HijackThis scan...

O18 - Filter: text/html - {2F6E85DC-8D2D-4896-8A4F-7DF8A7B1749D} - C:\PROGRA~1\Jalmp\jalmp.dll


For CWShredder...

Previously CWShredder (same version of the program) was constantly finding only CWS.hiddendll. It would say it was removed, but after scanning again it would just repeat the message every time (saying it found it and removed it). After I followed your last post there, now it is not even finding that one, so that's more good news.

For About:Buster...

About:Buster never found any infections. Also, it crashed at the end of the program with an error that said comctl32.ocx was not found.

Also, I think you were right about the gimmygames and Jalmp. I have no idea what those were, or how they got there. There were also some gimmygames.dat files at the same location that I deleted as well.




Here is a new scan with HijackThis...
***************************************
Logfile of HijackThis v1.99.1
Scan saved at 1:43:46 PM, on 2/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Avast4\ashDisp.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\download\hijackthis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Trixie.Bho - {B0744341-96E0-4341-9ED2-8BC36CE0CCD0} - mscoree.dll (file missing)
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O9 - Extra button: (no name) - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\system32\mscoree.DLL
O9 - Extra 'Tools' menuitem: Tri&xie Options... - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\system32\mscoree.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1139968909953
O17 - HKLM\System\CCS\Services\Tcpip\..\{BC841BD4-FA49-402A-A7F5-01F0EC359448}: NameServer = 192.168.8.1
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe


****************************************************

So things look good, at least better than before, although this spyware seems to keep coming back.

It seemed to me that the more effective tools were ewido (it found about 130+ items originally, and then only about 6 cookies after everything was done), CWShredder (except for the CWS.hiddendll it could not remove), and HijackThis (if you know how to use it).
The less effective tool seemed to be About:Buster.
Ad-Aware and Spybot seem generally good, but they were not able to get this CoolWebSearch problem.

I will keep an eye on it and post again if it looks like it has returned. Thank you very much for your help.
:thumbsup: Bill

Edited by chessking327, 26 February 2006 - 02:04 PM.
