log from hijackthis: coolwebsearch keep coming

Discussion in 'adware, spyware & hijack cleaning' started by aksel, Apr 25, 2004.

Thread Status:
Not open for further replies.
  1. aksel

    aksel Guest

    coolwebsearch keeps coming, spyware blaster wont start (virus may have damaged executable)

    here is log from adaware 6.0:

    Logfile of HijackThis v1.97.7
    Scan saved at 20:31:23, on 25-04-2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\Program Files\WIDCOMM\Bluetooth-software\bin\btwdins.exe
    C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
    C:\Program Files\CA\eTrust Antivirus\InoRT.exe
    C:\Program Files\CA\eTrust Antivirus\InoTask.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Documents and Settings\aks\Application Data\ctsa.exe
    C:\Program Files\Global Audio Control\Global Audio Control.exe
    C:\Program Files\PGP Corporation\PGP for Windows XP\PGPtray.exe
    C:\Program Files\Avant Browser\iexplore.exe
    C:\Program Files\Avant Browser\aHTTP.exe
    C:\Program Files\Avant Browser\aHTTP.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\abdoda.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\abdoda.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\abdoda.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\abdoda.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\abdoda.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\abdoda.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.*.terma.com;<local>
    F1 - win.ini: run=C:\WINDOWS\System32\services\services.exe
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {E5A66E1C-174D-495C-AE2A-EA3498AA5EEA} - C:\WINDOWS\System32\abdoda.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [fwenc.exe] "C:\Program Files\CheckPoint\SecuRemote\bin\fwenc.exe"
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Roat] C:\Documents and Settings\aks\Application Data\ctsa.exe
    O4 - Global Startup: Global Audio Control.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: PGPtray.lnk = C:\Program Files\PGP Corporation\PGP for Windows XP\PGPtray.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: Bloker alle billeder fra den samme server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Marker forekomster af ord på denne side - C:\Program Files\Avant Browser\Highlight.htm
    O8 - Extra context menu item: Søg på ord - C:\Program Files\Avant Browser\Search.htm
    O8 - Extra context menu item: Tilføj til AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
    O8 - Extra context menu item: Åben alle links på denne side... - C:\Program Files\Avant Browser\OpenAllLinks.htm
    O9 - Extra button: @btrez.dll,-4015 (HKLM)
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://triton/tsweb/msrdp.cab
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37991.1991550926
    O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey®) - https://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = lystrup.terma.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = lystrup.terma.com
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = lystrup.terma.com

  2. Unzy

    Unzy Registered Member

    Nov 2, 2003

    Ok, instructions will be somewhat complex, follow them exactly :

    Start with the following:

    Go here:
    And download "Xfind.zip" from there.
    Unzip, run the 'find.bat' inside.
    Wait till it terminates and find 'log.txt' inside which
    you'd need to attach into your next reply.

    Next, do this:
    open the registry from start/run/regedit
    And expand the following:
    RightClick the 'filter' key, choose 'export' name it and save it somewhere

    Navigate to this key next:
    Microsoft\Windows NT\CurrentVersion\Windows
    Find this value on the right panel:
    "Appint_Dlls"< RightClick and rename to:
    Close regedit, reopen it to the same key, Hilite the
    'Windows' key there,
    Export it the same way and save.

    Lastly, navigate to:
    Browser Helper Objects<
    Export that Subfolder the same way.
    And proceed to do the following:

    RightClick Security/permissions on 'Browser Helper Objects'
    in 'advanced, de-select (uncheck) the
    "inherit from parent...permissions" lower box.
    Hit ok' and 'remove' on next prompts.

    That will prevent it from spreading further.

    Into your next reply, navigate to the reg files
    you saved, RightClick each>edit, copy the
    contents and post here, along with new hijackthis log.

    So waht you need to post next is :

    -Windows key
    -Browser Helper objects key
    -Filter key

    Good luck


Thread Status:
Not open for further replies.