cool web lucky serahc again, Hijack this log

Discussion in 'adware, spyware & hijack cleaning' started by markusjd, Nov 12, 2003.

Thread Status:
Not open for further replies.
  1. markusjd

    markusjd Registered Member

    Joined:
    Oct 16, 2003
    Posts:
    18
    Hi, I seem to have caught the lucky search/coolweb etc bug again. Have tried: adaware, stinger, pozaclean, norton, coolwebshredder but no luck. Have already deleted anything with 'cool' in from my hijack this file but after reboot its back...heres my log....thanks!!!!!


    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\NILaunch.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Tiscali\tkonnect\tkonnect.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Outlook Express\msimn.exe
    C:\Documents and Settings\mark\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://cool-homepage
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://cool-homepage
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://66.250.57.28/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://cool-homepage
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://66.250.57.28/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://cool-homepage
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://cool-homepage
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://cool-homepage
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Tiscali
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://66.250.57.28/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFB1} - C:\WINDOWS\msigaj.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\System32\nzdd.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Net-It Launcher] C:\WINDOWS\System32\NILaunch.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKCU\..\Run: [tkonnect] C:\Program Files\Tiscali\tkonnect\tkonnect.exe updatemode
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{445FFD32-191A-477A-861F-CDD12FAAF34B}: NameServer = 212.74.112.67 212.74.114.129

    thanks for your help!

    Mark
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,429
    Location:
    Netherlands
    Hi markusjd,

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://cool-homepage
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://cool-homepage
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://66.250.57.28/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://cool-homepage
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://66.250.57.28/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://cool-homepage
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://cool-homepage
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://cool-homepage

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://66.250.57.28/

    O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFB1} - C:\WINDOWS\msigaj.dll

    Then reboot and it should stay away.

    Regards,

    Pieter
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.