COOL WEB SEARCH - RES:// HIJACK ! please help me !

Discussion in 'adware, spyware & hijack cleaning' started by Bdawg99, Jul 5, 2004.

Thread Status:
Not open for further replies.
  1. Bdawg99

    Bdawg99, Registered Member (Joined: Jul 5, 2004; Posts: 1)
    I CANNOT GET RID OF THIS COOL WEB SEARCH VIRUS. I will donate a significant amount of money to this website if someone will please take the time to tell me how to remove this. Thank you

    Here are my HIJACK FINDINGS:


    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Softex\OmniPass\Omniserv.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\appwv.exe
    C:\Program Files\Softex\OmniPass\OPXPApp.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\NETSTATT.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Common Files\AOL\ACS\acsd.exe
    C:\WINDOWS\system32\winor.exe
    C:\Program Files\America Online 9.0c\waol.exe
    C:\Program Files\America Online 9.0c\shellmon.exe
    C:\Program Files\America Online 9.0c\aolwbspd.exe
    C:\Documents and Settings\Owner.YOUR-O0KWKW9JWC.000\My Documents\Three\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\OWNERY~1.000\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\OWNERY~1.000\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\OWNERY~1.000\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\OWNERY~1.000\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\OWNERY~1.000\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ciajr.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ciajr.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\OWNERY~1.000\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {B82F7027-29C0-F4B5-B656-3805CE1E8738} - C:\WINDOWS\system32\winor.dll
    O4 - HKLM\..\Run: [Yahoo Messenger] NETSTATT.EXE
    O4 - HKLM\..\Run: [winor.exe] C:\WINDOWS\system32\winor.exe
    O4 - HKCU\..\RunOnce: [Yahoo Messenger] NETSTATT.EXE
    O17 - HKLM\System\CCS\Services\Tcpip\..\{BD05CFBB-EF3C-4AA0-A2E1-1DDCBACFEC42}: NameServer = 205.188.146.146
     
  2. IMM

    IMM, Spyware Fighter (Joined: May 6, 2004; Posts: 351)
    Could you please download appinit.zip

    Unzip it so that both files (regread.exe and runread.exe) are in the same folder then double click on runread.exe to run it.
    After it's been run there will be a "regread.log" file in the same folder you unzipped it to. Please open that file with notepad or similar editor and post the contents here.
     