CoolWebSearch Problems

Discussion in 'adware, spyware & hijack cleaning' started by lunchboxen, Jun 22, 2004.

Thread Status:
Not open for further replies.
  1. lunchboxen

    lunchboxen Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    2
    Seems I've been hijacked by the coolwebsearch spyware program. I've run Ad-Aware 6 and Spybot S&D numerous times, and each time it still finds problems.

    Firstly, each time I scan with Ad-Aware 6, it seems to repetitively find registry entries related to "possible browser hijack attempts" as well as a single file each time, listed in my System32 folder, related to the CoolWebSearch program. I've run both spyware programs numerous times, and it does not seem to rid me of this problem. Below I have posted my HJT log, in hopes that someone may be able to help me. From reading the log myself, I do not notice anything out of the ordinary. However, each time I reboot my computer, or after a couple of hours go by, new registry entries appear in the log file. Regardless, below is the log, after cleaning by both Spybot and Ad-Aware.

    A second problem I have is a puzzling one. I also run Spybot S&D's resident program. Basically, it watches for important registry entry changes, and allows me to either block or allow them. Now, every time it asks me to change these settings (usually upon exiting IE, or sometimes randomly), I ALWAYS press "Remember this decision" and "Deny change". However, these changes STILL take place. As puzzling as this is, I look forward to help from some of you more knowledgeable folks. Thank you in advance for your help.

    Logfile of HijackThis v1.97.7
    Scan saved at 2:45:44 AM, on 6/22/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFAGENT.EXE
    C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
    C:\Program Files\AIM95\aim.exe
    C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
    C:\Program Files\RamBooster\Rambooster.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Hijack This\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = NOT USED (OK)
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
    O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s /r
    O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [RamBooster] C:\Program Files\RamBooster\Rambooster.exe
    O4 - HKLM\..\RunOnce: [AOLToolbarDirRemoval] cmd.exe /C rd "C:\Program Files\AOL Toolbar"
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: AIM (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Pop Fu by pogo - http://popfu.pogo.com/applet-5.8.5.21/popfu/popfu-ob-assets.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37655.7363657407
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab


    Again, Thank you in advance for helping me with this ongoing and perplexing issue.

    Andrew
     
  2. lunchboxen

    lunchboxen Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    2
    Well, it seems I've solved the issue myself. Thank you for NOT getting back to me in any sort of timely fashion. I suppose as I did not bump my own thread in a desperate manner, I shouldn't have been noticed, and it is my own fault. Oh well. GG WS... Hope to never see you again.
     
  3. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,874
    Location:
    New England
    lunchboxen,

    I am happy that you were able to resolve your problem on your own; after all, getting a problem fixed is what it is all about. However, that is a pretty rude post you've just made here.

    If you haven't noticed, there are a very large number of hijack logs here and the people who volunteer their time to work these can't always get to them all quickly. Sometimes it does indeed take a day or two. Your post was less than 24 hours old, and it just hadn't been reached yet.
     