I've Got Evil Coolwebsearch Malware

Discussion in 'adware, spyware & hijack cleaning' started by MrBob, May 24, 2004.

Thread Status:
Not open for further replies.
  1. MrBob

    MrBob Registered Member

    Joined:
    May 24, 2004
    Posts:
    3
    Hello, I've been infected by some kind of evil CoolWebSearch malware, and it is driving me insane. I have removed it with Ad-aware 6 and CWShredder, but the damn thing keeps coming back. It changes my IE home page to about:blank, which is some kind of search page, and then the old "you've got spyware" popups happen. Any help would be greatly appreciated.

    Here is part of the Ad-aware log:

    CoolWebSearch Object recognized!
    Type : RegValue
    Data :
    Category : Malware
    Comment : "HOMEOldSP"
    Rootkey : HKEY_LOCAL_MACHINE
    Object : SOFTWARE\Microsoft\Internet Explorer\Main
    Value : HOMEOldSP


    Registry scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 1
    Objects found so far: 1



    And this is the HijackThis log:


    Logfile of HijackThis v1.97.7
    Scan saved at 6:08:25 PM, on 5/24/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Micro Center\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\aijl.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\aijl.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\aijl.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\aijl.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\aijl.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\aijl.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {3922D5B1-2B03-430E-9FA0-A601E396189B} - C:\WINDOWS\System32\aijl.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    O9 - Extra button: ATI TV (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38131.3806597222
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{25E70C63-7CDC-4A5D-911E-57B749A9CE99}: NameServer = 208.190.196.2 208.190.196.3


    If you need anything else let me know.
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hi MrBob,

    First make sure Windows and IE are fully updated.

    Download and unzip: http://www.rokop-security.de/main/download.php?op=getit&lid=59
    Then close as many programs as possible and click *Desinfektion starten* ("Start disinfection").

    Your computer will reboot and start with the same program.
    Close it and run HijackThis again. Post the new log.

    Regards,

    Pieter
     
  3. MrBob

    MrBob Registered Member

    Joined:
    May 24, 2004
    Posts:
    3
    Thanks for responding. I updated the system yesterday before posting and forgot to mention it. I ran the program and it didn't find anything.

    Here is the HijackThis log:

    Logfile of HijackThis v1.97.7
    Scan saved at 12:55:39 PM, on 5/25/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\Documents and Settings\Micro Center\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\aijl.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\aijl.dll/sp.html (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://excite.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\aijl.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\aijl.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\aijl.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\aijl.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.101.16.100:3128
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {3922D5B1-2B03-430E-9FA0-A601E396189B} - C:\WINDOWS\System32\aijl.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    O9 - Extra button: ATI TV (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38131.3806597222
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    -------------------------------------------------------

    Here is the log for SPhjFix; I ran it twice:

    5/25/2004 12:52:55 PM SPhjFix started v1.07
    5/25/2004 12:52:55 PM Stealth-String not found -> Programm terminated
    5/25/2004 12:55:56 PM SPhjFix started v1.07
    5/25/2004 12:55:56 PM Stealth-String not found -> Programm terminated

    ----------------------------------------------------------


    Ad-aware found four items this time:

    Lavasoft Ad-aware Personal Build 6.181
    Logfile created on :Tuesday, May 25, 2004 12:58:40 PM
    Created with Ad-aware Personal, free for private use.
    Using reference-file :01R298 20.04.2004
    ______________________________________________________

    Reffile status:
    =========================
    Reference file loaded:
    Reference Number : 01R298 20.04.2004
    Internal build : 229
    File location : C:\PROGRA~1\Lavasoft\AD-AWA~1\reflist.ref
    Total size : 1067557 Bytes
    Signature data size : 1049356 Bytes
    Reference data size : 18137 Bytes
    Signatures total : 23569
    Target categories : 10
    Target families : 455

    Memory + processor status:
    ==========================
    Number of processors : 1
    Processor architecture : Intel Pentium IV
    Memory available:70 %
    Total physical memory:523764 kb
    Available physical memory:364332 kb
    Total page file size:1231572 kb
    Available on page file:1104900 kb
    Total virtual memory:2097024 kb
    Available virtual memory:2058592 kb
    OS:

    Ad-aware Settings
    =========================
    Set : Activate in-depth scan (Recommended)
    Set : Safe mode (always request confirmation)
    Set : Scan active processes
    Set : Scan registry
    Set : Deep scan registry
    Set : Scan my IE Favorites for banned URLs
    Set : Scan within archives
    Set : Scan my Hosts file


    5-25-2004 12:58:40 PM - Scan started. (Custom mode)

    Listing running processes
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    #:1 [smss.exe]
    FilePath : \SystemRoot\System32\
    ThreadCreationTime : 5-25-2004 5:54:04 PM
    BasePriority : Normal


    #:2 [winlogon.exe]
    FilePath : \??\C:\WINDOWS\system32\
    ThreadCreationTime : 5-25-2004 5:54:11 PM
    BasePriority : High


    #:3 [services.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 5-25-2004 5:54:11 PM
    BasePriority : Normal
    FileSize : 99 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Services and Controller app
    InternalName : services.exe
    OriginalFilename : services.exe
    ProductName : Microsoft
    Created on : 9/18/2002 11:21:34 PM
    Last accessed : 5/25/2004 5:54:11 PM
    Last modified : 8/29/2002 12:00:00 PM

    #:4 [lsass.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 5-25-2004 5:54:11 PM
    BasePriority : Normal
    FileSize : 11 KB
    FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
    ProductVersion : 5.1.2600.1106
    CompanyName : Microsoft Corporation
    FileDescription : LSA Shell (Export Version)
    InternalName : lsass.exe
    OriginalFilename : lsass.exe
    ProductName : Microsoft
    Created on : 9/18/2002 11:20:48 PM
    Last accessed : 5/25/2004 5:10:24 PM
    Last modified : 8/29/2002 12:00:00 PM

    #:5 [svchost.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 5-25-2004 5:54:11 PM
    BasePriority : Normal
    FileSize : 12 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    OriginalFilename : svchost.exe
    ProductName : Microsoft
    Created on : 9/18/2002 11:21:43 PM
    Last accessed : 5/25/2004 5:54:32 PM
    Last modified : 8/29/2002 12:00:00 PM

    #:6 [svchost.exe]
    FilePath : C:\WINDOWS\System32\
    ThreadCreationTime : 5-25-2004 5:54:11 PM
    BasePriority : Normal
    FileSize : 12 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    OriginalFilename : svchost.exe
    ProductName : Microsoft
    Created on : 9/18/2002 11:21:43 PM
    Last accessed : 5/25/2004 5:54:32 PM
    Last modified : 8/29/2002 12:00:00 PM

    #:7 [spoolsv.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 5-25-2004 5:54:12 PM
    BasePriority : Normal
    FileSize : 50 KB
    FileVersion : 5.1.2600.0 (XPClient.010817-1148)
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Spooler SubSystem App
    InternalName : spoolsv.exe
    OriginalFilename : spoolsv.exe
    ProductName : Microsoft
    Created on : 9/18/2002 11:21:41 PM
    Last accessed : 5/25/2004 5:10:24 PM
    Last modified : 8/29/2002 12:00:00 PM

    #:8 [ccevtmgr.exe]
    FilePath : C:\Program Files\Common Files\Symantec Shared\
    ThreadCreationTime : 5-25-2004 5:54:12 PM
    BasePriority : Normal
    FileSize : 309 KB
    FileVersion : 1.03.4
    ProductVersion : 1.03.4
    Copyright : Copyright (c) 2000-2002 Symantec Corporation. All rights reserved.
    CompanyName : Symantec Corporation
    FileDescription : Event Manager Service
    InternalName : ccEvtMgr
    OriginalFilename : ccEvtMgr.exe
    ProductName : Event Manager
    Created on : 5/31/2003 3:10:28 PM
    Last accessed : 5/25/2004 5:10:24 PM
    Last modified : 11/13/2002 9:44:02 PM

    #:9 [navapsvc.exe]
    FilePath : C:\Program Files\Norton AntiVirus\
    ThreadCreationTime : 5-25-2004 5:54:17 PM
    BasePriority : Normal
    FileSize : 113 KB
    FileVersion : 9.05.1015
    ProductVersion : 9.05.1015
    Copyright : Copyright (c) 2000-2002 Symantec Corporation. All rights reserved.
    CompanyName : Symantec Corporation
    FileDescription : Norton AntiVirus Auto-Protect Service
    InternalName : NAVAPSVC
    OriginalFilename : NAVAPSVC.EXE
    ProductName : Norton AntiVirus
    Created on : 4/30/2003 4:51:40 AM
    Last accessed : 5/25/2004 5:10:24 PM
    Last modified : 11/15/2002 12:41:26 AM

    #:10 [nvsvc32.exe]
    FilePath : C:\WINDOWS\System32\
    ThreadCreationTime : 5-25-2004 5:54:17 PM
    BasePriority : Normal
    FileSize : 92 KB
    FileVersion : 6.13.10.4041
    ProductVersion : 6.13.10.4041
    Copyright : (C) NVIDIA Corporation. All rights reserved.
    CompanyName : NVIDIA Corporation
    FileDescription : NVIDIA Driver Helper Service, Version 40.41
    InternalName : NVSVC
    OriginalFilename : nvsvc32.exe
    ProductName : NVIDIA Driver Helper Service, Version 40.41
    Created on : 8/27/2002 1:47:00 PM
    Last accessed : 5/25/2004 5:10:24 PM
    Last modified : 8/27/2002 1:47:00 PM

    #:11 [vsmon.exe]
    FilePath : C:\WINDOWS\system32\ZoneLabs\
    ThreadCreationTime : 5-25-2004 5:54:18 PM
    BasePriority : Normal
    FileSize : 893 KB
    FileVersion : 3.7.143
    ProductVersion : 3.7.143
    Copyright : Copyright
    CompanyName : Zone Labs Inc.
    FileDescription : TrueVector Service
    InternalName : vsmon
    OriginalFilename : vsmon.exe
    ProductName : TrueVector Service
    Created on : 5/19/2003 4:16:35 PM
    Last accessed : 5/25/2004 5:10:24 PM
    Last modified : 3/14/2003 8:36:18 AM

    #:12 [explorer.exe]
    FilePath : C:\WINDOWS\
    ThreadCreationTime : 5-25-2004 5:54:25 PM
    BasePriority : Normal
    FileSize : 980 KB
    FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
    ProductVersion : 6.00.2800.1106
    CompanyName : Microsoft Corporation
    FileDescription : Windows Explorer
    InternalName : explorer
    OriginalFilename : EXPLORER.EXE
    ProductName : Microsoft
    Created on : 9/18/2002 11:20:32 PM
    Last accessed : 5/25/2004 5:54:34 PM
    Last modified : 8/29/2002 12:00:00 PM

    #:13 [soundman.exe]
    FilePath : C:\WINDOWS\
    ThreadCreationTime : 5-25-2004 5:54:26 PM
    BasePriority : Normal
    FileSize : 45 KB
    FileVersion : 5.0.02
    ProductVersion : 5.0.02
    Copyright : Copyright (c) 2001-2002 Avance Logic, Inc.
    CompanyName : Avance Logic, Inc.
    FileDescription : Avance Sound Manager
    InternalName : ALSMTray
    OriginalFilename : ALSMTray.exe
    ProductName : Avance Sound Manager
    Created on : 9/18/2002 11:22:42 PM
    Last accessed : 5/25/2004 5:54:26 PM
    Last modified : 9/13/2002 12:57:43 PM

    #:14 [ccapp.exe]
    FilePath : C:\Program Files\Common Files\Symantec Shared\
    ThreadCreationTime : 5-25-2004 5:54:26 PM
    BasePriority : Normal
    FileSize : 53 KB
    FileVersion : 1.08.01
    ProductVersion : 1.08.01
    Copyright : Copyright (c) 2000-2002 Symantec Corporation. All rights reserved.
    CompanyName : Symantec Corporation
    FileDescription : Common Client CC App
    InternalName : ccApp
    OriginalFilename : ccApp.exe
    ProductName : Common Client
    Created on : 7/28/2003 3:33:43 PM
    Last accessed : 5/25/2004 5:54:29 PM
    Last modified : 5/20/2003 12:34:10 PM

    #:15 [msmsgs.exe]
    FilePath : C:\Program Files\Messenger\
    ThreadCreationTime : 5-25-2004 5:54:27 PM
    BasePriority : Normal
    FileSize : 1476 KB
    FileVersion : 4.7.0041
    ProductVersion : Version 4.7
    Copyright : Copyright (c) Microsoft Corporation 1997-2001
    CompanyName : Microsoft Corporation
    FileDescription : Messenger
    InternalName : msmsgs
    OriginalFilename : msmsgs.exe
    ProductName : Messenger
    Created on : 9/18/2002 11:36:15 PM
    Last accessed : 5/25/2004 5:54:34 PM
    Last modified : 8/20/2002 10:08:38 PM

    #:16 [zonealarm.exe]
    FilePath : C:\Program Files\Zone Labs\ZoneAlarm\
    ThreadCreationTime : 5-25-2004 5:54:27 PM
    BasePriority : Normal
    FileSize : 609 KB
    FileVersion : 3.7.143
    ProductVersion : 3.7.143
    Copyright : Copyright
    CompanyName : Zone Labs Inc.
    FileDescription : ZoneAlarm
    InternalName : zonealarm
    OriginalFilename : zonealarm.exe
    ProductName : ZoneAlarm
    Created on : 5/19/2003 4:16:37 PM
    Last accessed : 5/25/2004 5:54:27 PM
    Last modified : 3/14/2003 8:37:26 AM

    #:17 [sgmain.exe]
    FilePath : C:\Program Files\SpywareGuard\
    ThreadCreationTime : 5-25-2004 5:54:27 PM
    BasePriority : Normal
    FileSize : 352 KB
    FileVersion : 2.02.0001
    ProductVersion : 2.02.0001
    Copyright : Copyright (C) 2002-2003 Javacool Software LLC
    FileDescription : SpywareGuard
    InternalName : sgmain
    OriginalFilename : sgmain.exe
    ProductName : SpywareGuard
    Created on : 8/30/2003 12:05:35 AM
    Last accessed : 5/25/2004 5:54:27 PM
    Last modified : 8/30/2003 12:05:35 AM

    #:18 [sgbhp.exe]
    FilePath : C:\Program Files\SpywareGuard\
    ThreadCreationTime : 5-25-2004 5:54:28 PM
    BasePriority : Normal
    FileSize : 228 KB
    FileVersion : 2.02.0001
    ProductVersion : 2.02.0001
    Copyright : Copyright (C) 2002-2003 Javacool Software LLC.
    FileDescription : SG Browser Hijacking Protection
    InternalName : sgbhp
    OriginalFilename : sgbhp.exe
    ProductName : SG Browser Hijacking Protection
    Created on : 8/29/2003 4:14:56 PM
    Last accessed : 5/25/2004 5:10:24 PM
    Last modified : 8/29/2003 4:14:56 PM

    #:19 [devldr32.exe]
    FilePath : C:\WINDOWS\System32\
    ThreadCreationTime : 5-25-2004 5:54:28 PM
    BasePriority : Normal
    FileSize : 23 KB
    FileVersion : 1, 0, 0, 17
    ProductVersion : 1, 0, 0, 17
    Copyright : Copyright (C) Creative Technology Ltd. 1998-2001
    CompanyName : Creative Technology Ltd.
    FileDescription : DevLdr32
    InternalName : DevLdr
    OriginalFilename : DevLdr32.exe
    ProductName : Creative Ring3 NT Inteface
    Created on : 5/1/2003 9:16:23 PM
    Last accessed : 5/25/2004 5:10:24 PM
    Last modified : 8/18/2001 3:36:42 AM

    #:20 [ad-aware.exe]
    FilePath : C:\PROGRA~1\Lavasoft\AD-AWA~1\
    ThreadCreationTime : 5-25-2004 5:58:34 PM
    BasePriority : Normal
    FileSize : 668 KB
    FileVersion : 6.0.1.181
    ProductVersion : 6.0.0.0
    Copyright : Copyright
    CompanyName : Lavasoft Sweden
    FileDescription : Ad-aware 6 core application
    InternalName : Ad-aware.exe
    OriginalFilename : Ad-aware.exe
    ProductName : Lavasoft Ad-aware Plus
    Created on : 4/28/2004 4:44:26 AM
    Last accessed : 5/25/2004 5:58:34 PM
    Last modified : 7/13/2003 2:00:20 AM

    Memory scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 0


    Started registry scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    CoolWebSearch Object recognized!
    Type : RegValue
    Data :
    Category : Malware
    Comment : "HOMEOldSP"
    Rootkey : HKEY_LOCAL_MACHINE
    Object : SOFTWARE\Microsoft\Internet Explorer\Main
    Value : HOMEOldSP


    Registry scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 1
    Objects found so far: 1


    Started deep registry scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    Deep registry scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 1


    Deep scanning and examining files (C:)
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    Tracking Cookie Object recognized!
    Type : File
    Data : micro center@zedo[2].txt
    Category : Data Miner
    Comment :
    Object : C:\Documents and Settings\Micro Center\Cookies\

    Created on : 5/25/2004 2:13:29 AM
    Last accessed : 5/25/2004 6:00:01 PM
    Last modified : 5/25/2004 2:13:30 AM



    Disk scan result for C:\
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 2


    Scanning Hosts file(C:\WINDOWS\System32\drivers\etc\hosts)
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    Hosts file scan result:
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    1 entries scanned.
    New objects :0
    Objects found so far: 2




    Performing conditional scans..
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    CoolWebSearch Object recognized!
    Type : RegKey
    Data :
    Category : Malware
    Comment :
    Rootkey : HKEY_CLASSES_ROOT
    Object : PROTOCOLS\Filter\text/html


    CoolWebSearch Object recognized!
    Type : RegKey
    Data :
    Category : Malware
    Comment :
    Rootkey : HKEY_CLASSES_ROOT
    Object : PROTOCOLS\Filter\text/plain


    Conditional scan result:
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 2
    Objects found so far: 4


    1:05:57 PM Scan complete

    Summary of this scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    Total scanning time :00:07:17:281
    Objects scanned :111468
    Objects identified :4
    Objects ignored :0
    New objects :4


    Hope this helps, thanks.
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
  5. MrBob

    MrBob Registered Member

    Joined:
    May 24, 2004
    Posts:
    3
    Sorry for the delay in replying; I was able to remove it and then I got really busy. Anyway, I tried that program you suggested and it didn't work. However, it did identify the .dll file that was responsible: it was aijl.dll. Anyway, I was to the point where I was willing to reformat. So in Safe Mode I ran HijackThis and deleted everything with aijl.dll listed in it. Then I went and deleted C:\WINDOWS\System32\aijl.dll (prior to this I was unable to delete it). After that I ran Ad-aware and CWShredder and my system was and still is clean.

    Thanks for your help. I still have the dllfix submit.zip file, and if you want a copy of it let me know where to email it.

    Also, here is the HijackThis log after I cleaned the system:

    Logfile of HijackThis v1.97.7
    Scan saved at 10:44:16 PM, on 6/1/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsescn.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    c:\progra~1\mcafee.com\vso\mcvsftsn.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Micro Center\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://excite.com/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    O9 - Extra button: ATI TV (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {11111111-1111-1111-1111-111111111732} - file://c:\progra~1\pl.exe
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,81/mcinsctl.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38131.3806597222
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,19/mcgdmgr.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{25E70C63-7CDC-4A5D-911E-57B749A9CE99}: NameServer = 208.190.196.2 208.190.196.3
     
  6. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Run HijackThis and fix:
    O16 - DPF: {11111111-1111-1111-1111-111111111732} - file://c:\progra~1\pl.exe

    and then delete c:\program files\pl.exe if it still exists.

    Turn off System Restore by following the instructions here:
    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039
    That will purge the restore folder and clear any malware that has been put in there. Then reboot, re-enable System Restore and create a new restore point.

    Read here https://www.wilderssecurity.com/showthread.php?t=27971 for info on how to tighten your security settings and how to help prevent future attacks.

    And go here, click Scan for updates in the main frame, and download and install all CRITICAL updates recommended.
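The same indicators recur across the three HijackThis logs in this thread (the search values served from res://C:\WINDOWS\System32\aijl.dll/sp.html, the nameless BHO loading aijl.dll straight from System32, the HomeOldSP leftover), and dvk01's last post adds an O16 DPF entry pointing at a local file. The Python script below is an added example, not code from the thread, from HijackThis or from any of the tools named here: it parses those HijackThis line formats and applies triage rules whose names and severities are this example's own, then lists the files the flagged entries point at, because fixing the entries in HijackThis does not delete the DLL that MrBob in the end had to remove from Safe Mode. The sample lines are constructed from the logs posted above.

```python
"""Triage rules for HijackThis v1.9x log lines (added example).

Parses the R0/R1/O2/O16/O17 line formats seen in the logs above and flags the
CoolWebSearch about:blank indicators they contain.  Rule names, severities and
the "artifact" bookkeeping are this example's own choices, not HijackThis
features; the sample lines are constructed from the thread's logs.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: lines copied from the logs posted above, one per rule.
SAMPLE_LOG = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\aijl.dll/sp.html (obfuscated)",
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://excite.com/",
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank",
    r"O2 - BHO: (no name) - {3922D5B1-2B03-430E-9FA0-A601E396189B} - C:\WINDOWS\System32\aijl.dll",
    r"O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll",
    r"O4 - HKLM\..\Run: [nwiz] nwiz.exe /install",
    r"O16 - DPF: {11111111-1111-1111-1111-111111111732} - file://c:\progra~1\pl.exe",
    r"O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{25E70C63-7CDC-4A5D-911E-57B749A9CE99}: NameServer = 208.190.196.2 208.190.196.3",
]

LINE_RE = re.compile(r"^(?P<code>[RO]\d{1,2}) - (?P<rest>.*)$")
RES_DLL_RE = re.compile(r"res://(?P<dll>[^/]+\.dll)/", re.IGNORECASE)
CLSID = r"\{[0-9A-Fa-f-]{36}\}"
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>" + CLSID + r") - (?P<path>.+)$")
DPF_RE = re.compile(r"^DPF: (?P<clsid>" + CLSID + r")(?: \((?P<name>[^)]*)\))? - (?P<url>.+)$")
NS_RE = re.compile(r"NameServer = (?P<servers>.+)$")


@dataclass
class Finding:
    code: str        # HijackThis section code, e.g. "R1" or "O2"
    rule: str        # human-readable reason
    severity: str    # "high", "medium" or "info" (this example's own scale)
    line: str        # the offending log line
    artifact: Optional[str] = None  # file on disk the entry points at, if any


def triage_line(line: str) -> List[Finding]:
    """Apply the rules to one log line; returns an empty list for benign lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    code, rest = m.group("code"), m.group("rest")
    found: List[Finding] = []

    if code in ("R0", "R1"):
        name, _, value = rest.partition(" = ")
        res = RES_DLL_RE.search(value)
        if res:  # search page served out of a DLL resource: the CWS sp.html trick
            found.append(Finding(code, "IE search/start value served from a DLL resource",
                                 "high", line.strip(), res.group("dll")))
        if name.endswith(",HomeOldSP"):  # CWS keeps the replaced start page here
            found.append(Finding(code, "HomeOldSP value present (CoolWebSearch leftover)",
                                 "medium", line.strip()))
    elif code == "O2":
        b = BHO_RE.match(rest)
        if b and b.group("name") == "(no name)" and "\\system32\\" in b.group("path").lower():
            found.append(Finding(code, "nameless BHO loaded straight from System32",
                                 "high", line.strip(), b.group("path")))
    elif code == "O16":
        d = DPF_RE.match(rest)
        if d and d.group("url").lower().startswith("file://"):
            found.append(Finding(code, "DPF entry points at a local file, not a vendor CAB",
                                 "high", line.strip(), d.group("url")[len("file://"):]))
    elif code == "O17":
        ns = NS_RE.search(rest)
        if ns:  # not malicious by itself; verify the addresses belong to the ISP
            found.append(Finding(code, "hard-coded NameServer " + ns.group("servers"),
                                 "info", line.strip()))
    return found


def triage_log(lines) -> List[Finding]:
    """Run triage_line over a whole log (any iterable of lines)."""
    return [f for line in lines for f in triage_line(line)]


def artifacts_to_delete(findings) -> set:
    """Files named by high-severity hits.  Fixing the registry entries in
    HijackThis does not remove these, so they need deleting separately."""
    return {f.artifact.lower() for f in findings if f.severity == "high" and f.artifact}


if __name__ == "__main__":
    hits = triage_log(SAMPLE_LOG)
    for f in hits:
        print(f"[{f.severity:6}] {f.code}: {f.rule}")
    print("files to remove after the HijackThis fix:", sorted(artifacts_to_delete(hits)))
```

Run it as a script to see the findings for the embedded sample, or pass the lines of a real log to triage_log(). The O17 rule is informational only: the 208.190.196.x servers in MrBob's log may well be his ISP's, and the rule exists so that the addresses get checked rather than overlooked.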
     