I've Got Evil Coolwebsearch Malware

Discussion in 'adware, spyware & hijack cleaning' started by MrBob, May 24, 2004.

Thread Status:
Not open for further replies.
  1. MrBob

    MrBob Registered Member

    Joined:
    May 24, 2004
    Posts:
    3
    Hello, I've been infected by some kind of evil coolwebsearch malware, and it is driving me insane. I have removed it with adaware6 and CWEsherder, but the damn thing keeps comming back. It changes my IE home page to about:blank, which is some kind of search page, and then the old you've got spyware popups happen. Any help would be greatly appreciated.

    here is part of the adaware log:

    CoolWebSearch Object recognized!
    Type : RegValue
    Data :
    Category : Malware
    Comment : "HOMEOldSP"
    Rootkey : HKEY_LOCAL_MACHINE
    Object : SOFTWARE\Microsoft\Internet Explorer\Main
    Value : HOMEOldSP


    Registry scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 1
    Objects found so far: 1



    and this is the Hijackthis log:


    Logfile of HijackThis v1.97.7
    Scan saved at 6:08:25 PM, on 5/24/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Micro Center\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\aijl.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\aijl.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\aijl.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\aijl.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\aijl.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\aijl.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {3922D5B1-2B03-430E-9FA0-A601E396189B} - C:\WINDOWS\System32\aijl.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    O9 - Extra button: ATI TV (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38131.3806597222
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{25E70C63-7CDC-4A5D-911E-57B749A9CE99}: NameServer = 208.190.196.2 208.190.196.3


    If you need anything else let me know.
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,429
    Location:
    Netherlands
    Hi MrBob,

    First make sure Windows and IE are fully updated.

    Download and unzip: http://www.rokop-security.de/main/download.php?op=getit&lid=59
    Then close as many programs as possible and click *Desinfektion starten*

    Your computer wil reboot and start with the same program.
    Close it and run HijackThis again. Post the new log.

    Regards,

    Pieter
     
  3. MrBob

    MrBob Registered Member

    Joined:
    May 24, 2004
    Posts:
    3
    Thanks for responding, I updated the system yesterday before posting and forgot to mention it. I ran the program and it didn't find any thing.

    Here is the Hijackthis log:

    Logfile of HijackThis v1.97.7
    Scan saved at 12:55:39 PM, on 5/25/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\Documents and Settings\Micro Center\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\aijl.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\aijl.dll/sp.html (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://excite.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\aijl.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\aijl.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\aijl.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\aijl.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.101.16.100:3128
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {3922D5B1-2B03-430E-9FA0-A601E396189B} - C:\WINDOWS\System32\aijl.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    O9 - Extra button: ATI TV (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38131.3806597222
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    -------------------------------------------------------

    Here is the log for SPhjFix, I ran it twice:

    5/25/2004 12:52:55 PM SPhjFix started v1.07
    5/25/2004 12:52:55 PM Stealth-String not found -> Programm terminated
    5/25/2004 12:55:56 PM SPhjFix started v1.07
    5/25/2004 12:55:56 PM Stealth-String not found -> Programm terminated

    ----------------------------------------------------------


    Adaware found four items this time:

    Lavasoft Ad-aware Personal Build 6.181
    Logfile created on :Tuesday, May 25, 2004 12:58:40 PM
    Created with Ad-aware Personal, free for private use.
    Using reference-file :01R298 20.04.2004
    ______________________________________________________

    Reffile status:
    =========================
    Reference file loaded:
    Reference Number : 01R298 20.04.2004
    Internal build : 229
    File location : C:\PROGRA~1\Lavasoft\AD-AWA~1\reflist.ref
    Total size : 1067557 Bytes
    Signature data size : 1049356 Bytes
    Reference data size : 18137 Bytes
    Signatures total : 23569
    Target categories : 10
    Target families : 455

    Memory + processor status:
    ==========================
    Number of processors : 1
    Processor architecture : Intel Pentium IV
    Memory available:70 %
    Total physical memory:523764 kb
    Available physical memory:364332 kb
    Total page file size:1231572 kb
    Available on page file:1104900 kb
    Total virtual memory:2097024 kb
    Available virtual memory:2058592 kb
    OS:

    Ad-aware Settings
    =========================
    Set : Activate in-depth scan (Recommended)
    Set : Safe mode (always request confirmation)
    Set : Scan active processes
    Set : Scan registry
    Set : Deep scan registry
    Set : Scan my IE Favorites for banned URLs
    Set : Scan within archives
    Set : Scan my Hosts file


    5-25-2004 12:58:40 PM - Scan started. (Custom mode)

    Listing running processes
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    #:1 [smss.exe]
    FilePath : \SystemRoot\System32\
    ThreadCreationTime : 5-25-2004 5:54:04 PM
    BasePriority : Normal


    #:2 [winlogon.exe]
    FilePath : \??\C:\WINDOWS\system32\
    ThreadCreationTime : 5-25-2004 5:54:11 PM
    BasePriority : High


    #:3 [services.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 5-25-2004 5:54:11 PM
    BasePriority : Normal
    FileSize : 99 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-114:cool:
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Services and Controller app
    InternalName : services.exe
    OriginalFilename : services.exe
    ProductName : Microsoft
    Created on : 9/18/2002 11:21:34 PM
    Last accessed : 5/25/2004 5:54:11 PM
    Last modified : 8/29/2002 12:00:00 PM

    #:4 [lsass.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 5-25-2004 5:54:11 PM
    BasePriority : Normal
    FileSize : 11 KB
    FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
    ProductVersion : 5.1.2600.1106
    CompanyName : Microsoft Corporation
    FileDescription : LSA Shell (Export Version)
    InternalName : lsass.exe
    OriginalFilename : lsass.exe
    ProductName : Microsoft
    Created on : 9/18/2002 11:20:48 PM
    Last accessed : 5/25/2004 5:10:24 PM
    Last modified : 8/29/2002 12:00:00 PM

    #:5 [svchost.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 5-25-2004 5:54:11 PM
    BasePriority : Normal
    FileSize : 12 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-114:cool:
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    OriginalFilename : svchost.exe
    ProductName : Microsoft
    Created on : 9/18/2002 11:21:43 PM
    Last accessed : 5/25/2004 5:54:32 PM
    Last modified : 8/29/2002 12:00:00 PM

    #:6 [svchost.exe]
    FilePath : C:\WINDOWS\System32\
    ThreadCreationTime : 5-25-2004 5:54:11 PM
    BasePriority : Normal
    FileSize : 12 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-114:cool:
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    OriginalFilename : svchost.exe
    ProductName : Microsoft
    Created on : 9/18/2002 11:21:43 PM
    Last accessed : 5/25/2004 5:54:32 PM
    Last modified : 8/29/2002 12:00:00 PM

    #:7 [spoolsv.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 5-25-2004 5:54:12 PM
    BasePriority : Normal
    FileSize : 50 KB
    FileVersion : 5.1.2600.0 (XPClient.010817-114:cool:
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Spooler SubSystem App
    InternalName : spoolsv.exe
    OriginalFilename : spoolsv.exe
    ProductName : Microsoft
    Created on : 9/18/2002 11:21:41 PM
    Last accessed : 5/25/2004 5:10:24 PM
    Last modified : 8/29/2002 12:00:00 PM

    #:8 [ccevtmgr.exe]
    FilePath : C:\Program Files\Common Files\Symantec Shared\
    ThreadCreationTime : 5-25-2004 5:54:12 PM
    BasePriority : Normal
    FileSize : 309 KB
    FileVersion : 1.03.4
    ProductVersion : 1.03.4
    Copyright : Copyright (c) 2000-2002 Symantec Corporation. All rights reserved.
    CompanyName : Symantec Corporation
    FileDescription : Event Manager Service
    InternalName : ccEvtMgr
    OriginalFilename : ccEvtMgr.exe
    ProductName : Event Manager
    Created on : 5/31/2003 3:10:28 PM
    Last accessed : 5/25/2004 5:10:24 PM
    Last modified : 11/13/2002 9:44:02 PM

    #:9 [navapsvc.exe]
    FilePath : C:\Program Files\Norton AntiVirus\
    ThreadCreationTime : 5-25-2004 5:54:17 PM
    BasePriority : Normal
    FileSize : 113 KB
    FileVersion : 9.05.1015
    ProductVersion : 9.05.1015
    Copyright : Copyright (c) 2000-2002 Symantec Corporation. All rights reserved.
    CompanyName : Symantec Corporation
    FileDescription : Norton AntiVirus Auto-Protect Service
    InternalName : NAVAPSVC
    OriginalFilename : NAVAPSVC.EXE
    ProductName : Norton AntiVirus
    Created on : 4/30/2003 4:51:40 AM
    Last accessed : 5/25/2004 5:10:24 PM
    Last modified : 11/15/2002 12:41:26 AM

    #:10 [nvsvc32.exe]
    FilePath : C:\WINDOWS\System32\
    ThreadCreationTime : 5-25-2004 5:54:17 PM
    BasePriority : Normal
    FileSize : 92 KB
    FileVersion : 6.13.10.4041
    ProductVersion : 6.13.10.4041
    Copyright : (C) NVIDIA Corporation. All rights reserved.
    CompanyName : NVIDIA Corporation
    FileDescription : NVIDIA Driver Helper Service, Version 40.41
    InternalName : NVSVC
    OriginalFilename : nvsvc32.exe
    ProductName : NVIDIA Driver Helper Service, Version 40.41
    Created on : 8/27/2002 1:47:00 PM
    Last accessed : 5/25/2004 5:10:24 PM
    Last modified : 8/27/2002 1:47:00 PM

    #:11 [vsmon.exe]
    FilePath : C:\WINDOWS\system32\ZoneLabs\
    ThreadCreationTime : 5-25-2004 5:54:18 PM
    BasePriority : Normal
    FileSize : 893 KB
    FileVersion : 3.7.143
    ProductVersion : 3.7.143
    Copyright : Copyright
    CompanyName : Zone Labs Inc.
    FileDescription : TrueVector Service
    InternalName : vsmon
    OriginalFilename : vsmon.exe
    ProductName : TrueVector Service
    Created on : 5/19/2003 4:16:35 PM
    Last accessed : 5/25/2004 5:10:24 PM
    Last modified : 3/14/2003 8:36:18 AM

    #:12 [explorer.exe]
    FilePath : C:\WINDOWS\
    ThreadCreationTime : 5-25-2004 5:54:25 PM
    BasePriority : Normal
    FileSize : 980 KB
    FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
    ProductVersion : 6.00.2800.1106
    CompanyName : Microsoft Corporation
    FileDescription : Windows Explorer
    InternalName : explorer
    OriginalFilename : EXPLORER.EXE
    ProductName : Microsoft
    Created on : 9/18/2002 11:20:32 PM
    Last accessed : 5/25/2004 5:54:34 PM
    Last modified : 8/29/2002 12:00:00 PM

    #:13 [soundman.exe]
    FilePath : C:\WINDOWS\
    ThreadCreationTime : 5-25-2004 5:54:26 PM
    BasePriority : Normal
    FileSize : 45 KB
    FileVersion : 5.0.02
    ProductVersion : 5.0.02
    Copyright : Copyright (c) 2001-2002 Avance Logic, Inc.
    CompanyName : Avance Logic, Inc.
    FileDescription : Avance Sound Manager
    InternalName : ALSMTray
    OriginalFilename : ALSMTray.exe
    ProductName : Avance Sound Manager
    Created on : 9/18/2002 11:22:42 PM
    Last accessed : 5/25/2004 5:54:26 PM
    Last modified : 9/13/2002 12:57:43 PM

    #:14 [ccapp.exe]
    FilePath : C:\Program Files\Common Files\Symantec Shared\
    ThreadCreationTime : 5-25-2004 5:54:26 PM
    BasePriority : Normal
    FileSize : 53 KB
    FileVersion : 1.08.01
    ProductVersion : 1.08.01
    Copyright : Copyright (c) 2000-2002 Symantec Corporation. All rights reserved.
    CompanyName : Symantec Corporation
    FileDescription : Common Client CC App
    InternalName : ccApp
    OriginalFilename : ccApp.exe
    ProductName : Common Client
    Created on : 7/28/2003 3:33:43 PM
    Last accessed : 5/25/2004 5:54:29 PM
    Last modified : 5/20/2003 12:34:10 PM

    #:15 [msmsgs.exe]
    FilePath : C:\Program Files\Messenger\
    ThreadCreationTime : 5-25-2004 5:54:27 PM
    BasePriority : Normal
    FileSize : 1476 KB
    FileVersion : 4.7.0041
    ProductVersion : Version 4.7
    Copyright : Copyright (c) Microsoft Corporation 1997-2001
    CompanyName : Microsoft Corporation
    FileDescription : Messenger
    InternalName : msmsgs
    OriginalFilename : msmsgs.exe
    ProductName : Messenger
    Created on : 9/18/2002 11:36:15 PM
    Last accessed : 5/25/2004 5:54:34 PM
    Last modified : 8/20/2002 10:08:38 PM

    #:16 [zonealarm.exe]
    FilePath : C:\Program Files\Zone Labs\ZoneAlarm\
    ThreadCreationTime : 5-25-2004 5:54:27 PM
    BasePriority : Normal
    FileSize : 609 KB
    FileVersion : 3.7.143
    ProductVersion : 3.7.143
    Copyright : Copyright
    CompanyName : Zone Labs Inc.
    FileDescription : ZoneAlarm
    InternalName : zonealarm
    OriginalFilename : zonealarm.exe
    ProductName : ZoneAlarm
    Created on : 5/19/2003 4:16:37 PM
    Last accessed : 5/25/2004 5:54:27 PM
    Last modified : 3/14/2003 8:37:26 AM

    #:17 [sgmain.exe]
    FilePath : C:\Program Files\SpywareGuard\
    ThreadCreationTime : 5-25-2004 5:54:27 PM
    BasePriority : Normal
    FileSize : 352 KB
    FileVersion : 2.02.0001
    ProductVersion : 2.02.0001
    Copyright : Copyright (C) 2002-2003 Javacool Software LLC
    FileDescription : SpywareGuard
    InternalName : sgmain
    OriginalFilename : sgmain.exe
    ProductName : SpywareGuard
    Created on : 8/30/2003 12:05:35 AM
    Last accessed : 5/25/2004 5:54:27 PM
    Last modified : 8/30/2003 12:05:35 AM

    #:18 [sgbhp.exe]
    FilePath : C:\Program Files\SpywareGuard\
    ThreadCreationTime : 5-25-2004 5:54:28 PM
    BasePriority : Normal
    FileSize : 228 KB
    FileVersion : 2.02.0001
    ProductVersion : 2.02.0001
    Copyright : Copyright (C) 2002-2003 Javacool Software LLC.
    FileDescription : SG Browser Hijacking Protection
    InternalName : sgbhp
    OriginalFilename : sgbhp.exe
    ProductName : SG Browser Hijacking Protection
    Created on : 8/29/2003 4:14:56 PM
    Last accessed : 5/25/2004 5:10:24 PM
    Last modified : 8/29/2003 4:14:56 PM

    #:19 [devldr32.exe]
    FilePath : C:\WINDOWS\System32\
    ThreadCreationTime : 5-25-2004 5:54:28 PM
    BasePriority : Normal
    FileSize : 23 KB
    FileVersion : 1, 0, 0, 17
    ProductVersion : 1, 0, 0, 17
    Copyright : Copyright (C) Creative Technology Ltd. 1998-2001
    CompanyName : Creative Technology Ltd.
    FileDescription : DevLdr32
    InternalName : DevLdr
    OriginalFilename : DevLdr32.exe
    ProductName : Creative Ring3 NT Inteface
    Created on : 5/1/2003 9:16:23 PM
    Last accessed : 5/25/2004 5:10:24 PM
    Last modified : 8/18/2001 3:36:42 AM

    #:20 [ad-aware.exe]
    FilePath : C:\PROGRA~1\Lavasoft\AD-AWA~1\
    ThreadCreationTime : 5-25-2004 5:58:34 PM
    BasePriority : Normal
    FileSize : 668 KB
    FileVersion : 6.0.1.181
    ProductVersion : 6.0.0.0
    Copyright : Copyright
    CompanyName : Lavasoft Sweden
    FileDescription : Ad-aware 6 core application
    InternalName : Ad-aware.exe
    OriginalFilename : Ad-aware.exe
    ProductName : Lavasoft Ad-aware Plus
    Created on : 4/28/2004 4:44:26 AM
    Last accessed : 5/25/2004 5:58:34 PM
    Last modified : 7/13/2003 2:00:20 AM

    Memory scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 0


    Started registry scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    CoolWebSearch Object recognized!
    Type : RegValue
    Data :
    Category : Malware
    Comment : "HOMEOldSP"
    Rootkey : HKEY_LOCAL_MACHINE
    Object : SOFTWARE\Microsoft\Internet Explorer\Main
    Value : HOMEOldSP


    Registry scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 1
    Objects found so far: 1


    Started deep registry scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    Deep registry scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 1


    Deep scanning and examining files (C:)
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    Tracking Cookie Object recognized!
    Type : File
    Data : micro center@zedo[2].txt
    Category : Data Miner
    Comment :
    Object : C:\Documents and Settings\Micro Center\Cookies\

    Created on : 5/25/2004 2:13:29 AM
    Last accessed : 5/25/2004 6:00:01 PM
    Last modified : 5/25/2004 2:13:30 AM



    Disk scan result for C:\
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 2


    Scanning Hosts file(C:\WINDOWS\System32\drivers\etc\hosts)
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    Hosts file scan result:
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    1 entries scanned.
    New objects :0
    Objects found so far: 2




    Performing conditional scans..
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    CoolWebSearch Object recognized!
    Type : RegKey
    Data :
    Category : Malware
    Comment :
    Rootkey : HKEY_CLASSES_ROOT
    Object : PROTOCOLS\Filter\text/html


    CoolWebSearch Object recognized!
    Type : RegKey
    Data :
    Category : Malware
    Comment :
    Rootkey : HKEY_CLASSES_ROOT
    Object : PROTOCOLS\Filter\text/plain


    Conditional scan result:
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 2
    Objects found so far: 4


    1:05:57 PM Scan complete

    Summary of this scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    Total scanning time :00:07:17:281
    Objects scanned :111468
    Objects identified :4
    Objects ignored :0
    New objects :4


    Hope this helps, thanks.
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,429
    Location:
    Netherlands
  5. MrBob

    MrBob Registered Member

    Joined:
    May 24, 2004
    Posts:
    3
    Sorry for the delay in replying, I was able to remove it and then I got real busy. Anyway, I tried that program you suggested and It didn't work. However it did identify the .dll file that was responsible it was the AIJl.dll. Anyway I was to the point where I was willing to reformat. So in safe mode I ran Hijack this and deleted everything with aijl.dll listed in it. Then I went and deleted C:windows/system32/aijl.dll (proir to this I was unable to delete it). After that I ran adware and CWSshredder and my system was and still is clean.

    Thanks for your help, I still have the dllfix submit.zip file and if you want a copy of it let me know where to email it.

    Also here is the Hijack this log after I cleaned the system:

    Logfile of HijackThis v1.97.7
    Scan saved at 10:44:16 PM, on 6/1/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsescn.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    c:\progra~1\mcafee.com\vso\mcvsftsn.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Micro Center\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://excite.com/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    O9 - Extra button: ATI TV (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {11111111-1111-1111-1111-111111111732} - file://c:\progra~1\pl.exe
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,81/mcinsctl.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38131.3806597222
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,19/mcgdmgr.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{25E70C63-7CDC-4A5D-911E-57B749A9CE99}: NameServer = 208.190.196.2 208.190.196.3
     
  6. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    run hjt & fix
    O16 - DPF: {11111111-1111-1111-1111-111111111732} - file://c:\progra~1\pl.exe

    and then delete c:\program files\pl.exe if it still exists

    Turn off system restore by following instructions here
    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039
    That will purge the restore folder and clear any malware that has been put in there. Then reboot & then re-enable sytem restore & create a new restore point.

    Read here https://www.wilderssecurity.com/showthread.php?t=27971 for info on how to tighten your security settings and how to help prevent future attacks.

    & go here, click Scan for updates in the main frame, and download and install all CRITICAL updates recommended.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.