still getting hijacked... coolwebsearch.com, etc.

Discussion in 'adware, spyware & hijack cleaning' started by s15dynamics, Jun 28, 2004.

Thread Status:
Not open for further replies.
  1. s15dynamics

    s15dynamics Registered Member

    Joined:
    Jun 28, 2004
    Posts:
    6
    I'm still learning, so be patient. As of now I have gotten rid of a lot of things just by reading the posts on this forum, but I have yet to get rid of the web browser hijacker. A little while ago I couldn't change my wallpaper or keep my homepage because of system error #384, but I've almost cleaned all of it by using Spybot, HijackThis, and most recently CWShredder. Here is what my log shows as of now:

    Logfile of HijackThis v1.97.7
    Scan saved at 9:12:05 PM, on 6/28/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ieim.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\WINDOWS\atloy.exe
    C:\WINDOWS\System32\wpabaln.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\HI-jackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\kjdts.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://kjdts.dll/index.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://kjdts.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\kjdts.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://kjdts.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\kjdts.dll/sp.html#96676
    O2 - BHO: (no name) - {60CF4492-119D-A24C-4318-B79E3CA3AE85} - C:\WINDOWS\atlko32.dll
    O4 - HKLM\..\Run: [ieim.exe] C:\WINDOWS\system32\ieim.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl



    This is after I cleaned up a lot of crap. Don't get me wrong, it has gotten a lot better, but not enough. Any suggestions? Oh yeah, I keep getting pop-ups like the "IN DANGER" one. The usual. Thank you for any suggestions.
     
  2. s15dynamics

    s15dynamics Registered Member

    Joined:
    Jun 28, 2004
    Posts:
    6
    Whenever I use Ad-Aware 6.0 it always shows CoolSearch in the registry... it won't seem to go away when I delete it. I guess I'm just impressed by the people who make these programs to fight away all the spyware products that try to eliminate them. Crazy stuff.
     
  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi s15dynamics,

    It will probably have changed filenames by the time you read this, but here goes:

    Click Start > Run > Services.msc > OK.
    In the Services window, find Network Security Service.
    Right-click it and stop it. Set the Startup type to Disabled under Properties > General tab.

    Then open Task Manager and stop this process:
    C:\WINDOWS\system32\ieim.exe

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\kjdts.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://kjdts.dll/index.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://kjdts.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\kjdts.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://kjdts.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\kjdts.dll/sp.html#96676
    O2 - BHO: (no name) - {60CF4492-119D-A24C-4318-B79E3CA3AE85} - C:\WINDOWS\atlko32.dll
    O4 - HKLM\..\Run: [ieim.exe] C:\WINDOWS\system32\ieim.exe

    Then reboot into Safe Mode and delete:
    C:\WINDOWS\atlko32.dat
    C:\WINDOWS\system32\kjdts.dll
    C:\WINDOWS\system32\ieim.exe
    + the one that the service started. You can find that just above the box where you changed the Startup type.

    Regards,

    Pieter
     
  4. s15dynamics

    s15dynamics Registered Member

    Joined:
    Jun 28, 2004
    Posts:
    6
    Thank you very much, sir! I believe I have gotten rid of it, but I'm still a little iffy... my homepage is no longer under control and other things seem to be running smoothly. Question: when you told me to delete those files, or .dll's, in Safe Mode, I assumed you meant to physically go into my C:\Windows\System32 and actually delete it by sending it to the trash? That's what I did with one file; I couldn't find the rest even with the fresh log from HijackThis. Also, where is the "Network Security" in the services.msc program? I can't find it. I thought that I would have to reset the settings on it, like going into the properties and enabling it again? Is it important? Will it affect anything later on? Thanks again, you were very helpful!
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Could you post a new HijackThis log please?

    These things change names all the time, and if your log and the fix were too far apart, some things may still be active. Especially since you stated you could not find some of the files.

    Regards,

    Pieter
     
  6. s15dynamics

    s15dynamics Registered Member

    Joined:
    Jun 28, 2004
    Posts:
    6
    Here's the new log:

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\AIM\aim.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\WINDOWS\System32\wpabaln.exe
    C:\PROGRA~1\GoGoData.com\GOGODA~1\ADBUST~1.EXE
    C:\Program Files\GoGoData.com\GoGoData Ad Buster\GoGoTray.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\HI-jackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    O2 - BHO: (no name) - {3EB9C349-7473-48AC-A59B-42F31751974B} - C:\PROGRA~1\GoGoData.com\GOGODA~1\TOMAHA~1.DLL
    O3 - Toolbar: GoGoData AdBuster - {3EB9C349-7473-48AC-A59B-42F31751974B} - C:\PROGRA~1\GoGoData.com\GOGODA~1\TOMAHA~1.DLL
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [GoGoTray.exe] C:\Program Files\GoGoData.com\GoGoData Ad Buster\GoGoTray.exe
    O9 - Extra 'Tools' menuitem: GoGoData AdBuster (HKLM)
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-9.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object)


    The only thing is, with this log everything is alright... It's weird, because when I use Spybot and Ad-Aware 6.0 they seem to pick up on hidden files:

    Spybot says there are 5 problems and they all deal with registry changes: HKEY_USERS.....etc. Internet Settings/Zone. As for Ad-Aware 6.0, all it shows is data mining, which seems to just be cookies. Spybot seems to be the most effective right now in establishing what problems there are, but it can't seem to eradicate them. They aren't a real big nuisance right now, because everything is working fine, but it's just not right =) Thanks again, sir, for your help.
     
  7. s15dynamics

    s15dynamics Registered Member

    Joined:
    Jun 28, 2004
    Posts:
    6
    Hold on..... I just downloaded a pop-up blocker called GoGoData or whatever. It seemed to be legit because I got it off of download.com, but the log shows it as a BHO. I know those can't be good? Right? Well, anyways, I was just wondering about that. Thanks again.
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    BHOs can be good. :)
    Honestly. Almost half of them are.
    Respected programs like Symantec, AdShield, SpywareGuard and Spybot S&D use them.
    And it is only logical for any popup- or ad-blocker to use a BHO.

    Is this the one you installed: http://gogodata.com/product.htm ?

    Regards,

    Pieter
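    The triage Pieter does by hand in post #3 (res:// start and search pages, the anonymous BHO in the Windows directory, the Run entry and its process, the files to delete in Safe Mode, and the process that nothing in the log starts) and the point in post #8 (a BHO is not bad just because it is a BHO) can be written down as checks over the log lines. The script below is an added example, not code from this thread, from HijackThis or from Pieter; it runs on Python 3.8 or later. Its input is constructed from the entries quoted in the two posted logs, merged so that the hijack and the GoGoData ad-blocker appear in one scan. It assumes %SystemRoot% is C:\WINDOWS, that a bare res://name.dll lives in system32 unless the log shows the DLL with a full path, and that explorer.exe is the only process expected to run from C:\WINDOWS itself. The Run-key rule is a lead to confirm, not proof, and the script can only list files the log itself names: the .dat file and the service name in Pieter's post come from knowing the kit, not from the log.

```python
import ntpath
import re
from dataclasses import dataclass, field

# Constructed input: entries copied from the two logs in this thread, merged so that the
# CoolWebSearch hijack and the legitimate GoGoData ad-blocker BHO appear in one scan.
SAMPLE_LOG = r"""
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ieim.exe
C:\WINDOWS\atloy.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\kjdts.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://kjdts.dll/index.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {60CF4492-119D-A24C-4318-B79E3CA3AE85} - C:\WINDOWS\atlko32.dll
O2 - BHO: (no name) - {3EB9C349-7473-48AC-A59B-42F31751974B} - C:\PROGRA~1\GoGoData.com\GOGODA~1\TOMAHA~1.DLL
O3 - Toolbar: GoGoData AdBuster - {3EB9C349-7473-48AC-A59B-42F31751974B} - C:\PROGRA~1\GoGoData.com\GOGODA~1\TOMAHA~1.DLL
O4 - HKLM\..\Run: [ieim.exe] C:\WINDOWS\system32\ieim.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
"""

RE_ENTRY = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
RE_RES = re.compile(r"^res://(?P<dll>[^/]+)/", re.IGNORECASE)
RE_COM = re.compile(r"^(?P<type>BHO|Toolbar): (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
RE_RUN = re.compile(r"^HK\w+\\\.\.\\Run: \[(?P<value>[^\]]*)\] (?P<cmd>.*)$")
RE_EXE = re.compile(r'^"(?P<q>[^"]+)"|^(?P<u>.+?\.exe)(?:\s|$)', re.IGNORECASE)

WINDIR = "c:\\windows\\"             # assumption: %SystemRoot% is C:\WINDOWS, as in the posted logs
SYSTEM32 = r"C:\WINDOWS\system32"    # assumption: where a bare res://name.dll is looked up
CORE_WINDIR_ROOT = {"explorer.exe"}  # assumption: the one XP process expected to run from C:\WINDOWS itself


def exe_of(cmd):
    m = RE_EXE.match(cmd.strip())            # drop arguments, honour a quoted path
    return (m["q"] or m["u"]) if m else cmd.strip()


def _add(lst, item):
    if str(item).lower() not in {str(x).lower() for x in lst}:
        lst.append(item)


@dataclass
class Triage:
    fix_lines: list = field(default_factory=list)    # tick these in HijackThis, "Fix checked"
    kill: list = field(default_factory=list)         # end in Task Manager before fixing
    delete: list = field(default_factory=list)       # remove in Safe Mode after the fix
    unexplained: list = field(default_factory=list)  # running, but no Run key: look at services.msc
    benign_bhos: list = field(default_factory=list)  # named or vendor-claimed add-ons, leave alone


def triage(log_text):
    t = Triage()
    lines = [l.strip() for l in log_text.splitlines() if l.strip()]
    entries = [(m["kind"], m["body"], l) for l in lines if (m := RE_ENTRY.match(l))]
    processes = [l for l in lines if l.lower().endswith(".exe") and " - " not in l]
    # An O3 toolbar sharing a CLSID with a "(no name)" BHO tells you whose BHO it is.
    toolbars = {m["clsid"].upper(): m["name"] for _, b, _ in entries
                if (m := RE_COM.match(b)) and m["type"] == "Toolbar"}
    res_dlls = [m["dll"] for k, b, _ in entries
                if k[0] == "R" and (m := RE_RES.match(b.split(" = ", 1)[-1]))]
    full_by_base = {ntpath.basename(d).lower(): d for d in res_dlls if "\\" in d}
    run_exes = set()

    for kind, body, line in entries:
        if kind[0] == "R":
            m = RE_RES.match(body.split(" = ", 1)[-1])
            if m:  # start/search page served out of a local DLL resource: that is the hijack
                _add(t.fix_lines, line)
                dll = m["dll"]
                _add(t.delete, dll if "\\" in dll else full_by_base.get(dll.lower(), ntpath.join(SYSTEM32, dll)))
        elif kind in ("O2", "O3") and (m := RE_COM.match(body)):
            name = toolbars.get(m["clsid"].upper(), m["name"]) if m["name"] == "(no name)" else m["name"]
            if name == "(no name)" and m["path"].lower().startswith(WINDIR):
                _add(t.fix_lines, line)      # anonymous add-on dropped into the Windows tree
                _add(t.delete, m["path"])
            else:                            # a BHO by itself is not evidence of anything
                _add(t.benign_bhos, (name, m["path"]))
        elif kind == "O4" and (m := RE_RUN.match(body)):
            exe = exe_of(m["cmd"])
            run_exes.add(exe.lower())
            # Lead, not proof: autostart from the Windows tree whose value name is just the file name.
            if exe.lower().startswith(WINDIR) and m["value"].lower() == ntpath.basename(exe).lower():
                _add(t.fix_lines, line)
                _add(t.kill, exe)
                _add(t.delete, exe)

    for proc in processes:  # running straight from C:\WINDOWS with nothing in the log starting it
        rest = proc[len(WINDIR):]
        if (proc.lower() not in run_exes and proc.lower().startswith(WINDIR)
                and "\\" not in rest and rest.lower() not in CORE_WINDIR_ROOT):
            _add(t.unexplained, proc)
    return t


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

    On the constructed log this ticks the two res:// page entries, the atlko32.dll BHO and the ieim.exe Run entry, names ieim.exe as the process to end, lists kjdts.dll, atlko32.dll and ieim.exe for deletion, reports atloy.exe as running with nothing in the log starting it (the cue to look in services.msc), and leaves the GoGoData BHO alone because the O3 toolbar with the same CLSID claims it and it lives under Program Files. An unnamed BHO outside the Windows tree is not flagged by this rule and still needs a look by hand.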
     
  9. s15dynamics

    s15dynamics Registered Member

    Joined:
    Jun 28, 2004
    Posts:
    6
    Thanks for explaining the BHOs a little more thoroughly. I still have hidden files on my computer though; although not enough to mess up anything big, it's still a bother to get pop-ups once in a while saying your computer is in danger. Spybot says there are 5 problems and they all deal with registry changes: HKEY_USERS.....etc. Internet Settings/Zone. Every time I fix the problem with either Spybot or Ad-Aware 6.0 they just never seem to completely go away. Spybot seems to go through Gator and CoolWebSearch files all the time when I see it scanning. o_O Oh well, as long as it's not really hurting me or messing with my settings. What do you suggest? Thanks
     