still gettin highjacked...coolwebsearch.com, etc.

im still learning so be patient. as of now i have gotten rid of a lot of things just by reading the posts on this forum, but i have yet to get rid of the web browser high jacker. A little while ago i couldnt change my wallpaper or keep my homepage because of system error #384, but ive almost cleaned all of it by using spy bot, highjackthis, and most recently CWshredder. here is what my log show as of now:

Logfile of HijackThis v1.97.7
Scan saved at 9:12:05 PM, on 6/28/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ieim.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\atloy.exe
C:\WINDOWS\System32\wpabaln.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HI-jackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\kjdts.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://kjdts.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://kjdts.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\kjdts.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://kjdts.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\kjdts.dll/sp.html#96676
O2 - BHO: (no name) - {60CF4492-119D-A24C-4318-B79E3CA3AE85} - C:\WINDOWS\atlko32.dll
O4 - HKLM\..\Run: [ieim.exe] C:\WINDOWS\system32\ieim.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl



this is after i cleaned up a lot of crap. dont get me wrong, it has gotten a lot better, but not enough. any suggestions. oh yeah i keep gettin pop-ups like your "IN DANGER". the usual. thank you for any suggestions.

 

whenever i use adaware 6.0 it always shows coolsearch in the registry....it wont seem to go away when i delete it. i guess im just impressed by the people who make these programs to fight away all the spyware products that try to eliminate them. crazy stuff.

 

Hi s15dynamics,

It wil probably have changed filenames by the timeyou read this, but here goes:

Click Start > Run > Services.msc > OK
In the services window find Network Security Service.
Rightclick and stop it. Put the Startup type to disabled under Properties > General tab

Then open TaskManager and stop this process:
C:\WINDOWS\system32\ieim.exe

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\kjdts.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://kjdts.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://kjdts.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\kjdts.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://kjdts.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\kjdts.dll/sp.html#96676
O2 - BHO: (no name) - {60CF4492-119D-A24C-4318-B79E3CA3AE85} - C:\WINDOWS\atlko32.dll
O4 - HKLM\..\Run: [ieim.exe] C:\WINDOWS\system32\ieim.exe

Then reboot into safe mode and delete:
C:\WINDOWS\atlko32.dat
C:\WINDOWS\system32\kjdts.dll
C:\WINDOWS\system32\ieim.exe
+ the one that the service started. You can find that just above the box where you changed the Startup Type

Regards,

Pieter

 

thank you very much sir! i believe i have gotten rid of it, but im still a little iffy....my homepage is no longer under control and other things seem to be running smoothly. question? when you told me to delete those files, or .dll's in safe mode, i assumed you meant to physically go into my c:/ windows, system 32 and actually delete it by sending it to the trash?? thats what i did with one file, couldnt find the rest even with the fresh log of highjack this. also, where is the "Network security" in the services.msc program? i cant find it. i thought that i would have to reset the settings on it, like going into the properties and enabling it again? is it important? will it affect anything later on?? thanks again, you were very helpful!

 

Could you post a new HijackThis log please?

These things change names all the time and if your log and the fix were too far apart, some things may still be active. Especially since you stated you could not find some of the files.

Regards,

Pieter

 

here's the new log:

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\wpabaln.exe
C:\PROGRA~1\GoGoData.com\GOGODA~1\ADBUST~1.EXE
C:\Program Files\GoGoData.com\GoGoData Ad Buster\GoGoTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HI-jackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {3EB9C349-7473-48AC-A59B-42F31751974B} - C:\PROGRA~1\GoGoData.com\GOGODA~1\TOMAHA~1.DLL
O3 - Toolbar: GoGoData AdBuster - {3EB9C349-7473-48AC-A59B-42F31751974B} - C:\PROGRA~1\GoGoData.com\GOGODA~1\TOMAHA~1.DLL
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [GoGoTray.exe] C:\Program Files\GoGoData.com\GoGoData Ad Buster\GoGoTray.exe
O9 - Extra 'Tools' menuitem: GoGoData AdBuster (HKLM)
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-9.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object)


The only thing is with this log everything is alright...It's weird because when I use spybot and adaware 6.0 they seem to pick up on hidden files:

Spy Bot says there are 5 problems and they all deal with Registry changes : HKEY_USERS.....etc. internet settings/zone, as for the adaware 6.0 all it shows is data mining which seem to just be cookies. spybot seems to be the most effective right now in establishing what problems there are, but it cant seem to eradicate them. they arent a real big nusance right now, because everything is working fine, but its just not right =) thanks again sir for your help.

 

hold on.....i just downloaded a pop-up blocker called gogodata or whatever it seemed to be legit cause i got it off of download.com, but the log shows it as a BHO. I know those cant be good? right? well, anyways, i was just wondering about that. thanks again

 

BHO's can be good.
Honestly. Almost half of them is.
Respected programs like Symantec, AdShield, SpywareGuard and Spybot S&D use them.
And it is only logical for any popup- or adblocker to use a BHO.

Is this the one you installed: http://gogodata.com/product.htm ?

Regards,

Pieter

 

Thanks for explaining the BHO's a little more thorough. I still have hidden files on my computer though, although not enough to mess up anything big it's still a bother to get pop-ups once in a while saying your computer is in danger. Spy Bot says there are 5 problems and they all deal with Registry changes : HKEY_USERS.....etc. internet settings/zone. Everytime i fix the problem with either spy bot or adaware 6.0 they just never seem to completely go away. Spy bot seems to go through gator and coolwebsearch files all the time when i see it scanning. O well, as long as its not really hurting me or messing with my settings. What do you suggest? thanks