Yet another CoolWebSearch hijack - PLEASE HELP

Discussion in 'adware, spyware & hijack cleaning' started by jguay, Apr 29, 2004.

Thread Status:
Not open for further replies.
  1. jguay

    jguay Registered Member

    Joined:
    Apr 29, 2004
    Posts:
    2
    To All :

    I have been hijacked by what appears to be the CoolWebSearch pest - when I launch IE the start page is "Search For..." and when you 'view source' I found the HTML form being submitted to http://searchx.cc/search.php

    I have downloaded and updated :
    - Adaware 6, Build 6.181
    - Hijack This, v1.97.7
    - CWShredder, v1.57.0
    - SpyBot-S&D 1.2

    I have run these programs in different combinations, both in regular and Safe mode, with no lasting results. Each tool seems to be cleaning out things and deleting files and such, but the problem keeps coming back, sometimes within hours.

    Attached is my Hijack This log. Please, someone, help me rid myself of this pest.

    Thank you very much, in advance.

    -------------------------------------------------------------

    Logfile of HijackThis v1.97.7
    Scan saved at 7:49:53 AM, on 4/29/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\UMCSTUB.EXE
    C:\WINDOWS\System32\gearsec.exe
    C:\iPlanet\Servers\bin\https\bin\ns-httpd.exe
    C:\iPlanet\Servers\bin\https\bin\ns-httpd.exe
    C:\iPlanet\Servers\bin\https\bin\ns-httpd.exe
    C:\iPlanet\Servers\bin\https\bin\ns-httpd.exe
    C:\iPlanet\Servers\bin\https\bin\httpd.exe
    C:\SYSMGT\TNGEAV\InoRpc.exe
    C:\iPlanet\Servers\bin\https\bin\httpd.exe
    C:\iPlanet\Servers\bin\https\bin\httpd.exe
    C:\iPlanet\Servers\bin\https\bin\httpd.exe
    C:\SYSMGT\TNGEAV\InoRT.exe
    C:\SYSMGT\TNGEAV\InoTask.exe
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\WINDOWS\LogWatNT.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\nutsrv4.exe
    C:\oracle\ora92\bin\omtsreco.exe
    C:\WINDOWS\Explorer.EXE
    C:\SYSMGT\TNGEAV\realmon.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Winamp\Winampa.exe
    C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    C:\Program Files\XVision\Common files\Vision\vservice.exe
    C:\Program Files\Java\j2re1.4.2_01\bin\jucheck.exe
    C:\Program Files\Handspring\HOTSYNC.EXE
    C:\PROGRA~1\XVision\COMMON~1\Vision\dbserv.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Lotus\Notes\NLNOTES.EXE
    C:\Program Files\Lotus\Notes\naldaemn.EXE
    C:\Program Files\Lotus\Notes\nwrdaemn.EXE
    C:\Program Files\Lotus\Notes\nupdate.EXE
    C:\Program Files\Lotus\Notes\namgr.EXE
    C:\Program Files\Lotus\Notes\nhldaemn.EXE
    E:\jjg\downloads\HJT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\kank.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\kank.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\kank.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\kank.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\kank.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\kank.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\JGUAY\Application Data\Mozilla\Profiles\default\gm5lcuen.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\JGUAY\Application Data\Mozilla\Profiles\default\gm5lcuen.slt\prefs.js)
    O1 - Hosts: 151.207.109.70 zeus zeus.uspto.gov
    O1 - Hosts: 151.207.109.92 etc-n01 etc-n01.uspto.gov
    O1 - Hosts: 20.4.201.167 linux
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {29C85CB5-FFCC-4161-8962-0EE1997B5746} - C:\WINDOWS\System32\kank.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [Realtime Monitor] C:\SYSMGT\TNGEAV\realmon.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
    O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NuTCSetupEnviron] C:\PROGRA~1\MKSTOO~1\bin\ncoeenv.exe
    O4 - HKLM\..\Run: [SDJobCheck] triggusr.exe
    O4 - HKLM\..\Run: [AMOClient] "C:\sysmgt\tngam\agents\umclogin.exe"
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] E:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Vision Services.lnk = C:\Program Files\XVision\Common files\Vision\vservice.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
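The log above shows the pattern worth recognising in a HijackThis scan of this kind of hijack: several R0/R1 search-page keys point at a `res://` resource inside a local DLL, and the same DLL is also registered as an unnamed O2 BHO. The following triage script is an added example (not part of the thread, not a HijackThis feature) that parses log lines of this shape and correlates the two; the sample lines are a constructed subset of the log quoted above, and the "bare filename" heuristic for O4 entries is an assumption of the example rather than a rule from the thread.

```python
import re

# Constructed sample: a subset of the HijackThis entries quoted in the thread above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\kank.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\kank.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {29C85CB5-FFCC-4161-8962-0EE1997B5746} - C:\WINDOWS\System32\kank.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [SDJobCheck] triggusr.exe
"""

# A res:// URL that loads an HTML page embedded in a DLL resource.
RES_DLL = re.compile(r"res://(?P<path>[^/\s]+\.dll)", re.IGNORECASE)
# R0/R1/R3: IE start/search page registry values.
R_ENTRY = re.compile(r"^(?P<kind>R[013]) - (?P<key>.+?) = (?P<value>.+)$")
# O2: Browser Helper Objects (name, CLSID, DLL path).
O2_ENTRY = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
# O4: autostart entries from the Run keys and Startup folders.
O4_ENTRY = re.compile(r"^O4 - (?P<where>.+?): \[(?P<label>[^\]]+)\] (?P<cmd>.+)$")


def norm(path):
    """Normalise a Windows path for comparison: drop quotes, lower-case."""
    return path.strip().strip('"').lower()


def first_token(cmd):
    """Return the executable part of a Run-key command line, honouring quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def triage(lines):
    """Return a list of (severity, message) findings for HijackThis-style lines."""
    res_hosts = {}   # normalised DLL path -> registry keys whose value is served from it
    bhos = []        # (clsid, normalised path, display name)
    findings = []
    for line in lines:
        line = line.strip()
        m = R_ENTRY.match(line)
        if m:
            hit = RES_DLL.search(m.group("value"))
            if hit:
                res_hosts.setdefault(norm(hit.group("path")), []).append(m.group("key"))
            continue
        m = O2_ENTRY.match(line)
        if m:
            bhos.append((m.group("clsid"), norm(m.group("path")), m.group("name")))
            continue
        m = O4_ENTRY.match(line)
        if m:
            exe = first_token(m.group("cmd"))
            # Assumed heuristic: an autostart with no directory is resolved via the
            # search path at logon, so its real location should be verified by hand.
            if "\\" not in exe:
                findings.append(("review", f"O4 [{m.group('label')}] runs bare filename {exe}; "
                                           "resolved via search path, verify its location"))
    for path, keys in res_hosts.items():
        findings.append(("high", f"IE search settings ({len(keys)} keys) served from local DLL resource {path}"))
    for clsid, path, name in bhos:
        if path in res_hosts:
            # The strongest signal: the BHO that runs inside IE is the same DLL that
            # hosts the replacement search page, so it can re-apply the settings.
            findings.append(("high", f"BHO {clsid} loads {path}, the same DLL that hosts the hijacked search page"))
        elif name == "(no name)" and "\\system32\\" in path:
            findings.append(("review", f"unnamed BHO {clsid} in System32: {path}"))
    return findings


if __name__ == "__main__":
    for severity, message in triage(SAMPLE_LOG.strip().splitlines()):
        print(f"[{severity}] {message}")
```

Run against the sample it reports two high findings for `kank.dll` (the R-key hijack and the matching BHO) and one review item for the `triggusr.exe` autostart; `SDHelper.dll` and `AcroIEHelper.dll` are unnamed BHOs too, but live outside System32 and are not tied to any `res://` entry, which is why a plain "(no name)" BHO on its own is not enough to act on.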
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi jguay,

    Start with the following:
    Go here:
    http://www10.brinkster.com/expl0iter/freeatlast/PVtool.htm
    And download "Xfind.zip" from there.
    Unzip, run the 'find.bat' inside.
    Wait till it terminates and find 'log.txt' inside, which you'd need to attach into your next reply.

    Regards,

    Pieter
     
  3. jguay

    jguay Registered Member

    Joined:
    Apr 29, 2004
    Posts:
    2
    First of all, thank you very much for your reply.

    I did as you requested, except when running 'find.bat', it generates a file named 'file.txt'. In any case, the contents are below :

    C:\WINDOWS\System32\KBDD.DLL +++ File read error

    the file does not seem to exist when browsing via Windows Explorer (and I have it set to show ALL hidden/system files via Tools/Folder Options/View/Show Hidden Files And Folders ).

    What is my next step?
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    A few steps this time.

    Download http://tools.zerosrealm.com/pv.zip and unzip it to the desktop
    In the folder you will find runme.bat
    Doubleclick it and choose option 7

    Then download, unzip and run:
    http://download.broadbandmedic.com/VbStuff/KillBox.zip

    In the "Paste Full Path of File to Delete" box, copy and paste the following:

    C:\WINDOWS\System32\KBDD.DLL

    Note: One will not find the malicious core .dll if one searches for it using Windows Explorer or the file search engine. It is hidden, so that is why the copy and paste part is important.

    IMPORTANT: Click on the Action menu and choose "Delete on Reboot". On the next screen, click on the File menu and choose "Add File". Then it should show up in the window. If that's successful, choose the Action menu and select "Process and Reboot". You'll be prompted to reboot, do so.

    Run CWShredder again and AdAware as described here https://www.wilderssecurity.com/showthread.php?t=15913

    Post back with a new HijackThis log.

    Regards,

    Pieter
     