#1
Junior Techie | Join Date: Nov 2003 | Posts: 58
Hi all, I'm having trouble removing the CoolWebSearch browser hijacker. I have used CWShredder to remove it, but it keeps coming back. My virus scan shows a clean machine. Ad-Aware shows clean; PestPatrol shows the reinfections but not the causing file. I think it is to do with my winlogon.exe. I would like to get a new version of this and put it in; is that possible? Any other suggestions?
#2
Ultra Techie | Join Date: Apr 2004 | Posts: 617
Download AdAware 6 181 from here: http://www.lavasoftusa.com/ . Before you scan with Ad-Aware, check for updates of the reference file by using the "webupdate". Then make sure the following settings are made and on ("ON" = GREEN):

From the main window, click "Start", then "Activate in-depth scan". Then click "Use custom scanning options > Customize" and have these options on: "Scan within archives", "Scan active processes", "Scan registry", "Deep scan registry", "Scan my IE Favorites for banned URL" and "Scan my host-files". Then go to Settings (the gear on top of Ad-Aware) > Tweak > Scanning engine and tick "Unload recognized processes during scanning" and "Let Windows remove files in use at next reboot". Then click "Proceed" to save your settings. Now, to scan, just click the "Scan" button. When the scan is finished, mark everything for removal and get rid of it (right-click the window and choose "Select all" from the drop-down menu).

Then download Spybot - Search & Destroy from http://security.kolla.de . After installing, first press Online, and search for, put a check mark at, and install all updates. Next, close all Internet Explorer and OE windows, hit 'Check for Problems', and have Spybot remove all it finds that is marked in RED. Reboot.

Please do this. Click here: http://www.sherrylynn.us/HijackThis.exe to download HijackThis. Save it to its own folder (not temporary files or the desktop). Close all open windows and open HijackThis. Click Scan. When the scan is finished (it only takes a second), the Scan button will change to Save Log. Click on Save Log and save it to Notepad. Copy the entire log and paste it here. DO NOT FIX ANYTHING YET; most items that appear in the log are harmless or even needed. Wait for someone to analyze the scan and advise.
__________________
AdAware | Spybot S&D 1.4 | SpywareGuard & SpywareBlaster | How did I get infected in the first place? by Tony Klein | If you use IE, I suggest using these two programs: IE Hosts & IE-SPYAD
#4
Ultra Techie | Join Date: Apr 2004 | Posts: 617
You're welcome, Bull, glad to be of help.
#5
Junior Techie | Join Date: Nov 2003 | Posts: 58
I ran HijackThis.exe. What's all the "%74%6f%72%65%7b%30%34%31%39%61%66%65%62%" in the Internet Explorer settings?

Logfile of HijackThis v1.97.7
Scan saved at 22:19:59, on 05/05/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
C:\Program Files\Trend Micro\Internet Security\PCClient.exe
C:\Program Files\Trend Micro\Internet Security\pccguide.exe
C:\PROGRA~1\PANICW~1\SURECL~1\SRCLEAN.EXE
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE
C:\Program Files\AltoSoftware\AltoMemoryBooster\AltoMBsrv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\Documents and Settings\My Documents\Downloads\other tools\coolwebpageshredder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://%63%3a%5c%73%79%73%74%65%6d%20%76%6f%6c%75%6d%65%20%69%6e%66%6f%72%6d%61%74%69%6f%6e%5c%5f%72%65%73%74%6f%72%65%7b%30%34%31%39%61%66%65%62%2d%35%63%37%31%2d%34%34%66%36%2d%62%64%64%38%2d%34%63%62%30%61%62%32%36%33%33%39%39%7d%5c%72%70%34%5c%61%30%30%30%
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://%63%3a%5c%73%79%73%74%65%6d%20%76%6f%6c%75%6d%65%20%69%6e%66%6f%72%6d%61%74%69%6f%6e%5c%5f%72%65%73%74%6f%72%65%7b%30%34%31%39%61%66%65%62%2d%35%63%37%31%2d%34%34%66%36%2d%62%64%64%38%2d%34%63%62%30%61%62%32%36%33%33%39%39%7d%5c%72%70%34%5c%61%30%30%30%
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://%63%3a%5c%73%79%73%74%65%6d%20%76%6f%6c%75%6d%65%20%69%6e%66%6f%72%6d%61%74%69%6f%6e%5c%5f%72%65%73%74%6f%72%65%7b%30%34%31%39%61%66%65%62%2d%35%63%37%31%2d%34%34%66%36%2d%62%64%64%38%2d%34%63%62%30%61%62%32%36%33%33%39%39%7d%5c%72%70%34%5c%61%30%30%30%
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://%63%3a%5c%73%79%73%74%65%6d%20%76%6f%6c%75%6d%65%20%69%6e%66%6f%72%6d%61%74%69%6f%6e%5c%5f%72%65%73%74%6f%72%65%7b%30%34%31%39%61%66%65%62%2d%35%63%37%31%2d%34%34%66%36%2d%62%64%64%38%2d%34%63%62%30%61%62%32%36%33%33%39%39%7d%5c%72%70%34%5c%61%30%30%30%
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://%63%3a%5c%73%79%73%74%65%6d%20%76%6f%6c%75%6d%65%20%69%6e%66%6f%72%6d%61%74%69%6f%6e%5c%5f%72%65%73%74%6f%72%65%7b%30%34%31%39%61%66%65%62%2d%35%63%37%31%2d%34%34%66%36%2d%62%64%64%38%2d%34%63%62%30%61%62%32%36%33%33%39%39%7d%5c%72%70%34%5c%61%30%30%30%
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://%63%3a%5c%73%79%73%74%65%6d%20%76%6f%6c%75%6d%65%20%69%6e%66%6f%72%6d%61%74%69%6f%6e%5c%5f%72%65%73%74%6f%72%65%7b%30%34%31%39%61%66%65%62%2d%35%63%37%31%2d%34%34%66%36%2d%62%64%64%38%2d%34%63%62%30%61%62%32%36%33%33%39%39%7d%5c%72%70%34%5c%61%30%30%30%
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [SureCleanProfessional] "C:\PROGRA~1\PANICW~1\SURECL~1\SRCLEAN.EXE"
O4 - HKCU\..\Run: [PopUpStopperProfessional] C:\PROGRA~1\PANICW~1\SURECL~1\PopUpStopperProfessional.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE"
O4 - HKCU\..\Run: [AltoMB_service] C:\Program Files\AltoSoftware\AltoMemoryBooster\AltoMBsrv.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .PDF: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O13 - DefaultPrefix:
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Program Files\Q330994.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/7...ll/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.napster.com/client/isetup.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw9fd.law9.hotmail.msn.com/activex/HMAtchmt.ocx
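The "%74%6f%72%65..." soup the poster asks about is ordinary URL percent-encoding: each %xx is one ASCII byte, so the res:// values can be decoded back into a file path. The Python below is an added example for this page, not code from HijackThis, CWShredder or anyone in the thread. It rejoins the %-sequences that the forum's line wrapping split apart, decodes the R0/R1 targets, checks whether the decoded path sits inside a Windows XP System Restore point folder (System Volume Information\_restore{GUID}\RPn, which is where XP keeps restore points), and flags O16 Downloaded Program Files entries whose source is a local file:// path instead of a web URL. That file:// rule is this example's own heuristic, and the sample log is a constructed excerpt of four entries in the shape of the log posted above, with the truncated value left truncated as it appears in the log.

```python
import re
from urllib.parse import unquote

# Constructed sample: four entries in the shape of the HijackThis log posted
# above. The stray spaces inside the %-encoded value reproduce the forum's
# line wrapping, which the decoder has to undo. The log's own truncation of
# the long value (it ends in a lone '%') is kept as-is.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://%63%3a%5c%73%79%73%74%65%6d%20%76%6f%6c%75%6d%65%2 0%69%6e%66%6f%72%6d%61%74%69%6f%6e%5c%5f%72%65%73% 74%6f%72%65%7b%30%34%31%39%61%66%65%62%2d%35%63%37 %31%2d%34%34%66%36%2d%62%64%64%38%2d%34%63%62%30%6 1%62%32%36%33%33%39%39%7d%5c%72%70%34%5c%61%30%30% 30%
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Program Files\Q330994.exe
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
"""

# Windows XP keeps System Restore points under this path; the GUID names the
# volume's restore store and RPn is the restore point number.
RESTORE_STORE = re.compile(
    r"\\system volume information\\_restore\{[0-9a-f-]+\}\\rp\d+", re.I
)

RES_LINE = re.compile(r"^(R[01]) - (.+?) = (res://.*)$")
DPF_LINE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]+\})(?: \((.*?)\))? - (.+)$")


def decode_res_url(value):
    """Decode a fully %-encoded res:// value from an R0/R1 line."""
    body = value[len("res://"):]
    # The posted value is entirely %-encoded, so any whitespace inside it is
    # line-wrapping debris from the forum, not part of the value.
    body = re.sub(r"\s+", "", body)
    # HijackThis truncated the long value, leaving a dangling '%'.
    body = body.rstrip("%")
    return unquote(body, errors="replace")


def in_system_restore(path):
    """True if the decoded path points inside a System Restore point folder."""
    return RESTORE_STORE.search(path) is not None


def analyze_hjt_log(text):
    """Return (kind, where, detail) findings for the lines worth a second look."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = RES_LINE.match(line)
        if m:
            # IE search settings redirected into a res:// resource: decode the
            # target so the reader sees a path instead of %xx soup.
            findings.append(("res-redirect", m.group(2), decode_res_url(m.group(3))))
            continue
        m = DPF_LINE.match(line)
        if m:
            clsid, source = m.group(1), m.group(3).strip()
            # Heuristic (this example's, not HijackThis'): a Downloaded Program
            # Files control normally comes from http(s)://; one registered from
            # a local file:// path is unusual and deserves a look.
            if source.lower().startswith("file://"):
                findings.append(("local-dpf", clsid, source))
    return findings


if __name__ == "__main__":
    for kind, where, detail in analyze_hjt_log(SAMPLE_LOG):
        note = ""
        if kind == "res-redirect" and in_system_restore(detail):
            note = "  (inside a System Restore point)"
        print(f"{kind:13} {where}")
        print(f"{'':13} -> {detail}{note}")
```

Run as a script it prints the decoded search-bar target, c:\system volume information\_restore{0419afeb-5c71-44f6-bdd8-4cb0ab263399}\rp4\a000 (the rest of the file name is cut off in the log, so it is not reconstructed here), and the Q330994.exe entry; the O4 line and the BitDefender control are left alone. The res:// scheme, for context, makes Internet Explorer load a resource out of a local binary, which is why the path behind it matters more than the %xx characters themselves.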
#7
Ultra Techie | Join Date: Apr 2004 | Posts: 617
Run CWShredder; make sure it's updated first. Run it, press 'Fix', and allow it to fix all it finds. And remember to click "Fix" (not "Scan only"). Reboot.
#8
Ultra Techie | Join Date: Apr 2004 | Posts: 617
After you run CWShredder, run HJT, put a check next to these, close all browsers and hit Fix:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://%63%3a%5c%73%79%73%74%65%6d%20%76%6f%6c%75%6d%65%20%69%6e%66%6f%72%6d%61%74%69%6f%6e%5c%5f%72%65%73%74%6f%72%65%7b%30%34%31%39%61%66%65%62%2d%35%63%37%31%2d%34%34%66%36%2d%62%64%64%38%2d%34%63%62%30%61%62%32%36%33%33%39%39%7d%5c%72%70%34%5c%61%30%30%30%
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://%63%3a%5c%73%79%73%74%65%6d%20%76%6f%6c%75%6d%65%20%69%6e%66%6f%72%6d%61%74%69%6f%6e%5c%5f%72%65%73%74%6f%72%65%7b%30%34%31%39%61%66%65%62%2d%35%63%37%31%2d%34%34%66%36%2d%62%64%64%38%2d%34%63%62%30%61%62%32%36%33%33%39%39%7d%5c%72%70%34%5c%61%30%30%30%
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://%63%3a%5c%73%79%73%74%65%6d%20%76%6f%6c%75%6d%65%20%69%6e%66%6f%72%6d%61%74%69%6f%6e%5c%5f%72%65%73%74%6f%72%65%7b%30%34%31%39%61%66%65%62%2d%35%63%37%31%2d%34%34%66%36%2d%62%64%64%38%2d%34%63%62%30%61%62%32%36%33%33%39%39%7d%5c%72%70%34%5c%61%30%30%30%
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://%63%3a%5c%73%79%73%74%65%6d%20%76%6f%6c%75%6d%65%20%69%6e%66%6f%72%6d%61%74%69%6f%6e%5c%5f%72%65%73%74%6f%72%65%7b%30%34%31%39%61%66%65%62%2d%35%63%37%31%2d%34%34%66%36%2d%62%64%64%38%2d%34%63%62%30%61%62%32%36%33%33%39%39%7d%5c%72%70%34%5c%61%30%30%30%
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://%63%3a%5c%73%79%73%74%65%6d%20%76%6f%6c%75%6d%65%20%69%6e%66%6f%72%6d%61%74%69%6f%6e%5c%5f%72%65%73%74%6f%72%65%7b%30%34%31%39%61%66%65%62%2d%35%63%37%31%2d%34%34%66%36%2d%62%64%64%38%2d%34%63%62%30%61%62%32%36%33%33%39%39%7d%5c%72%70%34%5c%61%30%30%30%
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://%63%3a%5c%73%79%73%74%65%6d%20%76%6f%6c%75%6d%65%20%69%6e%66%6f%72%6d%61%74%69%6f%6e%5c%5f%72%65%73%74%6f%72%65%7b%30%34%31%39%61%66%65%62%2d%35%63%37%31%2d%34%34%66%36%2d%62%64%64%38%2d%34%63%62%30%61%62%32%36%33%33%39%39%7d%5c%72%70%34%5c%61%30%30%30%
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Program Files\Q330994.exe

Reboot into Safe Mode and make sure you delete C:\Program Files\Q330994.exe.