Can someone help a girl out? (Coolweb prob)

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Ubermensch_kh, Sep 23, 2004.

  1. Ubermensch_kh

    Ubermensch_kh Private E-2

    Okay, I've tried multiple times to get rid of the coolweb hijacker that has infested my machine. I've been to several web forums, and each has a different idea of how to purge your system of this insidious program.
    I've done the obvious, which is look at endless forum-postings on dozens of sites in an effort to find someone with a coolweb problem that mimicked mine - with no luck.

    The okay, the bad & the worse:

    I'm running a Windows XP machine that I don't have Admin rights to (it's my brother's). He's overseas, so I have no way of getting the Admin password. What does this mean? It means not only am I restricted in what I can download (some freeware downloads okay, e.g. HijackThis, while other software won't, e.g. Ad-Aware, Spysweeper, etc.), but I CANNOT boot into Safe Mode.

    I'm ready and prepared to fix this thing, but I'll need someone to walk me through it. I realize I'll have to start from scratch.
    Instead of posting everything I've already done (which is extensive), I’ll wait for someone to tell me where they want me to start....

    Many thanks for your help in advance,
    Jennifer
    ;)
     
  2. Kodo

    Kodo SNATCHSQUATCH

    Our tutorial offers good insight into how to rid PCs of common spyware problems, but in order to be completely effective, you'll need to boot into Safe Mode.

    Take a look at the tutorial and see if you can accomplish even some of those tasks.
    I can't guarantee anything since safe mode is not an option.

    http://forums.majorgeeks.com/showthread.php?t=35407
    READ ME FIRST: Basic Spyware, Trojan And Virus Removal
     
  3. Ubermensch_kh

    Ubermensch_kh Private E-2

    I've tried what I could in the tutorials. Correct me if I'm wrong, but is it important to boot into Safe Mode because that disables all processes except those that are absolutely critical?
    If you want, I can start listing the things I've done to try and solve my coolweb problem....

    Thanks,
    Jennifer
     
  4. Kodo

    Kodo SNATCHSQUATCH

    yes, safe mode does that.
    Please list your attempts so we don't repeat ourselves :)
     
  5. Ubermensch_kh

    Ubermensch_kh Private E-2

    Okay, to start with I went through all of the generic instructions here (at this website) in an attempt to catch anything I missed. I also ran CWShredder, and Spysweeper - the only freeware my machine will run. Things like Stinger crash my system.

    I have a WindowsXP machine and as I said I was unable to boot into Safe mode, so I did all of the following without actually being in Safe mode, with no adverse impact:

    I searched through the registry and followed (some of) the steps contained here:
    http://www.kephyr.com/spywarescanner/library/coolwebsearch.xpsystem/index.phtml?source=app

    In Regedit I located:

    'HKEY_CURRENT_USER \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Run'
    In the right pane, I deleted the value called 'xpsystem'

    Then I deleted:

    'HKEY_LOCAL_MACHINE \ SOFTWARE \ Classes \ CLSID \ {5321E378-FFAD-4999-8C62-03CA8155F0B3}'

    Then I deleted:

    'HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Explorer \ Browser Helper Objects \ {5321E378-FFAD-4999-8C62-03CA8155F0B3}'

    The KEPHYR website suggested I delete the program called services.exe located in my WIN32 folder (not to be confused with the one in my System folder - which is apparently a program integral to the running of Windows). That said, another services.exe file existed in a folder called: C:\WINXP\inet73kmd. Very suspicious. All the ini/dll/exe files in that folder had a creation date of 09/11 - which is when the problem started happening!

    Something told me this was the root of the problem but ….

    1.) I couldn't delete the malware services.exe file located in C:\WINXP\inet73kmd ("critical process" message).

    2.) Spysweeper kept identifying the file as malware and quarantining it, but it kept reappearing.

    3.) I could not boot into Safe Mode.

    Next step:

    I tried renaming the services.exe file in C:\WINXP\inet73kmd to something else, but noticed that several minutes later a new services.exe file had populated that same folder - leading me to believe this insidious malware has the capability of regenerating itself!

    What to do?

    I read a great article at: http://www.cexx.org/ which mentioned that some spyware is clever enough to embed itself in your registry, etc., and one way to get rid of it is to trick it. The folder C:\WINXP\inet73kmd not only contained the services.exe program, but 3 dll's and 5 ini files.
    I created empty, dummy ini and dll files (same naming conventions) using WordPad and then created a dummy services.exe file. I deleted the ini & dll files in C:\WINXP\inet73kmd (which surely would have regenerated themselves) and placed the dummies in that folder, then renamed the malware services.exe file to “shitware.exe” and replaced it with my dummy services.exe file. What the CounterExploitation website suggested, and it seems to have worked, is that some malware programs may have a trigger that will essentially go out and look for its files, and if they are not there, recreate them. By placing the dummy files in C:\WINXP\inet73kmd I was hoping that upon reboot the trigger would go out looking for its files, find the dummies, get tricked, and then stop its process, assuming the services.exe would go about its hellish business.

    When I rebooted my computer I got a registry error message, essentially stating that it could not recognize a registry entry, and then I got a dll error – but lo and behold, my homepage was not hijacked back to searchportal.info/sawaporn, and I was able to surf without problem for about 2 days .... but then WHAM. I was smacked with this thing again!

    This time, when I looked in Task Manager I noticed Notepad.exe was running, and I could not stop it. Coincidentally, on or about September 11th was about the time that I was no longer able to use Notepad. Services.exe, by the way, was no longer being detected by HijackThis, but notepad.exe was (coincidentally, the services.exe file was the same size as the notepad.exe file - 212kb - and both had the same creation date).
    I tried to do the same thing with the notepad.exe file as I did with the services.exe file, to no avail.

    You want the hijack this log?
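    A triage check that follows from what Jennifer noticed above (every ini/dll/exe in C:\WINXP\inet73kmd stamped with the same date): walk a directory tree and report folders where several executable-type files share one timestamp date. This is an added example, not code from the thread or from MajorGeeks. It uses modification time (st_mtime) so it runs on any OS; on Windows, os.stat(...).st_ctime gives the creation time she was looking at. The folder names and dates in build_sample_tree are constructed to mirror the thread, not real system data.

```python
"""Find directories where many executable-type files share one timestamp date.
Added example (not from the thread). Uses st_mtime so it runs anywhere."""
import os
import tempfile
from collections import defaultdict
from datetime import datetime, timezone

# Extensions the dropper folder in the thread contained (ini/dll/exe) plus .sys.
SUSPECT_EXTENSIONS = {".exe", ".dll", ".ini", ".sys"}


def cluster_by_date(root):
    """Return {(directory, 'YYYY-MM-DD'): [filenames]} for suspect-extension files."""
    clusters = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SUSPECT_EXTENSIONS:
                continue
            mtime = os.stat(os.path.join(dirpath, name)).st_mtime
            day = datetime.fromtimestamp(mtime, tz=timezone.utc).strftime("%Y-%m-%d")
            clusters[(dirpath, day)].append(name)
    return clusters


def suspicious_clusters(root, min_files=3):
    """Directories where at least min_files suspect files carry the same date."""
    return {key: sorted(names)
            for key, names in cluster_by_date(root).items()
            if len(names) >= min_files}


def build_sample_tree():
    """Constructed sample tree: a 'system32' with spread-out dates and an
    'inet73kmd' folder whose files were all stamped on 2004-09-11 (as in the thread)."""
    root = tempfile.mkdtemp()
    layout = {
        "system32/kernel32.dll": "2002-08-29",
        "system32/services.exe": "2002-08-29",
        "system32/ntdll.dll": "2003-04-02",
        "inet73kmd/services.exe": "2004-09-11",
        "inet73kmd/hook.dll": "2004-09-11",
        "inet73kmd/a.ini": "2004-09-11",
        "inet73kmd/readme.txt": "2004-09-11",  # not a suspect extension; ignored
    }
    for rel, day in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"\x00")
        ts = datetime.strptime(day, "%Y-%m-%d").replace(tzinfo=timezone.utc).timestamp()
        os.utime(path, (ts, ts))  # set both atime and mtime to that day
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for (directory, day), names in suspicious_clusters(sample).items():
        print(f"{directory}: {len(names)} files dated {day}: {', '.join(names)}")
```

Run it against a real drive by calling suspicious_clusters("C:\\WINXP") instead of the sample tree; a legitimate Windows folder will also show large same-date clusters from installs and service packs, so the output is a list of places to look, not a verdict.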
     
  6. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Sure, send away, please attach it.
     
  7. Ubermensch_kh

    Ubermensch_kh Private E-2

    I will post the hijackthis log as soon as I can. Right now my computer at home is not working (!).

    I have come to the conclusion that I will most likely be unable to fix this computer without the Admin password.
    At least half the programs suggested (on this site) for the about:blank "problem" I cannot run, because I need Admin rights to download them, or they need to be run in Safe Mode.

    I'm going to give this one last shot. When I return home tonight I'll try and get my computer up and running - it keeps failing on the bootup.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  9. Ubermensch_kh

    Ubermensch_kh Private E-2

    NT Admin password change works the same for XP? I'm on an XP machine.

    Anyway, here's my hijackthis log. Thanks.
     

    Attached Files: hjt.txt (1.7 KB)
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes! It works for any NT based platform which is NT, 2K, and XP.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You said, "I've tried what I could in the tutorials." If you followed all the steps and clicked on all the links as we request you would not have an old version of HijackThis and you would not be running it from your desktop. Follow the directions in NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting . Please get the correct version (1.98.2) and post a log using it. Please post the whole log from a normal boot. You did not post a complete log. It looks like it was edited.
     
    Last edited: Sep 25, 2004
  12. Ubermensch_kh

    Ubermensch_kh Private E-2

    Here it is, sorry for overlooking the obvious....:

    Logfile of HijackThis v1.98.2
    Scan saved at 9:59:18 PM, on 9/26/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINXP\Explorer.EXE
    C:\Program Files\Norton Internet Security\IAMAPP.EXE
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\WINXP\SOUNDMAN.EXE
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Norton Internet Security\ATRACK.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
    C:\Documents and Settings\kt\Local Settings\Temporary Internet Files\Content.IE5\89OV7D6E\HijackThis[1].exe

    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINXP\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINXP\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINXP\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINXP\web\related.htm
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{335CC5F5-7D10-40BC-9BB5-7703D263D53F}: NameServer = 199.45.32.43,207.69.188.185
    O17 - HKLM\System\CS1\Services\Tcpip\..\{335CC5F5-7D10-40BC-9BB5-7703D263D53F}: NameServer = 199.45.32.43,207.69.188.185
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You are still not following directions. Did you read the HijackThis tutorial?
    - It says do not run from a temp folder. Here is where you are running it from:
    C:\Documents and Settings\kt\Local Settings\Temporary Internet Files\Content.IE5\89OV7D6E\HijackThis[1].exe
    Where did you download this from?
    - It says to post logs as an attachment. You posted inline text.
    - It also said to shut down browsers. You have IE running.

    I'm still wondering: is this your complete, unmodified log? It sure does not look like it. All Windows systems always have at least a couple of svchost.exe processes running, along with a few other items.

    I don't see anything that is a big problem in this log. You could fix these two lines but they are not big issues:
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINXP\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINXP\web\related.htm
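    The checks chaslang applies by eye in this post (core Windows processes missing, HijackThis launched from a temp folder, a browser still open, and the O17 NameServer lines Jennifer later asks about) can be automated over a saved log. This is an added example, not HijackThis' or MajorGeeks' code. SAMPLE_LOG is a constructed, shortened copy of the log posted above; CORE_PROCESSES, BROWSERS and BAD_RUN_LOCATIONS are assumptions chosen for this example.

```python
"""Sanity checks on a HijackThis v1.98-style log. Added example, not from the thread."""
import re

# Constructed, abbreviated copy of the log posted in this thread.
SAMPLE_LOG = """Logfile of HijackThis v1.98.2
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\\WINXP\\Explorer.EXE
C:\\WINXP\\SOUNDMAN.EXE
C:\\Program Files\\Internet Explorer\\iexplore.exe
C:\\Documents and Settings\\kt\\Local Settings\\Temporary Internet Files\\Content.IE5\\89OV7D6E\\HijackThis[1].exe

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\\Program Files\\Norton AntiVirus\\NavShExt.dll
O4 - HKLM\\..\\Run: [SoundMan] SOUNDMAN.EXE
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{335CC5F5-7D10-40BC-9BB5-7703D263D53F}: NameServer = 199.45.32.43,207.69.188.185
"""

# Processes every XP boot shows; a log lacking them is truncated or edited (assumed baseline).
CORE_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe"}
BROWSERS = {"iexplore.exe", "firefox.exe", "opera.exe"}
# Locations the tutorial says not to run HijackThis from (lower-cased substrings).
BAD_RUN_LOCATIONS = ("temporary internet files", "\\desktop\\", "\\temp\\")


def parse_log(text):
    """Split a HijackThis log into its running-process paths and its O-lines."""
    processes, olines, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line.lower() == "running processes:":
            in_procs = True
            continue
        if not line:
            in_procs = False
            continue
        if in_procs:
            processes.append(line)
        elif re.match(r"O\d+ - ", line):
            olines.append(line)
    return processes, olines


def check_log(text):
    """Return a list of human-readable findings, in a fixed order."""
    processes, olines = parse_log(text)
    names = {p.rsplit("\\", 1)[-1].lower() for p in processes}
    findings = []
    missing = sorted(CORE_PROCESSES - names)
    if missing:
        findings.append("incomplete log: core processes missing: " + ", ".join(missing))
    for p in processes:
        low = p.lower()
        if "hijackthis" in low and any(bad in low for bad in BAD_RUN_LOCATIONS):
            findings.append("HijackThis run from a temp/desktop location: " + p)
    for browser in sorted(names & BROWSERS):
        findings.append("browser still running during scan: " + browser)
    for o in olines:
        m = re.match(r"O17 - .*NameServer = (.+)$", o)
        if m:
            # Not a verdict: the addresses must be compared with the ISP's DNS servers.
            findings.append("review O17 DNS servers against your ISP's: " + m.group(1))
    return findings


if __name__ == "__main__":
    for finding in check_log(SAMPLE_LOG):
        print("-", finding)
```

The O17 check deliberately only surfaces the NameServer values; whether 199.45.32.43 and 207.69.188.185 are legitimate depends on who the ISP is, which the script cannot know.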
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please download ProcessExplorer from: http://www.sysinternals.com/files/procexpnt.zip

    Unzip it to a place where you can find it and run it. Now run ProcessExplorer.

    Now click on File and then Save As. And save the process list. Post it back here as an attachment. Also, from now on if I say to kill a process, use ProcessExplorer instead of Task Manager. Sometimes ProcessExplorer can kill things that Task Manager cannot.
     
  15. Ubermensch_kh

    Ubermensch_kh Private E-2

    New HJT log followed by Process Explorer log. By the way, look at the "Nameserver" IP address in my HijackThis log, is that the website redirect? Please help this girl out!!!!
    ************************
    Process PID CPU Description Company Name
    System Idle Process 0 97
    Interrupts n/a Hardware Interrupts
    DPCs n/a Deferred Procedure Calls
    System 4
    SMSS.EXE 464
    CSRSS.EXE 528
    WINLOGON.EXE 552
    services.exe 596
    svchost.exe 772
    svchost.exe 836
    svchost.exe 936
    svchost.exe 964
    spoolsv.exe 1128
    navapsvc.exe 1436
    NISUM.EXE 1464
    nvsvc32.exe 1508
    SYMPROXYSVC.EXE 1632
    NISSERV.EXE 1708
    lsass.exe 608
    Explorer.EXE 1804 Windows Explorer Microsoft Corporation
    IAMAPP.EXE 128 IAMAPP.EXE Symantec Corporation
    ATRACK.EXE 808 Alert Tracker Symantec Corporation
    navapw32.exe 164 Norton AntiVirus Agent Symantec Corporation
    SOUNDMAN.EXE 172 Avance Sound Manager Avance Logic, Inc.
    Directcd.exe 160 DirectCD Application Roxio
    iexplore.exe 204 Internet Explorer Microsoft Corporation
    iexplore.exe 500 Internet Explorer Microsoft Corporation
    WINZIP32.EXE 664 WinZip Executable WinZip Computing, Inc.
    procexp.exe 1384 3 Sysinternals Process Explorer Sysinternals
    regedit.exe 700 Registry Editor Microsoft Corporation
    notepad.exe 1200 Notepad Microsoft Corporation

    Process: svchost.exe Pid: 772

    Type Name
     

    Last edited by a moderator: Oct 10, 2004
  16. Kodo

    Kodo SNATCHSQUATCH

    Uber,
    You need to run HJT from its own folder. Do not run it from a temp directory, desktop, any folder under Documents and Settings, or from an archive.

    Please also upload your logs as text attachments from this point.
    Thank you.
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Take a look at message # 13 Kodo! Also he did not use the tool I asked in message #14 either.

    Plus the log file appears to be edited. Have you ever seen a log file without all the default Windows processes running? And processes that we continually ask to shut down are still running.
     
