CoolWebSearch and about:blank

Discussion in 'Malware Help (A Specialist Will Reply)' started by MirBelleJardin, Jan 13, 2005.

  1. MirBelleJardin

    MirBelleJardin Private E-2

    Hi there,

    I'm appealing to you once again--you've helped me in the past. I've picked up the about:blank thing, which adaware is calling CoolWebSearch. I've run all of the mandatory 4 steps on the READ THIS page at least twice in the past two weeks (in safe mode, etc). These steps did not eradicate the problem. I've also been running (every day) Adaware and Microsoft anti-spyware to remove a bunch of the stuff and make my computer at least functional. I'm desperate and ready to post my HiJack this log.

    Thanks,

    MirBelle
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, including your web browser, e-mail. Close before running Hijack This!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
  3. MirBelleJardin

    MirBelleJardin Private E-2

    Here's my logfile.
     


  4. Quinndrew5

    Quinndrew5 Corporal

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not install HJT where requested. You need to fix this before continuing. You have HJT here:
    C:\Documents and Settings\AJ\Desktop\stuff\HijackThis.exe

    You also DID NOT SHUT DOWN ALL BROWSERS before using HJT. This is critical - every time you use HJT - exit browsers first. You must follow directions.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member


    Not yet! Other problems must be fixed first and some software may have to be uninstalled before trying to fix the HSA hijack.

    MirBelleJardin,

    You need to uninstall Microsoft Antispyware. And then reboot. It is going to make it harder to fix some of these problems. In addition, this product is not ready for prime time yet. It has problems with False detections and some other issues.

    I'm going to skip some stuff related to HSA in your log and work on other problems first.

    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file move.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)

    Double-click on the move.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge say yes.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    After following the directions from my previous two posts, do the below.

    Make sure you have downloaded About:Buster and HSremove given in the READ ME FIRST sticky.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\appof.exe
    C:\WINDOWS\system32\iphb32.exe
    C:\WINDOWS\System32\wvsvc.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R3 - Default URLSearchHook is missing
    O4 - HKLM\..\Run: [d3ir32.exe] C:\WINDOWS\system32\d3ir32.exe
    O4 - HKLM\..\Run: [5B.tmp] C:\DOCUME~1\AJ\LOCALS~1\Temp\5B.tmp.exe 0 10001
    O4 - HKLM\..\Run: [DeskAd Service] C:\Program Files\DeskAd Service\DeskAdServ.exe
    O4 - HKLM\..\Run: [ipae.exe] C:\WINDOWS\system32\ipae.exe
    O4 - HKLM\..\Run: [apilp32.exe] C:\WINDOWS\system32\apilp32.exe
    O4 - HKLM\..\Run: [winnt.exe] C:\WINDOWS\system32\winnt.exe
    O4 - HKLM\..\Run: [iphb32.exe] C:\WINDOWS\system32\iphb32.exe
    O4 - HKLM\..\Run: [Starting up] wvsvc.exe
    O4 - HKLM\..\RunServices: [Starting up] wvsvc.exe
    O4 - HKLM\..\RunOnce: [appof.exe] C:\WINDOWS\appof.exe
    O4 - HKCU\..\Run: [cwusRkH5e] stiplat.exe
    O4 - HKCU\..\Run: [Starting up] wvsvc.exe
    O15 - Trusted Zone: *.awmdabest.com <--- these next 4 may be gone already
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.awmdabest.com (HKLM)
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
    O15 - Trusted IP range: 206.161.125.149
    O15 - Trusted IP range: (HKLM)
    O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)
    O23 - Service: Workstation NetLogon Service - Unknown - C:\WINDOWS\mska32.exe (file missing)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\appof.exe
    C:\WINDOWS\system32\iphb32.exe
    C:\WINDOWS\System32\wvsvc.exe
    C:\WINDOWS\system32\d3ir32.exe
    C:\WINDOWS\system32\ipae.exe
    C:\WINDOWS\system32\apilp32.exe
    C:\WINDOWS\system32\winnt.exe
    C:\WINDOWS\system32\stiplat.exe
    C:\WINDOWS\system32\wvsvc.exe
    C:\Documents and Settings\AJ\Local Settings\Temp <-- delete everything in this folder including any subfolders.
    C:\Program Files\DeskAd Service <--- the whole folder

    Run HSremove then run About:Buster (save the AB log to a file).

    Now reboot in normal mode and post a new HJT log and the AB log.
     
  8. MirBelleJardin

    MirBelleJardin Private E-2

    Hi Chaslang,

    It didn't work. I ran into a couple of snags, perhaps that's why.

    First, after Fixing the selected files in HiJackThis, I couldn't find these files:
    C:\WINDOWS\appof.exe
    C:\WINDOWS\system32\iphb32.exe
    C:\WINDOWS\System32\wvsvc.exe
    C:\WINDOWS\system32\d3ir32.exe
    C:\WINDOWS\system32\ipae.exe
    C:\WINDOWS\system32\apilp32.exe
    C:\WINDOWS\system32\winnt.exe
    C:\WINDOWS\system32\stiplat.exe
    C:\WINDOWS\system32\wvsvc.exe

    Second, i couldn't delete all of the files and subfolders in

    C:\Documents and Settings\AJ\Local Settings\Temp.

    It seems that there are files the computer won't let me delete, even though they don't seem to appear in the folders. The computer can't find them. Also, the computer wouldn't let me delete index.dat because another person was using it. So I deleted as much from this folder as I could, but I didn't get it all.

    Finally, I've been having a problem with my AOL IM that started around the same time as the virus. I can sign on properly, but whenever I try to IM anyone or they try to IM me, it signs me off. Is this related?

    Thanks,

    MirBelle
     


  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! We made some progress. Let's keep going! It sometimes takes repetition to clean up these infections, especially HSA hijacks. Print these instructions or save them locally because you must be offline with browsers closed until I say to reopen and come back here.

    Go offline and exit browsers now before continuing!

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\appof.exe
    C:\WINDOWS\System32\wvsvc.exe
    C:\WINDOWS\system32\iphb32.exe

    Make sure you tell me if you have any problems finding or killing any of these! If you don't find them, they may have renamed themselves since you last posted. That means next time you post your HJT log (at the end of these steps), DO NOT REBOOT until you hear from me. You can disconnect from the Internet but no reboots.

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\xelyl.dll/sp.html#14044
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xelyl.dll/sp.html#14044
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\xelyl.dll/sp.html#14044
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\xelyl.dll/sp.html#14044
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xelyl.dll/sp.html#14044
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\xelyl.dll/sp.html#14044
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {9034944E-1F01-F8F2-E8EC-80E14D8E7FD0} - C:\WINDOWS\ntxw32.dll
    O4 - HKLM\..\Run: [Starting up] wvsvc.exe
    O4 - HKLM\..\Run: [iphb32.exe] C:\WINDOWS\system32\iphb32.exe
    O4 - HKLM\..\RunServices: [Starting up] wvsvc.exe
    O4 - HKLM\..\RunOnce: [appof.exe] C:\WINDOWS\appof.exe
    O4 - HKCU\..\Run: [Starting up] wvsvc.exe
    O23 - Service: Workstation NetLogon Service - Unknown - C:\WINDOWS\mska32.exe (file missing)

    After clicking Fix, exit HJT.

    Okay this will sound crazy but it is necessary! I want you to physically pull the power plug to your PC. The key here is that we do not want to allow Windows to shut down gracefully. That is how this infection is spreading itself. Wait a minute and then plug the power back in but when booting up, boot to safe mode.

    Use Windows Explorer to delete (if found - tell me the results):
    C:\WINDOWS\system32\xelyl.dll
    C:\WINDOWS\ntxw32.dll
    C:\WINDOWS\System32\wvsvc.exe
    C:\WINDOWS\system32\iphb32.exe
    C:\WINDOWS\appof.exe

    Some of these may not be found if the filenames have changed since you last posted.

    Run HSremove then run About:Buster (save the AB log to a file). Now immediately reboot in normal mode and get a new HJT log.
    Now run your browser and come here and post the HJT and the AB logs.
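The two clean-up posts above work from the same set of indicators: IE start/search values redirected to a res:// resource inside a local DLL (whose name changes between scans, xelyl.dll then xmoj.dll), Run/RunServices entries that name a bare executable or a file under Temp, Trusted Zone entries nobody added, an unnamed BHO, and a service whose file is already gone. The script below, added here as an illustration and not code from MajorGeeks or HijackThis, encodes those checks as a triage pass over HJT log lines and collects the on-disk paths a responder would delete in safe mode after clicking Fix. The sample log is constructed from lines quoted in this thread plus two benign entries (jusched.exe and the AudioSrv service) that I assumed for contrast; the rule list is a heuristic, not a signature database, and it deliberately does not flag a full path into system32 such as iphb32.exe, since that call needs a known-good file list or the kind of analyst knowledge chaslang applied above.

```python
"""Triage HijackThis (HJT) log lines for the CoolWebSearch about:blank pattern.

Added example for this thread, not code from MajorGeeks or HijackThis.
The rules mirror the indicators fixed in the posts above; they are
heuristics, not a signature database.
"""
import re
from dataclasses import dataclass
from typing import List, Set, Tuple

# Constructed sample log: lines copied from the thread above, plus two
# benign entries (jusched.exe, AudioSrv) assumed here for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\xelyl.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\xmoj.dll/sp.html#14044
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {9034944E-1F01-F8F2-E8EC-80E14D8E7FD0} - C:\WINDOWS\ntxw32.dll
O4 - HKLM\..\Run: [5B.tmp] C:\DOCUME~1\AJ\LOCALS~1\Temp\5B.tmp.exe 0 10001
O4 - HKLM\..\Run: [Starting up] wvsvc.exe
O4 - HKLM\..\RunServices: [Starting up] wvsvc.exe
O4 - HKLM\..\Run: [iphb32.exe] C:\WINDOWS\system32\iphb32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2\bin\jusched.exe
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O23 - Service: Workstation NetLogon Service - Unknown - C:\WINDOWS\mska32.exe (file missing)
O23 - Service: Windows Audio (AudioSrv) - Unknown owner - C:\WINDOWS\System32\svchost.exe
"""


@dataclass
class Finding:
    section: str
    reason: str
    line: str


RES_DLL = re.compile(r"res://([^/]+\.dll)", re.IGNORECASE)
O4_ENTRY = re.compile(r"^(HK\w+\\\.\.\\\w+): \[[^\]]*\] (.+)$")
EXE_PATH = re.compile(r'^"?(.*?\.(?:exe|com|scr|pif|bat))"?(?:\s|$)', re.IGNORECASE)
MISSING_SVC = re.compile(r"([A-Za-z]:\\.+?) \(file missing\)$")
BHO_DLL = re.compile(r" - ([A-Za-z]:\\.+?\.dll)$", re.IGNORECASE)


def triage(log_text: str) -> Tuple[List[Finding], Set[str]]:
    """Return (findings, artifacts). artifacts are on-disk paths named by
    flagged entries, i.e. the safe-mode delete list after the HJT Fix."""
    findings: List[Finding] = []
    artifacts: Set[str] = set()

    def flag(section: str, reason: str, line: str) -> None:
        findings.append(Finding(section, reason, line))

    for raw in log_text.splitlines():
        line = raw.strip()
        if " - " not in line:
            continue
        section, rest = line.split(" - ", 1)

        if section in ("R0", "R1"):
            m = RES_DLL.search(rest)
            if m:
                # res:// into a local DLL is the CWS about:blank signature;
                # the DLL name changes between scans (xelyl -> xmoj above).
                flag(section, "IE search/start setting points at a local DLL resource", line)
                artifacts.add(m.group(1))
            elif rest.lower().endswith("= about:blank"):
                flag(section, "default page forced to about:blank (review)", line)
        elif section == "R3" and "missing" in rest:
            flag(section, "default URLSearchHook removed", line)
        elif section == "O2" and "(no name)" in rest:
            flag(section, "unnamed Browser Helper Object", line)
            m = BHO_DLL.search(rest)
            if m:
                artifacts.add(m.group(1))
        elif section == "O4":
            m = O4_ENTRY.match(rest)
            exe = EXE_PATH.match(m.group(2)) if m else None
            if exe:
                path = exe.group(1)
                if "\\" not in path:
                    # Bare name: resolved through the search path, as in
                    # "[Starting up] wvsvc.exe" above.
                    flag(section, "autorun entry with no directory (search-path load)", line)
                elif "\\temp\\" in path.lower():
                    flag(section, "autorun entry launched from a Temp directory", line)
                    artifacts.add(path)
                # A full path into system32 (iphb32.exe) is NOT flagged here:
                # that call needs a known-good file list or analyst knowledge.
        elif section == "O15":
            # Trusted Zone / Trusted IP entries relax IE security for those hosts.
            flag(section, "Trusted Zone/IP entry (hijackers add these to relax IE security)", line)
        elif section == "O23":
            if MISSING_SVC.search(rest):
                flag(section, "service registered for a file that no longer exists", line)

    return findings, artifacts


def summarize(log_text: str) -> List[str]:
    """Human-readable report: one entry per finding plus the delete list."""
    findings, artifacts = triage(log_text)
    out = [f"{f.section}: {f.reason}\n    {f.line}" for f in findings]
    out.append("delete in safe mode after Fix: " + ", ".join(sorted(artifacts)))
    return out


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_LOG)))
```

Run it against a saved HJT log (replace SAMPLE_LOG with the file's contents) before and after the Fix; the artifact list is the same set of paths the helper asked for in safe mode, and re-running on the post-Fix log is the quickest way to spot the renamed DLL that reappears.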
     
  10. MirBelleJardin

    MirBelleJardin Private E-2

    Hi Chaslang,

    That seems to have helped a lot. My AOL IM is working again, and the about:blank page is not coming up.

    I had no problem killing the three processes.

    When I went to check the HJT things, it seems that "xelyl" in the following lines had switched to "xmoj", because the lines were identical except for the replacement of those letters. I deleted the lines with xmoj.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\xelyl.dll/sp.html#14044
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xelyl.dll/sp.html#14044
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\xelyl.dll/sp.html#14044
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\xelyl.dll/sp.html#14044
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xelyl.dll/sp.html#14044
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\xelyl.dll/sp.html#14044

    Also, the following line changed, but I did not record what it changed to. I deleted it anyway:

    O2 - BHO: (no name) - {9034944E-1F01-F8F2-E8EC-80E14D8E7FD0} - C:\WINDOWS\ntxw32.dll

    When I went to find the exe files, I could not find:
    C:\WINDOWS\system32\xelyl.dll
    C:\WINDOWS\ntxw32.dll

    I also searched for "xmoj" but couldn't find any file with that in its name.

    I did find and delete:
    C:\WINDOWS\System32\wvsvc.exe
    C:\WINDOWS\system32\iphb32.exe
    C:\WINDOWS\appof.exe

    I will leave my computer on and await your instructions. Thanks!

    Mirbelle
     


  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay that log looked clean. How does a current log look after doing some surfing? If the problem is back, post a new log and do not reboot.
     
  12. MirBelleJardin

    MirBelleJardin Private E-2

    It appears to be behaving very well. No about:blank page, no pop-ups, and the AOL IM is working also. System instability also seems fine.

    I haven't restarted the computer yet, here's a HJT log.

    Thanks for your help!

    Mirbelle
     


  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You look clean but you are insufficiently protected. I don't even see an antivirus application.

    Please see and follow the steps in the below link to help avoid future problems:
    How to Protect yourself from malware!
     
