CoolWebSearch - Help Required

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by nminter, Jun 29, 2004.

  1. nminter

    nminter Private E-2

    Hi

    Am having extreme difficulty ridding XP Professional machine of CoolWebSearch.

    Norton
    Identifies threat as Adware.Iefeats

    SpyBot - Search & Destroy

    DSO Exploit: Data source object exploit (Registry change, nothing done)
    HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3


    DSO Exploit: Data source object exploit (Registry change, nothing done)
    HKEY_USERS\S-1-5-21-2391709686-115412439-2982193001-1013\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3


    DSO Exploit: Data source object exploit (Registry change, nothing done)
    HKEY_USERS\S-1-5-21-2391709686-115412439-2982193001-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3


    DSO Exploit: Data source object exploit (Registry change, nothing done)
    HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3


    DSO Exploit: Data source object exploit (Registry change, nothing done)
    HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3


    DSO Exploit: Data source object exploit (Registry change, nothing done)
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
    --- Spybot - Search && Destroy version: 1.3 ---
    2004-06-16 Includes\Cookies.sbi
    2004-06-16 Includes\Dialer.sbi
    2004-06-17 Includes\Hijackers.sbi
    2004-06-16 Includes\Keyloggers.sbi
    2004-05-12 Includes\LSP.sbi
    2004-06-16 Includes\Malware.sbi
    2004-06-16 Includes\Revision.sbi
    2004-06-16 Includes\Security.sbi
    2004-06-16 Includes\Spybots.sbi
    2004-06-16 Includes\Tracks.uti
    2004-06-16 Includes\Trojans.sbi

    CWShredder
    Says system is clean
    HiJackThis
    [Note: these R0/R1 entries return, even after a fix, with different URLs every time]
    Logfile of HijackThis v1.97.7
    Scan saved at 11:15:42, on 29/06/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\inetsrv\inetinfo.exe
    c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\PROGRA~1\MICROS~2\MSSQL$~1\binn\sqlservr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    c:\program files\microsoft enterprise instrumentation\bin\trace service\tracesessionmanager.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\sstray.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\System32\gsicon.exe
    C:\WINDOWS\System32\dslagent.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\System32\dllhost.exe
    C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
    C:\WINDOWS\system32\winnc.exe
    C:\WINDOWS\atlvf.exe
    C:\Documents and Settings\Admin\Desktop\Downloads\HijackThis\HijackThis.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zavza.dll/sp.html#35759
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://zavza.dll/index.html#35759
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://zavza.dll/index.html#35759
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zavza.dll/sp.html#35759
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://zavza.dll/index.html#35759
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\zavza.dll/sp.html#35759
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Admin\Application Data\Mozilla\Profiles\default\ureyy0pe.slt\prefs.js)
    O2 - BHO: (no name) - {ADCD2861-F951-CBB0-CD36-3C98A6A42196} - C:\WINDOWS\system32\winjt32.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
    O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [winnc.exe] C:\WINDOWS\system32\winnc.exe
    O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
    O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
    O4 - HKLM\..\RunOnce: [atlvf.exe] C:\WINDOWS\atlvf.exe
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: ATI TV (HKLM)
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: Toggle AccessibilityToolbar toolbar (HKLM)
    O9 - Extra 'Tools' menuitem: &AccessibilityToolbar toolbar (HKLM)
    O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - http://moneymanager.egg.com/activex/accounttracking.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/29258cd32e922638e206/netzip/RdxIE601.cab
    O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D9D7F22C-F002-4E4C-92F3-872A1837F10D}: NameServer = 194.74.65.68 194.72.9.38

    StartUpList
    StartupList report, 29/06/2004, 11:20:58
    StartupList version: 1.52
    Started from : C:\Documents and Settings\Admin\Desktop\StartupList.EXE
    Detected: Windows XP SP1 (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    ==================================================
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\inetsrv\inetinfo.exe
    c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\PROGRA~1\MICROS~2\MSSQL$~1\binn\sqlservr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    c:\program files\microsoft enterprise instrumentation\bin\trace service\tracesessionmanager.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\sstray.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\System32\gsicon.exe
    C:\WINDOWS\System32\dslagent.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\System32\dllhost.exe
    C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
    C:\WINDOWS\system32\winnc.exe
    C:\WINDOWS\atlvf.exe
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Admin\Desktop\StartupList.exe
    --------------------------------------------------
    Listing of startup folders:
    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    --------------------------------------------------
    Checking Windows NT UserInit:
    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,
    --------------------------------------------------
    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    nForce Tray Options = sstray.exe /r
    ATIPTA = C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    GSICONEXE = gsicon.exe
    DSLAGENTEXE = dslagent.exe USB
    ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
    winnc.exe = C:\WINDOWS\system32\winnc.exe
    --------------------------------------------------
    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
    atlvf.exe = C:\WINDOWS\atlvf.exe
    --------------------------------------------------
    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    (Default) =
    ATI Launchpad = "C:\Program Files\ATI Multimedia\main\launchpd.exe"
    ATI Remote Control = C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
    --------------------------------------------------
    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:
    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*
    Shell & screensaver key from Registry:
    Shell=Explorer.exe
    SCRNSAVE.EXE=*Registry value not found*
    drivers=*Registry value not found*
    Policies Shell key:
    HKCU\..\Policies: Shell=*Registry key not found*
    HKLM\..\Policies: Shell=*Registry value not found*
    --------------------------------------------------

    Enumerating Browser Helper Objects:
    (no name) - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    (no name) - C:\WINDOWS\system32\winjt32.dll - {ADCD2861-F951-CBB0-CD36-3C98A6A42196}
    NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}
    --------------------------------------------------
    Enumerating Task Scheduler jobs:
    Norton AntiVirus - Scan my computer - Admin.job
    Symantec NetDetect.job
    --------------------------------------------------
    Enumerating Download Program Files:
    [Shockwave ActiveX Control]
    InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    [Office Update Installation Engine]
    InProcServer32 = C:\WINDOWS\opuc.dll
    CODEBASE = http://office.microsoft.com/officeupdate/content/opuc.cab
    [AccountTracking Profile Manager Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\accounttracking.dll
    CODEBASE = http://moneymanager.egg.com/activex/accounttracking.cab
    [RdxIE Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\RdxIE.dll
    CODEBASE = http://software-dl.real.com/29258cd32e922638e206/netzip/RdxIE601.cab
    [RealArcadeRdxIE Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\RealArcadeRdxIE.dll
    CODEBASE = http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    --------------------------------------------------
    Enumerating Windows NT logon/logoff scripts:
    *No scripts set to run*
    Windows NT checkdisk command:
    BootExecute = autocheck autochk *
    Windows NT 'Wininit.ini':
    PendingFileRenameOperations: C:\DOCUME~1\Admin\LOCALS~1\Temp\GLB1A2B.EXE|||A
    --------------------------------------------------
    Enumerating ShellServiceObjectDelayLoad items:
    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
    CDBurn: C:\WINDOWS\system32\SHELL32.dll
    WebCheck: C:\WINDOWS\System32\webcheck.dll
    SysTray: C:\WINDOWS\System32\stobject.dll
    --------------------------------------------------
    End of report, 7,110 bytes
    Report generated in 0.047 seconds
    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only


    Would appreciate some advice

    TIA

    Nik Minter
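The R0/R1, O2 and O4 lines in the HijackThis log above are where this hijack shows itself. As an added example (not code from the thread, from HijackThis or from MajorGeeks), here is a small Python triage script that parses HijackThis-format lines and flags the three patterns that log exhibits: res:// start/search pages pointing into a local DLL, an unnamed BHO, and a Run value named after its own executable. The sample log is constructed from the names quoted in the post, and the heuristics are assumptions of mine for triage, not a vendor detection rule.

```python
import re

# Constructed sample in HijackThis v1.97 log format; zavza.dll, winjt32.dll, winnc.exe
# and atlvf.exe are the names quoted in the thread, google.com/NAV Helper are benign controls.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zavza.dll/sp.html#35759
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://zavza.dll/index.html#35759
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
O2 - BHO: (no name) - {ADCD2861-F951-CBB0-CD36-3C98A6A42196} - C:\WINDOWS\system32\winjt32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [winnc.exe] C:\WINDOWS\system32\winnc.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunOnce: [atlvf.exe] C:\WINDOWS\atlvf.exe
"""

ENTRY_RE = re.compile(r"^(R[0-3]|O\d+) - (.*)$")          # "R1 - body", "O4 - body"
RES_DLL_RE = re.compile(r"res://(?:.*\\)?([^/\\]+\.dll)", re.I)
RUN_RE = re.compile(r'^.*: \[([^\]]+)\] "?(.*?\.exe)"?', re.I)  # [name] "path.exe" args


def parse_entries(log):
    """Split a HijackThis log into (section, body) tuples; other lines are skipped."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def flag_entries(log):
    """Return (section, reason, body) for entries matching the patterns the
    thread's log shows. These are triage heuristics, not proof of infection."""
    findings = []
    for section, body in parse_entries(log):
        if section in ("R0", "R1") and "res://" in body:
            # IE start/search page pointed at HTML packed inside a local DLL,
            # the form the R0/R1 lines keep returning to after each 'fix'.
            m = RES_DLL_RE.search(body)
            findings.append((section, "res:// hijack via " + (m.group(1) if m else "?"), body))
        elif section == "O2" and body.startswith("BHO: (no name)"):
            # Unnamed BHO: its DLL is loaded into every IE/Explorer process,
            # which is why deleting it outside safe mode fails.
            findings.append((section, "unnamed BHO", body))
        elif section == "O4":
            m = RUN_RE.match(body)
            # Run value named exactly after its exe is a weak signal (vendors use product names: ccApp).
            if m and m.group(1).lower() == m.group(2).rsplit("\\", 1)[-1].lower():
                findings.append((section, "Run value named after its own exe", body))
    return findings
```

Running `flag_entries` over a full log pasted into `SAMPLE_LOG` lists the entries worth checking first; a benign line such as the Norton BHO or the quoted ccApp Run value is left alone.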
     
  2. nminter

    nminter Private E-2

  3. nminter

    nminter Private E-2

  4. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    It did not remove it because you did not start in safe mode then. The DLL is loaded by Windows; you cannot delete a file that is in use. Hence safe mode is probably required for removal, or knowledge of how to terminate running programs. Updated the removal page with those instructions as another route. Thanks.
     
    Last edited: Jun 29, 2004
