PLEASE, I really need help with COOL WEB

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by battlefield, Jun 28, 2004.

  1. battlefield

    battlefield Private E-2

    IE browser is set to res://fodsc.dll/index.html#12802 and i cannot get that to change at all


    would my hijack log file help someone to see what my problem is, adware, spybot and norton ran several times all updated and still i am jacked Logfile of HijackThis v1.97.7
    Scan saved at 1:26:08 AM, on 6/27/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\DIGStream\digstream.exe
    C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\netou.exe
    C:\WINDOWS\system32\iemr32.exe
    C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Jason\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
    C:\Program Files\Messenger\msmsgs.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\fodsc.dll/sp.html#12802
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://fodsc.dll/index.html#12802
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://fodsc.dll/index.html#12802
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...rch/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\fodsc.dll/sp.html#12802
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://fodsc.dll/index.html#12802
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\fodsc.dll/sp.html#12802
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {687935EA-83F2-0A00-630D-743E4F5D9B6C} - C:\WINDOWS\crzq.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
    O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [suserk] C:\WINDOWS\System32\suserk.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [netou.exe] C:\WINDOWS\system32\netou.exe
    O4 - HKCU\..\Run: [WNSC] C:\WINDOWS\System32\wnsintsv.exe
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/gam...ts/y/dot4_x.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeu...ontent/opuc.cab
    O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download....ctl_0_0_0_1.ocx
    O16 - DPF: {72944257-0AE0-44FD-8A51-AA21853092C8} (PhxStudent.OeSetup15) - https://mycampus.phoenix.edu/secure/PhxStudent15.CAB
    O16 - DPF: {94837F90-A2CA-4A8A-9DA0-B5438EC563EA} (WildTangent Active Launcher) - http://install.wildtangent.com/cda/...uncherSetup.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.c...7942.3883564815
    O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse.one.microsoft.c...eX/FileXfer.cab
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsol...ArcadeRdxIE.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/...ash/swflash.cab
     
    battlefield, Jun 28, 2004
    #1
  2. battlefield

    battlefield Private E-2

    Please someone help out here, i know everyone else needs help too, but please look at my log and assist
     
    battlefield, Jun 28, 2004
    #2
  3. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Read the threads, they all have the same variant as you, res://C:\WINDOWS\fodsc.dll/ or similar, my telling you what lines to remove is useless, they come right back. System Restore is a good bet, HSRemove on front page might be worth a shot or reading the other threads.
     
    Major Attitude, Jun 28, 2004
    #3
  4. battlefield

    battlefield Private E-2

    Major, thanks for the tip, i used hsremove just now, and it seems to have worked the miricle..... only thing is when i run adware now, it keeps finding coolwebseach in system32 though???? where is this rooted at?
     
    battlefield, Jun 28, 2004
    #4
  5. don77

    don77 Private E-2

    Download and install APM from:http://www.diamondcs.com.au/index.php?page=apm
    Reboot,
    Restart HJT,     make sure that IE and all open windows are closed and run Hijack This again. Check the below entries and click on Fix Checked.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\fodsc.dll/sp.html#12802
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://fodsc.dll/index.html#12802
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://fodsc.dll/index.html#12802
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\fodsc.dll/sp.html#12802
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://fodsc.dll/index.html#12802
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\fodsc.dll/sp.html#12802
    O2 - BHO: (no name) - {687935EA-83F2-0A00-630D-743E4F5D9B6C} - C:\WINDOWS\crzq.dll
    O4 - HKLM\..\Run: [suserk] C:\WINDOWS\System32\suserk.exe

    O4 - HKLM\..\Run: [netou.exe] C:\WINDOWS\system32\netou.exe
    O4 - HKCU\..\Run: [WNSC] C:\WINDOWS\System32\wnsintsv.exe








    Dont reboot yet though. Run APM and in the upper window select explorer.exe. In the lower window find and rightclick the BHO from your HijackThis log (C:\WINDOWS\crzq.dll ) and select Unload DLL and click OK on the prompts that follow.



    Reboot to safe mode ( by tapping the F8 key on start up ) make sure you can view all hidden folders/files http://www.xtra.co.nz/help/0,,4155-1916458,00.html search for and delete the following in BOLD


    C:\WINDOWS\System32\suserk.exe

    C:\WINDOWS\system32\netou.exe
    C:\WINDOWS\System32\wnsintsv.exe




    Reboot now and run AdAware    .

    Reboot again and post a new log.
     
    don77, Jun 28, 2004
    #5
  6. battlefield

    battlefield Private E-2

    Dont reboot yet though. Run APM and in the upper window select explorer.exe. In the lower window find and rightclick the BHO from your HijackThis log (C:\WINDOWS\crzq.dll ) and select Unload DLL and click OK on the prompts that follow.
    ??????????

    my apm does not ahve a selection of unload dll?????????????
     
    battlefield, Jun 28, 2004
    #6
  7. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Update, see top thread in this forum for proper removal via Ad-Aware and Hijack This. The latest Ad-Aware gets the infection gone with all but a few traces. :)
     
    Major Attitude, Jun 28, 2004
    #7

MajorGeeks.Com Menu

Downloads All In One Tweaks \ Android \ Anti-Malware \ Anti-Virus \ Appearance \ Backup \ Browsers \ CD\DVD\Blu-Ray \ Covert Ops \ Drive Utilities \ Drivers \ Graphics \ Internet Tools \ Multimedia \ Networking \ Office Tools \ PC Games \ System Tools \ Mac/Apple/Ipad Downloads

Other News: Top Downloads \ News (Tech) \ Off Base (Other Websites News) \ Way Off Base (Offbeat Stories and Pics)

Social: Facebook \ YouTube \ Twitter \ Tumblr \ Pintrest \ RSS Feeds