Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 91846 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

Please Help Me Get Rid Of Coolwww Permanently


  • Please log in to reply
9 replies to this topic

#1 pullinghairout

pullinghairout

    New Member

  • Authentic Member
  • Pip
  • 9 posts

Posted 14 July 2004 - 01:58 AM

i have spy sweeper and it detects coolwww and interupts me constently to restore the page to my true page. but it is not getting rid of the adware. i've removed it deleted it quarantined it. somebody help :wall:

    Advertisements

Register to Remove


#2 little eagle

little eagle

    spyware hawk

  • Visiting Fellow
  • PipPipPipPipPipPip
  • 8,968 posts
  • Interests:spyware

Posted 14 July 2004 - 02:08 AM

u]
Scanning in Spybot Search and Destroy:
[/u]

1. Downloaded and Install Spybot S&D, accepting the Default Settings

2. In the Menu Bar at the top of the Spybot window you will see 'Mode'. Make certain that 'default mode' has a check mark beside it.

3. Close ALL windows except Spybot S&D

4. Click the button to ‘Search for Updates’ and download and install the Updates.

5. Next click the button ‘Check for Problems’

6. When Spybot is complete, it will be showing ‘RED’ (RED) entries ‘BLACK’ entries and ‘GREEN’ (GREEN) entries in the window

7. Make certain there is a check mark beside all of the RED (RED) entries ONLY.

8. Choose ‘Fix Selected Problems’ and allow Spybot to fix the RED (RED) entries.

9. REBOOT to complete the scan.

Scanning in Ad-Aware :

1. Download and Install Ad-Aware , keeping the default options. However you will need to change some of the settings before your first scan

2. Close ALL windows except Ad-Aware

3. Go to Start > Programs > Lavasoft and click on AdAware 6 to open the program

4. Look at the icons on the top right of the page and click on the ‘world’ and let AdAware update the spyware reference list

5. Once the update is finished click on the ‘Gear’ icon (second from the left) to access the preferences/settings window

1) In the ‘General’ window make sure the following are selected:

*Automatically save log-file
*Automatically quarantine objects prior to removal
*Safe Mode (always request confirmation)

2) Click on the ‘Scanning’ button on the left and select :

*Scan Within Archives
*Scan Active Processes
*Scan Registry
*Deep Scan Registry
*Scan my IE favorites for banned URL’s
*Scan my Hosts file

3)Under ‘Click here to select drives + folders’, choose:

*All of your hard drives

4) Click on the ‘Advanced’ button on the left and select:

*Include additional process information
*Include additional file information
*Include environment information
*Include additional object details

5) Click the ‘Tweak’ button and select:

6)Under the ‘Scanning Engine’:

*Unload recognized processes during scanning
*Include basic Ad-aware settings in logfile
*Include additional Ad-aware settings in logfile

7)Under the ‘Cleaning Engine’:

*Let Windows remove files in use at next reboot


6. Click on ‘Proceed’ to save the settings.

7. Click ‘Start’

*on the next screen choose ‘Activate in-depth Scan’ at the bottom of the page
*then choose:'Use Custom Scanning Options'

8. Click ‘Next’ and AdAware will scan your hard drive(s) with the options you have selected and clean automatically. .

9. Save the log file when it asks and then click ‘finish’

10. REBOOT to complete the removal of what Ad-Aware found

Finally after running both Spybot SD and Ad-Aware, SCAN with HijackThis and POST your logfile in the same thread using ‘Add Reply’. Do not attempt to fix anything in HijackThis yourself!

Here's how to post a Hijack This log

Download "HijackThis" here
When downloading, choose "save to disk" and NOT open!

Now create a new folder for it, C:\Hijackthis, for example.
After unzipping the file to C:\Hijack This, you'll end up with the file itself, which is Hijackthis.exe, and that's the one you'll need to doubleclick.'

When the program launches, hit the "Scan" button
When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, and save the log anywhere you like.

Now if you doubleclick the log file.Go to Edit > Select all, then to Edit > copy.
Now you've copied the entire text to the Windows Clipboard (this happens behind your back.)

Next, go back to this forum thread, and click "Post Reply".
In an empty area click your RIGHT mouse button, and choose 'Paste' from the context menu.
There's your Hijack This log. This is what we need to look at.

Edited by little eagle, 14 July 2004 - 02:09 AM.


#3 pullinghairout

pullinghairout

    New Member

  • Authentic Member
  • Pip
  • 9 posts

Posted 14 July 2004 - 03:49 AM

Logfile of HijackThis v1.98.0
Scan saved at 2:47:21 AM, on 7/14/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\Program Files\CasinoOnline\CsRemnd.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\kdx\KHost.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\ContentWatch\Updater\cwupdate.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\ContentWatch\PopupProtect\PP.exe
C:\Program Files\AzureBay\AzureBay Screen Saver\WPChanger.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Wendy Henson\Local Settings\Temp\Temporary Directory 1 for hijackthis..zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\WENDYH~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\WENDYH~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\WENDYH~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\WENDYH~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\WENDYH~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\WENDYH~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {D507C3C5-4307-49B6-928F-BACE36468C23} - C:\WINDOWS\System32\fhcg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [NAV CfgWiz] C:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [Remndr] "C:\Program Files\CasinoOnline\CsRemnd.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\Run: [CWU_AutoStartup] C:\Program Files\ContentWatch\Updater\cwupdate.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: PopupProtect.lnk = C:\Program Files\ContentWatch\PopupProtect\PP.exe
O4 - Global Startup: Register.lnk = C:\Program Files\AzureBay\AzureBay Screen Saver\Register.exe
O4 - Global Startup: WPChanger.lnk = C:\Program Files\AzureBay\AzureBay Screen Saver\WPChanger.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O13 - DefaultPrefix:
O13 - Mosaic Prefix: c:\searchpage.html?page=
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {234B7457-1A7E-4268-BA71-9936F0C78BEC} (ContentCleanup3X Control) - http://www.contentwa...eanup3Proj1.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot....ownload/kdx.cab
O18 - Filter: text/html - {061CFE1B-EEE9-463E-9373-BB8ABC7C662B} - C:\WINDOWS\System32\fhcg.dll
O18 - Filter: text/plain - {061CFE1B-EEE9-463E-9373-BB8ABC7C662B} - C:\WINDOWS\System32\fhcg.dll

#4 little eagle

little eagle

    spyware hawk

  • Visiting Fellow
  • PipPipPipPipPipPip
  • 8,968 posts
  • Interests:spyware

Posted 14 July 2004 - 10:41 AM

Before we get started on a long fix. You are running windows XP which allows you to move to a
old restore point before the infection. If you can remember when about blank started. See if you
have a restore point about a week before that. To do that hit
Start>control panel>Preformanceand Manintence>System Restore
click restore my computer to an earlier time.

If you can't do that then follow the step below.

If you used Spybot - Search & Destroy or another program to lock your IE Home page if you did you need to disable it.

Then Download About:buster from http://downloads.sub...AboutBuster.zip and unzip it to your desktop.

Click here for instructions on how to boot into safe mode.

Boot up in safe mode.

Run About:buster, click OK, Start, and OK again to start the scan. Let it scan and fix everything it finds. It should give you a log at this point, copy it to a text file and save it.

Reboot your computer in normal mode, and post the log from About:buster and a new log from Hijackthis.

#5 pullinghairout

pullinghairout

    New Member

  • Authentic Member
  • Pip
  • 9 posts

Posted 14 July 2004 - 01:49 PM

i have already tried to restore to a earlier date when i did not have the problem. along with the stupid home page they kept hijacking onto my computer they sent me a virus called mtwirl. norton could not quarantine or destroy the virus. fortunatly spy sweeper was able to. but the problem continued even after i restored to a time before they did this.

#6 pullinghairout

pullinghairout

    New Member

  • Authentic Member
  • Pip
  • 9 posts

Posted 14 July 2004 - 02:33 PM

Logfile of HijackThis v1.98.0
Scan saved at 1:32:32 PM, on 7/14/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\Program Files\CasinoOnline\CsRemnd.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\kdx\KHost.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\ContentWatch\Updater\cwupdate.exe
C:\Program Files\ContentWatch\PopupProtect\PP.exe
C:\Program Files\AzureBay\AzureBay Screen Saver\WPChanger.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Wendy Henson\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\WENDYH~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\WENDYH~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\WENDYH~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\WENDYH~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\WENDYH~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\WENDYH~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {D507C3C5-4307-49B6-928F-BACE36468C23} - C:\WINDOWS\System32\fhcg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [NAV CfgWiz] C:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [Remndr] "C:\Program Files\CasinoOnline\CsRemnd.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\Run: [CWU_AutoStartup] C:\Program Files\ContentWatch\Updater\cwupdate.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: PopupProtect.lnk = C:\Program Files\ContentWatch\PopupProtect\PP.exe
O4 - Global Startup: Register.lnk = C:\Program Files\AzureBay\AzureBay Screen Saver\Register.exe
O4 - Global Startup: WPChanger.lnk = C:\Program Files\AzureBay\AzureBay Screen Saver\WPChanger.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O13 - DefaultPrefix:
O13 - Mosaic Prefix: c:\searchpage.html?page=
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {234B7457-1A7E-4268-BA71-9936F0C78BEC} (ContentCleanup3X Control) - http://www.contentwa...eanup3Proj1.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot....ownload/kdx.cab
O18 - Filter: text/html - {061CFE1B-EEE9-463E-9373-BB8ABC7C662B} - C:\WINDOWS\System32\fhcg.dll
O18 - Filter: text/plain - {061CFE1B-EEE9-463E-9373-BB8ABC7C662B} - C:\WINDOWS\System32\fhcg.dll

#7 pullinghairout

pullinghairout

    New Member

  • Authentic Member
  • Pip
  • 9 posts

Posted 14 July 2004 - 02:34 PM

-- Scan 1 -------- About:Buster Version 1.27 Error Removing! : C:\WINDOWS\System32\fhcg.dll Attempted Clean Of Temp folder. Pages Reset... Done!

#8 little eagle

little eagle

    spyware hawk

  • Visiting Fellow
  • PipPipPipPipPipPip
  • 8,968 posts
  • Interests:spyware

Posted 15 July 2004 - 07:50 AM

Please run CWShredder. Once downloaded, open it and hit the "Fix ->" button.
Wait while it scans your PC. It will then list what you're infected with. Hit "Next" Again and you're finished.
Reboot your PC and post a new log.


Make sure that you have all windows closed but CWShredder when you run it.

#9 pullinghairout

pullinghairout

    New Member

  • Authentic Member
  • Pip
  • 9 posts

Posted 15 July 2004 - 01:41 PM

Logfile of HijackThis v1.98.0
Scan saved at 12:37:29 PM, on 7/15/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\Program Files\CasinoOnline\CsRemnd.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\kdx\KHost.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\ContentWatch\Updater\cwupdate.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\ContentWatch\PopupProtect\PP.exe
C:\Program Files\AzureBay\AzureBay Screen Saver\WPChanger.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Wendy Henson\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\WENDYH~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\WENDYH~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\WENDYH~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\WENDYH~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\WENDYH~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\WENDYH~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {C2D55BBD-A2C4-4C76-80FD-15192969E0E5} - C:\WINDOWS\System32\fhcg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [NAV CfgWiz] C:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [Remndr] "C:\Program Files\CasinoOnline\CsRemnd.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\Run: [CWU_AutoStartup] C:\Program Files\ContentWatch\Updater\cwupdate.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: PopupProtect.lnk = C:\Program Files\ContentWatch\PopupProtect\PP.exe
O4 - Global Startup: Register.lnk = C:\Program Files\AzureBay\AzureBay Screen Saver\Register.exe
O4 - Global Startup: WPChanger.lnk = C:\Program Files\AzureBay\AzureBay Screen Saver\WPChanger.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O13 - DefaultPrefix:
O13 - Mosaic Prefix: c:\searchpage.html?page=
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {234B7457-1A7E-4268-BA71-9936F0C78BEC} (ContentCleanup3X Control) - http://www.contentwa...eanup3Proj1.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot....ownload/kdx.cab
O18 - Filter: text/html - {7B555E9E-304A-4F94-AED9-8FE235FC7805} - C:\WINDOWS\System32\fhcg.dll
O18 - Filter: text/plain - {7B555E9E-304A-4F94-AED9-8FE235FC7805} - C:\WINDOWS\System32\fhcg.dll

Hey btw thank you so much for helping me. please continue to help. Your aide is so greatly appreciated

#10 little eagle

little eagle

    spyware hawk

  • Visiting Fellow
  • PipPipPipPipPipPip
  • 8,968 posts
  • Interests:spyware

Posted 16 July 2004 - 06:20 AM

http://www.pandasoft...x?idvirus=48563
Please try the link above.

Then start off by closing all programs and clearing IE Cache, TEMP, etc. Instructions here

Next, run disk defragmenter on your HD containing your WINDOWS directory. It will stop and say that it couldn't continue due to a certain file. This is the infected file. (eg. wmd.dll) Post back if disk defragmenter does not run with the name of the file and a new log.

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users