COOLWWWSEARCH.AFF.WINSHOW Reloads Itself Endlessly.

Unread postby rcobb5am7 » January 8th, 2006, 10:56 am

I am running Win 98SE (updated on the Microsoft site) and Netscape 6.2 with a dialup connection. I have used Ad-Aware (only "non-negligible" items found), SpyBot (Coolwwwsearch.aff.winshow is regularly found and removed, only to reappear again) and AVG antivirus (no viruses found).

Please advise how to eliminate COOLWWWSEARCH.AFF.WINSHOW.

Below is my HijackThis log.

Thanks. rcobb5am7

Logfile of HijackThis v1.99.0
Scan saved at 1:21:25 PM, on 1/6/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2919.6304)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\HPBPRO.EXE
C:\WINDOWS\SYSTEM\HPBOID.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\THINKPAD\TPHKMGR.EXE
C:\WINDOWS\SYSTEM\DAEMON.EXE
C:\CFGSAFE\AUTOCHK.EXE
C:\THINKPAD\TPONSCR.EXE
C:\WINDOWS\SYSTEM\IBMBAYSN.EXE
C:\THINKPAD\TP98.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
C:\PROGRAM FILES\EARTHLINK 5.0\CONMGR.EXE
C:\PROGRAM FILES\FREERAM XP PRO 1.40.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\NETSCAPE\NETSCAPE 6\NETSCP6.EXE
C:\WINDOWS\EXPLORER.EXE
C:\MY DOWNLOAD FILES\HIJACK THIS LOGS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/m ... earch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/partner/more/m ... earch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/m ... earch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/search/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/search/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.earthlink.net/partner/more/m ... earch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://start.earthlink.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by EarthLink Network, Inc.
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [TpHotkey] C:\THINKPAD\tphkmgr.exe
O4 - HKLM\..\Run: [TrackPointSrv] daemon.exe
O4 - HKLM\..\Run: [ConfigSafe] C:\CFGSAFE\AUTOCHK.EXE
O4 - HKLM\..\Run: [IBMUltraBayHotSwapSound] c:\windows\SYSTEM\IBMBAYSN.EXE
O4 - HKLM\..\Run: [TP98UTIL] C:\THINKPAD\TP98.EXE /s
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\Run: [ConMgr.exe] "C:\PROGRAM FILES\EARTHLINK 5.0\CONMGR.EXE"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [HP Port Resolver] C:\WINDOWS\SYSTEM\hpbpro.exe
O4 - HKLM\..\RunServices: [HP Status Server] C:\WINDOWS\SYSTEM\hpboid.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\PROGRAM FILES\FREERAM XP PRO 1.40.EXE" -win
O4 - Startup: Iomega Startup Options.lnk = C:\Tools_95\IMGSTART.EXE
O4 - User Startup: Iomega Startup Options.lnk = C:\Tools_95\IMGSTART.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

Unread postby Linkmaster » January 8th, 2006, 12:16 pm

Hi rcobb5am7, welcome to Malware Removal!

Where does Spybot say the file is located?

Can you post the Spybot log for me, so we can see where to go from here?

Thanks 8)

Re: COOLWWWSEARCH.AFF.WINSHOW Reloads Itself Endlessly.

Unread postby rcobb5am7 » January 9th, 2006, 10:43 am

Hello Linkmaster,
I appreciate the welcoming response!
SpyBot indicates the file is a "Bad Favorite (File, nothing done)":
C:\WINDOWS\Favorites\Search the Web.url
I will post the SpyBot report below, though there doesn't seem to be enough available space to include all of it.
Thanks. rcobb5am7


--- Search result list ---
CoolWWWSearch.Aff.Winshow: Bad Favorite (File, nothing done)
C:\WINDOWS\Favorites\Search the Web.url


--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-08-19 unins000.exe (51.41.0.0)
2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2005-05-31 Update.exe (1.4.0.0)
2005-05-31 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2005-05-31 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2005-12-30 Includes\Cookies.sbi (*)
2005-12-30 Includes\Dialer.sbi (*)
2005-12-30 Includes\Hijackers.sbi (*)
2005-12-30 Includes\Keyloggers.sbi (*)
2005-12-30 Includes\Malware.sbi (*)
2005-12-30 Includes\Revision.sbi (*)
2005-12-30 Includes\Security.sbi (*)
2005-12-30 Includes\Spybots.sbi (*)
2005-12-30 Includes\Trojans.sbi (*)
2005-02-17 Includes\Tracks.uti
2005-12-30 Includes\PUPS.sbi (*)



--- System information ---
Windows 98 (Build: 2222) A
/ DirectX: Windows Update 904706
/ Windows Media Player: Windows Media Update 885492
/ DataAccess: Buffer Overrun in Microsoft Data Access Components Could Lead to Code Execution


--- Startup entries list ---
Located: HK_LM:Run, AVG7_AMSVR
command: C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
file: C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
size: 318976
MD5: f23275b6104732688be895112adbacd4

Located: HK_LM:Run, AVG7_CC
command: C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
file: C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE
size: 338432
MD5: 4e87855221e91513647dda62db6b7f6f

Located: HK_LM:Run, AVG7_EMC
command: C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
file: C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
size: 263680
MD5: 9599c15e10b16738a3b9402ad22a90f5

Located: HK_LM:Run, ConfigSafe
command: C:\CFGSAFE\AUTOCHK.EXE
file: C:\CFGSAFE\AUTOCHK.EXE
size: 10784
MD5: 7fc96cde47efc5951a725d4d03bd61b2

Located: HK_LM:Run, ConMgr.exe
command: "C:\PROGRAM FILES\EARTHLINK 5.0\CONMGR.EXE"
file: C:\PROGRAM FILES\EARTHLINK 5.0\CONMGR.EXE
size: 290816
MD5: 770f202d5ff88b646c6b936038e3bd78

Located: HK_LM:Run, IBMUltraBayHotSwapSound
command: c:\windows\SYSTEM\IBMBAYSN.EXE
file: c:\windows\SYSTEM\IBMBAYSN.EXE
size: 29696
MD5: 1d74317be3f67616d3f804937bf96031

Located: HK_LM:Run, NAV DefAlert
command: C:\PROGRA~1\NORTON~1\DEFALERT.EXE
file: C:\PROGRA~1\NORTON~1\DEFALERT.EXE
size: 53248
MD5: 235bfe081b7bef048eb36df309d22039

Located: HK_LM:Run, Norton Auto-Protect
command: C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
file: C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
size: 49152
MD5: fc34fa5d1906faab6abfe2ff0b4df397

Located: HK_LM:Run, Norton eMail Protect
command: C:\Program Files\Norton AntiVirus\POPROXY.EXE
file: C:\Program Files\Norton AntiVirus\POPROXY.EXE
size: 77824
MD5: 192511d27a93d7b0d3f1ce9353d45af2

Located: HK_LM:Run, ScanRegistry
command: c:\windows\scanregw.exe /autorun
file: c:\windows\scanregw.exe
size: 86016
MD5: f123231689e2ab2fa5c636b99314501f

Located: HK_LM:Run, SoundFusion
command: RunDll32 cwcprops.cpl,CrystalControlWnd
file:

Located: HK_LM:Run, SystemTray
command: SysTray.Exe
file: C:\WINDOWS\SYSTEM\SysTray.Exe
size: 27648
MD5: c7e1448ef194081ca615b2601e9751fd

Located: HK_LM:Run, TP98UTIL
command: C:\THINKPAD\TP98.EXE /s
file: C:\THINKPAD\TP98.EXE
size: 170496
MD5: c0dbd1c2088e04adb28f85b9161d4fc2

Located: HK_LM:Run, TpHotkey
command: C:\THINKPAD\tphkmgr.exe
file: C:\THINKPAD\tphkmgr.exe
size: 34304
MD5: 97826a429ede9d6d3f5968c2926761e8

Located: HK_LM:Run, TrackPointSrv
command: daemon.exe
file: C:\WINDOWS\SYSTEM\daemon.exe
size: 183296
MD5: 417460d53a9134fcc971157fac4b8472

Located: HK_LM:RunServices, HP Port Resolver
command: C:\WINDOWS\SYSTEM\hpbpro.exe
file: C:\WINDOWS\SYSTEM\hpbpro.exe
size: 77824
MD5: b262b25f76e16bfc4601e1456e05b759

Located: HK_LM:RunServices, HP Status Server
command: C:\WINDOWS\SYSTEM\hpboid.exe
file: C:\WINDOWS\SYSTEM\hpboid.exe
size: 61440
MD5: 3e99ffcedc39d8d57bae6f1754bef6f9

Located: HK_LM:RunServices, KB891711
command: c:\windows\SYSTEM\KB891711\KB891711.EXE
file: c:\windows\SYSTEM\KB891711\KB891711.EXE
size: 9088
MD5: cbd841775a04e82b2828fc301aafee70

Located: HK_LM:RunServices, SchedulingAgent
command: mstask.exe
file: C:\WINDOWS\SYSTEM\mstask.exe
size: 110352
MD5: 368b7f9d87e507c0b2924e86a579508b

Located: HK_LM:RunServices, ScriptBlocking
command: "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
file: C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe
size: 54408
MD5: 3db0459e2661531bfe88ae0a182d019a

Located: HK_LM:Run, ConMgr.exe (DISABLED)
command: "C:\PROGRAM FILES\EARTHLINK 5.0\CONMGR.EXE"
file: C:\PROGRAM FILES\EARTHLINK 5.0\CONMGR.EXE
size: 290816
MD5: 770f202d5ff88b646c6b936038e3bd78

Located: HK_LM:Run, HP Network Registry Agent (DISABLED)
command: C:\WINDOWS\SYSTEM\hpnra.exe
file: C:\WINDOWS\SYSTEM\hpnra.exe
size: 45056
MD5: c01c859636dd8b9b9e942740b121cbae

Located: HK_LM:Run, HP Proxy Server (DISABLED)
command: C:\Program Files\Hewlett-Packard\ProxyService\ProxyService.lnk
file: C:\Program Files\Hewlett-Packard\ProxyService\ProxyService.lnk
size: 525
MD5: f3bb0182141795eba4ce0fd0a655f080

Located: HK_LM:Run, HP Status (DISABLED)
command: C:\WINDOWS\SYSTEM\HPSTATUS.EXE
file: C:\WINDOWS\SYSTEM\HPSTATUS.EXE
size: 106496
MD5: d233f3864b52909b440e6ad45da47cd4

Located: HK_LM:Run, IrMon (DISABLED)
command: IrMon.exe
file: C:\WINDOWS\SYSTEM\IrMon.exe
size: 135168
MD5: 06607bd392a972f46a26b323edd733d3

Located: HK_LM:Run, LoadPowerProfile (DISABLED)
command: Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
file: C:\WINDOWS\Rundll32.exe
size: 24576
MD5: 3857d93aa630abbd63467db4aeffce2c

Located: HK_LM:Run, LTWinModem1 (DISABLED)
command: ltmsg.exe 9
file: C:\WINDOWS\SYSTEM\ltmsg.exe
size: 104448
MD5: b10f8406b080b4a5fead923398ed2582

Located: HK_LM:Run, LTWinModem3 (DISABLED)
command: ltmsg.exe 7
file: C:\WINDOWS\SYSTEM\ltmsg.exe
size: 104448
MD5: b10f8406b080b4a5fead923398ed2582

Located: HK_LM:Run, QuickTime Task (DISABLED)
command: "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
file: C:\WINDOWS\SYSTEM\QTTASK.EXE
size: 98304
MD5: 76a3a30b58405c2c6d833895253a51a9

Located: HK_LM:Run, StillImageMonitor (DISABLED)
command: C:\WINDOWS\SYSTEM\STIMON.EXE
file: C:\WINDOWS\SYSTEM\STIMON.EXE
size: 114688
MD5: 3a395315c2d9e63c0ce4704afa404ffa

Located: HK_LM:Run, TaskMonitor (DISABLED)
command: c:\windows\taskmon.exe
file: c:\windows\taskmon.exe
size: 28672
MD5: f795110611101279aa15997801abaca0

Located: HK_LM:RunServices, LoadPowerProfile (DISABLED)
command: Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
file: C:\WINDOWS\Rundll32.exe
size: 24576
MD5: 3857d93aa630abbd63467db4aeffce2c

Located: HK_LM:RunServices, SchedulingAgent (DISABLED)
command: mstask.exe
file: C:\WINDOWS\SYSTEM\mstask.exe
size: 110352
MD5: 368b7f9d87e507c0b2924e86a579508b

Located: HK_CU:Run, FreeRAM XP
command: "C:\PROGRAM FILES\FREERAM XP PRO 1.40.EXE" -win
file: C:\PROGRAM FILES\FREERAM XP PRO 1.40.EXE
size: 1353728
MD5: 73900e227172cd8579d05f66d3fb7678

Located: Startup (user), Iomega Startup Options.lnk
command: C:\Tools_95\IMGSTART.EXE
file: C:\Tools_95\IMGSTART.EXE
size: 14848
MD5: 092d95609e0a55d7150b6a270a20b571



--- Browser helper object list ---
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
BHO name:
CLSID name: AcroIEHlprObj Class
description: Adobe Acrobat reader
classification: Legitimate
known filename: AcroIEhelper.ocx / AcroIEhelper.dll
info link: http://www.adobe.com/products/acrobat/readstep2.html
info source: TonyKlein
Path: C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\
Long name: AcroIEHelper.dll
Short name: ACROIE~1.DLL
Date (created): 11/3/03 2:17:44 PM
Date (last access): 1/9/06
Date (last write): 11/3/03 2:17:44 PM
Filesize: 54248
Attributes: archive
MD5: FC7850324464E4D19A24A03D882B5CC4
CRC32: 452E8571
Version: 6.0.1.1091

{53707962-6F74-2D53-2644-206D7942484F} ()
BHO name:
CLSID name:
description: Spybot-S&D IE Browser plugin
classification: Legitimate
known filename: SDhelper.dll
info link: http://spybot.eon.net.au/
info source: Patrick M. Kolla
Path: C:\PROGRA~1\SPYBOT~1\
Long name: SDHelper.dll
Short name: SDHELPER.DLL
Date (created): 8/19/05 4:26:14 PM
Date (last access): 1/9/06
Date (last write): 5/31/05 1:04:00 AM
Filesize: 853672
Attributes: archive
MD5: 250D787A5712D7768DDC133B3E477759
CRC32: D4589A41
Version: 1.4.0.0



--- ActiveX list ---
Microsoft XML Parser for Java (Microsoft XML Parser for Java)
DPF name: Microsoft XML Parser for Java
CLSID name:
Installer:
Codebase:
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\xmldso.cab
info link:
info source: Patrick M. Kolla

DirectAnimation Java Classes (DirectAnimation Java Classes)
DPF name: DirectAnimation Java Classes
CLSID name:
Installer:
Codebase:
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\dajava.cab
info link:
info source: Patrick M. Kolla

Internet Explorer Classes for Java (Internet Explorer Classes for Java)
DPF name: Internet Explorer Classes for Java
CLSID name:
Installer:
Codebase:
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\iejava.cab
info link:
info source: Patrick M. Kolla

{00000161-0000-0010-8000-00AA00389B71} ()
DPF name:
CLSID name:
Installer: C:\WINDOWS\Downloaded Program Files\msaudio.inf
Codebase: http://codecs.microsoft.com/codecs/i386/msaudio.cab
description: Microsoft Audio Codec
classification: Legitimate
known filename: MSAUDIO.CAB
info link:
info source: Patrick M. Kolla

{3334504D-0000-0010-8000-00AA00389B71} ()
DPF name:
CLSID name:
Installer: C:\WINDOWS\Downloaded Program Files\mpeg4ax.inf
Codebase: http://codecs.microsoft.com/codecs/i386/mpeg4ax.cab
description: Microsoft MPEG4 Video Codec
classification: Legitimate
known filename: MPEG4AX.CAB
info link:
info source: Patrick M. Kolla

{8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.3.1_02)
DPF name: Java Runtime Environment 1.3.1_02
CLSID name: Java Plug-in 1.3.1_02
Installer:
Codebase: http://java.sun.com/products/plugin/1.3 ... 02-win.cab
description: Sun Java
classification: Legitimate
known filename: %PROGRAM FILES%\JabaSoft\JRE\*\Bin\npjava131.dll
info link:
info source: Patrick M. Kolla
Path: C:\Program Files\JavaSoft\JRE\1.3.1_02\bin\
Long name: NPJava131_02.dll
Short name: NPJAVA~1.DLL
Date (created): 1/28/04 6:55:20 AM
Date (last access): 1/9/06
Date (last write): 11/26/01 10:24:30 PM
Filesize: 53338
Attributes: archive
MD5: CAFFD6C4A881EB5E8AEDE346343C2796
CRC32: 2E8A0377
Version: 1.3.1.2

{CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.3.1)
DPF name: Java Runtime Environment 1.3.1
CLSID name: Java Plug-in 1.3.1
Installer:
Codebase: http://java.sun.com/products/plugin/1.3 ... 31-win.cab
description: Sun Java
classification: Legitimate
known filename: %PROGRAM FILES%\JabaSoft\JRE\*\Bin\npjava131.dll
info link:
info source: Patrick M. Kolla
Path: C:\Program Files\JavaSoft\JRE\1.3.1\bin\
Long name: NPJava131.dll
Short name: NPJAVA~1.DLL
Date (created): 12/5/02 3:33:40 PM
Date (last access): 1/9/06
Date (last write): 5/6/01 11:14:22 AM
Filesize: 53338
Attributes: archive
MD5: 8D7694975F0E5C1F153AADD68A460887
CRC32: 2AD23CCB
Version: 1.3.1.0

{33564D57-9980-0010-8000-00AA00389B71} ()
DPF name:
CLSID name:
Installer: C:\WINDOWS\Downloaded Program Files\wmv9dmo.inf
Codebase: http://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
description: Microsoft WMV Video Codec
classification: Legitimate
known filename: WMV9DMO.CAB
info link:
info source: Patrick M. Kolla

{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.3.1_02)
DPF name: Java Runtime Environment 1.3.1_02
CLSID name: Java Plug-in 1.3.1_02
Installer:
Codebase: http://java.sun.com/products/plugin/1.3 ... 02-win.cab
description:
classification: Legitimate
known filename: npjava131_02.dll
info link:
info source: Safer Networking Ltd.
Path: C:\Program Files\JavaSoft\JRE\1.3.1_02\bin\
Long name: NPJava131_02.dll
Short name: NPJAVA~1.DLL
Date (created): 1/28/04 6:55:20 AM
Date (last access): 1/9/06
Date (last write): 11/26/01 10:24:30 PM
Filesize: 53338
Attributes: archive
MD5: CAFFD6C4A881EB5E8AEDE346343C2796
CRC32: 2E8A0377
Version: 1.3.1.2

{9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class)
DPF name:
CLSID name: Update Class
Installer: C:\WINDOWS\Downloaded Program Files\iuctl.inf
Codebase: http://v4.windowsupdate.microsoft.com/C ... 5807638889
description: Windows Update
classification: Legitimate
known filename: %WINDIR%\System32\iuctl.dll,iuengine.dll
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\SYSTEM\
Long name: iuctl.dll
Short name: IUCTL.DLL
Date (created): 8/21/03 4:47:54 PM
Date (last access): 1/9/06
Date (last write): 8/21/03 4:47:54 PM
Filesize: 162400
Attributes:
MD5: DB2F1F57D3057FEBC19C61AB9AA77198
CRC32: 5A03D776
Version: 5.3.3790.13

{3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine)
DPF name:
CLSID name: Office Update Installation Engine
Installer: C:\WINDOWS\Downloaded Program Files\opuc.inf
Codebase: http://office.microsoft.com/officeupdat ... /opuc3.cab
description:
classification: Legitimate
known filename: opuc.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\
Long name: opuc.dll
Short name: OPUC.DLL
Date (created): 11/17/05 11:12:26 PM
Date (last access): 1/9/06
Date (last write): 11/17/05 11:12:26 PM
Filesize: 533504
Attributes:
MD5: 24F3058766D5FC3FD0F37F6D6EE6FE9B
CRC32: F1FAEDE3
Version: 12.0.3208.1014



--- Process list ---
PID: -3166265 (2121260491) C:\WINDOWS\SYSTEM\KERNEL32.DLL
size: 471040
MD5: 375B0813980AE17DCC689E913AB9DD7B
PID: -34625 (-3166265) C:\WINDOWS\SYSTEM\MSGSRV32.EXE
size: 11920
MD5: 15020A139F22CDBF9C70AA8D80F6AE0E
PID: -36793 (-34625) C:\WINDOWS\SYSTEM\SPOOL32.EXE
size: 45056
MD5: DB3BEE092F0E90CF799D69F99C001DAE
PID: -59329 (-36793) C:\WINDOWS\SYSTEM\MPREXE.EXE
size: 28672
MD5: 562D04789250A81CE629D60646A0D191
PID: -80513 (-59329) C:\WINDOWS\SYSTEM\HPBPRO.EXE
size: 77824
MD5: B262B25F76E16BFC4601E1456E05B759
PID: -70361 (-59329) C:\WINDOWS\SYSTEM\HPBOID.EXE
size: 61440
MD5: 3E99FFCEDC39D8D57BAE6F1754BEF6F9
PID: -72041 (-59329) C:\WINDOWS\SYSTEM\MSTASK.EXE
size: 110352
MD5: 368B7F9D87E507C0B2924E86A579508B
PID: -110857 (-59329) c:\windows\SYSTEM\KB891711\KB891711.EXE
size: 9088
MD5: CBD841775A04E82B2828FC301AAFEE70
PID: -105017 (-70361) C:\WINDOWS\SYSTEM\RPCSS.EXE
size: 20480
MD5: CE9C4007585F538F769CC80F01D09D33
PID: -79829 (-34625) C:\WINDOWS\SYSTEM\mmtask.tsk
size: 1184
MD5: 38BAE36E67C8B1AE3ABC077837953B89
PID: -156969 (-34625) C:\WINDOWS\EXPLORER.EXE
size: 180224
MD5: B22B28F61B1BB06723019307F0FAACFC
PID: -129925 (-156969) C:\WINDOWS\SYSTEM\SYSTRAY.EXE
size: 27648
MD5: C7E1448EF194081CA615B2601E9751FD
PID: -177305 (-156969) C:\WINDOWS\RUNDLL32.EXE
size: 24576
MD5: 3857D93AA630ABBD63467DB4AEFFCE2C
PID: -189333 (-156969) C:\THINKPAD\TPHKMGR.EXE
size: 34304
MD5: 97826A429EDE9D6D3F5968C2926761E8
PID: -193137 (-156969) C:\WINDOWS\SYSTEM\DAEMON.EXE
size: 183296
MD5: 417460D53A9134FCC971157FAC4B8472
PID: -180449 (-156969) C:\CFGSAFE\AUTOCHK.EXE
size: 10784
MD5: 7FC96CDE47EFC5951A725D4D03BD61B2
PID: -187273 (-156969) C:\WINDOWS\SYSTEM\IBMBAYSN.EXE
size: 29696
MD5: 1D74317BE3F67616D3F804937BF96031
PID: -204953 (-189333) C:\THINKPAD\TPONSCR.EXE
size: 50176
MD5: 558ACFCF6994E5B239E193A95995D0EF
PID: -114477 (-156969) C:\THINKPAD\TP98.EXE
size: 170496
MD5: C0DBD1C2088E04ADB28F85B9161D4FC2
PID: -176401 (-156969) C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
size: 49152
MD5: FC34FA5D1906FAAB6ABFE2FF0B4DF397
PID: -240901 (-156969) C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
size: 77824
MD5: 192511D27A93D7B0D3F1CE9353D45AF2
PID: -289305 (-156969) C:\PROGRAM FILES\EARTHLINK 5.0\CONMGR.EXE
size: 290816
MD5: 770F202D5FF88B646C6B936038E3BD78
PID: -184413 (-156969) C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
size: 338432
MD5: 4E87855221E91513647DDA62DB6B7F6F
PID: -296517 (-156969) C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
size: 263680
MD5: 9599C15E10B16738A3B9402AD22A90F5
PID: -324237 (-156969) C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
size: 318976
MD5: F23275B6104732688BE895112ADBACD4
PID: -318981 (-156969) C:\PROGRAM FILES\FREERAM XP PRO 1.40.EXE
size: 1353728
MD5: 73900E227172CD8579D05F66D3FB7678
PID: -396981 (-129925) C:\WINDOWS\SYSTEM\WMIEXE.EXE
size: 16384
MD5: 3DFE9CA6728C02CCD8309DC66B1DFEB1
PID: -514849 (-289305) C:\WINDOWS\SYSTEM\RNAAPP.EXE
size: 45056
MD5: 04F808EF7BEF391DEAE249EEEB7947E3
PID: -538821 (-514849) C:\WINDOWS\SYSTEM\TAPISRV.EXE
size: 122880
MD5: E411A84B98C3A2CB4CA23B9FFE772F80
PID: -562081 (-499741) C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\NETSCAPE.EXE
size: 5619616
MD5: DCBB8A5DD8EA8B9C4F6D704FB20D54BC
PID: -578253 (-156969) C:\PROGRAM FILES\NETSCAPE\NETSCAPE 6\NETSCP6.EXE
size: 380928
MD5: B40A5FEDE541D72D91E53C95A1D9028D
PID: -554257 (-156969) C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\SPYBOTSD.EXE
size: 4393096
MD5: 09CA174A605B480318731E691DC98539


--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 1/9/06 8:37:51 AM

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\SYSTEM\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.earthlink.net/partner/more/m ... earch.html
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar
http://www.earthlink.net/partner/more/m ... earch.html
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://start.earthlink.net/
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://start.earthlink.net/
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://www.earthlink.net/partner/more/m ... earch.html
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\First Home Page
http://start.earthlink.net/
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.earthlink.net/search/
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Bar
http://www.earthlink.net/search/
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://start.earthlink.net/
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://start.earthlink.net/
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://www.earthlink.net/search/
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://www.earthlink.net/partner/more/m ... earch.html
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm


--- Winsock Layered Service Provider list ---
Protocol 0: MS.w95.spi.osp
GUID: {FF017DE1-CAE9-11CF-8A99-00AA0062C609}
Filename: c:\windows\SYSTEM\mswsosp.dll
Description: Microsoft Windows 9x/ME name space provider
DB filename: %windir%\system\mswsosp.dll
DB protocol: MS.w95.spi.*

Protocol 1: MS.w95.spi.tcp
GUID: {FF017DE0-CAE9-11CF-8A99-00AA0062C609}
Filename: c:\windows\SYSTEM\msafd.dll
Description: Microsoft Windows 9x/ME network protocol
DB filename: %windir%\system\msafd.dll
DB protocol: MS.w95.spi.*

Protocol 2: MS.w95.spi.udp
GUID: {FF017DE0-CAE9-11CF-8A99-00AA0062C609}
Filename: c:\windows\SYSTEM\msafd.dll
Description: Microsoft Windows 9x/ME network protocol
DB filename: %windir%\system\msafd.dll
DB protocol: MS.w95.spi.*

Protocol 3: MS.w95.spi.raw
GUID: {FF017DE0-CAE9-11CF-8A99-00AA0062C609}
Filename: c:\windows\SYSTEM\msafd.dll
Description: Microsoft Windows 9x/ME network protocol
DB filename: %windir%\system\msafd.dll
DB protocol: MS.w95.spi.*

Protocol 4: MS.w95.spi.rsvptcp
GUID: {ECBDCBA0-334A-11D0-BD88-0000C082E69A}
Filename: c:\windows\SYSTEM\rsvpsp.dll
Description: Microsoft Windows 9x/ME network protocol
DB filename: %windir%\system\rsvoso.dll
DB protocol: MS.w95.spi.*

Protocol 5: MS.w95.spi.rsvpudp
GUID: {ECBDCBA0-334A-11D0-BD88-0000C082E69A}
Filename: c:\windows\SYSTEM\rsvpsp.dll
Description: Microsoft Windows 9x/ME network protocol
DB filename: %windir%\system\rsvoso.dll
DB protocol: MS.w95.spi.*

Namespace Provider 0: DNS Name Space Provider.
GUID: {FF017DE2-CAE9-11CF-8A99-00AA0062C609}
Filename: c:\windows\SYSTEM\rnr20.dll
Description: Microsoft Windows 9x/ME name space provider
DB filename: %windir%\system\rnr20.dll
DB protocol: DNS Name Space Provider.



--- Uninstall list ---
(DXM_Runtime)

(ICW)

Microsoft Internet Explorer 5 and Internet Tools (IE40)
uninstall cmd: rundll32 setupwbv.dll,IE5Maintenance "C:\Program Files\Internet Explorer\Setup\SETUP.EXE" /g "C:\WINDOWS\IE Uninstall Log.Txt"

(DirectDrawEx)

(IE5BAKEX)

(SchedulingAgent)

(MobileOptionPack)

(MSJavaVM)

(MSTASK)

(VGX)

(MSWALLET)

(ComicChat)

NetMeeting 3.0 (NetMeeting)

Microsoft Outlook Express 5 (OutlookExpress)
uninstall cmd: "C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /UNINSTALL /PROMPT

(AddressBook)
uninstall cmd: "C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /UNINSTALL /PROMPT

(WebPost)

(Branding)

ThinkPad Configuration (ThinkPad Configuration)
uninstall cmd: C:\WINDOWS\IsUninst.exe -fC:\THINKPAD\Uninst.isu -cC:\THINKPAD\tpinst32.dll

IBM TrackPoint Support (TrackPoint)
uninstall cmd: rundll setupx.dll,InstallHinfSection DefaultUninstall 132 c:\windows\INF\tp4.inf

Access ThinkPad (Access ThinkPad)
uninstall cmd: C:\WINDOWS\uninst.exe -f"C:\Ibmtools\Access ThinkPad\DeIsL1.isu" -c"C:\Ibmtools\Access ThinkPad\bin\AccUtils.dll

ConfigSafe (ConfigSafe)
uninstall cmd: C:\WINDOWS\ILUNINST.EXE C:\CFGSAFE

IBM Update Connector (IBM Update Connector)
uninstall cmd: "C:\IBMTOOLS\UPDATER\JRE\bin\jre.exe" -cp "c:\IBMTOOLS\UPDATER" uninstall -idb "c:\IBMTOOLS\UPDATER\install.idb"

IBM Global Network Dialer (IBM Global Network Dialer)
uninstall cmd: C:\PROGRA~1\IBMGLO~1\UNWISE.EXE C:\PROGRA~1\IBMGLO~1\INSTALL.LOG "IBM Global Network Dialer"

PC-Doctor for Windows (PCDoctor)
uninstall cmd: C:\WINDOWS\UNWISE.EXE C:\PROGRA~1\PC-DOC~1\INSTALL.LOG

ThinkPad on the Net (ThinkPad on the Net)
uninstall cmd: C:\WINDOWS\uninst.exe -fC:\ibmtools\thinknet\DeIsL1.isu

ThinkPad UltraBay Hot/Warm Swap Driver (IBMBAY)
uninstall cmd: RunDll setupx.dll,InstallHinfSection Uninstall_ubay 2 c:\windows\INF\ibmbay.inf

Norton AntiVirus 2001 (Norton AntiVirus)
uninstall cmd: "C:\WINDOWS\NAVUSTUB.EXE" C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Norton AntiVirus\nav95.isu" -c"C:\Program Files\Norton AntiVirus\NAVINS95.DLL"

RingCentral Fax (RingCentral Fax)
uninstall cmd: C:\PROGRA~1\RZS\RCPRO\uninst\rc_unins.exe -fC:\PROGRA~1\RZS\RCPRO\uninst\rc_unins.ins

Intel SpeedStep technology Applet (Intel SpeedStep technology Applet)
uninstall cmd: C:\WINDOWS\IsUninst.exe -f"C:\WINDOWS\SYSTEM\Intel(R) SpeedStep(TM) technology Applet.isu"

(Chl99)

DVDExpress (DVD Express A/V Pak)
uninstall cmd: C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Mediamatics\DVDExpress\Uninst.isu"

Iomega Tools for Windows 95 (Iomega95)
uninstall cmd: C:\WINDOWS\uninst.exe -fC:\Tools_95\DeIsL1.isu -c"C:\Tools_95\Uninst.dll

Visioneer PaperPort 5.1 (Visioneer PaperPort 5.1)
uninstall cmd: C:\PAPRPORT\UnInstal.exe C:\WINDOWS\uninst.exe -fC:\PAPRPORT\DATA\DeIsL1.isu

Quicken Deluxe 98 (Quicken Deluxe 98)
uninstall cmd: C:\WINDOWS\uninst.exe -fC:\QUICKENW\DeIsL1.isu

Microsoft Office 97, Professional Edition (Office8.0)
uninstall cmd: C:\Program Files\Microsoft Office\Office\Setup\Acme.exe /w Off97Pro.STF

LiveReg (Symantec Corporation) 2.1.5.1502 (LiveReg)
install location: C:\Program Files\Common Files\Symantec Shared\LiveReg
uninstall cmd: C:\Program Files\Common Files\Symantec Shared\LiveReg\VCSETUP.EXE /REMOVE
publisher: Symantec Corporation

Rescue Disk (Norton Rescue)

(fontcore)

(IEData)

(IE4Data)

(IE_EXTRA)

(ICWIconFix)

(ShockwaveFlash)

QuickTime (QuickTime)
uninstall cmd: C:\WINDOWS\unvise32qt.exe C:\WINDOWS\SYSTEM\QuickTime\Uninstall.log

EarthLink 5.0 (EarthLink 5.0)
uninstall cmd: C:\Program Files\EarthLink 5.0\EUNINSTALL.EXE /UC:\Program Files\EarthLink 5.0\SETUP.CFG

National Geographic Maps (Any files created by the program will be left on your system.) (Uninstall National Geographic Maps)
uninstall cmd: C:\WINDOWS\uninst.exe -fC:\NGMAPS\DeIsL1.isu

Adobe Acrobat 5.0 5.0 (Adobe Acrobat 5.0)
version (major): 5
install location: C:\Program Files\Adobe\Acrobat 5.0
uninstall cmd: C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\98\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\98\Uninst.dll"
publisher: Adobe Systems, Inc.
help link: http://www.adobe.com/prodindex/acrobat/main.html

Windows Media Player system update (9 Series) (WMP7)
uninstall cmd: C:\PROGRA~1\WINDOW~1\setup_wm.exe /Uninstall

HP PrecisionScan Pro 3.0 3.0.2.0000 ({22DAFE84-E618-11D3-B2A7-080009FB4A19})
version: 50331650
version (major): 3
estimated size: 71199
install date: 20021204
install source: E:\HPPSPRO\
uninstall cmd: MsiExec.exe /I{22DAFE84-E618-11D3-B2A7-080009FB4A19}
publisher: Hewlett-Packard
help link: http://www.hp.com/cposupport/eschome.html
help telephone: 208-323-2551

Corel Applications (Corel Applications)
uninstall cmd: C:\WINDOWS\Corel\Uninst32.exe

OmniForm 4.0 (OmniForm 4.0)
uninstall cmd: C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Caere\OmniForm\Uninst.isu" -c"C:\Program Files\Caere\OmniForm\OfSetup.dll"

Scan Manager 5.1 5.1 ({81D62C32-0984-11D3-86CD-00105AD33021})
version: 83951616
version (major): 5
version (minor): 1
estimated size: 6307
install date: 20021204
install source: E:\CAERE\OMNIFORM\SCANMGR\
uninstall cmd: MsiExec.exe /I{81D62C32-0984-11D3-86CD-00105AD33021}
publisher: ScanSoft, Inc.

WebShop (WebShop)
uninstall cmd: C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Boomerang Software\WebShop\Uninst.isu"

Data Access Objects (DAO) 3.5 (Data Access Objects (DAO) 3.5)
uninstall cmd: C:\Program Files\Common Files\MICROSOFT SHARED\DAO\Remove.EXE C:\WINDOWS\UNINST.E
rcobb5am7
Regular Member
 
Posts: 15
Joined: January 8th, 2006, 10:47 am
Location: IL

Unread postby Linkmaster » January 9th, 2006, 9:41 pm

You may wish to print out a copy of these instructions to follow while you complete this procedure

I need you to download some programs to aid in our fix: Do Not Run Them Yet

Download and Install CCleaner© by CCleaner.com

Download and Install CWShredder© by Trend Micro Inc.
Update CWShredder
Open CWShredder and click I AGREE
Click Check For Update
Close CWShredder

Show Hidden Files :
Open My Computer
Select the View menu and click Folder Options
Select the View Tab
In the Hidden files section select Show all files
Click OK

Reboot to Safe mode
Restart your computer and immediately begin tapping the F8 key on your keyboard.
If done right a Windows Advanced Options menu will appear.
Select the Safe Mode option and press Enter

Run CWShredder
Open CWShredder and click I AGREE
Click Fix and then Next. Make sure you let it fix all CWS remnants

Run CCleaner
NOTE: CCleaner deletes EVERYTHING out of temp/temporary folders. If you have anything in a temp folder, back it up or move it to a permanent folder prior to running CCleaner

SETUP
Open CCleaner
DO NOT USE THE ISSUES FEATURE!!!!

Select Cleaner (on left)
Windows tab :
Under Internet Explorer, uncheck Cookies if you do not want them deleted. (If deleted, you will likely need to reenter your passwords at all sites where a cookie is used to recognize you when you visit)
If you use either the Firefox or Mozilla browsers, the box to uncheck for Cookies is on the Applications tab, under Firefox/Mozilla

Select Options (on left)
Settings :
All options in this section are Optional. You may check any or all of these depending on your preferences!!
Advanced :
Uncheck "Only delete files in Windows Temp folders older than 48 hours"
Hit OK

Select Cleaner again
Then click on Run Cleaner
Put check in box to not show message again.
It will automatically clean.

Close out CCleaner

Reboot your computer into Normal Mode

Run Panda's ActiveScan and perform a full system scan.
Once you are on the Panda site click the Scan your PC button
A new window will open...click the big Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It will take a couple minutes)
Click on Local Disks to start the scan

Reboot, run HijackThis and post a fresh HijackThis log along with the ActiveScan log here
Linkmaster
MRU Honors Grad Emeritus
 
Posts: 822
Joined: October 7th, 2005, 5:57 am
Location: Arkansas, USA

Re: Coolwwwsearch.aff.winshow

Unread postby rcobb5am7 » January 10th, 2006, 1:31 pm

As requested, after the intermediate steps, here are a fresh HijackThis log and an ActiveScan log:

rcobb5am7
------------------------------
Logfile of HijackThis v1.99.0
Scan saved at 11:14:39 AM, on 1/10/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2919.6304)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\HPBPRO.EXE
C:\WINDOWS\SYSTEM\HPBOID.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\THINKPAD\TPHKMGR.EXE
C:\WINDOWS\SYSTEM\DAEMON.EXE
C:\CFGSAFE\AUTOCHK.EXE
C:\THINKPAD\TPONSCR.EXE
C:\WINDOWS\SYSTEM\IBMBAYSN.EXE
C:\THINKPAD\TP98.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
C:\PROGRAM FILES\EARTHLINK 5.0\CONMGR.EXE
C:\PROGRAM FILES\FREERAM XP PRO 1.40.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\MY DOCUMENTS\HIJACK THIS LOGS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/m ... earch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/partner/more/m ... earch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/m ... earch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/search/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/search/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.earthlink.net/partner/more/m ... earch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by EarthLink Network, Inc.
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [TpHotkey] C:\THINKPAD\tphkmgr.exe
O4 - HKLM\..\Run: [TrackPointSrv] daemon.exe
O4 - HKLM\..\Run: [ConfigSafe] C:\CFGSAFE\AUTOCHK.EXE
O4 - HKLM\..\Run: [IBMUltraBayHotSwapSound] c:\windows\SYSTEM\IBMBAYSN.EXE
O4 - HKLM\..\Run: [TP98UTIL] C:\THINKPAD\TP98.EXE /s
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\Run: [ConMgr.exe] "C:\PROGRAM FILES\EARTHLINK 5.0\CONMGR.EXE"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [HP Port Resolver] C:\WINDOWS\SYSTEM\hpbpro.exe
O4 - HKLM\..\RunServices: [HP Status Server] C:\WINDOWS\SYSTEM\hpboid.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [FreeRAM XP] "C:\PROGRAM FILES\FREERAM XP PRO 1.40.EXE" -win
O4 - Startup: Iomega Startup Options.lnk = C:\Tools_95\IMGSTART.EXE
O4 - User Startup: Iomega Startup Options.lnk = C:\Tools_95\IMGSTART.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab

--------------------------------------


Incident Status Location

Adware:adware/searchaid Not disinfected C:\WINDOWS\Favorites\Search the Web.url
Spyware:Cookie/PayCounter Not disinfected C:\WINDOWS\Application Data\Mozilla\Profiles\boa38\xrejd6k6.slt\cookies.txt[]
Spyware:Cookie/Com.com Not disinfected C:\My Documents\cr5@earthlink.net\Cookies\anyuser@terra.com[1].txt
rcobb5am7
Regular Member
 
Posts: 15
Joined: January 8th, 2006, 10:47 am
Location: IL

Unread postby Linkmaster » January 10th, 2006, 7:48 pm

Reboot to Safe mode
Restart your computer and immediately begin tapping the F8 key on your keyboard.
If done right a Windows Advanced Options menu will appear.
Select the Safe Mode option and press Enter

Open Windows Explorer, locate and Delete the following files in BOLD : (if present)

C:\WINDOWS\Favorites\Search the Web.url
C:\WINDOWS\Application Data\Mozilla\Profiles\boa38\xrejd6k6.slt\cookies.txt[]
C:\My Documents\cr5@earthlink.net\Cookies\anyuser@terra.com[1].txt


Empty your Recycle bin

Try Spybot again and see if the alert shows up again.
Linkmaster
MRU Honors Grad Emeritus
 
Posts: 822
Joined: October 7th, 2005, 5:57 am
Location: Arkansas, USA

Unread postby rcobb5am7 » January 11th, 2006, 11:41 am

I followed your instructions; however, the "Search the Web.url" and "anyuser@terra.com[1].txt" files could be found during a search, but were not found by simply visually checking the paths in Windows Explorer. When I found the files using Windows Explorer and Search within it, and used the Delete key, the message said "cannot delete file. file system error (1026)".

I was able to find and delete the contents of the "cookies.txt[]" file.

So, Spybot still shows the Coolwwwsearch.aff.winshow spyware file.

I also ran ActiveScan and it found the following (again):

Incident Status Location

Adware:adware/searchaid Not disinfected C:\WINDOWS\Favorites\Search the Web.url
Spyware:Cookie/Com.com Not disinfected C:\My Documents\cr5@earthlink.net\Cookies\anyuser@terra.com[1].txt

How can these files exist, but not be found in Windows Explorer and not be able to be deleted either?
rcobb5am7
Regular Member
 
Posts: 15
Joined: January 8th, 2006, 10:47 am
Location: IL

Unread postby Linkmaster » January 11th, 2006, 11:52 am

Open My Computer
Select the View menu and click Folder Options
Select the View Tab
In the Hidden files section select Show all files
Click OK

Right-click the Recycle Bin, and then click Properties
If you use one setting for all drives, click to clear the "Do not move files to the Recycle Bin. Remove files immediately when deleted" check box, and then click OK.

Reboot to Safe mode
Restart your computer and immediately begin tapping the F8 key on your keyboard.
If done right a Windows Advanced Options menu will appear.
Select the Safe Mode option and press Enter

Open Windows Explorer, locate and Delete the following files in BOLD : (if present)

C:\WINDOWS\Favorites\Search the Web.url
C:\My Documents\cr5@earthlink.net\Cookies\anyuser@terra.com[1].txt


IMPORTANT : Right-click the Recycle Bin, and then click Properties. Click the "Do not move files to the Recycle Bin. Remove files immediately when deleted" check box, and then click OK
Linkmaster
MRU Honors Grad Emeritus
 
Posts: 822
Joined: October 7th, 2005, 5:57 am
Location: Arkansas, USA

Unread postby rcobb5am7 » January 11th, 2006, 5:47 pm

Okay, followed instructions.
Was able to find and delete the "Search the Web.url" file.

The "anyuser@terra.com[1].txt" will not be deleted! When trying to delete it, I get a message that "cannot delete file; file system error (1026)". When checking the properties of this file I find that it seems to be empty, with 0 bytes! The only way I could even find the file was by doing a Search while in Windows Explorer, searching for "anyuser@terra.com[1].txt", while on the path of C:\Windows\~earthlink.net\Cookies\. Otherwise, in the Explorer window, no such file is displayed in that specific "Cookies" folder. Yes, I did make the changes suggested, to show all files.

Upon rebooting, and running Spybot, I find no evidence of Coolwwwsearch.aff.winshow.

So thank you for your efforts to get me this far!

To complete the problem, is there anything you can suggest that will delete the "anyuser@terra.com[1].txt" file?
rcobb5am7
Regular Member
 
Posts: 15
Joined: January 8th, 2006, 10:47 am
Location: IL

Unread postby Linkmaster » January 11th, 2006, 10:25 pm

Download ATF (Atribune Temp File) Cleaner© by Atribune

Run ATF Cleaner
Double-click ATF Cleaner.exe
Under Main choose: Select All
Click the Empty Selected button.

Firefox :
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Opera :
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu

Run Panda's ActiveScan and perform a full system scan

Post a fresh HijackThis log along with a fresh Panda Scan log
Linkmaster
MRU Honors Grad Emeritus
 
Posts: 822
Joined: October 7th, 2005, 5:57 am
Location: Arkansas, USA

Unread postby rcobb5am7 » January 12th, 2006, 12:19 pm

ATF Cleaner won't run...the message is "currently unsupported" and "run-time error '76' path not found". Should this application be as small as I find it? The download was only 35 KB.

Also, the malware file CoolwwwSearch.aff.winshow is back!

A reminder: I am running Netscape 6.2, although I had to use IE to run ActiveScan since it won't run otherwise.
----------
ActiveScan log

Incident Status Location

Adware:adware/searchaid Not disinfected C:\WINDOWS\Favorites\Search the Web.url
Spyware:Cookie/Com.com Not disinfected C:\My Documents\cr5@earthlink.net\Cookies\anyuser@terra.com[1].txt

----------
HijackThis

Logfile of HijackThis v1.99.0
Scan saved at 10:14:16 AM, on 1/12/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2919.6304)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\HPBPRO.EXE
C:\WINDOWS\SYSTEM\HPBOID.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\THINKPAD\TPHKMGR.EXE
C:\WINDOWS\SYSTEM\DAEMON.EXE
C:\CFGSAFE\AUTOCHK.EXE
C:\THINKPAD\TPONSCR.EXE
C:\WINDOWS\SYSTEM\IBMBAYSN.EXE
C:\THINKPAD\TP98.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
C:\PROGRAM FILES\EARTHLINK 5.0\CONMGR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\NETSCAPE.EXE
C:\PROGRAM FILES\NETSCAPE\NETSCAPE 6\NETSCP6.EXE
C:\PROGRAM FILES\ACCESSORIES\WORDPAD.EXE
C:\PROGRAM FILES\FREERAM XP PRO 1.40.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\MY DOCUMENTS\HIJACK THIS LOGS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/m ... earch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/partner/more/m ... earch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/m ... earch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/search/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/search/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.earthlink.net/partner/more/m ... earch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://start.earthlink.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by EarthLink Network, Inc.
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [TpHotkey] C:\THINKPAD\tphkmgr.exe
O4 - HKLM\..\Run: [TrackPointSrv] daemon.exe
O4 - HKLM\..\Run: [ConfigSafe] C:\CFGSAFE\AUTOCHK.EXE
O4 - HKLM\..\Run: [IBMUltraBayHotSwapSound] c:\windows\SYSTEM\IBMBAYSN.EXE
O4 - HKLM\..\Run: [TP98UTIL] C:\THINKPAD\TP98.EXE /s
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\Run: [ConMgr.exe] "C:\PROGRAM FILES\EARTHLINK 5.0\CONMGR.EXE"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [HP Port Resolver] C:\WINDOWS\SYSTEM\hpbpro.exe
O4 - HKLM\..\RunServices: [HP Status Server] C:\WINDOWS\SYSTEM\hpboid.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [FreeRAM XP] "C:\PROGRAM FILES\FREERAM XP PRO 1.40.EXE" -win
O4 - Startup: Iomega Startup Options.lnk = C:\Tools_95\IMGSTART.EXE
O4 - User Startup: Iomega Startup Options.lnk = C:\Tools_95\IMGSTART.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
rcobb5am7
Regular Member
 
Posts: 15
Joined: January 8th, 2006, 10:47 am
Location: IL
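
Linkmaster asks for a fresh HijackThis log after every round, and the only way to see what a round changed is to compare the 1/10 and 1/12 logs above line by line. The following Python script is an added example, not code from the thread or from HijackThis: it parses two logs in the format posted here (the "Running processes:" list followed by R0/R1/O2/O4/... entries), reports entries and processes that appear in only one of them, and prints the result with +/- markers. The two sample logs are constructed from short excerpts of the thread's own logs; the O16 line was dropped from the second one by hand so that both sides of the diff are exercised.

```python
"""Added example: parse two HijackThis logs and report what changed between them."""
import re
from typing import Dict, List, Set, Tuple

# Constructed samples: short excerpts in the format of the logs posted in the
# thread. LOG_AFTER gains one R1 entry and one running process; its O16 entry
# was removed by hand so that the "removed" side of the diff is exercised too.
LOG_BEFORE = r"""Logfile of HijackThis v1.99.0
Scan saved at 11:14:39 AM, on 1/10/06
Platform: Windows 98 SE (Win9x 4.10.2222A)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\MY DOCUMENTS\HIJACK THIS LOGS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
"""

LOG_AFTER = r"""Logfile of HijackThis v1.99.0
Scan saved at 10:14:16 AM, on 1/12/06
Platform: Windows 98 SE (Win9x 4.10.2222A)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\MY DOCUMENTS\HIJACK THIS LOGS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://start.earthlink.net/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
"""

# An entry line: a section code (R0-R3, F0-F3, N1-N4, O1-O24), " - ", then the entry text.
ENTRY_RE = re.compile(r"^(?P<sec>[RFNO]\d{1,2}) - (?P<body>.+)$")

def parse_hjt(text: str) -> Tuple[Set[str], Dict[str, Set[str]]]:
    """Split a log into (running processes, {section code: set of entry texts})."""
    processes: Set[str] = set()
    entries: Dict[str, Set[str]] = {}
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False      # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            processes.add(line.lower())   # Win9x paths are case-insensitive
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.setdefault(m["sec"], set()).add(m["body"])
    return processes, entries

def _section_order(sec: str) -> Tuple[str, int]:
    """Sort key so that O4 sorts before O16 (plain string order would not)."""
    return sec[0], int(sec[1:])

def diff_hjt(before: str, after: str) -> Dict[str, List]:
    """Entries and processes that are present in only one of the two logs."""
    p_old, e_old = parse_hjt(before)
    p_new, e_new = parse_hjt(after)
    sections = sorted(set(e_old) | set(e_new), key=_section_order)
    added = [(s, e) for s in sections for e in sorted(e_new.get(s, set()) - e_old.get(s, set()))]
    removed = [(s, e) for s in sections for e in sorted(e_old.get(s, set()) - e_new.get(s, set()))]
    return {"added": added, "removed": removed,
            "new_processes": sorted(p_new - p_old), "gone_processes": sorted(p_old - p_new)}

def report(diff: Dict[str, List]) -> str:
    """Render the diff with +/- markers, ready to paste into a reply."""
    out = [f"+ {s} - {e}" for s, e in diff["added"]] + [f"- {s} - {e}" for s, e in diff["removed"]]
    out += [f"+ process {p}" for p in diff["new_processes"]] + [f"- process {p}" for p in diff["gone_processes"]]
    return "\n".join(out) if out else "(no change)"

if __name__ == "__main__":
    print(report(diff_hjt(LOG_BEFORE, LOG_AFTER)))
```

Only entries whose text changed show up, so a reinstalled tool that registers under the same command line is invisible to this diff; the process list catches a new autostart that is actually running even when its O4 line reads the same.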

Unread postby Linkmaster » January 12th, 2006, 12:46 pm

OK, my mistake on the ATF: only 2000 and XP are supported

We will get rid of this!!

What is this folder? Did you create it?
C:\My Documents\cr5@earthlink.net

Let's do this:

Download HijackThis 1.99.1© by Merijn
Put it in the same folder as your current HijackThis. Remove the older version

Run a fresh HijackThis log and post it here
Linkmaster
MRU Honors Grad Emeritus
 
Posts: 822
Joined: October 7th, 2005, 5:57 am
Location: Arkansas, USA

Unread postby rcobb5am7 » January 12th, 2006, 4:02 pm

As to what C:\My Documents\cr5@earthlink.net is... It is a file that has subfolders for Cookies (a Shell Favorite Folder), Favorites, FTP?, and mailbox. The Cookies file contains copies of all of my overall My Documents folders. As far as I can see, it is a complete, up-to-date copy of the folders/files in the My Documents directory. Not clear on its origin, but it was created in '02. Beyond that I am not sure...can only make some guesses.



Logfile of HijackThis v1.99.1
Scan saved at 1:42:59 PM, on 1/12/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2919.6304)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\HPBPRO.EXE
C:\WINDOWS\SYSTEM\HPBOID.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\THINKPAD\TPHKMGR.EXE
C:\WINDOWS\SYSTEM\DAEMON.EXE
C:\CFGSAFE\AUTOCHK.EXE
C:\WINDOWS\SYSTEM\IBMBAYSN.EXE
C:\THINKPAD\TPONSCR.EXE
C:\THINKPAD\TP98.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
C:\PROGRAM FILES\EARTHLINK 5.0\CONMGR.EXE
C:\PROGRAM FILES\FREERAM XP PRO 1.40.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\NETSCAPE\NETSCAPE 6\NETSCP6.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\NETSCAPE.EXE
C:\MY DOCUMENTS\HIJACK THIS LOGS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/m ... earch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/partner/more/m ... earch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/m ... earch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/search/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/search/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.earthlink.net/partner/more/m ... earch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://start.earthlink.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by EarthLink Network, Inc.
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [TpHotkey] C:\THINKPAD\tphkmgr.exe
O4 - HKLM\..\Run: [TrackPointSrv] daemon.exe
O4 - HKLM\..\Run: [ConfigSafe] C:\CFGSAFE\AUTOCHK.EXE
O4 - HKLM\..\Run: [IBMUltraBayHotSwapSound] c:\windows\SYSTEM\IBMBAYSN.EXE
O4 - HKLM\..\Run: [TP98UTIL] C:\THINKPAD\TP98.EXE /s
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\Run: [ConMgr.exe] "C:\PROGRAM FILES\EARTHLINK 5.0\CONMGR.EXE"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [HP Port Resolver] C:\WINDOWS\SYSTEM\hpbpro.exe
O4 - HKLM\..\RunServices: [HP Status Server] C:\WINDOWS\SYSTEM\hpboid.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [FreeRAM XP] "C:\PROGRAM FILES\FREERAM XP PRO 1.40.EXE" -win
O4 - Startup: Iomega Startup Options.lnk = C:\Tools_95\IMGSTART.EXE
O4 - User Startup: Iomega Startup Options.lnk = C:\Tools_95\IMGSTART.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
rcobb5am7
Regular Member
 
Posts: 15
Joined: January 8th, 2006, 10:47 am
Location: IL

Unread postby Linkmaster » January 12th, 2006, 9:09 pm

Your HijackThis log is clean!!

Download and Install Ad-aware SE© by Lavasoft
NOTE: If you have a previous version of Ad-Aware installed, during the installation of the new version (1.06) you will be prompted to uninstall or keep the older version - be sure to uninstall the previous version

Close ALL windows except Ad-Aware SE.

Click on the world icon at the top right of the Ad-Aware SE window and let AdAware SE update the reference list for the adware and malware.
Close Adaware SE

Reboot to Safe mode
Restart your computer and immediately begin tapping the F8 key on your keyboard.
If done right a Windows Advanced Options menu will appear.
Select the Safe Mode option and press Enter

Run CWShredder
Click I Agree, then Fix and then Next, let it fix everything it asks about

Run Ad-AwareSE

Click on the Gear icon (second from the left at the top of the window) to access the preferences/settings window:

General Button :
Safety & Settings: Check (Green) all three.

Tweak Button :
Cleaning Engine : UNcheck "Always try to unload modules before deletion"

Click Proceed

Click "Scan Now" at left

Deselect : "Search for negligible risk entries" as negligible risk entries (MRU's) are not considered to be a threat.

Select "Search for low-risk threats"

Select "Perform full system scan"

Click Next

If Ad-Aware SE finds bad entries, you will receive a list of what it found in the window

Click on Next and check all the boxes in the window

Click Next and OK to remove

Close AdawareSE

REBOOT and let me know if CoolwwwSearch.aff.winshow comes back!
Linkmaster
MRU Honors Grad Emeritus
 
Posts: 822
Joined: October 7th, 2005, 5:57 am
Location: Arkansas, USA

Unread postby rcobb5am7 » January 13th, 2006, 1:55 pm

Completed your instructions:
Coolwwwsearch.aff.winshow is again present!

By the way, I have used CWShredder for a month or two and never has it found anything.

What's next?
rcobb5am7
Regular Member
 
Posts: 15
Joined: January 8th, 2006, 10:47 am
Location: IL