COOLWWWSEARCH.AFF.WINSHOW Reloads Itself Endlessly.


Unread postby Linkmaster » January 13th, 2006, 2:46 pm

Hang in there with me!! This thing is just being a "Bugger" !!

Open Windows Explorer, locate and Delete the following folders in BOLD : (if present)

C:\WINDOWS\Favorites\Sites about

Empty your Recycle Bin

Download StartDreck© by Nikolaus Rameis
Unzip it to your desktop
Run StartDreck.exe
Click Config (it's at the bottom)
Click Unmark all
Check these boxes only:

Registry * run keys
Registry * Browser helper objects
System/drivers * Running processes


Click ok.
Reboot and post the StartDreck log here
Linkmaster
MRU Honors Grad Emeritus
 
Posts: 822
Joined: October 7th, 2005, 5:57 am
Location: Arkansas, USA

Unread postby rcobb5am7 » January 13th, 2006, 7:08 pm

"C:\WINDOWS\Favorites\Sites about " was not present.

The StartDreck log is:
StartDreck (build 2.1.7 public stable) - 2006-01-13 @ 16:40:00 (GMT -06:00)
Platform: Windows 98 SE (Win 4.10.2222 A)
Internet Explorer: 5.00.2919.6307
Logged in as Default at OEMCOMPUTER

»Registry
»Run Keys
»Current User
»Run
*FreeRAM XP="C:\PROGRAM FILES\FREERAM XP PRO 1.40.EXE" -win
»RunOnce
»Default User
»Run
*FreeRAM XP="C:\PROGRAM FILES\FREERAM XP PRO 1.40.EXE" -win
»RunOnce
»Local Machine
»Run
*ScanRegistry=c:\windows\scanregw.exe /autorun
*SystemTray=SysTray.Exe
*SoundFusion=RunDll32 cwcprops.cpl,CrystalControlWnd
*TpHotkey=C:\THINKPAD\tphkmgr.exe
*TrackPointSrv=daemon.exe
*ConfigSafe=C:\CFGSAFE\AUTOCHK.EXE
*IBMUltraBayHotSwapSound=c:\windows\SYSTEM\IBMBAYSN.EXE
*TP98UTIL=C:\THINKPAD\TP98.EXE /s
*Norton Auto-Protect=C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
*NAV DefAlert=C:\PROGRA~1\NORTON~1\DEFALERT.EXE
*Norton eMail Protect=C:\Program Files\Norton AntiVirus\POPROXY.EXE
*ConMgr.exe="C:\PROGRAM FILES\EARTHLINK 5.0\CONMGR.EXE"
»RunOnce
»RunServices
*ScriptBlocking="C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
*HP Port Resolver=C:\WINDOWS\SYSTEM\hpbpro.exe
*HP Status Server=C:\WINDOWS\SYSTEM\hpboid.exe
*SchedulingAgent=mstask.exe
*KB891711=c:\windows\SYSTEM\KB891711\KB891711.EXE
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»File Associations (CR)
+.bat
*batfile="%1" %*
+.com
*comfile="%1" %*
+.disabled
*SpybotSD.DisabledFile="C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\blindman.exe" "%1"
+.exe
*exefile="%1" %*
+.hta
*htafile=C:\WINDOWS\SYSTEM\MSHTA.EXE "%1" %*
+.htm
*NetscapeMarkup=C:\PROGRA~1\NETSCAPE\COMMUN~1\PROGRAM\NETSCAPE.EXE "%1"
+.html
*NetscapeMarkup=C:\PROGRA~1\NETSCAPE\COMMUN~1\PROGRAM\NETSCAPE.EXE "%1"
+.js
*JSFile=C:\WINDOWS\WScript.exe "%1" %*
+.jse
*JSEFile=C:\WINDOWS\WScript.exe "%1" %*
+.pif
*piffile="%1" %*
+.reg
*regfile=regedit.exe "%1"
+.scr
*scrfile="%1" /S
+.txt
*txtfile=c:\windows\NOTEPAD.EXE %1
+.vbs
*VBSFile=C:\WINDOWS\WScript.exe "%1" %*
+.vbe
*VBEFile=C:\WINDOWS\WScript.exe "%1" %*
+.wsh
*WSHFile=c:\windows\WScript.exe "%1" %*
+.wsf
*WSFFile=C:\WINDOWS\WScript.exe "%1" %*
+.lnk
`lnkfile= [key or value does not exist]
»Browser Helper Objects (LM)
*AcroIEHelper.AcroIEHlprObj.1/{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
`InprocServer32=C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
*{53707962-6F74-2D53-2644-206D7942484F}
`InprocServer32=C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
»Files
»Autostart Folders
»Current User
*C:\Start_Files_bundle\StartUp\Iomega Startup Options.lnk
»Default User
*C:\Start_Files_bundle\StartUp\Iomega Startup Options.lnk
»Local Machine
»INI-Files
»WIN.INI\[windows]
*LOAD=
*RUN=
»SYSTEM.INI\[boot]
*SHELL=Explorer.exe
»Text Files
*C:\WINDOWS\msdos.sys
*C:\msdos.sys
*C:\config.sys
*C:\autoexec.bat
*C:\WINDOWS\wininit.bak
*C:\WINDOWS\dosstart.bat
*C:\WINDOWS\hosts
»System/Drivers
»Running Processes
+FFCFACE7=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFF7B9F=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FFFF6C0F=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FFFF15C7=C:\WINDOWS\SYSTEM\mmtask.tsk
+FFFF2487=C:\WINDOWS\SYSTEM\HPBPRO.EXE
+FFFF362B=C:\WINDOWS\SYSTEM\HPBOID.EXE
+FFFEC0CF=C:\WINDOWS\SYSTEM\MSTASK.EXE
+FFFE5A7B=c:\windows\SYSTEM\KB891711\KB891711.EXE
+FFFE4E8B=C:\WINDOWS\SYSTEM\RPCSS.EXE
+FFFE606F=C:\WINDOWS\EXPLORER.EXE
+FFFD8C23=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
+FFFDA4B3=C:\WINDOWS\RUNDLL32.EXE
+FFFD52A7=C:\THINKPAD\TPHKMGR.EXE
+FFFD49B3=C:\WINDOWS\SYSTEM\DAEMON.EXE
+FFFD48B7=C:\CFGSAFE\AUTOCHK.EXE
+FFFD63F3=C:\WINDOWS\SYSTEM\IBMBAYSN.EXE
+FFFD100F=C:\THINKPAD\TPONSCR.EXE
+FFFCDE73=C:\THINKPAD\TP98.EXE
+FFFCC8AB=C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
+FFFC82FF=C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
+FFFCE7AF=C:\PROGRAM FILES\EARTHLINK 5.0\CONMGR.EXE
+FFFD2DDB=C:\PROGRAM FILES\FREERAM XP PRO 1.40.EXE
+FFFA1403=C:\WINDOWS\SYSTEM\WMIEXE.EXE
+FFF99C67=C:\PROGRAM FILES\ZIPITFAST2\ZIPITFAST.EXE
+FFF8F157=C:\WINDOWS\TEMP\ZTVA213\STARTDRECK.EXE
»NT Services
»Application specific
rcobb5am7
Regular Member
 
Posts: 15
Joined: January 8th, 2006, 10:47 am
Location: IL
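Added example, not part of the thread: a small parser for the StartDreck log layout shown above (»section, *entry=value, +subkey, `value) that does the two checks an analyst runs on such a log by hand. First it compares the shell\open\command handlers for .exe/.com/.bat/.pif/.scr against the Windows defaults, since a hijacked exefile handler makes every program launch go through the hijacker; in the log above they are all stock. Second it lists autostart entries that launch from temp or cache folders. The embedded log is a constructed excerpt; its "Updater" entry and the altered .exe handler (svhost.exe) are invented to show what a hit looks like and do not come from the poster's machine.

```python
# Constructed excerpt in the same layout as the StartDreck log above. The .exe
# handler and the "Updater" entry are altered here to show what a hijacked
# association and a temp-folder autostart look like; they are illustrative only.
SAMPLE_LOG = r"""»Registry
»Run Keys
»Current User
»Run
*FreeRAM XP="C:\PROGRAM FILES\FREERAM XP PRO 1.40.EXE" -win
»RunOnce
»Local Machine
»Run
*ScanRegistry=c:\windows\scanregw.exe /autorun
*Updater=C:\WINDOWS\TEMP\upd.exe
»RunServices
*SchedulingAgent=mstask.exe
»File Associations (CR)
+.bat
*batfile="%1" %*
+.com
*comfile="%1" %*
+.exe
*exefile=C:\WINDOWS\SYSTEM\svhost.exe "%1" %*
+.pif
*piffile="%1" %*
+.scr
*scrfile="%1" /S
+.lnk
`lnkfile= [key or value does not exist]
»Browser Helper Objects (LM)
*{53707962-6F74-2D53-2644-206D7942484F}
`InprocServer32=C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
»Files
»Autostart Folders
»Current User
*C:\Start_Files_bundle\StartUp\Iomega Startup Options.lnk
"""

# Stock shell\open\command values for the executable types hijackers retarget.
DEFAULT_HANDLERS = {
    ".exe": ("exefile", '"%1" %*'),
    ".com": ("comfile", '"%1" %*'),
    ".bat": ("batfile", '"%1" %*'),
    ".pif": ("piffile", '"%1" %*'),
    ".scr": ("scrfile", '"%1" /S'),
}

HIVES = ("Current User", "Default User", "Local Machine")


def parse_startdreck(text):
    """Return (runkeys, assocs).

    runkeys: list of (hive, key, name, command) from the »Run Keys section.
    assocs:  {extension: (progid, command)}; command is None when the log
             reports that the key or value does not exist.
    """
    runkeys, assocs = [], {}
    mode = hive = key = ext = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("»"):
            name = line[1:].strip()
            if name == "Run Keys":
                mode = "runkeys"
            elif name.startswith("File Associations"):
                mode = "assoc"
            elif name in HIVES:
                hive = name
            elif name.startswith("Run"):
                key = name                     # Run, RunOnce, RunServices, ...
            else:
                mode = None                    # BHOs, autostart folders, INI files
            continue
        marker, body = line[0], line[1:]
        if mode == "runkeys" and marker == "*":
            name, _, cmd = body.partition("=")
            runkeys.append((hive, key, name.strip(), cmd.strip()))
        elif mode == "assoc":
            if marker == "+":
                ext = body.strip().lower()
            elif marker in "*`" and ext:
                progid, _, cmd = body.partition("=")
                cmd = cmd.strip()
                if "does not exist" in cmd:
                    cmd = None
                assocs[ext] = (progid.strip(), cmd)
    return runkeys, assocs


def check_associations(assocs):
    """Flag executable extensions whose handler is missing or not the default."""
    findings = []
    for ext, (progid, expected) in DEFAULT_HANDLERS.items():
        got_progid, got_cmd = assocs.get(ext, (None, None))
        if got_progid != progid or (got_cmd or "").lower() != expected.lower():
            findings.append((ext, got_progid, got_cmd))
    return findings


SUSPECT_DIRS = ("\\temp\\", "\\temporary internet files\\", "\\recycled\\")


def check_runkeys(runkeys):
    """Flag autostart commands that launch from scratch or cache directories."""
    return [entry for entry in runkeys
            if any(d in entry[3].lower() for d in SUSPECT_DIRS)]


if __name__ == "__main__":
    runkeys, assocs = parse_startdreck(SAMPLE_LOG)
    for ext, progid, cmd in check_associations(assocs):
        print(f"association {ext}: {progid} -> {cmd!r} (expected {DEFAULT_HANDLERS[ext][1]!r})")
    for hive, key, name, cmd in check_runkeys(runkeys):
        print(f"autostart {hive}\\{key} [{name}] {cmd}")
```

Run it against a saved StartDreck log instead of SAMPLE_LOG by reading the file and passing its text to parse_startdreck. A changed exefile handler is the finding to act on first, because removing the hijacker's file before restoring the handler leaves the machine unable to start any .exe.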

Unread postby Linkmaster » January 14th, 2006, 1:00 pm

First,
If you have AVG and Norton you need to only have ONE of them running.
You can use the other as a Manual scan for backup

Second,
Open Internet Explorer
Click on Favorites
Delete Search the Web.url (or similar)
Close Internet Explorer

Open Windows Explorer, locate and Delete the following files in BOLD : (if present)

C:\WINDOWS\Favorites\Search the Web.url

Empty your Recycle Bin

Third,
Download Hoster© by funkytoad

Open up the Host program
Make sure that the "make hosts writable?" button in the upper right corner is enabled.
Click back up Host files
Click Restore original host files
Close program

Download SpywareBlaster© by Javacool Software.

Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.
Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
Restrict the actions of potentially dangerous sites in Internet Explorer.
Consumes no system resources.


Run SpywareBlaster
Click on Check for updates
Click on the "Enable All Protection" link under Quick Tasks
Exit the program
SpywareBlaster need not remain open for its protection to be active!

Let me know if it shows again !!
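Added example, not part of the thread: before overwriting a hosts file with Hoster's restore, it is worth seeing what was in it, because the entries tell you what the hijacker wanted. Blocking entries that point names at 127.0.0.1 or 0.0.0.0 are what Hoster and ad blockers write and are harmless; real outside addresses pinned to names you did not add, typically several names on the same address, are the hijack. The sample hosts file below is constructed (TEST-NET addresses, example names), not the poster's.

```python
import ipaddress

# Constructed sample hosts file, not the poster's. The last three lines show the
# pattern to look for: legitimate names pinned to an outside address.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# pinned by an ad blocker, harmless
0.0.0.0         ads.example.net
203.0.113.7     www.google.com
203.0.113.7     windowsupdate.microsoft.com   # update site redirected
198.51.100.9    www.symantec.com
"""

# Addresses that only block a name rather than redirect it.
LOCAL = {ipaddress.ip_address("127.0.0.1"),
         ipaddress.ip_address("0.0.0.0"),
         ipaddress.ip_address("::1")}


def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments, blanks and malformed lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue            # a production scanner would report the bad line
        for host in parts[1:]:
            yield ip, host.lower()


def find_hijacks(text):
    """Return [(hostname, ip)] for names mapped to a non-local address."""
    return [(host, str(ip)) for ip, host in parse_hosts(text)
            if ip not in LOCAL and not ip.is_loopback]


def group_by_address(hijacks):
    """Group redirected names by target address; many names on one address is
    the typical signature of a search/update hijack."""
    groups = {}
    for host, ip in hijacks:
        groups.setdefault(ip, []).append(host)
    return groups


if __name__ == "__main__":
    for ip, hosts in group_by_address(find_hijacks(SAMPLE_HOSTS)).items():
        print(ip, "->", ", ".join(hosts))
```

On a Windows 9x machine the file is C:\WINDOWS\hosts (with no extension), the same path StartDreck listed under »Text Files above; read it and pass the contents to find_hijacks.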

Unread postby rcobb5am7 » January 14th, 2006, 4:09 pm

I followed your instructions and also used SpyBot and found and deleted Coolwwwsearch.aff.winshow.

Didn't find C:\WINDOWS\Favorites\Search the Web.url file.

I also ran ActiveScan and the log is below. That is the apparently empty file that I'm not able to delete (not allowed)


Incident Status Location

Spyware:Cookie/Com.com Not disinfected C:\My Documents\cr5@earthlink.net\Cookies\anyuser@terra.com[1].txt

---------------------
After all this, I ran SpyBot again and didn't yet find Coolwwwsearch.aff.winshow.

So, let's see what happens in the next few days.

Thanks very much for your help.

If I need to re-engage this thread and contact you, what is the procedure?

rcobb5am7

Unread postby Linkmaster » January 14th, 2006, 4:54 pm

When this is closed a procedure for reopening will be posted!!

Here are a few tools that I recommend for protecting your system and keeping your system clean !!

Real Time Prevention
SpywareBlaster© by Javacool Software
Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.
Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
Restrict the actions of potentially dangerous sites in Internet Explorer.
Consumes no system resources.

Download, run, check for updates, download updates, select all, protect against checked. All done. Check for updates every couple of weeks. If you have any errors running the program like a missing file see the link at the bottom of the javacool page.
IESpyad© by EHowes : This will add several hundred Restricted Sites to the Restricted site zone in IE.

CCleaner© by CCleaner.com is a good app to clean out temp files, cookies, etc

Spyware Scanners:
Ad-aware SE© by Lavasoft Scans your system for spyware and other threats
a² Scanner© by Emsi Software : Scans for Malware and Trojans on your system.

Good Free Antivirus Programs:
AVG© by Grisoft
Avast© by ALWIL Software
NOTE:Remember always have just 1 antivirus program running at a time. Having more than one running causes a conflict between the programs !! You can use one as a backup to run manually

Windows Update:
It's also very important to keep your system up to date to avoid unnecessary security risks
Windows Update

Firewalls:
If you have an "always on " internet connection, such as DSL or Cable, I recommend a Firewall.
A firewall will make your pc invisible to the outside world and will filter the outgoing and incoming traffic on your pc.
For a good idea of how vulnerable your system(s) are go to GRC
Scroll down to "Shields Up" Click on "Proceed" Then click on "Common Ports"to scan your ports.
Very good Firewalls :
ZoneAlarm Firewall© by Zone Labs
Sunbelt Kerio Personal Firewall© by Sunbelt

These next steps are optional, but will provide the greatest protection
Use ANY browser besides Internet Explorer, almost every exploit is crafted to take advantage of an IE weakness.
Alternative Browsers:
FireFox© by Mozilla
Opera© by Opera Software ASA

Java Plug-in© Sun Microsystems. It's much more secure than Microsoft's Java Virtual Machine .

Always keep your Antivirus & Spyware Removal Tools current with the latest definitions and updates !!

Using these tools and keeping them updated will reduce the risk of future infections!!

Do you have any questions??

Unread postby rcobb5am7 » January 15th, 2006, 9:12 am

All of your summary sounds like excellent advice, which I will save for future use. Thanks.

Unfortunately, this morning I ran SpyBot and CoolwwwSearch.aff.winshow is present again!

Any thoughts?

rcobb5am7

Unread postby Linkmaster » January 15th, 2006, 1:31 pm

Is it located in the same Folder??

Show Hidden Files :
Open My Computer
Select the View menu and click Folder Options
Select the View Tab
In the Hidden files section select Show all files
Click OK

Reboot to Safe mode
Restart your computer and immediately begin tapping the F8 key on your keyboard.
If done right a Windows Advanced Options menu will appear.
Select the Safe Mode option and press Enter

Open Windows Explorer, locate and Delete the contents of the following folders in BOLD : (if present)

C:\My Documents\cr5@earthlink.net\Cookies
C:\WINDOWS\Favorites (removing the contents of this one will remove all your favorites)


Empty your Recycle Bin

Run CWShredder again

Run About:Buster

Reboot to Normal Mode

Run Kaspersky WebScanner

Click on Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)

Scan Options:
Scan Archives
Scan Mail Bases

Click OK

Now under select a target to scan:
Select My Computer

Then the program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop

Post a fresh HijackThis log, the Kaspersky Scan Txt and the About:Buster log here

Unread postby rcobb5am7 » January 16th, 2006, 11:12 am

Not Good!

The CoolWWWSearch.aff.winshow appeared in the same file.
Below are the logs you requested. I edited the Kaspersky Scan log due to its overall length and repetition of the Bayfraud trojan.
-------------------------------------------------------------------

Logfile of HijackThis v1.99.0
Scan saved at 8:50:14 AM, on 1/16/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2919.6304)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\HPBPRO.EXE
C:\WINDOWS\SYSTEM\HPBOID.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\THINKPAD\TPHKMGR.EXE
C:\WINDOWS\SYSTEM\DAEMON.EXE
C:\CFGSAFE\AUTOCHK.EXE
C:\WINDOWS\SYSTEM\IBMBAYSN.EXE
C:\THINKPAD\TPONSCR.EXE
C:\THINKPAD\TP98.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
C:\PROGRAM FILES\EARTHLINK 5.0\CONMGR.EXE
C:\PROGRAM FILES\FREERAM XP PRO 1.40.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\PROGRAM FILES\NETSCAPE\NETSCAPE 6\NETSCP6.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\NETSCAPE.EXE
C:\PROGRAM FILES\ZIPITFAST2\ZIPITFAST.EXE
C:\WINDOWS\TEMP\ZTV1153\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/m ... earch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/partner/more/m ... earch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/m ... earch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/search/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/search/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.earthlink.net/partner/more/m ... earch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://start.earthlink.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by EarthLink Network, Inc.
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [TpHotkey] C:\THINKPAD\tphkmgr.exe
O4 - HKLM\..\Run: [TrackPointSrv] daemon.exe
O4 - HKLM\..\Run: [ConfigSafe] C:\CFGSAFE\AUTOCHK.EXE
O4 - HKLM\..\Run: [IBMUltraBayHotSwapSound] c:\windows\SYSTEM\IBMBAYSN.EXE
O4 - HKLM\..\Run: [TP98UTIL] C:\THINKPAD\TP98.EXE /s
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\Run: [ConMgr.exe] "C:\PROGRAM FILES\EARTHLINK 5.0\CONMGR.EXE"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [HP Port Resolver] C:\WINDOWS\SYSTEM\hpbpro.exe
O4 - HKLM\..\RunServices: [HP Status Server] C:\WINDOWS\SYSTEM\hpboid.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [FreeRAM XP] "C:\PROGRAM FILES\FREERAM XP PRO 1.40.EXE" -win
O4 - Startup: Iomega Startup Options.lnk = C:\Tools_95\IMGSTART.EXE
O4 - User Startup: Iomega Startup Options.lnk = C:\Tools_95\IMGSTART.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/ ... n_ansi.cab

------------------------------------



-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Monday, January 16, 2006 07:19:42
Operating System: Microsoft Windows 98 SE
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 15/01/2006
Kaspersky Anti-Virus database records: 171499
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
a:\
c:\
d:\
e:\

Scan Statistics:
Total number of scanned objects: 34521
Number of viruses found: 5
Number of infected objects: 90
Number of suspicious objects: 0
Duration of the scan process: 10729 sec

Infected Object Name - Virus Name
c:\WINDOWS\Application Data\Mozilla\Profiles\rcobb\pfxv9t06.slt\Mail\mail\Ebay/[From... Infected: Trojan-Spy.HTML.Bayfraud.ib
c:\WINDOWS\Application Data\Mozilla\Profiles\rcobb\pfxv9t06.slt\Mail\mail\Ebay/[From... Infected: Trojan-Spy.HTML.Bayfraud.ib
c:\WINDOWS\Application Data\Mozilla\Profiles\rcobb\pfxv9t06.slt\Mail\mail\Ebay/[From... Infected: Trojan-Spy.HTML.Bayfraud.ib
c:\WINDOWS\Application Data\Mozilla\Profiles\rcobb\pfxv9t06.slt\Mail\mail\Ebay/[From... Infected: Trojan-Spy.HTML.Bayfraud.ib
c:\WINDOWS\Application Data\Mozilla\Profiles\rcobb\pfxv9t06.slt\Mail\mail\Ebay/[From... Infected: Trojan-Spy.HTML.Bayfraud.ib
c:\WINDOWS\Application Data\Mozilla\Profiles\rcobb\pfxv9t06.slt\Mail\mail\Ebay/[From... Infected: Trojan-Spy.HTML.Bayfraud.ib
c:\WINDOWS\Application Data\Mozilla\Profiles\rcobb\pfxv9t06.slt\Mail\mail\Ebay/[From... Infected: Trojan-Spy.HTML.Bayfraud.ib
c:\WINDOWS\Application Data\Mozilla\Profiles\rcobb\pfxv9t06.slt\Mail\mail\Ebay/[From... Infected: Trojan-Spy.HTML.Bayfraud.ib
c:\WINDOWS\Application Data\Mozilla\Profiles\rcobb\pfxv9t06.slt\Mail\mail\Ebay/[From... Infected: Trojan-Spy.HTML.Bayfraud.ib
c:\WINDOWS\Application Data\Mozilla\Profiles\rcobb\pfxv9t06.slt\Mail\mail\Ebay/[From... Infected: Trojan-Spy.HTML.Bayfraud.ib
c:\WINDOWS\Application Data\Mozilla\Profiles\rcobb\pfxv9t06.slt\Mail\mail\Ebay/[From... Infected: Trojan-Spy.HTML.Bayfraud.ib
c:\WINDOWS\Application Data\Mozilla\Profiles\rcobb\pfxv9t06.slt\Mail\mail\Ebay/[From... Infected: Trojan-Spy.HTML.Bayfraud.ib
c:\WINDOWS\Application Data\Mozilla\Profiles\rcobb\pfxv9t06.slt\Mail\mail\Ebay/[From... Infected: Trojan-Spy.HTML.Bayfraud.ib
c:\WINDOWS\Application Data\Mozilla\Profiles\rcobb\pfxv9t06.slt\Mail\mail\Ebay/[From... Infected: Trojan-Spy.HTML.Bayfraud.ib
.
.
.
c:\WINDOWS\Application Data\Mozilla\Profiles\rcobb\pfxv9t06.slt\Mail\mail\Ebay/[From "caroline kehne" <ckehne@accglobal.net>][Date Wed, 21 Apr 1999 17:43:38 -0400]/UNNAMED/[From "MGFISH" <mgfish@comcast.net>][Date Wed, 15 Dec 2004 10:52:47 -0500]/UNNAMED Infected: Trojan-Spy.HTML.Bayfraud.ib
c:\WINDOWS\Application Data\Mozilla\Profiles\rcobb\pfxv9t06.slt\Mail\mail\Ebay/[From "caroline kehne" <ckehne@accglobal.net>][Date Wed, 21 Apr 1999 17:43:38 -0400]/UNNAMED Infected: Trojan-Spy.HTML.Bayfraud.ib
c:\WINDOWS\Application Data\Mozilla\Profiles\rcobb\pfxv9t06.slt\Mail\mail\Ebay Infected: Trojan-Spy.HTML.Bayfraud.ib
c:\Program Files\Norton AntiVirus\Quarantine\09A22B91.exe Infected: not-a-virus:AdWare.Win32.JumpGate.a
c:\Program Files\Norton AntiVirus\Quarantine\0C1528DF.exe Infected: not-a-virus:AdWare.Win32.JumpGate.a
c:\Program Files\Norton AntiVirus\Norton AntiVirus\Quarantine\2C024774.pif Infected: Email-Worm.Win32.Magistr.b
c:\Program Files\Norton AntiVirus\Norton AntiVirus\Quarantine\6B2776A8 Infected: Net-Worm.Win32.Nimda
c:\My Download Files\zipset2.exe/data Infected: not-a-virus:AdWare.Win32.ShowBehind.a
c:\My Download Files\zipset2.exe Infected: not-a-virus:AdWare.Win32.ShowBehind.a
---------------------------------------



AboutBuster 6.0
Scan started on [1/15/06] at [4:39:37 PM]
-------------------------------------------------------------
Internet Explorer Instances Terminated!
HomeSearch Service stopped if present
-------------------------------------------------------------
Streams(ADS) not scanned: System not NTFS
-------------------------------------------------------------
No Files Found!
-------------------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 4:39:51 PM

-------------------------

Unread postby Linkmaster » January 16th, 2006, 11:55 am

What file ?? The favorites folder??

In the Kaspersky scan are all the infections in the same folder ?? (Ebay) ??
Did you answer any of those emails with any Personal information??

Reboot to Safe mode
Restart your computer and immediately begin tapping the F8 key on your keyboard.
If done right a Windows Advanced Options menu will appear.
Select the Safe Mode option and press Enter

Open Windows Explorer, locate and Delete the following Files or Folders in BOLD : (if present)

c:\WINDOWS\Application Data\Mozilla\Profiles\rcobb\pfxv9t06.slt\Mail\mail\Ebay <the entire ebay folder
C:\My Download Files\zipset2.exe

With Windows Explorer still open, locate, highlight, and Delete the contents of the following Folders in BOLD : (if present)

C:\My Documents\cr5@earthlink.net\Cookies
C:\WINDOWS\Favorites (removing the contents of this one will remove all your favorites)

Empty your Recycle Bin

Empty the Norton Quarantine folder as well

Unread postby rcobb5am7 » January 16th, 2006, 10:11 pm

What file ?? The favorites folder??
------Yes, The C:\Windows\Favorites\Search the Web.url

In the Kaspersky scan are all the infections in the same folder ?? (Ebay) ??
------No, the last few infections are elsewhere: Download Files and Norton Quarantine.

Did you answer any of those emails with any Personal information??
------I doubt it...I'm pretty careful.

Reboot to Safe mode
Restart your computer and immediately begin tapping the F8 key on your keyboard.
If done right a Windows Advanced Options menu will appear.
Select the Safe Mode option and press Enter
--------FYI, my system doesn't go to Safe Mode by using F8...I have to hold down CTRL key steadily.


Open Windows Explorer, locate and Delete the following Files or Folders in BOLD : (if present)

c:\WINDOWS\Application Data\Mozilla\Profiles\rcobb\pfxv9t06.slt\Mail\mail\Ebay <the entire ebay folder
C:\My Download Files\zipset2.exe
-----Done.

With Windows Explorer still open, locate, highlight, and Delete the contents of the following Folders in BOLD : (if present)

C:\My Documents\cr5@earthlink.net\Cookies
C:\WINDOWS\Favorites (removing the contents of this one will remove all your favorites)

--------These were deleted in yesterday's go-round.

Empty your Recycle Bin

Empty the Norton Quarantine folder as well
------Both Done.

As far I can see, we accomplished a lot, as shown below...but I just ran SpyBot and this turned up once again: CoolWWWSearch.Aff.Winshow: Bad Favorite (File, nothing done) C:\WINDOWS\Favorites\Search the Web.url

I had fixed (deleted) at least once today, right before I followed all your instructions.

Any ideas about what is going on?
---------------
Logfile of HijackThis v1.99.1
Scan saved at 7:47:16 PM, on 1/16/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2919.6304)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\HPBPRO.EXE
C:\WINDOWS\SYSTEM\HPBOID.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\THINKPAD\TPHKMGR.EXE
C:\WINDOWS\SYSTEM\DAEMON.EXE
C:\CFGSAFE\AUTOCHK.EXE
C:\THINKPAD\TPONSCR.EXE
C:\WINDOWS\SYSTEM\IBMBAYSN.EXE
C:\THINKPAD\TP98.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
C:\PROGRAM FILES\EARTHLINK 5.0\CONMGR.EXE
C:\PROGRAM FILES\FREERAM XP PRO 1.40.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\NETSCAPE\NETSCAPE 6\NETSCP6.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\ZIPITFAST2\ZIPITFAST.EXE
C:\MY DOCUMENTS\HIJACK THIS LOGS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/m ... earch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/partner/more/m ... earch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/m ... earch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/search/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/search/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.earthlink.net/partner/more/m ... earch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by EarthLink Network, Inc.
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [TpHotkey] C:\THINKPAD\tphkmgr.exe
O4 - HKLM\..\Run: [TrackPointSrv] daemon.exe
O4 - HKLM\..\Run: [ConfigSafe] C:\CFGSAFE\AUTOCHK.EXE
O4 - HKLM\..\Run: [IBMUltraBayHotSwapSound] c:\windows\SYSTEM\IBMBAYSN.EXE
O4 - HKLM\..\Run: [TP98UTIL] C:\THINKPAD\TP98.EXE /s
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\Run: [ConMgr.exe] "C:\PROGRAM FILES\EARTHLINK 5.0\CONMGR.EXE"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [HP Port Resolver] C:\WINDOWS\SYSTEM\hpbpro.exe
O4 - HKLM\..\RunServices: [HP Status Server] C:\WINDOWS\SYSTEM\hpboid.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [FreeRAM XP] "C:\PROGRAM FILES\FREERAM XP PRO 1.40.EXE" -win
O4 - Startup: Iomega Startup Options.lnk = C:\Tools_95\IMGSTART.EXE
O4 - User Startup: Iomega Startup Options.lnk = C:\Tools_95\IMGSTART.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/ ... n_ansi.cab

----------

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Monday, January 16, 2006 19:46:39
Operating System: Microsoft Windows 98 SE
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 16/01/2006
Kaspersky Anti-Virus database records: 171540
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
a:\
c:\
d:\
e:\

Scan Statistics:
Total number of scanned objects: 37101
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 7675 sec
No malware has been detected. The sections that have been scanned are CLEAN.

Scan process completed.

-----------------------------

AboutBuster 6.0
Scan started on [1/16/06] at [7:52:21 PM]
-------------------------------------------------------------
Internet Explorer Instances Terminated!
HomeSearch Service stopped if present
-------------------------------------------------------------
Streams(ADS) not scanned: System not NTFS
-------------------------------------------------------------
No Files Found!
-------------------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 7:53:30 PM

----------------
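Added example, not part of the thread: the two HijackThis logs in this post and the previous one are nearly identical, and the useful question is exactly what changed between them (here, for instance, IEXPLORE.EXE is now running and HijackThis itself moved from C:\WINDOWS\TEMP to My Documents). Eyeballing two 80-line logs misses things, so the script below parses the HijackThis layout (the "Running processes:" block, then the R0/R1/O2/O4/... lines) and diffs two logs. The two embedded logs are constructed, shortened versions in the same layout; the "Loader" O4 entry and C:\WINDOWS\TEMP\LOADER.EXE process in the second one are invented to show what a diff surfaces and are not from the poster's logs.

```python
import re

# Constructed, shortened logs in the HijackThis layout used in the thread. The
# "Loader" entry and LOADER.EXE process in LOG_AFTER are invented for illustration.
LOG_BEFORE = r"""Logfile of HijackThis v1.99.0
Scan saved at 8:50:14 AM, on 1/16/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2919.6304)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TEMP\ZTV1153\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
"""

LOG_AFTER = r"""Logfile of HijackThis v1.99.1
Scan saved at 7:47:16 PM, on 1/16/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2919.6304)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\TEMP\LOADER.EXE
C:\MY DOCUMENTS\HIJACK THIS LOGS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [Loader] C:\WINDOWS\TEMP\LOADER.EXE
"""

# "R0 - ...", "O4 - ...", "O16 - ..." entry lines.
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")

# The scanner's own process path changes every run and is never a finding.
VOLATILE = ("hijackthis.exe",)


def parse_hjt(text):
    """Return (processes, entries): lowercase process paths and (kind, body) tuples."""
    processes, entries = set(), set()
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:
                in_procs = False          # blank line ends the process block
            else:
                processes.add(line.lower())
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.add((m.group("kind"), m.group("body")))
    return processes, entries


def diff_hjt(before, after):
    """Return what appeared and disappeared between two logs, ignoring VOLATILE."""
    p0, e0 = parse_hjt(before)
    p1, e1 = parse_hjt(after)

    def stable(procs):
        return {p for p in procs if not any(v in p for v in VOLATILE)}

    return {
        "processes_new": sorted(stable(p1) - stable(p0)),
        "processes_gone": sorted(stable(p0) - stable(p1)),
        "entries_new": sorted(e1 - e0),
        "entries_gone": sorted(e0 - e1),
    }


if __name__ == "__main__":
    for label, items in diff_hjt(LOG_BEFORE, LOG_AFTER).items():
        for item in items:
            print(f"{label}: {item}")
```

Pass the saved logs to diff_hjt by reading them from disk. New O4 entries pointing into C:\WINDOWS\TEMP, or a new process without a matching autostart entry, are the items to chase; the version bump in the "Logfile of HijackThis" header is deliberately ignored.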

Unread postby Linkmaster » January 17th, 2006, 8:26 am

Your log is clean!!

Empty your favorites from Netscape!!

Empty All of your Temporary Internet files !!

Does the CoolWWWSearch.Aff.Winshow cause popups??

Go into C:\Windows\Favorites
Right click on Search the Web.url
Select rename and rename it to Search the Web.old

Go into Spybot, recovery and delete the previous found items there.

Unread postby rcobb5am7 » January 18th, 2006, 8:00 am

Linkmaster,
I followed most of your directions, but have an idea I'm working on...
Will return within 24 hours.
Thanks.
rcobb5am7

Unread postby rcobb5am7 » January 19th, 2006, 10:04 am

Hello Linkmaster,

I think I am finally rid of the CoolWWWSearch.aff.winshow!

The Kaspersky WebScanner log is clean, as are several SpyBot scans done over the past day..

Eventually I noted a pattern that SpyBot would pick up a reloaded Coolwwwsearch file each time after I would go online. Apparently my Earthlink dial up network had become corrupted and would load the Coolwwwsearch file each time I would load my dial up connection.

So, I cleaned-up and deleted a lot of related files and reloaded the Earthlink software. I have used it under varied circumstances during the past 1/2 day and have seen no new evidence of CoolWWWSearch's presence! I only hope it remains this way.

Thank you so much for seeing me through this process...we jointly were able to detect and remove numerous negative items from my computer. Your help was invaluable!

I can begin living a normal life again...

Be well.
rcobb5am7
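Added example, not part of the thread: the poster found the cause by noticing a pattern, that the shortcut came back each time the dial-up connection was started. That correlation is the general technique for any artifact that scanners remove but something keeps re-creating: record exactly when it reappears and line the timestamps up with what the machine was doing. The poller below does that for a folder and a set of file names (the two Favorites artifacts named in this thread). It is a generic Python 3 script for any machine you can run Python on, not something that runs on the Windows 98 system in the thread, and the sleep hook is injectable so the demo() self-check can stand in for the re-creating process.

```python
import os
import time
from pathlib import Path

# The artifacts named in this thread, compared case-insensitively.
WATCHED = {"search the web.url", "sites about"}


def snapshot(folder):
    """Map lowercase entry name -> mtime for everything directly under folder."""
    return {p.name.lower(): p.stat().st_mtime for p in Path(folder).iterdir()}


def changes(old, new):
    """Return (created, modified, deleted) name sets between two snapshots."""
    created = set(new) - set(old)
    deleted = set(old) - set(new)
    modified = {n for n in set(old) & set(new) if new[n] != old[n]}
    return created, modified, deleted


def watch(folder, interval=2.0, rounds=None, clock=time.time,
          sleep=time.sleep, log=print):
    """Poll folder and log each (re)appearance of a watched artifact with a
    timestamp so it can be lined up against what you were doing (dialling in,
    opening the browser, ...). Returns the [(timestamp, name)] events seen.
    rounds=None polls until interrupted."""
    events = []
    prev = snapshot(folder)
    done = 0
    while rounds is None or done < rounds:
        sleep(interval)
        cur = snapshot(folder)
        created, modified, _ = changes(prev, cur)
        for name in sorted((created | modified) & WATCHED):
            stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(clock()))
            events.append((stamp, name))
            verb = "reappeared" if name in created else "rewritten"
            log(f"{stamp}  {name} {verb} in {folder}")
        prev = cur
        done += 1
    return events


def demo():
    """Self-check in a temporary folder: the injected sleep plays the role of
    the process that re-creates the shortcut between two polls."""
    import tempfile
    folder = tempfile.mkdtemp()
    artifact = os.path.join(folder, "Search the Web.url")

    def plant(_seconds):
        open(artifact, "w").close()

    events = watch(folder, rounds=1, sleep=plant, log=lambda msg: None)
    return [name for _, name in events]


if __name__ == "__main__":
    print(demo())
```

For real use call watch() on the Favorites folder with the default sleep and leave it running while you reproduce the suspected trigger; the first timestamp that lands right after connecting is the process to look at.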

Unread postby Linkmaster » January 19th, 2006, 10:57 am

You are very welcome !!

I'm glad it is resolved !!

You be well also !!

Unread postby NonSuch » January 20th, 2006, 6:32 pm

Glad we could be of assistance.

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
NonSuch
Administrator
 
Posts: 27301
Joined: February 23rd, 2005, 7:08 am
Location: California