Hi guys,
I have the CoolWebSearch Trojan, 100% positive. I've used all updated Ad-Aware, MS AntiSpyware and Spybot S&D.
They've all found something related to CWS, and it deletes it all, but after reboot, it's all back... I think it's
due to a file called se.dll in Local Settings/Temp/. I've also used two other scanners specifically made for
CWS, called CWShredder and HS Remove. They both find files to do with CWS. I remove all the stuff it finds, then I open IE to see if that stupid search page is still there; my Google is back, but MS AntiSpyware says that se.dll is trying to change my homepage to the about:blank garbage. I know someone will say boot into Safe Mode and do something or other, but sorry, I can't, lol. My PS/2 ports are broken, NO CLUE WHY!! lmfao. And so anyway, just because I love all you techies so much, here's my HJT log:
Code:
Logfile of HijackThis v1.99.1
Scan saved at 3:10:04 PM, on 05/27/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
D:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
D:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
D:\WINDOWS\SYSTEM32\notepad.exe
C:\Program Files\Xfire\Xfire.exe
D:\WINDOWS\System32\rundll32.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Documents and Settings\Jeff\Local Settings\Temporary Internet Files\Content.IE5\E5HYRU1G\avg70free_322a531[1].exe
D:\DOCUME~1\Jeff\LOCALS~1\Temp\RarSFX1\avgsetup.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServAlert.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\Program Files\Grisoft\AVG Free\avgemc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServAlert.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\DOCUME~1\Jeff\LOCALS~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\DOCUME~1\Jeff\LOCALS~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {71595DB4-139A-41FA-BFBA-24AEF16BA504} - D:\WINDOWS\System32\enef.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
O2 - BHO: CoTGT_BHO Class - {C333CF63-767F-4831-94AC-E683D962C63C} - D:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Zone Labs Client] D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [sp] rundll32 D:\DOCUME~1\Jeff\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [STYLEXP] D:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE
O8 - Extra context menu item: &Google Search - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://D:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://D:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://D:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://D:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\WINDOWS\System32\shdocvw.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab27513.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O18 - Filter: text/html - {F278EB08-1269-4E3F-918C-8E4D75393E24} - D:\WINDOWS\System32\enef.dll
O18 - Filter: text/plain - {F278EB08-1269-4E3F-918C-8E4D75393E24} - D:\WINDOWS\System32\enef.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - D:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: StyleXPService - Unknown owner - D:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - D:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
So yeah, I've had this lil bugger for about 5 days now, and I absolutely hate it, lol. So I await your suggestions. Thanks guys
BTW!
I had just installed AVG before I scanned with AVG so...
DOUBLE BTW!
AVG found Trojan startpage.19.j in the first 20 files..... I'd better close IE lol
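Added example, not part of the original post and not HijackThis's own logic: a small Python triage script that runs a few heuristics over lines copied from the HJT log above (the sample log is constructed from those lines plus two benign entries), then cross-references every file named in a high-severity hit against the whole log. It shows why removing one entry at a time does not stick here: se.dll is referenced both by the R1 search settings and by the O4 Run key that reloads it via rundll32, and enef.dll is both an unnamed BHO (O2) and a text/html MIME filter (O18). The rule names, severities and regexes are assumptions written for this example, not a published rule set.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: lines copied from the HijackThis log in the post above,
# plus one benign O4 and one benign O23 entry so the rules have something to skip.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\DOCUME~1\Jeff\LOCALS~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {71595DB4-139A-41FA-BFBA-24AEF16BA504} - D:\WINDOWS\System32\enef.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [sp] rundll32 D:\DOCUME~1\Jeff\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O18 - Filter: text/html - {F278EB08-1269-4E3F-918C-8E4D75393E24} - D:\WINDOWS\System32\enef.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
""".strip()


@dataclass(frozen=True)
class Finding:
    lineno: int      # 1-based line within the log text
    section: str     # HijackThis section code, e.g. "O4"
    rule: str        # which heuristic fired (names are this example's own)
    severity: str    # "high" or "review"
    text: str        # the raw log line


# Hypothetical heuristics for this example; they encode what the log above shows.
_HJT_LINE = re.compile(r"^(R[0-3]|O\d{1,2}|F\d) - (.*)$")
_TEMP_DIR = re.compile(r"\\(?:locals~1\\)?temp\\", re.IGNORECASE)   # code living in a user Temp dir
_RES_URL = re.compile(r"res://", re.IGNORECASE)                       # IE setting pointing into a DLL resource
_DLL_OR_EXE = re.compile(r"([\w~$-]+\.(?:dll|exe))", re.IGNORECASE)  # bare file names in a line


def _classify(section: str, body: str) -> List[Tuple[str, str]]:
    hits: List[Tuple[str, str]] = []
    if _TEMP_DIR.search(body):
        hits.append(("code_in_temp_dir", "high"))
    if section in ("R0", "R1") and _RES_URL.search(body):
        hits.append(("ie_setting_points_into_dll", "high"))
    # about:blank as a *search* setting is the classic CWS marker; as Start Page it can be legitimate.
    if section in ("R0", "R1") and body.rstrip().endswith("= about:blank") and "Start Page" not in body:
        hits.append(("search_setting_blanked", "review"))
    if section == "O1":
        hits.append(("hosts_override", "review"))
    if section == "O2" and "(no name)" in body:
        hits.append(("unnamed_bho", "review"))   # benign BHOs can be unnamed too, so review, not high
    if section == "O18" and re.search(r"Filter: text/(html|plain)", body):
        hits.append(("mime_filter_hook", "high"))  # a filter DLL sees every HTML/plain page IE renders
    return hits


def triage(log_text: str) -> List[Finding]:
    """Run the heuristics over every R/O/F line; process-list and header lines are ignored."""
    findings: List[Finding] = []
    for n, raw in enumerate(log_text.splitlines(), 1):
        m = _HJT_LINE.match(raw.strip())
        if not m:
            continue
        section, body = m.group(1), m.group(2)
        for rule, sev in _classify(section, body):
            findings.append(Finding(n, section, rule, sev, raw.strip()))
    return findings


def related_entries(log_text: str, findings: List[Finding]) -> Dict[str, List[int]]:
    """For every DLL/EXE named in a high-severity finding, list every log line that
    mentions the same file name (plain substring match), so all of its hooks are
    removed together rather than one Run key at a time."""
    names = set()
    for f in findings:
        if f.severity == "high":
            names.update(x.lower() for x in _DLL_OR_EXE.findall(f.text))
    out: Dict[str, List[int]] = {}
    for n, raw in enumerate(log_text.splitlines(), 1):
        for name in names:
            if name in raw.lower():
                out.setdefault(name, []).append(n)
    return out


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"line {f.lineno:2d} [{f.severity:6s}] {f.rule:28s} {f.text}")
    for name, lines in related_entries(SAMPLE_LOG, found).items():
        print(f"{name}: also referenced on lines {lines}")
```

Running it against a full log works the same way; the process list at the top of an HJT log (the D:\WINDOWS\... lines) simply does not match the section regex and is skipped. The substring match in related_entries is deliberately loose so that a short name such as se.dll is caught in both the res:// URL and the rundll32 command line.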