#1  
Old 01-April-2004, 03:39
lakingsfan
Guest
 
Posts: n/a
Unhappy CoolWWW

I am so frustrated. I have Windows ME. I came home after my wife was online looking at whatever only to find our homepage has been changed to www.your-info.com or something of that sort. So I freak out and download Spy Sweeper and it keeps finding CoolWWW with 2 traces. I am able to delete it, then after I reboot or click on my Windows Media icon it goes back to the home page again and changes it to that search site. Rinse, repeat, reboot, same thing happens.

What do I do??? Do I need a spyware remover or virus program to remove this? Neither seems to work, unless there is something else I am missing.

Also, I just noticed it added 3 web sites to my favorites that neither I nor my wife put on.
  #2  
Old 01-April-2004, 04:03
lakingsfan
Guest
 
Posts: n/a
Default

Update with perhaps better info. The exact site it keeps putting on my start page is: http://www.your-search.info/start.html

And it just did it again!!!! When I reset!! I have used the Trend virus scan which came up with nothing. It also adds a Free Strip Poker, Sex Drugs - Free, & Weight Loss! New favorites.

Any ideas of how I can get rid of this exact file? I read about others but seemed different.

Also, is all this is doing re-directing my home page, or should I be worried about other things? Spy Sweeper only finds these CoolWWW with 2 traces. Adaware6 seems to find 14 of these and here is the log:


Started deep registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainSearch Page.your-search.info

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "http://www.your-search.info/search.html"
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Main
Value : Search Page
Data : "http://www.your-search.info/search.html"

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainDefault_Search_URL.your-search.info

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "http://www.your-search.info/search.html"
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Main
Value : Default_Search_URL
Data : "http://www.your-search.info/search.html"

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainDefault_Page_URL.your-search.info

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "http://www.your-search.info/start.html"
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Main
Value : Default_Page_URL
Data : "http://www.your-search.info/start.html"

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\SearchSearchAssistant.your-search.info

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "http://www.your-search.info/search.html"
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Search
Value : SearchAssistant
Data : "http://www.your-search.info/search.html"

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\SearchCustomizeSearch.your-search.info

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "http://www.your-search.info/search.html"
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Search
Value : CustomizeSearch
Data : "http://www.your-search.info/search.html"

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainSearch Page.your-search.info

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "http://www.your-search.info/search.html"
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet Explorer\Main
Value : Search Page
Data : "http://www.your-search.info/search.html"

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainSearch Bar.your-search.info

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "http://www.your-search.info/search.html"
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet Explorer\Main
Value : Search Bar
Data : "http://www.your-search.info/search.html"

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\SearchSearchAssistant.your-search.info

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "http://www.your-search.info/search.html"
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet Explorer\Search
Value : SearchAssistant
Data : "http://www.your-search.info/search.html"

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\SearchCustomizeSearch.your-search.info

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "http://www.your-search.info/search.html"
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet Explorer\Search
Value : CustomizeSearch
Data : "http://www.your-search.info/search.html"

Possible browser hijack attempt : .Default\Software\Microsoft\Internet Explorer\MainSearch Page.your-search.info

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "http://www.your-search.info/search.html"
Rootkey : HKEY_USERS
Object : .Default\Software\Microsoft\Internet Explorer\Main
Value : Search Page
Data : "http://www.your-search.info/search.html"

Possible browser hijack attempt : .Default\Software\Microsoft\Internet Explorer\MainDefault_Search_URL.your-search.info

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "http://www.your-search.info/search.html"
Rootkey : HKEY_USERS
Object : .Default\Software\Microsoft\Internet Explorer\Main
Value : Default_Search_URL
Data : "http://www.your-search.info/search.html"

Possible browser hijack attempt : .Default\Software\Microsoft\Internet Explorer\MainDefault_Page_URL.your-search.info

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "http://www.your-search.info/start.html"
Rootkey : HKEY_USERS
Object : .Default\Software\Microsoft\Internet Explorer\Main
Value : Default_Page_URL
Data : "http://www.your-search.info/start.html"

Possible browser hijack attempt : .Default\Software\Microsoft\Internet Explorer\SearchSearchAssistant.your-search.info

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "http://www.your-search.info/search.html"
Rootkey : HKEY_USERS
Object : .Default\Software\Microsoft\Internet Explorer\Search
Value : SearchAssistant
Data : "http://www.your-search.info/search.html"

Possible browser hijack attempt : .Default\Software\Microsoft\Internet Explorer\SearchCustomizeSearch.your-search.info

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "http://www.your-search.info/search.html"
Rootkey : HKEY_USERS
Object : .Default\Software\Microsoft\Internet Explorer\Search
Value : CustomizeSearch
Data : "http://www.your-search.info/search.html"
  #3  
Old 01-April-2004, 04:41
lakingsfan
Guest
 
Posts: n/a
Default

One last idea. I checked my Add/Remove and all looks normal to me except I seem to have two Microsoft.net frameworks, one says 1.1 and the other says 1.0.31**. I thought I only had one of those before. I am afraid to remove since not sure what either does.
  #4  
Old 01-April-2004, 08:02
Pentyl
Guest
 
Posts: n/a
Default

Hi LAKF!

You can change the registry settings that Adaware found. (START - Run - Type "regedit", make appropriate changes. Make back up copy first!!)

BUT! Something made those changes in the first place and you need to make sure it's not still there. Run your anti virus. And DL and try A2 by Emisoft

You need to find the source. But it could be the case that some of the settings direct you to a homepage that makes the changes. In that case you need to check your security settings.

Finally, Colorado will win.
  #5  
Old 01-April-2004, 19:46
aquarius
Guest
 
Posts: n/a
Default Cool WWW

I am not too PC literate but just helped a friend out who managed to get some spyware installed on her system.
The first thing we did was look in her Start up programs under START, RUN, MSCONFIG. We found out what each of them did by using the following website: http://www.sysinfo.org/startuplist.php. Many of the list on her Start Up programs were kosher but quite a few were spyware.
We unticked them under the Start Up list. We then ran the Lavasoft program which highlighted several more. Finally, she is spyware free.
It could be that your spyware keeps coming back because it is set to run as a Start Up program.
  #6  
Old 01-April-2004, 20:32
Zer02004
Guest
 
Posts: n/a
Default

Download this and this and extract the archives to a folder.

Update and run CWSHredder and fix anything that it finds. Reboot and run it again until it gives the all clear.

Now install, update and run Spybot S&D. Fix anything that it finds, reboot and run again. Repeat this until it's all clear.

Now run HiJack This! and post a log file here.

If you've made any registry changes by hand and you find that you can't access the internet, run the LSP fix.
CoolWWW or at least some of its variants cannot really be removed manually unless you absolutely know what you are doing.
  #7  
Old 01-April-2004, 21:29
lakingsfan
Guest
 
Posts: n/a
Default

What is CWSHredder? I have the other ones downloaded now, but can't find CWSHredder.
  #8  
Old 01-April-2004, 21:50
Zer02004
Guest
 
Posts: n/a
Default

CWShredder is probably the only trusted method of removing coolwebsearch and its variants. It's in the file that I pointed to.
  #9  
Old 01-April-2004, 21:52
lakingsfan
Guest
 
Posts: n/a
Default

nevermind, I found it..

Last edited by lakingsfan; 01-April-2004 at 21:58.
  #10  
Old 01-April-2004, 22:03
lakingsfan
Guest
 
Posts: n/a
Default

I ran the CWShredder. It found nothing. Ran Spybot and adaware and it still finds coolwww and my homepage still directs to the search site.

I have rebooted many times and the same thing.
  #11  
Old 01-April-2004, 22:09
Zer02004
Guest
 
Posts: n/a
Default

Are you electing to clean anything that they find and have you updated both?



And the HJT! logfile?

Don't forget to uncheck "Automatically parse URLs" and to check "Disable Smilies in This Post" when posting your log.
  #12  
Old 01-April-2004, 22:44
lakingsfan
Guest
 
Posts: n/a
Default

Yes, adware6, spybot, spysweeper and CWS are all updated. CWS still has never found anything wrong but the others always find, delete, I even delete from quarantine and it still comes back up on my home page and favorites when I reboot.
Here is the file from hijack:

Logfile of HijackThis v1.97.7
Scan saved at 1:43:19 PM, on 4/1/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\MY DOCUMENTS\MY DELIVERIES\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.your-search.info/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.your-search.info/start.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.your-search.info/start.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.your-search.info/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.your-search.info/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.your-search.info/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.your-search.info/start.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.your-search.info/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.your-search.info/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.your-search.info/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.your-search.info/search.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r1.attbi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r1.attbi.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar_en_2.0.108-deleon.dll
O2 - BHO: (no name) - {49E0E0F0-5C30-11D4-945D-000000000003} - C:\PROGRA~1\ASHAMPOO\ASHAMP~1\POPUP.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar_en_2.0.108-deleon.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [system32.dll] C:\WINDOWS\system\systeminit.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR_EN_2.0.108-DELEON.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR_EN_2.0.108-DELEON.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR_EN_2.0.108-DELEON.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR_EN_2.0.108-DELEON.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR_EN_2.0.108-DELEON.DLL/cmtrans.html
O9 - Extra button: Encarta Encyclopedia (HKLM)
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
O9 - Extra button: Define (HKLM)
O9 - Extra 'Tools' menuitem: Define (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...?37650.9728125
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...ctor/swdir.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/1667ba5c...p/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O19 - User stylesheet: C:\WINDOWS\sstyle.css
O19 - User stylesheet: C:\WINDOWS\sstyle.css (HKLM)
  #13  
Old 01-April-2004, 22:49
lakingsfan
Guest
 
Posts: n/a
Default

One thing I forgot to say is when this first came to notice, I noticed if I clicked on my Windows Media Player, AFTER I changed my home page in IE options, it would put the search crap site back up as my home page. Also, when I clicked on the Windows Media icon, it never came up. So I reloaded it and updated it and now that icon seems to work but still have all the other issues.
  #14  
Old 02-April-2004, 00:07
Zer02004
Guest
 
Posts: n/a
Default

I've posted instructions on what to fix here.
Please report back regarding the AT&T question.

Once everything is fixed, reboot and post another logfile.

Last edited by Zer02004; 02-April-2004 at 00:37.
  #15  
Old 02-April-2004, 01:24
lakingsfan
Guest
 
Posts: n/a
Default

Thanks Zero! It seems to work, I did all you asked.

Here is the new log:

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGAMSVR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGEMC.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\MY DOCUMENTS\MY DELIVERIES\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://comcast.net/comcast.html
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar_en_2.0.108-deleon.dll
O2 - BHO: (no name) - {49E0E0F0-5C30-11D4-945D-000000000003} - C:\PROGRA~1\ASHAMPOO\ASHAMP~1\POPUP.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar_en_2.0.108-deleon.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVG7\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVG7\AVGEMC.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [avgamsvr.exe] C:\PROGRA~1\GRISOFT\AVG7\AVGAMSVR.EXE
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR_EN_2.0.108-DELEON.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR_EN_2.0.108-DELEON.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR_EN_2.0.108-DELEON.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR_EN_2.0.108-DELEON.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR_EN_2.0.108-DELEON.DLL/cmtrans.html
O9 - Extra button: Encarta Encyclopedia (HKLM)
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
O9 - Extra button: Define (HKLM)
O9 - Extra 'Tools' menuitem: Define (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37650.9728125
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab


Look ok now? Do I need to worry about this thing still on my computer? I am worried why no virus program ever found it, just spyware if it is a trojan.

edit killed the smilies ~mem

Last edited by Memfis; 02-April-2004 at 05:14.
Reply With Quote
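Added example, not part of any poster's message: the thread asks for a second HijackThis log after cleanup, and comparing it with the first shows exactly which browser settings and startup entries changed. The sketch below parses the `<code> - <body>` entry lines and diffs two logs; the function names `parse_log` and `diff_logs` are made up for this example, and the sample input is a subset of lines copied from the two logs posted above.

```python
import re

# HijackThis entry lines look like "<code> - <body>", e.g. "R0 - ..." or "O4 - ...".
# Header lines and the "Running processes" paths do not match and are skipped.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")


def parse_log(text):
    """Map a comparison key to (code, location, data) for each entry line."""
    entries = {}
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        code, body = m.groups()
        if code.startswith("R") and " = " in body:
            # R entries: "hive\key,value = data". Key on the location only, so
            # a value that was rewritten shows up as "changed", not add+remove.
            location, data = body.split(" = ", 1)
            key = ("R", location.lower())
        else:
            # Other sections: the whole body identifies the entry.
            # Lower-cased because Windows paths are case-insensitive.
            location, data = body, None
            key = (code, body.lower())
        entries[key] = (code, location, data)
    return entries


def _render(entry):
    code, location, data = entry
    return f"{code} - {location}" + (f" = {data}" if data is not None else "")


def diff_logs(before_text, after_text):
    """Return entries removed, added and changed between two logs, in log order."""
    before, after = parse_log(before_text), parse_log(after_text)
    return {
        "removed": [_render(e) for k, e in before.items() if k not in after],
        "added": [_render(e) for k, e in after.items() if k not in before],
        "changed": [
            (e[1], before[k][2], e[2])
            for k, e in after.items()
            if k in before and before[k][2] != e[2]
        ],
    }


# Subset of the first log in the thread (before cleanup).
BEFORE_LOG = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\EXPLORER.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.your-search.info/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.your-search.info/start.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.your-search.info/start.html
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [system32.dll] C:\WINDOWS\system\systeminit.exe
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O19 - User stylesheet: C:\WINDOWS\sstyle.css
"""

# Subset of the second log in the thread (after cleanup).
AFTER_LOG = r"""Running processes:
C:\WINDOWS\EXPLORER.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://comcast.net/comcast.html
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVG7\AVGCC.EXE /STARTUP
"""

if __name__ == "__main__":
    result = diff_logs(BEFORE_LOG, AFTER_LOG)
    for section in ("removed", "added"):
        print(f"--- {section} ---")
        for line in result[section]:
            print(line)
    print("--- changed ---")
    for location, old, new in result["changed"]:
        print(f"{location}: {old} -> {new}")
```

The diff only reports what differs between the two scans; whether a removed or added entry is wanted (here, for instance, one antivirus was swapped for another) is still a judgement for whoever reads the log.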
  #16  
Old 02-April-2004, 10:41
Zer02004
Guest
 
Posts: n/a
Default

I don't see anything out of place with this log.
Keep Spybot installed and updated and grab a copy of Ad-Aware and use them both regularly.
  #17  
Old 02-April-2004, 15:28
100reasons
Guest
 
Posts: n/a
Default

I kept a clipping from the Sunday Times the other month about start page hijacking - they recommended: www.pjwalczak.com/spguard and download his free StartPage Guard. Haven't tried it myself yet, wonder if Zer0 or anyone else has?
I still suffer from it periodically, running Ad-Aware & Spybot kills them off for a few days but then another pops in later.
  #18  
Old 02-April-2004, 17:59
Zer02004
Guest
 
Posts: n/a
Default

I must admit, I haven't heard of that one. Personally, I use Spysweeper, Spybot and Ad-Aware and carry out occasional checks with HJT!
Try these programs out by all means but be aware, there is a lot of deception at hand where the spyware market is concerned. Some applications that pose as anti spyware utilities are in fact conduits for all sorts of rubbish.

Read up on the various security forums such as spywareinfo.com and cexx.org etc.
Of course, there's plenty of info to be had here. :D

I hardly ever get any infections of any sort and I honestly can't remember the last one.
Maybe you have a downloader running that hasn't yet been eradicated. Run HJT! and post a logfile here if you like.
  #19  
Old 02-April-2004, 20:26
Mr Pedantic
Guest
 
Posts: n/a
Default Hi

Switch off your system restore, then run spybot, restart your computer, then enable system restore again.
  #20  
Old 09-April-2004, 01:56
Diego
Guest
 
Posts: n/a
Default

Go to this URL: http://bubdaddy.blogspot.com/
and read about free software for the removal of CoolWWW and other annoying bits of Adware, Malware, and Spyware
  #21  
Old 09-April-2004, 02:04
Diego
Guest
 
Posts: n/a
Default CoolWWW

I neglected to mention a most valuable piece of freeware in my previous post. Download HijackThis and learn immediately what kinds of trash have been hidden on your system.

HijackThis provides an almost instant scan of crapware and is part of the suite of free software I use to keep my computer free of things I have not chosen to install on it.

Diego
  #22  
Old 12-April-2004, 16:37
Diego
Guest
 
Posts: n/a
Default

I agree with Zero. I believe that one or more of the programs we all trust is a conduit for dungware like CoolWWW.

Everyday, I run all of the programs listed at http://bubdaddy.blogspot.com/ . Yesterday I checked AdAware twice for updates, and found a new update each time.

I suspect one or all of my sitemeters. To check my stats, I have to turn my popup killer off. That's the ONLY time I turn the popup killer off.

hmmmmmmmmm?

So far, by running all of those programs and checking daily for updates, I'm still free of CoolWWW and ALL other dungware.
  #23  
Old 30-April-2004, 03:31
Baboon
Guest
 
Posts: n/a
Default coolwww

Hi there,

I've got the same problems as lakingsfan had with coolwww and have followed the whole process until the reply of Zer0 2004 on the 2nd of April where it says:

"I've posted instructions on what to fix here".

Once I click on "here" I get to a faulty address but I would love to see the last instructions that obviously solved all problems.

Can Zer0 2004 or lakingsfan help?
  #24  
Old 30-April-2004, 09:44
Zer02004
Guest
 
Posts: n/a
Default

Hi Baboon, each solution will be different for each user so I tend to remove what's gone before.
Post a HijackThis! log here and I'll go through it for you.
  #25  
Old 30-April-2004, 15:25
Baboon
Guest
 
Posts: n/a
Default

Thanks Zer0,

Have just solved the problem by running Adware and Hijack.

Thanks anyway.
  #26  
Old 05-May-2004, 02:49
Diego
Guest
 
Posts: n/a
Default Cool WWW and all Spyware and Malware

By trying almost all of the anti-spyware that's out there singly and in almost every conceivable combination, it was inevitable that I should find a program called GhostSurf Pro. You can read about it and how to get it if you check the post dated April 21, 2004 at this site

http://bubdaddy.blogspot.com/

GhostSurf Pro has allowed me to regain control of my PC and has allowed me to PERMANENTLY eliminate ALL home page hijackers, and all spyware and all adware and all popups.

It enabled me to bar new intruders, and destroy all old files. It also enables one to surf the web using anonymous hubs, should one care to do that.

Except for Lavasoft's free version of Ad-aware, I have eliminated ALL of the other free software including Cool Web Shredder, Spy Blaster, HIJack This, and about 7 others I still had on my PC.

If you scroll to the bottom of the page on the above site, there is a link to the company which makes GhostSurf Pro.

I would recommend that you purchase it only from the manufacturer, or you run the risk of paying for software which has been embedded with malicious code.

I ordered my copy directly from the manufacturer too!
  #27  
Old 05-May-2004, 13:11
Memfis Memfis is offline
Former TS! Team
 
Join Date: Feb 2002
Location: ex TS! Team Mansion squatter
Posts: 3,894
Default

or just use mozilla ;)

its free :p
  #28  
Old 13-May-2004, 20:09
jmbersh
Guest
 
Posts: n/a
Default coolwww

I think I am infected with the same thing as Lakingsfan. I followed Zero's instructions:
1. rebooted
2. ran CWS until all clear
3. ran spybot until all clear
4. ran hijack this

below is my log file from hijack this...

thx for your help:


Logfile of HijackThis v1.97.7
Scan saved at 3:10:36 PM, on 5/13/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Documents and Settings\Jeff\Desktop\hijackpack\hijackpack\Hijack This.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\DllHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\ohb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\ohb.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\ohb.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\ohb.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\ohb.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\ohb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {28825BE6-F6BE-4ADD-8841-C3B27C62DED5} - C:\WINDOWS\System32\ohb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{546C0A7F-326D-4D25-A8F8-69C5D3CCD5ED}: NameServer = 66.252.170.3,66.252.161.40
  #29  
Old 06-June-2004, 11:26
Mumbledog
Guest
 
Posts: n/a
Smile CoolWWW

CoolWWW will cause popups to spawn but shouldn't change your homepage. Something else is doing that. Two free programs that are great for stopping hijacking are Spyware Guard and Zone Alarm.

Spyware Guard will warn you if something tries to change your homepage or add a BHO (Browser Helper Object). It then gives you a choice of letting the change occur or blocking it. This way, it gives you an idea about where and when the hijack attempt happens which indicates the culprit site or software. If you open a program and instantly get a hijack warning then you know that you need to delete and reinstall a fresh copy of the program. Same with a site, if you visit a site and get a hijack warning, then you know that site should go on your blacklist.

Zone Alarm is a great firewall. It lets you know if XYZ software is trying to contact the internet in the background, behind your back. You will have a choice, allow or deny. It will also let you cloak your PC from hackers in stealth mode and be hidden and protected from hackers. You can even apply a lock which prevents anything in or out. Give these a try and see what you think.
  #30  
Old 08-June-2004, 18:46
Lagarde
Guest
 
Posts: n/a
Post

Zer0 2004,

I too am having the same problem as lakingsfan. As directed, I've updated and run CWShredder then I ran Spybot. Both of the programs come up clear from my computer. Attached is my HiJack This! log file. Can you tell me what needs to be deleted?

Thanks!

Lagarde

Logfile of HijackThis v1.97.7
Scan saved at 12:18:07 PM, on 6/8/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\ACS495\MIXGHOST.EXE
C:\PROGRAM FILES\COMMON FILES\ROXIO SHARED\PROJECT SELECTOR\PROJSELECTOR.EXE
C:\PROGRAM FILES\ROXIO\EASY CD CREATOR 6\DRAGTODISC\DRGTODSC.EXE
C:\PROGRAM FILES\ROXIO\EASY CD CREATOR 6\AUDIOCENTRAL\RXMON.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\SYSTEM\TBCTRAY.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\PROGRAM FILES\NOVOSOFT\HANDY BACKUP\HBAGENT.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\ROXIO\EASY CD CREATOR 6\AUDIOCENTRAL\PLAYLIST.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\CAPM3LA.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\CAPM3RS.EXE
C:\WINDOWS\SYSTEM\CAPM3SW.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\IADJIND.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\IADJIND.DLL/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\IADJIND.DLL/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\IADJIND.DLL/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\IADJIND.DLL/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\IADJIND.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by ACT!
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {923AA70E-B8AD-11D8-A8B6-0010A8B84D69} - C:\WINDOWS\SYSTEM\IADJIND.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Mixghost] C:\ACS495\MixGhost.exe
O4 - HKLM\..\Run: [projselector] "C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe" -r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VoyetraTray] C:\PROGRAM FILES\TURTLE BEACH MONTEGO II QUADZILLA\AUDIOSTATION\VTRAY.EXE /s
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\SYSTEM\TBCTRAY.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [Handy Backup 4.0] "C:\PROGRAM FILES\NOVOSOFT\HANDY BACKUP\hbagent.exe" -logon
O4 - Startup: Microsoft Office.lnk = C:\WINDOWS\Application Data\Microsoft\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\misc.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\PROGRA~1\WINZIP\wzqkpick.exe
O4 - Startup: Canon PC1200 iC D700 Status Window.LNK = C:\WINDOWS\SYSTEM\CAPM3LA.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mpg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...010.3950231482
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.dell.com/us/en/system...SysProfLCD.CAB
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/3137d783...p/RdxIE601.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://pinpoint.webex.com/client/la...ex/ieatgpc.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
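As an added example (not part of any post in this thread), a short Python triage of the log in post #30: it lists every module that is both the target of a `res://` URL in an Internet Explorer search or start-page setting (HijackThis R0/R1 lines) and registered as a Browser Helper Object (O2 lines). The function name `triage` and the pairing heuristic are assumptions of this example; a match is a lead for review, not a verdict.

```python
import re
from collections import defaultdict

# Lines copied unchanged from the HijackThis log in post #30 (subset).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\IADJIND.DLL/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\IADJIND.DLL/sp.html (obfuscated)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {923AA70E-B8AD-11D8-A8B6-0010A8B84D69} - C:\WINDOWS\SYSTEM\IADJIND.DLL
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
"""

# "R<n> - <hive>\<key>,<value name> = <data>"
R_LINE = re.compile(r"^(R[0-3]) - (HK[A-Z]+\\[^,]+),(.+?) = (.*)$")
# "O2 - BHO: <name> - {CLSID} - <module path>"
BHO_LINE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")
# Module path inside a res:// URL, up to and including its extension.
RES_URL = re.compile(r"res://(.+?\.(?:dll|ocx|exe))/", re.I)

def triage(log_text):
    """Map each module that is both a res:// target of an IE setting and a BHO
    to the settings pointing at it and the CLSIDs that load it (heuristic)."""
    settings, bhos = defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        line = line.strip()
        m = R_LINE.match(line)
        if m:
            res = RES_URL.search(m.group(4))
            if res:  # setting served from inside a local binary
                hive = m.group(2).split("\\")[0]
                flagged = "(obfuscated)" in m.group(4)
                settings[res.group(1).lower()].append((hive, m.group(3), flagged))
            continue
        m = BHO_LINE.match(line)
        if m:
            bhos[m.group(3).strip().lower()].append(m.group(2).upper())
    # Paths are compared case-insensitively, as the log mixes upper and lower case.
    return {mod: {"settings": settings[mod], "bho_clsids": bhos[mod]}
            for mod in settings if mod in bhos}

if __name__ == "__main__":
    for module, hit in triage(SAMPLE_LOG).items():
        print(module, "loaded as BHO", hit["bho_clsids"])
        for hive, value, flagged in hit["settings"]:
            print("   ", hive, value, "(obfuscated)" if flagged else "")
```

The Google Toolbar DLL also appears as a BHO and in a `res://` URL, but only in an O8 context-menu line, so it is not reported.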
Copyright ©1999-2014 The Scream!