I think my computer is infected with something similar to the 'coolwebsearch' spyware. I get 'Home Search' as webpage (about:blank), and I get a lot more pop-up ads than I used to. Ad-aware and Spybot can't get rid of it; it seems like it re-installs itself every time the anti-spyware programs take care of it. Any ideas? Here's my HJT log:

Logfile of HijackThis v1.97.7
Scan saved at 15:37:37, on 12/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\winqr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\DATACA~1\FLashKsk.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\Program Files\Telemeter 3.0\telemeter3.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\??rss.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\sdkkk.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Bart\Mijn documenten\Anti-virus\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ksuuv.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ksuuv.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ksuuv.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ksuuv.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ksuuv.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ksuuv.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ksuuv.dll/sp.html#28129
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6A46F6C4-6BA6-BB1F-242A-77FF5088C696} - C:\WINDOWS\system32\javalu.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DataCaching] C:\PROGRA~1\DATACA~1\FLashKsk.exe
O4 - HKLM\..\Run: [Lexmark X84-X85 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe
O4 - HKLM\..\Run: [Lexmark X84-X85 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [Telemeter 3.0] "C:\Program Files\Telemeter 3.0\telemeter3.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [cria32.exe] C:\WINDOWS\system32\cria32.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [sdkkk.exe] C:\WINDOWS\sdkkk.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Mkr] C:\WINDOWS\System32\??rss.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)

Thanks a lot! Can't believe it turned out to be that easy. This spyware has been getting on my nerves for two weeks now, and all I had to do is run that buster thing... Can't believe I didn't come across this earlier... Thanks again!
Crap... Seems like that nasty spyware is still there; it just took a bit longer for it to come back this time. Can't find C:\WINDOWS\winqr32.exe either... Is that a problem?
Check your msconfig/startup to see if winqr32.exe is there & with a checkmark in front of it; if so, uncheck the box. Do a search for winqr32.exe on your hard drive & run Ad-aware SE & Spybot in safe mode, but delete all cookies, Windows temp & temporary internet before running those programs.
Hey

Put a tick in and remove the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ksuuv.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ksuuv.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ksuuv.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ksuuv.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ksuuv.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ksuuv.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ksuuv.dll/sp.html#28129

OK, that's just to start off with. You are using an old version of HijackThis. Can you download the latest version and re-post your log? Also have a read of the first post on this thread and run Adaware, Spybot and an online virus scan.
http://forums.afterdawn.com/thread_view.cfm/128251

CJC

Thanks a lot for helping me with all this, I really appreciate it. There should be more people out there like you all. Right now, I'm going through some steps described on http://www.bleepingcomputer.com/forums/topict3341.html Almost done with the whole process, but I don't know if it will have solved the problem. Came across some errors... Anyway, let me just finish that up first, and then I'll post a fresh HJT log here. Hopefully you experts can tell me then that my pc is clean... Thanks again for your willingness to help people like me!
Here it is... The problem isn't solved, though. I'm afraid the virus will just re-install itself again. Spybot and Ad-aware keep bringing stuff up, too. Any ideas? I appreciate your help!

Logfile of HijackThis v1.98.2
Scan saved at 0:21:04, on 13/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\DATACA~1\FLashKsk.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\Program Files\Telemeter 3.0\telemeter3.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\??rss.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\winqr32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ieul32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Bart\Mijn documenten\Anti-virus\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ksuuv.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ksuuv.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ksuuv.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ksuuv.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ksuuv.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ksuuv.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ksuuv.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6A46F6C4-6BA6-BB1F-242A-77FF5088C696} - C:\WINDOWS\system32\javalu.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DataCaching] C:\PROGRA~1\DATACA~1\FLashKsk.exe
O4 - HKLM\..\Run: [Lexmark X84-X85 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe
O4 - HKLM\..\Run: [Lexmark X84-X85 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [Telemeter 3.0] "C:\Program Files\Telemeter 3.0\telemeter3.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [ieul32.exe] C:\WINDOWS\system32\ieul32.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKCU\..\Run: [Mkr] C:\WINDOWS\System32\??rss.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

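An added example, not part of any post in this thread: a small Python parser that pulls out the R0/R1 Internet Explorer settings pointing at a res:// page inside a local DLL (the entries listed for removal above) and compares the O4 Run autostart entries of the two posted scans, so entries that vanished or appeared between scans stand out for review. The sample lines are a subset copied from the two logs; the function names are illustrative.

```python
import re

# Constructed sample: a subset of entries copied from the two HijackThis
# logs in this thread (12/12/2004 and 13/12/2004), one entry per line.
SCAN_1 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ksuuv.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [cria32.exe] C:\WINDOWS\system32\cria32.exe
O4 - HKLM\..\Run: [sdkkk.exe] C:\WINDOWS\sdkkk.exe
O4 - HKCU\..\Run: [Mkr] C:\WINDOWS\System32\??rss.exe
"""
SCAN_2 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ksuuv.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ieul32.exe] C:\WINDOWS\system32\ieul32.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKCU\..\Run: [Mkr] C:\WINDOWS\System32\??rss.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")            # "R1 - ...", "O16 - ..."
RES_DLL = re.compile(r"=\s*res://(.+?\.dll)/", re.I)      # value served from a local DLL
RUN = re.compile(r"^(HK\w+)\\\.\.\\Run: \[(.+?)\] (.*)$")  # hive, value name, command

def parse(log):
    """Return [(section, body)] for each entry line; header and process lines are skipped."""
    return [m.groups() for m in map(ENTRY.match, log.splitlines()) if m]

def hijacked_ie_settings(log):
    """Map DLL path -> IE settings (R0/R1) whose value is a res:// page inside that DLL."""
    hits = {}
    for section, body in parse(log):
        m = RES_DLL.search(body) if section in ("R0", "R1") else None
        if m:
            hits.setdefault(m.group(1).lower(), []).append(body.split(" = ")[0])
    return hits

def run_entries(log):
    """Map (hive, value name) -> command for the O4 Run autostart entries."""
    out = {}
    for section, body in parse(log):
        m = RUN.match(body) if section == "O4" else None
        if m:
            out[(m.group(1), m.group(2))] = m.group(3)
    return out

def autorun_changes(before, after):
    """Return (removed, added) autostart keys between two scans, for manual review."""
    old, new = run_entries(before), run_entries(after)
    return sorted(set(old) - set(new)), sorted(set(new) - set(old))

if __name__ == "__main__":
    print(hijacked_ie_settings(SCAN_2))
    print(autorun_changes(SCAN_1, SCAN_2))
```

A changed entry is only a pointer for review, not a verdict; legitimate installers also add and remove Run values.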
OK, download another program called Adware Away, which is a free 5-day trial available from http://www.download.com/Adware-Away/3000-8022_4-10342100.html?tag=lst-0-1

Open up Adware Away.

Now click on the Scan button, and this will do a scan on some potential security issues. It will also see if there is a keylogger installed. 3/4 of the way through this scan, it will say detect keylogger; make sure you press ENTER and not click on the button. Once it has completed, click Next.

Generally it will have a few SERVICE: xxx -- Not Necessary; you don't really need to worry about that, and usually there is a C:\Windows\System32\userinit.exe; you don't need to worry about that either. If there is anything else, put a tick then go Fast Fix.

Now on the left hand side click on Remove Hijackers. Down the bottom it will have Scan All. Once it has scanned it will show something like:

Totally Found [xx] Malware Objects!
Scan About:Blank Hijacker ... Start
Scan About:Blank Hijacker ... Finished
Scan About:Blank Hijacker (Real blank page ) ... Start
Found [10] About:Blank Hijacker (Real blank page ) Objects.
Scan About:Blank Hijacker (Real blank page ) ... Finished
Scan About:Blank Hijacker Variant 5 ... Start
Found [0] About:Blank Hijacker Variant 5 Objects.
Remove About:Blank Hijacker Variant 5 ... Finished

Now, find About:Blank Hijacker (Real blank page ) in the top right hand box, then select Remove. You will now see something like:

Remove About:Blank Hijacker (Real blank page ) ... Start
The following operation will make your desktop disappear, don't worry about it.
Totally [10] About:Blank Hijacker (Real blank page ) Objects were removed.
Remove About:Blank Hijacker (Real blank page ) ... Finished

Click on Scan All again, and it should now say - Totally Found [0] Malware Objects!

Move on to the next one, which is Remove Adwares; do the same to Adwares, Spywares and Trojan & Worms. That should fix your problem. Once you have done that, go in and change your homepage, restart and see if it changes.

CJC

[Edit] Stupid computer locked up and had to restart, so had to re-type the whole post. Also forgot the link.

Sorry you had to re-type all that... Seems like even the computers of the pros don't cooperate every now and then. Thanks a lot for your help! I went through all the steps; found 2 'Hijacker entries' (about:blank hijacker variant 5) and 1 'Adware entry' (TSA Adware). No spyware or Trojan & Worms were found. I got rid of all that, reset my homepage, deleted the unwanted links in 'my favorites' that kept coming back, and everything seems to run smoothly now! Just to be sure, I'll let some anti-virus scanners run. Don't expect any trouble, but you never know... I'll keep you up to date! Thanks again! (if you let me know your address, I'll send you a special Christmas/Thank you card )
Bad news... Maybe this whole process wasn't as successful as I first thought/hoped. I ran various virus scanners, and most of them still picked stuff up:
- TrendMicro's HouseCall: 81 infected files; 'deleted' those
- Bitdefender's Online Scan: 140 infected
- Norton Anti Virus came up clean
- Spybot: Still the same DSO exploit thing, nothing else
- Ad-Aware: 79 new critical objects; 'deleted' those (I saved this log just in case)
Where do I go from here? Thanks!

Hey. OK, you have run a few virus scans; try running Housecall again now and see if it finds anything. You might have just been getting rid of all the crap that has come back between trying things. Spybot has a problem with the DSO Exploit, have a read of: http://www.safer-networking.org/en/faq/36.html As for Adaware, what type of files were they? My computer still gets a bit of Adware, mainly Tracking Cookies that Adaware picks up, from going to various sites. CJC
Ad-aware still came up with some nasty CoolwebSearch entries. I downloaded AboutBuster (http://www.downloads.subratam.org/AboutBuster.zip), and that thing seemed to work just fine. I ran housecall again; no viruses were detected! Ad-aware still brings up 8 critical objects, though. Maybe those'll disappear on a next scan... I'd like to believe that the spyware is deleted for good this time. I guess I'll just have to wait and see if my computer keeps functioning the way it should. Thanks a lot for your help and the tips, I'm very grateful to all the people that have the heart to help others! Thanks again!
Hey. Regards to CoolWebSearch: http://www.spy-bot.net/CoolWebSearch.asp Have a read of there, there are some instructions for the different types to remove them. Are the 8 that Adaware finds all Cool Web Search? CJC
Hi CJC, The 8 entries I was talking about are 'just' tracking cookies. The AboutBuster took care of the CoolwebSearch thing first. Then I scanned with Ad-aware, and it didn't bring any more coolwebsearch entries up, just tracking cookies. I'm down to 2 of those, after another scan... I'd say my PC is pretty much healthy again, not? I'll let you know if something pops up again. You never know, right? But hopefully I won't have to bug you with my problems anymore. Thanks again for your great help!
Hey. Ahh, when I scan I always get some tracking cookies here and there. Looks like you are all clean. Glad I could have helped, and if you have any more problems, post away. Don't forget to have a look around the forum and if you can help somebody as well, go for it. CJC