Topic: Coolsearch.biz hijack
84Buff (Newbie, 4 posts)
« on: August 04, 2004, 07:37:26 PM »

PLEASE SUPPLY RELEVANT INFORMATION:
Operating System Version: Windows 2000 5.00.2195 Ser Pack3
Problem Application Name & Version: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Problem Hardware Make & Model: Dell Latitude w/Intel PIII
Error Messages:


Hijacked by Coolsearch.biz.  Need some help.  Ran CWShredder, no luck.

Logfile of HijackThis v1.98.1
Scan saved at 12:56:42 PM, on 8/4/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\ISS\BlackICE\blackd.exe
C:\WINNT\system32\crypserv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\OfficeScan NT\ntrtscan.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\OfficeScan NT\tmlisten.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\OfficeScan NT\ofcdog.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\WINNT\system32\services\msxmidi.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\MS\SMS\BIN\pcmwin32.exe
C:\Program Files\OfficeScan NT\pccntmon.exe
C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
C:\Program Files\Apoint\Apntex.exe
C:\Interwise\Student\pull.exe
C:\MS\SMS\BIN\climonnt.exe
C:\Program Files\ISS\BlackICE\blackice.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Documents and Settings\nunns\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.coolsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Siemens Building Technologies
R3 - Default URLSearchHook is missing
O2 - BHO: twaintecObj Class - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINNT\twaintec.dll
O2 - BHO: ie - {2FF5573C-0EB5-43db-A1B2-C4326813468E} - c:\winnt\iehr.dll (file missing)
O2 - BHO: HBO Class - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - C:\WINNT\system32\services\2.01.00.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AUTOPCC] "C:\Program Files\OfficeScan NT\INTELLISTART.EXE" "X:\AntiVirus\OSCAN\AUTOUPD.EXE" /s
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\OfficeScan NT\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [xpsystem] C:\WINNT\system32\services\msxmidi.exe
O4 - HKCU\..\Run: [xpsystem] C:\WINNT\system32\services\msxmidi.exe
O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\msoffice\Office\OSA9.EXE
O4 - Global Startup: Push Client.LNK = C:\Interwise\Student\pull.exe
O4 - Global Startup: RealSecure Desktop Protector.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.us.abatos.com
O15 - Trusted Zone: http://*.us.landisstaefa.com
O15 - Trusted Zone: http://*.sbt.siemens.com
O16 - DPF: {11865A2A-649F-4FA1-8B99-B97DF8070B7C} (IWSystemchecks Control) - http://sbt.interwise.com/na/English/ActiveX/IWsystemchecks.cab
O16 - DPF: {1C203F13-95AD-11D0-A84B-00A0247B735B} (Infragistics ActiveTreeView Control) - http://inet16.sbt.siemens.com/esonline/cabs/SSTree.CAB
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
O16 - DPF: {B3014671-7872-4671-BE73-5D05EB5B2AF5} (Infragistics UltraGrid Control 2.0) - http://inet16.sbt.siemens.com/esonline/cabs/IGUltraGrid20.CAB
O16 - DPF: {B63EA811-FF25-4211-A6D2-58BF767432E1} (PictureLoader.Helpers) - http://inet16.sbt.siemens.com/esonline/cabs/pictureloader.cab
O16 - DPF: {F0D96671-A5CE-4854-AE49-6835742D232F} (Infragistics Panel Control 4.0) - http://inet16.sbt.siemens.com/esonline/cabs/IGThreed40.cab
O18 - Protocol: its_disabled - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINNT\system32\itss.dll
O18 - Protocol: ms-its_disabled - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINNT\system32\itss.dll
benditup (Hero Member, 2105 posts)
« Reply #1 on: August 05, 2004, 12:11:59 AM »

I want to make sure that you are running the latest version of CWShredder.
Download CWShredder and save it to your desktop.
Ensure it is version 1.59.1.


Download and Install the free version of Ad-Aware
After installation-CHECK FOR UPDATES

Disconnect from the Internet
With just CWShredder open--Let it FIX all problems
RESTART your computer

Open Ad-Aware

Set these additional options for a custom scan
click the gear wheel at the top and check these options:

General> activate these: "Automatically save log-file" and "Automatically quarantine objects prior to removal"

Scanning > activate these: "Scan within archives", "Scan active processes", "Scan registry", "Deep scan registry", "Scan my IE Favorites for banned sites" and "Scan my Hosts file"

Tweaks > Scanning Engine> activate this: "Unload recognized processes during scanning."

Tweaks > Cleaning Engine: activate these: "Automatically try to unregister objects prior to deletion" and "Let Windows remove files in use after reboot."

Click "Proceed" to save your settings, then click "Start", make sure "Activate in-depth scan" is ticked green then scan your system. When the scan is finished, the screen will tell you if anything has been found, click "Next". The bad files will be listed, right click the pane and click "Select all objects" - this will put a check mark in the box at the side, click "Next" again and click "OK" at the prompt "# objects will be removed. Continue?".

RESTART your computer
Don't open a browser yet; instead access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
Under the General tab---Delete files + offline content---Also Reset home page
Do a Disk Cleanup

Post back with a fresh hijackthis log
84Buff (Newbie, 4 posts)
« Reply #2 on: August 05, 2004, 02:24:41 PM »

Thanks, Benditup.  So far, so good, after following your instructions.  Here's a new HJT log.

Logfile of HijackThis v1.98.1
Scan saved at 9:22:24 AM, on 8/5/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\ISS\BlackICE\blackd.exe
C:\WINNT\system32\crypserv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\OfficeScan NT\ntrtscan.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\OfficeScan NT\tmlisten.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\OfficeScan NT\ofcdog.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\OfficeScan NT\pccntmon.exe
C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
C:\Interwise\Student\pull.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\ISS\BlackICE\blackice.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Documents and Settings\nunns\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://landscape.us.abatos.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Siemens Building Technologies
R3 - Default URLSearchHook is missing
O2 - BHO: ie - {2FF5573C-0EB5-43db-A1B2-C4326813468E} - c:\winnt\iehr.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AUTOPCC] "C:\Program Files\OfficeScan NT\INTELLISTART.EXE" "X:\AntiVirus\OSCAN\AUTOUPD.EXE" /s
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\OfficeScan NT\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\msoffice\Office\OSA9.EXE
O4 - Global Startup: Push Client.LNK = C:\Interwise\Student\pull.exe
O4 - Global Startup: RealSecure Desktop Protector.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.us.abatos.com
O15 - Trusted Zone: http://*.us.landisstaefa.com
O15 - Trusted Zone: http://*.sbt.siemens.com
O16 - DPF: {11865A2A-649F-4FA1-8B99-B97DF8070B7C} (IWSystemchecks Control) - http://sbt.interwise.com/na/English/ActiveX/IWsystemchecks.cab
O16 - DPF: {1C203F13-95AD-11D0-A84B-00A0247B735B} (Infragistics ActiveTreeView Control) - http://inet16.sbt.siemens.com/esonline/cabs/SSTree.CAB
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
O16 - DPF: {B3014671-7872-4671-BE73-5D05EB5B2AF5} (Infragistics UltraGrid Control 2.0) - http://inet16.sbt.siemens.com/esonline/cabs/IGUltraGrid20.CAB
O16 - DPF: {B63EA811-FF25-4211-A6D2-58BF767432E1} (PictureLoader.Helpers) - http://inet16.sbt.siemens.com/esonline/cabs/pictureloader.cab
O16 - DPF: {F0D96671-A5CE-4854-AE49-6835742D232F} (Infragistics Panel Control 4.0) - http://inet16.sbt.siemens.com/esonline/cabs/IGThreed40.cab

 
benditup (Hero Member, 2105 posts)
« Reply #3 on: August 06, 2004, 04:51:57 AM »

Do another scan with HijackThis and put a check next to these entries, then FIX CHECKED when ALL other windows are closed:

R3 - Default URLSearchHook is missing
O2 - BHO: ie - {2FF5573C-0EB5-43db-A1B2-C4326813468E} - c:\winnt\iehr.dll (file missing)

Any O15 trusted site you don't recognize

RESTART your computer

You should install these 2 apps; they add extra security while silently protecting you without running in the background.
 
SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html

IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
http://www.bleepingcomputer.com/forums/index.php?showtutorial=53

With both---Check for updates every couple of weeks

READ THIS
How did I get Infected

Take note: under "How did I get Infected", the latest Service Pack for Windows 2000 is SP4. You might consider getting ALL latest Critical Updates and SPs.
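The thread's workflow is "post a HijackThis log, a helper reads it by eye, post a fresh log after cleanup". Below is an added example, not code from the thread or from HijackThis itself, that does the reading part programmatically: it parses the R0/R3/O2/O4/O15 lines HijackThis 1.98 emits, flags the patterns that gave the first log away (start page on a foreign host, the missing URLSearchHook, BHOs loading from C:\WINNT or a stray services\ subdirectory, the same Run-key name planted in both HKLM and HKCU), and diffs the first log against the second to list what the CWShredder/Ad-Aware pass actually removed. The sample logs are constructed from the entries quoted in this thread; the allowlist of expected domains and the "unusual directory" fragment are assumptions made for illustration and would be tuned per environment.

```python
"""HijackThis log triage (added example; not code from the forum thread or HijackThis)."""
import re
from dataclasses import dataclass

LINE_RE = re.compile(r"^(?P<kind>R\d|O\d{1,2}) - (?P<body>.*)$")
URL_RE = re.compile(r"https?://([^/\s]+)")
O2_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<target>.*)$")

# Assumption: hosts this corporate build legitimately uses for its start page and
# Trusted Zone (taken from the log). Any other host in an R0 or O15 line is reported.
EXPECTED_DOMAIN_SUFFIXES = (".us.abatos.com", ".us.landisstaefa.com", ".sbt.siemens.com")
# Assumption: a Run-key target under this directory is unusual; the hijacker in the
# thread dropped msxmidi.exe and 2.01.00.dll there.
SUSPICIOUS_DIR_FRAGMENTS = (r"\system32\services\",)


@dataclass(frozen=True)
class Entry:
    kind: str  # "R0", "O2", "O4", ...
    body: str  # everything after "<kind> - "


def parse_log(text):
    """Return the HijackThis entries in `text`; process-list and header lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m["kind"], m["body"]))
    return entries


def _host_expected(host):
    host = host.lower().lstrip("*")  # O15 lines carry "*.domain" wildcards
    return any(host.endswith(s) or host == s.lstrip(".") for s in EXPECTED_DOMAIN_SUFFIXES)


def triage(entries):
    """Return human-readable findings for the entries an analyst would fix or review."""
    findings = []
    run_hives = {}  # Run-key value name -> set of hives it appears in
    for e in entries:
        if e.kind == "R0" and "Start Page" in e.body:
            m = URL_RE.search(e.body)
            if m and not _host_expected(m.group(1)):
                findings.append(f"R0: start page points at unexpected host {m.group(1)}")
        elif e.kind == "R3" and "missing" in e.body:
            findings.append("R3: default URLSearchHook is missing (often deleted by hijackers)")
        elif e.kind == "O2" and (m := O2_RE.match(e.body)):
            if m["path"].endswith("(file missing)"):
                findings.append(f"O2: orphaned BHO '{m['name']}' -> {m['path']}")
            elif "program files" not in m["path"].lower():
                findings.append(f"O2: BHO '{m['name']}' loads from outside Program Files -> {m['path']}")
        elif e.kind == "O4" and (m := O4_RE.match(e.body)):
            if any(frag.lower() in m["target"].lower() for frag in SUSPICIOUS_DIR_FRAGMENTS):
                findings.append(f"O4: [{m['name']}] runs from an unusual directory -> {m['target']}")
            run_hives.setdefault(m["name"], set()).add(m["hive"])
        elif e.kind == "O15":
            m = URL_RE.search(e.body)
            if m and not _host_expected(m.group(1)):
                findings.append(f"O15: Trusted Zone grants relaxed security to {m.group(1)}")
    for name, hives in run_hives.items():
        if hives >= {"HKLM", "HKCU"}:
            findings.append(f"O4: [{name}] registered in both HKLM and HKCU (double persistence)")
    return findings


def removed_entries(before, after):
    """Entries present in `before` but absent from `after`, in original order."""
    after_set = set(after)
    return [e for e in before if e not in after_set]


# Constructed sample: a subset of the first (infected) log posted in the thread.
BEFORE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.coolsearch.biz/
R3 - Default URLSearchHook is missing
O2 - BHO: twaintecObj Class - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINNT\twaintec.dll
O2 - BHO: ie - {2FF5573C-0EB5-43db-A1B2-C4326813468E} - c:\winnt\iehr.dll (file missing)
O2 - BHO: HBO Class - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - C:\WINNT\system32\services\2.01.00.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [xpsystem] C:\WINNT\system32\services\msxmidi.exe
O4 - HKCU\..\Run: [xpsystem] C:\WINNT\system32\services\msxmidi.exe
O15 - Trusted Zone: http://*.us.abatos.com
O15 - Trusted Zone: http://*.sbt.siemens.com
"""
# Constructed sample: the same subset from the second log, after CWShredder and Ad-Aware.
AFTER_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://landscape.us.abatos.com/
R3 - Default URLSearchHook is missing
O2 - BHO: ie - {2FF5573C-0EB5-43db-A1B2-C4326813468E} - c:\winnt\iehr.dll (file missing)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O15 - Trusted Zone: http://*.us.abatos.com
O15 - Trusted Zone: http://*.sbt.siemens.com
"""

if __name__ == "__main__":
    before, after = parse_log(BEFORE_LOG), parse_log(AFTER_LOG)
    print("Findings in the first log:", *triage(before), sep="\n  ")
    print("Removed by the cleanup:", *(f"{e.kind} - {e.body}" for e in removed_entries(before, after)), sep="\n  ")
    print("Still to fix:", *triage(after), sep="\n  ")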
Logged

 
Pages: [1] Go Up Print 
 
Jump to:  

Powered by MySQL Powered by PHP

Powered by SMF 1.1.21 | SMF © 2015, Simple Machines

Valid XHTML 1.0! Valid CSS!

Disclaimer
This site is NOT responsible for any damage that the information on this site may cause to your system. Everything you try, whether inspired by the response given from this site or not, is entirely at your own risk. All product names and company names used herein are for identification purpose only and may be trademarks or registered trademarks of their respective owners. We are in no way affiliated or representing any of the companies on this site unless specified.
Back to Top
Stop Spam Harvesters, Join Project Honey Pot Fight Back Against Spammers! Get Firefox! Get Thunderbird! View Sylvain Amyots profile on LinkedIn
Back to Top
Google visited last this page March 31, 2018, 12:01:08 AM