Spyware - Coolwebsearch


Postby Toothpick on Wed Jun 30, 2004 4:28 pm

Toothpick
Forum Regular
 
Posts: 411
Joined: Sat Mar 13, 2004 2:48 pm
I don't have a clue how the fuck I've been infected with this. And well, frankly, I don't care; as soon as I am shot of it I'm changing browser.

I've tried everything.

Adware, with decent search and kill settings.
Search and destroy.
CoolWebShredder
Hijack this

All of them find fuck all. Or if they do find something and destroy it, it's right back there.

I have a constantly running process that's spying on me (hi there! I hate you!) and won't go away. It constantly changes names. I've got rid of some of it but the rest won't go away. It no longer fucks up my favorites and hijacks my browser, but it's still there, slowing down my PC.

Also when it starts up, 1 process loads, which I'm guessing results in another 10 or so loading until I run out of RAM, at which point they will all close. Names such as Nemo32, Akin32 or summat. It's all from those Russian cunts.

Running Win2k, all up to date now.

Log from HijackThis:

Logfile of HijackThis v1.98.0
Scan saved at 16:31:04, on 30/06/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\sdkzh32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\Program Files\Winamp5\winampa.exe
C:\WINDOWS\appdm32.exe
C:\WINDOWS\system32\internat.exe
C:\Program Files\Crazy Browser\Crazy Browser.exe
C:\Program Files\mIRC\mirc.exe
C:\Documents and Settings\Toothpick\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FBD7A3E5-5601-4992-2152-5DFA235095A9} - C:\WINDOWS\system32\netch32.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NetScroll] C:\Program Files\KYE\Genius NetScroll Optical Mouse Driver\gnetmous.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp5\winampa.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [System Process] C:\WINDOWS\system32\CSRSS.EXE /i
O4 - HKLM\..\Run: [appdm32.exe] C:\WINDOWS\appdm32.exe
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - (no file)

Help moi please.

Postby Toothpick on Wed Jun 30, 2004 4:33 pm

I know, well, can guess which ones from the log need to go.

O2 - BHO: (no name) - {FBD7A3E5-5601-4992-2152-5DFA235095A9} - C:\WINDOWS\system32\netch32.dll

is a defo.

O4 - HKLM\..\Run: [appdm32.exe] C:\WINDOWS\appdm32.exe

I dunno what the fuck that is, or the toolbar one.

I can delete them but they just come back.

This is seriously annoying.

Postby larchy on Wed Jun 30, 2004 5:30 pm

User avatar
larchy
Site Admin
R2 where are you?
 
Posts: 8756
Joined: Wed Sep 10, 2003 3:48 pm
Location: lalala I can't hear you
steamID: larchy
antispam1: Yes
orientation: Yes
Start>Run>regedit

HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>Current Version>Run, RunOnce and RunServices. Delete anything in the right hand pane under these keys that you don't want to load when Windows starts.

Also check in HKEY_CURRENT_USER\Software... etc...\RunOnce

Postby Toothpick on Wed Jun 30, 2004 10:53 pm

I'll take a good look tomorrow, just got in from work. I think everyone should check for this as it's fucking hard to get rid of, even worse if you leave it.

Just get Ad-aware with the newest definitions. Obv only applies to IE junkies.

Postby Defrag on Thu Jul 01, 2004 1:01 am

User avatar
Defrag
Forum Guru
I play Klingon boggle
 
Posts: 4122
Joined: Fri Nov 21, 2003 7:54 pm
Location: Scotland
Try running your spyware proggies in safe mode -- it can sometimes get rid of stuff that refuses to budge in normal mode.

Postby Toothpick on Thu Jul 01, 2004 7:48 am

This is fucked :/

It's running on startup without any mention in the registry that I can find. It doesn't (or didn't on this anyway) run all the crazy zillions this time, as I removed an entry from the reg.

Safe mode doesn't seem to work. Might be because of those zillions; I'll try it zillion free.

Why do I get the feeling its mocking me?

Postby Toothpick on Thu Jul 01, 2004 10:54 am

My thanks to both of you; between Ad-aware, safe mode, reg editing and HijackThis I managed to get it sorted.

For anyone else who gets this problem, here is the solution.

1) Set up Ad-aware correctly: click the cog, then turn on everything that adds more scans/detail to it.

2) Get HijackThis and delete anything that shouldn't be there.

3) Reg edit out anything like larchy said.

4) Make a note of what programs keep starting.

5) Boot up in safe mode. Scan for adware etc. and kill it off. HijackThis again.

6) Still in safe mode, go to the Windows folder (System32 for some variants), show all files, show hidden and show system, find the ones it refers to and forcibly delete them.

7) Last reg edits.

8) Congratulations.
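Step 2 ("delete anything that shouldn't be there") and step 4 ("note what keeps starting") are the triage a helper does by eye on a HijackThis log. As an added example, not a tool from this thread, the script below runs that triage over a subset of the log from the first post: it flags executables sitting directly in the Windows folder, an unnamed BHO, a Run entry naming a core system binary, and an orphaned protocol handler. The rule names and the allow-lists are my assumptions.

```python
import re
from pathlib import PureWindowsPath
# Constructed sample: a subset of the HijackThis log lines from the first post.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\sdkzh32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\appdm32.exe

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FBD7A3E5-5601-4992-2152-5DFA235095A9} - C:\WINDOWS\system32\netch32.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [System Process] C:\WINDOWS\system32\CSRSS.EXE /i
O4 - HKLM\..\Run: [appdm32.exe] C:\WINDOWS\appdm32.exe
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - (no file)
"""

# Core system binaries are started by smss/winlogon, never from a Run key.
SYSTEM_ONLY = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe"}
WINDOWS_ROOT_OK = {"explorer.exe"}  # the one exe that belongs directly in C:\WINDOWS

def in_windows_root(path):
    """True if the file sits directly in the Windows folder rather than a subfolder."""
    p = PureWindowsPath(path)
    return (len(p.parts) == 3 and p.parts[1].lower() == "windows"
            and p.name.lower() not in WINDOWS_ROOT_OK)

def triage(log_text):
    """Return (rule, line) pairs for log entries that deserve a closer look."""
    findings, in_procs = [], False
    for line in (raw.strip() for raw in log_text.splitlines()):
        if line == "Running processes:" or not line:
            in_procs = line != ""  # section starts at its header, ends at a blank line
        elif in_procs:
            if in_windows_root(line):
                findings.append(("process-in-windows-root", line))
        elif m := re.match(r"^(O\d+) - (.*)$", line):
            code, body = m.groups()
            if code == "O2" and body.startswith("BHO: (no name)"):
                findings.append(("unnamed-bho", line))
            elif code == "O4":  # body: HKLM\..\Run: [EntryName] C:\path\file.exe args
                exe = body.split("] ", 1)[1].split()[0]
                if PureWindowsPath(exe).name.lower() in SYSTEM_ONLY:
                    findings.append(("system-binary-in-run-key", line))
                elif in_windows_root(exe):
                    findings.append(("run-entry-in-windows-root", line))
            elif code == "O18" and body.endswith("(no file)"):
                findings.append(("orphaned-protocol-handler", line))
    return findings
```

Every entry it flags on this sample is one the thread ends up removing; on a real log the flags are a shortlist to check, not a verdict.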

Postby Klors on Thu Jul 01, 2004 1:02 pm

User avatar
Klors
Forum Guru
Would fuck the antichrist
 
Posts: 3971
Joined: Thu Feb 26, 2004 7:34 pm
Location: Lincoln, UK
The author of the CoolWebShredder has apparently given up developing his automated removal tool as it's getting beyond automated removal techniques.
http://www.theregister.co.uk/2004/06/29/cws_shredder/

How does IE manage to stay as most used browser?
http://www.theregister.co.uk/2004/06/30 ... re_attack/
Klors Trofobik

Postby larchy on Thu Jul 01, 2004 1:17 pm

Because people are ignorant. Most don't even realise IE is a program like any other; they think it's part of Windows (which is MS's fault really), and have no idea you can use other programs to view web pages.

Postby Klors on Thu Jul 01, 2004 1:26 pm

It was rhetorical really, but yeah you're probably right.
Klors Trofobik

Postby Refugee on Thu Jul 01, 2004 1:42 pm

User avatar
Refugee
Forum Case-Study
#bitter
 
Posts: 14706
Joined: Wed Sep 10, 2003 11:52 pm
Location: Manchester
Xbox Live: Refwah
Twitter: AndrewFairbairn
antispam1: Yes
orientation: No
larchy wrote: Because people are ignorant. Most don't even realise IE is a program like any other; they think it's part of Windows (which is MS's fault really), and have no idea you can use other programs to view web pages.

Yes. But people also think their monitor is their hard drive/PC/graphics card.

Postby Eric on Thu Jul 01, 2004 4:31 pm

User avatar
Eric
Forum Bicycle
 
Posts: 5556
Joined: Wed Sep 10, 2003 4:07 pm
Location: Sony Towers
antispam1: No
orientation: Yes
And some people happen to like IE :E

Hmph :P