Spyware - Coolwebsearch

by **Toothpick** on Wed Jun 30, 2004 4:28 pm

I dont have a clue how the fuck I've been infected with this. And well frankly I don't care as soon as I am shot of it Im changing browser.

I've tried everything.

Adware, with decent serach and kill settings.
Search and destroy.
CoolWebShredder
Hijack this

All of them find fuck all. Or if they do find something and destroy it, its right back there.

I have a constant running process thats spying on me (hi there! I hate you!) and wont go away. constantly changes names. I've got rid of some of it but the rest wont go away. It not longer fucks up my favorites and hijacks my browser but its still there. Slowing down my PC.

Also when it starts up, 1 process loads, which im guessing results in another 10 or so loading until I run out of ram, at which point they will all close. Names such as Nemo32 Akin32 or summat. Its all from those russian cunts.

Running win2k all up to date now.

Logs from hijack this.

Logfile of HijackThis v1.98.0
Scan saved at 16:31:04, on 30/06/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\sdkzh32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\Program Files\Winamp5\winampa.exe
C:\WINDOWS\appdm32.exe
C:\WINDOWS\system32\internat.exe
C:\Program Files\Crazy Browser\Crazy Browser.exe
C:\Program Files\mIRC\mirc.exe
C:\Documents and Settings\Toothpick\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FBD7A3E5-5601-4992-2152-5DFA235095A9} - C:\WINDOWS\system32\netch32.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NetScroll] C:\Program Files\KYE\Genius NetScroll Optical Mouse Driver\gnetmous.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp5\winampa.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [System Process] C:\WINDOWS\system32\CSRSS.EXE /i
O4 - HKLM\..\Run: [appdm32.exe] C:\WINDOWS\appdm32.exe
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - (no file)

Help moi please.

by **Toothpick** on Wed Jun 30, 2004 4:33 pm

I know, well can guess which ones from the log need to go.

O2 - BHO: (no name) - {FBD7A3E5-5601-4992-2152-5DFA235095A9} - C:\WINDOWS\system32\netch32.dll

Is a defo

O4 - HKLM\..\Run: [appdm32.exe] C:\WINDOWS\appdm32.exe I dunno what the fuck that is or the toolbar one.

I can delete them but they just come back.

This is seriously annoying.

by **larchy** on Wed Jun 30, 2004 5:30 pm

Start>Run>regedit

HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>Current Version>Run, RunOnce and RunServices. Delete anything in the right hand pane under these keys that you don't want to load when Windows starts.

Also check in HKEY_CURRENT_USER\Software... etc...\RunOnce

by **Toothpick** on Wed Jun 30, 2004 10:53 pm

I'll take a good look tommorow. just got in from work. I think everyone should check for this as its fucking hard to get rid of, even worse if you leave it.

Just get ad-ware with newest deifinition. Obv only applys to IE junkies.

by **Defrag** on Thu Jul 01, 2004 1:01 am

Try running your spyware proggies in safe mode -- it can sometimes get rid of stuff that refuses to budge in normal mode.

by **Toothpick** on Thu Jul 01, 2004 7:48 am

This is fucked :/

Its running on startup without any mention in the registory that I can find. It doesnt (or didnt on this anyway) run all the crazy zillions this time as I removed an entry from the reg.

Safe mode doesnt seem to work. Might be because of those zillions I try it zillion free.

Why do I get the feeling its mocking me?

by **Toothpick** on Thu Jul 01, 2004 10:54 am

My thanks to both of you, between adware, safe mode, reg editing and hijack this I managed to get it sorted.

For anyone else who gets this problem here is the solution.

1) Setup adware correctly, click the cog, then turn on everything that adds more scans\detail to it.

2) get hijack this and delete anythign that shouldnt be there.

3) Red edit out anything lick larch said

4) make a note of what programs keep starting.

5) boot up in safe mode. Scan for adware etc kill it off. Hijack this again

6) still in safe mode go to the windows folder (system 32 for some varients) show all files and show hidden and show system, find the ones it refers to and forcably delete them

7) last reg edits.

Congratualtions.

by **Klors** on Thu Jul 01, 2004 1:02 pm

The author of the CoolWebShredder has apparently given up developing his automated removal tool as it's getting beyond automated removal techniques.
http://www.theregister.co.uk/2004/06/29/cws_shredder/

How does IE manage to stay as most used browser?
http://www.theregister.co.uk/2004/06/30 ... re_attack/

by **larchy** on Thu Jul 01, 2004 1:17 pm

Because people are ignorant. Most don't even realise IE is a program like any other.. they think its part of Windows (which is MS's fault really), and have no idea you can use other programs to view web pages.

by **Klors** on Thu Jul 01, 2004 1:26 pm

It was rhetorical really, but yeah you're probably right.

by **Refugee** on Thu Jul 01, 2004 1:42 pm

larchy wrote:Because people are ignorant. Most don't even realise IE is a program like any other.. they think its part of Windows (which is MS's fault really), and have no idea you can use other programs to view web pages.

Yes. But people also think their monitor is their hard drive/pc/graphics card.

by **Eric** on Thu Jul 01, 2004 4:31 pm

And some people happen to like IE

Hmph

Spyware - Coolwebsearch

Spyware - Coolwebsearch

Who is online