Computing.Net > Forums > Windows 2000 > Browser Hijacked


Browser Hijacked


Name: bp463
Date: June 24, 2003 at 07:56:32 Pacific
OS: Windows 2000 Pro
CPU/Ram: 600/392
Comment:

Within the last 3 days, I visited a website that pushed a browser hijacker onto my machine. I use IE5.5 128 bit encryption with updates SP1 and Q321232.

After restart, the hijack takes me to "Cool Web Search" website. I've run "Hijack This" and included log file results below.

I have deleted the "http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%31%30%31" Registry entries several times to no avail as there seems to be something running which adds them back to the Registry.


Does anyone have a solution for this? Can someone please look at the log file below to see anything suspicious?


Thanks in advance,
Bill

Logfile of HijackThis v1.90.0
Scan saved at 10:45:25 AM, on 6/24/2003
Platform: Windows NT 5.00.2195
MSIE version: 5.50.4522.1800

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%31%30%31
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%63/%78%31%2e%63%67%69?%31%30%31
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%31%30%31
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://computing.net/windows2000/wwwboard/forum/47376.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%61/%78%31%2e%63%67%69?%31%30%31
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%31%30%31
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%31%30%31
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%31%30%31
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%31%30%31
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%31%30%31
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%31%30%31
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%31%30%31
O1 - Hosts: 1123694712 auto.search.msn.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\winnt\googletoolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\googletoolbar.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [ISSI EZUpdate Service] "c:\sdwork\issimsvc.exe"
O4 - HKLM\..\Run: [C4EBReg] "C:\Program Files\c4ebreg\c4ebreg.exe" /q
O4 - HKLM\..\Run: [ISAM SMT Service] "C:\Program Files\C4ebreg\isamsmt.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [stgclean] c:\sdwork\w32main2.exe /cleanup
O4 - HKLM\..\Run: [DNSRestore] "C:\PROGRA~1\AT&TNE~1\DNSRestore.exe" -R
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [defergui] c:\sdwork\defergui.exe
O4 - HKLM\..\Run: [sysPnP] C:\WINNT\System32\bootconf.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\WINNT\GoogleToolbar.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\WINNT\GoogleToolbar.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINNT\GoogleToolbar.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\WINNT\GoogleToolbar.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://C:\WINNT\GoogleToolbar.dll/cmtrans.html
O16 - DPF: IBM EA2000 - https://w3-1.ibm.com/tools/us/expenses/EA2000.cab
O16 - DPF: Sametime Meeting Room Client ST20 - https://d02db539.southbury.ibm.com/sametime/stmeetingroomclient/STMeetingRoomClient.cab
O16 - DPF: symsupportutil - https://www-secure.symantec.com/techsupp/activedata/symsupportutil.CAB
O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} (Support.com ActionRunner Class) - http://help.rr.com/Foundrysdccommon/download/tgctlar.cab
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - https://www-3.ibm.com/pc/support/access/sdccommon/download/tgctlins.cab
O16 - DPF: {0B9C9C7D-ED81-4594-AFCB-FC5588125382} (JNILoader Control) - https://d02db539.southbury.ibm.com/sametime/stmeetingroomclient/STJNILoader.cab
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://81.216.10.59/cult.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/319da5df71489d303b17/netzip/RdxIE601.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {68EA624F-619A-11D6-99CF-006094235084} (IbmEgathDetectCtl Class) - https://www-3.ibm.com/pc/support/access/sdccommon/download/IbmEgathDetect.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-3.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37733.4507986111
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} - http://pdf.forbes.com/forbesnews/triggernews/ForbesDownloaderSigned.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://sc.communities.msn.com/controls/chat/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{68A773F8-6B61-4680-8CDC-B13DF58478A6}: Domain = ibm.com
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754}




Response Number 1
Name: seawatch
Date: June 24, 2003 at 08:21:59 Pacific
Reply:

Run SpyBot and Ad Aware 6.0.

that should do it.

Larry



Response Number 2
Name: jc_strabo
Date: June 26, 2003 at 16:06:55 Pacific
Reply:

Hi, I have the exact same thing, and SpyBot and Ad Aware 6.0 don't work.

I have tried everything all day, followed the instructions on http://www.spywareinfo.com/articles/hijacked/ to no avail. I have 2 BHOs. One, winshow.dll, you don't have; the other is the Adobe help, which you have, but it is digitally signed. Anyway I disabled the former.

I noticed that bootconf.exe's date modified had been changed to sometime close to when the problem occurred, though I have no idea what it does.

I also noticed that sometimes, after I had cleared it in HijackThis, when I went online, one or two of the lines would return.

Anyway here is my log, which is much slimmer than yours.

I'll let you know if I find anything.
Jonathan


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title=Jonathans Explorer
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default)=http://www.searchv.com/search.php?qq=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINNT\System32\blank.htm
O1 - Hosts: 1123694712 auto.search.msn.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: WinShow module - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - C:\WINNT\winshow.dll (disabled by BHODemon)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PWSTray] PwsTray.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.exe TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [MOD] C:\Program Files\Microangelo\muamgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\NORTON~1\NORTON~3\npscheck.exe
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\QUICKENW\QAGENT.exe
O4 - HKLM\..\Run: [sysPnP] C:\WINNT\System32\bootconf.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Startup: Deskmenu.lnk = C:\WINNT\Deskmenu.exe
O4 - Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office 97\Office\MSOFFICE.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.exe
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Norton SystemWorks\Norton Antivirus NT\navapw32.exe
O4 - Global Startup: HPAiODevice(hp psc 900 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office 2000\Office\OSA9.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37501.1885416667
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O19 - User stylesheet: C:\WINNT\default.css



Response Number 3
Name: SpaceWaistor
Date: June 26, 2003 at 19:05:05 Pacific
Reply:

I don't know what bootconf.exe is for (I suspect nothing) but if you delete it (or move it somewhere else) IE won't get its URLs changed the next time you boot.

Here is what I did:
1. Move c:\windows\system 32\bootconf.exe to my desktop.
2. Go to HKLM\Software\Microsoft\Internet Explorer\ and change all URL references to http://www.google.com/
3. Reboot

and it appears to be gone.

If you have ?? Email me.



Response Number 4
Name: jc_strabo
Date: June 27, 2003 at 00:30:25 Pacific
Reply:

Oh what a beautiful morning....
I cleared the offending items with HijackThis and then double clicked bootconf.exe, and all the offending items reappeared. I renamed bootconf.exe and rebooted. First time nothing happened. Second time the system was clear. One gets the feeling there is something else up, because I was clearing in HijackThis, opening IE and then rescanning and finding a couple of the offending URLs had returned.

Anyway, CoolWWWSearch.com (which isn't a search at all) is registered to Jos Verhaak,
Midtermolen 492/69, Copenhagen, 2100 DK.

I am going to have the address checked out as this guy owes me.

good luck

Jonathan




Response Number 5
Name: FeAr
Date: June 29, 2003 at 06:35:54 Pacific
Reply:

I got the same problem. My browser first takes me to http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%61/%78%31%2e%63%67%69?%36%35%36%33%38%37%20%20about:blank , which redirects me to a site called youfindall or something like that.

No way to find the problem with Ad-Aware or SpyBot, and the worst thing is that now the system is VERY slowed down when I use IE; I practically can't use IE.
You got that problem too?






Response Number 6
Name: jc_strabo
Date: June 29, 2003 at 12:07:31 Pacific
Reply:

Hi

You need to remove the bootconf.exe from your windows directory.
There is another unidentified component which scans the downloaded pages and, if it comes across a particular phrase, opens up a porn pop-up. This is what is slowing you down.
Don't know what it is
Let me know if you find anything

Jonathan



Response Number 7
Name: lisa
Date: June 29, 2003 at 23:57:17 Pacific
Reply:

Hi

I've also fallen victim to this one and anything I type into a form types really slowly (that's happening right now as I type!). Almost like someone's watching everything I type. Will spybot help me? I've removed the bootconf file and changed the necessary pages in the registry, but things are still slow.



Response Number 8
Name: jc_strabo
Date: June 30, 2003 at 01:36:43 Pacific
Reply:

Hi,
this nice guy Tony from http://www.spywareinfo.com/forums/ emailed me about this, and the solution, which worked
See below:

"I found out he Winshow.dll is related to the Searchv.com hijacker we've been seeing a lot of recently.

I understand your frustration with the Coolwwwsearch hijacker. It's a tricky one, but fortunately we now know what's causing it and how to get rid of it:

Bootconf.exe is the culprit, but it also uses the default.css Custom Style Sheet for its hijack.
I'll use the Hijack This log you posted to help you clear it up.

In Hijack This, check, and have Hijack this fix all of the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default)=http://www.searchv.com/search.php?qq=%s

O1 - Hosts: 1123694712 auto.search.msn.com

O2 - BHO: WinShow module - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - C:\WINNT\winshow.dll (disabled by BHODemon)

O4 - HKLM\..\Run: [sysPnP] C:\WINNT\System32\bootconf.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O19 - User stylesheet: C:\WINNT\default.css

Now go to Internet Options > Programs tab, and press "Reset Web Settings"
Restart your computer, and delete:

C:\WINNT\System32\bootconf.exe
C:\WINNT\default.css

That will be the end of your hijack! :)"

Thanks Tony and good luck

Jonathan



Response Number 9
Name: TonyKlein
Date: June 30, 2003 at 01:47:01 Pacific
Reply:

You're welcome, Jonathan! :)

It all started when I happened upon this forum thread searching the web for information about the Winshow.dll Browser plugin I'd seen in another log.

I maintain a list of BHOs (which can be viewed here: http://www.spywareinfo.com/bhos/ ), and I'm always interested in adding new ones.

As you were so kind to send me a copy of the file, I figured that the least I could do is help you get rid of your hijack. ;)

Cheers, Tony



Response Number 10
Name: TonyKlein
Date: June 30, 2003 at 07:30:29 Pacific
Reply:

Lisa,

You also need to remove that default.css file from your Windows/Winnt folder.

It's responsible for your slowdown.

Read this:

http://www.spywareinfo.com/articles/datanotary/

Cheers, Tony



Response Number 11
Name: Cymry
Date: July 10, 2003 at 01:02:02 Pacific
Reply:

Tony and jc, your posts helped enormously with my problem. I also was having my browser hijacked any time I rebooted and any spyware program I used did not work. I downloaded the "Hijack This" program mentioned earlier and it helped with the cleanup process...finally I can work without the computer lagging any time I type; it was getting to the point where it affected system resources and was crashing the computer. I was considering reinstalling IE when I found this forum, thanks to all of you :)



Response Number 12
Name: yann
Date: July 23, 2003 at 18:30:32 Pacific
Reply:

Hello and, first of all, forgive my English since it's not my mother tongue.
I'm having problems with Google opening a Coolwebsearch popup since tonight and I cannot fix it following your instructions, since neither the bootconf.exe program nor the default.css file is present on my system.
I give you the log I get on HijackThis (sorry, it's big) :
Logfile of HijackThis v1.95.1
Scan saved at 02:59:57, on 24/07/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.exe
C:\WINDOWS\SYSTEM\MPREXE.exe
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\SA3DSRV.exe
C:\PROGRAM FILES\NORTON CLEANSWEEP\CSINJECT.exe
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.exe
C:\WINDOWS\SYSTEM\DDHELP.exe
C:\WINDOWS\EXPLORER.exe
C:\WINDOWS\TASKMON.exe
C:\WINDOWS\SYSTEM\SYSTRAY.exe
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.exe
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.exe
C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.exe
C:\WINDOWS\SYSTEM\STIMON.exe
C:\PROGRAM FILES\WEBWASHER\WWASHER.exe
C:\PROGRAM FILES\TURBONOTE\TBNOTE.exe
C:\WINDOWS\SYSTEM\WMIEXE.exe
C:\WINDOWS\SYSTEM\RNAAPP.exe
C:\WINDOWS\SYSTEM\TAPISRV.exe
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.exe
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.exe
C:\PROGRAM FILES\POWERDESK\PDEXPLO.exe
C:\MES DOCUMENTS\HIJACKTHIS.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=2c99&lc=040C&s=search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=2c99&lc=040C&s=search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=2c99&lc=040C&s=search
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://127.0.0.1:8080/proxyconf
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
F1 - win.ini: run=hpfsched
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Aureal A3D Interactive Audio Init] A3dInit.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRA~1\AVPERS~1\AVGCTRL.exe /min
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Aureal A3D Interactive Audio] sa3dsrv.exe
O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\PROGRA~1\NORTON~1\CSINJECT.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.exe -service
O4 - HKLM\..\RunServices: [minilog] C:\WINDOWS\SYSTEM\ZoneLabs\MINILOG.exe -service
O4 - HKCU\..\Run: [WebWasher] C:\PROGRAM FILES\WEBWASHER\WWASHER.exe
O4 - Startup: TurboNote.lnk = C:\Program Files\TurboNote\tbnote.exe
O4 - Startup: @llo.lnk = C:\Program Files\@llo\@llo.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O10 - Unknown file in Winsock LSP: c:\windows\system\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\msspi.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://geotoo.mkm-wpe.net/activex/AxisCamControl.ocx
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

If you can't help me, I think the only solution may be to format my hard drive, but I'm quite depressed since, as a translator, I work with Google a lot. :-(
Thanks A LOT for your help.



Response Number 13
Name: Run4
Date: July 24, 2003 at 18:56:12 Pacific
Reply:

Hi to all.
I got the same problem as yann. When I start a search at Google a site named "CoolWebSearch" opens. The address shown in the address bar is "http://www.unipages.cc/frame.php?param=%searchword%". When I close this window or leave the site a new window opens and wants to install "Free-Sex-xxxtoolbar".
The weird thing is that this doesn't happen if I call the Google page through the IP address (216.127.33.119 in this case). It only happens if I launch the Google page by typing www.google. .. in the address bar.

Neither the bootconf.exe nor the default.css is present on my comp.

Here is my HijackThis logfile:

Logfile of HijackThis v1.95.1
Scan saved at 03:23:14, on 25.07.03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.exe
C:\WINDOWS\SYSTEM\MPREXE.exe
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.exe
C:\WINDOWS\SYSTEM\SYSTRAY.exe
C:\WINDOWS\TASKMON.exe
C:\WINDOWS\SYSTEM\DDHELP.exe
C:\WINDOWS\SYSTEM\RNAAPP.exe
C:\WINDOWS\SYSTEM\TAPISRV.exe
C:\TOOLS\SPYBOT - SEARCH & DESTROY\SPYBOTSD.exe
C:\PROGRAMME\INTERNET EXPLORER\IEXPLORE.exe
C:\PROGRAMME\INTERNET EXPLORER\IEXPLORE.exe
C:\DOWNLOADS\HIJACKTHIS.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\Scanregw.exe /autorun
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.exe TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\RunServices: [RNBOStart] C:\WINDOWS\SYSTEM\RNBOSENT\SENTSTRT.exe
O4 - HKLM\..\RunServices: [Tweak UI] RUNDLL32.exe TWEAKUI.CPL,TweakLogon
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - User Startup: Adobe Gamma Loader.exe.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O10 - Unknown file in Winsock LSP: c:\windows\system\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\msspi.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .tga: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll


Would be very pleased if someone has any ideas to fix this. Sorry for my bad English.

Thx
Damn


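A triage helper for the HijackThis logs posted in this thread, added here as an example (it is not HijackThis code or anything from the posters). It percent-decodes the obfuscated search URLs from the first post, converts the decimal IP in the O1 hosts entry to dotted form, flags the items Tony's fix list names (the sysPnP Run entry loading bootconf.exe, the WinShow BHO, the hosts redirect, the IE policy restrictions, the default.css user stylesheet), and counts the repeated unknown Winsock LSP file from the later Windows 98 logs. The indicator sets and the sample lines are taken from the thread; the script's structure is my own assumption.

```python
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Constructed sample: lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%31%30%31
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.google.fr/
O1 - Hosts: 1123694712 auto.search.msn.com
O2 - BHO: WinShow module - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - C:\WINNT\winshow.dll (disabled by BHODemon)
O4 - HKLM\..\Run: [sysPnP] C:\WINNT\System32\bootconf.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O10 - Unknown file in Winsock LSP: c:\windows\system\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\msspi.dll
O19 - User stylesheet: C:\WINNT\default.css
"""

# Indicators named in the thread: the hijacker hosts, and the autostart and BHO
# file names in Tony's fix list. Everything else below is generic log parsing.
HIJACK_HOSTS = {"www.coolwwwsearch.com", "www.searchv.com"}
BAD_AUTORUNS = {"bootconf.exe"}
BAD_BHOS = {"winshow.dll"}

LINE_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.+)$")
RUN_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")


def decode_url(url):
    """Percent-decode a URL so an obfuscated host like %77%77%77%2e... becomes readable."""
    return unquote(url.strip())


def decimal_ip_to_dotted(value):
    """Convert the 32-bit decimal IP form used in the O1 hosts entry to dotted quad."""
    n = int(value)
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def image_name(cmd):
    """Executable file name from a Run value, handling quoted paths and arguments."""
    cmd = cmd.strip()
    exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else (cmd.split() or [""])[0]
    return re.split(r"[\\/]", exe)[-1].lower()


def triage(log_text):
    """Return (section, detail) findings for the suspicious lines of a HijackThis log."""
    findings = []
    lsp_files = Counter()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec in ("R0", "R1") and "=" in body:
            # IE start/search URLs: decode before comparing, the hijacker hides the host
            key, url = body.split("=", 1)
            decoded = decode_url(url)
            host = (urlsplit(decoded).hostname or "").lower()
            if host in HIJACK_HOSTS:
                findings.append((sec, f"{key.strip()} -> {host} (decoded: {decoded})"))
        elif sec == "O1":
            # "Hosts: <decimal ip> <name>": the hosts file repoints IE's auto-search domain
            parts = body.split()
            if len(parts) >= 3 and parts[1].isdigit():
                findings.append((sec, f"hosts maps {parts[2]} to {decimal_ip_to_dotted(parts[1])}"))
        elif sec == "O2":
            # BHO line ends with the DLL path, possibly followed by "(disabled by ...)"
            dll = re.split(r"[\\/]", body.split(" - ")[-1].split(" (")[0])[-1].lower()
            if dll in BAD_BHOS:
                findings.append((sec, f"known hijacker BHO {dll}"))
        elif sec == "O4":
            rm = RUN_RE.search(body)
            if rm and image_name(rm.group("cmd")) in BAD_AUTORUNS:
                findings.append((sec, f"autostart [{rm.group('name')}] runs {rm.group('cmd')}"))
        elif sec == "O6":
            # Policy keys that lock the user out of IE options are a hijacker hallmark
            findings.append((sec, f"IE policy present: {body}"))
        elif sec == "O10":
            lsp_files[body.split(":", 1)[1].strip().lower()] += 1
        elif sec == "O19":
            findings.append((sec, f"user stylesheet {body.split(':', 1)[1].strip()}"))
    for path, count in lsp_files.items():
        findings.append(("O10", f"unknown Winsock LSP {path} appears {count} times"))
    return findings
```

Run `triage(SAMPLE_LOG)` on the sample, or on a saved log file's contents, and each finding maps to one line to check in HijackThis.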

Response Number 14
Name: Yann
Date: July 25, 2003 at 04:27:37 Pacific
Reply:

Hi,
I finally reformatted my hard drive. I think there's a problem with the msspi.dll file since I can't find it with HijackThis now. I tried to fix it with HijackThis before reformatting but it didn't change anything. I also tried to suppress the file but, then, I couldn't surf anymore...
I called the French Google but they didn't know they were being hijacked...
Good luck to Run4 and to all who have this problem!
:-/



Response Number 15
Name: Run4
Date: July 25, 2003 at 11:22:52 Pacific
Reply:

Arggh.

I made a mistake in the post before:

The www.google.de IP address is 216.239.39.99!

The other IP is the IP shown by my firewall when the CoolWebSearch site opens (216.127.33.119).



