
coolwwwsearch driving me insane, hijack this logs + spybot logs

Discussion in 'Virus & Other Malware Removal' started by Rfouche, May 19, 2004.

Thread Status:
Not open for further replies.
  1. Rfouche

    Rfouche Thread Starter

    Joined:
    May 19, 2004
    Messages:
    1
    I can't get rid of it; every time I restart my computer and run Spybot, there it is, laughing at me. Also, 1) my homepage is constantly reset to: res://mshp.dll/index.html, which seems to download the "mshp.dll" to my WINNT file, 2) my ability to change IE's internet options is disabled and 3) my add/remove software program will not appear when I try to access it. I'm at the end of my rope. If anyone can help me out, it would be much appreciated.


    I'm currently using Windows 2000, with a recently updated IE 6.0.2800.1106

    Spybot log before "problems fixed" :

    Avenue A, Inc.: Tracking cookie or cookie of tracking site (File, nothing done)
    C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt

    Commission Junction: Tracking cookie or cookie of tracking site (File, nothing done)
    C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt

    CoolWWWSearch.008k: Browser helper object (Registry key, nothing done)
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{FD9BC004-8331-4457-B830-4759FF704C22}

    CoolWWWSearch.008k: Browser helper object (Registry key, nothing done)
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{587DBF2D-9145-4c9e-92C2-1F953DA73773}

    CoolWWWSearch.008k: Class (Registry key, nothing done)
    HKEY_CLASSES_ROOT\iefeatsl.ViewSource.1

    CoolWWWSearch.008k: Class (Registry key, nothing done)
    HKEY_CLASSES_ROOT\SearchHook.SearchHookObject

    CoolWWWSearch.008k: Class (Registry key, nothing done)
    HKEY_CLASSES_ROOT\SearchHook.SearchHookObject.1

    CoolWWWSearch.008k: Class (Registry key, nothing done)
    HKEY_CLASSES_ROOT\iefeatsl.ViewSource

    CoolWWWSearch.008k: Class ID (Registry key, nothing done)
    HKEY_CLASSES_ROOT\CLSID\{FD9BC004-8331-4457-B830-4759FF704C22}

    CoolWWWSearch.008k: Class ID (Registry key, nothing done)
    HKEY_CLASSES_ROOT\CLSID\{587DBF2D-9145-4c9e-92C2-1F953DA73773}

    CoolWWWSearch.008k: Explorer settings (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-299502267-789336058-1060284298-500\Software\Microsoft\Windows\CurrentVersion\Explorer\{FD9BC004-8331-4457-B830-4759FF704C22}

    CoolWWWSearch.008k: Explorer settings (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-299502267-789336058-1060284298-500\Software\Microsoft\Windows\CurrentVersion\Explorer\{587DBF2D-9145-4c9e-92C2-1F953DA73773}

    CoolWWWSearch.008k: Global settings (Registry key, nothing done)
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\{FD9BC004-8331-4457-B830-4759FF704C22}

    CoolWWWSearch.008k: Typelib (Registry key, nothing done)
    HKEY_CLASSES_ROOT\Typelib\{2C671705-77A7-4592-A484-545087ED9EE8}

    CoolWWWSearch.008k: Typelib (Registry key, nothing done)
    HKEY_CLASSES_ROOT\Typelib\{58510DE5-7C2E-45fc-ADBC-5EF6BCEA5ACB}

    CoolWWWSearch.008k: URL Search Hook (Registry value, nothing done)
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\URLSearchHooks\{FD9BC004-8331-4457-B830-4759FF704C22}

    CoolWWWSearch.mshp: IE Default page (Registry change, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Page_URL=about:blank

    CoolWWWSearch.mshp: IE Start page (Registry change, nothing done)
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page=about:blank

    CoolWWWSearch.mshp: IE Start page (Registry change, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page=about:blank


    --- Spybot-S&D version: 1.2 ---
    2003-03-16 Includes\Temporary.sbi
    2003-03-16 Includes\plugin-ignore.ini
    2004-02-26 Includes\Cookies.sbi
    2004-02-29 Includes\Dialer.sbi
    2004-02-29 Includes\Hijackers.sbi
    2004-02-26 Includes\Keyloggers.sbi
    2004-02-29 Includes\Malware.sbi
    2004-02-26 Includes\Security.sbi
    2004-02-29 Includes\Spybots.sbi
    2004-02-29 Includes\Trojans.sbi
    2004-02-26 Includes\Tracks.uti
    2004-03-09 Includes\Revision.sbi

    and after:

    Avenue A, Inc.: Tracking cookie or cookie of tracking site (File, fixed)
    C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt

    Commission Junction: Tracking cookie or cookie of tracking site (File, fixed)
    C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt

    CoolWWWSearch.008k: Browser helper object (Registry key, fixed)
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{FD9BC004-8331-4457-B830-4759FF704C22}

    CoolWWWSearch.008k: Browser helper object (Registry key, fixed)
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{587DBF2D-9145-4c9e-92C2-1F953DA73773}

    CoolWWWSearch.008k: Class (Registry key, fixed)
    HKEY_CLASSES_ROOT\iefeatsl.ViewSource.1

    CoolWWWSearch.008k: Class (Registry key, fixed)
    HKEY_CLASSES_ROOT\SearchHook.SearchHookObject

    CoolWWWSearch.008k: Class (Registry key, fixed)
    HKEY_CLASSES_ROOT\SearchHook.SearchHookObject.1

    CoolWWWSearch.008k: Class (Registry key, fixed)
    HKEY_CLASSES_ROOT\iefeatsl.ViewSource

    CoolWWWSearch.008k: Class ID (Registry key, fixed)
    HKEY_CLASSES_ROOT\CLSID\{FD9BC004-8331-4457-B830-4759FF704C22}

    CoolWWWSearch.008k: Class ID (Registry key, fixed)
    HKEY_CLASSES_ROOT\CLSID\{587DBF2D-9145-4c9e-92C2-1F953DA73773}

    CoolWWWSearch.008k: Explorer settings (Registry key, fixed)
    HKEY_USERS\S-1-5-21-299502267-789336058-1060284298-500\Software\Microsoft\Windows\CurrentVersion\Explorer\{FD9BC004-8331-4457-B830-4759FF704C22}

    CoolWWWSearch.008k: Explorer settings (Registry key, fixed)
    HKEY_USERS\S-1-5-21-299502267-789336058-1060284298-500\Software\Microsoft\Windows\CurrentVersion\Explorer\{587DBF2D-9145-4c9e-92C2-1F953DA73773}

    CoolWWWSearch.008k: Global settings (Registry key, fixed)
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\{FD9BC004-8331-4457-B830-4759FF704C22}

    CoolWWWSearch.008k: Typelib (Registry key, fixing failed)
    HKEY_CLASSES_ROOT\Typelib\{2C671705-77A7-4592-A484-545087ED9EE8}

    CoolWWWSearch.008k: Typelib (Registry key, fixing failed)
    HKEY_CLASSES_ROOT\Typelib\{58510DE5-7C2E-45fc-ADBC-5EF6BCEA5ACB}


    CoolWWWSearch.008k: URL Search Hook (Registry value, fixed)
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\URLSearchHooks\{FD9BC004-8331-4457-B830-4759FF704C22}

    CoolWWWSearch.mshp: IE Default page (Registry change, fixed)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Page_URL=about:blank

    CoolWWWSearch.mshp: IE Start page (Registry change, fixed)
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page=about:blank

    CoolWWWSearch.mshp: IE Start page (Registry change, fixed)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page=about:blank


    --- Spybot-S&D version: 1.2 ---
    2003-03-16 Includes\Temporary.sbi
    2003-03-16 Includes\plugin-ignore.ini
    2004-02-26 Includes\Cookies.sbi
    2004-02-29 Includes\Dialer.sbi
    2004-02-29 Includes\Hijackers.sbi
    2004-02-26 Includes\Keyloggers.sbi
    2004-02-29 Includes\Malware.sbi
    2004-02-26 Includes\Security.sbi
    2004-02-29 Includes\Spybots.sbi
    2004-02-29 Includes\Trojans.sbi
    2004-02-26 Includes\Tracks.uti
    2004-03-09 Includes\Revision.sbi


    The same two files are repeatedly not able to be fixed, but if searched for again by Spybot, do not appear.


    HijackThis log (after Spybot's "cleaning"):

    Logfile of HijackThis v1.97.7
    Scan saved at 12:58:39 AM, on 5/19/2004
    Platform: Windows 2000 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\System32\Ati2evxx.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\drivers\svchost.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\Ati2evxx.exe
    C:\WINNT\Explorer.exe
    C:\Program Files\Winamp\Winampa.exe
    D:\Program Files\QuickTime\qttask.exe
    C:\WINNT\system32\cmd.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINNT\system32\NOTEPAD.EXE
    C:\WINNT\System32\mshta.exe
    D:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Documents and Settings\Administrator\Local Settings\Temp\Rar$EX00.462\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#37049
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://mshp.dll/sp.html#37049
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com*
    O1 - Hosts file is located at: C:\WINNT\nsdb\hosts
    O1 - Hosts: 81.211.105.69 lender-search.com
    O1 - Hosts: 81.211.105.68 hot-searches.com
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
    O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
    O2 - BHO: ShowSearch module - {E2DDF680-9905-4dee-8C64-0A5DE7FE133C} - C:\WINNT\msta\mssearch.dll
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O3 - Toolbar: Dogpile Toolbar - {5E92F538-B50B-46C5-9C5F-C6EECED3F6C6} - C:\Program Files\DogpileToolbar\ultrabar.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
    O4 - HKLM\..\Run: [msci] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\20041616810_mcinfo.exe /insfin
    O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Image] rundll32 C:\WINNT\image.dll,Install
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKCU\..\RunServices: [Image] rundll32 C:\WINNT\image.dll,Install
    O4 - HKLM\..\RunOnce: [SpyBotSnD] "D:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Dogpile Cursor Search - C:\Documents and Settings\All Users\Application Data\Infospace\DogpileToolbar\contextsearch.htm
    O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
    O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
    O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
    O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Microsoft® JavaScript® Console (HKCU)
    O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)
    O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.netpaloffers.net/NetpalOffers/DMO1/emCraft1.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/01674eb1257274e9d903/netzip/RdxIE601.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37947.7983333333
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4358/mcfscan.cab
    O16 - DPF: {F5078F32-C551-11D3-89B9-0000F81FE221} - http://a1040.g.akamai.net/f/1040/759/1h/pic.infospace.com/info.dogpl/tbar/download/msxml3.cab

    Again, thanks in advance to anyone willing to tackle my problem.
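
A triage pass over the HijackThis log in the post above, as an added example that is not part of the original thread: it parses the `Rn`/`On` entry format and the running-process list and tags lines that match a few heuristics. The rule set and tag names are this example's own assumptions, not HijackThis output; a tag marks a line for closer review and is not a verdict.

```python
import re

# Lines copied from the HijackThis log in the post above (a subset).
SAMPLE_LOG = r"""
Running processes:
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\drivers\svchost.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#37049
O1 - Hosts file is located at: C:\WINNT\nsdb\hosts
O1 - Hosts: 81.211.105.69 lender-search.com
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\20041616810_mcinfo.exe /insfin
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")       # section code, then the entry body
DEFAULT_HOSTS = "\\system32\\drivers\\etc\\hosts"   # stock location under the Windows directory

def classify(code, body):
    """Heuristic tag for one HijackThis entry, or None (rules are this example's own)."""
    low = body.lower()
    if code.startswith("R") and "res://" in low:
        return "res-url-ie-setting"       # IE page setting served from a DLL resource
    if code == "O1" and low.startswith("hosts file is located at:"):
        return None if low.endswith(DEFAULT_HOSTS) else "hosts-relocated"
    if code == "O1" and low.startswith("hosts:"):
        fields = low.split()[1:]          # [ip, hostname]
        return "hosts-redirect" if len(fields) == 2 and fields[1] != "localhost" else None
    if code in ("O2", "O3") and low.endswith("(no file)"):
        return "orphaned-ie-addon"        # registry entry whose DLL is missing
    if code == "O4" and "\\temp\\" in low:
        return "autorun-from-temp"        # autostart launched from a Temp directory
    return "ie-restrictions-policy" if code == "O6" else None

def triage(log):
    """Return [(tag, line)] for each line of a HijackThis log that matches a rule."""
    findings, in_procs = [], False
    for line in (raw.strip() for raw in log.splitlines()):
        m = ENTRY.match(line)
        if line.lower() == "running processes:":
            in_procs = True
        elif m:
            in_procs = False
            tag = classify(*m.groups())
            if tag:
                findings.append((tag, line))
        elif in_procs and re.search(r"(?<!\\system32)\\svchost\.exe$", line, re.I):
            findings.append(("svchost-path", line))  # svchost.exe belongs in <windir>\system32
    return findings

if __name__ == "__main__":
    for tag, line in triage(SAMPLE_LOG):
        print(f"{tag:24}{line}")
```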
     
  2. Styxx

    Styxx Banned

    Joined:
    Sep 8, 2001
    Messages:
    4,888
    Get, install, update and run free Ad-aware (and its HexDump plug-in) from http://www.lavasoftusa.com/software/adaware/

    First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files.

    Make sure the following settings are made and on -------ON=GREEN

    From main window: Click Start, then Activate in-depth scan (recommended)

    Click 'Use Custom Scanning Options', then click 'Customize' and have these options selected: Under Drives and Folders put a check by Scan Within Archives and below that under Memory and Registry put a check by all the options there.

    Now click on the Tweak button in that same window. Under Scanning engine select: Unload recognized processes during scanning and under Cleaning Engine select: Let windows remove files in use at next reboot

    Click proceed to save your settings.

    Now to scan just click the Next button.

    When the scan is finished, mark everything for removal and get rid of it. (Right-click the window and choose select all from the drop down menu and click Next)

    Restart your computer.
     
  3. FinestRanger

    FinestRanger

    Joined:
    Oct 13, 2003
    Messages:
    2,367
    I'm not a HJT log analyzer, but try running CWShredder:

    http://www.spywareinfo.com/~merijn/downloads.html

    Under "Official Downloads" download "CWShredder"

    Unzip the program to a permanent folder of your choosing. Close ALL browser windows and click "FIX".

    Restart your computer and post another HJT log.
     
  4. Styxx

    Styxx Banned

    Joined:
    Sep 8, 2001
    Messages:
    4,888
    Click the below colored link to do an online Scumware scan. In your Add/Remove Programs control panel remove any items referring to Search, toolbar, web media etc. If you need help deciding what to remove, type in the entries in a post here.

    http://www.extremetech.com/article2/0,3973,1224361,00.asp
     
  5. tombrend

    tombrend

    Joined:
    May 29, 2004
    Messages:
    1
    NOTE: emcraft1.cab is spyware
     