Hello everone.
My computer just got hit with the coolweb trojan. So far I've run spybot, adware, bazooka, cwshredder and nothing seems to work.
Can someone please take a look at my hijack log and help me out.
Thanks to all who reply.
Rafael
Logfile of HijackThis v1.97.7
Scan saved at 12:33:14 PM, on 4/7/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\COMPAQ\CPQINET\CPQINET.EXE
C:\PROGRAM FILES\COMPAQ\DIGITAL DASHBOARD\DEVGULP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\CPQS\BWTOOLS\SCCENTER.EXE
C:\WINDOWS\PCTVOICE.EXE
C:\WINDOWS\SYSTEM\E_S10IC2.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\NETZERO\EXEC.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\6AHBY3FF.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE
O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.exe
O4 - HKLM\..\Run: [Digital Dashboard] C:\Program Files\Compaq\Digital Dashboard\DevGulp.exe
O4 - HKLM\..\Run: [Service Connection] c:\cpqs\bwtools\sccenter.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [EPSON Stylus CX5200] C:\WINDOWS\SYSTEM\E_S10IC2.EXE /P19 "EPSON Stylus CX5200" /O7 "EPUSB1:" /M "Stylus CX5200"
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\Run: [6AHBY3FF.EXE] C:\WINDOWS\6AHBY3FF.EXE /dk
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [uoltray] C:\PROGRAM FILES\NETZERO\EXEC.EXE regrun
O4 - HKCU\..\Run: [6AHBY3FF.EXE] C:\WINDOWS\6AHBY3FF.EXE /dk
O4 - HKLM\..\RunOnce: [SpyBotSnD] "C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\SPYBOTSD.EXE" /autocheck
O4 - Startup: QN2CKC6J.lnk = C:\WINDOWS\qn2ckc6j.exe
O4 - Startup: BOVYP0DU.lnk = C:\WINDOWS\bovyp0du.exe
O4 - Startup: 294L01Q8.lnk = C:\WINDOWS\294l01q8.exe
O4 - Startup: 6BBLCPH3.lnk = C:\WINDOWS\6bblcph3.exe
O4 - Startup: 0E1E2833.lnk = C:\WINDOWS\0e1e2833.exe
O4 - Startup: 71PWFHUA.lnk = C:\WINDOWS\71pwfhua.exe
O4 - Startup: 6YU6CNCF.lnk = C:\WINDOWS\6yu6cncf.exe
O4 - Startup: 6AHBY3FF.lnk = C:\WINDOWS\6ahby3ff.exe
O4 - Startup: IA02HTW2.lnk = C:\WINDOWS\ia02htw2.exe
O4 - Startup: VYLQ5OEE.lnk = C:\WINDOWS\vylq5oee.exe
O4 - Startup: 5NO3RRZG.lnk = C:\WINDOWS\5no3rrzg.exe
O4 - Startup: Y2J7G4Y4.lnk = C:\WINDOWS\y2j7g4y4.exe
O4 - Startup: 9UE1R90V.lnk = C:\WINDOWS\9ue1r90v.exe
O4 - Global Startup: QN2CKC6J.lnk = C:\WINDOWS\qn2ckc6j.exe
O4 - Global Startup: BOVYP0DU.lnk = C:\WINDOWS\bovyp0du.exe
O4 - Global Startup: 294L01Q8.lnk = C:\WINDOWS\294l01q8.exe
O4 - Global Startup: 6BBLCPH3.lnk = C:\WINDOWS\6bblcph3.exe
O4 - Global Startup: 0E1E2833.lnk = C:\WINDOWS\0e1e2833.exe
O4 - Global Startup: 71PWFHUA.lnk = C:\WINDOWS\71pwfhua.exe
O4 - Global Startup: 6YU6CNCF.lnk = C:\WINDOWS\6yu6cncf.exe
O4 - Global Startup: 6AHBY3FF.lnk = C:\WINDOWS\6ahby3ff.exe
O4 - Global Startup: L1H601L0.lnk = C:\WINDOWS\l1h601l0.exe
O4 - Global Startup: IA02HTW2.lnk = C:\WINDOWS\ia02htw2.exe
O4 - Global Startup: VYLQ5OEE.lnk = C:\WINDOWS\vylq5oee.exe
O4 - Global Startup: 5NO3RRZG.lnk = C:\WINDOWS\5no3rrzg.exe
O4 - Global Startup: Y2J7G4Y4.lnk = C:\WINDOWS\y2j7g4y4.exe
O4 - Global Startup: 9UE1R90V.lnk = C:\WINDOWS\9ue1r90v.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: Translate (HKLM)
O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
O9 - Extra 'Tools' menuitem: AV Live (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .wav: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npaudio.dll
O12 - Plugin for .SWF: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npswf32.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {50F65670-1729-11D2-A51F-0020AFE5D502} (ForumChat) - http://forumchat.compuserve.com/applets/RTCChat.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38083.8697685185
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/7d90ae05585062/housecall.antivirus.com/housecall/xscan53.cab
My computer just got hit with the coolweb trojan. So far I've run spybot, adware, bazooka, cwshredder and nothing seems to work.
Can someone please take a look at my hijack log and help me out.
Thanks to all who reply.
Rafael
Logfile of HijackThis v1.97.7
Scan saved at 12:33:14 PM, on 4/7/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\COMPAQ\CPQINET\CPQINET.EXE
C:\PROGRAM FILES\COMPAQ\DIGITAL DASHBOARD\DEVGULP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\CPQS\BWTOOLS\SCCENTER.EXE
C:\WINDOWS\PCTVOICE.EXE
C:\WINDOWS\SYSTEM\E_S10IC2.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\NETZERO\EXEC.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\6AHBY3FF.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE
O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.exe
O4 - HKLM\..\Run: [Digital Dashboard] C:\Program Files\Compaq\Digital Dashboard\DevGulp.exe
O4 - HKLM\..\Run: [Service Connection] c:\cpqs\bwtools\sccenter.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [EPSON Stylus CX5200] C:\WINDOWS\SYSTEM\E_S10IC2.EXE /P19 "EPSON Stylus CX5200" /O7 "EPUSB1:" /M "Stylus CX5200"
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\Run: [6AHBY3FF.EXE] C:\WINDOWS\6AHBY3FF.EXE /dk
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [uoltray] C:\PROGRAM FILES\NETZERO\EXEC.EXE regrun
O4 - HKCU\..\Run: [6AHBY3FF.EXE] C:\WINDOWS\6AHBY3FF.EXE /dk
O4 - HKLM\..\RunOnce: [SpyBotSnD] "C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\SPYBOTSD.EXE" /autocheck
O4 - Startup: QN2CKC6J.lnk = C:\WINDOWS\qn2ckc6j.exe
O4 - Startup: BOVYP0DU.lnk = C:\WINDOWS\bovyp0du.exe
O4 - Startup: 294L01Q8.lnk = C:\WINDOWS\294l01q8.exe
O4 - Startup: 6BBLCPH3.lnk = C:\WINDOWS\6bblcph3.exe
O4 - Startup: 0E1E2833.lnk = C:\WINDOWS\0e1e2833.exe
O4 - Startup: 71PWFHUA.lnk = C:\WINDOWS\71pwfhua.exe
O4 - Startup: 6YU6CNCF.lnk = C:\WINDOWS\6yu6cncf.exe
O4 - Startup: 6AHBY3FF.lnk = C:\WINDOWS\6ahby3ff.exe
O4 - Startup: IA02HTW2.lnk = C:\WINDOWS\ia02htw2.exe
O4 - Startup: VYLQ5OEE.lnk = C:\WINDOWS\vylq5oee.exe
O4 - Startup: 5NO3RRZG.lnk = C:\WINDOWS\5no3rrzg.exe
O4 - Startup: Y2J7G4Y4.lnk = C:\WINDOWS\y2j7g4y4.exe
O4 - Startup: 9UE1R90V.lnk = C:\WINDOWS\9ue1r90v.exe
O4 - Global Startup: QN2CKC6J.lnk = C:\WINDOWS\qn2ckc6j.exe
O4 - Global Startup: BOVYP0DU.lnk = C:\WINDOWS\bovyp0du.exe
O4 - Global Startup: 294L01Q8.lnk = C:\WINDOWS\294l01q8.exe
O4 - Global Startup: 6BBLCPH3.lnk = C:\WINDOWS\6bblcph3.exe
O4 - Global Startup: 0E1E2833.lnk = C:\WINDOWS\0e1e2833.exe
O4 - Global Startup: 71PWFHUA.lnk = C:\WINDOWS\71pwfhua.exe
O4 - Global Startup: 6YU6CNCF.lnk = C:\WINDOWS\6yu6cncf.exe
O4 - Global Startup: 6AHBY3FF.lnk = C:\WINDOWS\6ahby3ff.exe
O4 - Global Startup: L1H601L0.lnk = C:\WINDOWS\l1h601l0.exe
O4 - Global Startup: IA02HTW2.lnk = C:\WINDOWS\ia02htw2.exe
O4 - Global Startup: VYLQ5OEE.lnk = C:\WINDOWS\vylq5oee.exe
O4 - Global Startup: 5NO3RRZG.lnk = C:\WINDOWS\5no3rrzg.exe
O4 - Global Startup: Y2J7G4Y4.lnk = C:\WINDOWS\y2j7g4y4.exe
O4 - Global Startup: 9UE1R90V.lnk = C:\WINDOWS\9ue1r90v.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: Translate (HKLM)
O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
O9 - Extra 'Tools' menuitem: AV Live (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .wav: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npaudio.dll
O12 - Plugin for .SWF: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npswf32.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {50F65670-1729-11D2-A51F-0020AFE5D502} (ForumChat) - http://forumchat.compuserve.com/applets/RTCChat.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38083.8697685185
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/7d90ae05585062/housecall.antivirus.com/housecall/xscan53.cab