
1.3K Posts

June 23rd, 2004 05:00

look at this page.. there is a coolwebsearch remover, "cwshredder", and there is also a program to solve a problem if you cannot get the coolwebsearch removal program (cwshredder) to work..

http://www.spywareinfo.com/~merijn/downloads.html

(scroll down the page for the actual downloads)

note that this is the same author of hijackthis..

Message Edited by redwolfe_98 on 06-23-2004 09:26 AM

3.4K Posts

June 23rd, 2004 05:00

Try this...this has been a nasty exploit...not sure this will work, but worth a try:


Close all windows except HijackThis and scan, check and after getting them all checked fix check these lines.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\lchan6\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\lchan6\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\lchan6\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\lchan6\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\lchan6\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\lchan6\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;localhost;
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {A7C15BE6-1EC0-49CC-86A0-2FFB0D5934AA} - C:\WINNT\System32\ocolp.dll
Comments:
If you have rebooted since you posted, this may now be a different .dll file...but it will be in the same location and have a weird name like this one.

After fixing, exit Hijackthis.

Next...Download and install APM from: http://www.diamondcs.com.au/index.php?page=apm

Run APM:

In the upper window select explorer.exe
In the lower window find and rightclick the BHO from the HijackThis log
Select Unload DLL and click OK on the prompts that follow.

Reboot and scan with AdAware to remove the txt and html protocol association.


HTH,


Texruss
www.russelltexas.com
Spyware Fighter Wilders Forum
Slyware Warrior Tom Coyote Forum
Expert Malware Responder Dell Forum


Please be aware only the following DellForum members were trained at
TomCoyote.com and SpywareInfo.com to help with Hijackthis logs: Texruss,
Baskar1234, Grinler, ChrisRLG, SpotCheckBilly, and pskelley.
(If you are
one of our classmates and not on this list email me for an addition to this
list...we need all the help we can get *;-)
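A small log-triage script, added here as an illustration and not part of the thread or of HijackThis itself, that flags the three entry patterns called out in this thread: R0/R1 Internet Explorer settings pointed at a `file://` URL in a Temp folder (the sp.html hijack), a nameless O2 BHO loaded from the system directory, and an O16 ActiveX control served from a bare IP address. The sample lines are constructed from the entries in the thread (user folder name replaced); the regexes and helper names are this example's own.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample in HijackThis format, modelled on the entries quoted in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\user\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nsitwww.tafensw.edu.au/
O2 - BHO: (no name) - {A7C15BE6-1EC0-49CC-86A0-2FFB0D5934AA} - C:\WINNT\System32\ocolp.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/012acc0774fda69d5005/netzip/RdxIE601.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

# Entry shapes for the three HijackThis sections this thread's fix list is built from.
R_ENTRY = re.compile(r"^(R[0-3]) - (?P<key>[^,]+),(?P<value>[^=]+?)\s*=\s*(?P<data>.*)$")
O2_ENTRY = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
O16_ENTRY = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")

SYSTEM_DIRS = ("\\WINNT\\SYSTEM32\\", "\\WINDOWS\\SYSTEM32\\")
TEMP_MARKERS = ("\\TEMP\\", "LOCALS~1")


def check_line(line: str):
    """Return a reason string if the line matches one of the thread's patterns, else None."""
    line = line.strip()
    m = R_ENTRY.match(line)
    if m:
        data = m.group("data").strip()
        # Search/start page redirected to a local file dropped in a Temp folder.
        if data.lower().startswith("file://") and any(t in data.upper() for t in TEMP_MARKERS):
            return "IE setting redirected to a local Temp file"
        return None
    m = O2_ENTRY.match(line)
    if m:
        path = m.group("path").strip()
        # Nameless BHO dropped straight into the system directory. Nameless BHOs also
        # exist legitimately (the Adobe one under Program Files), so require both.
        if m.group("name") == "(no name)" and any(d in path.upper() for d in SYSTEM_DIRS):
            return "nameless BHO loaded from the system directory"
        return None
    m = O16_ENTRY.match(line)
    if m:
        host = urlparse(m.group("url")).hostname or ""
        try:
            ip_address(host)  # raises ValueError for an ordinary hostname
        except ValueError:
            return None
        # ActiveX package fetched from a bare IP address instead of a vendor hostname.
        return "ActiveX control served from a bare IP address"
    return None


def triage(log_text: str):
    """Return [(line, reason)] for every flagged line in a HijackThis log."""
    findings = []
    for line in log_text.splitlines():
        reason = check_line(line)
        if reason:
            findings.append((line.strip(), reason))
    return findings


if __name__ == "__main__":
    for flagged, reason in triage(SAMPLE_LOG):
        print(f"{reason}: {flagged}")
```

The heuristics are deliberately narrow: they reproduce the reasoning used in this thread, not a general malware classifier, and a real log still needs a human reviewer.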

66 Posts

June 23rd, 2004 06:00

leon, I had the same problem you're having. IT can be fixed. I now have 4, count em, 4 spyware removal and spyware protection programs on my computer. They have cleaned up my system very well. AND ALL OF THEM ARE FREE. First thing you have to do is go on download.com and download these removal tools and protection tools. The first one is X-Cleaner. It's awesome, it has like 1500 different types of spyware that it can find. It can clean your Internet cache, history, EVERYTHING. Anyway, the program is really small. The download itself IS the program, so you don't have to install anything. It runs the first time you click the icon so make sure when you download it that you save it to your Desktop. Here's the link to it on download.com: http://www.download.com/X-Cleaner-Freeware-Version/3000-2092-10254992.html?tag=lst-0-1

The next program I recommend is Bazooka. It only finds stuff but it is very fast at searching and it found a lot of stuff on my computer. It doesn't remove stuff, but it's still good to have it for finding things. Here's the link for it: http://www.download.com/Bazooka-Adware-and-Spyware-Scanner/3000-8022-10247783.html?tag=lst-0-1

The next two programs are for protection mainly. First, download Spyware Blaster. It protects against everything and you should click "Enable All Protection" for the options that they give you. Just explore the options because there are a lot, including disabling Flash which has become a way for websites to put pop ups on you that you don't want. Here's Spyware Blaster: http://www.javacoolsoftware.com/sbdownload.html   Just choose a site you wanna download it from. If it's slow, cancel it and choose another site on the list.

The final program is Spybot Search and Destroy. Now, one thing I HIGHLY recommend is that you turn on the Advanced mode...Click Mode, and change from Default to Advanced. On both Spybot and Spyware Blaster there is protection on your internet HOME PAGE. It can block the home page from being tampered with. This includes from you tampering with it unless you turn the protection off. However, this is GREAT for even if you do get spyware (which you won't with two programs like this running) because the spyware won't be able to change your home page like many of them try to do. One thing I'd like to note about Spyware Blaster is that it doesn't need to stay running. You just hit close and it runs in the background, but no icon by the clock on your computer. Spybot Search and Destroy, however, has an option where you can run it by the clock. You right click on its icon and it gives you the option of running Spybot or exiting the icon. It also has an option for Internet Explorer "page blocking" where it has different levels of protection against certain KNOWN bad web pages. Anyway, the best thing to do is update these programs as often as you can, because different types of spyware/adware are ALWAYS coming out. Here's the link to Spybot Search and Destroy: http://www.download.com/Spybot-Search-Destroy/3000-8022-10289035.html?tag=lst-0-3

The thing I suggest HIGHLY is running the X-Cleaner first. It found a bunch of spyware on my PC and removed all of it. Then after cleaning it will ask you to restart. DO IT. You must restart or the spyware will stay on your machine. I restarted, and it got rid of CoolWebSearch and the other 15 spyware/adware I had on my computer. Good luck, and remember to tinker around with all the options, because these programs are GREAT for protection and prevention. Have fun killing all that spyware!!!!

3 Posts

June 24th, 2004 02:00

Ok Texruss, this is the latest log.

Logfile of HijackThis v1.97.7
Scan saved at 1:44:55 PM, on 24/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Altiris\AClient\AClient.exe
C:\Program Files\Altiris\eXpress\NS Client\AeXNSAgent.exe
C:\WINNT\System32\ccsrvc.exe
C:\WINNT\system32\cisvc.exe
C:\Program Files\Altiris\Carbon Copy\shellker.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ahead\InCD\InCD.exe
C:\PROGRA~1\Altiris\CARBON~1\client.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Altiris\AClient\AClntUsr.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINNT\System32\rmctrl.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\System32\RUNDLL32.EXE
C:\Program Files\Eraser\eraser.exe
C:\WINNT\System32\ctfmon.exe
C:\WINNT\System32\rundll32.exe
C:\Program Files\WordWeb\wweb32.exe
C:\WINNT\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
\nsf30\express\eXpress.exe
C:\mp3\Software\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nsitwww.tafensw.edu.au/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Evidence Eliminator] C:\Program Files\Evidence Eliminator\ee.exe /m
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AClntUsr] C:\Altiris\AClient\AClntUsr.EXE
O4 - HKLM\..\Run: [AeXAgentLogon] "C:\Program Files\Altiris\eXpress\NS Client\AeXAgentActivate.exe" /logon
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINNT\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINNT\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINNT\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINNT\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINNT\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RemoteControl] C:\WINNT\System32\rmctrl.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &WordWeb... - res://C:\WINNT\wweb32.dll/lookup.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/012acc0774fda69d5005/netzip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37902.6831712963
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://livesc03.rightnowtech.com/5571-b301h/rnl/java/RntX.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nsi.det.win
O17 - HKLM\Software\..\Telephony: DomainName = nsi.det.win
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nsi.det.win


3.4K Posts

June 24th, 2004 02:00

>texruss - I think what you suggested did the trick. thank you very much!

If you'll share a fresh hopefully final log, I will reply with defensive tips.

Texruss
www.russelltexas.com
Spyware Fighter Wilders Forum
Slyware Warrior Tom Coyote Forum
Expert Malware Responder Dell Forum

Please be aware only the following DellForum members were trained at
TomCoyote.com and SpywareInfo.com to help with malware like viruses, worms, adware, scumware, foistware and crudware in general. They are also the only experts specifically trained to analyze and advise on Hijackthis logs: Texruss, Baskar1234, Grinler, ChrisRLG, SpotCheckBilly, and pskelley. (If you are one of our classmates and not on this list email me for an addition to this list...we need all the help we can get *;-)

3 Posts

June 24th, 2004 02:00

Thanks very much for all your help people! I truly did not expect such quick and detailed replies. I have managed to fix it. Well, at least it hasn't seemed to come back after a few minutes (and if it does you won't hear the last of me then on this posting).

redwolfe_98 - thanks for showing me that webpage. It didn't fix it but it had useful links there.

texruss - I think what you suggested did the trick. thank you very much!

redfirebird - thank you! very useful stuff! x-cleaner didn't fix it but I've downloaded all those useful tools.


3.4K Posts

June 24th, 2004 03:00

Not bad mate...one hostile ActiveX, otherwise you're looking good. Keep a sharp eye on it for a few days.

Fix check this in Hijackthis and reboot.

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/012acc0774fda69d5005/netzip/RdxIE601.cab

Comments:
Netster

Here's the all clear...a little premature, but hey, you're pretty darn close.

You look (nearly) clean and hearty congratulations! Now to stay that way:

Cleanup Programs and Preventative Procedures

(the four free programs in Items 2, 3, and 4 bolded below are a MUST in my opinion)

1. Spybot Search&Destroy, Ad-aware. Run weekly - or after a heavy internet session. Download at the following link.

Chris has posted an excellent tutorial by dgosling on how to run Spybot S&D and also how to enable customized deep scanning functions for Adaware. Once you set these options they will be retained for future scans by Adaware.

Follow the directions in this detailed guide for Spybot and Adaware...go slow on the directions for the custom setup of Adaware and print it out as a hard copy. It will take five minutes to set up the custom scanning options for Adaware, but it's worth it as these settings will be retained and you won't have to re-enter them again.

http://www.cjwd.demon.co.uk/spybot-adaware.html

Please note the free Spybot 1.3 does have a slight bug...it detects some DSO exploits falsely. Hopefully an upgrade will fix this. The problem is not serious and should not deter people from using Spybot.

I also like to run Windows Disk Cleanup after cleaning with those two tools. Make sure you reboot if any reboot cleanup functions of Spybot and Adaware are advised by these tools (this may happen at the end of their cleanup).

Reboot and click on Start/Run/ type: cleanmgr

If you have problems with Disk Cleanup hanging and not completing see this page for XP users:

http://support.microsoft.com/default.aspx?scid=kb;en-us;812248

Or try this fix: http://www2.whidbey.net/djdenham/DeleteOldFiles.htm

From MS Help: " Disk Cleanup helps free up space on your hard drive. Disk Cleanup searches your drive, and then shows you temporary files, Internet cache files, and unnecessary program files that you can safely delete. You can direct Disk Cleanup to delete some or all of those files."

I check all the selected categories and click OK at the end of Disk Cleanup.

If you have any problems with Disk Cleaner completing...XP users can fix it here:

http://support.microsoft.com/default.aspx?scid=kb;en-us;812248

Or try this fix: http://www2.whidbey.net/djdenham/DeleteOldFiles.htm

2. Proactive programs: Spywareblaster & Spywareguard, first sets kill bits to stop known bad MSIE ActiveX scripts from installing, second acts like your AV to stop browser hijacks and installing of known baddies.

3. IE-Spyad, puts 4000 bad sites in your restricted (banned) sites list, to stop you accidentally getting sent to a bad site, it has optional list of "bad" adult sites to install as well.

Links for these at:
http://www.cjwd.demon.co.uk/compsafetyonline.html

4. MVPS Hosts file at: http://mvps.org/winhelp2002/hosts.htm

The MVPS Hosts file replaces your current HOSTS file with one that prevents your computer from connecting to hostile sites by redirecting them to 127.0.0.1 which is your local computer. This is an easy way to prevent one of the most common hijackings computer users will face on the Internet! Do it now.

5. Don't forget keeping Windows updated. The automatic updates frequently fail so run it manually once a week or when new updates are publicized.

Windows Live Update Page
http://v4.windowsupdate.microsoft.com/en/default.asp
Free Windows Security CD (for those who qualify):
www.microsoft.com/security/protect/cd/order.asp

You can also start Windows Update by running Internet Explorer, pulling down Tools on top Menu bar and selecting Windows Update. Install ALL critical updates! Always!

If LiveUpdate fails (and it is prone to on MANY machines) download each patch manually from the MS advisory pages and install manually. Works for me!

6. Keep your antivirus updated.
Free AVG Antivirus for home users: http://www.grisoft.com

7. Beg, borrow, or buy a Software Firewall if at all possible. I use Norton Internet Security 2004 and it has saved my bacon more times than I can count. For a free software firewall turn on the fairly lame firewall in Windows XP (I say it is lame because it does not monitor or block outgoing traffic...only incoming...a serious omission if the threat occurs inside your network). Hopefully with the upcoming Service Pack 2 this flaw will be addressed.

http://www.microsoft.com/technet/community/columns/5min/5min-101.mspx#XSLTsection125121120120

A better choice for now for a free software firewall is Zone Alarm.
http://www.zonelabs.com/store/content/company/products/znalm/freeDownload.jsp

8. Practice safe computer habits. Don't click on strange email attachments thinking your AV will defend you. Usually it will. Sometimes it won't when a new virus hits the Net and definitions take hours to create by the AV vendors. There is only one defense that works 100% for the safe protection of your machine's personal data and that is timely and accurate backups of your files. Hard drives die, viruses ruin your files, and other bad things can happen (fire, theft, etc..). Offsite backups are the best.

9. Don't forget our great analysis tool Hijackthis. We have a lot of gratitude we need to show towards the author Merijn. I hope he does great things in his future endeavors and is richly rewarded for his time and expertise in providing this super program.

Hijackthis (to analyse your system and submit a log file to expert forums):
http://tomcoyote.com/hjt

(for Hijackthis logs...please copy Hijackthis.exe into a new folder you create in the root level of the C: drive and run it from there. Name this folder HJT for best and safest results). (don't put it in a Local Settings Temp folder, or the Windows desktop, etc...as it needs a safe folder to keep backup logs). Also when XP and W2K users post here and place it in the Local Settings, the log usually shows their full name since their Windows user profile is commonly named with their full name. We try not to disturb your privacy. *;-)

See this link for graphical instruction: http://russelltexas.com/malware/faqhijackthis.htm

Forums for help and analysis of your Hijackthis logfile:

http://forums.us.dell.com/supportforums
http://forums.tomcoyote.com
http://www.spywareinfo.com/forums
http://www.wilderssecurity.com
http://www.computercops.us/forums.html
http://forums.net-integration.net
http://boards.cexx.org
http://www.bleepingcomputer.com

Good luck and safe computing!

Texruss
www.russelltexas.com
Spyware Fighter Wilders Forum
Slyware Warrior Tom Coyote Forum
Expert Malware Responder Dell Forum
