malware has taken over,please help

Question

My husband was browsing the net a few days ago and a site installed what we believe is the coolworld malware. After our computer was infected with it our internet explorer home bage kept being reset and things just went all around haywire. Browser windows shutting,we can't scan disk to fix errors,etc. I have run cwshredder to no avail,have been running spybot & adaware repeatedly,downloaded system mechanic,and done anything I can think to do to remove this thing from our computer. We just can't seem to get rid of it. I have been able to at least reset our homepage and use another browser but ie is pretty much asking for trouble anytime you open it. Any help would be appreciated greatly. I ran hijackthis and here is my log:   MyLogfile of HijackThis v1.97.7Scan saved at 5:01:22 PM, on 6/28/2004Platform: Windows XP SP1 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\LEXBCES.EXEC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\system32\LEXPPS.EXEC:\WINDOWS\system32\cisvc.exeC:\WINDOWS\System32
vsvc32.exeC:\Program Files\Trend Micro\Internet Security\Tmntsrv.exeC:\Program Files\Trend Micro\Internet Security	mproxy.exeC:\Program Files\Trend Micro\Internet Security\PccPfw.exeC:\WINDOWS\System32\dllhost.exeC:\WINDOWS\Explorer.EXEC:\Program Files\QuickTime\qttask.exeC:\WINDOWS\System32\NDrv.exeC:\PROGRA~1\iolo\SYSTEM~1\PopupStopper.exeC:\Documents and Settings\Jennifer Jones\Application Data\mesm.exeC:\Program Files\Internet Explorer\IEXPLORE.EXEC:\PROGRA~1\YAHOO!\BROWSER\ycommon.exeC:\Program Files\Yahoo!\browser\ybrwicon.exeC:\Program Files\Microsoft Hardware\Mouse\POINT32.EXEC:\WINDOWS\system32\cidaemon.exeC:\PROGRA~1\YAHOO!\BROWSER\YBROWSER.EXEC:\WINDOWS\System32\wuauclt.exeC:\Documents and Settings\Jennifer Jones\My Documents\My Pictures\HijackThis.exeC:\WINDOWS\SYSTEM32
otepad.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.htmlR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.comR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dslR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.htmlR1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.comR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = O2 - BHO: Curl - {A78CC2FF-6E4E-4556-B27C-D7C3A70D7A50} - C:\WINDOWS\System32\NDrv.dllO3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocxO4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUpO4 - HKLM\..\Run: [QuickTime Task] 'C:\Program Files\QuickTime\qttask.exe' -atboottimeO4 - HKLM\..\Run: [IPInSightMonitor 01] 'C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe'O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [nwiz] nwiz.exe /installO4 - HKCU\..\Run: [Registry Cleaner Scheduler] 'C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe' /startupO4 - HKCU\..\Run: [NDrv] C:\WINDOWS\System32\NDrv.exeO4 - HKCU\..\Run: [Asse] C:\Documents and Settings\Jennifer Jones\Application Data
cts.exeO4 - HKCU\..\Run: [System Mechanic Popup Stopper] 'C:\PROGRA~1\iolo\SYSTEM~1\PopupStopper.exe'O4 - HKCU\..\Run: [WAPI] C:\WINDOWS\System32\wtssvsu.exeO4 - HKCU\..\Run: [Tsie] C:\Documents and Settings\Jennifer Jones\Application Data\mesm.exeO8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htmO8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htmO9 - Extra button: Related (HKLM)O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cabO16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dllO16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dllO16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cabO16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dllO16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cabO17 - HKLM\System\CCS\Services\Tcpip\..\{68F2791F-1703-47B3-9FD1-E497E73A2986}: NameServer = 151.164.1.8 151.164.30.105

baskar1234 · Answer

Hello, Its easy to miss a post among the lots here. Close all browser windows . RUn hijackthis. Put a check mark on all these entries. Hit FIX CHECKED button. R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.htmlR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.comR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.htmlR1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.comR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = O2 - BHO: Curl - {A78CC2FF-6E4E-4556-B27C-D7C3A70D7A50} - C:\WINDOWS\System32\NDrv.dll O4 - HKCU\..\Run: [NDrv] C:\WINDOWS\System32\NDrv.exeO4 - HKCU\..\Run: [Asse] C:\Documents and Settings\Jennifer Jones\Application Data
cts.exe O4 - HKCU\..\Run: [WAPI] C:\WINDOWS\System32\wtssvsu.exeO4 - HKCU\..\Run: [Tsie] C:\Documents and Settings\Jennifer Jones\Application Data\mesm.exe O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cabReboot intoo safe mode. Unhide all files and folders, delete, C:\WINDOWS\System32\NDrv.exe -- FILEC:\Documents and Settings\Jennifer Jones\Application Data
cts.exe --FILE C:\Documents and Settings\Jennifer Jones\Application Data\mesm.exe -- FILE C:\WINDOWS\System32\wtssvsu.exe --FILE reboot,rescan with hijackthis and post it in this same thread.

jennsahm · Answer

thanks for the help I realize you guys are busy but it has been 10 days with no reply. The guidelines of the board say that messages are answered in the order which they are recieved....yet mine is 8 pages back and tons of messages posted after mine have been answered. Is it all in who you know??

jennsahm · Answer

Thanks for your help,here is the new scan log.     Logfile of HijackThis v1.97.7Scan saved at 4:30:52 PM, on 7/8/2004Platform: Windows XP SP1 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\LEXBCES.EXEC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\system32\LEXPPS.EXEC:\WINDOWS\Explorer.EXEC:\Program Files\QuickTime\qttask.exeC:\Program Files\VVSN\VVSN.exeC:\PROGRA~1\iolo\SYSTEM~1\PopupStopper.exeC:\WINDOWS\System32\qpsoiuu.exeC:\WINDOWS\system32\cisvc.exeC:\WINDOWS\System32
vsvc32.exeC:\Program Files\Trend Micro\Internet Security\Tmntsrv.exeC:\Program Files\Trend Micro\Internet Security	mproxy.exeC:\Program Files\Trend Micro\Internet Security\PccPfw.exeC:\WINDOWS\System32\wuauclt.exeC:\Documents and Settings\Jennifer Jones\My Documents\My Pictures\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.htmlR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dslO2 - BHO: (no name) - {40A16D59-EF4F-5FE9-8757-66550BD32E4F} - C:\WINDOWS\System32\ydmmhmag.dllO4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUpO4 - HKLM\..\Run: [QuickTime Task] 'C:\Program Files\QuickTime\qttask.exe' -atboottimeO4 - HKLM\..\Run: [IPInSightMonitor 01] 'C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe'O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [nwiz] nwiz.exe /installO4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exeO4 - HKCU\..\Run: [Registry Cleaner Scheduler] 'C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe' /startupO4 - HKCU\..\Run: [System Mechanic Popup Stopper] 'C:\PROGRA~1\iolo\SYSTEM~1\PopupStopper.exe'O4 - HKCU\..\Run: [Yqacu] C:\WINDOWS\System32\qpsoiuu.exeO8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htmO8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htmO16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cabO16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dllO16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dllO16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dllO16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cabO17 - HKLM\System\CCS\Services\Tcpip\..\{68F2791F-1703-47B3-9FD1-E497E73A2986}: NameServer = 151.164.1.8 151.164.30.105

baskar1234 · Answer

Hello,

Reboot into safe mode.

Close all browser windows.Run hijackthis and put a check mark on these entries and hit FIX CHECKED button.

O2 - BHO: (no name) - {40A16D59-EF4F-5FE9-8757-66550BD32E4F} - C:\WINDOWS\System32\ydmmhmag.dll
O4 - HKCU\..\Run: [Yqacu] C:\WINDOWS\System32\qpsoiuu.exe
O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe

Delete the following,

C:\WINDOWS\System32\qpsoiuu.exe-- FILE

C:\Program Files\VVSN\VVSN.exe - FILE

Reboot, rescan with hijackthis and post a fresh log.

Message Edited by baskar1234 on 07-06-2004 10:22 PM

jennsahm · Answer

new log file:   Logfile of HijackThis v1.97.7Scan saved at 11:34:13 PM, on 7/8/2004Platform: Windows XP SP1 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\LEXBCES.EXEC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\system32\LEXPPS.EXEC:\WINDOWS\Explorer.EXEC:\Program Files\QuickTime\qttask.exeC:\PROGRA~1\iolo\SYSTEM~1\PopupStopper.exeC:\WINDOWS\system32\cisvc.exeC:\WINDOWS\System32
vsvc32.exeC:\Program Files\Trend Micro\Internet Security\Tmntsrv.exeC:\Program Files\Trend Micro\Internet Security	mproxy.exeC:\Program Files\Trend Micro\Internet Security\PccPfw.exeC:\PROGRA~1\YAHOO!\BROWSER\YBROWSER.EXEC:\PROGRA~1\YAHOO!\BROWSER\ycommon.exeC:\Program Files\Yahoo!\browser\ybrwicon.exeC:\WINDOWS\System32\wuauclt.exeC:\Documents and Settings\Jennifer Jones\My Documents\My Pictures\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.htmlR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dslO4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUpO4 - HKLM\..\Run: [QuickTime Task] 'C:\Program Files\QuickTime\qttask.exe' -atboottimeO4 - HKLM\..\Run: [IPInSightMonitor 01] 'C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe'O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [nwiz] nwiz.exe /installO4 - HKCU\..\Run: [Registry Cleaner Scheduler] 'C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe' /startupO4 - HKCU\..\Run: [System Mechanic Popup Stopper] 'C:\PROGRA~1\iolo\SYSTEM~1\PopupStopper.exe'O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htmO8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htmO16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cabO16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dllO16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dllO16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dllO16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cabO17 - HKLM\System\CCS\Services\Tcpip\..\{68F2791F-1703-47B3-9FD1-E497E73A2986}: NameServer = 151.164.1.8 151.164.30.105

baskar1234 · Answer

Good Job,. Your log looks clean. If you have any more problems, do tell us. Regards, Baskar.

jennsahm · Answer

Thanks so much for your help,I truly appreciate it. You're a life saver

Virus & Spyware

Was this post helpful?