Cool Web Search!!! Damnit!
Join Date: Jun 2004
Posts: 18
Solved Threads: 0
Sorry, no offense intended, crunchie.
I ticked it in HJT, ran Ad-Aware, and did a CWS rip on my C drive. It was fine for a bit, turned on my PC today and the about:blank was back. Fixed it again, although it was under a BHO this time and a dll reference, then I played CS for an hour or two, and voilà, it is back again. Anyone know how to fix this? I've tried the basic stuff and it DOES NOT WORK. It hasn't worked for the past couple of months and is not working now, anyone? Anyone at all?
BTW: the only websites I have been going to are Yahoo and eBay, so unless one of them has spyware, it is a trojan or something already on my PC.
Join Date: Jun 2004
Posts: 18
Solved Threads: 0
Originally Posted by p3-450
Can you post a new log please.
Logfile of HijackThis v1.98.2
Scan saved at 2:16:13 AM, on 9/30/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Dreg\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.afes.com/
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Steam] "c:\progra~1\steam\steam.exe" -silent
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/game...s/y/pote_x.cab
Join Date: Jul 2004
Posts: 2,964
Solved Threads: 210
Try this to see if it will find the trojan:
First go to:
http://www.resplendence.com/reglite
Download and install Registrar Lite, and then run the program. Copy and paste this line to reglite's address bar:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
and hit the "GO" tab. On the right side panel find the "Appinit_Dlls" value; double-click it (if you don't double-click, it won't work), and then copy and post the information that comes up in the "Value" field here in this thread for instructions on what to do next.
Join Date: Jun 2004
Posts: 18
Solved Threads: 0
Originally Posted by dlh6213
Try this to see if it will find the trojan:
First go to:
http://www.resplendence.com/reglite
Download and install Registrar Lite, and then run the program. Copy and paste this line to reglite's address bar:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
and hit the "GO" tab. On the right side panel find the "Appinit_Dlls" value; double-click it (if you don't double-click, it won't work), and then copy and post the information that comes up in the "Value" field here in this thread for instructions on what to do next.
Here's what was in the Value spot:
C:\WINDOWS\System32\mshepg.dll
I'll await the next set of instructions.
Join Date: Jul 2004
Posts: 2,964
Solved Threads: 210
-Run reglite : type--
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
into the address bar, or expand the same key.
-Rename the Folder Windows to NotWindows highlighted as a purple folder in the left hand pane of reglite.
-Click "AppInit_DLLs" again and clear the data value:
C:\WINDOWS\System32\mshepg.dll (random named dll) <- delete this line,
'Apply' and 'ok' to set.
-Rename the NotWindows folder back to its original name Windows
-Restart computer
Check in the system32 folder if the culprit dll is visible & delete it.
Join Date: Jun 2004
Posts: 18
Solved Threads: 0
Originally Posted by dlh6213
-Run reglite : type--
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
into the address bar, or expand the same key.
-Rename the Folder Windows
to NotWindows highlighted as a purple folder
in the left hand pane of reglite.
-Click "AppInit_DLLs" again and clear the data value:
C:\WINDOWS\System32\mshepg.dll (random named dll) <- delete this line ,
'Apply' and 'ok' to set.
-Rename the NotWindows folder back to its
original name Windows
-Restart computer
Check in the system32 folder if the culprit dll is visible & delete it.
I did as you said, but the dll will not delete. It is in use in regular mode and safe mode so I cannot delete it. Any suggestions how to delete it another way?
Also, I'll let you know how that registry fix worked. It usually takes a day or two for the virus to reappear, so I'll see if it does, thanks!
Open hijackthis & go to config\misc tools\delete a file on reboot & paste in C:\WINDOWS\System32\mshepg.dll then reboot.
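Added example, not part of any post in this thread: a read-only PowerShell audit of the AppInit_DLLs value that the thread inspects by hand with Registrar Lite. It assumes PowerShell 4 or later (for Get-FileHash), so it targets current Windows rather than the XP machine in the thread; the report property names are chosen here for illustration.

```powershell
# Added example (not from the thread): read-only audit of AppInit_DLLs.
# Each registry view is paired with the directory that bare file names resolve to.
$views = @{
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows' = "$env:SystemRoot\System32"
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows' = "$env:SystemRoot\SysWOW64"
}

$report = foreach ($key in $views.Keys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }   # no WOW6432Node on 32-bit Windows
    $props = Get-ItemProperty -LiteralPath $key

    # The data is a list of DLLs separated by spaces or commas.
    $entries = @("$($props.AppInit_DLLs)" -split '[ ,]+' | Where-Object { $_ })

    foreach ($entry in $entries) {
        $path = if (Split-Path -Path $entry -IsAbsolute) { $entry } else { Join-Path $views[$key] $entry }
        # -Force so hidden and system files are returned as well.
        $file = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue

        [pscustomobject]@{
            Key       = $key
            Entry     = $entry
            OnDisk    = [bool]$file
            Modified  = if ($file) { $file.LastWriteTime }
            Signature = if ($file) { (Get-AuthenticodeSignature -FilePath $file.FullName).Status }
            SHA256    = if ($file) { (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash }
            # Value is absent on Windows XP; on Vista and later 0 disables loading.
            LoadAppInit_DLLs = $props.LoadAppInit_DLLs
        }
    }
}

if ($report) { $report | Format-List } else { 'AppInit_DLLs is empty in every registry view.' }
```

An entry that is unsigned, recently modified, or listed but not visible on disk is the one to follow up, as with the randomly named DLL found in this thread.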






