Worst Spyware, Scumware, Adware, Hijack

KazaaBoy
07-08-2004, 02:38 AM
Well, I was looking through some serials for a software and BOOM.... My browser gets hijacked like hell. The homepage has been redirected to a website that I won't post here in case some n00bies click it and the same thing happens to them, but their name is "Cool Web Search". I downloaded HijackThis and it found it, got rid of it, and it came back. Ran Adware, found it, got rid of it, kept on coming back. The same with SpyBot and on and on. Really don't know what to do?? My homepage is always taken by some weird IP address that redirects to some website. I managed to clean some of it up, but I know there is some left; I don't know where, and no spyware killer managed to get it.

Anyone had any experience with this or know how to get rid of it?

:frusty: PLEASE HELP :frusty:

muchspl2
07-08-2004, 02:42 AM
http://www.spysweeper.com is the correct answer, and worst case get cwshreadder, but spysweeper should take care of it
p.s.
don't surf while logged in as admin ;)

peat moss
07-08-2004, 02:49 AM
Cwsredder? Here's a few links.
http://www.softpedia.com/public/cat/10/17/10-17-150.shtml


Edit: Sorry mulch, I can't type. I was still looking for a link for him. :lol:

Jg427
07-08-2004, 02:53 AM
Download CWShredder (http://www.spywareinfo.com/~merijn/downloads.html), close all browser windows and click on fix to run it.

Run hijackthis, save log and post the log here.

muchspl2
07-08-2004, 02:56 AM
mulch :(

I know for a fact spysweeper can remove cool web search, but it used to be only cwsshreader (sp)

peat moss
07-08-2004, 02:58 AM
Originally posted by muchspl2@7 July 2004 - 19:04
mulch :(

I know for a fact spysweeper can remove cool web search, but it used to be only cwsshreader (sp)
@much sorry buddy! lol Told you spelling was bad.

muchspl2
07-08-2004, 03:07 AM
all good in the hood

KazaaBoy
07-08-2004, 03:27 AM
Thanks man, but SpySweeper doesn't pick it up like Adware does. I downloaded an upgrade for Adware and it kicked out 280 spyware and HijackThis files. I closed it and reopened it and it picks up some more. Spybot also does the same thing, but with other spyware that Adware misses. My browser keeps getting hijacked no matter what I do?

Please help :helpsmile:

muchspl2
07-08-2004, 03:38 AM
Originally posted by Jg427@7 July 2004 - 22:01
Download CWShredder (http://www.spywareinfo.com/~merijn/downloads.html), close all browser windows and click on fix to run it.

Run hijackthis, save log and post the log here.
^^ then

Jg427
07-08-2004, 03:41 AM
Newer variants of CWS will return after removal by most cleaners, even CWShredder. The first step is to run CWShredder. Some have had better results by running CWShredder in safe mode, then running Ad-Aware again while still in safe mode. Reboot to see if the hijacker returns, and run HijackThis to help identify it. Other tools are available after that.

KazaaBoy
07-08-2004, 04:06 AM
ok doing it right now after I log off.

Be back very soon...

iMartin
07-08-2004, 04:33 AM
Originally posted by muchspl2@7 July 2004 - 20:50
http://www.spysweeper.com is the correct answer, and worst case get cwshreadder, but spysweeper should take care of it
p.s.
don't surf while logged in as admin ;)
SpySweeper is great, much better than SpyBot and Adware I think. Latest full version is on SuprNova I think.

KazaaBoy
07-08-2004, 04:37 AM
Ok, I did what you suggested and it found some more tracking cookies and other spyware in safe mode. Here are the logs you wanted:

=====================================================
-HijackThis Report-

StartupList report, 08/07/2004, 04:22:36
StartupList version: 1.52.2
Started from : G:\Documents and Settings\The One\Desktop\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\Explorer.EXE
G:\Documents and Settings\The One\Desktop\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[G:\Documents and Settings\All Users\Start Menu\Programs\Startup]
AOL 8.0 Tray Icon.lnk = G:\Program Files\AOL 8.0\aoltray.exe
BlackICE PC Protection.lnk = G:\Program Files\ISS\BlackICE\blackice.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = G:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

DSLAGENTEXE = dslagent.exe USB
ccApp = "G:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ccRegVfy = G:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

warez = "G:\Program Files\Warez P2P Client\warez.exe" -h
Symantec NetDriver Monitor = G:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE

--------------------------------------------------

Shell & screensaver key from G:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - G:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - G:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
Ipswitch.WsftpBrowserHelper - G:\Program Files\Ipswitch\WS_FTP Pro\wsbho2k0.dll - {601ED020-FB6C-11D3-87D8-0050DA59922B}
(no name) - G:\PROGRA~1\FlashGet\jccatch.dll (file missing) - {A5366673-E8CA-11D3-9CD9-0090271D075B}
NAV Helper - G:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Norton AntiVirus - Scan my computer.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB (http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB)

[Symantec RuFSI Utility Class]
InProcServer32 = G:\WINDOWS\Downloaded Program Files\rufsi.dll
CODEBASE = http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab (http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab)

[Update Class]
InProcServer32 = G:\WINDOWS\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/...8172.8495138889 (http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38172.8495138889)

[Shockwave Flash Object]
InProcServer32 = G:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://fpdownload.macromedia.com/get/shock...ash/swflash.cab (http://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab)

[{E36C5562-C4E0-4220-BCB2-1C671E3A5916}]
CODEBASE = http://www.seagate.com/support/disc/asp/to.../npseatools.cab (http://www.seagate.com/support/disc/asp/tools/en/bin/npseatools.cab)

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: G:\WINDOWS\system32\SHELL32.dll
CDBurn: G:\WINDOWS\system32\SHELL32.dll
WebCheck: G:\WINDOWS\System32\webcheck.dll
SysTray: G:\WINDOWS\System32\stobject.dll
System: G:\WINDOWS\system32\system32.dll

--------------------------------------------------
End of report, 4,930 bytes
Report generated in 0.031 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
=====================================================

-CWShredder v1.40.2 scan only report-

Windows XP (5.01.2600 SP1)
Windows dir: G:\WINDOWS
Windows system dir: G:\WINDOWS\system32
AppData folder: G:\Documents and Settings\The One\Application Data
Username: The One

Hosts file not present
Shell Registry value: HKLM\..\WinLogon [Shell] Explorer.exe
UserInit Registry value: HKLM\..\WinLogon [UserInit] G:\WINDOWS\system32\userinit.exe,
CWS.Oslogo (if value is 2) Registry value: Domains: *.coolwebsearch.com dword:4
CWS.Oslogo (if value is 2) Registry value: Domains: *.coolwwwsearch.com dword:4
CWS.Googlems.2 (if value is 2) Registry value: Domains: *.xxxtoolbar.com dword:4
CWS.Googlems.4 (if value is 2) Registry value: Domains: *.teensguru.com dword:4
Found Win.ini file: G:\WINDOWS\win.ini (597 bytes, A)
Found System.ini file: G:\WINDOWS\system.ini (231 bytes, A)

- END OF REPORT -

Picture of my hijacked start page in IE: http://www.godsholyangels.com/regedit.JPG

muchspl2
07-08-2004, 04:38 AM
Thanks. Like I said, the latest SpySweeper can beat it,
but at least hope he can beat it.

Jg427
07-08-2004, 04:46 AM
Please run HJT again. The Scan button will change to a Save Log button; click that. It will save a log to Notepad. Open the Notepad log, select all and copy, and paste it here.

The CWShredder report was a scan-only report. Run it by clicking the Fix button. Do this before the new HJT log.

KazaaBoy
07-08-2004, 05:08 AM
Logfile of HijackThis v1.98.0
Scan saved at 05:15:54, on 08/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
G:\WINDOWS\system32\spoolsv.exe
G:\Program Files\ISS\BlackICE\blackd.exe
G:\Program Files\Norton AntiVirus\navapsvc.exe
G:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
G:\WINDOWS\wanmpsvc.exe
G:\WINDOWS\Explorer.EXE
G:\WINDOWS\System32\dslagent.exe
G:\Program Files\Common Files\Symantec Shared\ccApp.exe
G:\Program Files\ISS\BlackICE\blackice.exe
G:\Program Files\MYIE2\MyIE.exe
G:\WINDOWS\System32\svchost.exe
G:\Program Files\ePrompter\ePrompter.exe
G:\Program Files\Messenger\msmsgs.exe
G:\Documents and Settings\The One\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - G:\Program Files\Ipswitch\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - G:\PROGRA~1\FlashGet\jccatch.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - G:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - G:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - G:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [ccApp] "G:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] G:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKCU\..\Run: [warez] "G:\Program Files\Warez P2P Client\warez.exe" -h
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] G:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - Global Startup: AOL 8.0 Tray Icon.lnk = G:\Program Files\AOL 8.0\aoltray.exe
O4 - Global Startup: BlackICE PC Protection.lnk = G:\Program Files\ISS\BlackICE\blackice.exe
O8 - Extra context menu item: Download All by FlashGet - G:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - G:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - G:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - G:\PROGRA~1\FlashGet\flashget.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab (http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab)
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} - http://www.seagate.com/support/disc/asp/to.../npseatools.cab (http://www.seagate.com/support/disc/asp/tools/en/bin/npseatools.cab)
O17 - HKLM\System\CCS\Services\Tcpip\..\{2A5B4296-F73C-42D3-8C58-DE04DED60D7C}: NameServer = 195.93.51.134
O21 - SSODL: System - {A8176633-6957-4BCA-89FC-E2ED8F7496DB} - G:\WINDOWS\system32\system32.dll

Rip The Jacker
07-08-2004, 05:21 AM
Originally posted by KazaaBoy@7 July 2004 - 18:46
Well, I was looking through some serials for a software and BOOM.... My browser get's hijacked like hell.
Using Internet Explorer to browse a serial website? That is a big no-no.

Jg427
07-08-2004, 05:55 AM
Make a new folder for HJT and place hijackthis.exe inside it. Backup files will be saved there.

Fix with HJT:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php

If this is provided by your ISP, it's OK; otherwise fix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{2A5B4296-F73C-42D3-8C58-DE04DED60D7C}: NameServer = 195.93.51.134

Here is why it keeps coming back; fix:
O21 - SSODL: System - {A8176633-6957-4BCA-89FC-E2ED8F7496DB} - G:\WINDOWS\system32\system32.dll

Now delete this file:
G:\WINDOWS\system32\system32.dll

If you don't see it, try this first:
Show hidden files and folders. (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339?Open&src=ent&docid=2002092514302348&nsf=ent-security.nsf&view=docid&dtype=corp&prod=Symantec)

Reboot and reset your web settings:
In IE > Tools > Internet Options > Programs,
click "Reset Web Settings".

Post a new HJT log.
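The triage Jg427 does by hand in the post above (start/default page values pointing at a bare IP address, a NameServer override to be checked against the ISP, and an SSODL entry loading a DLL that is not one of the standard shell components) can be written down as a small log-line classifier. The following is an added example, not code from this thread, from HijackThis or from its author; it parses the R0/R1, O17 and O21 line formats shown in KazaaBoy's log and reports the entries a responder would want to look at. The sample lines are copied from the log posted above (the WebCheck line's CLSID is a constructed placeholder), and the allowlist of known SSODL DLLs, taken from the StartupList report earlier in the thread, is an assumption.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: HijackThis lines copied from the log posted in this thread,
# plus one benign O21 line (placeholder CLSID) so the allowlist path is exercised.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - G:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKCU\..\Run: [warez] "G:\Program Files\Warez P2P Client\warez.exe" -h
O17 - HKLM\System\CCS\Services\Tcpip\..\{2A5B4296-F73C-42D3-8C58-DE04DED60D7C}: NameServer = 195.93.51.134
O21 - SSODL: System - {A8176633-6957-4BCA-89FC-E2ED8F7496DB} - G:\WINDOWS\system32\system32.dll
O21 - SSODL: WebCheck - {00000000-0000-0000-0000-000000000000} - G:\WINDOWS\System32\webcheck.dll
"""

# Assumption: the ShellServiceObjectDelayLoad DLLs listed in the clean StartupList
# report above (SHELL32.dll, webcheck.dll, stobject.dll). Anything else is worth a look.
KNOWN_SSODL_DLLS = {"shell32.dll", "webcheck.dll", "stobject.dll"}

# A URL whose host is a dotted-quad IP literal, as in the hijacked start page.
IPV4_HOST = re.compile(r"^https?://(\d{1,3}(?:\.\d{1,3}){3})(?:[:/]|$)")

# "R0 - ..." / "O21 - ..." : section code, then the entry body.
ENTRY = re.compile(r"^(R[01]|O\d+) - (.*)$")


@dataclass
class Finding:
    section: str   # HijackThis section code: R0, R1, O17, O21
    reason: str    # why a responder should look at this entry
    line: str      # the original log line


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for one HijackThis log line, or None if nothing stands out."""
    line = line.strip()
    m = ENTRY.match(line)
    if not m:
        return None
    section, body = m.groups()

    if section in ("R0", "R1"):
        # Browser start/default/local page: flag when it points at a raw IP address.
        url = body.split(" = ", 1)[1] if " = " in body else ""
        if IPV4_HOST.match(url):
            return Finding(section, "browser page setting points at a bare IP address", line)

    elif section == "O17":
        # Per-interface DNS override: legitimate if the ISP set it, otherwise suspicious.
        if "NameServer = " in body:
            return Finding(section, "DNS NameServer override; verify it belongs to the ISP", line)

    elif section == "O21":
        # SSODL entries are loaded by Explorer at every logon, which is why the
        # hijack kept returning; flag any DLL not in the known-good set.
        dll = body.rsplit("\\", 1)[-1].lower()
        if dll not in KNOWN_SSODL_DLLS:
            return Finding(section, "SSODL loads a DLL that is not a standard shell component", line)

    return None


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over every line of a HijackThis log and collect the findings."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f is not None]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run as a script it prints the four entries Jg427 singled out (the two page-URL lines, the NameServer override and the system32.dll SSODL entry) and stays quiet about the Norton BHO, the Run entry and the benign WebCheck line. The O17 finding is deliberately worded as a check rather than a verdict, matching the "if this is provided by your ISP, it's OK" caveat in the post.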

KazaaBoy
07-08-2004, 06:39 AM
Logfile of HijackThis v1.98.0
Scan saved at 06:42:31, on 08/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
G:\WINDOWS\system32\spoolsv.exe
G:\Program Files\ISS\BlackICE\blackd.exe
G:\Program Files\Norton AntiVirus\navapsvc.exe
G:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
G:\WINDOWS\wanmpsvc.exe
G:\WINDOWS\Explorer.EXE
G:\WINDOWS\System32\dslagent.exe
G:\Program Files\Common Files\Symantec Shared\ccApp.exe
G:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
G:\Program Files\ISS\BlackICE\blackice.exe
G:\Program Files\Messenger\msmsgs.exe
G:\Documents and Settings\The One\Desktop\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - G:\Program Files\Ipswitch\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - G:\PROGRA~1\FlashGet\jccatch.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - G:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - G:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - G:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [ccApp] "G:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] G:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKCU\..\Run: [warez] "G:\Program Files\Warez P2P Client\warez.exe" -h
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] G:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - Global Startup: AOL 8.0 Tray Icon.lnk = G:\Program Files\AOL 8.0\aoltray.exe
O4 - Global Startup: BlackICE PC Protection.lnk = G:\Program Files\ISS\BlackICE\blackice.exe
O8 - Extra context menu item: Download All by FlashGet - G:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - G:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - G:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - G:\PROGRA~1\FlashGet\flashget.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab (http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab)
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} - http://www.seagate.com/support/disc/asp/to.../npseatools.cab (http://www.seagate.com/support/disc/asp/tools/en/bin/npseatools.cab)
O17 - HKLM\System\CCS\Services\Tcpip\..\{2A5B4296-F73C-42D3-8C58-DE04DED60D7C}: NameServer = 195.93.51.134

=====================================================
I think that did the trick. This was the only trouble that I had, while every other piece of spyware was deleted by Adware and Spybot. I guess when I was installing software I didn't realise the effect of it. When I had my Norton Personal Firewall, it had advertising blocking, script blocking and many other features. I can't download Personal Firewall 2004 as it won't let me access the internet even though I tell it to. Looking at the log ^, do you think there are any more problems?

Thanks again for your help ;)

Jg427
07-08-2004, 06:55 AM
Looks good to me, as long as nothing comes back.
If it does, we'll go another round. :P

KazaaBoy
07-08-2004, 06:59 AM
Now why couldn't the anti-spyware tools detect the system32.dll?