coolwebsearch variant

[mattmos]

Hi guys, firstly thanks in advance for any help, I've just been recommended here and it seems like a great forum :)

I appear to have picked up a variant of the coolwebsearch trojan, have downloaded ad-aware se with vx add-on and spybot, but they haven't been sucessful and ad-aware is actually closed down if it is started with full system scan.

IE's start page is taken over by a search page, normally I would just switch to Firefox but am using Softimage XSI 3d software which relies on IE for certain operations...

Have tried to follow advice in the stickies as closely as poss, here is the resulting HJT logfile:

Logfile of HijackThis v1.98.2
Scan saved at 12:52:32, on 05/01/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\spm\spmd.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\nvsvc32.exe
C:\Softimage\XSI_4.0\Application\bin\raysatxsi4_0server.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Softimage\XSIBatchServeClient_1.5\bin\XSIbServClientd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows ServeAd\WinServAd.exe
C:\Program Files\Windows ServeAd\WinServSuit.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Softimage\XSIBatchServeClient_1.5\bin\XSIbServClientUI.exe
C:\WINNT\explorer.exe
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\about.htm
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {66FB287B-A224-CFD0-B6F6-EC69E7EE13D2} - C:\WINNT\system32\syspe.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows ServeAd] C:\Program Files\Windows ServeAd\WinServAd.exe
O4 - HKLM\..\Run: [javaet32.exe] C:\WINNT\system32\javaet32.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: XSIBatchServe Control.lnk = C:\Softimage\XSIBatchServeClient_1.5\bin\XSIbServClientUI.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Jellyfish.jellyfish.co.uk
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Jellyfish.jellyfish.co.uk
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = jellyfish.co.uk,easynet.co.uk
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Jellyfish.jellyfish.co.uk
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = jellyfish.co.uk,easynet.co.uk
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = jellyfish.co.uk,easynet.co.uk



Cheers,
Matt

[greyknight17]

Welcome to TSF.

You may still use Firefox for most of your other online websites. Just use IE for those sites that require it. That will put you less at risk on getting these infections again.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that Display the contents of System Folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Right click on this link and choose Save As. Save it to your desktop. Right click on that file and choose Install. You may delete it afterwards.

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it):

C:\Program Files\Windows ServeAd\WinServAd.exe
C:\Program Files\Windows ServeAd\WinServSuit.exe

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

Windows ServeAd

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\about.htm
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {66FB287B-A224-CFD0-B6F6-EC69E7EE13D2} - C:\WINNT\system32\syspe.dll
O4 - HKLM\..\Run: [Windows ServeAd] C:\Program Files\Windows ServeAd\WinServAd.exe
O4 - HKLM\..\Run: [javaet32.exe] C:\WINNT\system32\javaet32.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\Program Files\Windows ServeAd\
C:\WINNT\system32\syspe.dll
C:\WINNT\system32\javaet32.exe

Reboot into Normal Mode and run new HijackThis scan. Save the log file and run HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum.

To help prevent future spyware installations/infections, please read the Anti-Spyware Section and use the tools provided.

[mattmos]

Hi greynight17, thanks for the quick response.

I followed your instructions, but unfortunately when starting IE the homepage is still taken over and am getting various pop-ups. The HJT log looked pretty clean before I tried re-starting IE, but afterwards it now looks like this:

Logfile of HijackThis v1.98.2
Scan saved at 17:01:41, on 05/01/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\system32\spm\spmd.exe
C:\Softimage\XSI_4.0\Application\bin\raysatxsi4_0server.exe
C:\Softimage\XSIBatchServeClient_1.5\bin\XSIbServClientd.exe
C:\Softimage\XSIBatchServeClient_1.5\bin\XSIbServClientUI.exe
C:\WINNT\winkg.exe
C:\WINNT\system32\apivc32.exe
C:\WINNT\system32\cmd.exe
C:\WINNT\system32\tibs3.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\gejym.dll/sp.html#26825
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\gejym.dll/sp.html#26825
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\gejym.dll/sp.html#26825
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\gejym.dll/sp.html#26825
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\gejym.dll/sp.html#26825
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\gejym.dll/sp.html#26825
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {B9D54197-F757-991D-CAB8-33E9120131BE} - C:\WINNT\atlbw32.dll
O4 - HKLM\..\Run: [apivc32.exe] C:\WINNT\system32\apivc32.exe
O4 - HKLM\..\Run: [tibs3] C:\WINNT\system32\tibs3.exe
O4 - HKLM\..\RunOnce: [winkg.exe] C:\WINNT\winkg.exe
O4 - Global Startup: XSIBatchServe Control.lnk = C:\Softimage\XSIBatchServeClient_1.5\bin\XSIbServClientUI.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Jellyfish.jellyfish.co.uk
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Jellyfish.jellyfish.co.uk
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = jellyfish.co.uk,easynet.co.uk
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Jellyfish.jellyfish.co.uk
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = jellyfish.co.uk,easynet.co.uk
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = jellyfish.co.uk,easynet.co.uk



Have you got any further suggestions? Gratefully received as always :)

This is the logfile having run through the procedure above without starting IE again, if it's of any use? I won't restart IE for the moment...

thanks again...


Logfile of HijackThis v1.98.2
Scan saved at 17:31:28, on 05/01/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\system32\spm\spmd.exe
C:\Softimage\XSI_4.0\Application\bin\raysatxsi4_0server.exe
C:\Softimage\XSIBatchServeClient_1.5\bin\XSIbServClientd.exe
C:\WINNT\winkg.exe
C:\Softimage\XSIBatchServeClient_1.5\bin\XSIbServClientUI.exe

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {B9D54197-F757-991D-CAB8-33E9120131BE} - C:\WINNT\atlbw32.dll
O4 - HKLM\..\Run: [apivc32.exe] C:\WINNT\system32\apivc32.exe
O4 - HKLM\..\Run: [tibs3] C:\WINNT\system32\tibs3.exe
O4 - Global Startup: XSIBatchServe Control.lnk = C:\Softimage\XSIBatchServeClient_1.5\bin\XSIbServClientUI.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Jellyfish.jellyfish.co.uk
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Jellyfish.jellyfish.co.uk
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = jellyfish.co.uk,easynet.co.uk
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Jellyfish.jellyfish.co.uk
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = jellyfish.co.uk,easynet.co.uk
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = jellyfish.co.uk,easynet.co.uk

[CTSNKY]

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

You should clear out the files in the Prefetch folder. Download prefetch.bat and double click on it to run it.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if main link don't work) and install it. Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes.

Download AboutBuster and unzip it to a folder on your the Desktop. Do not run it yet.

Download FixAgent and unzip it. Run FixAgent.exe. It should fix something. If nothing is fixed, skip to the next step for the HijackThis fixes. If something is found, also download home_missing_114 and unzip it. Run the Home winkey missing batch file. Remember: ONLY run home_missing_114 if FixAgent found something.

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it):

C:\WINNT\winkg.exe
C:\WINNT\system32\apivc32.exe
C:\WINNT\system32\tibs3.exe

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\gejym.dll/sp.html#26825
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\gejym.dll/sp.html#26825
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\gejym.dll/sp.html#26825
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\gejym.dll/sp.html#26825
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\gejym.dll/sp.html#26825
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\gejym.dll/sp.html#26825
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {B9D54197-F757-991D-CAB8-33E9120131BE} - C:\WINNT\atlbw32.dll
O4 - HKLM\..\Run: [apivc32.exe] C:\WINNT\system32\apivc32.exe
O4 - HKLM\..\Run: [tibs3] C:\WINNT\system32\tibs3.exe
O4 - HKLM\..\RunOnce: [winkg.exe] C:\WINNT\winkg.exe

Run AboutBuster and follow the prompts to scan (choose Yes/OK for all). It will ask you if you want a second scan, choose Yes. Save the log file and post it here.

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINNT\winkg.exe
C:\WINNT\system32\apivc32.exe
C:\WINNT\system32\tibs3.exe
C:\WINNT\system32\gejym.dll

Reboot into Normal Mode and post a new HijackThis log file so we can make sure it's clean.

[mattmos]

Hi guys, ok looking more promising:

the about buster log:

-- Scan 1 ---------------------------
about:Buster Version 3.0
Reference List : 15

No ADS found on system
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 ---------------------------
about:Buster Version 3.0
Reference List : 15

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!

.
.
.
and the HJT log:

Logfile of HijackThis v1.98.2
Scan saved at 18:26:40, on 05/01/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\system32\spm\spmd.exe
C:\Softimage\XSI_4.0\Application\bin\raysatxsi4_0server.exe
C:\Softimage\XSIBatchServeClient_1.5\bin\XSIbServClientd.exe
C:\Softimage\XSIBatchServeClient_1.5\bin\XSIbServClientUI.exe

O4 - Global Startup: XSIBatchServe Control.lnk = C:\Softimage\XSIBatchServeClient_1.5\bin\XSIbServClientUI.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Jellyfish.jellyfish.co.uk
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Jellyfish.jellyfish.co.uk
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = jellyfish.co.uk,easynet.co.uk
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Jellyfish.jellyfish.co.uk
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = jellyfish.co.uk,easynet.co.uk
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = jellyfish.co.uk,easynet.co.uk

A quick bit of info in case it's important, I'm using win2kNT and rebooting into 'safe mode with networking' when asked to go to safe mode - hope this doesn't effect anything.

.
.
.
Do you think it is safe to try loading IE again?

Thanks again!
Matt

[CTSNKY]

I say yep.....

Your log is clean.

To help prevent future spyware installations/infections, please read the Anti-Spyware Section (http://www.greyknight17.com/spyware.htm#prevent) and use the tools provided.

Are there any problems now? If not, you should be set to go.

[mattmos]

Excellent! Tis gone, that's a weight off. Thanks a mill for the help, you are all scholars and gentlemen :)

[MicroBell]

mattmos: I do have one question....


O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Jellyfish.jellyfish.co.uk
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Jellyfish.jellyfish.co.uk
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = jellyfish.co.uk,easynet.co.uk
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Jellyfish.jellyfish.co.uk
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = jellyfish.co.uk,easynet.co.uk
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = jellyfish.co.uk,easynet.co.uk

Are these related to your ISP or company network?

[mattmos]

Hi Microbell,

Company is Jellyfish, ISP is easynet I think?

Cheers
Matt