CoolWeb Search problem 1

[Ngolem]

I am helping a friend with this annoying Hijack.

He is running on

Win98 2nd edition 4.10.2222A
MS ie 6.0.2800.1106 Update SP1

Booting IE results in a coolweb search menu but the address shows it as "About.blank"

We have run in this order the lastest versions of

cwshredder
Spybot
Adaware

*************************************************

followed by Hijacjthis...here is the log from hijackthis

Logfile of HijackThis v1.97.7
Scan saved at 3:37:40 PM, on 1/3/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISSERV.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\IAMAPP.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISUM.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
C:\WINDOWS\SYSTEM\HPOOPM07.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YCOMP.DLL
O2 - BHO: (no name) - {9B607581-5A6F-11D9-8AFD-0010DC98AC3F} - C:\WINDOWS\SYSTEM\IMKI.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YCOMP.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\SYSTEM\hpoopm07.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - Startup: HPAiODevice.lnk = C:\Program Files\Hewlett-Packard\hp psc 700 series\bin\hpodev07.exe
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) -

http://download.yahoo.com/dl/installs/yinst.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -

http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37905.5198148148

O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) -

http://fdl.msn.com/zone/datafiles/heartbeat.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -

http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab

***************************************************

Cwshredder finds no problems
Spybot finds one problem (DOS?? something like that I forget exactly)
Adaware finds 15 objects all related to CoolWebSearch

Starting ie after this results in the same problem with all problem objects reinstalled

Any advice appreciated

Jim

PS: I have seen reference to a tool called "AboutBuster" since we seem to always end up with "About.blank" in our address box...is this tool required to fix this problem?


Jim Broadbent

The quality of the answer is directly proportional to the quality of the problem statement!

 

[Ngolem]

There is another >>>REALLY<<< annoying aspect to this hijacking.

Once you are in IE and you access MSN.com to get Hotmail...as soon as you eter userID and password you see a flash of available mail...then it transfers to this freaken coolWeb search!!!


Jim Broadbent

The quality of the answer is directly proportional to the quality of the problem statement!

 

[diogenes10]

Hi Jim,

It would be good for us to see a log from the newer hijackthis version.

As far as this log is concerned, you can try fixing these lines:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: (no name) - {9B607581-5A6F-11D9-8AFD-0010DC98AC3F} - C:\WINDOWS\SYSTEM\IMKI.DLL
Reboot to safe mode and delete this file:
C:\WINDOWS\SYSTEM\IMKI.DLL
(Go after it in dos mode if you can't get it in safe mode)
And then reset explorer to defaults.
(Tools, Internet options, Programs, Reset websettings.)

I'm not sure if about buster helps with this one, you can try it if you like, there is a symantec tool you can try also, I'll get you a link for it in a minute. (There is a coolwebsearch that puts a number in the R lines, that's the one I know aboutbuster helps with.)

The newer hijackthis may show some additional items to fix.


-------------------------------------
It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?

 

[diogenes10]

Here is the symantec tool, again your R lines are a little different than what I know this helps with, but you can give it a try.

http://securityresponse.symantec.com/avcenter/venc/data/backdoor.agent.b.removal.tool.html

Here's a link for you for current hijackthis and aboutbuster

http://www.subratam.org/?page=removal

-------------------------------------
It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?

 

[Ngolem]

Hi diogenes10

You have made my friend very happy. He has his baby back.

Your first advice did the trick.

It appears that all of the problems are solved. We downloaded a new version of HJT and this is the log that we get now....can you see any lurkers in there that don't belong???

********************************

Logfile of HijackThis v1.99.0
Scan saved at 5:02:06 PM, on 1/5/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISSERV.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\IAMAPP.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISUM.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
C:\WINDOWS\SYSTEM\HPOOPM07.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YCOMP.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YCOMP.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\SYSTEM\hpoopm07.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - Startup: HPAiODevice.lnk = C:\Program Files\Hewlett-Packard\hp psc 700 series\bin\hpodev07.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) -

http://fdl.msn.com/zone/datafiles/heartbeat.cab

**************************

There is one thing that keeps showing up in Spybot S&D...it finds something called DSO Exploit...we fix it but it returns...anything can be done to remove this permanently??

Thanks alot for your help....as always this great board has helped me again


Jim Broadbent

The quality of the answer is directly proportional to the quality of the problem statement!

 

[MeGustaXL]

Hi Jim, and Happy New Year!

Glad to hear you've cleaned your friend's PC
For future reference, take a look at thread760-943407 and download About:Buster from the link in that thread, together with FireFox from

http://www.getfirefox.com

Happy Surfing!

Chris

Varium et mutabile semper Excel

 

[starzwell]

http://www.softwarepatch.com/tips/about-blank-adware.html

Try this link and see if this helps

Steph

Do random nice things for no apparent reason.