CoolWebSearch.HotWorld [RESOLVED]


#1 Graver (New Member, 4 posts)
I have just joined this group in the hopes that someone can help me...

I am the SysAdmin at my company and the big bosses PC has been infected with CoolWebSearch.HotWorld spyware/malware. I have given a few of the free spyware softwares a shot at eliminating it and it keeps coming back. I have purged all of the temporary files as well as the temporary internet files and cookies but still to no avail.

After the minimal progress that I made yesterday he downloaded the latest version of AOL (which detected the first occurrence of CoolWebSearch.HotWorld) and now it is no longer detected. I am posting his "HiJackThis" log in the hopes that someone can help me out.

I have looked on the Web but cannot find any information on this specific variant. Has anyone seen this before? Or can it be AOLism where their software is falsely accusing another process of being malicious?

Here is the HiJackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 12:04:57 PM, on 7/6/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\progra~1\scansoft\paperp~1\pptd40nt.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\PROGRA~1\COMMON~1\AOL\111325~1\EE\AOLHOS~1.EXE
C:\PROGRA~1\COMMON~1\AOL\111325~1\EE\AOLServiceHost.exe
C:\WINNT\explorer.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\WINNT\system32\wuauclt.exe
G:\Spybot Removal\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [PaperPort PTD] c:\progra~1\scansoft\paperp~1\pptd40nt.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1113252036\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: Image Retriever.lnk = C:\Program Files\ScanSoft\PaperPort\xdcla.exe
O4 - Global Startup: superdat.lnk = MCAFEE\SuperDat_Win2000\sdat4528.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe

End of Log File
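As an added example (not from the thread, and not part of HijackThis itself), a small Python triage helper for logs in the format posted above. It parses the `Onn - ...` entries and flags the kinds of lines a helper looks at first: CLSID references whose file is gone (`(no file)`), services HijackThis reports as `Unknown owner`, and autostart entries with no absolute path. The excerpt, `SAMPLE_LOG`, and the flag wording are constructed for the example; the flags are review hints, not verdicts.

```python
import re
from collections import defaultdict

# Constructed excerpt in HijackThis v1.99 log format, modelled on entry
# types that appear in the thread's log; not the complete log from the post.
SAMPLE_LOG = """\
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O4 - HKLM\\..\\Run: [Synchronization Manager] mobsync.exe /logon
O4 - Startup: HotSync Manager.lnk = C:\\Program Files\\palmOne\\HOTSYNC.EXE
O4 - Startup: PowerReg Scheduler.exe
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O23 - Service: McShield - Unknown owner - C:\\Program Files\\Common Files\\Network Associates\\McShield\\Mcshield.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\\WINNT\\System32\\nvsvc32.exe
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")

def parse_entries(text):
    """Return (section, body) pairs for every 'Onn - ...' line; header,
    'Running processes' and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def triage(text):
    """Map each entry body to a list of review flags (heuristics only):
    '(no file)'      - CLSID still registered but its DLL is gone (orphan).
    'Unknown owner'  - HijackThis found no vendor string on the service binary.
    O4 without C:\\  - autostart resolved via PATH at logon; locate it by hand.
    """
    flags = defaultdict(list)
    for section, body in parse_entries(text):
        if body.endswith("(no file)"):
            flags[body].append("orphaned CLSID: no file on disk")
        if section == "O23" and "Unknown owner" in body:
            flags[body].append("service with unknown owner")
        if section == "O4":
            target = body.split(":", 1)[1].strip()          # text after 'Run:' / 'Startup:'
            target = re.sub(r"^\[[^\]]*\]\s*", "", target)  # drop the [Value name]
            target = target.split(" = ", 1)[-1]             # shortcut.lnk = real target
            if not re.match(r'^"?[A-Za-z]:\\', target):
                flags[body].append("no absolute path: resolve via PATH")
    return dict(flags)
```

Run `triage(open("hijackthis.log").read())` on a saved log to list only the entries worth a second look; everything else still needs the usual review, since a full path and a vendor string prove nothing on their own.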

#2 Metallica (Spyware Veteran, GeekU Moderator, 31,675 posts)
Download the Pfind.zip file and extract it to your C:\ folder. This will create a folder called Pfind in C:\pfind. Inside c:\pfind is a file called pfind.bat. Double-click on this file and wait for it to finish. When it is done, it will open up a notepad that contains a log of what it has found. Copy that log as a reply to the topic where you are receiving help.

It is important to note that not all files found with this program are necessarily bad. Please use extreme caution when deleting these files.
Making this log can take quite a while depending on the number of files to be scanned and the speed of the computer.


Regards,

#3 Graver (Topic Starter, New Member, 4 posts)
Thanks for the assistance. Here is the pfind.txt output file...

Files found with this application may be legitimate.
Only remove files that you know are malware related.
Checking the C:\WINNT folder


Checking the C:\WINNT\SYSTEM32 folder


Checking all directories under the C:\WINNT\SYSTEM32\drivers folder


Checking the C:\Documents and Settings\All Users\Start Menu\programs\Startup\ folder



Checking the C:\Documents and Settings\All Users\Application Data folder



Checking the C:\Documents and Settings\OBRIEN\Start Menu\programs\Startup\ folder



Checking the C:\Documents and Settings\OBRIEN\Application Data folder

#4 Metallica (Spyware Veteran, GeekU Moderator, 31,675 posts)
So that came up empty?

Can you do a find files for run.bat ?
If it is found let me know where exactly.

Also open it in notepad and post the content.

Regards,

#5 Graver (Topic Starter, New Member, 4 posts)
I was just as shocked as you... Maybe the newest version of AOL was able to ZAP it out of the system??? I have a hard time believing this but, maybe they actually did something right? Or was the original alarm a false positive?

I ran a full search of the HDD for *.bat after I did not find a run.bat on the system. There are only a few .bat files from AOL that he has for re-establishing IP addresses via the ipconfig commands.

Any other suggestions to see if this PC is still infected?

#6 Metallica (Spyware Veteran, GeekU Moderator, 31,675 posts)
I think you did help when you cleaned out the Temp folders.

I found this info about Hotworld:
http://vil.nai.com/v...nt/v_130370.htm

CWS files are usually packed in a special way and Pfind looks for signs of that, so if the log is clean and the searches come up empty.....
Plus the program that found it in the first place keeps quiet..

I'd say, tell your boss you cleaned it out and ask for a raise. Now's the time. :tazz:

Regards,

#7 Graver (Topic Starter, New Member, 4 posts)
Pieter,

Thanks for the help and I will cut you in for 10% of what I get! :tazz:

Unfortunately... 10% of nothing is still nothing!

Thanks again!

Jim

#8 Metallica (Spyware Veteran, GeekU Moderator, 31,675 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.