First off, I'm gonna ask you to forgive me both for my amateur computer knowledge and lingo, and my crappy operating system/computer... I know I should just buy a new computer instead of trying to rescue this one, but, alas, I am pretty broke, so I'd appreciate any attempts to salvage this one.
Anyways, by my estimations, I've been hijacked by Coolwwwsearch and associated friends. It all started a few weeks ago on my boyfriend's profile, when apparently some boxes popped up telling him he was infected (I don't know if they were real Norton related files or just the spyware in action). He also got the blue screen telling him that his computer's infected, run virus software, etc., and psguard (red exclamation point with a link to their spyware) was on his toolbar, saying "this computer has been infected".
Since then, most of the work has been done on my profile, which seems to run a little faster and better. On his profile we can't seem to open Norton anymore, although I haven't tried reinstalling because it runs on my profile.
Symptoms: My Internet Explorer has its home page changed to about:blank (search engine with words like Xanax, Viagra and casinos typed in for me), and both [bleep] and search sites have been put into my bookmarks. Of course, all of this returns with reboot even if I change it. Lots of pop-ups (I think most have the header "Only the best" or something like that). Frequent freezing. Dialog boxes popping up and telling me that Windows Firewall has detected suspicious activity, click here to find out how to get rid of spyware. Pretty slow (although it was already). Etc. No blue screen of death on my profile, though.
When I run a Norton full scan, it inevitably finds files infected by Byte.Trojan and Download.Trojan, but even after I "fix" these files, the infection is usually back by next scan.
Ad-Aware keeps on finding lots of CWS stuff, and Spyware S & D keeps on finding CoolWWWSearch.Aff.Winshow and trek blue error nuker, yet even if I get rid of them, they are back after the next reboot. I thought CWShredder would be my saviour, but it keeps on saying that there is no CWS on my computer (I even tried running that extra program that gets rid of the type of CWS that won't let shredder run, but apparently that type of CWS wasn't on my computer).
Panda Active Scan found a whole bunch of spyware, but couldn't disinfect any of it.
My HJT log is below. Any insights on how I can free my computer would be greatly appreciated... although layperson's language is always appreciated.
Logfile of HijackThis v1.99.1
Scan saved at 9:13:30 AM, on 7/26/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\IWP\NPFMNTOR.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SDKNF.EXE
C:\WINDOWS\SYSTEM\ADDTD.EXE
C:\WINDOWS\SYSTEM\MFCPV.EXE
C:\WINDOWS\MSDM32.EXE
C:\WINDOWS\ATLGS.EXE
C:\WINDOWS\D3FS32.EXE
C:\WINDOWS\SYSTEM\D3HT32.EXE
C:\WINDOWS\ADDSD32.EXE
C:\WINDOWS\NETUQ32.EXE
C:\WINDOWS\SYSTEM\WINCC32.EXE
C:\WINDOWS\SYSTEM\NTYM.EXE
C:\WINDOWS\IPEX32.EXE
C:\WINDOWS\SYSTEM\D3MX32.EXE
C:\WINDOWS\WINBJ32.EXE
C:\WINDOWS\D3WW.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\KODAKCCS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\MSN APPS\UPDATER\01.03.0000.1005\EN-CA\MSNAPPAU.EXE
C:\PROGRAM FILES\3DFX INTERACTIVE\3DFX TOOLS\APPS\3DFXMAN.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\WINDOWS\SYSTEM\ATLOP32.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINSM32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
C:\WINDOWS\SYSTEM\D3MX32.EXE
C:\WINDOWS\SDKNF.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\Monwow.exe
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
C:\WINDOWS\PROFILES\NORANN\DESKTOP\HIJACK THIS\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\cxbyy.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\cxbyy.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\cxbyy.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\cxbyy.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\cxbyy.dll/sp.html#93256
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\cxbyy.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AOL
R3 - Default URLSearchHook is missing
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {E741AE57-A145-C804-699C-3AC145BCB876} - C:\WINDOWS\SYSTEM\MSZC32.DLL
O2 - BHO: Class - {DCC69B40-C060-D573-6BED-21A0EA3DBCD1} - C:\WINDOWS\SYSTEM\SYSIV.DLL
O2 - BHO: Class - {99FA4172-70BA-F5F0-EB8D-3E910E0ADD26} - C:\WINDOWS\APPHM.DLL
O2 - BHO: Class - {957A6506-FA99-95EC-8012-78785C25AEF1} - C:\WINDOWS\SYSTEM\IPLP.DLL
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-US\MSNTB.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [KodakCCS] C:\WINDOWS\System32\Drivers\KodakCCS.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [msnappau] "c:\program files\MSN Apps\Updater\01.03.0000.1005\en-ca\msnappau.exe"
O4 - HKLM\..\Run: [3dfx Tools] rundll32.exe 3dfxCmn.dll,CMNUpdateOnBoot
O4 - HKLM\..\Run: [3dfx Task Manager] "C:\Program Files\3dfx Interactive\3dfx Tools\Apps\3dfxMan.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ATLOP32.EXE] C:\WINDOWS\SYSTEM\ATLOP32.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\RunServices: [NPFMonitor] C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O4 - HKLM\..\RunServices: [SDKNF.EXE] C:\WINDOWS\SDKNF.EXE /s
O4 - HKLM\..\RunServices: [ADDTD.EXE] C:\WINDOWS\SYSTEM\ADDTD.EXE /s
O4 - HKLM\..\RunServices: [MFCPV.EXE] C:\WINDOWS\SYSTEM\MFCPV.EXE /s
O4 - HKLM\..\RunServices: [MSDM32.EXE] C:\WINDOWS\MSDM32.EXE /s
O4 - HKLM\..\RunServices: [ATLGS.EXE] C:\WINDOWS\ATLGS.EXE /s
O4 - HKLM\..\RunServices: [D3FS32.EXE] C:\WINDOWS\D3FS32.EXE /s
O4 - HKLM\..\RunServices: [D3HT32.EXE] C:\WINDOWS\SYSTEM\D3HT32.EXE /s
O4 - HKLM\..\RunServices: [ADDSD32.EXE] C:\WINDOWS\ADDSD32.EXE /s
O4 - HKLM\..\RunServices: [NETUQ32.EXE] C:\WINDOWS\NETUQ32.EXE /s
O4 - HKLM\..\RunServices: [WINCC32.EXE] C:\WINDOWS\SYSTEM\WINCC32.EXE /s
O4 - HKLM\..\RunServices: [NTYM.EXE] C:\WINDOWS\SYSTEM\NTYM.EXE /s
O4 - HKLM\..\RunServices: [IPEX32.EXE] C:\WINDOWS\IPEX32.EXE /s
O4 - HKLM\..\RunServices: [D3MX32.EXE] C:\WINDOWS\SYSTEM\D3MX32.EXE /s
O4 - HKLM\..\RunServices: [WINBJ32.EXE] C:\WINDOWS\WINBJ32.EXE /s
O4 - HKLM\..\RunServices: [D3WW.EXE] C:\WINDOWS\D3WW.EXE /s
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsm32.exe
O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - User Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - User Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - User Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsm32.exe
O4 - User Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {82F2D6B2-6C58-4404-A930-9DB0FD90D4B1} (Driver_Detective_v43_Non_Member.DD_v43) - http://www.drivershq..._Non_Member.CAB
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...rl/SymAData.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...sa/LSSupCtl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
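An added triage helper (example code, not part of the original post and not HijackThis's own tooling) that parses HijackThis lines and flags the three patterns visible in the log above: R0/R1 start and search pages redirected to a res:// resource inside a local DLL, O2 BHOs that carry only the generic name "Class" and load from bare C:\WINDOWS, and O4 RunServices autostarts whose key is simply their own filename, sitting directly in C:\WINDOWS or C:\WINDOWS\SYSTEM, launched with /s. The sample log embedded below is a constructed subset copied from the post; the regexes and thresholds are this example's assumptions, not HijackThis rules.

```python
import re

# Constructed sample: a handful of lines copied from the HijackThis log in the post above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\cxbyy.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {E741AE57-A145-C804-699C-3AC145BCB876} - C:\WINDOWS\SYSTEM\MSZC32.DLL
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [SDKNF.EXE] C:\WINDOWS\SDKNF.EXE /s
"""

R_LINE = re.compile(r"^R[01] - (?P<key>.+?) = (?P<value>.*)$")
O2_LINE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
O4_LINE = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\(?:Run|RunServices): \[(?P<key>[^\]]+)\] (?P<cmd>.*)$")
# A bare file directly in C:\WINDOWS or C:\WINDOWS\SYSTEM (no vendor folder); assumed heuristic
WINDIR = re.compile(r"^C:\\WINDOWS(?:\\SYSTEM)?\\[^\\]+$", re.IGNORECASE)

def first_token(cmd: str) -> str:
    """Executable path from a Run command, honouring a quoted path with spaces."""
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ")[0]

def triage(log: str) -> list:
    """Return (line, reason) pairs for entries matching the three CWS patterns."""
    findings = []
    for line in log.splitlines():
        if m := R_LINE.match(line):
            # Start/search page pointed at an HTML resource inside a local DLL
            if m.group("value").lower().startswith("res://"):
                findings.append((line, "IE page redirected to res:// in a local DLL"))
        elif m := O2_LINE.match(line):
            # BHO with only the generic name "Class", loaded from bare C:\WINDOWS
            if m.group("name") == "Class" and WINDIR.match(m.group("path")):
                findings.append((line, "unnamed BHO loaded from C:\\WINDOWS"))
        elif m := O4_LINE.match(line):
            exe = first_token(m.group("cmd"))
            # Autostart whose key is just its own filename, bare in C:\WINDOWS, run with /s
            if (exe.rsplit("\\", 1)[-1].upper() == m.group("key").upper()
                    and WINDIR.match(exe) and m.group("cmd").rstrip().endswith("/s")):
                findings.append((line, "random-named autostart in C:\\WINDOWS with /s"))
    return findings

if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}: {line}")
```

Legitimate entries such as the Norton BHO and the ccEvtMgr service pass through untouched because they have descriptive names and live under their vendor folders; the same rules applied to the full log above flag every R1 res:// line, the four "Class" BHOs, and the fifteen single-filename RunServices entries.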