Another Coolwebsearch Infection



Hi,

I have completed the steps you posted on a 2nd laptop that was affected by coolwebsearch. Everything looks ok now. Can you please have a look at the log to confirm if I have been successful in removing it?

Logfile of HijackThis v1.99.1

Scan saved at 16:01:16, on 27/07/05

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\System32\ibmpmsvc.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\PROGRA~1\PEREGR~1\DESKTO~1\bin\iftlsnr.exe

C:\WINNT\floplock.exe

C:\Program Files\BT Digital Access USB\vstartx.exe

C:\Program Files\BT Digital Access USB\gisdnlog.exe

C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

C:\Program Files\Network Associates\VirusScan\mcshield.exe

C:\Program Files\Network Associates\VirusScan\vstskmgr.exe

C:\program files\notes\ntmulti.exe

C:\WINNT\system32\NALNTSRV.EXE

C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\System32\mspmspsv.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\wm.exe

C:\NOVELL\ZENRC\wuser32.exe

C:\NOVELL\ZENRC\WUOLService.exe

C:\WINNT\Explorer.EXE

C:\WINNT\system32\tp4serv.exe

C:\WINNT\system32\ltmsg.exe

C:\WINNT\system32\PRPCUI.exe

C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE

C:\WINNT\system32\RunDll32.exe

C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe

C:\WINNT\System32\dpmw32.exe

C:\WINNT\system32\NWTRAY.EXE

C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe

C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE

C:\Program Files\Common Files\XCPCSync\Translators\LtNts4\NtsAgent.exe

C:\Program Files\BT Digital Access USB\gsyno.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\QuickTime\qttask.exe

C:\WINNT\system32\internat.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\admcouplac\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://campbellcorner.soups.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 195.51.87.140:8080

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 213.*;170.*;*.soups.com;194.253.155.19;62.185.95.179;62.185.95.184;<local>

O1 - Hosts: 170.230.110.20 ocie

O1 - Hosts: 170.230.107.200 ftp.campbellplace.com www.campbellplace.com

O1 - Hosts: 194.118.99.14 GBBSERVER1 KGLHUB01

O1 - Hosts: 213.62.238.230 GBBIPMS

O1 - Hosts: 195.118.243.105 GBCAMP01 GBCAMP01-IP

O1 - Hosts: 195.51.85.1 PUURS

O1 - Hosts: 195.118.243.101 GBBDGM1

O1 - Hosts: 32.77.1.31 DMCAMUS02

O1 - Hosts: 32.77.1.28 DMCAMUS06

O1 - Hosts: 170.230.46.6 DACAMUS04 DACAMUS04.SOUPS.COM

O1 - Hosts: 170.230.115.80 campbellcorner

O1 - Hosts: 213.62.238.15 DMKGLUK01

O1 - Hosts: 195.118.243.108 DHDIEBE01

O1 - Hosts: 195.118.243.100 Y2CAMD00 Y2CAMD00-IP

O1 - Hosts: 194.253.61.57 COMFIERY

O1 - Hosts: 194.253.61.73 GENFIERY

O1 - Hosts: 213.62.238.49 GBBTOWER

O1 - Hosts: 203.8.80.233 DMSYDAU01

O1 - Hosts: 203.8.80.234 DMSYDAU02

O1 - Hosts: 141.94.135.6 FIREWALL1

O1 - Hosts: 141.94.135.4 FIREWALL2

O1 - Hosts: 213.62.238.12 EKGLAPP02

O1 - Hosts: 213.62.238.20 EKGLCMB01

O1 - Hosts: 170.230.105.27 DACAMUS02

O1 - Hosts: 128.1.0.9 S4441272

O1 - Hosts: 128.1.0.10 CBS270

O1 - Hosts: 195.118.243.109 EURAPP01

O1 - Hosts: 213.62.238.11 GBBSERVER2

O1 - Hosts: 213.62.238.23 GBBSQL

O1 - Hosts: 170.230.236.44 GBBCOGNOS

O1 - Hosts: 170.230.113.75 CAMPBELLDW01

O1 - Hosts: 213.62.238.17 DAKGLUK01

O1 - Hosts: 170.230.185.20 DMASHUK10

O1 - Hosts: 170.230.240.20 DMWORUK10

O1 - Hosts: 170.230.197.20 DMCRAUK10

O1 - Hosts: 213.62.238.30 GBBPSOFT

O1 - Hosts: 213.62.238.40 GBBIPMS2

O1 - Hosts: 213.62.238.5 FIREWALL

O1 - Hosts: 195.118.243.110 EUCAMD00

O1 - Hosts: 170.230.113.75 WHQDWH41

O1 - Hosts: 170.230.104.217 DDACAMUS01

O1 - Hosts: 170.230.240.15 EWORCMB01

O1 - Hosts: 170.230.185.15 EASHCMB01

O1 - Hosts: 170.230.197.50 ECRACMB01

O1 - Hosts: 170.230.191.3 DMDUNFR10

O1 - Hosts: 213.62.238.34 GBBCITRIX

O1 - Hosts: 213.62.238.18 EKGLAPP04

O1 - Hosts: 170.230.185.20 DMASHUK10

O1 - Hosts: 170.230.189.178 DAKARSE01

O1 - Hosts: 170.230.113.149 psacpt PSACPT

O1 - Hosts: 170.230.128.36 DMTORCA01

O1 - Hosts: 170.230.243.9 CAMBOURNE-UNITY

O1 - Hosts: 170.230.243.7 CAMBOURNE-PUB

O1 - Hosts: 170.230.215.123 DMHBUAU10

O1 - Hosts: 170.230.115.101 DMCAMUS12

O1 - Hosts: 170.230.46.11 DMCAMUS10

O1 - Hosts: 213.62.238.25 DGKGLUK01

O1 - Hosts: 170.230.236.42 DMCAMUK10

O1 - Hosts: 170.230.115.80 CAMPBELLCORNER

O1 - Hosts: 195.51.83.8 DMBOUFR10

O1 - Hosts: 170.230.113.198 DCCAMUS01

O1 - Hosts: 213.62.238.33 EKGLAPP07

O1 - Hosts: 170.230.236.40 ECAMCMB01

O1 - Hosts: 213.62.238.28 DANOSBE01

O1 - Hosts: 213.62.238.26 DSDIEBE01

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe

O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9

O4 - HKLM\..\Run: [tourpath] regedit /s c:\winnt\tour.reg

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe

O4 - HKLM\..\Run: [TP4EX] tp4ex.exe

O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE

O4 - HKLM\..\Run: [bMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor

O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe

O4 - HKLM\..\Run: [ConfigSafe] C:\CFGSAFE\NTFSCLUP.EXE

O4 - HKLM\..\Run: [CSScheduleCheck] C:\CFGSAFE\SCHWIZEX.EXE -CHECK

O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"

O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"

O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN

O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"

O4 - HKLM\..\Run: [NDPS] C:\WINNT\System32\dpmw32.exe

O4 - HKLM\..\Run: [ZENRC Tray Icon] zentray.exe

O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [EasySync Pro - LtNts4] C:\Program Files\Common Files\XCPCSync\Translators\LtNts4\NtsAgent.exe

O4 - HKLM\..\Run: [EasySync Pro] C:\Program Files\Common Files\XCPCMenu.exe

O4 - HKLM\..\Run: [GazelDisplay] "C:\Program Files\BT Digital Access USB\gsyno.exe" -h

O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [internat.exe] internat.exe

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=about:blank

O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} (Support.com ActionRunner Class) - https://www-3.ibm.com/pc/support/access/sdc...oad/tgctlar.cab

O16 - DPF: {01111E00-3E00-11D2-8470-0060089874ED} (Support.com SmartIssue) - https://www-3.ibm.com/pc/support/access/sdc...oad/tgctlsi.cab

O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://dccamus01.soups.com/qp2.cab

O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www-3.ibm.com/pc/support/access/sdc...ad/IbmEgath.cab

O16 - DPF: {95E52A86-61B2-11D6-976A-00B0D09A3628} (ProjectBPSInterface3.BPSInterface3) - http://worldpanel.tns-global.com/Worldpane...SInterface3.CAB

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = eu.cpb.com

O17 - HKLM\System\CCS\Services\Tcpip\..\{3A22ECFD-1D48-4F30-A047-F4AB3D5657DC}: Domain = europe.soups.com

O17 - HKLM\System\CCS\Services\Tcpip\..\{B8FFE0DF-1558-4B64-A3B7-2285A3E7CFE7}: NameServer = 170.230.236.46,170.230.236.36

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = eu.cpb.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = eu.cpb.com,cpb.com,europe.soups.com,soups.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = eu.cpb.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = eu.cpb.com,cpb.com,europe.soups.com,soups.com

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = eu.cpb.com,cpb.com,europe.soups.com,soups.com

O23 - Service: Peregrine Listener 6.0.1 (agtlsnr601) - Peregrine Systems, Inc. - C:\PROGRA~1\PEREGR~1\DESKTO~1\bin\iftlsnr.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe

O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINNT\system32\cusrvc.exe

O23 - Service: Client Access Express Remote Command (Cwbrxd) - IBM Corporation - C:\WINNT\CWBRXD.EXE

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: floppylock - Unknown owner - C:\WINNT\floplock.exe

O23 - Service: BT Digital Access USB start up (Gazel Startup) - Unknown owner - C:\Program Files\BT Digital Access USB\vstartx.exe" /s (file missing)

O23 - Service: ISDN connection log (GisdnLog) - Unknown owner - C:\Program Files\BT Digital Access USB\gisdnlog.exe" -s (file missing)

O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\System32\ibmpmsvc.exe

O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe

O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe

O23 - Service: Multi-user Cleanup Service - Unknown owner - C:\program files\notes\ntmulti.exe

O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\WINNT\system32\NALNTSRV.EXE

O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE

O23 - Service: Remote management (Novell WUser Agent) - Novell, Inc. - C:\NOVELL\ZENRC\wuser32.exe

O23 - Service: PictureTaker - LANovation - C:\WINNT\System32\PCTKRNT.SYS

O23 - Service: Novell Workstation Manager (WM) - Novell, Inc. - C:\WINNT\System32\wm.exe

O23 - Service: WUOLservice (WUOLService) - Novell, Inc. - C:\NOVELL\ZENRC\WUOLService.exe

Thanks,

Claire


Hi cromwell_4 and welcome to Best Techie!

Have you altered your Hosts file at all? It has a lot of interesting entries.

I need to see a copy of your Hosts file and a HijackThis log from Normal Mode please!

Open HijackThis-> Click Config-> Click Misc Tools-> Click Open Hosts File Manager-> Click Open in Notepad->

Copy&Paste the entire Contents of that Notepad Page to your Next Post!

Thanks,

:thumbsup:

Excal
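An added example, not part of this thread or of HijackThis itself: a small Python triage script that parses entries in the HijackThis log format shown above, pulls out the Internet Explorer start page and proxy settings (R0/R1 lines) and the hosts-file entries (O1 lines), and flags hostnames that are mapped to more than one address or redirected to the loopback address, which is the kind of thing a helper looks for when asking for the hosts file. The log text is a constructed sample with reserved example addresses, not Claire's log.

```python
import re
from collections import defaultdict

# Constructed sample in HijackThis v1.99 entry format (not the log from the post).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://example.invalid/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.0.2.10:8080
O1 - Hosts: 192.0.2.20 ftp.example.invalid www.example.invalid
O1 - Hosts: 192.0.2.21 APPSERVER1 APPSERVER1-IP
O1 - Hosts: 192.0.2.22 appserver1
O1 - Hosts: 127.0.0.1 download.example-av.invalid
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
"""

# Every HijackThis finding starts with a section code (R0, O1, O23, ...) followed by " - ".
ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")

def parse_entries(log_text):
    """Return (code, body) tuples for each entry line; headers and process paths are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def ie_settings(entries):
    """Collect R0/R1 registry values keyed by value name, e.g. 'Start Page', 'ProxyServer'."""
    settings = {}
    for code, body in entries:
        if code in ("R0", "R1") and " =" in body:
            key, _, value = body.partition(" =")
            settings[key.rsplit(",", 1)[-1]] = value.strip()   # empty string if unset
    return settings

def hosts_entries(entries):
    """Map each hostname from the O1 lines (case-folded) to the set of IPs it is pinned to."""
    mapping = defaultdict(set)
    for code, body in entries:
        if code == "O1" and body.startswith("Hosts:"):
            ip, *names = body[len("Hosts:"):].split()
            for name in names:
                mapping[name.lower()].add(ip)
    return mapping

def hosts_findings(mapping):
    """Flag names pinned to several IPs and names sinkholed to loopback/unspecified addresses."""
    findings = []
    for name, ips in sorted(mapping.items()):
        if len(ips) > 1:
            findings.append(("conflict", name, sorted(ips)))
        sinkholed = ips & {"127.0.0.1", "0.0.0.0"}
        if sinkholed and name not in ("localhost", "localhost.localdomain"):
            findings.append(("sinkhole", name, sorted(sinkholed)))
    return findings

if __name__ == "__main__":
    entries = parse_entries(SAMPLE_LOG)
    print(ie_settings(entries))
    print(hosts_findings(hosts_entries(entries)))
```

Run it against a real log by reading the file into `parse_entries`; a "conflict" finding means the same name appears with different addresses and deserves a question, while a "sinkhole" finding shows a name being silently redirected to the local machine.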
