PPRuNe Forums - View Single Post - help please
Thread: help please
Old 19th Nov 2004, 13:54
#2
Naples Air Center, Inc.
The Oracle
 
Join Date: Aug 2001
Location: Naples, Florida U.S.A.
Posts: 2,902
Likes: 0
Received 0 Likes on 0 Posts
Devlin Carnet,

You have been hit by several Malware Programs including CoolWebSearch.

These are either Spyware or highly suspect:

C:\Program Files\Windows SyncroAd\SyncroAd.exe

C:\WINDOWS\emsw.exe

C:\WINDOWS\System32\clulegih.exe

C:\Documents and Settings\x\Application Data\osrr.exe

C:\WINDOWS\System32\w?nspool.exe

C:\Program Files\Windows SyncroAd\WinSync.exe

C:\WINDOWS\System32\golumm\services.exe


Now have HJT fix these:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.fast-search.org

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\_s.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.fast-search.org

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.fast-search.org

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fast-search.org

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.fast-search.org

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\_h.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.fast-search.org
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\_s.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.fast-search.org
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.fast-search.org

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fast-search.org

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.fast-search.org

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about :NavigationFailure

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = C:\WINDOWS\_s.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.fast-search.org

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = C:\WINDOWS\_s.html

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = C:\WINDOWS\_h.html

R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = C:\WINDOWS\_h.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about :blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

R3 - Default URLSearchHook is missing

O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteBar\ELITEB~1.DLL

O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteBar\ELITEB~1.DLL

O4 - HKLM\..\Run: [Windows System Object] C:\WINDOWS\system32\winsysrun.vbe

O4 - HKLM\..\Run: [golumm] C:\WINDOWS\System32\golumm\services.exe

O4 - HKLM\..\Run: [Sys29] C:\windows\system32\wintzn32.exe

O4 - HKLM\..\Run: [Windows SyncroAd] C:\Program Files\Windows SyncroAd\SyncroAd.exe

O4 - HKLM\..\Run: [p0] C:\documents and settings\x\local settings\temp\p0.exe

O4 - HKLM\..\Run: [lB] C:\documents and settings\x\local settings\temp\lB.exe

O4 - HKLM\..\Run: [L] C:\documents and settings\ x\local settings\temp\L.exe

O4 - HKLM\..\Run: [emsw.exe] C:\WINDOWS\emsw.exe

O4 - HKCU\..\Run: [Windows System Object] C:\WINDOWS\system32\winsysrun.vbe

O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Alset\HelpExpress\x\HXIUL.EXE

O4 - HKCU\..\Run: [sysinit] C:\WINDOWS\System32\golumm\services.exe

O4 - HKCU\..\Run: [Ko08RgK2U] clulegih.exe

O4 - HKCU\..\Run: [Pldo] C:\Documents and Settings\ x\Application Data\osrr.exe

O4 - HKCU\..\Run: [Ibrx] C:\WINDOWS\System32\w?nspool.exe

O4 - HKCU\..\Run: [emsw.exe] C:\WINDOWS\emsw.exe

O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://C: oo.mhtml!http://81.9.3.86//scripts//dw//chm.chm?id=dp::/win.exe

O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\explorer.cab

O16 - DPF: {12C5D0C2-3DA8-16A4-D9B4-62644D0DFAE7} - http://69.50.188.54/1/gdnUS208.exe

O16 - DPF: {14C85530-DDB3-7953-8BD6-37EC45890F02} - http://69.50.188.54/1/gdnUS208.exe

O16 - DPF: {1E3E231C-9DB4-4AD8-F591-72F6090FDEDE} - http://69.50.188.54/1/gdnUS208.exe

O16 - DPF: {30CE93AE-4987-483C-9ABE-F2BD5301AB70} - http://64.156.31.79/100039/us/ringtone/ringtone.exe

O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildAppNonUS.cab


Once you fix the list above, make sure you run:

Ad-Aware SE Personal Edition 1.05

and

CWShredder

Take Care,

Richard
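The post above picks entries out of a HijackThis log by eye. As an added example (not the poster's code and not part of HijackThis), here is a small Python parser for the HJT line formats quoted in the post (R0/R1 Internet Explorer settings, R3 URLSearchHook, O2/O3 browser add-ons, O4 Run keys, O16 DPF ActiveX objects) that turns each line into a structured record and attaches triage reasons of the kind a helper would look for: start/search settings pointing at an unexpected host or a local HTML file, autoruns from temp or profile directories, bare filenames, script files, system-binary names outside System32, and ActiveX objects fetched from raw IP addresses or via local protocols. The sample lines are copied from the post's log; the triage rules and the MASQUERADE name list are this example's own assumptions, not rules from HJT or the poster.

```python
"""Parse HijackThis (HJT) log lines into structured entries and attach triage
reasons.  Added example: not the poster's tool and not part of HJT.  Sample lines
are copied from the post; the triage rules and MASQUERADE list are assumptions."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse

@dataclass
class Entry:
    code: str                     # HJT section: R0, R1, R3, O2, O3, O4, O16
    raw: str
    hive: Optional[str] = None    # HKCU / HKLM for registry-backed entries
    key: Optional[str] = None     # registry subkey (R entries) or Run key (O4)
    name: Optional[str] = None    # value name, Run-key label or add-on title
    clsid: Optional[str] = None
    target: Optional[str] = None  # URL, file path or command the entry points at
    reasons: List[str] = field(default_factory=list)

# One regex per HJT section layout that appears in the post.
RE_O4 = re.compile(r"^(O4) - (HKCU|HKLM)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
RE_O2O3 = re.compile(r"^(O[23]) - (?:BHO|Toolbar): (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")
RE_O16 = re.compile(r"^(O16) - DPF: (\{[0-9A-Fa-f-]{36}\}) - (.*)$")
RE_R = re.compile(r"^(R[0-3]) - (HKCU|HKLM)\\(.+?),(.+?) = (.*)$")
IE_NAV_KEYS = ("start page", "search", "default_page")  # settings hijackers rewrite
LOCAL_HTML = re.compile(r"^[a-z]:\\windows\\[^\\]*\.html?$", re.I)
TEMP_OR_PROFILE = re.compile(r"\\(local settings\\temp|application data)\\", re.I)
MASQUERADE = {"services.exe", "svchost.exe", "lsass.exe", "winlogon.exe"}  # assumption

def parse_line(line: str) -> Optional[Entry]:
    line = line.strip()
    if not line:
        return None
    if m := RE_O4.match(line):
        return Entry(m[1], line, hive=m[2], key=m[3], name=m[4], target=m[5])
    if m := RE_O2O3.match(line):
        return Entry(m[1], line, name=m[2], clsid=m[3], target=m[4])
    if m := RE_O16.match(line):
        return Entry(m[1], line, clsid=m[2], target=m[3])
    if m := RE_R.match(line):
        return Entry(m[1], line, hive=m[2], key=m[3], name=m[4], target=m[5])
    return Entry(line.split(" - ", 1)[0], line)  # e.g. "R3 - ... is missing"

def assess(e: Entry) -> Entry:
    # Attach triage reasons; an empty list means nothing structurally notable.
    t = e.target or ""
    if e.code in ("R0", "R1") and any(k in f"{e.key},{e.name}".lower() for k in IE_NAV_KEYS):
        if t.lower().startswith("http") and urlparse(t).hostname:
            e.reasons.append(f"IE {e.name} redirected to {urlparse(t).hostname}")
        elif LOCAL_HTML.match(t):
            e.reasons.append(f"IE {e.name} points at local file {t}")
    elif e.code == "R3" and "missing" in e.raw:
        e.reasons.append("default URLSearchHook entry removed")
    elif e.code in ("O2", "O3"):
        e.reasons.append(f"browser add-on {e.name} loads {t}")
    elif e.code == "O4":  # several independent checks may apply to one entry
        if TEMP_OR_PROFILE.search(t):
            e.reasons.append("autorun from temp/profile directory")
        if "\\" not in t:
            e.reasons.append("autorun by bare filename (resolved via search path)")
        if t.lower().endswith((".vbe", ".vbs")):
            e.reasons.append("autorun of a script file")
        if re.search(r'[?*"<>|]', t):
            e.reasons.append("path contains a character invalid in Windows filenames")
        folder, _, base = t.lower().rpartition("\\")
        if base in MASQUERADE and folder != "c:\\windows\\system32":
            e.reasons.append(f"system binary name {base} outside System32")
    elif e.code == "O16":
        if t.lower().startswith(("ms-its:", "file:")):
            e.reasons.append("ActiveX object loaded via local/ms-its protocol")
        else:
            host = urlparse(t).hostname or ""
            if re.fullmatch(r"[\d.]+", host):
                e.reasons.append(f"ActiveX download from raw IP {host}")
            elif not t.lower().endswith(".cab"):
                e.reasons.append("ActiveX entry points at a non-CAB object")
    return e

def triage(log_text: str) -> List[Entry]:
    return [assess(e) for e in map(parse_line, log_text.splitlines()) if e]

def summarize(entries: List[Entry]) -> dict:
    # Number of flagged entries per HJT section code.
    return dict(Counter(e.code for e in entries if e.reasons))

# Lines copied from the post's HJT log (a representative subset).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.fast-search.org
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\_s.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell
R3 - Default URLSearchHook is missing
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteBar\ELITEB~1.DLL
O4 - HKLM\..\Run: [Windows System Object] C:\WINDOWS\system32\winsysrun.vbe
O4 - HKLM\..\Run: [golumm] C:\WINDOWS\System32\golumm\services.exe
O4 - HKLM\..\Run: [p0] C:\documents and settings\x\local settings\temp\p0.exe
O4 - HKCU\..\Run: [Ko08RgK2U] clulegih.exe
O4 - HKCU\..\Run: [Ibrx] C:\WINDOWS\System32\w?nspool.exe
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\explorer.cab
O16 - DPF: {12C5D0C2-3DA8-16A4-D9B4-62644D0DFAE7} - http://69.50.188.54/1/gdnUS208.exe
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildAppNonUS.cab
"""
```

Run `triage(SAMPLE_LOG)` and print the entries whose `reasons` list is non-empty to get a shortlist; `summarize()` gives the per-section counts. The checks are structural only (where a path lives, what protocol an object uses), so an entry with no reasons is not cleared; it simply needs a lookup of the file itself, which is why the post lists SyncroAd.exe and emsw.exe separately even though their Run-key lines look ordinary.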