HELP!!! ***res://<random>.dll/<random>.html#<random>*** HELP!!!


The Stull Demon

Hi.

Trying to remove BRAND *NEW* VARIANT of CoolWebSearch Malware from my
75-year old Dad's PC. NOTHING WORKS. Do not suggest *ANYTHING* old. I
REPEAT: DO NOT SUGGEST ANY OLD IDEAS!!! I've tried *EVERYTHING* that
is *OLD*. OK? Don't tell me to use the shredder - it DOES NOT WORK.
Don't tell me to use Ad-Aware or *ANY* of the current spyware removers
-- THEY DO NOT WORK!!! DON'T SUGGEST ANYTHING THAT'S NOT BRAND NEW!!!
So... with that in mind... this is a variant that DOES NOT have a
current fix. Understand??? Could someone please develop one? SOON? And
can we find the bastards that created this BRAND NEW CWS variant and
try and convict and sentence them --- ASAP???!!! Cuz they suck.

Here's the scan that hijackthis created:

Logfile of HijackThis v1.97.7
Scan saved at 2:03:17 PM, on 6/28/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\winbu.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\Winampa.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\crkz32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\PROGRA~1\Netscape\NETSCA~1\Netscp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Documents and Settings\[name]\Local Settings\Temp\Temporary Directory 6 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\whwwf.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://whwwf.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://whwwf.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\whwwf.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://whwwf.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\whwwf.dll/sp.html#96676
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\[name]\Application Data\Mozilla\Profiles\default\w0kzwsxi.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\[name]\Application Data\Mozilla\Profiles\default\w0kzwsxi.slt\prefs.js)
O2 - BHO: (no name) -



OK, NOW WHAT???!!!
 

Carey Frisch [MVP]

Since you tried "everything", then you need to prepare
for a "clean install" of Windows XP.

The Windows XP CD is bootable and contains all the tools necessary
to partition and format your drive. Follow this procedure and allow
Windows XP to partition and format your drive:

NOTE: It would be best to physically disconnect all your peripheral hardware
devices, except the monitor, mouse and keyboard, before installing XP.

NOTE: If you have an internal Zip Drive installed, physically disconnect the
EIDE and power cable to it before proceeding, otherwise your main
hard drive may not be assigned the customary C: drive letter.
After installing Windows XP, you may then reconnect it.

1. Open your BIOS and set your "CD Drive as the first bootable device".

===> Accessing Motherboard BIOS
===> http://www.michaelstevenstech.com/bios_manufacturer.htm

2. Insert your Windows XP CD in the CD Drive and reboot your computer.
3. You'll see a message to boot to the CD....follow the instructions.
4. The setup menu will appear and you should elect to delete all the existing
Windows partitions, then create a new partition, then format the primary
partition (preferably NTFS) and proceed to install Windows XP.

5. Clean Install Windows XP
http://michaelstevenstech.com/cleanxpinstall.html

[Courtesy of Michael Stevens, MS-MVP]

6. ==> Immediately after installing Windows XP, turn on XP's Firewall.
==> http://www.microsoft.com/security/protect/

7. After Windows XP is installed, visit the Windows Update website
and download the available "Critical Updates".

8. After installing the critical updates, be sure and visit the support website
of the manufacturer of the computer to download and install any
available Windows XP compatible drivers, such as video adapter
and audio drivers.

9. If you happen to run into any installation difficulties, use the following resources:

How to Troubleshoot Windows XP Problems During Installation
http://support.microsoft.com/default.aspx?scid=kb;EN-US;310064

Troubleshooting Windows XP Setup
http://www.kellys-korner-xp.com/xp_setup.htm

[Courtesy of MS-MVP Kelly Theriot]

To secure your computer and prevent possible future security breaches,
consider installing a first-rate, comprehensive, internet security program:

Norton Internet Security 2004
http://www.symantec.com/sabu/nis/nis_pe/

-- Includes Norton AntiVirus 2004
-- Includes Norton Personal Firewall
-- Includes prevention of annoying web pop-ups
-- Includes Parental Controls
-- All in one, easy-to-install package

--
Carey Frisch
Microsoft MVP
Windows XP - Shell/User

Be Smart! Protect your PC!
http://www.microsoft.com/security/protect/


Savut

Deal with crkz32.exe and winbu.exe; they are unknown to me.
Take them out of the startup.
Reinstall IE6 and tools.

Savut
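
A triage sketch for the kind of HijackThis log posted in this thread, added here as an example and not part of any poster's message: it flags R0/R1 browser settings that point at a `res://` page inside a DLL, and running processes that sit directly in the Windows directory. The `triage` function and the `EXPECTED_IN_WINDIR` allow-list are assumptions made for illustration; the output is a list of candidates to review, not a verdict.

```python
import re
from pathlib import PureWindowsPath

# Excerpt of the HijackThis log posted in this thread, wrapped lines rejoined.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\winbu.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\crkz32.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\whwwf.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://whwwf.dll/index.html#96676
"""

ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
RES_URL = re.compile(r"res://(?P<dll>[^/]+\.dll)/(?P<page>[^#\s]+)", re.I)
# Assumption: illustrative allow-list, not a complete inventory of Windows XP.
EXPECTED_IN_WINDIR = {"explorer.exe"}

def triage(log_text):
    """Return (kind, location, file name) tuples worth a manual look."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        entry = ENTRY.match(line)
        if entry:
            in_processes = False  # the entry list follows the process list
            if entry["code"] in ("R0", "R1"):
                key, _, value = entry["body"].partition(" = ")
                res = RES_URL.search(value)
                if res:
                    # The DLL may be given as a bare name or a full path.
                    dll = PureWindowsPath(res["dll"]).name.lower()
                    findings.append(("res-hijack", key, dll))
        elif in_processes and line:
            path = PureWindowsPath(line)
            in_windir = str(path.parent).lower() == r"c:\windows"
            if in_windir and path.name.lower() not in EXPECTED_IN_WINDIR:
                findings.append(("windir-process", str(path), path.name.lower()))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```
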

 
