Malware Problem

  babybell 19:12 01 Jun 2005

Hey Guys,

Friend's laptop urgently needs help. He cannot access the internet, as whatever address he types in is always directed to an ad website. I ran McAfee and it found a trojan, which I removed; I have run Ad-Aware and it found some bad registry entries, which I removed; and now Spybot has found Hotbar, CoolWWWSearch and all that junk. However, I remove the offending items and they appear again if I run the scan again. Also, sex pages are appearing in my Favourites folder, and if I delete them and watch carefully, suddenly they all reappear in front of my very eyes. Please help!

  Indigo 1 19:18 01 Jun 2005

First, you may need to disable System Restore before you run a scan, as it could be hiding there and reappear each time you reboot, but be aware that disabling System Restore will delete all your restore points; you can re-enable it afterwards.
Right-click the My Computer icon, select Properties, click on the restore tab and untick the box.

Second, you might need to use more than one tool to remove it. Ad-Aware SE is highly recommended: click here

As is Spybot S&D: click here

Also SpywareBlaster (click here) to prevent them getting in.

And one more that I would recommend is Ewido (click here), which is free to try; the only restriction for not purchasing is that you have to update and run it manually.

You must update all these products before you actually use them, each time.

  eedcam 19:18 01 Jun 2005

You could try A2; it finds malware that Spybot misses: click here

  babybell 19:36 01 Jun 2005

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = click here
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = click here
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = click here
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = click here
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = click here
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = click here
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = click here
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = click here
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = click here
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = click here
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = click here
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = click here
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = click here
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = click here
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = click here
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = click here
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Ati2cwxx] Ati2cwxx.exe
O4 - HKLM\..\Run: [AtiGart] c:\Ati\Gart\AtiGart.exe
O4 - HKLM\..\Run: [ATIPOLAB] ati2plab.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaab.exe
O4 - HKLM\..\Run: [ServiceLayer] C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb07.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding
O4 - Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\hpis\bin\matcli.exe
O4 - Startup: hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
O4 - Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O12 - Plugin for .mov: C:\Program Files\Netscape\Communicator\Program\PLUGINS\NPQTW32.DLL
O13 - DefaultPrefix: click here=
O13 - WWW Prefix: click here=
O13 - Home Prefix: click here=
O13 - Mosaic Prefix: click here=
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} ( Operating System Class) - click here
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - click here
O21 - SSODL: OLE Module - {03B1C4D9-BC71-8916-38AD-9DEA5D213614} - C:\WINDOWS\SYSTEM\rch.dll
O21 - SSODL: DDE Module - {DABB23E9-AC0D-3740-E3E5-4B37C80837E5} - C:\WINDOWS\SYSTEM\wirl.dll
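
The log above is the thread's most useful evidence. As an added example (my own code, not part of the original post or of HijackThis, Spybot or any other tool named here), the script below parses HijackThis-style lines and flags the entries that account for the symptoms: the two O21 SSODL DLLs in C:\WINDOWS\SYSTEM (Explorer loads ShellServiceObjectDelayLoad objects at every logon, which is how a hijack can be re-applied after each cleanup), the O13 prefix overrides, and the cluster of R0/R1 keys all pointing at one address. The allowlist of stock SSODL names and the "three or more keys share one value" threshold are my own heuristics, not a published list; the sample lines are copied from the log, with the forum's "click here" placeholder standing in for the real URLs.

```python
"""Triage a HijackThis-style log before handing it to a removal forum.

Added example for this thread; the KNOWN_SSODL allowlist and the
min_shared threshold are assumptions chosen for illustration.
"""
import re
from collections import Counter
from dataclasses import dataclass

# A HijackThis line is "<section code> - <body>", e.g.
#   "R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = <url>"
#   "O21 - SSODL: OLE Module - {CLSID} - C:\WINDOWS\SYSTEM\rch.dll"
LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2})\s+-\s+(?P<body>.*)$")

# Assumption: SSODL names a stock Windows 9x/ME/2000 install registers.
# Anything else is loaded by Explorer at every logon and deserves a look.
KNOWN_SSODL = {"webcheck", "systray", "network.connectiontray"}

# Values several IE start/search keys may legitimately share.
HARMLESS_VALUES = {"", "about:blank"}


@dataclass(frozen=True)
class Finding:
    code: str
    severity: str
    reason: str
    line: str


def parse_line(raw):
    """Return (section code, body), or None for header/blank lines."""
    m = LINE_RE.match(raw.strip())
    return (m.group("code"), m.group("body")) if m else None


def ssodl_name(body):
    """'SSODL: OLE Module - {CLSID} - path' -> 'ole module'."""
    after_tag = body.split(":", 1)[1] if ":" in body else body
    return after_tag.split(" - ", 1)[0].strip().lower()


def registry_value(body):
    """'HKCU\\...\\Main,Start Page = X' -> ('HKCU\\...\\Main,Start Page', 'X')."""
    key, sep, value = body.partition(" = ")
    return key.strip(), (value.strip() if sep else "")


def triage(log_text, min_shared=3):
    findings = []
    ie_keys = []  # (code, key, value, raw) for every R0/R1 line
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        code, body = parsed
        if code == "O21":
            if ssodl_name(body) not in KNOWN_SSODL:
                findings.append(Finding(code, "high",
                    "unknown ShellServiceObjectDelayLoad DLL; Explorer loads it at "
                    "every logon, so it can restore the hijack after each cleanup",
                    raw))
        elif code == "O13":
            # "DefaultPrefix: value". IE prepends the prefix to bare hostnames,
            # so anything other than http:// sends every typed address elsewhere.
            _, _, value = body.partition(": ")
            if not value.strip().startswith("http://"):
                findings.append(Finding(code, "medium",
                    "URL prefix overridden: " + value.strip(), raw))
        elif code in ("R0", "R1"):
            key, value = registry_value(body)
            ie_keys.append((code, key, value, raw))
    # A hijacker usually points start page, search page and search assistant
    # at one address; the same odd value across many keys is the tell.
    shared = Counter(value for _, _, value, _ in ie_keys)
    for code, key, value, raw in ie_keys:
        if value not in HARMLESS_VALUES and shared[value] >= min_shared:
            findings.append(Finding(code, "medium",
                f"{shared[value]} IE keys share the target {value!r}", raw))
    return findings


# Constructed sample: lines copied from the log in this thread. The forum
# software replaced the real addresses with "click here", so that placeholder
# plays the role of the hijacker's URL here.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = click here
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = click here
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = click here
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = click here
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O13 - DefaultPrefix: click here=
O13 - WWW Prefix: click here=
O21 - SSODL: OLE Module - {03B1C4D9-BC71-8916-38AD-9DEA5D213614} - C:\WINDOWS\SYSTEM\rch.dll
O21 - SSODL: DDE Module - {DABB23E9-AC0D-3740-E3E5-4B37C80837E5} - C:\WINDOWS\SYSTEM\wirl.dll
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.code}: {f.reason}\n         {f.line}")
```

Run on the sample, it reports the two O21 DLLs as high, the O13 prefixes and the four R0/R1 keys as medium, and stays quiet about the Spybot BHO, the ScanRegistry run entry and the Freeserve window title. The design choice is to flag by mechanism (a delayed-load shell object, a URL prefix, a cluster of search keys) rather than by name, because the DLL names in this log are random and a name-based list would miss the next variant; the result is a short list to check against a trusted source, not a verdict.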

  Fruit Bat /\0/\ 19:40 01 Jun 2005

Post the complete log, including the header, at the Malware Removal forum (click here); the experts there will help you with this one.

It is very heavily infected with nowfind.

  Jak_1 20:02 01 Jun 2005

Sounds like coolweb; download CWShredder and that will sort the problem.

click here
