Hijacked, maybe CoolWebSearch

[computingdoc]

I've been reading the "preliminary instructions ..." document with interest. I'm working on an infected computer as a "pro bono" favor. The machine's Norton Security Center was allowed to lapse in August, 2007. I persuaded the owner to renew his Norton software and it now runs on the computer. The computer is plagued with popups, some of which seem to be security warnings from the Windows XP system and others from a Internet Explorer which pops up by itself occasionally. The "security warning" popups sometimes have misspellings in them. One of them talks about "black door" trojans. Most all of the popups try to get the user to click to download some sort of software remedy for malware or viruses. Now that Norton is running, it is trapping various viruses every couple of minutes and mentioning a "downloader" as the type. I cannot get the computer to boot into Safe Mode, but I can get it to go into Safe Mode with Command Prompt. I found a suspicious DLL file with a random looking name, but I couldn't delete it, even in Safe Mode with Command Prompt. I was going to try to use KillBox, but then I discovered your step-by-step process and decided to work through that. Tools 2 and 3 in Step 10 seemed to fix some things and Norton had mentioned the Vundo virus on occasion. When I was looking at the problem more haphazardly, I think that I saw some things mentioning the CoolWebSearch trojan (right term?). The IE popups have been pornagraphic a couple of times, but usually are "security" websites, trying to encourage downloads.

I really appreciate the availability of tools for this type of problem. Thanks to all that contribute to the effort.

 

[howard_hopkinso]

Hello and welcome to Techspot.

That system sounds as if it`s in a right old state. TBH, Norton is one of the worst choices anyone can make in an AV programme. Not only is a system resource hog, but it`s not that good at killing infections either.

I suggest you post the requested log files once you`re done. I can then advise you further.

Regards Howard :wave: :wave:

This thread is for the use of computingdoc only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[computingdoc]

Thanks

Thanks Howard for the reply and willingness to help. I agree on your assessment of Norton. I use Zone Labs myself, but there's a money problem for the computer I'm volunteering with, so Norton will have to stay. I'm going to be back on the job on Sunday.

Computing Doc

 

[howard_hopkinso]

Money, should never be a problem when it comes to security software. There are lots of very good free programme available and all of them are preferable to that Symantec/Norton crapware. See Below.

AVG free or Avast antivirus programmes.

Zonealarm Kerio or Comodo free firewall programmes.

Spybot Search & Destroy.

Ad-Aware se personal.

Spyware Blaster.

AVG Antispyware.

Ccleaner.

Regards Howard

This thread is for the use of computingdoc only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[computingdoc]

ComboFix log

I wasn't allowed to post the log until I had 3 posts. Next post will have the log, hopefully.

 

[howard_hopkinso]

Log files are supposed to be posted as attachments and not copy and pasted. See HERE.

Regards Howard

This thread is for the use of computingdoc only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[computingdoc]

Sorry, log attached.

HJT log is attached

 

[howard_hopkinso]

Your HJT log is clean.

Go to add remove programmes in your control panel and uninstall anything to do with(if there).

SpywareBot<This is of dubious repute.

Close control panel.

Locate and delete the following bold files and/or folders(if there).


C:\Temp\bhr.exe
C:\Temp\setup.exe
C:\Program Files\SpywareBot

Reboot the system.

Post fresh Combofix and AVG Antispyware logs.

Also, please let me know the results of the Panda Antirootkit scan as per step11 of these instructions.

Regards Howard

This thread is for the use of computingdoc only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[computingdoc]

I've been getting a slew of virus and trojan messages from Norton. Some are dll files and some are exe files. I've attached the ComboFix and AVG logs. I probably won't be able to do the Panda until tomorrow.

I had time today to get the Panda result. It found 0 rootkits.

 

[howard_hopkinso]

1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

2. Download the attached avengerscript.txt and save it to your desktop

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by double clicking on its icon on your desktop.

Under "Script file to execute" choose "Load script from file".
Now click on the folder icon which will open a new window titled "open Script File"
navigate to the file you have just downloaded, click on it and press open
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please attach the content of c:\avenger.txt into your reply, as well as a fresh HJT and Combofix log.

Also, please do the following.

Please download FindAWF to your Desktop.
Double-click FindAWF.exe to start the tool.
Select "option #1 - Scan for bak folders" by typing 1 and press Enter
When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt as an attachment.

Regards Howard

This thread is for the use of computingdoc only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[computingdoc]

Step completed

System is very quiet now. Logs attached:

 

[howard_hopkinso]

That all looks fine mate.

Turn off system restore.(XP/ME only) See how HERE.

Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.


If you have any further virus/spyware problems, please post in this thread.

Regards Howard

This thread is for the use of computingdoc only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[computingdoc]

Thanks

Howard,
Thanks for all of your time and help.

Computing Doc

This thread is now closed: If you need this thread unlocking, please pm a moderator with a link to the thread.

Only the original thread starter can do this. Anyone else, will be ignored.