[Fixed] Hijackthis! Logs - [FIXED] - New Log (Security & Safety forum)

#1  Simon2711 (Bronze Member), 05-15-2005
[FIXED] - New Log

Hi

I have acquired a browser hijacker. It is named cool web search. I have been looking at this forum & have downloaded Hijackthis.

This is what I have done so far..

Run Spybot, Ad-aware & Spy Subtract. All have recognised the spyware & have deleted it.

When I open IE again the spyware is re-installed.

I have tried CWS Shredder, which is part of Spy Subtract. It does not recognise it & says there is no CWS.

I have tried to change my homepage in Internet Options but it still goes back to 'about blank', which has all these crappy search options.

About blank was on the Hijackthis log file. I deleted it, tried to load IE again & it came back again.

I'm guessing I have to use regedit but have had no experience in this.

So here is the log file from Hijackthis. Any help would be very much appreciated.

Simon
Attached Files
File Type: txt Log-1.txt (10.1 KB, 1 views)


#2  Hengis (PCHF Founder & Owner), 05-15-2005
Re: New Log

Hi Simon, welcome to PCHF

Make a system restore point - then put a tick next to the following log entries and select fix.

C:\WINDOWS\ntku32.exe
C:\WINDOWS\system32\sysia32.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\damci.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\damci.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\damci.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\damci.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\damci.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\damci.dll/sp.html#44768
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\damci.dll/sp.html#44768
O2 - BHO: Class - {41F3D01F-6C89-A15F-70E9-32BE0CB61C71} - C:\WINDOWS\system32\ntyo32.dll
O4 - HKLM\..\Run: [ntku32.exe] C:\WINDOWS\ntku32.exe
O4 - HKLM\..\RunOnce: [ntmd32.exe] C:\WINDOWS\system32\ntmd32.exe
O4 - HKLM\..\RunOnce: [sysia32.exe] C:\WINDOWS\system32\sysia32.exe
O23 - Service: Network Security Service (NSS) ( 11F??#????`I) - Unknown owner - C:\WINDOWS\sdkmc32.exe

Before re-booting re-run: Ad-aware, Spybot and CWS.

Re-boot and let us know how you get on.


#3  Simon2711 (Bronze Member), 05-15-2005
Re: New Log

Hi Hengis

Thank you for the swift reply.

I deleted the R1 etc., but I couldn't delete the C: extensions.

When I re-booted, my spyware program stated that an attempt was made to change IE's homepage. This happened 9 times. This is a sticky fella, aye. Got me pulling my hair out.

Do I have to explore the C: drive to delete the C: extensions?

Attached is the new log file.

Regards

Simon
Attached Files
File Type: txt Log-2.txt (9.2 KB, 3 views)


#4  Zimbo (Friend of PCHF), 05-16-2005
Re: New Log

Originally Posted by Simon2711
When I re-booted, my spyware program stated that an attempt was made to change IE's homepage. This happened 9 times.

Could you install Microsoft Antispyware? This should help to prevent anything trying to change the homepage.
Also run Stinger; this program should remove any trojans which are normally associated with these "Toolbars".

Next your log file, you can delete the following entries:

O4 - HKLM\..\RunOnce: [d3xs.exe] C:\WINDOWS\d3xs.exe
O4 - HKLM\..\RunOnce: [sdkmc32.exe] C:\WINDOWS\sdkmc32.exe
O4 - HKLM\..\Run: [ntku32.exe] C:\WINDOWS\ntku32.exe
O23 - Service: Network Security Service (NSS) ( 11F??#????`I) - Unknown owner - C:\WINDOWS\sdkmc32.exe

Once you have deleted those entries from HijackThis and installed both Stinger and Microsoft Antispyware, boot your machine into safe mode and run Spybot, Stinger and MS Antispyware.

Let us know how you get on.

It would be a good idea to explore C and delete those files. (just use normal windows explorer)
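
Added example, not part of any post in this thread: a small Python parser for the HijackThis entry types quoted in the replies above (R0/R1, O2, O4, O23) that maps each referenced file to the entries pointing at it, so leftover files can be checked on disk after the entries are fixed. The sample lines are copied from the thread (service display name shortened); the function names and review notes are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: entries taken from the replies in this thread
# (the O23 service display name is shortened).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\damci.dll/sp.html#44768
O2 - BHO: Class - {41F3D01F-6C89-A15F-70E9-32BE0CB61C71} - C:\WINDOWS\system32\ntyo32.dll
O4 - HKLM\..\Run: [ntku32.exe] C:\WINDOWS\ntku32.exe
O4 - HKLM\..\RunOnce: [sdkmc32.exe] C:\WINDOWS\sdkmc32.exe
O23 - Service: Network Security Service (NSS) - Unknown owner - C:\WINDOWS\sdkmc32.exe
"""

# HijackThis section codes that appear in this thread.
SECTIONS = {"R0": "IE start/search page", "R1": "IE start/search page",
            "O2": "Browser Helper Object", "O4": "registry autostart",
            "O23": "Windows service"}
ENTRY = re.compile(r"^(R\d+|O\d+) - (.+)$")
FILE = re.compile(r'[A-Za-z]:\\[^/*?"<>|]*?\.(?:exe|dll)', re.I)

def parse(log_text):
    """Turn log lines into records; lines that are not entries are skipped."""
    records = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m or m[1] not in SECTIONS:
            continue
        code, body = m[1], m[2]
        f = FILE.search(body)
        notes = []  # review hints only, not a verdict on the file
        if code in ("R0", "R1") and "res://" in body and f:
            notes.append("IE page served from a local DLL resource")
        if code == "O23" and "Unknown owner" in body:
            notes.append("service owner not identified by HijackThis")
        records.append({"code": code, "kind": SECTIONS[code],
                        "file": f[0].lower() if f else None, "notes": notes})
    return records

def entries_by_file(records):
    """Map each on-disk file to every entry code that references it."""
    out = defaultdict(list)
    for r in records:
        if r["file"]:
            out[r["file"]].append(r["code"])
    return dict(out)

if __name__ == "__main__":
    for path, codes in entries_by_file(parse(SAMPLE_LOG)).items():
        print(f"{path}: {', '.join(codes)}")
```

On the sample, `sdkmc32.exe` is referenced by both a RunOnce entry and a service entry, so both entries and the file itself need attention.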


#5  Simon2711 (Bronze Member), 05-17-2005
Re: New Log

Hi Zimbo.

Looks like it's pretty much sorted. Thank you to you & Hengis

I keep getting 7 spywares that Ad-aware finds. These are classed as low risk but this doesn't instil confidence.

Worth showing you guys another log?

Thanks for the help again.

Simon


#6  Hengis (PCHF Founder & Owner), 05-17-2005
Re: New Log

Happy to help Simon

Post a new log if u like - sounds like we got it tho

Don't forget to Recommend a Friend

