coolwwwsearch.leftover

[ragingbull]

I tried deleting it with spybot but it keeps coming back. and it seems like my internet browsing has been affected by this stupid spyware/malware. so pls. help me and take a look at my hjt log file. I would gladly appreciate it.
 
 
 Logfile of HijackThis v1.99.1
 Scan saved at 4:04:53 PM, on 3/22/2007
 Platform: Windows XP SP2, v.2055 (WinNT 5.01.2600)
 MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2055)
 
 Running processes:
 C:\WINDOWS\System32\smss.exe
 C:\WINDOWS\system32\winlogon.exe
 C:\WINDOWS\system32\services.exe
 C:\WINDOWS\system32\lsass.exe
 C:\WINDOWS\system32\svchost.exe
 C:\WINDOWS\System32\svchost.exe
 C:\WINDOWS\System32\svchost.exe
 C:\WINDOWS\system32\spoolsv.exe
 C:\WINDOWS\System32\nvsvc32.exe
 C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
 C:\WINDOWS\System32\wuauclt.exe
 C:\WINDOWS\Explorer.EXE
 C:\WINDOWS\System32\rundll32.exe
 C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
 C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
 C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
 C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
 C:\Program Files\iTunes\iTunesHelper.exe
 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
 C:\Program Files\Messenger\msmsgs.exe
 C:\Program Files\iPod\bin\iPodService.exe
 C:\Program Files\Mozilla Firefox\firefox.exe
 C:\Program Files\uTorrent\utorrent.exe
 C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
 C:\Program Files\HijackThis\HijackThis.exe
 
 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?.home=ytie
 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
 R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
 O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
 O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
 O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
 O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
 O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
 O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
 O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
 O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
 O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
 O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
 O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
 O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
 O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
 O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
 O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
 O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
 O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
 O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
 O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
 O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
 O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
 O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
 O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
 O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
 O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
 O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
 O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
 O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
 O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
 O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
 O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
 O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
 O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
 O16 - DPF: Win32 Classes -
 O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
 O17 - HKLM\System\CCS\Services\Tcpip\..\{FE592684-E146-4E7F-934F-5FC546207E51}: NameServer = 210.4.2.61 202.78.97.41
 O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
 O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
 O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
 O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

[guestolo]

Can you do another scan with Spybot
When the scan is done, right click in the results pane and save a report of what was found to your desktop
Then copy>>Paste back here the contents please

[ragingbull]

[quote name=\'guestolo\' post=\'304835\' date=\'Mar 22 2007, 08:08 AM\']Can you do another scan with Spybot
When the scan is done, right click in the results pane and save a report of what was found to your desktop
Then copy>>Paste back here the contents please[/quote]

here's the spybot scan report:

--- Report generated: 2007-03-23 09:36 ---

CoolWWWSearch.Leftovers: Code storage database (Registry key, fixed)
  HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\Win32 Classes

CasaleMedia: Tracking cookie (Firefox: default) (Cookie, fixed)
 

CasaleMedia: Tracking cookie (Firefox: default) (Cookie, fixed)
 

CasaleMedia: Tracking cookie (Firefox: default) (Cookie, fixed)
 

CasaleMedia: Tracking cookie (Firefox: default) (Cookie, fixed)
 

CasaleMedia: Tracking cookie (Firefox: default) (Cookie, fixed)
 

CasaleMedia: Tracking cookie (Firefox: default) (Cookie, fixed)
 

Zedo: Tracking cookie (Firefox: default) (Cookie, fixed)
 

Zedo: Tracking cookie (Firefox: default) (Cookie, fixed)
 

Zedo: Tracking cookie (Firefox: default) (Cookie, fixed)
 

Zedo: Tracking cookie (Firefox: default) (Cookie, fixed)
 

Zedo: Tracking cookie (Firefox: default) (Cookie, fixed)
 


--- Spybot - Search & Destroy version: 1.4  (build: 20050523) ---

2007-03-10 unins000.exe (51.41.0.0)
2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2005-05-31 Update.exe (1.4.0.0)
2005-05-31 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2005-05-31 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2007-03-07 Includes\Cookies.sbi (*)
2006-12-08 Includes\Dialer.sbi (*)
2007-02-07 Includes\Hijackers.sbi (*)
2006-10-27 Includes\Keyloggers.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2007-02-14 Includes\Malware.sbi (*)
2007-01-19 Includes\PUPS.sbi (*)
2007-03-07 Includes\Revision.sbi (*)
2006-12-08 Includes\Security.sbi (*)
2007-02-02 Includes\Spybots.sbi (*)
2005-02-17 Includes\Tracks.uti
2007-03-07 Includes\Trojans.sbi (*)
2007-03-07 Includes\DialerC.sbi (*)
2007-03-07 Includes\HijackersC.sbi (*)
2007-03-07 Includes\KeyloggersC.sbi (*)
2007-03-07 Includes\MalwareC.sbi (*)
2007-03-07 Includes\PUPSC.sbi (*)
2007-03-07 Includes\SecurityC.sbi (*)
2007-03-07 Includes\SpybotsC.sbi (*)
2007-03-07 Includes\TrojansC.sbi (*)

[guestolo]

Can you do the following please
Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box, not including the word "code"
Paste it to the empty Notepad file
In Notepad click FILE>>SAVE AS
Change the Save as Type to All Files.
Name the file as Export.bat

Save this file on the desktop

 

Code: [Select]

regedit /e Export.txt "HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database"


Double click on Export.bat, a text file will open, can you copy>paste back here the contents please

[guestolo]

As the original poster has not returned, I'll lock this topic