rickslate

Computer Infected by New Trojan

4 posts in this topic

I have a trojan on my system that I can't remove (I think it's cws.smartsearch.2)…

Here's as much as I can offer on what's happening: It automatically closes CWShredder. I can't even open Norton. It shuts down the Spybot installation process. It has been changing the IE6 home page to random sites. A number of sites now just display "Free Search Online" (http://hhrkss.outhost.info/) - the URL is hidden. And Internet Explorer automatically shuts down when I go to sites that offer downloads of spyware removal programs and online help forums. When I actually get off a download of these programs, it will fail at 99% with the error: "Cannot read from source file or disk."

I successfully got a few programs by emailing them to myself from another computer and then running them through "Run…" in the Start menu because the trojan makes these programs invisible through Windows. I successfully ran Ad-Aware 6, Spy Sweeper, and CoolWWWSearch.SmartKiller. None of the programs removed the trojan so I still can't open CWShredder or Norton and it's still playing tricks with IE6.

SmartKiller gave me this message: "CoolWWWSearch.SmartKiller (v1/v2) has not been found on your system." CWShredder offers the message: "You have a varient of Coolwebsearch trojan (CWS.Smartsearch.2) that has attempted to close CWShredder… CWShredder is still functioning fine…" It successfully changed the program title but it keeps shutting down. To keep the program open, I have to keep clicking through the OK boxes as fast as I can (otherwise it closes) but when the program gets to its multi-stage scan, it shuts down.

Any suggestions? Please help me.

Thanks,
Rick

Edited by rickslate


If this helps at all, here's my startup log...

StartupList report, 06/26/2004, 1:08:46 PM
StartupList version: 1.52
Started from : C:\Documents and Settings\gottli1_rick\Desktop\StartupList.EXE
Detected: Windows 2000 SP3 (WinNT 5.00.2195)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINNT\System32\GEARSEC.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\WINNT\system32\tp4serv.exe
C:\WINNT\system32\atiptaxx.exe
C:\WINNT\AGRSMMSG.exe
C:\WINNT\system32\PRPCUI.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\Microsoft Office\OFFICE11\ONENOTE.EXE
C:\Program Files\Google\ggviewer67-23.exe
C:\Documents and Settings\gottli1_rick\Desktop\StartupList.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\gottli1_rick\Start Menu\Programs\Startup]
PowerReg Scheduler V3.exe

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

TrackPointSrv = tp4serv.exe
ATIModeChange = Ati2mdxx.exe
AtiPTA = atiptaxx.exe
AGRSMMSG = AGRSMMSG.exe
Synchronization Manager = mobsync.exe /logon
PRPCMonitor = PRPCUI.exe
TPHOTKEY = C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
TP4EX = tp4ex.exe
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ccRegVfy = "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
SymTray - Norton SystemWorks = C:\Program Files\Common Files\Symantec Shared\SymTray.exe SetReg
POINTER = C:\Program Files\Microsoft Hardware\Mouse\point32.exe
HPDJ Taskbar Utility = C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
QD FastAndSafe =
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
Network Service = C:\WINNT\svhost.exe -sr -0

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

SymTray - Norton SystemWorks = C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = ctfmon.exe
SightSpeed = "C:\Program Files\SightSpeed\SightSpeed.exe -minimized"
SpySweeper = C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0

--------------------------------------------------

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINNT\system32\ssstars.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Enumerating Browser Helper Objects:

NAV Helper - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll - {rickslate: EDITED OUT FOR SECURITY}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Norton AntiVirus - Scan my computer.job
Norton SystemWorks One Button Checkup.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[QuickTime Object]
InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[shockwave ActiveX Control]
InProcServer32 = C:\WINNT\system32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/shockwa...director/sw.cab

[{26CBF141-7D0F-46E1-AA06-718958B6E4D2}]
CODEBASE = http://download.ebay.com/turbo_lister/US/install.cab

[{41F17733-B041-4099-A042-B518BB6A408C}]
CODEBASE = http://a1540.g.akamai.net/7/1540/52/200210...meInstaller.exe

[MSN Money Charting]
InProcServer32 = C:\WINNT\Downloaded Program Files\inv13.ocx
CODEBASE = http://fdl.msn.com/public/investor/v13/invinstl.exe

[{56336BCB-3D8A-11D6-A00B-0050DA18DE71}]
CODEBASE = http://207.188.7.150/10d2a8b754f625bf9219/netzip/RdxIE2.cab

[{6CB5E471-C305-11D3-99A8-000086395495}]
CODEBASE = http://toolbar.google.com/data/en/big/1.1....g/GoogleNav.cab

[{8EDAD21C-3584-4E66-A8AB-EB0E5584767D}]
CODEBASE = http://toolbar.google.com/data/GoogleActivate.cab

[update Class]
InProcServer32 = C:\WINNT\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/...7752.8500694444

[{CEBC955E-58AF-11D2-A30A-00A0C903492B}]
CODEBASE = http://windowsupdate.microsoft.com/R980/V3...en/actsetup.cab

[shockwave Flash Object]
InProcServer32 = C:\WINNT\system32\macromed\flash\Flash.ocx
CODEBASE = http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
WebCheck: C:\WINNT\System32\webcheck.dll
SysTray: stobject.dll

--------------------------------------------------
End of report, 7,779 bytes
Report generated in 4.637 seconds

Command line options:
  /verbose  - to add additional info on each section
  /complete - to include empty sections and unsuspicious data
  /full    - to include several rarely-important sections
  /force9x  - to include Win9x-only startups even if running on WinNT
  /forcent  - to include WinNT-only startups even if running on Win9x
  /forceall - to include all Win9x and WinNT startups, regardless of platform
  /history  - to list version history only


Please help me! I really need my computer to work today.

$10.00 (through Amazon or PayPal) to the first person who offers a solution that works.

Thanks in advance for any help, Rick

Edited by rickslate
