Jump to content


CWS with Office XP configuration popups

  • Please log in to reply
1 reply to this topic

#1 canova



  • New Member
  • Pip
  • 2 posts

Posted 26 June 2004 - 03:29 PM

On Wed. evening 6/23 I got infected by CoolWebSearch. In one of the popup windows, I could do a "view source." It had HTML comments that said you could remove the hijacker by going to "Add/Remove Programs" and removing "iefeat1", but I looked and it didn't exist. The page then said to go to their web site as 8ad.com and use the link at the bottom of the page. This told me that it couldn't find and remove "WinShow."
I used the latest version of AdAware 6 (build 181) with the latest data file, and it proceeded to find and remove several things related to CoolWebSearch. But it's not gone; it keeps replacing itself.
Symptoms: My browser default page is reset to "res://marka.dll/index..." every time I try to change it. That DLL file, viewed in textpad contained lots of literal strings containing HMTL pages that it dished out. If I deleted the DLL, it was replaced the next time I went on line. I have defeated this so far by replacing the DLL with a 0 byte file named "marka.dll". This has partly disabled the thing.
I have tried CWSShredder, SpyBot, and now I have Hijack This on the machine. I'm not sure what to remove with Hijack This.
I found and deleted a couple of folders "winlink" and "winshow" in my Documents and Settings Application Data folder.
Each time AdAware or any other tool deletes files from Windows or System32 folders, they get replaced with new version with different names. The names are usually ms**32.exe, d3**.exe or some other consistent pattern with 2 random letters in the name.
I also found and deleted a js file, but unfortunately, I don't remember which files it mainpulated. It was trying to delete and replace some files in Program Files, but I've found nothing in there that has timestamps of 6/23 or later.
Following your site's instructions, I'm not including my HT log until someone asks for it.
The current behavior is:
After a reboot, the first time I start IE I get a series of 1 to 3 Office XP reconfiguration boxes. Letting them complete or cancelling them seems to have no effect. It get the same behavior each time I open a newly recieved email message in Outlook Express. Emails arleady opened don't cause this. My IE home page still gets reset to the "res://marka.dll/index.html#96676" URL all the time, but since the DLL is empty, it doesn't take me anywhere.
I'm running XP Home edition with SP1 and ALL security patches. I have Norton Antivirus 2002 with the most recent virus definitions.

Please help. As you can see, I'm not a complete novice, but this has me stumped and very frustrated. Thank you in advance.

#2 canova



  • New Member
  • Pip
  • 2 posts

Posted 27 June 2004 - 08:17 AM

I'm free at last!!!

The res://****.dll thing is gone. I've rebooted 3 times now and it's still gone.
AdAware, SpyBot and HiJackThis all come up clean.
There are no mysterious processes running.
I'm free!!

The information is all right here in this forum, just not all in one place. It's scattered about in the various postings that you all have made.

When you run HiJackThis. look for a mysterious entry like:
O4 - HKLM\..\Run: [appsa32.exe] C:\WINDOWS\system32\appsa32.exe

Before you have HijackThis fix it, do CTRL-ALT-DEL and look at the processes tab. Find the process running (appsa32.exe) and stop it.
If you don't do this, it will just replace itself under a new alias after HijackThis has removed it.
Once you've stopped the running process (and I had 2 of them,BTW), have HijackThis fix not only the item, above, but also anything suspicious like this:
O2 - BHO: (no name) - {55F4B2C0-1BA9-30E2-C41A-87A1C59255C2} - C:\WINDOWS\addjp.dll
as well as all the R1 items that look bogus.

Then have AdAware and SpyBot do their thing.

My home page stays put where I want it, my Google searches are no longer hijacked, and I no longer get the Offic XP pop ups the first time I launch IE after a reboot.

My HiJackThis logs look clean after 3 reboots:
Logfile of HijackThis v1.97.7
Scan saved at 8:20:05 AM, on 6/27/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\MA311 PCI Adapter Configuration Utility\wlanutil.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Doug\Download\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKCU\..\Run: [EPSON Stylus C80 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /A "C:\WINDOWS\System32\E_S73.tmp"
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Configuration Utility.lnk = C:\Program Files\MA311 PCI Adapter Configuration Utility\wlanutil.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.micros...ontent/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7863.3670949074
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

Thank you everyone for all your experimentation. The pieces were all here.


0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button