spits

CWS.searchx, coolwebsearch

17 posts in this topic

I have some problems with my PC. Could someone look at my HijackThis logfile and tell me what's wrong and what I can do to repair this? I have tried Ad-aware and CWShredder but it still comes back.....

 

Logfile of HijackThis v1.97.7

Scan saved at 13:02:55, on 27.06.2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\brsvc01a.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\brss01a.exe

C:\WINDOWS\system32\Brmfrmps.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\scagent.exe

C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

C:\WINDOWS\System32\svchost.exe

C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe

C:\Program Files\Scansoft\PaperPort\pptd40nt.exe

C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe

C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe

C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\WINDOWS\System32\wuauclt.exe

C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe

C:\Documents and Settings\Gisle\Desktop\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Gisle\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Gisle\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://0cj.net/cat

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Gisle\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://0cj.net/srchasst.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Gisle\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Gisle\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://0cj.net/cat

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://0cj.net/cat

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://0cj.net/srchasst.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Gisle\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://0cj.net/cat

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.startsiden.no/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = ,

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = ,

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://0cj.net/srchasst.html

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O2 - BHO: sr - {FC2593E3-3E5A-410F-AF3D-82613CCE58E5} - c:\windows\sr.dll

O2 - BHO: (no name) - {FD008DEC-0164-48EF-B35D-68B4490B93F7} - C:\WINDOWS\madopew.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe

O4 - HKLM\..\Run: [indexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe

O4 - HKLM\..\Run: [setDefPrt] C:\Program Files\Brother\BRMFLPRO\BrDefPrt.exe

O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe

O4 - HKLM\..\Run: [Windows Registers] Svchosts.exe

O4 - HKLM\..\Run: [D-Link AirPlus Xtreme G] C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe

O4 - HKLM\..\Run: [ANIWZCSService] C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe

O4 - HKLM\..\Run: [spyFerret] C:\Program Files\SpyFerret by OnlinePCfix\SFerret.exe /updaterun

O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"

O4 - HKLM\..\RunServices: [Windows Registers] Svchosts.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [Windows Registers] Svchosts.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O14 - IERESET.INF: START_PAGE_URL=http://www.online.no/

O15 - Trusted Zone: www.parmann-foss.no

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8048.4705324074

O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://flash.vg.no/codvg/cabs/cssweb.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {EFB22865-F3BC-4309-ADFA-C8E078A7F762} (SysWebTelecomInt Class) - http://www.sponsoradulto.com/en/SysWebTelecom.cab

O19 - User stylesheet: C:\WINDOWS\color.css


Move HijackThis off your desktop (extract from zip) into a permanent folder. Example:

c:\program files\hijackthis\hijackthis.exe

 

This will allow backups to be made and saved by HijackThis in case something goes wrong.

 

Download the latest version of Ad-Aware, and check to make sure you have the most recent updates.

http://www.lavasoftusa.com/support/download/

 

Download and install APM from: (don't run it yet; we will get to that in a minute)

http://www.diamondcs.com.au/index.php?page=apm

 

Run another hijackthis scan. Place a check next to the following entries, then close all other windows and click the fix button.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Gisle\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Gisle\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Gisle\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Gisle\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Gisle\LOCALS~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Gisle\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = ,

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = ,

O2 - BHO: (no name) - {FD008DEC-0164-48EF-B35D-68B4490B93F7} - C:\WINDOWS\madopew.dll

Then start APM.

In the upper window select explorer.exe

In the lower window find and right-click the O2 - BHO: entry from above.

Select Unload DLL and click OK on the prompts that follow.

 

Reboot and scan with AdAware to remove the txt and html protocol association.

 

Then reboot and run another hijackthis scan and post your new log here.


Thank you for helping me. I have tried to do as you said, but when I went into APM and clicked on Internet Explorer I didn't find 02-BHO in the lower window??? Here is the new log from HijackThis. What can I do now?? Again, thank you for helping me!!

 

Logfile of HijackThis v1.97.7

Scan saved at 22:06:20, on 27.06.2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\brsvc01a.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\brss01a.exe

C:\WINDOWS\system32\Brmfrmps.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\scagent.exe

C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

C:\WINDOWS\System32\svchost.exe

C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe

C:\Program Files\Scansoft\PaperPort\pptd40nt.exe

C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe

C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe

C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\WINDOWS\System32\wuauclt.exe

C:\Documents and Settings\Gisle\Local Settings\Temp\Temporary Directory 2 for HijackThis.zip\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://0cj.net/cat

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://0cj.net/srchasst.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Gisle\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://0cj.net/cat

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://0cj.net/cat

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://0cj.net/srchasst.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://0cj.net/cat

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.startsiden.no/

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://0cj.net/srchasst.html

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe

O4 - HKLM\..\Run: [indexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe

O4 - HKLM\..\Run: [setDefPrt] C:\Program Files\Brother\BRMFLPRO\BrDefPrt.exe

O4 - HKLM\..\Run: [Windows Registers] Svchosts.exe

O4 - HKLM\..\Run: [D-Link AirPlus Xtreme G] C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe

O4 - HKLM\..\Run: [ANIWZCSService] C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe

O4 - HKLM\..\Run: [spyFerret] C:\Program Files\SpyFerret by OnlinePCfix\SFerret.exe /updaterun

O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"

O4 - HKLM\..\RunServices: [Windows Registers] Svchosts.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [Windows Registers] Svchosts.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O14 - IERESET.INF: START_PAGE_URL=http://www.online.no/

O15 - Trusted Zone: www.parmann-foss.no

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8048.4705324074

O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://flash.vg.no/codvg/cabs/cssweb.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab


Move HijackThis out of the temp directory (extract from zip) into a permanent folder. Example:

c:\program files\hijackthis\hijackthis.exe

 

This will allow backups to be made and saved by HijackThis in case something goes wrong.

 

Place a check next to the following entries, then close all open windows except hijackthis and click fix.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://0cj.net/cat

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://0cj.net/srchasst.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Gisle\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://0cj.net/cat

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://0cj.net/cat

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://0cj.net/srchasst.html

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://0cj.net/cat

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://0cj.net/srchasst.html

O4 - HKLM\..\Run: [Windows Registers] Svchosts.exe

O4 - HKCU\..\Run: [Windows Registers] Svchosts.exe

Then reboot into safe mode and delete these files.

Svchosts.exe (notice the spelling, do not delete svchost.exe by mistake)

 

You may have to enable hidden files to find all the files.

 

Then reboot and run another HijackThis scan and post your new log here.

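Two checks from the replies above, written as an added example that is not part of the original thread: flagging autorun entries whose file name imitates a Windows system binary (the `Svchosts.exe` / `svchost.exe` warning), and confirming whether entries marked for fixing are really gone from the follow-up scan. The reference list `SYSTEM_BINARIES`, the edit-distance threshold and all function names are assumptions; the sample lines are copied from the logs posted in this thread.

```python
import re

# Constructed sample input: O4 autorun lines copied from the first log in this thread.
FIRST_LOG_O4 = r"""
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [Windows Registers] Svchosts.exe
O4 - HKLM\..\Run: [spyFerret] C:\Program Files\SpyFerret by OnlinePCfix\SFerret.exe /updaterun
O4 - HKLM\..\RunServices: [Windows Registers] Svchosts.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Windows Registers] Svchosts.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
"""

# Constructed sample input: three entries from the first fix list in the thread,
# and three lines from the scan the user posted afterwards.
FIX_LIST = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Gisle\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Gisle\LOCALS~1\Temp\sp.html
O2 - BHO: (no name) - {FD008DEC-0164-48EF-B35D-68B4490B93F7} - C:\WINDOWS\madopew.dll
"""
FOLLOWUP_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://0cj.net/cat
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Gisle\LOCALS~1\Temp\sp.html
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
"""

# Assumption: a short reference list of genuine Windows binary names to compare against.
SYSTEM_BINARIES = ("svchost.exe", "services.exe", "winlogon.exe", "lsass.exe",
                   "explorer.exe", "spoolsv.exe", "smss.exe", "ctfmon.exe")

# "O4 - <hive>: [<value name>] <command line>"; Startup-folder O4 lines do not match.
O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Quoted path, or an unquoted path (spaces allowed) up to the first executable extension.
EXE_RE = re.compile(r'"([^"]+)"|(.+?\.(?:exe|com|bat|scr|pif))(?=\s|$)', re.I)


def edit_distance(a, b):
    """Levenshtein distance between two strings (row-by-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def executable_of(cmd):
    """Return the program part of an autorun command line, without its arguments."""
    m = EXE_RE.match(cmd.strip())
    if m:
        return m.group(1) or m.group(2)
    return cmd.split()[0]


def lookalike_autoruns(log_text, max_distance=2):
    """Flag O4 entries whose file name is close to, but not equal to, a system binary."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        exe = executable_of(m.group("cmd"))
        base = exe.rsplit("\\", 1)[-1].lower()
        if base in SYSTEM_BINARIES:
            continue  # exact name: not a look-alike (its location is a separate check)
        real = min(SYSTEM_BINARIES, key=lambda name: edit_distance(base, name))
        if edit_distance(base, real) <= max_distance:
            findings.append({"hive": m.group("hive"), "value": m.group("name"),
                             "file": exe, "resembles": real, "has_path": "\\" in exe})
    return findings


def _norm(line):
    """Collapse whitespace and case so pasted log lines compare reliably."""
    return " ".join(line.split()).lower()


def still_present(fix_list, later_log):
    """Return the fix-list entries that still appear in a later scan."""
    later = {_norm(l) for l in later_log.splitlines() if l.strip()}
    return [l.strip() for l in fix_list.splitlines() if l.strip() and _norm(l) in later]


if __name__ == "__main__":
    for f in lookalike_autoruns(FIRST_LOG_O4):
        print("look-alike autorun:", f)
    for entry in still_present(FIX_LIST, FOLLOWUP_LOG):
        print("not removed yet:", entry)
```

On these samples the three `Svchosts.exe` autoruns are flagged, and the HKLM `Search Page` entry is reported as still present in the follow-up scan, which matches its reappearance in the second fix list.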

Here comes the new log. Thank you very much for helping me. Hope this one looks fine.

 

Logfile of HijackThis v1.97.7

Scan saved at 01:10:22, on 28.06.2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\brsvc01a.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\brss01a.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe

C:\Program Files\Scansoft\PaperPort\pptd40nt.exe

C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe

C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe

C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\WINDOWS\system32\Brmfrmps.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

C:\WINDOWS\system32\scagent.exe

C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

C:\WINDOWS\System32\svchost.exe

C:\Documents and Settings\Gisle\Local Settings\Temp\Temporary Directory 3 for HijackThis.zip\HijackThis.exe

C:\WINDOWS\System32\wuauclt.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.startsiden.no/

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe

O4 - HKLM\..\Run: [indexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe

O4 - HKLM\..\Run: [setDefPrt] C:\Program Files\Brother\BRMFLPRO\BrDefPrt.exe

O4 - HKLM\..\Run: [D-Link AirPlus Xtreme G] C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe

O4 - HKLM\..\Run: [ANIWZCSService] C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe

O4 - HKLM\..\Run: [spyFerret] C:\Program Files\SpyFerret by OnlinePCfix\SFerret.exe /updaterun

O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O14 - IERESET.INF: START_PAGE_URL=http://www.online.no/

O15 - Trusted Zone: www.parmann-foss.no

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8048.4705324074

O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://flash.vg.no/codvg/cabs/cssweb.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab


I tried to run CWShredder and it still finds CWS.Searchx!!!!! But my PC is looking fine now. Seems like about:blank is gone. Is there still something with my log that's not good?


SpyFerret is not one of the better spyware removal programs available.

You would be much better served by Spybot and Ad-aware.

 

Other than that your log looks good.

 

Does CW shredder remove the files and then find them again the next time you run it?


OK, then I will remove SpyFerret....

Yes, CWShredder finds CWS.searchx and removes it. When I run CWShredder once more it still finds CWS.searchx.

Ad-aware doesn't find anything now and that's good....

Do you have more great tips to solve this CWS.searchx problem?


Thank you Racktracker for very good help!!!! You have made my PC run much faster and now I hope you can help me to find a solution to make the CWS.searchx go away.


Here comes the FINDnFIX log. Hope you can locate what's wrong!!! Again, thank you for taking your time.

 

 

»»»»»»»»»»»»»»»»»»*** freeatlast100.100free.com ***»»»»»»»»»»»»»»»»

 

Microsoft Windows XP [Version 5.1.2600]

The type of the file system is FAT32.

C: is not dirty.

 

28.06.2004

7:10pm up 0 days, 0:05

 

»»»»»»»»»»»»»»»»»»***LOG!***»»»»»»»»»»»»»»»»

 

Scanning for file(s)...

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

»»»»» (*1*) »»»»» .........

»»Locked or 'Suspect' file(s) found...

 

 

One or more CON code pages invalid for given keyboard code

 

»»»»» (*2*) »»»»»........

**File C:\FINDnFIX\LIST.TXT

 

»»»»» (*3*) »»»»»........

 

No matches found.

 

unknown/hidden files...

 

No matches found.

 

»»»»» (*4*) »»»»».........

Sniffing..........

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

 

»»Size of Windows key:

(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

 

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 398

 

»»Dumping Values........

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

DeviceNotSelectedTimeout = 15

GDIProcessHandleQuota = REG_DWORD 0x00002710

Spooler = yes

swapdisk =

TransmissionRetryTimeout = 90

USERProcessHandleQuota = REG_DWORD 0x00002710

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(NI) ALLOW Read BUILTIN\Users

(IO) ALLOW Read BUILTIN\Users

(NI) ALLOW Read BUILTIN\Power Users

(IO) ALLOW Read BUILTIN\Power Users

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access BUILTIN\Administrators

(NI) ALLOW Full access NT AUTHORITY\SYSTEM

(IO) ALLOW Full access NT AUTHORITY\SYSTEM

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Read BUILTIN\Power Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

 

»»Member of...: (Admin logon required!)

User is a member of group SPITS\None.

User is a member of group \Everyone.

User is a member of group BUILTIN\Administrators.

User is a member of group BUILTIN\Users.

User is a member of group \LOCAL.

User is a member of group NT AUTHORITY\INTERACTIVE.

User is a member of group NT AUTHORITY\Authenticated Users.

 

»» Service search:(different variant) '"Network Security Service","__NS_Service_3"...

 

[sC] GetServiceKeyName FAILED 1060:

 

The specified service does not exist as an installed service.

 

[sC] GetServiceDisplayName FAILED 1060:

 

The specified service does not exist as an installed service.

 

 

»»Dir 'junkxxx' was created with the following permissions...

(FAT32=NA)

Directory "C:\junkxxx"

Permissions:

NA

 

Auditing:

NA

 

Owner: \Everyone

 

Primary Group: \Everyone

 

 

 

»»»»»»Backups created...»»»»»»

7:12pm up 0 days, 0:08

28.06.2004

 

A C:\FINDnFIX\winBack.hiv

--a-- - - - - - 8,192 06-27-2004 winback.hiv

A C:\FINDnFIX\keys1\winkey.reg

--a-- - - - - - 268 06-27-2004 winkey.reg

 

»»Performing 16bit string scan....

 

---------- WIN.TXT

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

 

Windows

UDeviceNotSelectedTimeout

zGDIProcessHandleQuota"

Spooler2

=pswapdisk

TransmissionRetryTimeout

USERProcessHandleQuota,

 

**File C:\FINDnFIX\WIN.TXT


Run these free online virus scans.

http://housecall.trendmicro.com/

http://www.pandasoftware.com/activescan/co...n_principal.htm

 

Open Adaware and check to see that you have the most recent updates.

Now do the following:

- Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:

check: "Unload recognized processes during scanning."

- Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:

Check: "Let Windows remove files in use after reboot."

Press "Scan Now"

- Check option "Use Custom scanning options"

- Check option "Activate In-Depth Scan"

- Press "Select drives\folders to scan"

- Select the active partition which is usually C:

Now press "Next" to let Ad-aware scan your drives...

It will find a number of "bad" files and registry keys.

Right-click in that pane and choose "select all"

Now press "Next" again.

It will ask you whether you'd like to remove all checked items. Click OK.

Finally, close Ad-Aware, and reboot.

 

Run CWShredder again and see if searchx shows up.

 

Thanks FAL

I mistakenly thought that was a positive hit for the registry key.

Edited by Racktracker

Click Start>Run and type regedit.

Press enter.

 

Navigate to:

 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\__NS_Service_3

 

If __NS_Service_3 exists, right-click on it and choose delete from the menu.

 

Now navigate to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY___NS_Service_3

 

If LEGACY___NS_Service_3 exists then right-click on it and choose delete from the menu.

 

Close regedit.

It does not exist! :weee:

 

I only added this check to find the other cws variant...

Hence the output: :scratchhead:

 

»» Service search:(different variant) '"Network Security Service","__NS_Service_3"...

 

[sC] GetServiceKeyName FAILED 1060:

 

The specified service does not exist as an installed service.

[sC] GetServiceDisplayName FAILED 1060:

 

The specified service does not exist as an installed service.

;)


Hej Racktracker! Now I have done what you said and unfortunately CWS.Searchx came back when I ran CWShredder...

 

Here is the result of scanning with Trendmicro:

Infected files found with Trendmicro

 

 

TROJ PORNDIAL.BP C:\ WINDOWS \system\teen.exe

VBS STARTPAGE.I C:\WINDOWS\odbc.hta

TROJ DELF.CY C:\WINDOWS\fierm.exe

JAVA BYTEVER.A C:\Documents and Settings\Gisl…

JAVA BYTEVER.A C:\Documents and Settings\Gisl…

JAVA BYTEVER.A C:\Documents and Settings\Gisl…

JAVA BYTEVER.A C:\Documents and Settings\Gisl…

TROJ DELF.CY C:\Documents and Settings\Gisl…

DOS MASSMSG.A C:\Documents and Settings\Gisl…

TROJ ISTBAR.K C:\Documents and Settings\Gisl…

TROJ XMEDIA.E C:\System Volume Information\_...

TROJ PORNDIAL.BP C:\System Volume Information\_...

VBS STARTPAGE.I C:\System Volume Information\_...

 

 

I deleted all these files…


Oops, not finished with my last reply...

 

Infected files found with Trendmicro

 

 

TROJ PORNDIAL.BP C:\ WINDOWS \system\teen.exe

VBS STARTPAGE.I C:\WINDOWS\odbc.hta

TROJ DELF.CY C:\WINDOWS\fierm.exe

JAVA BYTEVER.A C:\Documents and Settings\Gisl…

JAVA BYTEVER.A C:\Documents and Settings\Gisl…

JAVA BYTEVER.A C:\Documents and Settings\Gisl…

JAVA BYTEVER.A C:\Documents and Settings\Gisl…

TROJ DELF.CY C:\Documents and Settings\Gisl…

DOS MASSMSG.A C:\Documents and Settings\Gisl…

TROJ ISTBAR.K C:\Documents and Settings\Gisl…

TROJ XMEDIA.E C:\System Volume Information\_...

TROJ PORNDIAL.BP C:\System Volume Information\_...

VBS STARTPAGE.I C:\System Volume Information\_...

 

 

I deleted all these files…(I hope!!!)

 

Here is the result of scanning with Activescan

 

Incident Status Location

 

Virus:Trj/Downloader.JT Disinfected Operating system

Virus:Trj/Downloader.JT Disinfected C:\WINDOWS\system32\regsvc.exe

Virus:Trj/Downloader.JT Disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KUD5LV20\exe[1].bin

Virus:Trj/Xmedia.C Disinfected C:\Documents and Settings\Gisle\Local Settings\Temporary Internet Files\Content.IE5\GBIUMZ4V\l101[1].exe

Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Gisle\Local Settings\Temporary Internet Files\Content.IE5\GBIUMZ4V\nocheat[1].jar[Counter.class]

Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Gisle\Local Settings\Temporary Internet Files\Content.IE5\GBIUMZ4V\nocheat[1].RB0[Counter.class]

Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Gisle\Local Settings\Temporary Internet Files\Content.IE5\GBIUMZ4V\nocheat[1].RB0[Parser.class]

Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Gisle\Local Settings\Temporary Internet Files\Content.IE5\GBIUMZ4V\nocheat[1].RB0[Dummy.class]

Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Gisle\Local Settings\Temporary Internet Files\Content.IE5\V23QCZQ3\playup_pr25[1].RB0[VerifierBug.class]

Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Gisle\Local Settings\Temporary Internet Files\Content.IE5\V23QCZQ3\playup_pr25[1].RB0[Dummy.class]

Virus:Trj/Runet.A Disinfected C:\Documents and Settings\Gisle\Local Settings\Temporary Internet Files\Content.IE5\FZX9EK8B\load[1].htm

Virus:W32/Netsky.D.worm Disinfected Personal Folders\Deleted Items\Re: Your website\your_website.pif

Virus:W32/Netsky.D.worm Disinfected Personal Folders\Deleted Items\Re: Document\your_document.pif

Virus:W32/Netsky.P.worm Disinfected Personal Folders\Deleted Items\Shocking document\document05.doc .pif

Virus:W32/Mitglieder.V.worm Disinfected C:\Program Files\Windows Media Player\wmplayer.exe.tmp

Virus:Trj/StartPage.FH Disinfected C:\RECYCLED\Dc47.zip\backup-20040627-214502-382.dll

Virus:Trj/Runet.A Disinfected C:\FOUND.029\FILE0005.CHK

Virus:Trj/Runet.A Disinfected C:\FOUND.029\FILE0006.CHK

I hope I did everything right. I am not so familiar with this kind of operation on my PC........

 

So it seems this one (CWS.Searchx) is a tricky one.... My only hope to get this away is you, Racktracker, so I hope you will not give up..... Thank you so much for your kindness and I hope you will reply to me as soon as possible... Sorry for my bad English!!


IT'S GONE!!!!!!!!!!!! I tried CWShredder once more and now everything seems to be okay. It looks like CWShredder finally managed to delete the file.......

 

If you don't have any more comments on my recent replies I won't take more of your time.... Thank you once again Racktracker!!!! This forum is very helpful and I will talk to my friends about it!!!
