• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
SilentThunder

Need Help With New CWS Hijacker

2 posts in this topic

Ok, it happened to me too. I got hit with this damned CWS Homepage hijacker..

 

Here is what happened:::

I was cruising the web, hit a page that auto-popped-up another page and then got a "Malicious Script" warning from Norton Antivirus. I told Norton Antivirus to stop the script

 

Here are the symtoms:::

Every time I run Internet Explorer it defaults to "res://rsdrd.dll/index.html#96676" as the homepage.

 

What I've tried:::

The first thing I did was to download the most recent copy of CWS Shredder that I could find and run it.....it did nothing...it couldn't even find any part of the CWS Hijacker on my system. After cursing, I continued on...

On the folder options of my computer I set it to show all hidden files and folders and then ran a search for that .dll file but could not find it anywhere on the computer. I booted up in Safe Mode, and started up Zone Alarm which I have set up to require conformation before any program can access the internet. I then started up Ad-Aware 6.0 with the "01R324 22.06.2004" Reference File loaded and ran a complete scan of my root "C:" drive, which is where Windows XP SP1 is installed with all the latest security updates. After running a complete scan with Ad-Aware, I started up HijackThis and found all of the registry entries that made reference to "res://rsdrd.dll/index.html#96676" and selected them and "fixed" them while still in Safe Mode. The problem is that after rebooting back into Normal Mode the CWS hijacker is still taking over my homepage. Every time I run Ad-Aware it finds an executable file that it says is part of the hijacker software, and the executable file always has a related *.pf file in the Prefetch sub-folder of Windows. But when I search for that executable, I never find it....only the pre-fetch file. Does anyone have any suggestions on what I can do to get rid of this short of having to do a clean install? I've spent the last 2 1/2 years trying to get this computer set up like I like it and now that I have it that way it seems like I might have to start from scratch (insert cursing ad infinitum...). Thanks in advance.

Share this post


Link to post
Share on other sites

This is a current copy of my HijackThis Log:::

 

 

Logfile of HijackThis v1.97.7

Scan saved at 11:16:36 AM, on 6/27/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\dllhost.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\tcpsvcs.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe

C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe

C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe

C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe

C:\WINDOWS\LTSMMSG.exe

C:\WINDOWS\System32\ezSP_Px.exe

C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe

C:\PROGRA~1\NORTON~1\navapw32.exe

C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE

C:\Program Files\BroadJump\Client Foundation\CFD.exe

C:\WINDOWS\AGRSMMSG.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

C:\Program Files\Muiltmedia keyboard utility\1.3\KbdAp32A.exe

C:\WINDOWS\system32\addnt32.exe

C:\Program Files\Comcast\Comcast_Devmon.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe

D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\WINDOWS\cref.exe

C:\Program Files\Internet Explorer\iexplore.exe

D:\Installers\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rsdrd.dll/sp.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rsdrd.dll/sp.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://rsdrd.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\rsdrd.dll/sp.html#96676

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\adobe\acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {A2CBCB60-0591-9C17-A18A-6983C427DB1E} - C:\WINDOWS\d3tn.dll

O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [siS KHooker] C:\WINDOWS\System32\khooker.exe

O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe

O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe

O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot

O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE

O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [FLMK08KB] C:\Program Files\Muiltmedia keyboard utility\1.3\MMKEYBD.EXE

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM

O4 - HKLM\..\Run: [NetStat Live] C:\Program Files\AnalogX\NetStat Live\nsl.exe

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [addnt32.exe] C:\WINDOWS\system32\addnt32.exe

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1

O4 - HKCU\..\Run: [CPW] C:\Program Files\Comcast\Comcast_Devmon.exe C:\Program Files\Comcast\Comcast Photo Wizard.exe

O4 - HKCU\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE

O4 - HKCU\..\Run: [spySweeper] "d:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0

O4 - HKLM\..\RunOnce: [spySweeper_BT01] "d:\Program Files\Webroot\Spy Sweeper\Bt01.exe" /SpySweeper_BT01

O4 - HKLM\..\RunOnce: [cref.exe] C:\WINDOWS\cref.exe

O4 - HKLM\..\RunOnce: [atlbi.exe] C:\WINDOWS\atlbi.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = ?

O4 - Global Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\PMREMIND.EXE

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O9 - Extra button: Research (HKLM)

O9 - Extra button: Help (HKCU)

O9 - Extra button: WeatherBug (HKCU)

O9 - Extra button: Support (HKCU)

O9 - Extra button: ComcastHSI (HKCU)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net

O15 - Trusted Zone: http://CAWestCorp-ca.west.com

O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.scd.yahoo.com/yog/y/ks12_x.cab

O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.8.cab

O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tri...Transporter.cab?

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_42.cab

O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab

O16 - DPF: {435583D3-F647-4943-BB40-B0D64CB02718} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab

O16 - DPF: {43B70AAD-23F4-4FD8-ADD9-441D8592EEB8} (Snapfish Fix Photo Control) - http://www.snapfish.com/SnapfishImageEditor.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7869.8490277778

O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundl...ArcadeRdxIE.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {FEC3E5A3-50F7-4B0C-97D8-01CF69DFBFC7} (Measurement Service Client) - http://ccon.madonion.com/global/msc.cab

Share this post


Link to post
Share on other sites
Sign in to follow this  
Followers 0