seymour

just another version of CWS?

11 posts in this topic

Hi there!

 

On my Internet Explorer there are some kind of search pages as default home page and search page when I open it up. It seems like a version of CWS, but although I have tried to destroy it now for just about a whole day (also having read your FAQs - great work by the way), I don't get it.

I'll post the log of HJT with the hope that anyone can help me:

 

Logfile of HijackThis v1.97.7

Scan saved at 18:51:55, on 27.06.2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.exe

C:\WINDOWS\monitor.exe

C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\WINDOWS\System32\RunDll32.exe

C:\WINDOWS\Dit.exe

C:\PROGRA~1\CA\ETRUST~1\realmon.exe

C:\WINDOWS\mHotkey.exe

C:\Programme\Medion Home Cinema XL II\PowerCinema\PCMService.exe

C:\WINDOWS\System32\PRISMSTA.EXE

C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe

C:\WINDOWS\System32\kxmixer.exe

C:\WINDOWS\System32\taskswitch.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Programme\Spybot - Search & Destroy\TeaTimer.exe

C:\WINDOWS\CNYHKey.exe

C:\WINDOWS\DitExp.exe

C:\Programme\TechniSat DVB\bin\Server4PC.exe

C:\Programme\CA\eTrust Antivirus\InoRpc.exe

C:\Programme\CA\eTrust Antivirus\InoRT.exe

C:\Programme\CA\eTrust Antivirus\InoTask.exe

C:\Programme\CA\SharedComponents\CA_LIC\LogWatNT.exe

C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe

C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

C:\Programme\Internet Explorer\IEXPLORE.EXE

C:\PROGRA~1\FlashGet\flashget.exe

C:\HJT\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://195.225.176.14/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.225.176.14/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.225.176.14/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://195.225.176.14/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.225.176.14/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://195.225.176.14/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.225.176.14/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://195.225.176.14/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://195.225.176.14/ie

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://195.225.176.14/ie

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.225.176.14/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.225.176.14/

F0 - system.ini: Shell=Explorer.exe monitor.exe

F2 - REG:system.ini: Shell=Explorer.exe monitor.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll

O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [Dit] Dit.exe

O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s

O4 - HKLM\..\Run: [CHotkey] mHotkey.exe

O4 - HKLM\..\Run: [PCMService] "C:\Programme\Medion Home Cinema XL II\PowerCinema\PCMService.exe"

O4 - HKLM\..\Run: [AntivirusRegistration] C:\Programme\Excid.com Aps\eTrust Antivirus Registration\EzAntivirusRegistrationCheck.exe

O4 - HKLM\..\Run: [PRISMSTA.EXE] PRISMSTA.EXE START

O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [kX Mixer] C:\WINDOWS\System32\kxmixer.exe --startup

O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe

O4 - HKLM\..\Run: [THGuard] C:\Programme\TrojanHunter 3.9\THGuard.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [monitor] Explorer.exe monitor.exe

O4 - Global Startup: Kontrollfeld für die kabellose Tastatur.lnk = C:\WINDOWS\CNYHKey.exe

O4 - Global Startup: Server4PC.lnk = C:\Programme\TechniSat DVB\bin\Server4PC.exe

O8 - Extra context menu item: Alles mit FlashGet laden - C:\PROGRA~1\FlashGet\jc_all.htm

O8 - Extra context menu item: Mit FlashGet laden - C:\PROGRA~1\FlashGet\jc_link.htm

O9 - Extra button: ICQ Lite (HKLM)

O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: FlashGet (HKLM)

O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O9 - Extra button: MedionShop (HKCU)

O13 - DefaultPrefix: http://195.225.176.14/pre.pl?

O13 - WWW Prefix: http://195.225.176.14/pre.pl?

O14 - IERESET.INF: START_PAGE_URL=http://www.aldi.com

O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200404...meInstaller.exe

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall-Kontrolle) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...37884.393599537

 

Thanks for your work,

seymour

Share this post


Link to post
Share on other sites

Try adaware. www.lavasoft.com. :wave:

Share this post


Link to post
Share on other sites

I already did...

 

I tried Ad-Aware, Spybot, eTrust, CWSShredder but none worked finally.

After the elimination the CWS came back.

Edited by seymour

Share this post


Link to post
Share on other sites

OK, try first downloading SpywareBlaster from www.javacoolsoftware.com. Use 'Tools' - 'Browser Options', which will show the hijacker. Delete and put your own pages back in. This should hold your pages in place temporarily. Download the patch from Microsoft security updates (Q831167). If your pages reset to the hijacker, do the process again and download the whole Explorer package, and when prompted if you want to use the new version click yes. I did this and it worked, replaced the hijacker start, home, default pages and search assistant, and the hijacker hasn't come back. It's certainly worth a try. Run your antispyware programs at the end to remove anything left lurking! Good luck :thumbsup:

Share this post


Link to post
Share on other sites

I tried to get the start and search pages turned back to about:blank manually before, and I tried a second time with SpywareBlaster now, but although I didn't allow the change back to the CWS page through TeaTimer, it changes back to the CWS pages before I'm finished with getting them to about:blank.

 

When I tried to execute the Microsoft patch I was reminded that that is the patch for a 64-bit XP which is not mine.

 

Anyway, thanks for some first help, I'm looking forward to some more! ;)

Share this post


Link to post
Share on other sites

Did you try re-installing Explorer?

Also get Microsoft to scan for critical updates.

Edited by jedi

Share this post


Link to post
Share on other sites

Neither brought any solution.

I have all current security updates, and a reinstallation of Internet Explorer didn't work either.

Share this post


Link to post
Share on other sites

Restart computer in Safe mode!

 

Open Taskmanager:

If "monitor.exe" is active, terminate the process.

 

Find and delete:

WINDOWS\monitor.exe file

 

In hijackthis fix checked:

 

*All- R1/R0/F0/F2/ lines

*O4 - HKCU\..\Run: [monitor] Explorer.exe monitor.exe

*All-O13 - lines

 

Reboot to normal mode, run HijackThis again and compare to the pointed entries; fix checked any that turned up again.

Run and post new log!

Share this post


Link to post
Share on other sites
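The comparison step from the instructions above (fix the R0/R1, F0/F2, O13 and linked O4 entries, then check a fresh log for any that return), as an added example that is not part of the original thread. The bare-IP test for R0/R1 lines and all function names are assumptions; the sample lines are excerpted from the two logs posted here.

```python
import re
from urllib.parse import urlparse

# Lines excerpted from the two HijackThis logs posted in this thread.
LOG_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://195.225.176.14/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://195.225.176.14/ie
F2 - REG:system.ini: Shell=Explorer.exe monitor.exe
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKCU\..\Run: [monitor] Explorer.exe monitor.exe
O13 - DefaultPrefix: http://195.225.176.14/pre.pl?
"""
LOG_AFTER = r"""
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O14 - IERESET.INF: START_PAGE_URL=http://www.aldi.com
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")

def parse(log):
    """Return (code, text) pairs for every HijackThis entry line."""
    return [m.groups() for m in map(ENTRY.match, log.splitlines()) if m]

def shell_extras(entries):
    """Programs chained after Explorer.exe in an F0/F2 Shell= value."""
    extras = set()
    for code, text in entries:
        if code in ("F0", "F2") and "Shell=" in text:
            extras.update(p.lower() for p in text.split("Shell=", 1)[1].split()[1:])
    return extras

def flag(log):
    """R0/R1 pointing at a bare IP (assumed heuristic), F0/F2, O13, and linked O4 entries."""
    entries = parse(log)
    extras = shell_extras(entries)
    hits = []
    for code, text in entries:
        ip_url = code in ("R0", "R1") and IPV4.fullmatch(urlparse(text.rpartition(" = ")[2]).hostname or "")
        # Whole-token match, so "[Realtime Monitor] ...realmon.exe" is not mistaken for monitor.exe.
        tokens = {t.lower() for t in re.split(r"[\s\\]+", text)}
        if ip_url or code in ("F0", "F2", "O13") or (code == "O4" and tokens & extras):
            hits.append(f"{code} - {text}")
    return hits

def persisting(before, after):
    """Entries flagged in the first log that turn up again in the follow-up log."""
    after_lines = {f"{c} - {t}" for c, t in parse(after)}
    return sorted(set(flag(before)) & after_lines)
```

An empty result from `persisting` corresponds to the outcome in the follow-up log posted below, where none of the fixed entries returned.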

First, I didn't find any monitor.exe in the Windows folder (there was also a message when I started up my computer that there is no monitor.exe), BUT after I proceeded through the other steps and after a second reboot the CWS seems to be destroyed!!!

 

I did another check with Spybot and removed some final things

 

Here is my final log one more time:

 

Logfile of HijackThis v1.97.7

Scan saved at 16:14:35, on 29.06.2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\WINDOWS\System32\RunDll32.exe

C:\WINDOWS\Dit.exe

C:\PROGRA~1\CA\ETRUST~1\realmon.exe

C:\WINDOWS\mHotkey.exe

C:\Programme\Medion Home Cinema XL II\PowerCinema\PCMService.exe

C:\WINDOWS\System32\PRISMSTA.EXE

C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe

C:\WINDOWS\System32\kxmixer.exe

C:\WINDOWS\System32\taskswitch.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Programme\Spybot - Search & Destroy\TeaTimer.exe

C:\WINDOWS\CNYHKey.exe

C:\Programme\TechniSat DVB\bin\Server4PC.exe

C:\WINDOWS\DitExp.exe

C:\Programme\CA\eTrust Antivirus\InoRpc.exe

C:\Programme\CA\eTrust Antivirus\InoRT.exe

C:\Programme\CA\eTrust Antivirus\InoTask.exe

C:\Programme\CA\SharedComponents\CA_LIC\LogWatNT.exe

C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe

C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

C:\Programme\Internet Explorer\IEXPLORE.EXE

C:\Programme\Spybot - Search & Destroy\SpybotSD.exe

C:\HJT\HijackThis.exe

 

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll

O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [Dit] Dit.exe

O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s

O4 - HKLM\..\Run: [CHotkey] mHotkey.exe

O4 - HKLM\..\Run: [PCMService] "C:\Programme\Medion Home Cinema XL II\PowerCinema\PCMService.exe"

O4 - HKLM\..\Run: [AntivirusRegistration] C:\Programme\Excid.com Aps\eTrust Antivirus Registration\EzAntivirusRegistrationCheck.exe

O4 - HKLM\..\Run: [PRISMSTA.EXE] PRISMSTA.EXE START

O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [kX Mixer] C:\WINDOWS\System32\kxmixer.exe --startup

O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe

O4 - Global Startup: Kontrollfeld für die kabellose Tastatur.lnk = C:\WINDOWS\CNYHKey.exe

O4 - Global Startup: Server4PC.lnk = C:\Programme\TechniSat DVB\bin\Server4PC.exe

O8 - Extra context menu item: Alles mit FlashGet laden - C:\PROGRA~1\FlashGet\jc_all.htm

O8 - Extra context menu item: Mit FlashGet laden - C:\PROGRA~1\FlashGet\jc_link.htm

O9 - Extra button: ICQ Lite (HKLM)

O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: FlashGet (HKLM)

O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O9 - Extra button: MedionShop (HKCU)

O14 - IERESET.INF: START_PAGE_URL=http://www.aldi.com

O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200404...meInstaller.exe

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall-Kontrolle) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...37884.393599537

 

It seems to be all done. If not please correct me.

And a big THANKS to you!!! You're doing a great job!

Share this post


Link to post
Share on other sites

Glad we could help :D

 

 

As this problem has been resolved the topic will be closed. If you need this topic reopened, please click here to email the moderating team - be sure to include the address of the thread and the name you posted under.

Share this post


Link to post
Share on other sites
This topic is now closed to further replies.