• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
Guru

CWS - very persistent

2 posts in this topic

Hi,

 

I have a few different malware that I simply can't get rid of even though I have tried CWSShredder, Ad-aware, Pest-Patrol and Spybot.

 

On of them is CoolWebSearch.

 

Before I found this great site I tried a few things that might have made it more difficult to get rid of all the malware but I hope you can help me anyway.

 

THE SITUATION:

Around 2 weeks ago I noticed the first problems and now I have done this:

1) checked with Pest-patrol (older version) - found and removed some stuff but it reappeared.

 

2) Got tired of ie and installed the new version of Mozilla Firefox in the hope that I wouldn't be troubled there. Uninstalled ie at the same time (as much as it does through the 'add/remove windows components).

 

3) Last week I downloaded and installed Ad-aware and Spybot and since then I have run them both several times and often found the same malware. I let those 2 programs remove it just to find it in full action again after a few hours. I have rebooted my pc after each removal.

 

4) I then tried CWSShredder and 2 times it has removed CWS.Searchx for me but it still reappears after sometime. I have rebooted my pc after each removal.

 

5) Now I give up and hope you can help me. Belowe you post the HijackThis log and the Ad-aware log (run before the HijackThis but I didn't remove anything)

 

 

HIJACKTHIS LOG:

 

Logfile of HijackThis v1.97.7

Scan saved at 16:59:47, on 28-06-2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\System32\brsvc01a.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\brss01a.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\RUNDLL32.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Daemon\daemon.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

D:\Applications\Utopia\Angel.exe

C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

C:\Program Files\Logitech\SetPoint\kem.exe

D:\INSTALLED STUFF\Trillian\trillian.exe

C:\PROGRAM FILES\LOGITECH\SETPOINT\KHALMNPR.EXE

C:\WINDOWS\System32\devldr32.exe

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

C:\WINDOWS\System32\CTSvcCDA.EXE

D:\INSTALLED STUFF\Protein Folding\distribfold\foldtrajlite.exe

C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\system32\srvany.exe

C:\WINDOWS\system32\resetservice.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE

C:\Program Files\Overnet\overnet.exe

C:\HJT\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\JANFEJ~1\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\JANFEJ~1\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\JANFEJ~1\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\JANFEJ~1\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\JANFEJ~1\LOCALS~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\JANFEJ~1\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O1 - Hosts: 64.24.234.120 swirve.com # Added by Utopia Angel

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE

O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\Daemon\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\CloneCD\ElbyCheck.exe" /L ElbyCDFL

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [utopia Angel] "D:\Applications\Utopia\Angel.exe"

O4 - Startup: Trillian.lnk = ?

O4 - Global Startup: BTTray.lnk = ?

O4 - Global Startup: Logitech SetPoint.lnk = ?

O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: Opslag (HKLM)

O9 - Extra button: @btrez.dll,-4015 (HKLM)

O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 (HKLM)

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_42.cab

O16 - DPF: {3D2CB570-D425-11D5-ABD0-00008369C46F} (CSMenu Class) - https://netbank.bgbank.dk/html/activex/BG/Menu.cab

O16 - DPF: {55F2FE00-C6E1-11D4-84BC-009027889212} (Seagate DiscWizard English) - http://www.seagate.com/support/disc/asp/dw...in/npdscwiz.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.bgbank.dk/html/activex/e-Sa...G/e-Safekey.cab

 

 

 

AD-AWARE LOG: (without the running processes as they are in the HijackThis log)

 

Memory scan result :

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

New objects : 0

Objects found so far: 0

 

 

Started registry scan

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

 

Registry scan result :

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

New objects : 0

Objects found so far: 0

 

 

Started deep registry scan

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Pageabout:blank

 

Possible Browser Hijack attempt Object recognized!

Type : RegData

Data : "about:blank"

Rootkey : HKEY_CURRENT_USER

Object : Software\Microsoft\Internet Explorer\Main

Value : Start Page

Data : "about:blank"

 

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Pageabout:blank

 

Possible Browser Hijack attempt Object recognized!

Type : RegData

Data : "about:blank"

Rootkey : HKEY_LOCAL_MACHINE

Object : Software\Microsoft\Internet Explorer\Main

Value : Start Page

Data : "about:blank"

 

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainSearch Pagetemp\sp.html

 

Possible Browser Hijack attempt Object recognized!

Type : RegData

Data : "file://C:\DOCUME~1\JANFEJ~1\LOCALS~1\Temp\sp.html"

Rootkey : HKEY_CURRENT_USER

Object : Software\Microsoft\Internet Explorer\Main

Value : Search Page

Data : "file://C:\DOCUME~1\JANFEJ~1\LOCALS~1\Temp\sp.html"

 

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainSearch Bartemp\sp.html

 

Possible Browser Hijack attempt Object recognized!

Type : RegData

Data : "file://C:\DOCUME~1\JANFEJ~1\LOCALS~1\Temp\sp.html"

Rootkey : HKEY_CURRENT_USER

Object : Software\Microsoft\Internet Explorer\Main

Value : Search Bar

Data : "file://C:\DOCUME~1\JANFEJ~1\LOCALS~1\Temp\sp.html"

 

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\SearchSearchAssistanttemp\sp.html

 

Possible Browser Hijack attempt Object recognized!

Type : RegData

Data : "file://C:\DOCUME~1\JANFEJ~1\LOCALS~1\Temp\sp.html"

Rootkey : HKEY_CURRENT_USER

Object : Software\Microsoft\Internet Explorer\Search

Value : SearchAssistant

Data : "file://C:\DOCUME~1\JANFEJ~1\LOCALS~1\Temp\sp.html"

 

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainSearch Pagetemp\sp.html

 

Possible Browser Hijack attempt Object recognized!

Type : RegData

Data : "file://C:\DOCUME~1\JANFEJ~1\LOCALS~1\Temp\sp.html"

Rootkey : HKEY_LOCAL_MACHINE

Object : Software\Microsoft\Internet Explorer\Main

Value : Search Page

Data : "file://C:\DOCUME~1\JANFEJ~1\LOCALS~1\Temp\sp.html"

 

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainSearch Bartemp\sp.html

 

Possible Browser Hijack attempt Object recognized!

Type : RegData

Data : "file://C:\DOCUME~1\JANFEJ~1\LOCALS~1\Temp\sp.html"

Rootkey : HKEY_LOCAL_MACHINE

Object : Software\Microsoft\Internet Explorer\Main

Value : Search Bar

Data : "file://C:\DOCUME~1\JANFEJ~1\LOCALS~1\Temp\sp.html"

 

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\SearchSearchAssistanttemp\sp.html

 

Possible Browser Hijack attempt Object recognized!

Type : RegData

Data : "file://C:\DOCUME~1\JANFEJ~1\LOCALS~1\Temp\sp.html"

Rootkey : HKEY_LOCAL_MACHINE

Object : Software\Microsoft\Internet Explorer\Search

Value : SearchAssistant

Data : "file://C:\DOCUME~1\JANFEJ~1\LOCALS~1\Temp\sp.html"

 

 

CoolWebSearch Object recognized!

Type : RegKey

Data :

Rootkey : HKEY_CLASSES_ROOT

Object : CLSID\{2129F864-A3BD-4FBC-8E8A-359AF7524EF7}

 

 

CoolWebSearch Object recognized!

Type : File

Data : lmmi.dll

Object : c:\windows\system32\

FileSize : 30 KB

Created on : 28-06-2004 11:34:53

Last accessed : 28-06-2004 14:12:48

Last modified : 28-06-2004 11:34:53

 

 

 

CoolWebSearch Object recognized!

Type : RegKey

Data :

Rootkey : HKEY_CLASSES_ROOT

Object : CLSID\{5B777822-6CE8-464B-9220-5A75C86B45A3}

 

 

CoolWebSearch Object recognized!

Type : RegKey

Data :

Rootkey : HKEY_CLASSES_ROOT

Object : CLSID\{D35B9CC3-4C99-4D19-951C-56E7351CB6F4}

 

 

CoolWebSearch Object recognized!

Type : RegKey

Data :

Rootkey : HKEY_CLASSES_ROOT

Object : CLSID\{E0E8A8E4-E874-49BE-A6F1-09AF2F06F92E}

 

 

CoolWebSearch Object recognized!

Type : RegKey

Data :

Rootkey : HKEY_CLASSES_ROOT

Object : PROTOCOLS\Filter\text/html

 

 

CoolWebSearch Object recognized!

Type : RegKey

Data :

Rootkey : HKEY_CLASSES_ROOT

Object : PROTOCOLS\Filter\text/plain

 

 

Deep registry scan result :

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

New objects : 14

Objects found so far: 15

 

 

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

 

 

Deep scanning and examining files (C:)

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

 

 

Performing conditional scans..

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

 

CoolWebSearch Object recognized!

Type : File

Data : sp.html

Object : c:\docume~1\janfej~1\locals~1\temp\

FileSize : 7 KB

Created on : 28-06-2004 11:34:56

Last accessed : 28-06-2004 14:42:43

Last modified : 28-06-2004 14:42:43

 

 

 

Conditional scan result:

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

New objects : 1

Objects found so far: 16

 

 

17:05:14 Scan complete

 

Summary of this scan

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Total scanning time :00:01:18:453

Objects scanned :45762

Objects identified :16

Objects ignored :0

New objects :16

Share this post


Link to post
Share on other sites
Sign in to follow this  
Followers 0