colevalley

CWS and HSA Hijack

4 posts in this topic

My PC was hijacked by, I think, CWS and Home Search Assistant. I ran Ad-aware and it found and removed things. But the problem continued to return as soon as I rebooted. I ran CWShredder and it found nothing. I then loaded and ran Hijackthis and I used it to repair several things. Right now the problem has stopped. However, the HSA is still on my PC and I had to unenable the "Enable Third-Party Browser Extensions". As soon as I re-enable it, which is needed for example to use the Google toolbar, the hijack problem returns. I would like someone to review the following Hijackthis log to tell me if there is more that I can fix to completely get rid of this malicious pest. The log was generated with the "Enable Third-Party Browser Extensions" turned off.

 

Thanks.

 

Logfile of HijackThis v1.98.0

Scan saved at 12:46:26 PM, on 6/30/2004

Platform: Windows 2000 SP3 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\System32\ibmpmsvc.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\Roxio\GoBack\GBPoll.exe

C:\PROGRA~1\Iomega\System32\AppServices.exe

C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\System32\mspmspsv.exe

C:\WINNT\system32\svchost.exe

C:\Program Files\Iomega\AutoDisk\ADService.exe

C:\WINNT\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\SymTray.exe

C:\WINNT\System32\tp4serv.exe

C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe

C:\WINNT\System32\RunDll32.exe

C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

C:\Program Files\Iomega\AutoDisk\ADUserMon.exe

C:\Program Files\Iomega\DriveIcons\ImgIcon.exe

C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE

C:\PROGRA~1\ThinkPad\UTILIT~1\EZEJTRAY.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\PESTPA~1\PPControl.exe

C:\PROGRA~1\PESTPA~1\PPMemCheck.exe

C:\PROGRA~1\PESTPA~1\CookiePatrol.exe

C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsmnt.exe

C:\Program Files\D-Link AirPlus\WLANMON.exe

C:\Program Files\Roxio\GoBack\GBTray.exe

C:\pilot\HOTSYNC.EXE

C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE

C:\WINNT\system32\ntvdm.exe

C:\WINNT\System32\wuauclt.exe

C:\Program Files\Qualcomm\Eudora\Eudora.exe

C:\Downloads & Upgrades\Spyware Killers\Hijackthis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.attglobal.net/

R3 - Default URLSearchHook is missing

F0 - system.ini: Shell=

F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {AC06F490-A31B-E69E-5E88-AF21E0B00656} - C:\WINNT\system32\mfcfc32.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [TpHotkey] C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe

O4 - HKLM\..\Run: [bMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor

O4 - HKLM\..\Run: [bMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE

O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe

O4 - HKLM\..\Run: [iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe

O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART

O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE

O4 - HKLM\..\Run: [EZEJTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\EZEJTRAY.EXE

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [symTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg

O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe

O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe

O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe

O4 - HKLM\..\RunOnce: [symTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe

O4 - Startup: HotSync Manager 2.0.lnk = C:\pilot\HOTSYNC.EXE

O4 - Startup: HotSync Manager.lnk = C:\pilot\HOTSYNC.EXE

O4 - Startup: Norton System Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE

O4 - Global Startup: CleanSweep Smart Sweep-Internet Sweep.LNK = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsmnt.exe

O4 - Global Startup: D-Link AirPlus DWL-650+ Utility.lnk = C:\Program Files\D-Link AirPlus\WLANMON.exe

O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - (no file)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - (no file)

O16 - DPF: axscanner - http://www.pestscan.com/scanner/axscanner.cab

O16 - DPF: axscannerruntime - http://www.pestscan.com/scanner/axscannerruntime.cab

O16 - DPF: mscomctl - http://www.pestscan.com/scanner/mscomctl.cab

O16 - DPF: msvcp71 - http://download.pestpatrol.com/Downloads/C...nts/msvcp71.cab

O16 - DPF: msvcr71 - http://download.pestpatrol.com/Downloads/C...nts/msvcr71.cab

O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab

O16 - DPF: Yahoo! Backgammon - http://download.games.yahoo.com/games/clients/y/at0_x.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe

O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab

O16 - DPF: {638AF6A2-81A1-4655-9FFA-9FC09CDE22CF} (CScanner Object) - http://www.pestscan.com/scanner/ppctlcab.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab

O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse.one.microsoft.com/oas/A...eX/FileXfer.cab

O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.cab

O16 - DPF: {E598AC61-4C6F-4F4D-877F-FAC49CA91FA3} (acpRunner Class) - https://www-3.ibm.com/pc/support/access/asl.../AcpControl.cab

O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab

O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} - https://liveca06.custhelp.com/6006-b266h/rnl/java/RntX.cab

O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} -

O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - (no file)


Run a new HijackThis scan and mark these items for removal:

 

R3 - Default URLSearchHook is missing

 

O2 - BHO: (no name) - {AC06F490-A31B-E69E-5E88-AF21E0B00656} - C:\WINNT\system32\mfcfc32.dll

 

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe

 

O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} -

 

Make sure all browser and Windows Explorer windows are closed, and click on Fix Checked.

 

Close HJT when done.

 

Reboot your computer, open Windows Explorer and delete this file:

 

C:\WINNT\system32\mfcfc32.dll

 

Now, re-enable Third-Party Browser Extensions.

 

Post a followup HijackThis log with Third-Party Browser Extensions enabled, and say if your problems persist.

Edited by Fireflyer
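
As an added illustration (not part of the original posts, and not the helper's stated method), the Python sketch below parses HijackThis v1.98 log lines and flags O2 and O16 entries that share the traits of the items marked for removal above: a BHO registered with no class name, and a CLSID-only DPF entry whose source is empty or not a .cab file. The heuristics and the names `parse` and `triage` are assumptions; the sample lines are copied from the log in the first post.

```python
import re

# Sample lines copied from the HijackThis v1.98 log in the first post.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AC06F490-A31B-E69E-5E88-AF21E0B00656} - C:\WINNT\system32\mfcfc32.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} - https://liveca06.custhelp.com/6006-b266h/rnl/java/RntX.cab
O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} -
"""

ENTRY = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.*)$")
CLSID = r"\{[0-9A-Fa-f-]{36}\}"
BHO = re.compile(rf"^BHO: (?P<name>.+?) - (?P<clsid>{CLSID}) - (?P<path>.*)$")
DPF = re.compile(rf"^DPF: (?P<clsid>{CLSID})(?: \((?P<name>[^)]*)\))? -\s*(?P<src>.*)$")

def parse(log):
    """Yield (code, body) for every 'Xn - ...' entry; other lines are skipped."""
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m["code"], m["body"]

def triage(log):
    """Return (code, clsid, target, reason) for entries worth a manual look.

    Assumed heuristics (not HijackThis's or the helper's own rules):
      O2  - a Browser Helper Object registered with no class name
      O16 - a CLSID-only download whose source is empty or not a .cab
    """
    findings = []
    for code, body in parse(log):
        if code == "O2" and (m := BHO.match(body)):
            if m["name"] == "(no name)":
                findings.append((code, m["clsid"], m["path"], "unnamed BHO"))
        elif code == "O16" and (m := DPF.match(body)):
            src = m["src"].strip()
            if m["name"] is None and not src.lower().endswith(".cab"):
                reason = "DPF with no source" if not src else "DPF source is not a .cab"
                findings.append((code, m["clsid"], src, reason))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(" | ".join(finding))
```

A flagged entry is a prompt for manual review, not a verdict; legitimate software can also register unnamed BHOs.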

I have the same problem as the above guy... but this is what I got from HijackThis:

 

Logfile of HijackThis v1.98.0

Scan saved at 9:14:02 PM, on 7/8/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\System32\drivers\CDAC11BA.EXE

C:\WINDOWS\System32\inetsrv\inetinfo.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Norton SystemWorks\Norton Utilities\NProtect.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\PROGRA~1\NORTON~3\SPEEDD~1\nopdb.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Microsoft Hardware\Mouse\point32.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\NORTON~3\WinFax\WFXSWTCH.exe

C:\WINDOWS\System32\wfxsnt40.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\AIM95\aim.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\System32\taskmgn.exe

C:\Documents and Settings\Family\Desktop\hijackthis\HijackThis.exe

C:\Program Files\Internet Explorer\iexplore.exe

 

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {85CBFDE0-B26B-4EE5-BD3C-4DE111DE763E} - C:\WINDOWS\System32\winnet.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~2\AdvTools\ADVCHK.EXE

O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\NORTON~3\WinFax\WFXSWTCH.exe

O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - Startup: Norton Disk Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\NDD32.EXE

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/exterior/Outside.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{A5FA5263-5044-4D18-B44D-2DEFD6190341}: NameServer = 134.124.15.136 134.124.15.13

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

O18 - Protocol: x-excid - {9D6CC632-1337-4A33-9214-2DA092E776F4} - C:\WINDOWS\DOWNLO~1\mimectl.dll


mrman,

 

Don't think I'm insensitive to your problems, but please read the FAQ and the LARGE RED TYPE at the top of the page that says:

 

DO NOT POST YOUR LOG FILE INTO SOMEONE ELSE'S TOPIC! START YOUR OWN.

 

Help us help you.
