• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
jessadam

Hijacked by CoolWebSearch (new variant?)

4 posts in this topic

Hi there,

 

My computer (Windows XP with SP1 and all updates current) has been hijacked by CWS. I suspect this is a new variant, as I have done extensive research and cannot find the exact problems or filenames described anywhere. The main symptoms are:

 

- Home page defaults to res://hcydl.dll/index.html#[nnnn], regardless of the home page listed in IE Settings.

 

- Pop-Up Killer is disabled.

 

- Google search (through toolbar or web page) brings up an additional page with links to various CSW search tools and/or several popups advertising removal tools. Most of them have "search-all-fast" somewhere in the page title.

 

I have read and followed the FAQ and the removal instructions, with no luck. I have run current versions of the following:

 

- Hijack This (see below)

 

- Ad-aware (finds a CWS process named "C:\Windows\netnh.exe and 7 CWS registry entries -- it claims to fix them, but they keep reappearing)

 

- SpyBot S&D (finds 5 "DSO Exploit" entries -- it claims to fix them but they keep reappearing)

 

- CWShredder (claims my system is clean)

 

- Antivirus, and various other spyware tools, all of which either find nothing or are incapable of fixing/cleaning what they find.

 

Following is the HijackThis log. Any help or suggestions will be much appreciated. At this stage, reformatting is looking like an attractive option. Thanks in advance.

 

Logfile of HijackThis v1.98.0

Scan saved at 10:33:02 AM, on 6/30/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\Atievxx.exe

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\netnh.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\msxz32.exe

C:\PROGRA~1\SecCopy\SecCopy.exe

C:\Documents and Settings\Adam Rovner\Desktop\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hcydl.dll/sp.html#37794

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://hcydl.dll/index.html#37794

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://hcydl.dll/index.html#37794

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\hcydl.dll/sp.html#37794

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hcydl.dll/sp.html#37794

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://hcydl.dll/index.html#37794

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm

R3 - Default URLSearchHook is missing

F0 - system.ini: Shell=

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {13B849C1-8710-E1DB-94A7-65402EF986A8} - C:\WINDOWS\system32\ipqj32.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar2.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar2.dll

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [msxz32.exe] C:\WINDOWS\msxz32.exe

O4 - HKCU\..\Run: [second Copy 2000] "C:\PROGRA~1\SecCopy\SecCopy.exe"

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar2.dll/cmtrans.html

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab

Share this post


Link to post
Share on other sites

Hello jessadam,

 

Can you please send me the following files as a zipped package please:

 

hcydl.dll

ipqj32.dll

msxz32.exe

 

Please send them to this e-mail address

 

Once you do that, please follow the instructions below:

 

First: With all other browsers closed, please fix the following items:

 

R3 - Default URLSearchHook is missing

F0 - system.ini: Shell=

 

Reboot, and follow the instructions below:

 

Second: Run HijackThis again and place a check beside each of the following items. Once done click the fix checked button:

 

O2 - BHO: (no name) - {13B849C1-8710-E1DB-94A7-65402EF986A8} - C:\WINDOWS\system32\ipqj32.dll

O4 - HKLM\..\Run: [msxz32.exe] C:\WINDOWS\msxz32.exe

 

Download About:Buster from either of the following locations.

 

http://www.atribune.org/downloads/AboutBuster.zip

http://tools.zerosrealm.com/AboutBuster.zip

 

Make sure you have printed this page and close ALL Internet Explorer windows. This is a very important step!! Run AboutBuster.exe, click OK, then start, then OK. Make a copy of the log once it finishes. Then run aboutbuster.exe again. Make a copy of that log. Reboot, and post a new HijackThis log along with the two reports from About:Buster.

 

Good Luck :)

Edited by splintercell990

Share this post


Link to post
Share on other sites

Hi,

 

I followed your instructions precisely, but it does not seem to have helped (except the file names are different now). The "R3 - Default URLSearchHook is missing" and "FO - system.ini: Shell=" entries were right back in HijackThis as soon as I ran it again after fixing them. Was I supposed to fix them again after the reboot?

 

Here are the logs:

 

New HijackThis log:

 

Logfile of HijackThis v1.98.0

Scan saved at 2:59:00 PM, on 6/30/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\PROGRA~1\SecCopy\SecCopy.exe

C:\WINDOWS\System32\Atievxx.exe

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\netwf.exe

C:\WINDOWS\system32\crpu.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Documents and Settings\Adam Rovner\Desktop\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\epzpi.dll/sp.html#37794

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://epzpi.dll/index.html#37794

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://epzpi.dll/index.html#37794

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\epzpi.dll/sp.html#37794

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\epzpi.dll/sp.html#37794

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://epzpi.dll/index.html#37794

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm

R3 - Default URLSearchHook is missing

F0 - system.ini: Shell=

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {84A6699D-3390-E792-6F21-462788E62709} - C:\WINDOWS\apiss.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar2.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar2.dll

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [crpu.exe] C:\WINDOWS\system32\crpu.exe

O4 - HKLM\..\RunOnce: [netwf.exe] C:\WINDOWS\netwf.exe

O4 - HKCU\..\Run: [second Copy 2000] "C:\PROGRA~1\SecCopy\SecCopy.exe"

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar2.dll/cmtrans.html

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab

 

 

First About:Buster log:

 

About:Buster Version 1.23

Removed! : C:\WINDOWS\basdqb.dat

Removed! : C:\WINDOWS\caxaaj.dat

Removed! : C:\WINDOWS\hcydl.dll

Removed! : C:\WINDOWS\ipzy.exe

Removed! : C:\WINDOWS\ldkorp.dat

Removed! : C:\WINDOWS\mqvnw.dat

Removed! : C:\WINDOWS\msxz32.exe

Removed! : C:\WINDOWS\mvpqb.dat

Removed! : C:\WINDOWS\nctpid.dat

Attempted Clean Of Temp folder.

Removed LEGACY___NS_Service_3 Key

Removed __NS_Service_3 Key

Removed Uninstall Key (HSA)

Removed Uninstall Key (SE)

Removed Uninstall Key (SW)

Pages Reset... Done!

 

 

Second About:Buster log:

 

About:Buster Version 1.23

Attempted Clean Of Temp folder.

Removed LEGACY___NS_Service_3 Key

Pages Reset... Done!

Share this post


Link to post
Share on other sites
Sign in to follow this  
Followers 0