• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0


2 posts in this topic

I have a nasty variant of a CWS infection. Besides hijacking my home page in IE to the address listed in the title, it seems to be blocking my download of HijackThis and my access to the merijin site as well as my access to the hijack article mentioned in your FAQ, http://www.spywareinfo.com/articles/hijacked/#removal


So, I haven't been able to read that document, and may well be making errors in my posting -- leaving out stuff, including useless info, etc. Bear with me please, I will correct anything brought to my attention.


The folks at HP Instant Support were able to email me copies of Ad-aware 6.0 and HijackThis. Running them according to HP's instructions did not solve my problem, however. My log from HijackThis follows.


While checking other threads for similar problems I encountered fmango's post and Autodad's response. If Autodad's response is applicable to my situation, I can follow it and save somebody some time. Let me know.


Thanks in advance for any help offered.


Logfile of HijackThis v1.97.7

Scan saved at 3:28:17 PM, on 7/5/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


Running processes:







C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe


C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe



C:\Program Files\Norton AntiVirus\navapsvc.exe


C:\Program Files\Norton AntiVirus\SAVScan.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe




C:\Program Files\Common Files\Symantec Shared\ccApp.exe


C:\Program Files\Outlook Express\msimn.exe

C:\Program Files\Internet Explorer\iexplore.exe



R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qbcqv.dll/sp.html#27063

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://qbcqv.dll/index.html#27063

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://qbcqv.dll/index.html#27063

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qbcqv.dll/sp.html#27063

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://qbcqv.dll/index.html#27063

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\qbcqv.dll/sp.html#27063

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: (no name) - {B82F7027-29C0-F4B5-B656-3805CE1E8738} - C:\WINDOWS\system32\winlj.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll


O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize


O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [nethq32.exe] C:\WINDOWS\nethq32.exe

O4 - HKLM\..\RunOnce: [apivf.exe] C:\WINDOWS\apivf.exe

O4 - HKLM\..\RunOnce: [crjh32.exe] C:\WINDOWS\system32\crjh32.exe

O4 - HKLM\..\RunOnce: [aping32.exe] C:\WINDOWS\system32\aping32.exe

O4 - HKLM\..\RunOnce: [atlvu.exe] C:\WINDOWS\atlvu.exe

O4 - HKLM\..\RunOnce: [crwb.exe] C:\WINDOWS\system32\crwb.exe

O4 - HKLM\..\RunOnce: [addrb.exe] C:\WINDOWS\system32\addrb.exe

O4 - HKLM\..\RunOnce: [atlgf.exe] C:\WINDOWS\atlgf.exe

O4 - HKLM\..\RunOnce: [netrq32.exe] C:\WINDOWS\netrq32.exe

O4 - HKLM\..\RunOnce: [ipwp32.exe] C:\WINDOWS\ipwp32.exe

O4 - HKLM\..\RunOnce: [atlkv.exe] C:\WINDOWS\atlkv.exe

O4 - HKLM\..\RunOnce: [javaon.exe] C:\WINDOWS\system32\javaon.exe

O4 - HKLM\..\RunOnce: [d3mp.exe] C:\WINDOWS\system32\d3mp.exe

O4 - HKLM\..\RunOnce: [ntib.exe] C:\WINDOWS\ntib.exe

O4 - HKLM\..\RunOnce: [added.exe] C:\WINDOWS\system32\added.exe

O4 - HKLM\..\RunOnce: [nthn32.exe] C:\WINDOWS\system32\nthn32.exe

O4 - HKLM\..\RunOnce: [mfcvi.exe] C:\WINDOWS\mfcvi.exe

O4 - HKLM\..\RunOnce: [appwi.exe] C:\WINDOWS\appwi.exe

O4 - HKLM\..\RunOnce: [netip32.exe] C:\WINDOWS\system32\netip32.exe

O4 - HKLM\..\RunOnce: [addmh.exe] C:\WINDOWS\system32\addmh.exe

O4 - HKLM\..\RunOnce: [apiti32.exe] C:\WINDOWS\apiti32.exe

O4 - HKLM\..\RunOnce: [d3af32.exe] C:\WINDOWS\d3af32.exe

O4 - HKLM\..\RunOnce: [ipoz32.exe] C:\WINDOWS\ipoz32.exe

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: MktBrowser (HKLM)

O9 - Extra 'Tools' menuitem: MarketBrowser (HKLM)

O9 - Extra button: PartyPoker.com (HKLM)

O9 - Extra 'Tools' menuitem: PartyPoker.com (HKLM)

O9 - Extra button: MoneySide (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: msvcp71 - http://download.pestpatrol.com/Downloads/C...nts/msvcp71.cab

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7879.6108564815

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

Share this post

Link to post
Share on other sites

Woo-hoo, I got lucky! I used a combination of Ad-aware, Spybot, SpySubtract, and Hijackthis and I'm clean. At least for the moment. No need for any help just now (fingers crossed).


Thanks anyhow for all the tutorials and other help in getting me up to speed on keeping malware out of my computer.

Share this post

Link to post
Share on other sites
Sign in to follow this  
Followers 0