• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
gad_r

Am I infected with cool web search ?

9 posts in this topic

I have some problems with a trojan identified by CWSshredder, to belong to the CWS family...

 

After running the shredder and repeated attempts to reinstall IE6

I have managed to regain control of the default home site.

 

still any attempt to reach sites as yahoo, google, msn and many others is redirected to an ad selling spyware removal...

(http://www.e-shredder.com/)

 

from a little research I made it seems it is the MSSPI variant,

I tried a manual removal but got nowhere.

The current situation is like this:

there is no msspi file on my system...

CWSshredder keeps reporting an infected svchost service (as far as I got from the log).

looking in the internet connection chain settings on the registry (or with lspfix),

I have not found anything like msspi.dll

 

anybody got any idea what to do, not including a hard drive format...

 

many many thanks

Share this post


Link to post
Share on other sites

Please download hijackthis to its own folder like C:\hjt\, close all windows and browsers run it and post the log here.

Share this post


Link to post
Share on other sites
Please download hijackthis to its own folder like C:\hjt\, close all windows and browsers run it and post the log here.

 

I've run the hijack it util,

there are some entries in the registry, and internet settings that sould not be there,

is it safe to delete them (and will they be back in a second ? like the CSW plage).

hope it will tell you something about how to fix it...

 

here is my hijackthis log:

 

Logfile of HijackThis v1.98.0

Scan saved at 11:49:53 AM, on 08/07/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe

C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

C:\Program Files\Analog Devices\SoundMAX\Smax4.exe

C:\WINDOWS\System32\RUNDLL32.EXE

C:\Program Files\Microsoft IntelliType Pro\type32.exe

C:\Program Files\Microsoft IntelliPoint\point32.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe

C:\WINDOWS\system32\explorer.exe

C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

C:\WINDOWS\System32\ctfmon.exe

C:\WINDOWS\system32\explorer.exe

C:\WINDOWS\system32\winlogon.exe

C:\downloads\temp\hijak\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.tau.ac.il/tau.pac

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxym.tau.ac.il:8080

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {36D94354-B411-2B91-8056-61550DA12C68} - C:\WINDOWS\system32\lgjpiin.dll (disabled by BHODemon)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

O4 - HKLM\..\Run: [soundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe

O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\system32\explorer.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O15 - Trusted Zone: *.blazefind.com

O15 - Trusted Zone: *.flingstone.com

O15 - Trusted Zone: *.mt-download.com

O15 - Trusted Zone: *.searchbarcash.com

O15 - Trusted Zone: *.slotch.com

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/12f4352c5f8b4f...ip/RdxIE601.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{4BF27822-A0F3-4F6C-9203-385E7F7A468A}: NameServer = 132.66.32.38 132.66.16.2

Edited by gad_r

Share this post


Link to post
Share on other sites

gad_r wait a moment, we´re working in your log.

Share this post


Link to post
Share on other sites

Hello please download About:Buster Version 1.25 and unzip it to your desktop. Start it, hit Ok, Start, And Ok again to start the scan. It will generate a log. Post that log along with a new Hijack this log here.

Share this post


Link to post
Share on other sites

10x mmxx66 ,

finally got back to save my cumputer.

 

this is the about blaster log:

-- Scan 1 --------

About:Buster Version 1.27

Attempted Clean Of Temp folder.

Pages Reset... Done!

 

and here is another hijackthis log' wich looks the same to me:

 

Logfile of HijackThis v1.98.0

Scan saved at 12:48:52 AM, on 13/07/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe

C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

C:\Program Files\Analog Devices\SoundMAX\Smax4.exe

C:\WINDOWS\System32\RUNDLL32.EXE

C:\Program Files\Microsoft IntelliType Pro\type32.exe

C:\Program Files\Microsoft IntelliPoint\point32.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe

C:\WINDOWS\system32\explorer.exe

C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

C:\WINDOWS\system32\explorer.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\GetRight\getright.exe

C:\Program Files\GetRight\getright.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\downloads\temp\hijak\AboutBuster.exe

C:\Documents and Settings\Gadi\Desktop\AboutBuster.exe

C:\downloads\temp\hijak\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.tau.ac.il/tau.pac

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxym.tau.ac.il:8080

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {36D94354-B411-2B91-8056-61550DA12C68} - C:\WINDOWS\system32\lgjpiin.dll (disabled by BHODemon)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

O4 - HKLM\..\Run: [soundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe

O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\system32\explorer.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O15 - Trusted Zone: *.blazefind.com

O15 - Trusted Zone: *.flingstone.com

O15 - Trusted Zone: *.mt-download.com

O15 - Trusted Zone: *.searchbarcash.com

O15 - Trusted Zone: *.slotch.com

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/12f4352c5f8b4f...ip/RdxIE601.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{4BF27822-A0F3-4F6C-9203-385E7F7A468A}: NameServer = 132.66.32.38 132.66.16.2

Share this post


Link to post
Share on other sites

We have a new CWS variant here Wait moment please.

Edited by mmxx66

Share this post


Link to post
Share on other sites

hi and thanks again,

 

the vx2 log is as follows:

 

Log for VX2.BetterInternet File Finder

 

Files Found---

 

 

Guardian Key--- is called:

 

User Agent String---

Share this post


Link to post
Share on other sites

Move Hijack This out of the Temp folder.Click My Computer, then C:\

In the menu bar, File->New->Folder.

That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis". Now you have C:\HJT\ folder. Move hijack this there. Hijack this makes backups of everything you fix, these backups are saved in the same folder the program is.

 

Print out these instructions so you can read them while you clean your system.

 

Now close all open windows AND browsers and check these items for HJT to fix

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php

O2 - BHO: (no name) - {36D94354-B411-2B91-8056-61550DA12C68} - C:\WINDOWS\system32\lgjpiin.dll (disabled by BHODemon)

O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\system32\explorer.exe

 

If you set these restrictions yourself, using a program like Spybot Search & Destroy or SpywareGuard, or your system adminiostrator put these into place, leave the following two 06 items; otherwise, FIX them both with HijackThis:

 

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

 

 

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O15 - Trusted Zone: *.blazefind.com

O15 - Trusted Zone: *.flingstone.com

O15 - Trusted Zone: *.mt-download.com

O15 - Trusted Zone: *.searchbarcash.com

O15 - Trusted Zone: *.slotch.com

 

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/12f4352c5f8b4f...ip/RdxIE601.cab

 

Please reboot into safe mode - How do I boot into "Safe" mode?

Delete the folder

C:\WINDOWS\web

 

Delete the files

 

C:\WINDOWS\system32\explorer.exe<don´t worry it´s a bogus file.

C:\WINDOWS\system32\lgjpiin.dll

 

You may need to show hidden files to delete them.How to show all hidden and system files

 

Also delete the DIRECTORY CONTENTS (But not the directory)

* C:\Windows\Temp\

* C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <=This will delete all your cached internet content including cookies. This is recommended and strongly suggested.

* C:\Documents and Settings\<Your Profile>\Local Settings\Temp\

* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\

* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\

* Empty your "Recycle Bin".

 

Now disable System Restore, This can be done by following the Instructions for Your OS at http://www.vet.com.au/html/zoo/system_restore.htm.

 

restart, enable system restore and post a fresh log to give you further recommendations.

Share this post


Link to post
Share on other sites
Sign in to follow this  
Followers 0