• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
Dean F

IE6SP1 crashing after CWS infection

2 posts in this topic

After removing a piece of CoolWebSearch scumware from my PC two weeks ago, my IE6SP1 crashes (disappears from the screen with no error message taking all other open IE6 windows with it) whenever:


1) I click 'send' on hotmail;

2) I click 'post' on microsoft community forums

3) I click the 'Windows XP' link on windows update under the 'pick updates to install' menu. Strangely enough, clicking 'critical' and 'drivers' updates does not cause the same crash - I can review and download these at my leisure.


Have read the FAQ, run an up-to-date Norton scan in Safe Mode, run Spybot, CWShredder and AdAware - and nothing is found, apart from Spybot which comes up with its usual:

"DSO Exploit" bug and a warning about Download Accelerator adverts, neither of which I believe ought to affect the workings of internet explorer? In addition, I have reinstalled IE6, but even this didn't solve my problem.


I have an Microsoft technician helping me out at the moment, although nothing he's suggested has worked (i.e. what I've said I've tried above).


Does anyone have any ideas as to what to try next? It's a small, but rather irritating problem as there may be Windows XP Home updates that I might want to download - but I can't find out what they are!


Any advice would be gratefully received.


Thanks for your time,




PS. I was advised on the Microsoft community forums (which luckily i can post to from my pc at work) to paste my logfile here.



Logfile of HijackThis v1.97.7

Scan saved at 15:12:19, on 09/07/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


Running processes:








C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe




C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe



C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Microsoft Office\Office\OSA.EXE

C:\Program Files\BTopenworld\DialBTISurfTime.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Outlook Express\msimn.exe

C:\Documents and Settings\Dan\My Documents\My Downloads\Spyware\HijackThis.exe


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer

provided by BTopenworld

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -


O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} -


O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program

Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program


O4 - HKLM\..\Run: [WinInit] Win86.exe

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\Updreg.exe

O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot

O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\Common Files\Sonic\Update

Manager\sgtray.exe" /r


O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE

O4 - Startup: PowerReg Scheduler.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe

O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm

O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: Run DAP (HKLM)

O9 - Extra button: Yahoo! Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: cpcScanner -

O16 - DPF: {161A7465-FEEE-4B40-8A85-ED752B93F73E} - file://E:\IntraLaunch.CAB

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -


O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) -


O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) -http://download.yahoo.com/dl/installs/yinst0309.cab

O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) -


O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) -


O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -


O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) -https://webresponse.one.microsoft.com/oas/ActiveX/FileXfer.cab

O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class)-


O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) -


O17 - HKLM\System\CCS\Services\Tcpip\..\{EC517488-3F26-4BDA-883B-B6855336A212}: NameServer =

Share this post

Link to post
Share on other sites

Problem solved.


Caused by a Trojan that neither Norton, nor any online virus scan was able to detect. Found the file lsd_f3.dll in the c:\windows\system32 folder, which was running within explorer and winlogon.exe. This explains why reinstalling IE6SP1 and the MSScript engine had no effect.


Removing all registry entries pertaining to this, the associated files it had created and rebooting has solved the problem. Am writing this in case anyone else gets stung in the same way as it's taken a loooong time to sort out :)


For more info, type "lsd_f3" into Google and read the first ten or so hits - should provide you with enough info to sort it out yourself if you feel confident.


If not, check:



Share this post

Link to post
Share on other sites
This topic is now closed to further replies.
Sign in to follow this  
Followers 0