Jump to content


CoolWeb Hijack??

  • Please log in to reply
1 reply to this topic

#1 Mish


    “I am evil Homer…”

  • Full Member
  • Pip
  • 9 posts

Posted 12 July 2004 - 06:36 AM

Dear all,

I've been trying everything I can think of for a week or so to sought this out, so if some kind soul can assist, well you know... I'd be really grateful!

This will be a bit long winded as I'm not sure which bit might be the key ingredient - so bear with me and I'll spell it all out.

Problem first appeared last week with a huge system slow down and some start page redirections. Then when trying to install The Ultimate TroubleShooter (TUT) from www.AnswersThatWork.com (to check out what was sucking the life out of my system in the background) - I keep getting the following error message when starting the installed ATW program:

"This program has been damaged, possibly by a bad sector of the hard drive or a virus. Please reinstall it"


The ATW support people kindly gave me the following tip:
"There is CURRENTLY only one piece of software which outputs this error message in the world, and that is the "CoolWebSearch" virus. Windows does not have that as one of the error messages that it can display, and nor does TUT."

Well OK - I can deal with that? I ran Ad-Aware, Spybot and CWShredder (V1.59.1) in both normal and safe modes, but all said my system was clean. Have latest Norton installed and ran an online panda scan - nothing. System seems to be running OK now, but I still get the error message - so apparently its not clean/OK? I've been through all the FAQ pages and read everything I can find relating to this problem in the forums and at Merijn.com.

I did notice that the Spybot startup tool showed the following Key/Value/Command Line, which it identifyed as a CoolWeb component:
HK_CU:Run ctfmon.exe C:\windows\system32\ctfmon.exe

The process cftmon.exe is running on my system and if I end it a few minutes later it reloads itself and can be seen as a process in task manager again shortly after. Also if I disable cftmon.exe by ticking the checkbox on Spybot (tools/system startup) next to this value and reboot, it somehow removes the check and reloades its self (thereby changing the value/preference I had entered in Spybot system startup tool).

Same thing happens with HijackThis - if I fix the registry autorun entry cftmon.exe it removes it only for it to be back again if I do a later scan. If I remove that one the same thing happens and I just start collecting multiple entries in the backup log.

So... any assistance welcome and appreciated. HijackThis log below.

StartupList report, 11/07/2004, 18:00:49
StartupList version: 1.52.2
Started from : C:\CWS\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options

Running processes:

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe


Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,


Autorun entries from Registry:

UC_Start = C:\IBMTools\Updater\ucstartup.exe
TPKMAPHELPER = C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
SynTPLpr = C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
S3TRAY2 = S3Tray2.exe
ibmmessages = C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe
dla = C:\WINDOWS\system32\dla\tfswctrl.exe
ccRegVfy = "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
BMMLREF = C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
BluetoothAuthenticationAgent = rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
ATIModeChange = Ati2mdxx.exe
SunJavaUpdateSched = C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
HydraVisionDesktopManager = C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
QCWLICON = C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
QCTray = C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
SynTPEnh = C:\Program Files\Synaptics\SynTP\SynTPEnh.exe


Autorun entries from Registry:

PlaxoUpdate = C:\WINDOWS\Plaxo\\InstallStub.exe -a
IBM RecordNow! =
ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe


Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}


Enumerating Task Scheduler jobs:

Symantec NetDetect.job


Enumerating Download Program Files:

[MSSecurityAdvisor Class]
InProcServer32 = C:\WINDOWS\System32\mssecadv.dll
CODEBASE = http://download.micr...b?1083849155024

[Office Update Installation Engine]
InProcServer32 = C:\WINDOWS\opuc.dll
CODEBASE = http://office.micros...ontent/opuc.cab

[EPUImageControl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\EPUWalcontrol.dll
CODEBASE = http://tools.ebayimg...ol_v1-0-3-9.cab

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan53.ocx
CODEBASE = http://a840.g.akamai...all/xscan53.cab

[IBM Access Support]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\IbmEgath.dll
CODEBASE = https://www.pc.ibm.c...er/IbmEgath.cab

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
CODEBASE = http://www.pandasoft.../as5/asinst.cab

[Update Class]
InProcServer32 = C:\WINDOWS\System32\iuctl.dll
CODEBASE = http://v4.windowsupd...7998.6890046296

[SassCln Object]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\SassCln.dll
CODEBASE = http://www.microsoft...ols/SassCln.CAB

[ActiveDataInfo Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\SymAData.dll
CODEBASE = https://www-secure.s...ta/SymAData.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macr...ash/swflash.cab

[acpRunner Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\acpController.dll
CODEBASE = https://www-3.ibm.co.../AcpControl.cab

[ActiveDataObj Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ActiveData.dll
CODEBASE = https://www-secure.s.../ActiveData.cab

[EPSImageControl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\CONFLICT.1\EPScontrol.dll
CODEBASE = http://tools.ebayimg...ol_v1-0-3-0.cab

[Secure Delivery]
CODEBASE = http://content.konti...current/kdx.cab


Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

End of report, 8,352 bytes
Report generated in 0.801 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

#2 terryb



  • Full Member
  • Pip
  • 51 posts

Posted 12 July 2004 - 04:19 PM

CTFMon comes with Microsoft Office XP and Windows XP – It activates the Alternative User Input Text Input Processor (TIP) and the Microsoft Office XP Language Bar. As long as the Text Services & Speech are enabled in the Control Panel, this program will force itself back into your list of background programs. But, it's no big deal.

Recommendation :
Disable “Text Services & Speech” in the Control Panel if you are not using them. Then, disable CTFMon using Startup Manager. (Note that if you use Word, Excel or PowerPoint to write in different languages, then you will be using “Text Services & Speech” facilities).

*HOWEVER!!! If it's ctfmon.dll that is on your computer, then You have the W32.Mydoom.B@mm virus.
There are two more free online scans that may or may not help:
Mcafee's Stinger and Housecall (housecall.antivirus.com)

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of

Support SpywareInfo Forum - click the button
PayPal - The safer, easier way to pay online!