Glen41Bo191

CWS Hijacking

9 posts in this topic

Hi guys,

From what I read on the web, I think I have been infected by CWS (CoolWebSearch). I ran SpySweeper, Ad-Aware 6.0 and SpyBot S&D 1.3 without success in eradicating it. I also ran CWS Shredder without success.

The symptoms are:

- modification of IE start page

- modification of IE search page

- modification of IE default start page

- modification of IE default search page

Those modifications point to res://agywb.dll/index.html#96676, which is titled "Home Search"

- launch of pop-up windows (a window independent of IE, titled Only the Best)

All this happens when I start either Explorer or IE (which is in fact more or less the same).

 

I tried some manual actions to eradicate it, but I must be missing something at some point, so it keeps reappearing. You will find hereafter the HJT log from this morning. I do not plan to change anything, so I will follow your kind advice. I am running SpyBot to mask the effects, but I do not like the idea that it is still there and I want to get rid of it. The HJT log was taken with the default start page corrected by SpyBot and the pop-up window left open.

 

I don't know if it is related, but I have a program that is not running anymore (Primavera Project Planner). It says "Cannot find SHELL.DLL" when trying to start, uninstall or re-install this program. Once again, I do not know if this is related. Let's get rid of CWS first; we'll look at this point afterwards.

 

Your help is very much appreciated.

 

===================================================

 

Logfile of HijackThis v1.98.0

Scan saved at 08:17:58, on 20/07/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\csrss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Altiris\AClient\AClient.exe

C:\WINNT\System32\Ati2evxx.exe

C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe

C:\WINNT\system32\crypserv.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\System32\SCardSvr.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\netlv.exe

C:\WINNT\Explorer.EXE

C:\WINNT\system32\carpserv.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\MK Net Work\ZipMail LN\ZmailLn.EXE

C:\Program Files\Altiris\AClient\AClntUsr.EXE

C:\WINNT\system32\ipms32.exe

C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

C:\Program Files\Network Associates\VirusScan\VsStat.exe

C:\Program Files\Network Associates\VirusScan\Vshwin32.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Fichiers communs\Network Associates\McShield\Mcshield.exe

C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

C:\Program Files\Microsoft Office\Office\OSA.EXE

C:\Program Files\Network Associates\VirusScan\Avconsol.exe

C:\Notes\NLNOTES.EXE

C:\Program Files\MK Net Work\ZipMail LN\zmnotesm.exe

C:\Notes\naldaemn.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

D:\HJT\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\agywb.dll/sp.html#96676

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens

R3 - Default URLSearchHook is missing

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {9908A153-E8C7-53B8-A675-B9FE9F5CE6B5} - C:\WINNT\system32\mfcmq32.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [CARPService] carpserv.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\winvnc.exe" -servicehelper

O4 - HKLM\..\Run: [ZipMail LN System Tray add-on] "C:\Program Files\MK Net Work\ZipMail LN\ZmailLn.EXE" 033

O4 - HKLM\..\Run: [AClntUsr] C:\Program Files\Altiris\AClient\AClntUsr.EXE

O4 - HKLM\..\Run: [ipms32.exe] C:\WINNT\system32\ipms32.exe

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

O4 - Global Startup: Démarrage d'Office.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE

O4 - Global Startup: Microsoft Recherche accélérée.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

 

===================================================

 

And here is the HJT log file after deactivating SpyBot S&D and running IE.

Thank you in advance for your help.

 

 

Logfile of HijackThis v1.98.0

Scan saved at 09:26:56, on 20/07/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\csrss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Altiris\AClient\AClient.exe

C:\WINNT\System32\Ati2evxx.exe

C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe

C:\WINNT\system32\crypserv.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\System32\SCardSvr.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\netlv.exe

C:\WINNT\Explorer.EXE

C:\WINNT\system32\carpserv.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\MK Net Work\ZipMail LN\ZmailLn.EXE

C:\Program Files\Altiris\AClient\AClntUsr.EXE

C:\WINNT\system32\ipms32.exe

C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

C:\Program Files\Network Associates\VirusScan\VsStat.exe

C:\Program Files\Network Associates\VirusScan\Vshwin32.exe

C:\Program Files\Fichiers communs\Network Associates\McShield\Mcshield.exe

C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

C:\Program Files\Microsoft Office\Office\OSA.EXE

C:\Program Files\Network Associates\VirusScan\Avconsol.exe

C:\Notes\NLNOTES.EXE

C:\Program Files\MK Net Work\ZipMail LN\zmnotesm.exe

C:\Notes\naldaemn.EXE

D:\HJT\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\agywb.dll/sp.html#96676

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://agywb.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://agywb.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\agywb.dll/sp.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\agywb.dll/sp.html#96676

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://agywb.dll/index.html#96676

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens

R3 - Default URLSearchHook is missing

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {9908A153-E8C7-53B8-A675-B9FE9F5CE6B5} - C:\WINNT\system32\mfcmq32.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [CARPService] carpserv.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\winvnc.exe" -servicehelper

O4 - HKLM\..\Run: [ZipMail LN System Tray add-on] "C:\Program Files\MK Net Work\ZipMail LN\ZmailLn.EXE" 033

O4 - HKLM\..\Run: [AClntUsr] C:\Program Files\Altiris\AClient\AClntUsr.EXE

O4 - HKLM\..\Run: [ipms32.exe] C:\WINNT\system32\ipms32.exe

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

O4 - Global Startup: Démarrage d'Office.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE

O4 - Global Startup: Microsoft Recherche accélérée.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

 

Thank you,

G41

Link to post
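
An added example, not part of the original thread: a small parser that reads the R-section lines of a HijackThis log and reports Internet Explorer page settings whose data is a res:// URL into a module, the pattern visible in the two logs above. The function names and the set of value names checked are assumptions made for this example; the sample lines are copied from the second log, with unrelated lines kept for contrast.

```python
import re

# Sample input: lines copied from the second HijackThis log in the post above;
# the last three are kept as entries that must NOT be reported.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\agywb.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://agywb.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://agywb.dll/index.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [CARPService] carpserv.exe
"""

# "R0 - <registry key>,<value name> = <data>"; R3 lines carry no "=" and never match.
R_LINE = re.compile(r"^(R[01]) - (HK(?:CU|LM)\\[^,]+),(.+?) = (.*)$")
# res://<module>/<resource>: capture the module path up to its file extension.
RES_URL = re.compile(r"^res://(.+?\.(?:dll|exe|ocx))/", re.IGNORECASE)
# Value names treated as "page" settings (assumption: the ones seen in these logs).
PAGE_VALUES = {"start page", "search page", "default_page_url", "default_search_url"}


def find_res_hijacks(log_text):
    """Return one finding per IE page setting whose data is a res:// URL into a module."""
    findings = []
    for line in log_text.splitlines():
        m = R_LINE.match(line.strip())
        if not m:
            continue
        section, key, name, data = m.groups()
        if name.lower() not in PAGE_VALUES:
            continue
        res = RES_URL.match(data)
        if res:
            # Reduce "C:\WINNT\system32\agywb.dll" and "agywb.dll" to the same file name.
            module = res.group(1).replace("/", "\\").rsplit("\\", 1)[-1].lower()
            findings.append({"section": section, "hive": key[:4],
                             "value": name, "module": module})
    return findings


def modules_to_investigate(findings):
    """Distinct module file names referenced by the flagged settings."""
    return sorted({f["module"] for f in findings})
```
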

Hey, I was wondering if your problem had been fixed :keybrd:

 

If not, download CWShredder from this link: Here

 

Install and run the program.

 

Tell me what the CWShredder has removed.

 

I hope I helped

 

Rob :cool:

Link to post

Oops, sorry, I missed where it said I did also run CWShredder, sorry

 

Can you tell me which operating system you have, because I know an easy way of getting rid of it in Windows 2000

Link to post

Do not delete the appinit key - that is a valid Windows help system registry entry.
