CWS Hijacking



#1 Glen41Bo191 (New Member, 4 posts)

Posted 20 July 2004 - 03:46 AM

Hi guys,
from what I read on the web, I think I have been infected by CWS (CoolWebSearch). I ran SpySweeper, Ad-Aware 6.0 and Spybot S&D 1.3 without managing to eradicate it. I also ran CWShredder, without success.
The symptoms are:
- modification of the IE start page
- modification of the IE search page
- modification of the IE default start page
- modification of the IE default search page
These modifications point to res://agywb.dll/index.html#96676, which is titled "Home Search".
- launch of pop-up windows (a window independent of IE, titled "Only the Best")
All this happens when I start either Explorer or IE (which is in fact more or less the same thing).

I tried some manual actions to eradicate it, but I must be missing something at some point, since it keeps reappearing. You will find below the HJT log from this morning; I do not plan to change anything, so I will follow your kind advice. I am running Spybot to mask the effects, but I do not like the idea that it is still there and I want to get rid of it. The HJT log was taken with the default start page corrected by Spybot and the pop-up window left open.

I don't know if it is related, but I have a program that is not running anymore (Primavera Project Planner); it says "Cannot find SHELL.DLL" when trying to start, uninstall or reinstall this program. Once again, I do not know if this is related. Let's get rid of CWS first; we'll see about this point afterwards.

Your help is very much appreciated.

===================================================

Logfile of HijackThis v1.98.0
Scan saved at 08:17:58, on 20/07/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Altiris\AClient\AClient.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINNT\system32\crypserv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\netlv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\carpserv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\MK Net Work\ZipMail LN\ZmailLn.EXE
C:\Program Files\Altiris\AClient\AClntUsr.EXE
C:\WINNT\system32\ipms32.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Fichiers communs\Network Associates\McShield\Mcshield.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Notes\NLNOTES.EXE
C:\Program Files\MK Net Work\ZipMail LN\zmnotesm.exe
C:\Notes\naldaemn.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\agywb.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {9908A153-E8C7-53B8-A675-B9FE9F5CE6B5} - C:\WINNT\system32\mfcmq32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\winvnc.exe" -servicehelper
O4 - HKLM\..\Run: [ZipMail LN System Tray add-on] "C:\Program Files\MK Net Work\ZipMail LN\ZmailLn.EXE" 033
O4 - HKLM\..\Run: [AClntUsr] C:\Program Files\Altiris\AClient\AClntUsr.EXE
O4 - HKLM\..\Run: [ipms32.exe] C:\WINNT\system32\ipms32.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Démarrage d'Office.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Microsoft Recherche accélérée.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

===================================================

And here is the HJT log file taken after deactivating Spybot S&D and running IE.
Thank you in advance for your help.


Logfile of HijackThis v1.98.0
Scan saved at 09:26:56, on 20/07/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Altiris\AClient\AClient.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINNT\system32\crypserv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\netlv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\carpserv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\MK Net Work\ZipMail LN\ZmailLn.EXE
C:\Program Files\Altiris\AClient\AClntUsr.EXE
C:\WINNT\system32\ipms32.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Fichiers communs\Network Associates\McShield\Mcshield.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Notes\NLNOTES.EXE
C:\Program Files\MK Net Work\ZipMail LN\zmnotesm.exe
C:\Notes\naldaemn.EXE
D:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\agywb.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://agywb.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://agywb.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\agywb.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\agywb.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://agywb.dll/index.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {9908A153-E8C7-53B8-A675-B9FE9F5CE6B5} - C:\WINNT\system32\mfcmq32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\winvnc.exe" -servicehelper
O4 - HKLM\..\Run: [ZipMail LN System Tray add-on] "C:\Program Files\MK Net Work\ZipMail LN\ZmailLn.EXE" 033
O4 - HKLM\..\Run: [AClntUsr] C:\Program Files\Altiris\AClient\AClntUsr.EXE
O4 - HKLM\..\Run: [ipms32.exe] C:\WINNT\system32\ipms32.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Démarrage d'Office.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Microsoft Recherche accélérée.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

Thank you,
G41
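
Triage of the log above, as an added example (this is not code from the original post, from HijackThis or from CWShredder). It parses the R0/R1/R3, O2 and O4 lines in the format HijackThis prints them, using the second log's own lines as sample input, and flags the three things that log shows: IE page settings pointing at res:// resources inside agywb.dll, the unnamed BHO loaded from mfcmq32.dll, and the Run entry for ipms32.exe. It then lists the files to collect before anything is deleted. KNOWN_SYSTEM_RUN is an assumed allow-list built from the benign O4 lines of the posted log; adjust it for the machine being examined.

```python
"""Triage a HijackThis 1.98 log for CoolWebSearch-style hijack indicators.

Added example for this thread, not code from the original post, HijackThis
or CWShredder. KNOWN_SYSTEM_RUN is an assumed allow-list.
"""
import re
from dataclasses import dataclass

# Lines copied from the second HijackThis log in the post above (taken with
# Spybot's TeaTimer disabled); the Adobe and ATI lines are benign controls.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\agywb.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://agywb.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://agywb.dll/index.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {9908A153-E8C7-53B8-A675-B9FE9F5CE6B5} - C:\WINNT\system32\mfcmq32.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ipms32.exe] C:\WINNT\system32\ipms32.exe
"""

# ASSUMPTION: Run-key executables in the system directory that are expected
# on this machine, taken from the benign O4 lines of the posted log.
KNOWN_SYSTEM_RUN = {"mobsync.exe", "ati2mdxx.exe", "carpserv.exe"}

RES_URL = re.compile(r"^res://(?P<module>[^/]+)/(?P<resource>.+)$", re.I)
R_LINE = re.compile(r"^R[01] - (?P<key>[^,]+),(?P<name>[^=]+?) = (?P<value>.*)$")
O2_LINE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O4_LINE = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run: \[(?P<entry>[^\]]+)\] (?P<cmd>.+)$")


@dataclass(frozen=True)
class Finding:
    kind: str      # HijackThis section the line came from (R0, R1, R3, O2, O4)
    artefact: str  # file the finding points at, "" when there is none
    reason: str
    line: str


def executable(cmd: str) -> str:
    """First token of a Run-key command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]


def basename(path: str) -> str:
    """Last component of a Windows path, lower-cased."""
    return path.strip().replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_system_dir(path: str) -> bool:
    p = path.replace("/", "\\").lower()
    return "\\system32\\" in p or "\\system\\" in p


def triage(log_text: str) -> list:
    """Return the suspicious entries of a HijackThis log, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = R_LINE.match(line)
        if m:
            res = RES_URL.match(m["value"].strip())
            if res:  # start/search page served out of a DLL resource
                reason = f"IE {m['name'].strip()} points into a DLL resource ({res['resource']})"
                if "\\" not in res["module"]:
                    reason += "; bare module name resolves via the DLL search path, so check the system directory"
                findings.append(Finding(line[:2], basename(res["module"]), reason, line))
            continue
        if line.startswith("R3 - ") and "URLSearchHook is missing" in line:
            findings.append(Finding("R3", "", "default URLSearchHook removed; consistent with a search hijack and safe to restore", line))
            continue
        m = O2_LINE.match(line)
        if m:
            if m["name"].strip() == "(no name)" and in_system_dir(m["path"]):
                findings.append(Finding("O2", basename(m["path"]), f"unnamed BHO {{{m['clsid']}}} loaded from the system directory", line))
            continue
        m = O4_LINE.match(line)
        if m:
            exe = executable(m["cmd"])
            name = basename(exe)
            if name not in KNOWN_SYSTEM_RUN and (in_system_dir(exe) or "\\" not in exe):
                findings.append(Finding("O4", name, f"Run entry [{m['entry']}] starts an unrecognised system-directory executable", line))
    return findings


def suspect_files(findings) -> list:
    """Distinct file names to collect before removal (for hashing or AV submission)."""
    return sorted({f.artefact for f in findings if f.artefact})


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f.kind}] {f.artefact or '-'}: {f.reason}")
    print("files to collect:", ", ".join(suspect_files(found)))
```

Two points the script encodes that matter when reading the log by hand: a bare module name in a res:// URL (res://agywb.dll/index.html) is located the way LoadLibrary locates a DLL, so the file is not necessarily next to anything the URL names, and the Search Page entry in the same log gives the real location, C:\WINNT\system32\agywb.dll. And the files are listed for collection first because the poster reports the entries coming back after manual removal, which means something other than the visible R/O2/O4 entries is re-creating them; the collected binaries are what an analyst or AV vendor needs to identify that loader.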

#2 soccerob (New Member, 3 posts)

Posted 20 July 2004 - 06:56 AM

Hey, I was wondering if your problem had been fixed.

If not, download CWShredder from
this link:
Here

Install and run the program.

Tell me what CWShredder has removed.

I hope I helped.

Rob

#3 soccerob (New Member, 3 posts)

Posted 20 July 2004 - 06:58 AM

Oops, sorry, I missed where it said you had also run CWShredder. Sorry.

Can you tell me which operating system you have? I know an easy way of getting rid of it in Windows 2000.

#4 Glen41Bo191 (New Member, 4 posts)

Posted 20 July 2004 - 09:08 AM

I'm running Windows 2000 SP4.
Thanks for any help!

#5 Glen41Bo191 (New Member, 4 posts)

Posted 21 July 2004 - 05:58 AM

repost

#6 Glen41Bo191 (New Member, 4 posts)

Posted 21 July 2004 - 02:50 PM

Help!!!

#7 drunken_snowman (Full Member, 12 posts)

Posted 21 July 2004 - 05:47 PM

PGPhantom - Deleted incorrect advice.

#8 PGPhantom (Superman of SWI, Emeritus, 3,494 posts)

Posted 21 July 2004 - 05:58 PM

Do not delete the AppInit key - that is a valid Windows help system registry entry.

#9 drunken_snowman (Full Member, 12 posts)

Posted 21 July 2004 - 06:06 PM

No, it's not... but anyway.
