stlouis

Problems with Cool Web Search

Gentlemen:

 

I have a case of Cool Web Search that I have been trying to resolve for several weeks. My browser is directed to 0Websearch.com. I used to get an occasional download of On-Line Casino, but that hasn't happened in a while.

 

I include the following HijackThis log. If I fix the following listings they just return on boot up.

 

R0 HKCU

04 HKLM Run [xp system]...

04 HKCU Run [xp system]...

 

I used to have the folder C:\Windows\INETDATA\SERVICES.EXE on my drive but it is no longer there, so I can't remove it. I think the problem is a DLL which I can't identify that keeps reloading this junk. I have Ad-Aware and Spybot, and Ad-Watch detects changes to the registry when I boot up. It can't remove them.

Any suggestions?

 

Logfile of HijackThis v1.98.0
Scan saved at 9:09:40 AM, on 07/22/2004
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\RNATHCHK.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\AD-WATCH.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\MSOFFICE\OFFICE\OUTLOOK.EXE
C:\WINDOWS\SYSTEM\MAPISP32.EXE
C:\WINDOWS\SYSTEM\AWFXEX32.EXE
C:\MARK\DOWNLOAD\HIJACK\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.rcn.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://0websearch.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.rcn.com/home
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [scanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [systemTray] SysTray.Exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\McUpdate.exe
O4 - HKLM\..\Run: [msci] C:\WINDOWS\TEMP\200442614409_mcinfo.exe /insfin
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\McAgent.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\INETDATA\SERVICES.EXE
O4 - HKLM\..\Run: [CleanUp] C:\PROGRA~1\MCAFEE.COM\SHARED\MCAPPINS.EXE /v=3 /cleanup
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [schedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\INETDATA\SERVICES.EXE
O4 - HKCU\..\RunServices: [xp_system] C:\WINDOWS\INETDATA\SERVICES.EXE
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,20/mcgdmgr.cab
O18 - Protocol: pcn - {D540F040-F3D9-11D0-95BE-00C04FD93CA5} - C:\PROGRAM FILES\ENCOMPASS\V1MK.DLL
O20 - AppInit_DLLs: APITRAP.DLL


Hello, stlouis,

 

Disable Adwatch and unlock registry settings or it can revert to earlier registry settings. You can enable it after your problem is fixed.

http://www.lavahelp.com/faq/adwatchauto.shtml

** Note: You will probably have to close this in Task Manager first.

Reboot, and double-check to be sure it is no longer running at Startup.

 

Please download CWShredder

Extract CWShredder to its own folder.

Reboot into safe mode this way:

Turn on the computer

Immediately begin tapping the <F8> key.

Use the arrow keys to highlight Safemode and press the <Enter> key.

Run the program.

Click the "Fix" button and follow the instructions you will receive.

Make sure you let it fix all CWS Remnants, and reboot.

 

 

Make sure your computer is configured to show all folders/files:

http://www.xtra.co.nz/help/0,,4155-1916458,00.html

 

Run HJT.

Have Hijack This fix all of the following that remain in your log by placing a check in the appropriate boxes and hitting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://0websearch.com/

F1 - win.ini: run=C:\WINDOWS\INETDATA\SERVICES.EXE

 

Reboot into Safemode this way:

Turn on the computer

Immediately begin tapping the <F8> key.

Use the arrow keys to highlight Safe Mode and press the <Enter> key.

 

Look for: C:\WINDOWS\INETDATA\SERVICES.EXE and see if it shows up now so that you can delete it.

 

Reboot normally.

Run Adaware again being sure it is configured this way:

Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:

"Unload recognized processes during scanning."

Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:

"Let Windows remove files in use after reboot."

Press "Scan Now"

Check option "Use Custom scanning options"

Check option "Activate In-Depth Scan"

Press "Select drives\folders to scan"

Select the active partition which is usually C:

Press "Next" to let Ad-aware scan your drives...

If it finds "bad" files and registry keys, press "Next" again

Right-click in that pane and choose "select all"

Press "next"

When it asks to remove all checked items, Press "OK"

 

Please delete your temporary files by deleting all files and folders that are in those folders (Do not delete the temp folder itself)

For example:

C:\WINDOWS\Temp\

C:\Temp\

C:\Documents and Settings\username\Local Settings\Temp\

Also delete your Temporary Internet Files, being sure to also select "Delete All Offline Content".

 

Reboot, and run HJT. Please post a fresh log. Let us know if the problem is gone. Thanks.


BB:

 

Thanks for the quick response. A few questions before I begin. Most of these things I have done already so they are not new to me. I didn't have Ad-Watch running on start-up. I usually just turn it on myself.

 

Don't know what you mean by "unlock registry settings" in Ad-Watch.

 

When I run HJ This in safe mode, do you want me to fix the following:

 

R0 HKCU etc.

O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\INETDATA\SERVICES.EXE

O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\INETDATA\SERVICES.EXE

 

These are showing in my current log. You have F1 listed. I don't see this in my log.

 

I have all files showing and I configured Ad-Aware as you requested a while ago.

 

Thanks for all.

 

Stlou


Hello again,

Is it Lavasoft Ad-watch that you are using?

If so, it remembers registry settings and reverts to them the next time the program is run so it must be unlocked in order for some (malware) settings to be cleaned, or you will not be able to get rid of the malware. Check your "Memory and Registry" settings in Ad-watch to be sure that they are not locked. There is a screenshot on the webpage that I posted earlier.

http://www.lavahelp.com/faq/adwatchauto.shtml

 

Sorry about the typo in my last post. Do have HJT fix these four items:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://0websearch.com/

O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\INETDATA\SERVICES.EXE

O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\INETDATA\SERVICES.EXE

O4 - HKCU\..\RunServices: [xp_system] C:\WINDOWS\INETDATA\SERVICES.EXE

 

Then reboot into Safemode, look for this, and delete services.exe:

C:\WINDOWS\INETDATA\SERVICES.EXE <--delete only this file

 

Reboot normally, scan with Ad-aware, and clean the temps.

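The reply above lists every autostart entry that launches C:\WINDOWS\INETDATA\SERVICES.EXE so that all of them are fixed in one pass. As an added example (not part of the original posts and not HijackThis code), this Python script parses the O4 lines of a HijackThis log and lists each Run/RunServices location that starts a given program; the sample lines are a subset of the log in this thread and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the R0/O4 lines from the log in this thread.
SAMPLE_LOG = r'''
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://0websearch.com/
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\INETDATA\SERVICES.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\INETDATA\SERVICES.EXE
O4 - HKCU\..\RunServices: [xp_system] C:\WINDOWS\INETDATA\SERVICES.EXE
'''

# O4 line layout: O4 - <hive>\..\<key>: [<value name>] <command line>
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]*)\] (.+)$")
# Program part: up to the first .exe/.dll/.com/.bat that ends a token, so the
# "MCAFEE.COM" directory inside a path is not mistaken for an extension.
PROG_RE = re.compile(r'^"?(.+?\.(?:exe|dll|com|bat))(?=$|[\s"])', re.IGNORECASE)

def parse_o4(log_text):
    """Yield (hive, key, value_name, program) for every O4 autostart line."""
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue  # R0, O3, O16 ... lines are not autostart entries
        hive, key, name, command = m.groups()
        prog = PROG_RE.match(command.strip())
        yield hive, key, name, (prog.group(1) if prog else command).lower()

def autostart_locations(log_text):
    """Map each program (lower-cased) to every hive/key it is started from."""
    locations = defaultdict(list)
    for hive, key, name, program in parse_o4(log_text):
        locations[program].append(f"{hive}\\{key} [{name}]")
    return dict(locations)

def locations_for(log_text, target):
    """All autostart locations that launch `target` (case-insensitive)."""
    return autostart_locations(log_text).get(target.lower(), [])

if __name__ == "__main__":
    for where in locations_for(SAMPLE_LOG, r"C:\WINDOWS\INETDATA\SERVICES.EXE"):
        print("fix together:", where)
    # Legitimate programs (rundll32.exe here) can also appear in two keys.
    for program, where in autostart_locations(SAMPLE_LOG).items():
        if len(where) > 1:
            print(program, "->", where)
```
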

BB:

 

You seemed to have batted this particular bug.

 

I've rebooted several times and found no traces. Thanks a lot. It was a real pain to get rid of, with much wasted time. I have downloaded the Microsoft fix to Virtual Machine so I'm hoping this won't happen again. If I'd kept my software up to date this probably wouldn't have occurred in the first place.

 

Keep up the good work.

 

Stlouis


That is good news. You did a great job!

 

"I have downloaded the Microsoft fix to Virtual Machine"

Are you referring to Sun Java? That has updates as well, so keep an eye on it.

 

Here is my standard prevention speech:

1. Visit Windows Update:

Make sure that you have all the Critical Updates recommended for your operating system and IE. The first defense against infection is a properly patched OS.

Windows Update: http://v4.windowsupdate.microsoft.com/en/default.asp

 

2. Adjust your security settings for ActiveX:

Go to Internet Options/Security/Internet, press 'default level', then OK.

Now press "Custom Level."

In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to 'prompt', and "Initialize and Script ActiveX controls not marked as safe" to 'disable'.

 

3. Download and install the following free programs:

a. SpywareBlaster: http://www.javacoolsoftware.com/spywareblaster.html

b. SpywareGuard: http://www.javacoolsoftware.com/spywareguard.html

Periodically check for updates.

 

4. Keep your antivirus software and firewall software up to date.

Note: Zone Alarm Firewall (Zone Labs) http://www.zonelabs.com/store/content/home.jsp is free.

 

5. You might consider installing Mozilla or Firefox. It seems to have fewer vulnerabilities than IE.

http://www.mozilla.org/

 

6. Check for updates in Adaware frequently as they sometimes can update daily.

I would check for updates in SpyBot once a week or so.

I scan with each at least weekly.

 

I also suggest that you delete any files from "temp", "tmp" folders. In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files" and select the box that says "Delete All Offline Content" and click on "OK" twice. Also, empty the recycle bin by right clicking on it and selecting "Empty Recycle Bin". These steps should be done on a regular basis.

:wave:


Glad we could help!

 

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
