• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
Corwin

Malware Removal

6 posts in this topic

I have followed the directions in this forum for removing the Cool Web Search Virus. This includes running the most recent versions of Spybot Search 1.208, Ad-Aware 6.0.1.181, CWS shredder 1.59, and AboutBuster 1.31. However, my computer still has the virus. Is there someone out there who knows how to get rid of my version of this pest? :scratchhead:

Share this post


Link to post
Share on other sites

Show us.........

download HijackThis from

http://www.spywareinfo.com/downloads/tools/HijackThis.exe

to a folder of your choice......doubleclick to open."Scan"...then "Save Log"...when it opens in notepad.......copy (edit..select all..copy) & paste (CTRL-V) the log into your next reply.......

Share this post


Link to post
Share on other sites

Below is the Hijack log you requested. The R0 and R1 listings are clearly malware. I checked the other Hijack listings by clicking on the process database links I found on this forum and searching for the listings in the databases. As far as I could tell, the other listings are not malware but maybe I missed one.

 

The instructions I read on this forum for using AboutBuster.exe stated to delete unknown O2 and O4 Hijack listings before running AboutBuster. I did that (I even tried deleting all of them) and tried the alternate suggestion of running AboutBuster with the computer in Safe mode. However, the virus persists.

 

I have noticed that Hijack can eliminate the malware listings if all Internet windows are closed (sometimes it takes more than one Hijack scan and delete cycle to accomplish this). However, the malware reappears in a Hijack scan after I start Internet Explorer, even when the computer is not connected to the Internet.

 

Thanks for your help.

 

Logfile of HijackThis v1.97.7

Scan saved at 5:22:10 PM, on 7/25/04

Platform: Windows 98 SE (Win9x 4.10.2222A)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\EXPLORER.EXE

C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE

C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\PROGRAM FILES\YAHOO!\BROWSER\YCOMMON.EXE

C:\PROGRAM FILES\YAHOO!\BROWSER\YBRWICON.EXE

C:\WINDOWS\SYSTEM\SPOOL32.EXE

C:\PROGRAM FILES\NTS\ENTERNET 300\APP\ENTERNET.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\UNZIPPED\HYJACKTHIS\HIJACKTHIS.EXE

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.myexexex.com/search.php?said=spage&qq=%s

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/spex/start.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/spex/start.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.myexexex.com/searchbar.php

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.myexexex.com/search.php?said=spage&qq=%s

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_2_3_0.DLL (file missing)

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX (file missing)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL (file missing)

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_2_3_0.DLL (file missing)

O4 - HKLM\..\Run: [scanRegistry] c:\windows\scanregw.exe /autorun

O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE

O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [scriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg

O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O9 - Extra button: Yahoo! Login (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/Template...nloads/outc.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7871.6020949074

O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Service Client v.3) - http://ccon.madonion.com/global/msc3.cab

O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll

O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dl

Edited by Corwin

Share this post


Link to post
Share on other sites

Sorry for the delay, if you still have problems post a fresh log please

Share this post


Link to post
Share on other sites

Problem solved, but thanks for inquiring. I searched the forums for someone that had the same version of the CWS virus. The fix-it instructions that person received were not directly applicable to my computer, but they enabled me to figure out how to get rid of the virus on my computer.

 

Is anyone going to take over for Merlin and periodically update CWS Shredder? AboutBuster 1.31 and CWS Shredder 1.59 could not eliminate this version of the CWS virus.

Edited by Corwin

Share this post


Link to post
Share on other sites

Glad you could solve your problem

About Buster 3.0 has been released.

I´m not sure about CWshredder.

Here are some tips, to reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:

  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.

To protect yourself further:

  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.

I also suggest that you delete any files from "temp", "tmp" folders. In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files" and select the box that says "Delete All Offline Content" and click on "OK" twice. Also, empty the recycle bin by right clicking on it and selecting "Empty Recycle Bin". These steps should be done on a regular basis.

 

And also see TonyKlein's good advice

So how did I get infected in the first place?

 

Good luck :D

Edited by mmxx66

Share this post


Link to post
Share on other sites
Sign in to follow this  
Followers 0