jonata

recurring coolwebsearch

16 posts in this topic

I have run Ad Aware, cwshredder, spybot, startpageguard and others and they seem to remove coolwebsearch mostly... but then 15 minutes later (often after opening and closing Outlook Express or sending an email) Coolwebsearch is back again! I just ran Hijack This, but don't know enough about this stuff to know what to do with this data. See below for the log.

 

thanks!!!

 

Logfile of HijackThis v1.97.7

Scan saved at 10:43:02 AM, on 5/28/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\CFusionMX\runtime\bin\jrunsvc.exe

C:\CFusionMX\db\slserver52\bin\swagent.exe

C:\CFusionMX\db\slserver52\bin\swstrtr.exe

C:\CFusionMX\runtime\bin\jrun.exe

C:\CFusionMX\db\slserver52\bin\swsoc.exe

C:\WINDOWS\System32\inetsrv\inetinfo.exe

C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton Internet Security Professional\NISUM.EXE

C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\slserv.exe

C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Norton Internet Security Professional\SymPxSvc.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\System32\WFXSVC.EXE

C:\Program Files\Apoint2K\Apoint.exe

C:\WINDOWS\mHotkey.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe

C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe

C:\Program Files\Norton Internet Security Professional\NISSERV.EXE

C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe

C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe

C:\WINDOWS\System32\wfxsnt40.exe

C:\Program Files\Norton SystemWorks\WinFax\WFXMOD32.EXE

C:\Program Files\Norton Internet Security Professional\IAMAPP.EXE

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

C:\Program Files\Apoint2K\Apntex.exe

C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe

C:\Program Files\FinePixViewer\QuickDCF.exe

C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

C:\WINDOWS\slrundll.exe

C:\Program Files\Norton Internet Security Professional\ATRACK.EXE

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Citrix\ICA Client\wfica32.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Jon\My Documents\My Received Files\New Folder\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\cfhjn.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\cfhjn.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\cfhjn.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\cfhjn.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\cfhjn.dll/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\cfhjn.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {803A141F-20D2-4051-A8D4-F94F9D7ACD5A} - C:\WINDOWS\System32\mnd.dll (file missing)

O2 - BHO: (no name) - {A2B882A5-B9C2-49BD-A50E-3926D35EDC5C} - C:\WINDOWS\System32\gifp.dll (file missing)

O2 - BHO: (no name) - {A96B0204-D921-4493-B822-F173C73FC436} - C:\WINDOWS\System32\dpodlma.dll__SpybotSDDisabled (file missing)

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {DA0844DE-ED2C-4A66-9541-23086DDE1A1C} - C:\WINDOWS\System32\lecadp.dll (file missing)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe

O4 - HKLM\..\Run: [CHotkey] mHotkey.exe

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"

O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"

O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe

O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe

O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security Professional\IAMAPP.EXE

O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s /r

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

O4 - Startup: PowerReg Scheduler.exe

O4 - Global Startup: Exif Launcher.lnk = ?

O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O12 - Plugin for .nwc: C:\Program Files\NoteWorthy Software\NWC Browser Plugin\npnwcw32.dll

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200404...meInstaller.exe

O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab


Jonata

 

Download Find All and CopyLock. Unzip them to a permanent folder each.

 

Run Find_All.bat (from Find All.zip) by doubleclicking on it. It will produce a textfile. Post that here.

 

I will ask one of the moderators to move this topic to forum Malware Removal. done!

_______

Wiskonst

Edited by dave38


Found another copy of CopyLock. Ran Find_All.bat and pasted the results. What do I do next?

 

Thanks For Your Help!!!

 

-Jon

 

Possible bad file(s) found... (locked)

\\?\C:\WINDOWS\System32\D3DIEM.DLL +++ File read error

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=""

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

@=""

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{803A141F-20D2-4051-A8D4-F94F9D7ACD5A}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9AF41189-3E74-4A55-8580-4A627004D8CE}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A2B882A5-B9C2-49BD-A50E-3926D35EDC5C}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A96B0204-D921-4493-B822-F173C73FC436}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]

@="NAV Helper"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DA0844DE-ED2C-4A66-9541-23086DDE1A1C}]

 

REGEDIT4

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]

@="AP Class Install Handler filter"

"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]

@="AP Deflate Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]

@="AP GZIP Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]

@="AP lzdhtml encoding/decoding Filter"

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]

"CLSID"="{09C44958-C89E-4937-8A52-60037433C5C4}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]

"CLSID"="{09C44958-C89E-4937-8A52-60037433C5C4}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]

@="WebView MIME Filter"

"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

 

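The two artifacts posted so far (the HijackThis log and the Find All REGEDIT4 dump) are what a helper reads by eye to spot the hooks this variant leaves: R0/R1 search and start pages served out of a resource inside a local DLL (the `res://...sp.html` lines), O2 BHO registrations whose DLL is marked `(file missing)`, the `AppInit_DLLs` value under `Windows NT\CurrentVersion\Windows`, and `PROTOCOLS\Filter` subkeys such as `text/html` and `text/plain` that are present in the first dump and absent from the dump posted after dllfix reports "Deleting Filter text". The script below is an added example written for this page; it is not code from the thread or from HijackThis, Find All, CopyLock or dllfix. The allow-list of filter subkeys is an assumption taken from the clean dump later in the thread, and the sample lines and the `PLACEHOLDER.DLL` value are constructed for the demonstration.

```python
"""Triage of HijackThis logs and Find All (REGEDIT4) dumps for CWS-style hooks.

Added example, not code from the thread or from the HijackThis, Find All,
CopyLock or dllfix tools.  The allow-list of filter subkeys and the sample
AppInit_DLLs value are assumptions/constructed for the demonstration.
"""
import re

# Assumed allow-list: the PROTOCOLS\Filter subkeys that appear in the clean
# (post-dllfix) Find All dump.  Any other subkey is surfaced for review.
KNOWN_FILTERS = {
    "Class Install Handler", "deflate", "gzip", "lzdhtml", "text/webviewhtml",
}

HJT_LINE = re.compile(r"^(?P<sect>[RO]\d+) - (?P<body>.*)$")
REG_KEY = re.compile(r"^\[(?P<key>[^\]]+)\]$")
REG_VAL = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>.*)$')


def triage_hijackthis(lines):
    """Return (line, reason) pairs for HijackThis entries that merit attention."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue  # header, running-process list, blank line
        sect, body = m.group("sect"), m.group("body")
        if sect in ("R0", "R1") and "res://" in body:
            # Search/start page served from a resource inside a local DLL:
            # the about:blank / sp.html symptom seen in the thread.
            findings.append((line, "IE search/start page points into a local DLL resource"))
        elif sect == "O2" and body.endswith("(file missing)"):
            # The BHO CLSID is still registered although its DLL is gone.
            findings.append((line, "BHO registration whose DLL is missing"))
    return findings


def triage_regdump(lines):
    """Return (line, reason) pairs for suspicious entries in a REGEDIT4 dump."""
    findings = []
    current = None
    for raw in lines:
        line = raw.strip()
        km = REG_KEY.match(line)
        if km:
            current = km.group("key")
            parent, _, sub = current.rpartition("\\")
            if parent == r"HKEY_CLASSES_ROOT\PROTOCOLS\Filter" and sub not in KNOWN_FILTERS:
                findings.append((line, "MIME/protocol filter subkey outside the allow-list"))
            continue
        vm = REG_VAL.match(line)
        if vm and current and current.endswith(r"\CurrentVersion\Windows"):
            if vm.group("name").lower() == "appinit_dlls" and vm.group("value") != '""':
                # Every process that loads user32.dll also loads these DLLs.
                findings.append((line, "AppInit_DLLs is non-empty"))
    return findings


# Constructed sample input, modelled on the log shapes posted in the thread.
SAMPLE_HJT = r"""
Logfile of HijackThis v1.97.7
C:\WINDOWS\System32\smss.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\cfhjn.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {803A141F-20D2-4051-A8D4-F94F9D7ACD5A} - C:\WINDOWS\System32\mnd.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
""".strip().splitlines()

# PLACEHOLDER.DLL is a constructed value; the thread's own dumps show "" here.
SAMPLE_REG = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\WINDOWS\System32\PLACEHOLDER.DLL"
"Spooler"="yes"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{09C44958-C89E-4937-8A52-60037433C5C4}"
""".strip().splitlines()


if __name__ == "__main__":
    for line, reason in triage_hijackthis(SAMPLE_HJT) + triage_regdump(SAMPLE_REG):
        print(f"{reason}:\n    {line}")
```

Run it against a saved log and dump by reading the files with `splitlines()` in place of the samples. Each hit is a lead for the helper to check, not a verdict: a filter subkey outside the allow-list or a non-empty `AppInit_DLLs` can be legitimate software, so the DLL it names is what to examine next.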

Sorry to have overlooked your reply, Jonata

 

Perform the following operations with all browser windows closed (save this post to a file and print it):

 

Go to Start > Run and type 'regedt32' (without quotes).

Select window 'HKEY_LOCAL_MACHINE'.

In the left pane browse to Software > Microsoft > Windows > CurrentVersion > Explorer by doubleclicking on these items consecutively.

In Explorer select 'Browser Helper Objects'.

In menu Security choose Edit Permissions. A dialog appears.

The upper list pane must be empty. If it is not, select the lines one by one and click the Remove button at the right until the pane is empty.

Then click the Advanced button below. A second panel appears.

Here uncheck 'Inherit from parents the permissions ...' and click OK.

In the main dialog also uncheck 'Inherit from parents ...' and click OK.

Close Regedt32.

 

As you have a stubborn variant of Coolwebsearch, the following phase may require a few trials.

 

Start CopyLock. Have no browser windows open.

 

Check 'Show Source Path' and 'Allow Downgrade' and click Add.

Choose Files to Rename. Browse to C:\Windows\System32. Type in the box below 'D3DIEM.DLL' (without quotes) and click Add. The text in the Source box should read 'C:\WINDOWS\System32\D3DIEM.DLL'.

In the destination box type 'C:\WINDOWS\System32\jump.txt' and click OK.

In the main panel click Apply. If all goes well a message says '1 file successfully replaced'. Click OK.

When asked to reboot, do so.

If not, close CopyLock.

 

In Explorer drag (without copy) the file 'jump.txt' to another folder.

 

Then please download a new version of Find All, unzip it to a folder, run Find_All.cmd (doubleclick) and post the result here.

_______

Wiskonst

Edited by Wiskonst


Was unable to locate d3diem.dll. It gets stranger... I ran a defrag recently and got a message that that exact file couldn't be defragmented and that it is fragmented in 3 sections. I searched the entire drive for the file but can't find it, yet the defrag seemed to know about it... any ideas??

 

 

-Jon


Jonata

 

It is a feature of this infection that you cannot see the file d3diem.dll (which is a random name BTW) from Explorer or another file viewer.

 

Could you perform the rename of it in CopyLock as per my previous instructions?

(You will not see the file in CopyLock either; just type the name in the box under the browse pane.)

 

Also did you do the locking of the BHO keys in regedt32 ?

_______

Wiskonst

Edited by Wiskonst


Wiskonst,

 

I did the BHO thing as per your instructions, but copylock doesn't seem to allow me to type in an address. It seems to want me to browse to the file... which I can't see. Any ideas... it still keeps coming back.


Wiskonst,

 

Ran HiJackThis... here's the log... does this show anything?

 

Logfile of HijackThis v1.97.7

Scan saved at 4:42:31 PM, on 6/12/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\CFusionMX\runtime\bin\jrunsvc.exe

C:\CFusionMX\db\slserver52\bin\swagent.exe

C:\CFusionMX\db\slserver52\bin\swstrtr.exe

C:\CFusionMX\runtime\bin\jrun.exe

C:\CFusionMX\db\slserver52\bin\swsoc.exe

C:\WINDOWS\System32\inetsrv\inetinfo.exe

C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton Internet Security Professional\NISUM.EXE

C:\WINDOWS\Explorer.EXE

C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

C:\WINDOWS\system32\slserv.exe

C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Norton Internet Security Professional\SymPxSvc.exe

C:\WINDOWS\System32\WFXSVC.EXE

C:\Program Files\Norton Internet Security Professional\NISSERV.EXE

C:\Program Files\Norton SystemWorks\WinFax\WFXMOD32.EXE

C:\WINDOWS\slrundll.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Apoint2K\Apoint.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe

C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe

C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe

C:\WINDOWS\System32\wfxsnt40.exe

C:\Program Files\Norton Internet Security Professional\IAMAPP.EXE

C:\Program Files\Apoint2K\Apntex.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\FinePixViewer\QuickDCF.exe

C:\Program Files\Norton Internet Security Professional\ATRACK.EXE

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Outlook Express\msimn.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Documents and Settings\Jon\My Documents\My Received Files\New Folder\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = pauproxy.agere.com:8000

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe

O4 - HKLM\..\Run: [CHotkey] mHotkey.exe

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"

O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"

O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe

O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe

O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security Professional\IAMAPP.EXE

O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKLM\..\RunOnce: [spybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck

O4 - HKLM\..\RunOnce: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" "+b1"

O4 - Startup: PowerReg Scheduler.exe

O4 - Global Startup: Exif Launcher.lnk = ?

O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O12 - Plugin for .nwc: C:\Program Files\NoteWorthy Software\NWC Browser Plugin\npnwcw32.dll

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200404...meInstaller.exe

O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

Jonata

 

You should not type the filename d3diem.dll in the Source box, but choose Browse and type it in the filename box under the browse pane.

 

Could you give it one more try? If it doesn't work we will use another program.

 

In Hijack This the infection has changed its appearance, but it is still there.

_______

wiskonst


I figured out what you meant and typed it in the path under the browse pane. After I did and clicked the Add button I got an error saying the file was not found.

 

 

-Jon


Jonata

 

OK, please download dllfix and unzip it to a folder (the download is a self-unzipper). Run start.bat by doubleclicking it.

Choose option 2 (Run Fix).

Then choose option 1 (Enter DLL name manually).

You will see the sentence: 'Enter full name and hit Enter C:\Windows\System32\'

At the end of the sentence at the red cursor type 'd3diem.dll' (without quotes and no spaces in front of it) and hit the Enter key.

You will see a message 'Restart in 14 seconds'. Let the reboot go on.

During reboot you will see a DOS window. Folder C:\Windows\System32 is scanned in two passes.

 

After completion of the boot please post a new Find_All result plus the log.txt you find in the dllfix folder.

_______

Wiskonst


Wiskonst,

 

Ran as you suggested. Here are the results. First the dllfix log and then the find all log. Does this mean it's gone?

 

Thanks!

-Jon

 

 

DLLFIX LOG:

 

CWSDLL/Searchx Appinit Fix By Shadowwar

Version 3.02 061404

Please Do not mirror Without Permission!

I can be contacted at spywaresubmit at aol.com

Tue 06/15/2004

09:15 PM

 

Backing up Registry Hive

 

The operation completed successfully

 

Deleting Windows Key

 

The operation completed successfully

 

Adding Test Windows Key

 

The operation completed successfully

 

Restoring temp Values Key

 

The operation completed successfully

 

Deleting Bad Appinit Value

 

The operation completed successfully

 

 

Backup of Modified Hiv

 

The operation completed successfully

 

Deleting test Windows key

 

The operation completed successfully

 

Deleting Filter text

Running from C:\Documents and Settings\Jon\Desktop\dllfix

Scanning for Locked File

If this repeats 4 times than you may have another

Locked File not related to About:blank Hijack

Unlocking Locked File

 

C:\WINDOWS\System32\D3DIEM.DLL

Scanning For main hijacker.

Processing File Manually

C:\WINDOWS\system32\d3diem.dll

Md5 Check of C:\WINDOWS\system32\d3diem.dll

 

Md5 tested As C185B36F9969D3A6D2122BA7CBC02249

Md5 matched known baddies.

Processing and Deleting File.

Processing ACL of: <\\?\C:\WINDOWS\system32\d3diem.dll>

 

SetACL finished successfully.

 

File was successfully Deleted.

Please Run Hijackthis or Cwshredder to finish cleanup.

 

 

Adding Back Windows Key

 

The operation completed successfully

 

Restoring Registry Hive

 

The operation completed successfully

 

 

Restoring Cleaned Appinit Value

 

The operation completed successfully


FIND ALL LOG:

 

Possible bad file(s) found... (locked)

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

"Appinit_Dlls"=""

 

REGEDIT4

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]

@="AP Class Install Handler filter"

"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]

@="AP Deflate Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]

@="AP GZIP Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]

@="AP lzdhtml encoding/decoding Filter"

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]

@="WebView MIME Filter"

"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

 


Jonata

 

Yes, the main reinstaller has gone now.

But the remnants must be cleaned up.

 

First be sure to have the latest version of CWShredder and the latest reference file of Ad Aware. Also the latest virus definitions for Norton.

Then please boot into Safe Mode (reboot, hit F8 and choose 'Start in Safe Mode').

There run CWShredder without any other programs running. Click the Fix button and let it finish.

Then still in Safe Mode do a Norton virusscan and a scan with Ad Aware. Let them fix all they find.

 

Then boot to normal mode again, let Hijack This do a scan and post the log here.

_______

Wiskonst


Hi,

 

I've been following this thread with great interest, having had the same problem.

 

This morning, I downloaded the latest version of CWS Shredder, and I'm thinking it's been updated to get rid of this particularly evil little sod. I've run AdAware (latest update, 15th June apparently), and also Spybot. It would appear, after 2 reboots, that finally I am rid of the scourge that is the current incarnation of CWS. :D

 

So, a big Thanks to Wiskonst, you've probably been helping at least one more person than you realised. :thumbsup:


Beetwaste

 

I think you had a slightly different variant of CWS, Beetwaste.

It comes in many flavours, see Coolwebsearch Chronicles.

Glad you got rid of it.

 

If CWS reoccurs, post a Hijack This log in a thread of your own on this forum.

_______

Wiskonst

 

Consider a donation to Merijn, writer of CWShredder
