dawnrae

RE: Hijack This Log File

6 posts in this topic

I've gotten that blasted CWS spyware on my computer and have since tried to evict it. I ran adaware (the latest version/updated) and spybot search and destroy (the latest version/updated) and CWShredder. I then ran Hijack This as suggested and have created a log file. Is there someone willing to take a look at it and let me know if there are any lingering traces of it that I need to remove?

 

dawnrae


If you copy and paste the log into this topic, someone will look at it for you.


Logfile of HijackThis v1.97.7
Scan saved at 6:50:02 PM, on 6/1/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPROXY.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
D:\VIRUS FIGHTING STUFF\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///D:/My%20Documents/start.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by EarthLink, Inc.
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMANTEC\LIVEUP~1\SNDMON.EXE
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [scriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccProxy] C:\PROGRA~1\COMMON~1\SYMANT~1\CCPROXY.EXE
O4 - HKLM\..\RunServices: [sndSrvc] C:\PROGRA~1\COMMON~1\SYMANT~1\SNDSRVC.EXE
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8040.8461805556
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe


Hello Dawnrae

 

I'm currently looking at your log and I'd like to cross check a couple of things.

 

Since you ran cwshredder, have you had any of the browser problems you were having before? Can you just let me know what was happening and, if possible, can you remember the names of any of the sites you were being redirected to? This may help identify the variant of coolwebsearch you had (there are many) and the likelihood of any nasties remaining.

Also, are you familiar with this?

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///D:/My%20Documents/start.htm

 

Have you set something of your own to be loaded into your internet start page?


Hello Scoff

 

Actually, I think I got to it before it started hijacking my browser, at least in a major way. I found in a routine scan with Norton Antivirus that my Windows Media Player was "adware." I did some research and found this was a possible virus/Trojan horse/spyware and proceeded to download the cwshredder. It removed the wmplayer and several registry keys, then I ran adaware and spybot S&D and removed several other questionable items like Alexa keys, cookies, and a DSO exploit and several other things. I also ran Norton's Windoctor to look for anything else in the registry.

My browser was never hijacked to my knowledge, i.e. it never redirected me to a site upon launch of IE, nor did it change my home page (which is -- R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///D:/My%20Documents/start.htm). I do know that I was having trouble searching a couple of days before, frequently getting the "can't find this page" page. Assuming my memory isn't faulty, I think I may have actually visited a link a few days earlier that said something along the lines of "Cool Web Search" in the address or title, but I just could be confused from all the other stuff that I've looked on the nasty bugger. I do know that I was searching for information on a video game and visited a number of sites; I don't remember any specific ones.

Still, other than the search stutter and wmplayer.exe thing, I've had no other problems, and I've run cwshredder several other times since instituting the measures above but have found nothing. I installed Spyblaster as a precaution, upped my IE ActiveX security levels and did a bit of tweaking in my Norton Firewall to hopefully prevent this particular nasty from coming back.

If there's anything else you would recommend me doing to prevent this and any other nasties from paying a visit to my computer, just let me know. I'm appreciative of all help and advice.

Thank you,

 

Dawn

Edited by dawnrae


If you don't have the latest version of Spybot (v1.3), I suggest you get it; it has a function called TeaTimer that can prevent unauthorised changes. If you have v1.2, uninstall it before installing the new version.

 

IE-SPYAD puts over 4000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

 

If you don't have an up-to-date hosts file, it might be a good idea to replace it with a new one. This will help you block bad sites and ad servers. In Windows Explorer go to C:\WINDOWS\System32\Drivers\Etc, locate the file called hosts (no file extension) and rename it to hosts.old. Then download the MVPS hosts file and extract it to the exact same location.

 

Both are very small free programs that you run once, and then just occasionally to check for updates.

 

It may be worth reading How did I get infected in the first place?

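The kind of log triage done by hand in this thread (grouping HijackThis entries by section code and asking the owner about the R0 start page), as an added Python example that is not part of the original posts. The function names and the two review rules are assumptions made for illustration, and the sample lines are copied from the log posted above.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of lines copied from the log posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
C:\WINDOWS\EXPLORER.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///D:/My%20Documents/start.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by EarthLink, Inc.
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")  # e.g. "O16 - <rest of entry>"
REG_VALUE = re.compile(r"^.*,(?P<name>[^=]+?) = (?P<data>.*)$")
DPF = re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]{36}\})"
                 r"(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")

def parse_log(text):
    """Group entries by section code; header and process lines are skipped."""
    groups = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            groups[m.group(1)].append(m.group(2))
    return dict(groups)

def review_questions(groups):
    """Return (code, item, question) tuples. Both rules are illustrative
    assumptions: they pick entries to ask the owner about, not verdicts."""
    out = []
    for code in ("R0", "R1"):
        for entry in groups.get(code, []):
            m = REG_VALUE.match(entry)
            if m and m["name"] in ("Start Page", "Search Page"):
                # A start/search page that is not a web URL (here a local file).
                if not m["data"].lower().startswith(("http://", "https://")):
                    out.append((code, m["data"], "Did the owner set this page?"))
    for entry in groups.get("O16", []):
        m = DPF.match(entry)
        if m and not m["name"]:
            # Downloaded control listed without a class name in parentheses.
            out.append(("O16", m["clsid"], "Unnamed control: which program installed it?"))
    return out

if __name__ == "__main__":
    for code, item, question in review_questions(parse_log(SAMPLE_LOG)):
        print(f"{code}: {item} -> {question}")
```
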