Solution to the res:// Coolweb hijack--Worth a try


26 replies to this topic

#1 boobits (Full Member, 6 posts)

Posted 15 June 2004 - 07:45 PM

*edit* Forgot that I also searched for DLLs, and added an example.



My computer is Windows XP
Browser was IE6

This is the order in which I ran programs to get rid of this horrible nightmare. I have rebooted many times with no sign of its return, so as far as I can tell it's gone. I ran CWShredder with no luck, so I assume it did not work for you either.


1) I ran Task Manager and looked at all the processes that are running.
You are looking for .EXE extensions. I carefully looked and wrote down all the ones that looked the slightest bit off, such as MSinFd.exe, that type of thing.

2) Then go to http://www.liutiliti.../processlibrary and look up the processes. If they don't show up, flag those as potential problems.

3) Run HijackThis. Now what you are doing is cross-referencing those .EXEs that you flagged in step 2. Also look at the HijackThis log for any .EXEs that show up under Windows\system and Windows\system32. Check those .EXEs that are in those locations at the liutilities website. If they don't show up as valid ones, again, mark these as potential problems. You are also looking for .DLLs that show up in the \system and \system32 locations. Again, you need to make sure these are valid. Just type them into Google. If they are not found, mark them as a potential problem.

here is an example:
O2 - BHO: (no name) - {C6227AB8-1429-9D80-8BEE-55DC63DBF69B} - C:\WINDOWS\system32\mfcyz32.dll

C:\WINDOWS\system32\javamf.exe


4) Install and run both Ad-Aware and Spybot (be sure to update). Delete everything that shows up.

5) Now, remember all those .EXEs (and .DLLs) that you flagged earlier as problems? Well, now you need to start getting rid of them (again, make sure you checked at that liutilities website first to make sure you're not deleting valid .EXEs). You FIRST have to open Task Manager and end the process (or you will not be able to delete it). Once you have ended the process, search for and delete the .EXE.
Repeat this process for all of them.

6) Now run HijackThis again and make sure all of the .EXEs you have flagged as problems are gone. If they are not, simply note the name; it WILL be in Task Manager. End the process, then search and delete.

This has worked for me with no return of this horrible thing. Be SURE to look up ANY .EXE that looks off in any way. It may take a while, but you need to get them all.

7) Reboot your machine. Cold boot, that is: turn it off, wait 10-15 secs, then turn it on again.

8) Go to step 1 just to make sure they are all gone.

Hope this works for you. If not, well, it was worth a shot.

Edited by boobits, 15 June 2004 - 08:05 PM.
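The cross-referencing in steps 3 and 5 above (pull the file paths out of the HijackThis O2/O4 lines, keep the ones sitting in WINDOWS\system or WINDOWS\system32, and flag any whose name a process-library lookup does not recognise) is mechanical enough to script. The following is an added example, not code from boobits or from HijackThis. It assumes a small constructed log (the two entries quoted in the post plus two benign filler lines with a placeholder CLSID) and a constructed allowlist that stands in for the manual process-library / Google lookup; the `triage`, `extract_paths` and `in_system_dir` names are the example's own.

```python
"""Triage helper for a HijackThis-style log (added example, not from the thread).

Parses the O2 (BHO) and O4 (autorun) lines, pulls out every file path they
reference, and flags the ones living in the Windows system or system32 folder
whose file name is not on a known-good list.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample log. The first O2 and the first O4 line reuse the two
# entries quoted in the post; the other two are benign filler (placeholder
# CLSID, invented vendor path) that exist only to exercise the filter.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {C6227AB8-1429-9D80-8BEE-55DC63DBF69B} - C:\\WINDOWS\\system32\\mfcyz32.dll
O2 - BHO: Reader Helper - {00000000-0000-0000-0000-000000000000} - C:\\Program Files\\Reader\\ActiveX\\ReaderHelper.ocx
O4 - HKLM\\..\\Run: [javamf] C:\\WINDOWS\\system32\\javamf.exe
O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup
"""

# Constructed allowlist (assumption): names the process-library lookup would
# confirm as legitimate. In a real run every flagged name is still checked by hand.
KNOWN_GOOD = {"nvcpl.dll", "rundll32.exe", "explorer.exe", "svchost.exe"}

# A drive-letter path ending in an executable-style extension. Path components
# may contain spaces ("Program Files"), so a plain \S+ would cut them short;
# a comma ends the match so "NvCpl.dll,NvStartup" yields just the DLL.
_PATH_RE = re.compile(
    r'[A-Za-z]:\\(?:[^\\:*?"<>|\r\n,]+\\)*[^\\:*?"<>|\r\n,]+?\.(?:exe|dll|ocx)\b',
    re.IGNORECASE,
)
_SYSTEM_DIRS = ("windows/system", "windows/system32")


@dataclass(frozen=True)
class Finding:
    item: str    # HijackThis item type, e.g. "O2" or "O4"
    path: str    # path exactly as it appeared in the log line
    reason: str


def extract_paths(line: str) -> list[str]:
    """Return every file path referenced on one log line, in order."""
    return _PATH_RE.findall(line)


def in_system_dir(path: str) -> bool:
    """True if the file sits directly in the Windows system or system32 folder."""
    parent = PureWindowsPath(path).parent.as_posix().lower()
    return any(parent.endswith(d) for d in _SYSTEM_DIRS)


def triage(log_text: str, known_good: set[str] = KNOWN_GOOD) -> list[Finding]:
    """Flag system-folder files on O* lines whose name is not on the allowlist."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = re.match(r"(O\d+)\s+-", line)
        if not m:
            continue                      # not a HijackThis item line
        for path in extract_paths(line):
            name = PureWindowsPath(path).name.lower()
            if in_system_dir(path) and name not in known_good:
                findings.append(Finding(
                    m.group(1), path,
                    f"{name} is in a system folder but not on the known-good list"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.item}  {f.path}  <- {f.reason}")
```

Run against the sample log this reports exactly the two entries from the post (mfcyz32.dll and javamf.exe) and ignores the NvCpl.dll and Program Files entries. The allowlist is the weak point, as in the manual procedure: a name that happens to be on the list, or a legitimate file in a non-system folder, is not examined, so the output is a worklist for step 5, not a verdict.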


#2 2arms (Full Member, 13 posts)

Posted 15 June 2004 - 08:16 PM

Hey boobits, that's a great post. You in fact did a lot of the things I did when I got hijacked by CWS. I posted my stats here but no one answered (it was busy) and I couldn't wait, so I took action to beat that scumware.

Here are some other real helpful things to do along with what you posted.

1) Delete files in your Temp and Internet Temp folders. If a file in one of those folders won't let you remove it, reboot and try again before you run any programs.

2) Look at the folders in your Program folder; if something doesn't look right, find out what it is.

3) Use the links in my signature below.

Edited by 2arms, 15 June 2004 - 09:17 PM.


#3 wazmix (New Member, 1 post)

Posted 15 June 2004 - 09:18 PM

I have started this approach after CWShredder, Ad-Aware, Spybot, and HJT have not rid me of my hijack problem.

Before I start IE, I change my homepage to "Blank."
I start IE. (Blank page appears.)

Check my homepage in "Options": back to the hijack link.
Check Task Manager: an odd EXE is running.
Close this odd EXE.
Delete the odd EXE.

Start this again, possibly running HJT again.
The same thing happens, but the odd EXE changes.

Here are some of the names:

Addis32
MFCET
MFCTA
SYSZF32
WINIR
D3IF

I do not believe I have gotten to them all.

#4 boobits (Full Member, 6 posts)

Posted 15 June 2004 - 09:21 PM

You may need to get them all at once. That is what I did: I deleted them all in one go. I then went back through to see if I missed any. In my case I did not. I think it is important that when you're deleting them you do not open IE. I believe that triggers the beast to recreate random EXEs and DLLs.

#5 toblerone (Full Member, 24 posts)

Posted 15 June 2004 - 09:24 PM

Thanks, I'll give this a try...

#6 2arms (Full Member, 13 posts)

Posted 15 June 2004 - 09:25 PM

Did you remove all the files in your Temp and IE Temp folders? That was the killing blow after I used all the programs.

#7 toblerone (Full Member, 24 posts)

Posted 15 June 2004 - 09:32 PM

Question: how do you delete Temp and IE Temp files? Where are they located?

#8 2arms (Full Member, 13 posts)

Posted 15 June 2004 - 09:35 PM

Local Settings\Temporary Internet Files

windows\temp

#9 2arms (Full Member, 13 posts)

Posted 15 June 2004 - 09:36 PM

And make sure folder options are set to "view hidden".

#10 toblerone (Full Member, 24 posts)

Posted 15 June 2004 - 09:46 PM

Sorry, bit slow... but how do we change folder options? Ain't very "computery"...

#11 2arms (Full Member, 13 posts)

Posted 15 June 2004 - 09:54 PM

Start... Control Panel... Folder Options... View... check "Show hidden files and folders".

#12 toblerone (Full Member, 24 posts)

Posted 15 June 2004 - 10:05 PM

Thanks... I'll try this again from the start....

#13 2arms (Full Member, 13 posts)

Posted 15 June 2004 - 10:10 PM

Good luck =)

#14 lanea (New Member, 1 post)

Posted 15 June 2004 - 10:13 PM

THANK YOU SO MUCH. Your directions worked like a charm.

It seems there was one weird process, iepy.exe or something, that was the culprit.

I also used Trojan Hunter to identify a bunch of other "possible Trojans". They were recent files and small, so I killed 'em all!!

I really appreciate your directions. This thing was an insidious pain.

Andrew

#15 2arms (Full Member, 13 posts)

Posted 15 June 2004 - 10:19 PM

Good for you =) Glad to hear that!!!

#16 McPick (New Member, 2 posts)

Posted 15 June 2004 - 10:26 PM

Boobits &amp; 2arms: Interesting posts. I was advised to do this last night by a friend, when I got 'jacked. Items like Z.exe, IEHost.exe, Search.exe, Auto Update.exe and others are "known" and described. Others, such as (in my log) iedrdsur.exe, hfzkan.exe, and ifsppagn.exe, are unknown. I think these may be part of my problem, but as I am new to this type of investigation, I'm wary about removing them. I've run Shredder, Spybot, Ad-Aware and Spy Sweeper. Each (except Shredder) removes lots of stuff (Apropos, Clocksync, WebSearch Toolbar, Memory Watcher, People on Page, Clear Search, WhenU and Cool Web Search). Ultimately, none completely kills it... whatever it is. I know it's in there in the phantom EXE and temp files, or something similar. Thanks for the super discussion and suggestions.

#17 toblerone (Full Member, 24 posts)

Posted 15 June 2004 - 10:28 PM

Arggg... still ain't happening for me...

#18 2arms (Full Member, 13 posts)

Posted 15 June 2004 - 10:36 PM

It was hidden files in my Temp folders that kept coming back to haunt me after every reboot. Another thing I've done is run the programs in Safe Mode, as it stops many spies from running.
And if you're a Kazaa, iMesh, etc. kind of person, I found Spy Sweeper from webroot.com helpful along with the other scanners here, because as we all know, tons of crap gets into your PC from P2P programs.

#19 toblerone (Full Member, 24 posts)

Posted 15 June 2004 - 10:38 PM

Oh well, I'd better be getting to bed... I'll check back and see how everyone's doing tomorrow, and try this a few more times... I appreciate everyone's help...

#20 2arms (Full Member, 13 posts)

Posted 15 June 2004 - 10:40 PM

Aw, toblerone... did you read the informational links in my signature on how to use the programs? It really makes a big difference.

#21 toblerone (Full Member, 24 posts)

Posted 15 June 2004 - 10:42 PM

I'll definitely check 'em out tomorrow. It's almost 1 am where I'm at, and I was up past 3 last night trying to kill this thing... thanks though...

#22 cnm (Mother Lion of SWI, Administrators, 25,317 posts)

Posted 15 June 2004 - 10:44 PM

If you folks want to learn about spyware and the fixes for it, or to share your ideas with beginners, see http://www.spywarein...hp?showtopic=34
We do a lot of collaborating there.

Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE


#23 2arms (Full Member, 13 posts)

Posted 15 June 2004 - 10:44 PM

I also have Norton SystemWorks 2004 and Internet Security/firewall, and I still found trojans using the online AV scan at Trend Micro.

#24 2arms (Full Member, 13 posts)

Posted 15 June 2004 - 10:44 PM

Thanks, I will.

#25 2arms (Full Member, 13 posts)

Posted 15 June 2004 - 11:25 PM

And of course, update your Windows.

#26 boobits (Full Member, 6 posts)

Posted 15 June 2004 - 11:28 PM

It's good to know it worked for someone :D

#27 boobits (Full Member, 6 posts)

Posted 16 June 2004 - 01:07 AM

cnm, thanks for the link =)
