boobits

Solution to the res:// Coolweb hijack--Worth a try

27 posts in this topic

*edit* Forgot I also searched for dll's and added an example.

My computer is Windows XP.

Browser was IE6.

This is the order in which I ran programs to get rid of this horrible nightmare. I have rebooted many times with no sign of the return. So as far as I can tell... it's gone. I ran CWShredder with no luck... so I assume it did not work for you either.

1) I ran task manager and looked at all the processes that are running.

You are looking for .EXE extensions. I carefully looked and wrote down all the ones that looked the slightest bit off... such as MSinFd.exe, that type of thing.

2) Then go to http://www.liutilities.com/products/wintas.../processlibrary and look up the processes. If they don't show up, flag those as potential problems.

3) Run HijackThis. Now what you are doing is cross-referencing those .EXE's that you flagged in step 2. Now also look at the HijackThis log for any .EXE's that show up under Windows\system and Windows\system32. Check those .EXE's that are in those locations at the liutilities website. If they don't show up as valid ones... again... mark these as potential problems. You are also looking for .dll's that show up in the \system and \system32 locations. Again, you need to make sure these are valid. Just type them into Google. If they are not found, mark them as a potential prob.

Here is an example:

O2 - BHO: (no name) - {C6227AB8-1429-9D80-8BEE-55DC63DBF69B} - C:\WINDOWS\system32\mfcyz32.dll

C:\WINDOWS\system32\javamf.exe

4) Install and run both Ad-Aware and Spybot (be sure to update). Delete everything that shows up.

5) Now... remember all those .EXE's (and dll's) that you flagged earlier as problems... well... now you need to start getting rid of them (again, make sure you checked at that liutilities website first to make sure you're not deleting valid .EXE's). You FIRST have to open task manager and end the process (or you will not be able to delete it). Once you have ended the process, search for and delete the .EXE.

Repeat this process for all of them.

6) Now run HijackThis again and make sure all of the .EXE's you have flagged as problems are gone. If they are not... simply note the name... it WILL be in the task manager... end the process... then search and delete.

This has worked for me with no return of this horrible thing. Be SURE to look up ANY .EXE that looks off in any way... may take a while but you need to get them all.

7) Reboot your machine... Cold boot. That is... turn it off. Wait 10-15 secs, then turn on again.

8) Go to step 1 just to make sure they are all gone.

Hope this works for you. If not... well... was worth a shot.

Edited by boobits
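
The cross-referencing in steps 1 to 3 of the post above, as an added example that is not part of the original post: it pulls every .exe and .dll path under Windows\system and Windows\system32 out of a HijackThis log and lists the ones not yet confirmed as legitimate. `KNOWN_GOOD`, `flag_candidates` and the sample log are constructed for illustration; only the `javamf.exe` and `mfcyz32.dll` lines come from the post.

```python
import ntpath
import re

# Assumption: file names the reviewer has already looked up and confirmed.
# The entries are constructed for this example.
KNOWN_GOOD = {"svchost.exe", "winlogon.exe", "explorer.exe", "ctfmon.exe"}

# The two directories the post singles out.
WATCHED_DIRS = {r"c:\windows\system", r"c:\windows\system32"}

# A Windows path ending in .exe or .dll anywhere on a log line.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\r\n\"<>|*?]*?\.(?:exe|dll)\b", re.IGNORECASE)

# Constructed sample log; lines 5 and 8 are the two entries quoted in the post.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\javamf.exe
C:\Program Files\Internet Explorer\iexplore.exe

O2 - BHO: (no name) - {C6227AB8-1429-9D80-8BEE-55DC63DBF69B} - C:\WINDOWS\system32\mfcyz32.dll
O4 - HKLM\..\Run: [ctfmon] C:\WINDOWS\system32\ctfmon.exe
"""


def flag_candidates(log_text, known_good=KNOWN_GOOD):
    """Return (path, line_number) pairs that still need a manual lookup."""
    flagged = {}
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for match in PATH_RE.finditer(line):
            path = match.group(0)
            directory, name = ntpath.split(path)
            if directory.lower() not in WATCHED_DIRS:
                continue  # outside \system and \system32
            if name.lower() in known_good:
                continue  # already verified by the reviewer
            # Keep the first line on which each distinct path appears.
            flagged.setdefault(path.lower(), (path, lineno))
    return sorted(flagged.values(), key=lambda item: item[1])


if __name__ == "__main__":
    for path, lineno in flag_candidates(SAMPLE_LOG):
        print(f"line {lineno}: look up {path}")
```

A name on the list only records that the name was looked up; the script does not inspect the file itself.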


Hey boobits, that's a great post. You in fact did a lot of things I did when I got hijacked by CWS. I posted my stats here but no one answered (it was busy) and I couldn't wait, so I took action to beat that scumware.

Here are some other real helpful things to do along with what you posted.

1) Delete files in your temp and internet temp folders... if a file in one of those folders won't let you remove it, reboot and try again before you run any programs

2) Look at folders in your program folder; if something doesn't look right, find out what it is

3) Use the links in my signature below :bounce:

Edited by 2arms


I have started this approach, after CWShredder, Adaware, Spybot, and HJT have not rid me of my hijack problem.

Before I start IE, I change my homepage to "Blank."

I start IE. (Blank page appears.)

Check my homepage in "Options"... Back to the hijack link.

Check Taskmanager... Odd EXE is running.

Close this Odd-EXE.

Delete Odd-EXE.

Start this again, possibly running HJT again.

Same thing happens, but the Odd-EXE changes.

Here are some of the names...

Addis32

MFCET

MFCTA

SYSZF32

WINIR

D3IF

I do not believe I have gotten to them all.


You may need to get them all at once. That is what I did. I deleted them all in one go. I then went back through to see if I missed any. In my case I did not. I think it is important that when you're deleting them that you do not open IE. I believe that triggers the beast to recreate random exe's and dll's.


did you remove all the files in your temp and ie temp... that was the killing blow after i used all the programs


Local Settings\Temporary Internet Files

windows\temp


and make sure folder options are set to "view hidden"


start... control panel... folder options... view... check show hidden


THANK YOU SO MUCH... your directions worked like a charm...

It seems there was one weird process, iepy.exe or something, that was the culprit...

I also used Trojan Hunter to identify a bunch of other "possible Trojans". They were recent files and small so I killed em all!!

I really appreciate your directions... This thing was an insidious pain...

Andrew


Boobits & 2arms: Interesting posts. I was advised to do this last night by a friend, when I got 'jacked. Items like Z.exe, IEHost.exe, Search.exe, Auto Update.exe and others are "known" and described. Others, such as (on my log) iedrdsur.exe, hfzkan.exe, and ifsppagn.exe are unknown. I think these may be part of my problem, but as I am new to this type of investigation, I'm wary about removing them. I've run Shredder, Spy-Bot, Ad-Aware and Spy Sweeper. Each (except Shredder) removes lots of stuff (Apropos, Clocksync, WebSearch Toolbar, Memory watcher, People on Page, Clear Search, When U and Cool Web Search). Ultimately, none completely kills it... Whatever it is. I know it's in there in the phantom exe and temp files, or something similar. Thanks for the super discussion and suggestions.


It was hidden files in my temps that kept coming back to haunt me after every reboot. Other things I've done is run the programs in safe mode, as it stops the running of many spys.

And if you're a Kazaa, iMesh etc. kinda person, I found Spy Sweeper from webroot.com helpful along with the other scanners here, cause as we all know tons of crap gets into your PC from P2P programs.


Oh well, I better be getting to bed...I'll check back and see how everyone's doing tomorrow, and try this a few more times...I appreciate everyone's help...


aw toblerone... did you read the Informational links in my signature, on how to use the programs, really makes a big difference


I'll definitely check 'em out tomorrow, it's almost 1 am where I'm at, and I was up past 3 last night trying to kill this thing...thanks though...


I also have Norton SystemWorks 2004 and internet security/firewall and I still found trojans using the online AV scan at Trend Micro
