gotjacked

Hijacked to CWS 213.159.117.132

10 posts in this topic

We have had THE MOST FRUSTRATING two weeks in the history of owning computers...now going on 15 years!!

 

My son's computer has apparently had something downloaded in the form of trojan/worm/whatever related to the CoolWebSearch problem I have been reading about constantly for the past several days (including a major number of postings to this site - at least I'm not alone!).

 

It first became apparent after we had several calls charged to our phone bill to Sao Tome and, after a bit of investigation, noted the change in behaviour of IE Explorer on his machine. The home page constantly reverted away from his selected home page to another (in the browser showing as "http://213.159.117.132/index.php") web page. In addition, trying to use the computer's explorer function was impossible as the system froze after expanding the tree in the left pane beyond the second level of folders, resulting in the need for Ctrl-Alt-Del every minute or two.

 

To sum up:

1. Dial-up modem is redirected from default provider to some site that causes per-minute long distance calls (Sao Tome)

2. Home page is redirected to "http://213.159.117.132/index.php"

3. Windows explorer function is rendered useless

4. None of this is evident when running in Safe Mode

 

I have run every suggested piece of downloadable CW-related removal software that I can find, including the latest versions of CW Shredder, Spy Hunter, Spy Ferret, Hijack This, Ad-Aware, Spybot S&D, Spy Sweeper, and probably a couple others but this problem persists.

 

From what I have read - I suspect there is a hidden .dll that I have not been able to reveal as the culprit (or a style sheet tucked away somewhere) that resets the web page at each start-up but as you can see I have run out of options and seek help from the experts here.

 

Also, from below you can see that IE Explorer is rather old and probably full of security holes and, no, we don't have antivirus software running, which will change shortly, but in the meantime I have to get rid of this plague before anything else happens.

 

I have included below the usual stuff from HJT, both the scan log and the start-up log for all to peruse. The scan was done after logging onto the net for about 30 seconds when my modem took off to some other web-provider and the home pages were altered from that set manually while in Safe Mode. Deleting the R0 and R1 entries in the log below makes no difference on subsequent start-ups, so although that would be a good starting suggestion, so far it seems to be pointless. All the other entries in the log appear to make sense as far as the other software running on start-up....so....what's next?? I should mention that I had previously cleaned out the Temp folder (and the Hosts file in Windows), as I see below that something was reset into the Temp folder on the latest net log-on:

 

***********************************

Logfile of HijackThis v1.97.7

Scan saved at 9:57:07 PM, on 18-06-04

Platform: Windows 98 SE (Win9x 4.10.2222A)

MSIE: Internet Explorer v5.50 SP1 (5.50.4522.1800)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\EXPLORER.EXE

C:\PROGRAM FILES\ACCESSORIES\HIJACK THIS\HIJACKTHIS.EXE

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/index.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/index.php

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/index.php

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/index.php

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/index.php

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/index.php

N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.google.ca/"); (C:\Program Files\Netscape\Users\r_kbr\prefs.js)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\ACCESS~1\SPYBOT~2\SDHELPER.DLL

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\ACCESSORIES\SPYWAREGUARD\DLPROTECT.DLL

O4 - HKLM\..\Run: [Absolute StartUp monitor] C:\Program Files\Accessories\AbsoluteStartUp\ASMon.exe

O4 - HKLM\..\Run: [anvshell] anvshell.exe

O4 - HKLM\..\Run: [CookieCop] C:\PROGRA~1\COOKIE~1\COOKIE~1.EXE

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [Net Buddy] "C:\PROGRAM FILES\NET BUDDYPRO\NETBUDDY.EXE"

O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe

O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM\..\Run: [SystemTray] SysTray.Exe

O4 - HKLM\..\Run: [WinTime] C:\WINDOWS\system32\wintime.exe

O4 - HKLM\..\Run: [SpyHunter] C:\PROGRAM FILES\ENIGMA SOFTWARE GROUP\SPYHUNTER\SPYHUNTER.exe

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - Startup: SpywareGuard.lnk = C:\Program Files\Accessories\SpyWareGuard\sgmain.exe

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

 

*************************

 

 

StartupList report, 18-06-04, 10:33:06 AM

StartupList version: 1.52

Started from : C:\PROGRAM FILES\ACCESSORIES\HIJACK THIS\HIJACKTHIS.EXE

Detected: Windows 98 SE (Win9x 4.10.2222A)

Detected: Internet Explorer v5.50 SP1 (5.50.4522.1800)

* Using default options

==================================================

 

Running processes:

 

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\EXPLORER.EXE

C:\PROGRAM FILES\ACCESSORIES\ABSOLUTESTARTUP\ASMON.EXE

C:\WINDOWS\ANVSHELL.EXE

C:\PROGRAM FILES\COOKIE COP\COOKIECOP.EXE

C:\PROGRAM FILES\NET BUDDYPRO\NETBUDDY.EXE

C:\WINDOWS\STARTUPMONITOR.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\SYSTEM32\WINTIME.EXE

C:\PROGRAM FILES\ACCESSORIES\SPYWAREGUARD\SGMAIN.EXE

C:\WINDOWS\SYSTEM\RNAAPP.EXE

C:\WINDOWS\SYSTEM\TAPISRV.EXE

C:\PROGRAM FILES\ACCESSORIES\SPYWAREGUARD\SGBHP.EXE

C:\WINDOWS\SYSTEM\PSTORES.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\WINDOWS\TEMP\XWXLOAD.EXE

C:\WINDOWS\TEMP\MSLDF.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\PROGRAM FILES\ACCESSORIES\HIJACK THIS\HIJACKTHIS.EXE

 

--------------------------------------------------

 

Listing of startup folders:

 

Shell folders Startup:

[C:\WINDOWS\Start Menu\Programs\StartUp]

SpywareGuard.lnk = C:\Program Files\Accessories\SpyWareGuard\sgmain.exe

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

 

Absolute StartUp monitor = C:\Program Files\Accessories\AbsoluteStartUp\ASMon.exe

anvshell = anvshell.exe

CookieCop = C:\PROGRA~1\COOKIE~1\COOKIE~1.EXE

LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

Net Buddy = "C:\PROGRAM FILES\NET BUDDYPRO\NETBUDDY.EXE"

Run StartupMonitor = StartupMonitor.exe

ScanRegistry = C:\WINDOWS\scanregw.exe /autorun

SystemTray = SysTray.Exe

WinTime = C:\WINDOWS\system32\wintime.exe

SpyHunter = C:\PROGRAM FILES\ENIGMA SOFTWARE GROUP\SPYHUNTER\SPYHUNTER.exe

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

 

LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

 

--------------------------------------------------

 

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

 

Shell=EXPLORER.EXE

SCRNSAVE.EXE=

drivers=MMSYSTEM.DLL POWER.DRV

 

--------------------------------------------------

 

C:\WINDOWS\WININIT.BAK listing:

(Created 7/6/2004, 22:55:2)

 

[rename]

C:\WINDOWS\SYSTEM\IoSubSys\SmartVSD.VxD=C:\WINDOWS\SYSTEM\SmartVSD.VxD

 

--------------------------------------------------

 

C:\AUTOEXEC.BAT listing:

 

SET TEMP=C:\TEMP

 

--------------------------------------------------

 

 

Enumerating Browser Helper Objects:

 

(no name) - C:\PROGRA~1\ACCESS~1\SPYBOT~2\SDHELPER.DLL - {53707962-6F74-2D53-2644-206D7942484F}

SpywareGuard Download Protection - C:\PROGRAM FILES\ACCESSORIES\SPYWAREGUARD\DLPROTECT.DLL - {4A368E80-174F-4872-96B5-0B27DDD11DB2}

 

--------------------------------------------------

 

Enumerating Task Scheduler jobs:

 

Liquid Audio Auto Update Agent.job

Symantec NetDetect.job

 

--------------------------------------------------

 

Enumerating Download Program Files:

 

[Shockwave Flash Object]

InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX

CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab

 

--------------------------------------------------

 

Enumerating ShellServiceObjectDelayLoad items:

 

WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL

System: C:\WINDOWS\system32\system32.dll

 

--------------------------------------------------

End of report, 4,388 bytes

Report generated in 0.059 seconds

 

Command line options:

/verbose - to add additional info on each section

/complete - to include empty sections and unsuspicious data

/full - to include several rarely-important sections

/force9x - to include Win9x-only startups even if running on WinNT

/forcent - to include WinNT-only startups even if running on Win9x

/forceall - to include all Win9x and WinNT startups, regardless of platform

/history - to list version history only

 

**********************************************

 

PLEASE - SOMEONE out there must have the cure!!!!!!! - thanks to anyone with a hint at an answer to this.....gotjacked

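The two logs above are the thread's own data. What follows is an added example, not part of the original post and not HijackThis code: a small script that applies three triage heuristics a log reviewer would check first against lines like these. It flags an IE start page that points at a bare IP address (the R0/R1 entries), executables running or started out of a TEMP directory, and, on a Win9x platform, paths under WINDOWS\SYSTEM32 (Win9x keeps its system files in WINDOWS\SYSTEM). The sample log inside the script is a constructed subset of the posted lines; the thread itself never says which entries were the malware, so treat the output as a review queue, not a verdict.

```python
"""Triage heuristics for a HijackThis / StartupList log (added example)."""
from __future__ import annotations

import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed sample: a subset of the lines from the log posted above, one per line.
SAMPLE_LOG = r"""
Platform: Windows 98 SE (Win9x 4.10.2222A)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM32\WINTIME.EXE
C:\WINDOWS\TEMP\XWXLOAD.EXE
C:\WINDOWS\TEMP\MSLDF.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/index.php
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.google.ca/"); (C:\Program Files\Netscape\Users\r_kbr\prefs.js)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\ACCESSORIES\SPYWAREGUARD\DLPROTECT.DLL
O4 - HKLM\..\Run: [WinTime] C:\WINDOWS\system32\wintime.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
"""

# A Windows path ending in an executable-ish extension; stops at the first such extension.
PATH_RE = re.compile(r'[A-Za-z]:\\[^\r\n\[\]"]+?\.(?:exe|dll|com|scr|vxd)\b', re.IGNORECASE)
# R0/R1 lines: "... = <url>" (IE start/default/local page values).
START_PAGE_RE = re.compile(r"^R[01] - .*?= *(\S+)")


def host_is_ip_literal(url: str) -> bool:
    """True when the URL's host is a bare IPv4/IPv6 address rather than a name."""
    host = urlsplit(url).hostname
    if not host:
        return False
    try:
        ip_address(host)
    except ValueError:
        return False
    return True


def triage(log_text: str) -> list[tuple[str, str]]:
    """Return (reason, log line) pairs for entries a reviewer should look at first."""
    lines = log_text.splitlines()
    # HijackThis prints the platform first; Win9x keeps its system files in \WINDOWS\SYSTEM.
    win9x = any(l.startswith("Platform:") and "Win9x" in l for l in lines)
    findings: list[tuple[str, str]] = []
    for line in lines:
        m = START_PAGE_RE.match(line)
        if m and host_is_ip_literal(m.group(1)):
            findings.append(("IE start page points at a bare IP address", line))
        for path in PATH_RE.findall(line):
            p = path.lower()
            if "\\temp\\" in p:
                findings.append(("executable running or started from a TEMP directory", line))
            elif win9x and "\\windows\\system32\\" in p:
                findings.append(("SYSTEM32 path on Win9x, where the system directory is \\WINDOWS\\SYSTEM", line))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}]\n    {line}")
```

Run against the constructed sample it reports six lines: the two start-page entries, the two TEMP processes, and the WINTIME.EXE process plus its O4 Run entry. Everything else (KERNEL32, Explorer, the Netscape preference, the SpywareGuard BHO, scanregw) passes the heuristics, which is the point of a triage pass: it shrinks the list a human has to reason about, it does not decide for them.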

Please, next time before escalating the issue - read the pinned posts and perform the procedures as suggested.

  1. How to Remove CoolWebSearch with CoolWeb Shredder <= Please click on this link for instructions on how to download and use CoolWebSearch Shredder which will help remove a CWS infection on your computer. Make sure you close all programs and windows before running it and be sure to click on the "Fix" button.
  2. Run either of these free online virus scans.

  • How to use Ad-Aware to remove Spyware <= Please check this link for instructions on how to download, install and then use Ad-Aware. Run this program as soon as possible.

  • How to use Spybot to remove Spyware <= Please check this link for instructions on how to download, install and then use Spybot. Run this as soon as possible as it may catch things that Ad-Aware misses.

  • Download, install and run Trojan Hunter (Trial)

Please post another HijackThis log when you have completed these procedures.


I've run Spybot S&D, CWShredder, and Ad-Aware a number of times with no success - but will try again. I haven't tried to scan with HouseCall via Trend Micro because of the redirection problem - although I can try to connect while in Safe Mode(?). I have just located TrojanHunter this am and will try it this evening and repost another HJT log when completed.


Please be sure to update the programs if you already have them. Some, especially CW Shredder, are updated frequently to combat new infections - CWS is at version 1.59.0.


The latest update of CW Shredder and AVG caught the malware - both the homepage hijacking and the dialer....many thanks for suggesting sticking with the most recent versions. Adding revised HOSTS file and restricted sites to reduce risk of reinfection.


Please post an updated HijackThis log and I will verify that all your infections have been eradicated.


My latest log from HJT as requested - and all still seems to be running well:

 

Logfile of HijackThis v1.97.7

Scan saved at 9:45:19 AM, on 27-06-04

Platform: Windows 98 SE (Win9x 4.10.2222A)

MSIE: Internet Explorer v5.50 SP1 (5.50.4522.1800)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\EXPLORER.EXE

C:\PROGRAM FILES\ACCESSORIES\ABSOLUTESTARTUP\ASMON.EXE

C:\WINDOWS\ANVSHELL.EXE

C:\PROGRAM FILES\ACCESSORIES\AVGFREE\AVGCC32.EXE

C:\PROGRAM FILES\COOKIE COP\COOKIECOP.EXE

C:\PROGRAM FILES\NET BUDDYPRO\NETBUDDY.EXE

C:\WINDOWS\STARTUPMONITOR.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\PROGRAM FILES\ACCESSORIES\TROJANHUNTER\THGUARD.EXE

C:\WINDOWS\SYSTEM\RNAAPP.EXE

C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE

C:\PROGRAM FILES\ACCESSORIES\SPYWAREGUARD\SGMAIN.EXE

C:\WINDOWS\SYSTEM\TAPISRV.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\PROGRAM FILES\ACCESSORIES\SPYWAREGUARD\SGBHP.EXE

C:\PROGRAM FILES\ACCESSORIES\HIJACK THIS\HIJACKTHIS.EXE

 

N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.google.ca/"); (C:\Program Files\Netscape\Users\ron_koob\prefs.js)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\ACCESS~1\SPYBOT~2\SDHELPER.DLL

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\ACCESSORIES\SPYWAREGUARD\DLPROTECT.DLL

O4 - HKLM\..\Run: [Absolute StartUp monitor] C:\Program Files\Accessories\AbsoluteStartUp\ASMon.exe

O4 - HKLM\..\Run: [anvshell] anvshell.exe

O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\ACCESS~1\AVGFREE\avgcc32.exe /STARTUP

O4 - HKLM\..\Run: [CookieCop] C:\PROGRA~1\COOKIE~1\COOKIE~1.EXE

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [Net Buddy] "C:\PROGRAM FILES\NET BUDDYPRO\NETBUDDY.EXE"

O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe

O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM\..\Run: [SystemTray] SysTray.Exe

O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\ACCESSORIES\TROJANHUNTER\THGUARD.EXE"

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background

O4 - Startup: SpywareGuard.lnk = C:\Program Files\Accessories\SpyWareGuard\sgmain.exe

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

 

 

Let me know if anything else should be fixed - thanks again.


Your log is looking clean but ...

 

Please go to Microsoft Windows Update and download all critical updates for your system. This is imperative - Especially updating IE to v6.0 SP1.

 

Also ...

Here are some tips, to reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:

  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.

To protect yourself further:

  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.

I also suggest that you delete any files from "temp", "tmp" folders. In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files" and select the box that says "Delete All Offline Content" and click on "OK" twice. Also, empty the recycle bin by right clicking on it and selecting "Empty Recycle Bin". These steps should be done on a regular basis.

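The HOSTS-file advice above works by name resolution: the file maps a hostname to 127.0.0.1 before any DNS query happens, so a connection to a listed name goes to the local machine. Two limits follow that the reply does not spell out, and both matter for this thread. A HOSTS file matches exact hostnames only (no wildcards, so a subdomain of a listed name is not covered), and it is never consulted for a URL whose host is already an IP address, which is exactly what the hijack page here was (http://213.159.117.132/index.php). The script below is an added example, not from the thread or from the MVPS project, that models both points; the hosts entries and hostnames in it are constructed, and the lookup classification is a simplification of what the OS resolver does.

```python
"""Model of what a HOSTS-file block does and does not cover (added example)."""
from __future__ import annotations

from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed excerpt in the layout a Windows HOSTS file uses: comments, blank
# lines, tabs or spaces, and optional trailing comments. The names are made up.
SAMPLE_HOSTS = """\
# Constructed HOSTS file excerpt (not the MVPS file)
127.0.0.1       localhost

127.0.0.1\tads.example.net      # constructed ad host
127.0.0.1       tracker.example.org
"""


def parse_hosts(text: str) -> dict[str, str]:
    """Map each hostname in a HOSTS file to the address the file gives it."""
    table: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            table.setdefault(name.lower(), addr)  # first entry wins (a simplification)
    return table


def resolve(url: str, hosts: dict[str, str]) -> tuple[str, str]:
    """Classify how the host in a URL would be looked up.

    Returns ("ip-literal", host) when no name lookup happens at all,
    ("hosts", addr) when the HOSTS file answers, or ("dns", host) otherwise.
    """
    host = (urlsplit(url).hostname or "").lower()
    try:
        ip_address(host)
        return ("ip-literal", host)      # bare IP: HOSTS and DNS are both bypassed
    except ValueError:
        pass
    if host in hosts:                    # exact-name match only, no wildcards
        return ("hosts", hosts[host])
    return ("dns", host)


def is_blocked(url: str, hosts: dict[str, str]) -> bool:
    """True only when the HOSTS file redirects the name to the local machine."""
    kind, value = resolve(url, hosts)
    return kind == "hosts" and value in ("127.0.0.1", "0.0.0.0")


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for url in ("http://ads.example.net/banner.gif",
                "http://www.ads.example.net/banner.gif",   # subdomain: no wildcard match
                "http://213.159.117.132/index.php",        # IP literal: HOSTS never consulted
                "http://www.google.ca/"):
        print(f"{url:45} blocked={is_blocked(url, hosts)} via={resolve(url, hosts)}")
```

The practical reading: a HOSTS file is a good layer against named ad and tracking hosts, but it would not have stopped the start-page hijack in this thread, which used a raw IP, and it does not cover names a listed site serves from subdomains. It belongs alongside the other measures in the reply (patching IE, the Restricted sites list, real-time spyware protection), not in place of them.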