maaziz7
asked on
CWShredder not working, log file attached.
Dear experts,
I have a problem with the home page setting of IE6.
Instead of www.google.de, some Coolwebsearch (CWS) page is my home page now.
tried a lot with
Spybot
ad aware 6
and at the end with the latest version of CWShredder.
nothing seems to working. everytime I set the home page as www.google.de , it chaged to about:blank with some spam search site,
tried to run the OS (Win XP) in safe mode and do the above methods, but fails
log file generated with hijack this is given below,
Logfile of HijackThis v1.97.7
Scan saved at 1:56:27 AM, on 4/8/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WIN98\System32\smss.exe
C:\WIN98\system32\winlogon .exe
C:\WIN98\system32\services .exe
C:\WIN98\system32\lsass.ex e
C:\WIN98\system32\svchost. exe
C:\WIN98\System32\svchost. exe
C:\WIN98\system32\spoolsv. exe
C:\WIN98\System32\inetsrv\ inetinfo.e xe
C:\WIN98\Explorer.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\Internet download\Softwares and patches\log-generator.exe
R1 - HKCU\Software\Microsoft\In ternet Explorer\Main,Search Bar = res://C:\WIN98\System32\pf h.dll/sp.h tml (obfuscated)
R1 - HKCU\Software\Microsoft\In ternet Explorer\Main,Search Page = res://C:\WIN98\System32\pf h.dll/sp.h tml (obfuscated)
R1 - HKCU\Software\Microsoft\In ternet Explorer\Main,Default_Sear ch_URL = about:blank
R1 - HKCU\Software\Microsoft\In ternet Explorer\Search,SearchAssi stant = res://C:\WIN98\System32\pf h.dll/sp.h tml (obfuscated)
R1 - HKLM\Software\Microsoft\In ternet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\In ternet Explorer\Main,Search Bar = res://C:\WIN98\System32\pf h.dll/sp.h tml (obfuscated)
R1 - HKLM\Software\Microsoft\In ternet Explorer\Main,Search Page = res://C:\WIN98\System32\pf h.dll/sp.h tml (obfuscated)
R0 - HKLM\Software\Microsoft\In ternet Explorer\Search,SearchAssi stant = res://C:\WIN98\System32\pf h.dll/sp.h tml (obfuscated)
R1 - HKCU\Software\Microsoft\In ternet Explorer\SearchURL,(Defaul t) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Wi ndows\Curr entVersion \Internet Settings,AutoConfigURL = proxy.olydorf.swh.mhn.de
R1 - HKCU\Software\Microsoft\Wi ndows\Curr entVersion \Internet Settings,ProxyServer = proxy.olydorf.swh.mhn.de:8 080
R1 - HKCU\Software\Microsoft\In ternet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\In ternet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\In ternet Explorer\Main,SearchAssist ant = ,
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-D D56626C6C4 2} - C:\WIN98\twaintec.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-7 84B7D6BE0B 3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEH elper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0 B27DDD11DB 2} - C:\Program Files\SpywareGuard\dlprote ct.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-2 06D7942484 F} - C:\PROGRA~1\SPYBOT~1\SDHel per.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-C F10577473F 7} - c:\program files\google\googletoolbar 3.dll
O2 - BHO: (no name) - {B5366465-D066-4C74-A4D9-3 6FCB4BA5FE C} - C:\WIN98\System32\pfh.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-0 0A0C908246 7} - C:\WIN98\System32\msdxm.oc x
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-0 09027A5CD4 F} - c:\program files\google\googletoolbar 3.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain. exe
O6 - HKCU\Software\Policies\Mic rosoft\Int ernet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Mic rosoft\Int ernet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Mic rosoft\Int ernet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar 3.dll/cmse arch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar 3.dll/cmba cklinks.ht ml
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar 3.dll/cmca che.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2 \Office10\ EXCEL.EXE/ 3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar 3.dll/cmsi milar.html
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict .htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch .htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {62475759-9E84-458E-A1AB-5 D2C442ADFD E} - http://a1408.g.akamai.net/7/1408/9955/20031016/akamai.info.apple.com/iTunes4/WW/win/061-0848.20031022.TtzS4/iTunesSetup.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-0 0C04F9A3B6 1} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-1 6A91B2EA10 3} (WScanCtl Class) - http://www3.ca.com/threatinfo/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5 009F29E09E 1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-4 4455354000 0} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\T cpip\..\{F 6F7BFC2-B6 C4-4DB7-84 3C-0859E60 56639}: Domain = stusta.swh.mhn.de
O17 - HKLM\System\CCS\Services\T cpip\..\{F 6F7BFC2-B6 C4-4DB7-84 3C-0859E60 56639}: NameServer = 10.150.128.2,10.150.127.2
O17 - HKLM\System\CS1\Services\T cpip\Param eters: SearchList = stusta.swh.mhn.de
O17 - HKLM\System\CS2\Services\T cpip\Param eters: SearchList = stusta.swh.mhn.de
O17 - HKLM\System\CCS\Services\T cpip\Param eters: SearchList = stusta.swh.mhn.de
Please give your suggestions to coup with this problem,
regards,
Afzal
I have a problem with the home page setting of IE6.
Instead of www.google.de, some Coolwebsearch (CWS) page is my home page now.
tried a lot with
Spybot
ad aware 6
and at the end with the latest version of CWShredder.
nothing seems to working. everytime I set the home page as www.google.de , it chaged to about:blank with some spam search site,
tried to run the OS (Win XP) in safe mode and do the above methods, but fails
log file generated with hijack this is given below,
Logfile of HijackThis v1.97.7
Scan saved at 1:56:27 AM, on 4/8/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WIN98\System32\smss.exe
C:\WIN98\system32\winlogon
C:\WIN98\system32\services
C:\WIN98\system32\lsass.ex
C:\WIN98\system32\svchost.
C:\WIN98\System32\svchost.
C:\WIN98\system32\spoolsv.
C:\WIN98\System32\inetsrv\
C:\WIN98\Explorer.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\Internet download\Softwares and patches\log-generator.exe
R1 - HKCU\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\Wi
R1 - HKCU\Software\Microsoft\Wi
R1 - HKCU\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\In
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-D
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-7
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-2
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-C
O2 - BHO: (no name) - {B5366465-D066-4C74-A4D9-3
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-0
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-0
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.
O6 - HKCU\Software\Policies\Mic
O6 - HKCU\Software\Policies\Mic
O6 - HKLM\Software\Policies\Mic
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {62475759-9E84-458E-A1AB-5
O16 - DPF: {74D05D43-3236-11D4-BDCD-0
O16 - DPF: {7B297BFD-85E4-4092-B2AF-1
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-4
O17 - HKLM\System\CCS\Services\T
O17 - HKLM\System\CCS\Services\T
O17 - HKLM\System\CS1\Services\T
O17 - HKLM\System\CS2\Services\T
O17 - HKLM\System\CCS\Services\T
Please give your suggestions to coup with this problem,
regards,
Afzal
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Hi!
Yes, you have some things that should be removed.
Start your computer in Safe Mode, press F8 at startup repeatedly.
Close all browser windows and run Hijack This.
Check the following and only the following:
R1 - HKCU\Software\Microsoft\In ternet Explorer\Main,Search Bar = res://C:\WIN98\System32\pf h.dll/sp.h tml (obfuscated)
R1 - HKCU\Software\Microsoft\In ternet Explorer\Main,Search Page = res://C:\WIN98\System32\pf h.dll/sp.h tml (obfuscated)
R1 - HKCU\Software\Microsoft\In ternet Explorer\Main,Default_Sear ch_URL = about:blank
R1 - HKCU\Software\Microsoft\In ternet Explorer\Search,SearchAssi stant = res://C:\WIN98\System32\pf h.dll/sp.h tml (obfuscated)
R1 - HKLM\Software\Microsoft\In ternet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\In ternet Explorer\Main,Search Bar = res://C:\WIN98\System32\pf h.dll/sp.h tml (obfuscated)
R1 - HKLM\Software\Microsoft\In ternet Explorer\Main,Search Page = res://C:\WIN98\System32\pf h.dll/sp.h tml (obfuscated)
R0 - HKLM\Software\Microsoft\In ternet Explorer\Search,SearchAssi stant = res://C:\WIN98\System32\pf h.dll/sp.h tml (obfuscated)
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-D D56626C6C4 2} - C:\WIN98\twaintec.dll
O2 - BHO: (no name) - {B5366465-D066-4C74-A4D9-3 6FCB4BA5FE C} - C:\WIN98\System32\pfh.dll
O6 - HKCU\Software\Policies\Mic rosoft\Int ernet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Mic rosoft\Int ernet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Mic rosoft\Int ernet Explorer\Control Panel present
R1 - HKCU\Software\Microsoft\In ternet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\In ternet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\In ternet Explorer\Main,SearchAssist ant = ,
Search in the C:\WIN98\System32\folder and delete pfh.dll.
Empty the recycle bin.
That should do it (keep your fingers crossed)!
Good luck!
Yes, you have some things that should be removed.
Start your computer in Safe Mode, press F8 at startup repeatedly.
Close all browser windows and run Hijack This.
Check the following and only the following:
R1 - HKCU\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-D
O2 - BHO: (no name) - {B5366465-D066-4C74-A4D9-3
O6 - HKCU\Software\Policies\Mic
O6 - HKCU\Software\Policies\Mic
O6 - HKLM\Software\Policies\Mic
R1 - HKCU\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\In
Search in the C:\WIN98\System32\folder and delete pfh.dll.
Empty the recycle bin.
That should do it (keep your fingers crossed)!
Good luck!
The advice I was going to give is as follows: You need to get rid of the Microsoft java Vitural Machine, which is being exploted by the CWS program.
Microsoft has dropped support for MSJVM as of January 1st, so it is a security risk just waiting for an exploit to hit it. You can uninstall MSJVM . You will need to install the Sun Java software to replace MSJVM
d_may