Solved

CWShredder not working, log file attached.

Posted on 2004-04-07
3
360 Views
Last Modified: 2010-04-11
Dear experts,

I have a problem with the  home page setting of IE6.
Instead of www.google.de, some Coolwebsearch (CWS) page is my home page now.

tried a lot with
Spybot
ad aware 6

and at the end with the latest version of CWShredder.

nothing seems to working. everytime I set the home page as www.google.de , it chaged to about:blank with some spam search site,

tried to run the OS (Win XP) in safe mode and do the above methods, but fails

log file generated with hijack this is given below,

Logfile of HijackThis v1.97.7
Scan saved at 1:56:27 AM, on 4/8/2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WIN98\System32\smss.exe
C:\WIN98\system32\winlogon.exe
C:\WIN98\system32\services.exe
C:\WIN98\system32\lsass.exe
C:\WIN98\system32\svchost.exe
C:\WIN98\System32\svchost.exe
C:\WIN98\system32\spoolsv.exe
C:\WIN98\System32\inetsrv\inetinfo.exe
C:\WIN98\Explorer.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\Internet download\Softwares and patches\log-generator.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WIN98\System32\pfh.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WIN98\System32\pfh.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WIN98\System32\pfh.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WIN98\System32\pfh.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WIN98\System32\pfh.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WIN98\System32\pfh.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = proxy.olydorf.swh.mhn.de
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.olydorf.swh.mhn.de:8080
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = ,
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WIN98\twaintec.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: (no name) - {B5366465-D066-4C74-A4D9-36FCB4BA5FEC} - C:\WIN98\System32\pfh.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WIN98\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1408.g.akamai.net/7/1408/9955/20031016/akamai.info.apple.com/iTunes4/WW/win/061-0848.20031022.TtzS4/iTunesSetup.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/threatinfo/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F6F7BFC2-B6C4-4DB7-843C-0859E6056639}: Domain = stusta.swh.mhn.de
O17 - HKLM\System\CCS\Services\Tcpip\..\{F6F7BFC2-B6C4-4DB7-843C-0859E6056639}: NameServer = 10.150.128.2,10.150.127.2
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = stusta.swh.mhn.de
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = stusta.swh.mhn.de
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = stusta.swh.mhn.de


Please give your  suggestions to coup with this problem,

regards,
Afzal
0
Comment
Question by:maaziz7
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 6

Expert Comment

by:Dale May
ID: 10780001
Cool Web Search is a very tenacious hijack program that has gone through alot of changes since it was first released.  Each change is designed to make it harder to detect and remove.CWShredder is your fix to this problem.
The advice I was going to give is as follows:  You need to get rid of the Microsoft java Vitural Machine, which is being exploted by the CWS program.
Microsoft has dropped support for MSJVM as of January 1st, so it is a security risk just waiting for an exploit to hit it.  You can uninstall MSJVM .  You will need to install the Sun Java software to replace MSJVM
d_may
0
 
LVL 12

Accepted Solution

by:
rossfingal earned 100 total points
ID: 10792138
Make sure you have the latest version of CWShedder, at least ver. 1.55.
They have apparently addressed this, I tried to run it and Cool Web Search was blocking it (somebodies sneaky).
However, when I restarted, it came up with a dialogue telling me what was happening, then it ran only it had renamed
itself to random name - success.
Also, what d_may said above - Microsoft is dropping support for it's Java Virtual Machine.

Good luck!
0
 
LVL 12

Expert Comment

by:rossfingal
ID: 10828933
Hi!

Yes, you have some things that should be removed.

Start your computer in Safe Mode, press F8 at startup repeatedly.
Close all browser windows and run Hijack This.
Check the following and only the following:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WIN98\System32\pfh.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WIN98\System32\pfh.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WIN98\System32\pfh.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WIN98\System32\pfh.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WIN98\System32\pfh.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WIN98\System32\pfh.dll/sp.html (obfuscated)
 
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WIN98\twaintec.dll

O2 - BHO: (no name) - {B5366465-D066-4C74-A4D9-36FCB4BA5FEC} - C:\WIN98\System32\pfh.dll

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = ,

Search in the C:\WIN98\System32\folder and delete pfh.dll.
Empty the recycle bin.
That should do it (keep your fingers crossed)!

Good luck!
0

Featured Post

Use Case: Protecting a Hybrid Cloud Infrastructure

Microsoft Azure is rapidly becoming the norm in dynamic IT environments. This document describes the challenges that organizations face when protecting data in a hybrid cloud IT environment and presents a use case to demonstrate how Acronis Backup protects all data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Guest Wireless in a Business Environment 6 126
SMTP connect() failed - WordPress 6 59
Windows 10 GUEST Account 10 28
What's API gateway/firewall & how it's used 10 50
Many old projects have bad code, but the budget doesn't exist to rewrite the codebase. You can update this code to be safer by introducing contemporary input validation, sanitation, and safer database queries.
Active Directory security has been a hot topic of late, and for good reason. With 90% of the world’s organization using this system to manage access to all parts of their IT infrastructure, knowing how to protect against threats and keep vulnerabil…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question