Full Version: problems with CWS_AnalyzeIE, Ehttp Hijacker and Na
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
mavericktc
Hey. I've got some problems with CWS_AnalyzeIE, Ehttp Hijacker and NavExcel.

Logfile of HijackThis v1.99.0
Scan saved at 11:35:39, on 2004-12-23
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Delade filer\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\VetMsgNT.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\htpatch.exe
C:\Program\WinFast\WFTVFM\WFWIZ.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program\CA\ETRUST~1\ETRUST~1\VetTray.exe
C:\WINDOWS\Dit.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program\D-Tools\daemon.exe
C:\WINDOWS\DitExp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\PC\Mina dokument\Virus\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.home.se/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.home.se
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DOMP Class - {4C1B116F-2860-46db-8E6C-B4BFC4DFD683} - C:\WINDOWS\ietlbass32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [EPSON Stylus C82 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C82 Series" /O6 "USB001" /M "Stylus C82"
O4 - HKLM\..\Run: [VetTray] C:\Program\CA\ETRUST~1\ETRUST~1\VetTray.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [zSPGuard] c:\program\pjw\spguard\spguard.exe /s /r
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [TestDriveOR3.exe] C:\DOCUME~1\PC\SKRIVB~1\TESTDR~1.EXE /r
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [Steam] C:\Valve\Steam\Steam.exe -silent
O4 - Global Startup: EZ Firewall.lnk = C:\Program\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Blockera alla bilder från samma sida - C:\Program\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Lägg till i AD Svartlistan - C:\Program\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Markera - C:\Program\Avant Browser\Highlight.htm
O8 - Extra context menu item: Sök - C:\Program\Avant Browser\Search.htm
O8 - Extra context menu item: Öppna alla länkar på sidan... - C:\Program\Avant Browser\OpenAllLinks.htm
O9 - Extra button: Informationshanteraren - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program\Delade filer\Microsoft Shared\Reference 2001\EROProj.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE
O13 - DefaultPrefix: http://ehttp.cc/?
O13 - WWW Prefix: http://ehttp.cc/?
O13 - WWW. Prefix: http://ehttp.cc/?
O14 - IERESET.INF: START_PAGE_URL=http://www.home.se
O15 - Trusted Zone: http://www.aladdinsuthyrning.se
O15 - Trusted Zone: http://www.burn-it.se
O15 - Trusted Zone: www.viainternet.foreningssparbanken.se
O15 - Trusted Zone: http://www.hertz.com
O15 - Trusted Zone: www.jmedata.se
O15 - Trusted Zone: http://www.lundqvistbil.se
O15 - Trusted Zone: webmail.norrteljetidning.se
O15 - Trusted Zone: http://www.regroupimmobilier.com
O15 - Trusted Zone: http://www.umax.co.uk
O15 - Trusted Zone: www.webroot.com
O23 - Service: EPSON Printer Status Agent2 - SEIKO EPSON CORPORATION - C:\Program\Delade filer\EPSON\EBAPI\SAgent2.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: VET Message Service - Unknown - C:\WINDOWS\System32\VetMsgNT.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Bobbi Flekman
Hi mavericktc,

You have a CoolWebSearch infection. Please download CoolWebShredder from http://www.intermute.com/spysubtract/cwshr...r_download.html
Extract CWShredder to its own folder. Restart in Safe Mode (How do I Safe Boot my computer?) and run the program.

Be sure all open windows are closed. Click the "Fix ->" button.

Make sure you let it fix all CWS Remnants.

Afterwards restart your computer.

You might want to save this page on your favorites, so you can find it again when you return. You can also click on your name and click on "Find All Posts" to find your thread.

Run HijackThis, click on "Scan" and check the boxes next to all these items.

There are restrictions set on Control Panel. If you or your system administrator has not put this restriction on Control Panel, also check this item.

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O13 - DefaultPrefix: http://ehttp.cc/?
O13 - WWW Prefix: http://ehttp.cc/?
O13 - WWW. Prefix: http://ehttp.cc/?

O15 - Trusted Zone: http://www.aladdinsuthyrning.se
O15 - Trusted Zone: http://www.burn-it.se
O15 - Trusted Zone: www.viainternet.foreningssparbanken.se
O15 - Trusted Zone: http://www.hertz.com
O15 - Trusted Zone: www.jmedata.se
O15 - Trusted Zone: http://www.lundqvistbil.se
O15 - Trusted Zone: webmail.norrteljetidning.se
O15 - Trusted Zone: http://www.regroupimmobilier.com
O15 - Trusted Zone: http://www.umax.co.uk
O15 - Trusted Zone: www.webroot.com
Then close all windows and browsers except HijackThis. Tell HijackThis to "Fix checked".

Show hidden files. How do I show hidden files?

Delete the following files in red (it could be that they are deleted already):

C:\WINDOWS\web\related.htm

Restart your computer and post a new log in this thread.
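As an added worked example (not code from the forum, the helper, or HijackThis itself), here is a small Python triage script for HijackThis-style logs. It parses the `Oxx - ...` entry lines and flags the classes of entry the reply above singles out: O6 policy restrictions, O13 prefix entries whose value is not the stock `http://` (an assumed baseline), O15 Trusted Zone additions, and O9 entries pointing at related.htm. The embedded sample log is constructed from a subset of the log posted in this thread; the `Finding` class and the `parse_entries()`, `triage()` and `count_by_section()` names are the example's own.

```python
"""Triage helper for HijackThis-style logs (example code, not HijackThis's
own).  Flags the entry classes the reply above asks the poster to fix."""

import re
from dataclasses import dataclass

# Constructed sample: a subset of the log posted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.0
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.home.se/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O13 - DefaultPrefix: http://ehttp.cc/?
O13 - WWW Prefix: http://ehttp.cc/?
O15 - Trusted Zone: http://www.burn-it.se
O15 - Trusted Zone: www.webroot.com
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Every HijackThis entry line starts with a section tag such as R0, O4 or O13.
ENTRY_RE = re.compile(r"^([RFO]\d{1,2}) - (.*)$")

# Assumption: Internet Explorer's stock value for each O13 prefix is
# "http://"; any other value rewrites addresses typed without a scheme.
STOCK_PREFIX = "http://"


@dataclass
class Finding:
    section: str
    line: str
    reason: str


def parse_entries(log_text):
    """Return (section, body, full_line) for every entry line in the log."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2), line))
    return entries


def triage(log_text):
    """Flag the O6/O9/O13/O15 entries the reply above singles out."""
    findings = []
    for section, body, line in parse_entries(log_text):
        if section == "O6":
            findings.append(Finding(section, line,
                "IE policy restriction present; fix unless you or an admin set it"))
        elif section == "O13":
            # body looks like "DefaultPrefix: http://ehttp.cc/?"
            _, _, value = body.partition(": ")
            value = value.strip()
            if value != STOCK_PREFIX:
                findings.append(Finding(section, line,
                    f"URL prefix hijack: {value!r} instead of {STOCK_PREFIX!r}"))
        elif section == "O15":
            findings.append(Finding(section, line,
                "Trusted Zone entry; keep only sites you added deliberately"))
        elif section == "O9" and body.lower().endswith(r"\windows\web\related.htm"):
            findings.append(Finding(section, line,
                "'Related' button entry the reply asks to remove"))
    return findings


def count_by_section(findings):
    """Summarise findings as {section: count}."""
    counts = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"{f.line}\n    -> {f.reason}")
    print(count_by_section(results))
```

Run it against a saved log by replacing `SAMPLE_LOG` with the file's contents; the script is a checklist aid only, so every flagged O15 line still needs a human decision about whether the site was trusted on purpose.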