Questions & Answers

Security & privacy

CWS.smartsearch.2 HijackThis help wanted

23 replies
  • Hello,

    I just checked my system for possible spyware. First I ran Ad-Aware, everything was fine. Then Spybot Search & Destroy, also all fine.
    But when I ran CWShredder I got the following message:

    You have a variant of the coolwebsearch Trojan (CWS.smartsearch.2) that has attempted to close CWShredder. To counter this, CWShredder is now starting with a random string of text in the title bar.
    CWShredder is still functioning fine, it has not been corrupted.
    If you feel you should not be getting this error and you are not infected, restart CWShredder and this warning should not appear again.

    I also can no longer open the website where you can download the program, and the update function from within my version 1.57.0 doesn't work either.

    I made a HijackThis logfile. Would someone perhaps take a look at it?
    Logfile of HijackThis v1.97.7
    Scan saved at 0:18:01, on 8-7-2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\SMSC\Seticon.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Ruud\Menu Start\Programma's\AntiSpyware\CWShredder.exe
    C:\Documents and Settings\Ruud\Menu Start\Programma's\AntiSpyware\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.nl/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O2 - BHO: Acronis Popup Blocker - {E24AD748-155E-4254-B674-4EDF86E7E1DF} - C:\PROGRA~1\EASYCO~1\PCCLEA~1.0\POP-UP~1.DLL
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
    O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
    O4 - HKLM\..\Run: [SetIcon] C:\Program Files\SMSC\Seticon.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Acronis Scheduler2 Service] C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O9 - Extra button: Easy Computing Pop-up Blocker (HKLM)
    O9 - Extra 'Tools' menuitem: PC Cleaner 2.0 Pop-up Blocker (HKLM)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38118.5065046296
    O16 - DPF: {FE8287E9-5F43-11D3-ABCA-00105A5C1F46} (HouseCall Control) - http://www.housecall.nl/housecall/xscan4.cab

    I have XP Home.

    Thanks in advance!!
  • I'll take a look for you, could be a tricky one
  • the tricky one turned out fine :D it looks clean to me, you can try CWShredder once more but first run this program, though I don't think it's necessary because I can't find any traces of CoolWebSearch in the log.
  • thanks!

    I ran your little program and it indeed said nothing was found. But it's still strange that it gave that message in the first place, isn't it?
  • By the way, I still can't run updates. When I try, the program hangs and I get the message "this program is not responding", and I then just click "end now". I also can't open the link to the program

    www.spywareinfo.com/~merijn/downloads.html

    I then get the standard message

    The page cannot be displayed.
    The page you are looking for is currently unavailable. The website might be experiencing technical difficulties, or you may need to adjust your browser settings.
    etc. etc. :(
  • I'm not too fond of that website, I always have the feeling it goes down quickly and such; try again tomorrow to download a new one otherwise
  • turned my computer on this morning and tried CWS again but got that message again:


    You have a variant of the coolwebsearch Trojan (CWS.smartsearch.2) that has attempted to close CWShredder. To counter this, CWShredder is now starting with a random string of text in the title bar.
    CWShredder is still functioning fine, it has not been corrupted.
    If you feel you should not be getting this error and you are not infected, restart CWShredder and this warning should not appear again.

    The website is still unreachable, and when I try to check for updates from within the program it still hangs.

    Via another site I have meanwhile been able to download the latest version 1.59.0.1, but when I start it I get the same message about the CWS.smartsearch.2 trojan again
  • try an online virus scan then, maybe that finds something,

    oh yeah, do you have anything in the ignore list in HijackThis??
  • RAV doesn't report a virus, and neither does my Norton for that matter. But the message that a cws.smartsearch.2 variant has tried to terminate CWShredder remains. When I look in the virus lists of Norton and Panda (on my notebook) I don't see a cws.smartsearch.2 trojan listed there either. Via Google I do get a number of references, but they don't make me much wiser. :-?
  • remove everything of CWShredder and download it again, see what happens then. also see what happens if you let it scan in safe mode. maybe I can help you better that way.
  • I removed CWS, then downloaded it again and then started it in safe mode. CWS started normally and I could run the update again and reach Merijn's site. Also after a restart in normal mode everything worked fine again. I don't understand it anymore. If it first gives that message, that cws.smartsearch.2 thing can't just suddenly be gone without the antivirus or one of the spyware removers reporting it, can it? :o

    by the way, via Merijn's site I found a solution to remove the trojan. It should be possible with a little tool via the link below. However... I can't open it right now. Is that my PC? Would one of you try it? Maybe it's just the link

    http://www.safer-networking.org/files/delcwssk.zip
  • I also get a 404 error, maybe try again tomorrow; it's late, so it could be that they're doing maintenance or something :wink:
  • try this link :wink:

    edit: if it worked, come back with a new log
  • your link to delcwssk.zip does work! :D the program reports a clean system! The message has also stayed away when starting CWS. I made a new HijackThis log:

    Logfile of HijackThis v1.97.7
    Scan saved at 11:54:31, on 10-7-2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\SMSC\Seticon.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Ruud\Menu Start\Programma's\AntiSpyware\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.nl/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O2 - BHO: Acronis Popup Blocker - {E24AD748-155E-4254-B674-4EDF86E7E1DF} - C:\PROGRA~1\EASYCO~1\PCCLEA~1.0\POP-UP~1.DLL
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
    O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
    O4 - HKLM\..\Run: [SetIcon] C:\Program Files\SMSC\Seticon.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Acronis Scheduler2 Service] C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O9 - Extra button: Easy Computing Pop-up Blocker (HKLM)
    O9 - Extra 'Tools' menuitem: PC Cleaner 2.0 Pop-up Blocker (HKLM)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38118.5065046296
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {FE8287E9-5F43-11D3-ABCA-00105A5C1F46} (HouseCall Control) - http://www.housecall.nl/housecall/xscan4.cab

    As far as I can see there are only 2 differences, namely

    C:\Documents and Settings\Ruud\Menu Start\Programma's\AntiSpyware\CWShredder.exe

    and

    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

    the latter seems to me to come from the online scan, doesn't it? and as for the first, I do see CWShredder listed there.
  • I'll take another look, but if those are indeed the 2 differences then it looks clean to me. that O16 is from the online scan and the other one is from CWShredder :wink:

    edit: it looks completely clean to me, well done :wink:

    edit2: I see you're still using an old version of HijackThis; it's recommended to use the new one. there are still a few bugs in it, and as far as I know they are:

    [code]F0 - system.ini: Shell=[/code]you can ignore that one

    [code]F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe[/code] the file userinit.exe here is only an example; with this one you have to watch what you do depending on the file.

    and an O9 item that shows (no name) and (no file) you should ignore, because it may be that there is actually something there.

    regards, d.
  • I downloaded your newest version and, just to be sure, made another log. Now also saved in a separate directory. I just saw in the FAQ that that was better. I overlooked that the first time :oops: I had placed it in an antispyware folder on the C drive with the rest of the antispyware. Or was that fine too?

    anyway, my log now looks like this:

    Logfile of HijackThis v1.98.0
    Scan saved at 12:33:54, on 10-7-2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\SMSC\Seticon.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.nl/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O2 - BHO: Acronis Popup Blocker - {E24AD748-155E-4254-B674-4EDF86E7E1DF} - C:\PROGRA~1\EASYCO~1\PCCLEA~1.0\POP-UP~1.DLL
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
    O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
    O4 - HKLM\..\Run: [SetIcon] C:\Program Files\SMSC\Seticon.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Acronis Scheduler2 Service] C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O9 - Extra button: Easy Computing Pop-up Blocker - {2E071ADC-ADF8-4b4b-8ACB-EDC49E6D45A2} - C:\PROGRA~1\EASYCO~1\PCCLEA~1.0\POP-UP~1.DLL
    O9 - Extra 'Tools' menuitem: PC Cleaner 2.0 Pop-up Blocker - {2E071ADC-ADF8-4b4b-8ACB-EDC49E6D45A2} - C:\PROGRA~1\EASYCO~1\PCCLEA~1.0\POP-UP~1.DLL
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {FE8287E9-5F43-11D3-ABCA-00105A5C1F46} (HouseCall Control) - http://www.housecall.nl/housecall/xscan4.cab

    a few small differences now, though:

    the line:

    C:\Program Files\Internet Explorer\iexplore.exe

    is now gone, and where this used to be

    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

    it now says

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

    further, at the bottom I'm now missing the whole section

    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38118.5065046296
  • [quote="rev"]I had placed it in an antispyware folder on the C drive with the rest of the antispyware. Or was that fine too?[/quote]That was fine too.
    [quote="rev"]the line:
    C:\Program Files\Internet Explorer\iexplore.exe
    is now gone ....[/quote]
    Internet Explorer was probably not open when you took this log.
    [quote="rev"]....and where this used to be
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

    it now says

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll[/quote]
    That is the same thing.
    [quote="rev"]
    further, at the bottom I'm now missing the whole section

    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38118.5065046296[/quote]Those are on HijackThis's 'white list'. Nothing to worry about.

    The log looks clean to me.

    regards,
    Marc
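    The comparison rev did by hand above, and Marc's explanation of why a renamed BHO and a missing iexplore.exe are not real differences, can be automated. The following Python script is an added example written for this page; it is not part of the thread and not HijackThis code. It parses two HijackThis logs, identifies O2/O3/O9/O16 entries by their CLSID (so "(no name)" versus "AcroIEHlprObj Class" for the same GUID is not reported), identifies O4 entries by their [Run-key name], compares the running-process list separately, and prints what appears in only one of the two logs. The two embedded logs are constructed, abbreviated excerpts of the v1.97.7 and v1.98.0 logs posted in this thread.

```python
"""Diff two HijackThis logs by stable keys instead of raw text.

Added example for this thread; not part of HijackThis or of the original posts.
O2/O3/O9/O16 entries are identified by CLSID, so a changed display name for the
same object is not a difference.  O4 entries are identified by [Run-key name].
Everything else is keyed by the full line.  Running processes are compared
separately, since they only reflect what happened to be open at scan time.
"""
import re

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")
RUNKEY_RE = re.compile(r"\[([^\]]+)\]")
CLSID_SECTIONS = {"O2", "O3", "O9", "O16"}


def entry_key(section, body):
    """Stable identity for one log entry (CLSID, Run-key name, or full text)."""
    if section in CLSID_SECTIONS:
        m = CLSID_RE.search(body)
        if m:
            return m.group(0).upper()
    if section == "O4":
        m = RUNKEY_RE.search(body)
        if m:
            return m.group(1).lower()
    return body.strip()


def parse_hjt(text):
    """Return (processes, entries); entries maps section -> {key: full line}."""
    processes, entries = set(), {}
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # a blank line ends the process list
            continue
        if line.startswith("Running processes:"):
            in_procs = True
            continue
        if in_procs:
            processes.add(line.lower())
            continue
        m = ENTRY_RE.match(line)
        if m:
            section, body = m.groups()
            entries.setdefault(section, {})[entry_key(section, body)] = line
    return processes, entries


def diff_hjt(old_text, new_text):
    """Entries and processes present in one log but not in the other."""
    old_procs, old_ent = parse_hjt(old_text)
    new_procs, new_ent = parse_hjt(new_text)
    result = {"procs_removed": old_procs - new_procs,
              "procs_added": new_procs - old_procs,
              "removed": {}, "added": {}}
    for sec in sorted(set(old_ent) | set(new_ent)):
        o, n = old_ent.get(sec, {}), new_ent.get(sec, {})
        removed = [o[k] for k in o if k not in n]
        added = [n[k] for k in n if k not in o]
        if removed:
            result["removed"][sec] = removed
        if added:
            result["added"][sec] = added
    return result


# Constructed, abbreviated excerpts of the two logs posted in the thread.
OLD_LOG = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ruud\Menu Start\Programma's\AntiSpyware\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.nl/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38118.5065046296
O16 - DPF: {FE8287E9-5F43-11D3-ABCA-00105A5C1F46} (HouseCall Control) - http://www.housecall.nl/housecall/xscan4.cab
"""

NEW_LOG = r"""Logfile of HijackThis v1.98.0
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.nl/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O16 - DPF: {FE8287E9-5F43-11D3-ABCA-00105A5C1F46} (HouseCall Control) - http://www.housecall.nl/housecall/xscan4.cab
"""


def demo():
    """Diff the two constructed logs above."""
    return diff_hjt(OLD_LOG, NEW_LOG)


if __name__ == "__main__":
    d = demo()
    for sec, lines in d["removed"].items():
        print("only in old log:", sec, len(lines), "entries")
    for sec, lines in d["added"].items():
        print("only in new log:", sec, len(lines), "entries")
    print("processes only in old log:", sorted(d["procs_removed"]))
```

    Run against the two excerpts, the O2 section shows no difference (same CLSIDs, different display names), O4 and R0 are unchanged, the four O16 entries that the newer HijackThis no longer lists show up as "only in old log", and the process diff shows iexplore.exe plus the old HijackThis path. A candidate for a real infection is an O2/O3/O4/O16 entry that appears only in the newer log with a CLSID or path you cannot account for; a name-only change or a process that was simply not running is noise.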
  • I haven't had that strange message for a few days now, so everything should be fine again!

    Thanks everyone for the help! :D
  • My first contribution to this forum :P
    Just to be clear. There is a variant of CWS that is almost impossible to remove. Despite all the spyware and virus scanners and little tools, this version cannot be removed.
    That is because a small dll file is used with very strange properties. It is totally invisible in Windows, stealth so to speak. With a tool called xfind.exe you can find irregularities in a directory.

    1st solution: format c: :evil:
    2nd solution works very effectively, and that's where xfind comes in, plus the Recovery Console from microsucks. The whole story can be found at http://www.pcsympathy.com/sutra1203.html#1203.
    Still, I'll post it here anyway.
    ————————————————————————————–
    If you have recently been infected with CWS and could not get rid of it with anybody's advice or spyware removal program. The solution was found!

    I found a method posted somewhere on the web, which I copied and tried with my computer consultant.

    IT WORKED!!!!!!!!!!!!!!!!!!!!

    Below is a summary of the event, which was submitted by us to Ad-Aware and MS. Microsoft needs to fix their system. Please read below the summary:

    Good Luck,

    Christoph

    +++++++++++++++++++++++++++++++++++++++++++

    SUMMARY
    =======

    SUBJECT: CoolWWW spyware persistence and removal.


    PROBLEM: Anti-spyware programs (e.g., Spysweeper, Ad-aware Pro, PestPatrol)
    do not remove the cause (a "super"-hidden .dll program) but only remove
    symptom files and registry settings.

    From original posting by someone else: "This dll is loaded with very strange
    file permissions. It has all permissions but ‘copy’ denied to everyone,
    including administrators. This set of permissions makes the file completely
    invisible inside windows. You cannot see it using File explorer or DOS
    prompts like dir. It also can not have its attributes set so that you can
    see it."


    SOLUTION: Manual removal by using a revealing xfind.com error message,
    then by using the Windows XP Recovery Console.

    NOTE: the byte verifier patch does not protect against the latest variations
    (6/24/04-7/7/04) of CoolWWW.

    ===============


    INSTRUCTIONS

    Step 1
    Download xfind.com
    (Note: at least a few programs are named xfind, so do not just search the
    web and download any one of these. I did this and wasted time with
    xfind.exe, which is not a bad program but not the one needed for our task.)

    Download from here:
    http://home.mnet-online.de/horst.muc/int/find23.zip (direct download of zip
    file)
    or
    http://home.mnet-online.de/horst.muc/index.html (parent page of download;
    click the "Find" link then download [9k])


    Step 2
    Install xfind.com (simply unzip it; I prefer running it from the c:\, and
    so I dragged a copy of xfind.com to c:\, which is also called the "root"
    directory.


    Step 3
    (a) Run xfind.com in a command line window. Click Start, Run, type CMD
    (then click OK). A black window opens with a blinking white cursor. Type
    cd \ or cd\ (I forget which) then press enter. The cursor should now show
    "C:" and not "C:\Windows."

    (b) type this:
    xfind "gibberishjdkfkd" c:\windows\system32\ *.dll
    (then press the "Enter" key on your keyboard).

    ("gibberishjdkfkd" can really be anything, but the results are clearer
    if
    you type something strange so it won't be found inside any legitimate
    files). We're hoping for an error message, not actually finding a file
    containing the search text.

    (c) Now wait…. If it comes back with a read error about a file, that's
    good! The file it complained about is the evil program (.dll file). WRITE
    the file name down EXACTLY as listed in the error message (for example,
    Mofohell.dll).

    From the original posting about this by someone else: "This dll is loaded
    with very strange file permissions. It has all permissions but copy denied
    to everyone, including administrators. This set of permissions makes the
    file completely invisible inside windows. You cannot see it using File
    explorer or DOS prompts like dir. It also can not have its attributes set so
    that you can see it."


    Step 4
    Prepare to remove the evil program. This can't be done in normal Windows
    nor in Safe Mode. Showing system and hidden files doesn't help. You must
    restart in a special mode called the "Recovery Console," which is not
    available until you install it separately.

    (a) Find a Windows XP Home or Professional installation CD. While still in
    Windows, insert the CD then exit any automatic window that appears.

    (b) Click Start, Run, type the following:
    d:\i386\winnt32.exe /cmdcons
    (then click OK) and follow the instructions to install the Recovery Console
    (click yes, ok, etc.). Restart the computer. (NOTE: if your CD drive is a
    different letter than "d" type your CD drive’s letter instead of "d.")


    Step 5
    Rename or delete the evil program from within the Recovery Console.
    (a) Restart the computer and press the F8 function key before Windows starts
    as if you're trying to get into Safe Mode.

    Choose "Return to OS Menu" where you will see at least two choices:
    “Windows XP Home” (or Professional) and “Recovery Console.” Use the arrow
    keys and Enter key to highlight and select "Recovery Console."

    (b) When prompted, select the choice listing the Windows directory your
    computer normally uses (usually "C:\Windows").

    (c) When prompted, type the Administrator password (which might be blank on
    your system) and press the Enter key.

    You're now in the Recovery Console and can control the evil program file.

    (d) Type cd \ (or CD\ – I forget which), then cd windows , then
    cd system32 , then (to confirm that it’s present) type dir
    MOFOHELL.dll (but substitute the name of the evil program you found
    on your system). If it doesn't find anything, type this: attrib -h
    MOFOHELL.dll (and press Enter), then type this: attrib -r MOFOHELL.dll
    (and press Enter).

    (e) Rename or delete it. I renamed it to be really safe in case it was
    something good (doubtful). Type this:
    ren mofohell.dll harmless.btch (substituting the name of your evil
    program for mofohell.dll)
    (then press the Enter key).

    (f) type this:
    dir harmless.btch
    (then press Enter) to confirm it's there.


    Step 6
    Type this: EXIT (and press Enter) to reboot.
    Press F8 to enter SAFE MODE as Windows starts.


    Step 7
    Use the registry editor to find the evil reference to the evil program, both
    of which were hidden before renaming the latter.
    (a) Click Start, Run, then type this: regedit (and click OK).
    (b) Use the up-arrow and scroll to the top then click once on "My Computer"
    then click the EDIT menu and click FIND. Type the name of the evil program
    (e.g., mofohell.dll ) and click find. Delete the entry on the RIGHT side
    of the window that contains the name of the evil program (e.g.,
    mofohell.dll); click once on the evil name then tap the keyboard's DELETE
    key ONCE. Click the EDIT menu and click "FIND NEXT" and repeat. If it is
    not found, stop looking and exit the registry editor.


    Step 8
    Scan your entire computer using the anti-spyware programs you have (which
    you updated BEFORE all of this). I prefer running at least two (Spysweeper
    and Ad-aware Pro) – one at a time, of course.


    Step 9
    Run HijackThis and delete any suspicious BHO entries and other known bad
    stuff.


    Step 10
    Empty every Temp folder, Temporary Internet folder and Cookie folder on your
    computer. Empty the Recycle Bin.


    Step 11
    Turn security up to high in the Internet Options control panel (HIGH for
    every category: Internet, Local Area Network, Trusted Sites [delete any
    trusted sites listed] and Restricted sites. Go to the Advanced tab and
    click the button "Restore Defaults" then modify individual check box items
    manually if you want; go to the Programs tab and click the button "Reset Web
    Settings" but uncheck the "reset home page" prompt unless you like MS's
    default page. Click OK.


    Step 12
    Utter the phrase, "Oooo Ahhhh, devilware, be GONE!" then spit out of the
    window over your LEFT shoulder.


    Step 13
    Restart your computer.


    Step 14
    Go online and download other browsers to use for everything but Windows
    Update. Download Firefox from mozilla.org and Opera from opera.com and
    install both. They're safer than Internet Explorer (a.k.a., the Devil's
    Helper).

    To run Windows Update, first go to the Internet Options control panel,
    Security tab, click the Internet category icon, then click the DEFAULT
    button, then OK. Then run Windows Update. Afterwards, go back to the
    Internet Options control panel and slide the security back up to HIGH for
    the Internet category, then click OK, and continue using Mozilla's Firefox
    and/or Opera for web browsing.


    Step 15
    Delete the renamed evil program (e.g., harmless.btch), which Spysweeper will
    identify as coolwww even with its different name.

    It's as simple as that!
    As simple as 1,2,3ab,4abc,5abcdef,6,7abc,8,9,10,11,12,13,14,15!!!"

    Total elapsed time: 45 minutes to 1.5 hr depending on the number of files
    your anti-spyware programs scan.


    Step 16 (optional)
    Buy a Mac, which doesn't have spyware problems, and throw away your
    vulnerable Windows PC.

    ================
    ================

    MICROSOFT CULPABILITY


    (1) Microsoft allows by design or by flaw the creation of "super"-hidden
    files. FIX THIS MICROSOFT!!, then anti-spyware programs will be able to
    find and remove this stuff.


    (2) Also…Hey Microsoft!! Fix the design flaws that allow anything to write
    to the registry and place files on the computer as users browse the web with
    IE. WHAT A JOKE!!! Guilty! Sentenced to 5 years of trying to remove
    Coolwww without xfind or a clean install.


    ================
    ================

    NOTE:

    None of these solutions are mine. The fix of using xfind was from an online
    posting that a client found and emailed me. Here's the full text of that
    posting:

    "Coolweb is a 2 stage infection. This fix is not for inexperienced users.
    You need to understand how to use the recovery console and also the registry
    editor. Everything here is for a W2K install which is what I have. Should be
    similar for XP.

    First how the infection works:

    1) A small dll is loaded onto your machine in the \winnt\system32
    directory. I do not know the method of infection. My machine had the
    ByteVerifier patch so it wasn't through that backdoor.
    2) This dll is loaded with very strange file permissions. It has all
    permissions but copy denied to everyone, including administrators. This set
    of permissions makes the file completely invisible inside windows. You can
    not see it using File explorer or dos prompts like dir. It also can not have
    its attributes set so that you can see it.
    3) This little dll (resaf.dll on my machine, but probably different on each
    install) hooks itself to the HKLM/Software/Current
    Version/WindowsNT/Windows/AppInit_DLLs registry key. Of course you can't see
    the entry and searching for it will reveal nothing. Probably uses the same
    permissions trick but I was unable to verify this.
    4) Once this dll is running it can do whatever it wants. What it does is
    load a full set of secondary infection files. It creates a file in your
    temp directory called sp.html. This is the file that is displayed each time
    you start IE. It also creates a bunch of registry entries to enforce this
    as the start page.
    5) Next a second dll is loaded. This one you can see and remove. Of course
    it just comes back a few hours later. Not sure what this does.
    6) Latest cut of Adaware gets rid of all of the secondary infections, but is
    unable to find the primary infection. After about 2-3 hours the infection
    just keeps coming back.

    How to get rid of this.
    1) You need a tool to find the nasty dll. A tool called "xfind" (find it
    here http://home.mnet-online.de/horst.muc/index.html) does a text search for
    a string within all files in the \winnt\system32 directory. Run it from the
    command line as XFIND "anything" C:\winnt\system32\*.dll. It turns out that
    the string itself is unimportant; it is the fact that this utility is unable
    to open the file that reveals the dll's identity. The utility posts an
    "unable to read resaf.dll" notice. This is your first clue.
    2) Run adaware with the latest reference file and cleanup the secondary
    infection. Run it until no further infection is found. It may take a couple
    of passes.
    3) Now that you know the name of the file, we need a way to get rid of it.
    Not possible inside Windows that I can see. Tried killbox and other programs
    but they are not able to find it. Using your original windows cd, start the
    recovery console.

    This is done by booting from the cd and then when it finishes loading
    selecting R for repair and C for recovery console. Log in as requested and
    you are at a command prompt. The file can now be seen using dir. I just
    renamed it at this point in case I was wrong and it was a real windows file.
    I could then get it back if I needed it.
    4) Restart the machine in windows. Using regedit, search for the
    AppInit_DLLs key. The value will now be visible. Delete the value, not the
    key!
    5) The dll will now also be visible and can be deleted.
    6) Run adaware one more time to make sure all of the secondary infection is
    gone and you're done.

    I would like to thank the dedicated folks at Adaware; I could not do without
    them. Also the kind folks who wrote the utilities I used to get this thing
    off. Good luck.
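A defender-side check, added here as an example and not part of the posting above: it reproduces the xfind symptom (a DLL under system32 that refuses to open for reading) in Python and, on Windows, reads the AppInit_DLLs value the posting names. `find_unreadable_dlls`, `read_appinit_dlls` and `demo_scan` are hypothetical names, and the sample file list is constructed.

```python
import io
import os
import sys
from typing import Callable, Iterable, List, Optional

# Hypothetical helper, constructed for this example. The posting's hidden DLL
# showed itself only as a read error from xfind, so we look for exactly that
# symptom. `opener` defaults to a real open() and can be swapped for a fake so
# the scan can be exercised without an infected machine.
def find_unreadable_dlls(directory: str,
                         opener: Callable[[str], object] = lambda p: open(p, "rb"),
                         names: Optional[Iterable[str]] = None) -> List[str]:
    """Return the *.dll names in `directory` that cannot be opened for reading."""
    if names is None:
        names = os.listdir(directory)  # relies on the file being enumerable at all
    flagged = []
    for name in sorted(names):
        if not name.lower().endswith(".dll"):
            continue
        try:
            with opener(os.path.join(directory, name)):
                pass
        except OSError:  # PermissionError, FileNotFoundError, ... all count
            flagged.append(name)
    return flagged

# The AppInit_DLLs value named in the posting (HKLM\...\Windows NT\CurrentVersion\Windows).
APPINIT_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"

def read_appinit_dlls() -> str:
    """Return the HKLM AppInit_DLLs value ('' if unset). Windows only."""
    import winreg  # standard library, available only on Windows
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, APPINIT_KEY) as key:
        try:
            value, _ = winreg.QueryValueEx(key, "AppInit_DLLs")
        except FileNotFoundError:
            return ""
    return value

def demo_scan() -> List[str]:
    """Constructed sample: three names, one of which refuses to open."""
    def fake_open(path: str):
        if os.path.basename(path).lower() == "resaf.dll":  # name from the posting
            raise PermissionError(13, "Access is denied")
        return io.BytesIO(b"MZ")  # stands in for a readable DLL
    return find_unreadable_dlls(r"C:\winnt\system32", opener=fake_open,
                                names=["kernel32.dll", "resaf.dll", "sp.html"])

if __name__ == "__main__":
    print("constructed sample ->", demo_scan())  # ['resaf.dll']
    if sys.platform == "win32":
        print("unreadable DLLs:", find_unreadable_dlls(
            os.path.join(os.environ["SystemRoot"], "System32")))
        print("AppInit_DLLs:", repr(read_appinit_dlls()))
```

On a real system the scan needs to run from an administrator prompt, since an ordinary user account gets access-denied on some legitimate DLLs and would produce false hits.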
  • Hello XLR8R,

    You are talking about the about:blank hijack.
    It is indeed hard to remove.
    The procedure you suggest seems rather cumbersome to me.

    Other solutions, with a short explanation of this hijack, are described here.

    regards,
    Marc

    edit 1:
    to be clear: the procedure described by XLR8R does not apply to the topic starter's problem.

    edit 2: that hidden DLL is (in most cases) also shown in a HijackThis log under O20.
