Don's Home: Technology: Virus and Security: CoolWebSearch (CWS)
See: http://www.spywareinfo.com/~merijn/cwschronicles.html
This usually gets installed just by visiting a web page, or by being redirected to one after you mistype a domain name, where the page exploits a security hole in Microsoft's Java VM. Make sure you run the security updates from Microsoft (select "Windows Update" from the Tools menu in IE) to prevent this in the future.
CoolWebSearch (CWS) variants:
CWS.Alfasearch.2: A mutation of this variant exists that hijacks IE to www.find-itnow.com, drops bookmarks in the IE Favorites, and causes error messages concerning 'Win Min' at system shutdown, as well as bogus runtime errors at system startup. IE will quit with the message "Error has occurred... msiesh.dll". It drops a fake Winlogon.exe file in the 'All Users' Startup group of the Start Menu, or in the Startup group of the current user. The file is always running, and hard to remove. If CWShredder repeatedly reports removing this variant, that is because it cannot remove the fake winlogon.exe while it is running. To remove this file manually, move it out of the Startup folder, restart, and then delete the file. The following solution, posted by dvk01 at TechSupportForum.com, worked for us:
First download CWShredder from http://www.thespykiller.co.uk, then run it.
Then search for and delete the file IEengine.exe.
Then have HJT (HijackThis v1.97.7) fix these:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://your-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://your-searcher.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://your-searcher.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://your-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://your-searcher.com/index.htm
O4 - HKCU\..\Run: [IEengine] C:\Program Files\Internet Explorer\IEengine.exe
Run HijackThis again and put a check by these. Close all windows except HijackThis and click "Fix checked":
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://your-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://your-searcher.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://your-searcher.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://your-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://your-searcher.com/index.htm
O4 - HKLM\..\Run: [ie] iexplore.exe
O4 - HKLM\..\Run: [update32] C:\windows\configs.exe
O4 - HKLM\..\Run: [cmd32] C:\configs.exe
O4 - HKCU\..\Run: [dllhelp] c:\windows\dllhelp.exe
O13 - DefaultPrefix: http://www.microsoit.com/direct.php?url=
O13 - WWW Prefix: http://www.microsoit.com/direct.php?url=
O16 - DPF: {11111111-1111-1111-1111-111300000000} - mhtml:C:\\NO_SUCH_MHT.MHT!http://216.240.137.40/g1.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/19056d45646a1e...ip/RdxIE601.cab
Restart to safe mode (see: How to start your computer in safe mode).
Because XP will not always show you hidden files and folders by default, go to Start > Search and, under "More advanced search options", make sure there is a check by "Search System Folders", "Search hidden files and folders" and "Search system subfolders".
Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders", then "Apply", then "OK".
Now find and delete:
The C:\configs.exe file
The C:\windows\configs.exe file
The c:\windows\dllhelp.exe file
Do a file search for iexplore.exe and let me know exactly what locations you find it in. It should only be in the C:\Program Files\Internet Explorer folder, but you are going to have a bogus one somewhere.
CWShredder fixed it.
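As an added example (not code from the post above or from Don's page), here is a small Python scanner that parses HijackThis R0/R1, O4, O13 and O16 lines like those quoted above and flags the CWS tells the post walks through: a home or search page pointed at an unexpected host, a Run entry with a bare filename or a file dropped in the drive or Windows root, a URL prefix that routes typed addresses through another site, and a DPF entry that uses an mhtml: redirect or a bare IP address. The trusted-host allowlist and the sample log are constructed assumptions, not values from the page.

```python
import re
from urllib.parse import urlparse
TRUSTED_HOSTS = {"www.google.com"}  # assumption: hosts the user's home/search pages should use

# Constructed sample log: entries quoted in the post above plus two benign ones for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://your-searcher.com/sp.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
O4 - HKLM\..\Run: [ie] iexplore.exe
O4 - HKLM\..\Run: [update32] C:\windows\configs.exe
O4 - HKCU\..\Run: [dllhelp] c:\windows\dllhelp.exe
O4 - HKLM\..\Run: [ctfmon] C:\WINDOWS\system32\ctfmon.exe
O13 - DefaultPrefix: http://www.microsoit.com/direct.php?url=
O16 - DPF: {11111111-1111-1111-1111-111300000000} - mhtml:C:\\NO_SUCH_MHT.MHT!http://216.240.137.40/g1.exe
"""

RE_R = re.compile(r"^(R[01]) - (.+?) = (.*)$")                     # IE start/search page settings
RE_O4 = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[(.+?)\] (.*)$")      # autostart Run entries
RE_O13 = re.compile(r"^O13 - (DefaultPrefix|WWW Prefix): (.*)$")    # URL prefix hijacks
RE_O16 = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]+\})(?: \((.*?)\))? - (.*)$")  # downloaded program files
ROOT_DIRS = {"c:", "c:\\windows"}  # the post's dropped files sit directly in these folders

def check_line(line):
    """Return a reason string if a HijackThis line looks like a CWS-style hijack, else None."""
    if m := RE_R.match(line):
        host = urlparse(m.group(3)).hostname or ""
        if host and host not in TRUSTED_HOSTS:
            return f"IE {m.group(2).split(',')[-1]} points at untrusted host {host}"
    elif m := RE_O4.match(line):
        cmd = m.group(3).strip().strip('"')
        folder = cmd.rpartition("\\")[0]
        if not folder:
            return f"Run entry [{m.group(2)}] has a bare filename ({cmd}); search for a bogus copy"
        if folder.lower() in ROOT_DIRS:
            return f"Run entry [{m.group(2)}] launches {cmd} from a drive or Windows root"
    elif m := RE_O13.match(line):
        if h := urlparse(m.group(2)).hostname:  # a clean prefix is just "http://", no host
            return f"{m.group(1)} routes every typed address through {h}"
    elif m := RE_O16.match(line):
        url = m.group(3)
        if url.lower().startswith("mhtml:"):
            return "DPF entry uses an mhtml: redirect to pull an executable"
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", urlparse(url).hostname or ""):
            return "DPF entry downloads from a bare IP address"
    return None

def scan(log_text):
    """Return [(line, reason)] for every suspicious entry in a HijackThis log."""
    lines = (ln.strip() for ln in log_text.splitlines() if ln.strip())
    return [(ln, r) for ln in lines if (r := check_line(ln))]
```

Running `scan(SAMPLE_LOG)` flags six of the eight constructed entries and leaves the Google start page and the system32 Run entry alone.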