07-03-2004, 04:18 AM   #2
E-Liam
Manager, On the Web
 
Join Date: Jan 2004
Location: Bracknell, UK
Posts: 929
OS: XP


Hi Walt,

CWS is what that is. The most likely cause is that Adaware or similar (maybe even your AV) has picked it up and tried to fix it.

Please run a new HJT! Scan, and check to fix the following entries, being sure to double check that you haven't missed any. Next, close all browser windows and click the Fix checked button…

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://1-se.com/srchasst.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://1-se.com/home.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://1-se.com/home.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://1-se.com/srchasst.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://1-se.com/home.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://1-se.com/home.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://1-se.com/home.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://1-se.com/srchasst.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://1-se.com/srchasst.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://1-se.com/srchasst.html (obfuscated)

O4 - HKLM\..\Run: [Windows Shell Library Loader] load shell32.dll /c /set


Then please go here and download, unzip and then open CoolWebShredder. Then click on the Updates button and follow the prompts. Next, run the program by clicking on the Fix-> button.

CWS installs via the byte verifier exploit in M$ JavaVM so just surfing a page with an infected applet can install it with no user participation. So once you’ve run the above, it is vital that you go here, click Scan for updates in the main frame, and download and install all CRITICAL updates recommended.

Then, once you’ve done that, please reboot and post a new log, and we'll see what's left.

Cheers

Liam
__________________


My Mother suggested a family outing... so I told her Uncle Bob was gay. (Trevor D.)

Never argue with an idiot! They'll bring you down to their level and beat you with experience.

---------------------------------------------------------------------------------
A member of the Alliance of Security Analysis Professionals since 2004.
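Added example, not part of the original post and not HijackThis code: a small Python check for the "post a new log, and we'll see what's left" step, reporting which hijack entries from the fix list still appear in a follow-up log. The names `parse`, `still_present`, `FIX_LIST` and `NEW_LOG` are assumptions; `FIX_LIST` reuses three entries quoted in the post and `NEW_LOG` is constructed sample data.

```python
import re
from urllib.parse import urlsplit

# Line shapes taken from the entries quoted in the post:
#   R1 - <hive>\<key>,<value> = <data> [(obfuscated)]
#   O4 - <hive>\..\Run: [<name>] <command>
R_RE = re.compile(r"^(R\d) - (HK\w+)\\(.+?),(.+?) = (\S*)\s*(\(obfuscated\))?$")
O4_RE = re.compile(r"^(O4) - (HK\w+)\\\.\.\\(Run\w*): \[(.+?)\] (.+)$")

def parse(log_text):
    """Return the set of normalised R and O4 entries; other lines are skipped."""
    entries = set()
    for raw in log_text.splitlines():
        line = raw.strip()
        m = R_RE.match(line)
        if m:
            sect, hive, key, value, data, _obf = m.groups()
            host = (urlsplit(data).hostname or "").lower()
            entries.add((sect, hive.upper(), key.lower(), value.lower(), host))
            continue
        m = O4_RE.match(line)
        if m:
            sect, hive, key, name, cmd = m.groups()
            entries.add((sect, hive.upper(), key.lower(), name.lower(), cmd.lower()))
    return entries

def still_present(fix_list, new_log):
    """Entries in new_log that reuse a host or Run name from the fix list."""
    fixed = parse(fix_list)
    bad_hosts = {e[4] for e in fixed if e[0].startswith("R") and e[4]}
    bad_run = {e[3] for e in fixed if e[0] == "O4"}
    return sorted(e for e in parse(new_log)
                  if (e[0].startswith("R") and e[4] in bad_hosts)
                  or (e[0] == "O4" and e[3] in bad_run))

FIX_LIST = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://1-se.com/srchasst.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://1-se.com/home.html (obfuscated)
O4 - HKLM\..\Run: [Windows Shell Library Loader] load shell32.dll /c /set
"""
# Constructed follow-up log: one hijacked value has come back under HKLM.
NEW_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://1-se.com/srchasst.html (obfuscated)
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
"""
if __name__ == "__main__":
    for entry in still_present(FIX_LIST, NEW_LOG):
        print("still present:", entry)
```

Matching is by host rather than by exact registry value, so a hijacked URL that reappears under a different IE search key is still reported.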