Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

HJT log, please help.


  • This topic is locked This topic is locked
4 replies to this topic

#1 strick9

strick9

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:04:49 PM

Posted 23 August 2004 - 07:57 AM

One of my Co-workers was surfing the web on my server and got the browser hijacked. This is a windows 2000 Server PC. Please help interperit this log for me.

Thanx in advance,
Bryce


Logfile of HijackThis v1.97.7
Scan saved at 9:03:35 AM, on 8/23/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\Documents and Settings\Administrator\WINDOWS\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\System32\msdtc.exe
E:\Program Files\ComputerAssociates\ARCserve\DBENG.exe
E:\Program Files\ComputerAssociates\ARCserve\jobeng.exe
E:\Program Files\ComputerAssociates\ARCserve\RDS.EXE
E:\Program Files\ComputerAssociates\ARCserve\msgeng.exe
E:\Program Files\ComputerAssociates\ARCserve\tapeeng.exe
E:\Program Files\ComputerAssociates\ARCserve\casmrtbk.exe
C:\WINNT\system32\crypserv.exe
C:\Program Files\NAV\defwatch.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\cba\pds.exe
C:\WINNT\System32\ismserv.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\LogWatNT.exe
E:\Program Files\NAVMSE\NAVESRV.EXE
C:\Program Files\NAV\rtvscan.exe
E:\Program Files\NAVMSE\NAVECTRL.EXE
E:\Program Files\NAVMSE\navesp.exe
E:\Program Files\NAVMSE\navesp.exe
E:\Program Files\NAVMSE\NAVELOG.EXE
E:\Program Files\NAVMSE\navesp.exe
E:\Program Files\SSC\NSCTOP.EXE
C:\WINNT\system32\ntfrs.exe
E:\Program Files\Symantec\Quarantine\Server\qserver.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\locator.exe
C:\WINNT\system32\MsgSys.EXE
C:\Program Files\Symantec\Quarantine\Server\ScanExplicit.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\lserver.exe
E:\Program Files\Pwrchute\ups.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wins.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\ComputerAssociates\ARCserveITDS\asdscsvc.exe
C:\Program Files\ComputerAssociates\ARCserveITDS\Liccheck.exe
C:\WINNT\System32\dns.exe
C:\Program Files\Symantec\Quarantine\Server\IcePack.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\system32\ams_ii\hndlrsvc.exe
C:\WINNT\system32\ams_ii\iao.exe
C:\WINNT\system32\cba\xfr.exe
C:\WINNT\System32\modemshr.exe
C:\Program Files\Exchsrvr\bin\exmgmt.exe
C:\Program Files\Exchsrvr\bin\mad.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\Program Files\Microsoft ISA Server\mspadmin.exe
C:\Program Files\Microsoft ISA Server\wspsrv.exe
C:\Program Files\Exchsrvr\bin\store.exe
C:\Program Files\Exchsrvr\bin\emsmta.exe
C:\Program Files\Microsoft ISA Server\w3proxy.exe
C:\Program Files\Microsoft ISA Server\W3Prefch.exe
C:\WINNT\System32\dmadmin.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\NAV\vptray.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
E:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\system32\taskmgr.exe
C:\WINNT\system32\mmc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\winmm64.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\rdpclip.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
E:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\rdpclip.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
E:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\rdpclip.exe
C:\WINNT\Explorer.EXE
E:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\MI1933~1\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\PROGRA~1\NAV\VPC32.EXE
E:\public\utilities\software\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://countere.com/?a=2&b=cfh
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://countere.com/?a=2&b=cfh
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://countere.com/?a=2&b=cfh
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://countere.com/?b=cfh
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://countere.com/?a=2&b=cfh
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://countere.com/?a=2&b=cfh
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://countere.com/?a=2&b=cfh
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://countere.com/?a=2&b=cfh
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://countere.com/?a=2&b=cfh
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = MST:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\System32\blank.htm
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NAV\vptray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: WinZip Quick Pick.lnk = E:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O10 - Broken Internet access because of LSP provider 'c:\documents and settings\administrator\windows\system32\rnr20.dll' missing
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.windowsecurity.com/trojanscan/TDECntrl.CAB
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8037.2605555556
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = silicon-wafers.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{153FEE48-4C27-4C63-96C3-014734F25AA4}: NameServer = 10.1.0.100
O17 - HKLM\System\CCS\Services\Tcpip\..\{BEB2D83A-90CF-4D18-979A-3178E69E6D72}: NameServer = 10.1.0.100
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = silicon-wafers.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{153FEE48-4C27-4C63-96C3-014734F25AA4}: NameServer = 10.1.0.100
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = silicon-wafers.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{153FEE48-4C27-4C63-96C3-014734F25AA4}: NameServer = 10.1.0.100

BC AdBot (Login to Remove)

 


#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,640 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:05:49 PM

Posted 23 August 2004 - 07:10 PM

You are using an outdated version of hijackthis. Please download the newer version.

Download HijackThis from:

HijackThis Download Site #1

or

HijackThis Download Site #2

Then Please follow these steps in order to clean your computer of Malware which can include Viruses, Trojans, Worms, Spyware, Hijackers and Dialers.

Step 1:
Download Spybot and Adaware from the following locations and install them. You should run both programs and clean up what it finds. This is to gaurantee that you find the most malware you can installed on your computer.

Before running the scans on both programs, it is mandatory that you update the programs. There are update options in each program when you run them.

Spybot

Ad-aware

If you would like to learn more about how to use these two programs with the proper settings you can read the tutorials below:

Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer.

Using Spybot - Search & Destroy to remove Spyware, Malware, & Hijackers from Your Computer.


When you scan with both programs, fix everything that it finds.

When you are done with the scan and fixing the items. Please continue with the next step.

Step 2:

It is important that you run Spybot and Adaware before you proceed with this step. Fixing enties with Hijackthis may leave behind unwanted files on your computer if the previous step was not done first.

Create a directory on your hardrive to save HijackThis.exe. A directory like c:\hijackthis. If you do not do this, you will not be able to use the backup/restore features.

Download HijackThis from:

HijackThis Download Site #1

or

HijackThis Download Site #2

Save this file into the directory you made previously and then run the program. Click on the Scan button and when it is finished click on the Save Log button. A Notepad window will open with the contents of this log. Click on Edit then click on Select all. Then click on Edit and then Click on Copy.

Create a reply to this post here, and right click in message area and select paste to paste the log into the post.

Someone will reply to you after reading this post. DO NOT fix any entries unless you understand what you are doing.

To see a tutorial on using HijackThis you can click on the link below:

Using HijackThis to Remove Spyware, Browser Hijackers, and Dialers

#3 strick9

strick9
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:04:49 PM

Posted 25 August 2004 - 08:15 AM

Did what you asked........please review this new HJT log.


Logfile of HijackThis v1.98.2
Scan saved at 9:20:21 AM, on 8/25/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\Documents and Settings\Administrator\WINDOWS\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\System32\msdtc.exe
E:\Program Files\ComputerAssociates\ARCserve\DBENG.exe
E:\Program Files\ComputerAssociates\ARCserve\jobeng.exe
E:\Program Files\ComputerAssociates\ARCserve\RDS.EXE
E:\Program Files\ComputerAssociates\ARCserve\msgeng.exe
E:\Program Files\ComputerAssociates\ARCserve\tapeeng.exe
E:\Program Files\ComputerAssociates\ARCserve\casmrtbk.exe
C:\WINNT\system32\crypserv.exe
C:\Program Files\NAV\defwatch.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\cba\pds.exe
C:\WINNT\System32\ismserv.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\LogWatNT.exe
E:\Program Files\NAVMSE\NAVESRV.EXE
C:\Program Files\NAV\rtvscan.exe
E:\Program Files\NAVMSE\NAVECTRL.EXE
E:\Program Files\NAVMSE\navesp.exe
E:\Program Files\NAVMSE\navesp.exe
E:\Program Files\NAVMSE\NAVELOG.EXE
E:\Program Files\NAVMSE\navesp.exe
E:\Program Files\SSC\NSCTOP.EXE
C:\WINNT\system32\ntfrs.exe
E:\Program Files\Symantec\Quarantine\Server\qserver.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\locator.exe
C:\WINNT\system32\MsgSys.EXE
C:\Program Files\Symantec\Quarantine\Server\ScanExplicit.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\lserver.exe
E:\Program Files\Pwrchute\ups.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wins.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\ComputerAssociates\ARCserveITDS\asdscsvc.exe
C:\Program Files\ComputerAssociates\ARCserveITDS\Liccheck.exe
C:\WINNT\System32\dns.exe
C:\Program Files\Symantec\Quarantine\Server\IcePack.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\system32\ams_ii\hndlrsvc.exe
C:\WINNT\system32\ams_ii\iao.exe
C:\WINNT\system32\cba\xfr.exe
C:\WINNT\System32\modemshr.exe
C:\Program Files\Exchsrvr\bin\exmgmt.exe
C:\Program Files\Exchsrvr\bin\mad.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\Program Files\Microsoft ISA Server\mspadmin.exe
C:\Program Files\Microsoft ISA Server\wspsrv.exe
C:\Program Files\Exchsrvr\bin\store.exe
C:\Program Files\Exchsrvr\bin\emsmta.exe
C:\Program Files\Microsoft ISA Server\w3proxy.exe
C:\Program Files\Microsoft ISA Server\W3Prefch.exe
C:\WINNT\System32\dmadmin.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\NAV\vptray.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
E:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\system32\taskmgr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\winmm64.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\rdpclip.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
E:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\rdpclip.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
E:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\system32\mmc.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\rdpclip.exe
C:\WINNT\Explorer.EXE
E:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\MI1933~1\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
E:\public\utilities\software\HJT\HijackThis.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\3\lxaiPSWX.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://countere.com/?a=2&b=cfh
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://countere.com/?a=2&b=cfh
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://countere.com/?a=2&b=cfh
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://countere.com/?a=2&b=cfh
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://countere.com/?b=cfh
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://countere.com/?a=2&b=cfh
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://countere.com/?a=2&b=cfh
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://countere.com/?a=2&b=cfh
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://countere.com/?a=2&b=cfh
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://countere.com/?a=2&b=cfh
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://countere.com/?a=2&b=cfh
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\System32\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = MST:8080
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NAV\vptray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\RunOnce: [LexInstall] C:\WINNT\system32\spool\DRIVERS\W32X86\3\lexgo.exe lxaiPSWX.EXE /F=Lexmark Z23-Z33 (Copy 1)/RICH/Session 1 /T=400
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: WinZip Quick Pick.lnk = E:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O10 - Broken Internet access because of LSP provider 'c:\documents and settings\administrator\windows\system32\rnr20.dll' missing
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.windowsecurity.com/trojanscan/TDECntrl.CAB
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = silicon-wafers.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{153FEE48-4C27-4C63-96C3-014734F25AA4}: NameServer = 10.1.0.100
O17 - HKLM\System\CCS\Services\Tcpip\..\{BEB2D83A-90CF-4D18-979A-3178E69E6D72}: NameServer = 10.1.0.100
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = silicon-wafers.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{153FEE48-4C27-4C63-96C3-014734F25AA4}: NameServer = 10.1.0.100
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = silicon-wafers.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{153FEE48-4C27-4C63-96C3-014734F25AA4}: NameServer = 10.1.0.100

#4 strick9

strick9
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:04:49 PM

Posted 26 August 2004 - 06:38 AM

Come on, don't give up on me.

:thumbsup:

#5 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,640 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:05:49 PM

Posted 26 August 2004 - 12:01 PM

Download CWShredder from the below link and unzip it into a directory. Start CWShredder and click on the FIx button to have it remove all CWS infections it finds.

Download CWShredder from:

CWShredder Download Site #1

or

CWShredder Download Site #2

After you download the program, unzip it into a directory. Make sure all browser windows are closed and double click on the cwshredder.exe to start the program. When the program is loaded click on the "Check for Update" button, and if it finds an new version it will download it. You should then double click on cwshredder.exe again and click on the "FIX" button (not the "Scan only" button) and let it scan your computer.

A tutorial that goes over this process step by step can be found here:

CWShredder - How to remove CoolWebSearch with CWShredder

When you are done please post a new log




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users