
CWShredder never finds anything



#1 mrne72

mrne72

  • Members
  • 15 posts

Posted 15 November 2004 - 10:03 PM

Hello, I'm trying to get rid of the same ol swapx.cc homepage hijacker it seems. But there's a swerve in mine, Spybot finds coolweb, Ad-Aware finds coolweb, but The CWShredder can find no trace of it anywhere. Everything comes up not infected, or none found. I have the same hijackthis entries as others I've been seeing with it, even greg-search on a random occasion. The most recent log follows:
Logfile of HijackThis v1.97.7
Scan saved at 7:34:51 PM, on 11/15/2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\Program Files\McAfee\McAfee Firewall\CPDCLNT.EXE
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\zstatus.exe
C:\Documents and Settings\Owner\My Documents\My Received Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://win-eto.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/sp.htm?id=9
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\0E95Z0~1.DLL
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: PayPal Plug-In for Outlook Express.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.greg-search.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4395/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B0899DE7-E9B5-4242-B472-5853C242D946}: NameServer = 64.147.32.9 64.147.32.10

I went through all the steps in the self-help guide to manually removing the CWS SWAPX infection, but think I may just not have the actual infection, just something else, since I didn't have the O20 entry on the list as it said. One main question I have is if there's some way the thing can tap into the user accounts. I only have the one since I'm the only one using this computer, but this thing has its tendrils deep in everything and popped right back up after I went through all the work to rid the thing of it. The winlogin.exe entry also shows its ugly little head every so often too, but I don't see it consistently. Any help on this would be great :thumbsup:



#2 ddeerrff

ddeerrff

    Retired


  • Malware Response Team
  • 2,738 posts

Posted 16 November 2004 - 12:57 PM

You are using an old version of HijackThis. V1.97.7 does not list O20 entries.

Please download and install the newest version, v1.98.2, from this HijackThis download site.

Your log shows that you are seriously behind on Windows updates. It is essential that you update your Windows before we continue as otherwise the infections could reoccur. Go to Windows Update and if it asks to install software, allow it to do so. Install the offered Service Pack (SP), reboot as requested and return until you have installed all available critical updates.


Then post a new HijackThis log using the latest version of HJT.
Derfram
~~~~~~
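
The two things the reply above reads off the posted log (a HijackThis version too old to list O20 entries, and no service pack on the Platform/MSIE lines) can be checked mechanically. This is an added example, not part of the thread and not HijackThis code; `parse_log`, `triage` and the finding codes are hypothetical names, and it assumes that any version below the recommended v1.98.2 misses O20 and that a patched system shows an "SP" token on those header lines.

```python
import re
from collections import defaultdict

# Assumption: any version older than the v1.98.2 recommended in the reply is
# treated as unable to list O20 entries (the reply confirms this for v1.97.7).
MIN_VERSION = (1, 98, 2)

# Excerpt of the log from post #1 (header lines and four entries).
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/sp.htm?id=9
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\0E95Z0~1.DLL
O15 - Trusted Zone: *.greg-search.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{B0899DE7-E9B5-4242-B472-5853C242D946}: NameServer = 64.147.32.9 64.147.32.10
"""

def parse_log(text):
    """Return (header, entries): header fields and entry lines grouped by code."""
    header, entries = {}, defaultdict(list)
    for line in (raw.strip() for raw in text.splitlines()):
        m = re.match(r"Logfile of HijackThis v(\d+(?:\.\d+)*)", line)
        if m:
            header["version"] = tuple(int(p) for p in m.group(1).split("."))
            continue
        m = re.match(r"(Platform|MSIE):\s*(.+)", line)
        if m:
            header[m.group(1).lower()] = m.group(2)
            continue
        m = re.match(r"([A-Z]\d{1,2}) - (.+)", line)  # e.g. R1, O2, O20
        if m:
            entries[m.group(1)].append(m.group(2))
    return header, dict(entries)

def triage(text):
    """Return (code, message) findings about how far the log can be trusted."""
    header, entries = parse_log(text)
    findings = []
    version = header.get("version")
    if version is None:
        findings.append(("NO_VERSION", "no HijackThis version line found"))
    elif version < MIN_VERSION:
        shown = ".".join(map(str, version))
        findings.append(("OLD_HJT", f"v{shown} is older than v1.98.2; O20 entries may be missing"))
    elif "O20" in entries:
        findings.append(("O20_LISTED", f"{len(entries['O20'])} O20 entry line(s) to review"))
    for key in ("platform", "msie"):
        value = header.get(key, "")
        if value and not re.search(r"\bSP\d", value):
            findings.insert(len(findings), (f"NO_SP_{key.upper()}", f"no service pack shown: {value}"))
    return findings

if __name__ == "__main__":
    for code, message in triage(SAMPLE_LOG):
        print(code, "-", message)
```
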

#3 mrne72

mrne72
  • Topic Starter

  • Members
  • 15 posts

Posted 16 November 2004 - 05:28 PM

Sorry about the post, I have so many different spy/ad-ware checking programs on here, I forgot which I had updated and which I hadn't. The update found that elusive O20 entry first scan. woohoo!! So I'm going to go ahead when I have the time and use the manual removal instructions again and see what comes of it. That stupid dll might be the only thing standing between me and sane surfing, lol.

Thanks again, I'll post results of my efforts.
Have a happy!

P.S. Does anyone even know who wrote the CoolWebSearch nuisance?

#4 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,660 posts

Posted 17 November 2004 - 10:29 AM

Please reply to the existing topic instead of making a new topic when discussing the same issue.



