XP SP2 - Explorer, Outlook, - ... hangup

Discussion in 'Malware Help (A Specialist Will Reply)' started by cheetahtomcat, Jul 12, 2006.

  1. cheetahtomcat

    cheetahtomcat Private E-2

    XP SP2 - Explorer, Outlook, - ... hangup

    Experiencing random behavior on XP SP2 home system recently.
    Internet and Windows Explorer, Outlook and the like frequently hang up.
    I use AdAware, CCleaner, McAfee, Spybot S&D, Zonealarm, ... online.

    Performed the lengthy HJT full cleaning sequence with all steps (Safe boot, Clean, ..) as clearly explained, which detected some BAD GUYS:
    - bikini.exe
    - Cookies/Tribalfusion + Com.com + BurstNet + YieldManager
    - cws.olehelp

    Can send all collected scan log files (off and on-line scans):
    - activescan, hijackthis. jusched, spambayes

    CCleaner does NOT get rid of CWS presence.

    Look for help.

    P.S. Will change over to Mozilla if IE is the cause.

    Jack
     
  2. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    If you have completed all the steps in our Read Me. Then please post all required logs as attachments.
     
  3. cheetahtomcat

    cheetahtomcat Private E-2

    Hi SPD,

    Here are the results from all cleaning and scan efforts (HJT steps 0 to 6):
    a. CWSshredder found CWS.Msconfig - does NOT disappear with SAFE mode clean
    b. Bitdefender (only Normal boot possible) - no detected problems found and no file was generated
    c. Panda Activescan (also only in Normal boot) - see file attached
    d. HJT log generated - see file attached


    Do I require any further testing?

    P.S. Would have a go if required with the combo Killbox.exe/PrevX1/Ewido as seen on http://techrepublic.com.com/5208-11183-0.html?forumID=89&threadID=195941&start=0. Approved?

    Many thanks in advance,
    Jack
     

    Attached Files:

  4. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Windows Messenger is running in the background, and represents a security risk. Disable Windows Messenger by running Shoot The Messenger. If you are using this as your IM client then replace it with MSN Messenger.

    Panda ActiveScan shows that there is a Registry Entry associated with CWS. However, Panda gives no information on where it was found.

    Download
    - Pocket Killbox

    Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click the RED X.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Checkmark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion; say YES, and when the next box opens prompting you to reboot now... click NO... and proceed with the next file. Once you get to the last one click YES and it will reboot. Note many of the files listed below may not exist but we need to check for them anyway.
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open Windows Explorer navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode.

    Follow the directions for Running WinPfind by OldTimer.

    Post WinPFind.txt and a fresh HijackThis log.
     
  5. cheetahtomcat

    cheetahtomcat Private E-2

    Hi again SPD,

    Did perform the second clean up sequences.
    The 2 requested files are attached (named them *_Jack.* this time).

    Operation LOOKS normal again (seemingly all things work, speed is also back to normal).

    Thanks already for all efforts. Hope all is cleared now.

    If so, after checking these files, tell me man how to reward your precious work.

    Kr, Jack

    P.S. Your link above to Shoot the Messenger did not work, but found it anyway with a simple search:
    http://www.majorgeeks.com/download.php?det=3703.
     

    Attached Files:

  6. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Both logs are clean.

    Just to make sure there is nothing from CWS still on your computer run about:Buster twice while in Safe Mode.

    REBOOT to Normal Mode.

    Whichever scanners were finding CWS, run them again. Is it gone?
     
  7. cheetahtomcat

    cheetahtomcat Private E-2

    Ran third cleaning sequence (AboutBuster, Activescan - origin of found CWS trace, and HJT) - 3 files attached - named *_Jack2.*

    With ActiveScan found trace of CWS (registry) + minor other (SearchPortal).

    Kr,
    Jack
     

    Attached Files:

  8. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download
    - Registry Search Tool

    Unzip to your Desktop and double click on regsrch.vbs
    (if you have script protection, please allow this to run)

    In the dialog that opens enter the following:
    Press 'OK'

    The search will run for a while then alert you when it is finished.

    Press 'OK'

    Copy the contents of the WordPad window to Notepad.

    Repeat for olehelp and OleHelp.

    Attach the resulting Notepad file to your next post.
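    The registry search described above, done by hand with the Registry Search Tool, can be reproduced with a script. The block below is an added example, not part of the thread and not the regsrch.vbs tool it refers to: it walks the HKLM and HKCU hives, matches key names, value names and value data against a literal search string, and records the hits (or an explicit "0 hit(s)" line) in a text file that can be attached to a post. Assumptions not taken from the thread: a Windows system with PowerShell 5.1 or later, run from an elevated prompt so HKLM is fully readable, the default search term `olehelp`, and the output file name.

```powershell
<#
  Added example: PowerShell equivalent of the manual registry search in the thread.
  Assumptions (not from the thread): PowerShell 5.1+, elevated prompt, output path below.
#>
param(
    [string]$SearchText = 'olehelp',
    [string]$OutFile    = (Join-Path $env:USERPROFILE 'Desktop\regsearch_results.txt')
)

# Escape the term so it is matched literally; -match is already case-insensitive,
# so 'olehelp' also covers 'OleHelp' and 'cws.olehelp'.
$pattern = [regex]::Escape($SearchText)

# Hives to walk. The per-user hive is reached through HKCU:, the machine hive through HKLM:.
$roots = @('HKLM:\SOFTWARE', 'HKLM:\SYSTEM\CurrentControlSet', 'HKCU:\SOFTWARE')

$hits = New-Object System.Collections.Generic.List[string]

function Test-RegistryKey {
    param($Key)   # a Microsoft.Win32.RegistryKey as returned by Get-Item / Get-ChildItem

    # The key name itself (last path component), e.g. a helper or CLSID key
    $leaf = ($Key.Name -split '\\')[-1]
    if ($leaf -match $pattern) {
        $hits.Add("KEY   : $($Key.Name)")
    }

    # Value names and value data under this key
    foreach ($valueName in $Key.GetValueNames()) {
        $data = $Key.GetValue($valueName)
        # Multi-string and binary data are joined so the text comparison still applies
        $dataText = if ($data -is [System.Array]) { $data -join ' ' } else { [string]$data }
        if ($valueName -match $pattern -or $dataText -match $pattern) {
            $label = if ($valueName -eq '') { '(Default)' } else { $valueName }
            $hits.Add("VALUE : $($Key.Name) -> $label = $dataText")
        }
    }
}

foreach ($root in $roots) {
    # Check the root key itself, then everything beneath it; keys we cannot read are skipped
    Get-Item -Path $root -ErrorAction SilentlyContinue | ForEach-Object { Test-RegistryKey $_ }
    Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object { Test-RegistryKey $_ }
}

# Always write a result file, so "found nothing" is recorded rather than left as a missing file
$header = "Registry search for '$SearchText' on $(Get-Date -Format s) - $($hits.Count) hit(s)"
@($header) + $hits | Set-Content -Path $OutFile -Encoding UTF8
Write-Host $header
Write-Host "Results written to $OutFile"
```

Save it as, for example, `Search-Registry.ps1` and run `.\Search-Registry.ps1 -SearchText 'cws.olehelp'` from an elevated PowerShell; repeat with `olehelp` as the thread does. A hit in value data (a path or CLSID that mentions the term) points at the key to inspect, while an empty result file supports the later conclusion that the scanner report was a false positive.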
     
  9. cheetahtomcat

    cheetahtomcat Private E-2

    Hi SPD,

    RegSearch gave NO results and no file was created with the search words "cws.olehelp - olehelp or Olehelp".
    Did a scan with "cws" alone just to test, see attached file.
    All was done in NORMAL mode.
    Found nothing.

    Jack
     

    Attached Files:

  10. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    May just be a false positive, many scanners have been doing that lately.
     
