CWS_NS3 I hate this!!!!!!


26 replies to this topic

#1 carefree

carefree

    Member

  • Full Member
  • Pip
  • 3 posts

Posted 28 June 2004 - 04:07 AM

I have been hijacked by something called CWS_NS3

I have tried several things to kill this. I have run Adaware, Spybot and Spysweeper all in safe mode and, while these seem to temporarily kill it, it always comes back.

Any help appreciated, the HijackThis file is below:

Logfile of HijackThis v1.97.7
Scan saved at 10:06:19, on 28/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\winjp32.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Aluria Software\ASE\ASE Scheduler.exe
C:\WINDOWS\System32\conime.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\WINDOWS\d3ct.exe
C:\Documents and Settings\Julian McIntyre\My Documents\HijackThis.exe

F0 - syst>m.ini: Shell=
F0 - R >ystem.ini: Shel>=
F0 - R >ystem.ini: UserInit=
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D74EF1BA-9E44-CB6B-6CC0-9035E64ABD6A} - C:\WINDOWS\system32\d3eu.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\common\ycomp5_1_6_0.dll
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [winjp32.exe] C:\WINDOWS\winjp32.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKLM\..\RunOnce: [MNSIndex] C:\Program Files\Max Net Shield\MNSIndex.exe
O4 - HKCU\..\RunOnce: [MNShist] C:\Program Files\Max Net Shield\MNSHist.exe MNSErase
O4 - Startup: ASE Scheduler.lnk = C:\Program Files\Aluria Software\ASE\ASE Scheduler.exe
O9 - Extra button: BT Yahoo! Sidebar (HKLM)
O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Microsoftョ JavaScriptョ Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: Microsoftョ JavaScriptョ Console (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...38165.654537037
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yaho...mail/ymmapi.dll
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://download.yaho...alls/yab_af.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v5.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7308CC70-A092-4FC6-9F5C-EBCA66EFFBD8}: NameServer = 192.168.0.12

#2 1st_evil

1st_evil

    Member

  • Full Member
  • Pip
  • 61 posts

Posted 28 June 2004 - 04:38 AM

SAME HERE MAN WTF!!!

#3 carefree

carefree

    Member

  • Full Member
  • Pip
  • 3 posts

Posted 28 June 2004 - 04:47 AM

Let me know if you figure out how to kill it.

If I can't figure it out soon then I may use the old-fashioned method.......taking a hammer to my laptop!

#4 carefree

carefree

    Member

  • Full Member
  • Pip
  • 3 posts

Posted 28 June 2004 - 05:45 AM

OK, after a few more attempts I appear to have stopped the home page hijacks and pop ups (at least temporarily). However a side effect appears to be that I cannot delete my internet history (even though the local settings files are empty).

Any ideas?

#5 1st_evil

1st_evil

    Member

  • Full Member
  • Pip
  • 61 posts

Posted 28 June 2004 - 05:56 AM

dude I haven't even gone to bed yet and it's 6 30 am IT WON'T GO AWAY WHO CREATED THIS BETTER HOPE I DON'T FIND HIM!!! THAT ASSHOLE!!!!

#6 jeangreg

jeangreg

    Member

  • New Member
  • Pip
  • 2 posts

Posted 30 June 2004 - 07:09 PM

I have the same problem here.....we need to find a cure ASAP I am going crazy......has somebody found something yet???

#7 haynesnpa

haynesnpa

    Member

  • New Member
  • Pip
  • 3 posts

Posted 30 June 2004 - 08:18 PM

There is some recent info on handling browser hijackers at:

http://www.spywarein...ked/prevent.php

There is also CWShredder, but this does not appear to have been kept current, because the CWS POS is continually being changed to reflect security measures.

Hope this helps.

Dennis

#8 berean_315

berean_315

    Member

  • New Member
  • Pip
  • 1 posts

Posted 30 June 2004 - 08:18 PM

I have the same problem as well! What a pain.

The following was posted by someone earlier:


Just Got off the phone with the Folks at Webroot (spysweeper)
And they are working on a solution to this new variant of CWS_NS3 / Cws_NS3 Hijacker
They may be posting a new update Thur or Fri.


#9 jeangreg

jeangreg

    Member

  • New Member
  • Pip
  • 2 posts

Posted 30 June 2004 - 10:53 PM

Ok I guess we should give them a couple of days ..... I have to get some sleep anyway...... Thanks for your support folks

JG

Edited by jeangreg, 30 June 2004 - 10:53 PM.


#10 Tommygun

Tommygun

    Member

  • New Member
  • Pip
  • 1 posts

Posted 01 July 2004 - 01:41 AM

Well I've been reading this thread for the past few days and trying to find some solutions. I'm pretty sure I have, but it may only work in my case since this CWS has so many variations. Whenever it redirected me to another site it always started with res:// and was followed by a dll and some other stuff that I didn't pay a whole lot of attention to. I then went to C:\WINDOWS\system32 and looked for a dll that matched the one that was in the URL. I deleted it entirely. (Make sure you can see hidden files.) After that I reset my internet options and it seems to work. (I have also shut down Internet Explorer and restarted it and it did not revert back to the old search page.) Also I haven't seen any popups yet. Hope this is helpful to someone because I'm sure it drove you guys pretty crazy too.

#11 kill_spyware_mike

kill_spyware_mike

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 01 July 2004 - 03:14 AM

:techsupport:

i also, like many of you and my personal friends, am infected with CWS_NS3/CWS_NS3 hijacker.

i was infected with the same thing about.. 4 months ago. we reformatted my computer because we had NO idea how to get rid of it. I got infected with it AGAIN about a week ago... i used the system restore program and went back about 2 weeks to where i made one of my first restore points. it was fine until about... 8 hours ago where i found that i had it again. i tried using system restore again to go back until i could get some help, but all my previous restore points were gone..? none were there!

i use a software called SPYSWEEPER, and it works very well (cost about $30). since i reinstalled it 3 days ago... i have removed 435 traces of spyware... NOT A LIE! 435 traces on my computer of CWS_NS3!!!

look in your add/remove programs thing in the control panel. there's probably something called Home Search Assistent in there, along with search extender.. blah blah...CAN'T GET RID OF IT

(my homepage starts with res:// NOT http:// ! its called HOME SEARCH)

that's all i know, other than it's annoying. i've been trying to get rid of it almost all night

Edited by kill_spyware_mike, 01 July 2004 - 03:21 AM.


#12 kill_spyware_mike

kill_spyware_mike

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 01 July 2004 - 03:57 AM

my spysweeper log...


04:51 AM Sweeping memory for active software.
Found: Memory-resident Software CWS_NS3, version 1
04:51 AM Memory sweep has completed.
Found: CWS_NS3 registry trace.
Found: CWS_NS3 registry trace.
Found: CWS_NS3 registry trace.
Found: CWS_NS3 registry trace.
Found: CWS_NS3 registry trace.
Found: CWS_NS3 registry trace.
Found: CWS_NS3 registry trace.
Found: CWS_NS3 registry trace.
Found: CWS_NS3 registry trace.
04:52 AM Registry sweep completed.
04:52 AM Full sweep on all local drives initiated.
04:52 AM Now sweeping drive C:
Found Adware: CWS_NS3, version 1
Found Adware: CWS_NS3, version 1
Found Adware: CWS_NS3, version 1
Found Adware: CWS_NS3, version 1
Found Adware: CWS_NS3, version 1
Found Adware: CWS_NS3, version 1
Found Adware: CWS_NS3, version 1
Found Adware: CWS_NS3, version 1
Found Adware: CWS_NS3, version 1
Found Adware: CWS_NS3, version 1
Found Adware: CWS_NS3, version 1
Found Adware: CWS_NS3, version 1
04:57 AM Full Sweep has completed. Elapsed time 0 hours, 6 minutes, 11 seconds.
Files swept: 17,708
Software Located: 22
Spy Sweeper quarantined registry traces of: CWS_NS3
Spy Sweeper quarantined registry traces of: CWS_NS3
Spy Sweeper quarantined registry traces of: CWS_NS3
Spy Sweeper quarantined registry traces of: CWS_NS3
Spy Sweeper quarantined registry traces of: CWS_NS3
Spy Sweeper quarantined registry traces of: CWS_NS3
Spy Sweeper quarantined registry traces of: CWS_NS3
Spy Sweeper quarantined registry traces of: CWS_NS3
Spy Sweeper quarantined registry traces of: CWS_NS3
Spy Sweeper quarantined registry traces of: CWS_NS3
Spy Sweeper quarantined registry traces of: CWS_NS3
Spy Sweeper quarantined: CWS_NS3
Spy Sweeper quarantined: CWS_NS3
Spy Sweeper quarantined: CWS_NS3
Spy Sweeper quarantined: CWS_NS3
Spy Sweeper quarantined: CWS_NS3
Spy Sweeper quarantined: CWS_NS3
Spy Sweeper quarantined: CWS_NS3
Spy Sweeper quarantined: CWS_NS3
Spy Sweeper quarantined: CWS_NS3
Spy Sweeper quarantined: CWS_NS3
Spy Sweeper quarantined: CWS_NS3
Spy Sweeper quarantined: CWS_NS3

#13 kill_spyware_mike

kill_spyware_mike

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 01 July 2004 - 04:21 AM

Logfile of HijackThis v1.98.0
Scan saved at 5:20:30 AM, on 7/1/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\javapv.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\mfchu.exe
C:\Documents and Settings\All Users\Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bydjb.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://bydjb.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://bydjb.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\bydjb.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bydjb.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://bydjb.dll/index.html#96676
R3 - Default URLSearchHook is missing
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: (no name) - {0DB27B81-1712-7464-869A-0E16A2436BED} - C:\WINDOWS\syswx.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [javapv.exe] C:\WINDOWS\system32\javapv.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunOnce: [mfchu.exe] C:\WINDOWS\system32\mfchu.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe



in hijackthis i scanned, found this. i 'fixed' the top 7 (R1,R0,R1,R1,R1,R0,R3) and it temporarily disabled it, i got to change my homepage and it stayed like that for about..3 mins, then went back to it again
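
As an added example (not part of the original thread or any poster's code), this Python sketch does the log triage the posters above do by hand: it flags `res://` start and search pages (posts #10, #11 and #13) and lists BHO DLLs and Run/RunOnce executables that sit directly in the Windows directory. The function names, finding labels and the `C:\WINDOWS` install path are assumptions; the BHO and autorun hits are candidates for review, not a verdict.

```python
import ntpath
import re

# Constructed sample: lines copied from the HijackThis log in the post above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bydjb.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://bydjb.dll/index.html#96676
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {0DB27B81-1712-7464-869A-0E16A2436BED} - C:\WINDOWS\syswx.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [javapv.exe] C:\WINDOWS\system32\javapv.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunOnce: [mfchu.exe] C:\WINDOWS\system32\mfchu.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""

# Assumption: Windows is installed in C:\WINDOWS, as in the logs on this page.
WINDOWS_DIRS = {r"c:\windows", r"c:\windows\system32"}

R_LINE = re.compile(r"^(R[01]) - ([^,]+),(.+?) = (.*)$")
RES_URL = re.compile(r"^res://(.+?\.dll)/", re.I)
BHO_LINE = re.compile(r"^O2 - BHO: .*? - (\{[0-9A-Fa-f-]+\}) - (.+)$")
RUN_LINE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(Run\w*): \[(.+?)\] (.+)$")
EXE = re.compile(r'^"([^"]+)"|^(.+?\.exe)\b', re.I)


def in_windows_dir(path):
    """True if the file sits directly in the Windows or system32 directory."""
    return ntpath.dirname(path).lower() in WINDOWS_DIRS


def triage(log_text):
    """Return (label, where, what) tuples for entries worth a manual look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := R_LINE.match(line):
            # A browser start/search page served from a local DLL resource.
            res = RES_URL.match(m.group(4))
            if res:
                dll = ntpath.basename(res.group(1)).lower()
                findings.append(("res-homepage", f"{m.group(2)},{m.group(3)}", dll))
        elif m := BHO_LINE.match(line):
            if in_windows_dir(m.group(2)):
                findings.append(("bho-in-windows-dir", m.group(1), m.group(2)))
        elif m := RUN_LINE.match(line):
            # First token of the command line: quoted path or text up to ".exe".
            exe = EXE.match(m.group(4))
            path = (exe.group(1) or exe.group(2)) if exe else ""
            if in_windows_dir(path):
                where = f"{m.group(1)} {m.group(2)} [{m.group(3)}]"
                findings.append(("autorun-in-windows-dir", where, path))
    return findings


def hijack_modules(findings):
    """DLL names referenced by res:// start/search pages."""
    return {what for label, _, what in findings if label == "res-homepage"}


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding, sep=" | ")
```
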

#14 checchiamd

checchiamd

    Member

  • New Member
  • Pip
  • 1 posts

Posted 01 July 2004 - 05:13 AM

I am on day 3. The last 48 hours straight wrestling with CWS_NS3. Spysweeper is working on the problem. I have bought their software. I recommend it to everyone. For a quick fix of the re-route homepage aggravation use the shield in options of spysweeper. Set your homepage and protect it, then tell it to fix without notifying you and a lot of the headache is out of the way. CWS_NS3 is still being battled with your spyware and antivirus but spysweeper is keeping your homepage protected from changing. It is 6 in the AM and I am out of coffee- goodnight and good luck. I hope my tip helps some of you out there.

:techsupport:

#15 webdenis12

webdenis12

    Member

  • New Member
  • Pip
  • 3 posts

Posted 01 July 2004 - 02:18 PM

I got same thing

got some kind of CWS_NS3, I'm trying to remove it but it's coming back after a couple of minutes or after reboot. It is also running processes and if I remove it, it's coming back with a different name.

What I did try:

Tried to run SpySweeper, it detected it, and told me it removed it but it keeps coming back

Tried to run Adaware, same thing.

Tried to run CWSSweeper (or something like that), it didn't detect it at all.

I tried everything, this ****** CoolWebSearch keeps coming back, called NS3

can anyone call Lavasoft and Spysweeper and tell them it's not actually removing that *****

#16 wizbang

wizbang

    Member

  • New Member
  • Pip
  • 4 posts

Posted 01 July 2004 - 05:50 PM

i'm nowhere near an expert and i've been trying to fix my computer because of the cws_ns3...i used adaware, spysweeper, and hijack this and removed most of the files from it. the only thing left is a proxy override that comes back after i restart the computer. if i delete that i have no problems but if i don't a popup comes on when i open explorer and all of the files come back...i just don't know how to get rid of the proxy override

#17 webdenis12

webdenis12

    Member

  • New Member
  • Pip
  • 3 posts

Posted 01 July 2004 - 06:30 PM

ok GOOD NEWS GUYS!!!!!!!!!!!!!!!!!!!!!

Spy Sweeper just released a new definition update that removes that software.
How do I know if it actually removes it? bc I got it myself
and it removed it!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 100%

Download now!!!!!!!

#18 vadim

vadim

    Member

  • New Member
  • Pip
  • 1 posts

Posted 01 July 2004 - 07:33 PM

I downloaded it, and while it had appeared to work, when I ran SpySweeper again, it picked up CWS_NS3 (although not the HiJacker). Is this still a problem?

#19 webdenis12

webdenis12

    Member

  • New Member
  • Pip
  • 3 posts

Posted 01 July 2004 - 08:12 PM

hmm my Spy Sweeper removed everything, nothing is showing up

#20 Keyno

Keyno

    Member

  • New Member
  • Pip
  • 1 posts

Posted 02 July 2004 - 11:51 AM

Hello guys,

Those who don't have Spy Sweeper, I might have found a way to keep it from coming back until one of the Spyware removal programs can clean it.

The program runs as a service, under the name NETWORK SECURITY SERVICE.
Disable the service, go into your registry and delete the reg keys for that service, it should be under:
HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\SERVICES
and
HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET002\SERVICES
and
HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES

Look for the first service that's named:

_NS3

Delete those keys.

Now the next problem is under your:
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENT_VERSION\RUN
and
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENT_VERSION\RUNONCE

Look for anything that doesn't look right to you as a .EXE loading up. The Spyware changes the .EXE name every time it loads so it's hard to pin down a specific name.

Delete them, then go into Internet Explorer (Internet Properties) and under advanced, disable any 3rd party extensions from loading.

That should keep it from coming back until one of the spyware programs can remove it.

Hope that helps
Keyno

#21 indy_alaska

indy_alaska

    Member

  • New Member
  • Pip
  • 1 posts

Posted 02 July 2004 - 12:01 PM

THANK YOU SpySweeper. I have been fighting with CWS_NS3 for a week.

For those of you that don't have SpySweeper, I'd really recommend it. It's not too expensive, especially for the peace of mind it will give you.

Another thing, what is the line between spyware/adware and a virus? This felt like a horrible ordeal and since it was so difficult to remove, I was hoping my antivirus software company would help. Please, someone find the jerks that wrote all the variants of CWS and DO something to stop them!

#22 kill_spyware_mike

kill_spyware_mike

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 02 July 2004 - 04:58 PM

spysweeper cost me $30 at bestbuy... great GREAT software

Edited by kill_spyware_mike, 02 July 2004 - 05:26 PM.


#23 kill_spyware_mike

kill_spyware_mike

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 02 July 2004 - 05:27 PM

i downloaded the update for spysweeper... ran it.. and it deleted it all like normal. THIS TIME NOTHING CAME BACK!! thanks guys... thanks webroot!

#24 fox_x

fox_x

    Member

  • New Member
  • Pip
  • 3 posts

Posted 21 July 2004 - 07:51 AM

Hello,
I found this CWS_NS3 on a computer of a user in my network, I think I solved it, though it took me a lot of time and it was a boring job.

I've noticed that this thing also adds entries to the registry - HKLM\...\RUN with a random name. And this random name was also running in the memory (I could see it in the task manager) and I couldn't delete the file cause it was running in the memory.

So I restarted many times into CMD\Safe mode and deleted any files I saw, also searched for .exe files that were modified today (dir/od) and deleted all entries. Then booted up the computer, oh yes at some point I denied myself write access to HKLM\...\RUN. Then ran SpySweeper, found it again under a different name, deleted it also... after a loop of several times now it seems to be ok. I've now run SpySweeper, Adaware and SpyBot and all 3 of them found nothing now, so I hope it's good.

At the beginning I've updated all Windows update patches.


we create our own happiness

#27 nwilcox

nwilcox

    Member

  • New Member
  • Pip
  • 1 posts

Posted 23 July 2004 - 10:22 PM

Well I've been reading this thread for the past few days and trying to find some solutions. I'm pretty sure I have, but it may only work in my case since this CWS has so many variations. Whenever it redirected me to another site it always started with res:// and was followed by a dll and some other stuff that I didn't pay a whole lot of attention to. I then went to C:\WINDOWS\system32 and looked for a dll that matched the one that was in the URL. I deleted it entirely. (Make sure you can see hidden files.) After that I reset my internet options and it seems to work. (I have also shut down Internet Explorer and restarted it and it did not revert back to the old search page.) Also I haven't seen any popups yet. Hope this is helpful to someone because I'm sure it drove you guys pretty crazy too.

I tried that before and then a new .dll name will appear when you reboot. There is a .exe in startup that controls it and I will be damned if I can figure out what it is. Does Lavasoft actually know that Ad-Aware finds it but does not clean it?



