CWS_NS3


  • This topic is locked
9 replies to this topic

#1 HenricoPW

    Member

  • New Member
  • 4 posts

Posted 29 June 2004 - 11:38 AM

I have this CWS_NS3 hijacking and I have done the following:

I have run Adaware and S&D
I have spysweeper and it will keep finding this but does not get rid of it.
I have run the current version of CWShredder and still it hangs in the PC.

Here is my log.
Thanks in advance
Charlie

Logfile of HijackThis v1.94.0
Scan saved at 7:50:47 AM, on 6/29/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://virtual
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://government.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://virtual
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINNT\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=%SystemRoot%\system32\blank.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {29E0B6F5-BA88-681B-1675-330097155CFC} - C:\WINNT\d3ou32.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [HydraVisionDesktopManager] desk95.exe
O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [HydraVisionViewport] Viewport.exe
O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINNT\System32\hpnra.exe
O4 - HKLM\..\Run: [HP Status] C:\WINNT\System32\hpstatus.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [addkg32.exe] C:\WINNT\system32\addkg32.exe
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150...tzip/RdxIE2.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7892.3572800926
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - http://pointa.autode...nu/InstBanr.Ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\pwdesign\autodesksoftware\desktop\InstFred.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\pwdesign\autodesksoftware\desktop\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = henrico
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = henrico
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = henrico

#2 VashonDude

    Forum Deity

  • Trusted Advisor
  • 1,255 posts

Posted 29 June 2004 - 12:16 PM

Download the latest version of HijackThis and post a new log. You're using an outdated version.

-- LB
Want to help in the fight against malware? Join the SWI boot camp.

#3 HenricoPW

    Member

  • New Member
  • 4 posts

Posted 29 June 2004 - 12:47 PM

Oops, sorry about that. Here it is:

Logfile of HijackThis v1.97.7
Scan saved at 1:40:10 PM, on 6/29/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Nhksrv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\hpb2ksrv.exe
C:\WINNT\System32\hpbhksrv.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINNT\System32\NMSSvc.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\devldr32.exe
C:\WINNT\system32\atiptaxx.exe
C:\WINNT\system32\desk95.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\WINNT\system32\Viewport.exe
C:\WINNT\System32\hpnra.exe
C:\WINNT\System32\hpstatus.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\addkg32.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINNT\System32\HPBSPSVR.EXE
C:\WINNT\System32\HPBJDSNT.EXE
C:\WINNT\explorer.exe
C:\Documents and Settings\sad02\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://government.dellnet.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AEDD30CE-0434-07CE-1DCA-5D2ADE907371} - C:\WINNT\system32\crou.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [HydraVisionDesktopManager] desk95.exe
O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [HydraVisionViewport] Viewport.exe
O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINNT\System32\hpnra.exe
O4 - HKLM\..\Run: [HP Status] C:\WINNT\System32\hpstatus.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [addkg32.exe] C:\WINNT\system32\addkg32.exe
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKLM\..\RunOnce: [iebi32.exe] C:\WINNT\iebi32.exe
O4 - HKLM\..\RunOnce: [atlmh.exe] C:\WINNT\atlmh.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Open Client to Monitor &1 - C:\WINNT\web\AOpenClient.htm
O8 - Extra context menu item: Open Client to Monitor &2 - C:\WINNT\web\AOpenClient.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150...tzip/RdxIE2.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7892.3572800926
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - http://pointa.autode...nu/InstBanr.Ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\pwdesign\autodesksoftware\desktop\InstFred.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\pwdesign\autodesksoftware\desktop\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = henrico
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = henrico
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = henrico

#4 VashonDude

    Forum Deity

  • Trusted Advisor
  • 1,255 posts

Posted 29 June 2004 - 03:55 PM

Change settings to show hidden files.

Find the following file:

C:\WINNT\system32\crou.dll

right click on it and choose Properties from the pop-up menu. Click on the Version tab and post the values for each item in the item name list.

Also, make a copy of this file and put it somewhere safe (like My Documents). You may be asked to submit this file.

-- LB

#5 ryan

    Member

  • New Member
  • 1 post

Posted 29 June 2004 - 04:46 PM

I have a client who is experiencing the same problems with CWS_NS3. I tried getting rid of it using all the techniques suggested here but I noticed that the PC would be reinfected once I tried double clicking the Users and Passwords icon in the control panel. Have you experienced this? Does your Users and Passwords icon work correctly?

#6 HenricoPW

    Member

  • New Member
  • 4 posts

Posted 30 June 2004 - 08:17 AM

Ryan:

My Users and Passwords icon is OK.

vashondude:
I may be missing this, but there is no Version tab. I'm running Windows 2000.

#7 VashonDude

    Forum Deity

  • Trusted Advisor
  • 1,255 posts

Posted 30 June 2004 - 09:50 AM

I'm going to check with the experts on how to handle that file. I'll be back once I get an answer.

-- LB

#8 HenricoPW

    Member

  • New Member
  • 4 posts

Posted 30 June 2004 - 11:26 AM

Just got off the phone with the folks at Webroot (Spy Sweeper), and they are working on a solution to this new variant of the CWS_NS3 hijacker.
They may be posting a new update Thursday or Friday.

#9 VashonDude

    Forum Deity

  • Trusted Advisor
  • 1,255 posts

Posted 30 June 2004 - 12:42 PM

You'll need to create a new folder called C:\HJT and move HijackThis to it. Otherwise your desktop will be cluttered with the backups made by HijackThis.

After doing that, go back into HijackThis and, with all browser windows closed, remove the following:

O2 - BHO: (no name) - {AEDD30CE-0434-07CE-1DCA-5D2ADE907371} - C:\WINNT\system32\crou.dll
O4 - HKLM\..\Run: [addkg32.exe] C:\WINNT\system32\addkg32.exe
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - HKLM\..\RunOnce: [iebi32.exe] C:\WINNT\iebi32.exe
O4 - HKLM\..\RunOnce: [atlmh.exe] C:\WINNT\atlmh.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150...tzip/RdxIE2.cab


These next 2 items are considered optional removal, but they are resource hogs, so you may want to remove these:

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE


Reboot into safe mode by repeatedly tapping F8 during reboot until you hit a menu. Choose Safe Mode.

Once you're in Safe Mode, delete the following files:

C:\WINNT\system32\addkg32.exe
C:\WINNT\iebi32.exe
C:\WINNT\atlmh.exe
internat.exe


You'll have to do a search to find that last one. Click on the Start Menu and click on Search (or Find). Choose "all files and folders" and enter "internat.exe" in the file name field.

At some point you may want to do a full virus scan. I saw evidence of at least 2 prior virus infections.

Finally, reboot and post a new log.

-- LB

Edited by VashonDude, 30 June 2004 - 12:44 PM.

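As an added example (not part of the thread, and not HijackThis's own logic), here is a small Python triage script that applies the patterns behind VashonDude's removal list above: an unnamed BHO loaded straight from the Windows directory, a Run/RunOnce value named after its own executable, and an ActiveX download from a bare IP address. The sample log is a constructed excerpt of entries posted in this thread; the heuristics are assumptions of mine meant to shortlist entries for a second look, not a verdict.

```python
import re

# Constructed sample: entries copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AEDD30CE-0434-07CE-1DCA-5D2ADE907371} - C:\WINNT\system32\crou.dll
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [addkg32.exe] C:\WINNT\system32\addkg32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [iebi32.exe] C:\WINNT\iebi32.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150...tzip/RdxIE2.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
"""

HJT_LINE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")      # "O4 - <body>"
O4_BODY = re.compile(r"\[(?P<name>[^\]]+)\]\s+(?P<cmd>.+)$")           # "[name] command"
BARE_IP_URL = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?!\d)")   # host is an IP literal
WINDOWS_DIRS = ("c:\\winnt\\", "c:\\windows\\")                         # assumed system roots

def parse_hjt(text):  # -> list of (section, body); non-entry lines are skipped
    out = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            out.append((m["section"], m["body"]))
    return out

def first_token(cmd):
    # The executable path of a Run value, honouring a quoted path with spaces.
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split()[0]

def triage(text):
    """Return [(section, body, reason)] for entries that deserve a closer look."""
    flagged = []
    for section, body in parse_hjt(text):
        target = body.split(" - ")[-1]      # last field: DLL path or download URL
        reason = None
        if section == "O2" and "(no name)" in body and target.lower().startswith(WINDOWS_DIRS):
            reason = "unnamed BHO loaded straight from the Windows directory"
        elif section == "O4":
            m = O4_BODY.search(body)
            exe = first_token(m["cmd"]).rsplit("\\", 1)[-1] if m else ""
            if m and m["name"].lower() == exe.lower():
                reason = "Run/RunOnce value named after its own executable"
        elif section == "O16" and BARE_IP_URL.match(target):
            reason = "ActiveX control fetched from a bare IP address"
        if reason:
            flagged.append((section, body, reason))
    return flagged
```

Run against the full log from post #3, the second rule also catches the `[Internat.exe] internat.exe` entry that VashonDude removed, while the Acrobat, ATI, QuickTime and Flash entries pass untouched.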

#10 dave38

    Devout Murphyite!

  • Emeritus
  • 8,508 posts

Posted 16 October 2004 - 04:30 AM

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
Be wary of strong drink. It may make you shoot at tax collectors, and miss!
Please support SWI forum