HenricoPW

CWS_NS3

10 posts in this topic

I have this CWS_NS3 hijacking and I have done the following:

 

I have run Adaware and S&D

I have spysweeper and it will keep finding this but does not get rid of it.

I have run the current version of CWShredder and still it hangs in the PC.

 

here is my log

Thanks in advance

Charlie

 

Logfile of HijackThis v1.94.0

Scan saved at 7:50:47 AM, on 6/29/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://virtual

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://government.dellnet.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://virtual

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINNT\system32\blank.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=%SystemRoot%\system32\blank.htm

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {29E0B6F5-BA88-681B-1675-330097155CFC} - C:\WINNT\d3ou32.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe

O4 - HKLM\..\Run: [HydraVisionDesktopManager] desk95.exe

O4 - HKLM\..\Run: [speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe

O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe

O4 - HKLM\..\Run: [HydraVisionViewport] Viewport.exe

O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINNT\System32\hpnra.exe

O4 - HKLM\..\Run: [HP Status] C:\WINNT\System32\hpstatus.exe

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [addkg32.exe] C:\WINNT\system32\addkg32.exe

O4 - HKCU\..\Run: [internat.exe] internat.exe

O4 - HKCU\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/2902985123fa465f5717/netzip/RdxIE2.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7892.3572800926

O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - http://pointa.autodesk.com/portal/lang/enu/InstBanr.Ocx

O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\pwdesign\autodesksoftware\desktop\InstFred.ocx

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\pwdesign\autodesksoftware\desktop\AcPreview.ocx

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = henrico

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = henrico

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = henrico


Download the latest version of HijackThis and post a new log. You're using an outdated version.

 

-- LB


oops

sorry about that

here it tis

 

Logfile of HijackThis v1.97.7

Scan saved at 1:40:10 PM, on 6/29/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\csrss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\Nhksrv.exe

C:\Program Files\Intel\ASF Agent\ASFAgent.exe

C:\WINNT\System32\CTsvcCDA.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\System32\hpb2ksrv.exe

C:\WINNT\System32\hpbhksrv.exe

C:\Program Files\Dell\OpenManage\Client\Iap.exe

C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

C:\Program Files\Network Associates\VirusScan\Mcshield.exe

C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

C:\WINNT\System32\NMSSvc.exe

C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\stisvc.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\devldr32.exe

C:\WINNT\system32\atiptaxx.exe

C:\WINNT\system32\desk95.exe

C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Creative\ShareDLL\CtNotify.exe

C:\WINNT\system32\Viewport.exe

C:\WINNT\System32\hpnra.exe

C:\WINNT\System32\hpstatus.exe

C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe

C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE

C:\Program Files\Creative\ShareDLL\MediaDet.Exe

C:\Program Files\QuickTime\qttask.exe

C:\WINNT\system32\addkg32.exe

C:\WINNT\system32\internat.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\WINNT\System32\HPBSPSVR.EXE

C:\WINNT\System32\HPBJDSNT.EXE

C:\WINNT\explorer.exe

C:\Documents and Settings\sad02\Desktop\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://government.dellnet.com/

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {AEDD30CE-0434-07CE-1DCA-5D2ADE907371} - C:\WINNT\system32\crou.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe

O4 - HKLM\..\Run: [HydraVisionDesktopManager] desk95.exe

O4 - HKLM\..\Run: [speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe

O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe

O4 - HKLM\..\Run: [HydraVisionViewport] Viewport.exe

O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINNT\System32\hpnra.exe

O4 - HKLM\..\Run: [HP Status] C:\WINNT\System32\hpstatus.exe

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [addkg32.exe] C:\WINNT\system32\addkg32.exe

O4 - HKCU\..\Run: [internat.exe] internat.exe

O4 - HKCU\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0

O4 - HKLM\..\RunOnce: [iebi32.exe] C:\WINNT\iebi32.exe

O4 - HKLM\..\RunOnce: [atlmh.exe] C:\WINNT\atlmh.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: Open Client to Monitor &1 - C:\WINNT\web\AOpenClient.htm

O8 - Extra context menu item: Open Client to Monitor &2 - C:\WINNT\web\AOpenClient.htm

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/2902985123fa465f5717/netzip/RdxIE2.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7892.3572800926

O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - http://pointa.autodesk.com/portal/lang/enu/InstBanr.Ocx

O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\pwdesign\autodesksoftware\desktop\InstFred.ocx

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\pwdesign\autodesksoftware\desktop\AcPreview.ocx

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = henrico

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = henrico

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = henrico


Change settings to show hidden files.

 

Find the following file:

 

C:\WINNT\system32\crou.dll

 

Right-click on it and choose Properties from the pop-up menu. Click on the Version tab and post the values for each item in the item name list.

 

Also, make a copy of this file and put it somewhere safe (like My Documents). You may be asked to submit this file.

 

-- LB


I have a client who is experiencing the same problems with CWS_NS3. I tried getting rid of it using all the techniques suggested here but I noticed that the PC would be reinfected once I tried double clicking the Users and Passwords icon in the control panel. Have you experienced this? Does your Users and Passwords icon work correctly?


Ryan:

 

My Users and Passwords icon is OK.

 

vashondude:

I may be missing this but there is no version tab

running windows 2000


I'm going to check with the experts on how to handle that file. I'll be back once I get an answer.

 

-- LB


Just got off the phone with the folks at Webroot (Spy Sweeper)

And they are working on a solution to this new variant of CWS_NS3 / Cws_NS3 Hijacker

They may be posting a new update Thur or Fri.


You'll need to create a new folder called C:\HJT and move HijackThis to it. Otherwise your desktop will be cluttered with the backups made by HijackThis.

 

After doing that, go back into HijackThis and, with all browser windows closed, remove the following:

 

O2 - BHO: (no name) - {AEDD30CE-0434-07CE-1DCA-5D2ADE907371} - C:\WINNT\system32\crou.dll

O4 - HKLM\..\Run: [addkg32.exe] C:\WINNT\system32\addkg32.exe

O4 - HKCU\..\Run: [internat.exe] internat.exe

O4 - HKLM\..\RunOnce: [iebi32.exe] C:\WINNT\iebi32.exe

O4 - HKLM\..\RunOnce: [atlmh.exe] C:\WINNT\atlmh.exe

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/2902985123fa465f5717/netzip/RdxIE2.cab

 

These next 2 items are considered optional removal, but they are resource hogs, so you may want to remove these:

 

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

 

Reboot into safe mode by repeatedly tapping F8 during reboot until you hit a menu. Choose Safe Mode.

 

Once you're in Safe Mode, delete the following files:

 

C:\WINNT\system32\addkg32.exe

C:\WINNT\iebi32.exe

C:\WINNT\atlmh.exe

internat.exe

 

You'll have to do a search to find that last one. Click on the Start Menu and click on Search (or Find). Choose "all files and folders" and enter "internat.exe" in the file name field.

 

At some point you may want to do a full virus scan. I saw evidence of at least 2 prior virus infections.

 

Finally, reboot and post a new log.

 

-- LB

Edited by VashonDude
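
Comparing the two HijackThis logs posted in this thread shows what changed between scans: the unnamed BHO in C:\WINNT appears under a different CLSID and file name, and two RunOnce entries are new. The following is an added example, not part of the original thread, that diffs two scans to surface that kind of churn; the sample text is excerpted from the logs above, and the function names are this example's own.

```python
import re

# A HijackThis entry line is "<section> - <body>", e.g. "O4 - HKLM\..\Run: [x] y".
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
AUTOSTART = {"O2", "O4"}  # O2 = BHOs, O4 = Run / RunOnce / Startup items

# Excerpts from the v1.94.0 and v1.97.7 logs posted in this thread.
OLD_SCAN = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://government.dellnet.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {29E0B6F5-BA88-681B-1675-330097155CFC} - C:\WINNT\d3ou32.dll
O4 - HKLM\..\Run: [addkg32.exe] C:\WINNT\system32\addkg32.exe
"""
NEW_SCAN = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://government.dellnet.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AEDD30CE-0434-07CE-1DCA-5D2ADE907371} - C:\WINNT\system32\crou.dll
O4 - HKLM\..\Run: [addkg32.exe] C:\WINNT\system32\addkg32.exe
O4 - HKLM\..\RunOnce: [iebi32.exe] C:\WINNT\iebi32.exe
O4 - HKLM\..\RunOnce: [atlmh.exe] C:\WINNT\atlmh.exe
"""

def parse_entries(log_text):
    """Return the set of (section, body) entries; header and process lines are skipped."""
    entries = set()
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            # The two versions space "=" differently; normalize so R1 compares equal.
            entries.add((m.group(1), re.sub(r"\s*=\s*", "=", m.group(2))))
    return entries

def diff_scans(old_log, new_log):
    """Return (entries only in the old scan, entries only in the new scan)."""
    old, new = parse_entries(old_log), parse_entries(new_log)
    return sorted(old - new), sorted(new - old)

def autostart_churn(old_log, new_log):
    """Limit the diff to the autostart sections, where a respawning item shows up."""
    gone, appeared = diff_scans(old_log, new_log)
    return ([e for e in gone if e[0] in AUTOSTART],
            [e for e in appeared if e[0] in AUTOSTART])

if __name__ == "__main__":
    gone, appeared = autostart_churn(OLD_SCAN, NEW_SCAN)
    for section, body in gone:
        print("- only in old scan:", section, body)
    for section, body in appeared:
        print("+ only in new scan:", section, body)
```
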


If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.

This topic is now closed to further replies.