

I've tried almost everything. CWS PROBLEM

8 replies to this topic

#1 aphexpusher



  • New Member
  • 4 posts

Posted 05 July 2004 - 11:56 PM

OK, here is my HijackThis info:

Logfile of HijackThis v1.98.0
Scan saved at 9:40:03 PM, on 7/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Ragdoll\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Ragdoll\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Ragdoll\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Ragdoll\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Ragdoll\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Ragdoll\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Ragdoll\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5CBCF880-A338-4E85-8927-ACF8893E35D0} - C:\WINDOWS\System32\lje.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan....r/axscanner.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A84D5B81-6219-4BD2-81A0-30783D0E7760}: NameServer =
O18 - Filter: text/html - {D3C1ECF4-32F4-4DA6-8C29-8370023E1C3D} - C:\WINDOWS\System32\lje.dll
O18 - Filter: text/plain - {D3C1ECF4-32F4-4DA6-8C29-8370023E1C3D} - C:\WINDOWS\System32\lje.dll

#2 NsaneRAZ



  • Full Member
  • 7 posts

Posted 06 July 2004 - 12:35 AM

try this, its a program called About:Buster


itll work if ur lucky...if not theres other methods 2 kill it

#3 aphexpusher



  • New Member
  • 4 posts

Posted 06 July 2004 - 12:47 AM

Well, I did and nothing... didn't do anything... However, I did run CWShredder and it found Searchx. However, it seems to reappear. Anyone have any suggestions?

#4 MavZZ



  • New Member
  • 4 posts

Posted 06 July 2004 - 01:18 AM

What CWS version was found by CWShredder? Read about CWS.realyellowpage and CWS.Searchx together?

Have a look at http://www.spywarein...#realyellowpage

Looking at your HT log, I had a CWS version almost the same as yours; nothing worked but a manual removal of CWS.realyellowpage and then CWS.Searchx. Follow the instructions carefully on that webpage and you should be alright.

Finding the *.dll file might be a bit tricky, if you can post the PrcView log.



#5 aphexpusher



  • New Member
  • 4 posts

Posted 06 July 2004 - 01:22 AM

What is a HT log? HijackThis? Also, what is a PrcView log?

#6 MavZZ



  • New Member
  • 4 posts

Posted 06 July 2004 - 01:27 AM

HT: HijackThis

PrcView: A program which shows you the DLL files used by Internet Explorer. Your version of CWS seems to be created by a DLL which was associated with Internet Explorer.

Go to http://www.spywarein...#realyellowpage, try removing this version of CWS manually following their instructions, it worked for me.

CWS.Searchx keeps coming back even though it's erased by CWShredder because, for some reason, when CWS.realyellowpage is present CWS.Searchx can't be erased unless you erase realyellowpage first.
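
As an added example (not part of any post in this thread, and not HijackThis's own code): a short Python triage over lines copied from the log in post #1. It flags IE settings that point at a local Temp file, BHOs with no class name, and any module registered both as a BHO (O2) and as a MIME filter (O18), the kind of DLL tied to Internet Explorer that post #6 refers to. The function name `triage` and the three heuristics are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Lines copied from the HijackThis log in post #1 of this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Ragdoll\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5CBCF880-A338-4E85-8927-ACF8893E35D0} - C:\WINDOWS\System32\lje.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O18 - Filter: text/html - {D3C1ECF4-32F4-4DA6-8C29-8370023E1C3D} - C:\WINDOWS\System32\lje.dll
O18 - Filter: text/plain - {D3C1ECF4-32F4-4DA6-8C29-8370023E1C3D} - C:\WINDOWS\System32\lje.dll
"""

ENTRY = re.compile(r"^([RFNO]\d+) - (.*)$")  # section code, then the entry body

def triage(log_text):
    """Return (findings, shared_modules) for a HijackThis log (hypothetical helper)."""
    findings = []
    users = defaultdict(set)  # module path (lowercased) -> section codes that load it
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header, process list or blank line
        code, body = m.groups()
        if code in ("R0", "R1") and " = " in body:
            key, value = body.split(" = ", 1)
            if value.lower().startswith("file://") and "\\temp\\" in value.lower():
                findings.append((code, "IE setting points at a local Temp file", key))
        if code in ("O2", "O18"):
            parts = body.split(" - ")
            path = parts[-1].strip()
            users[path.lower()].add(code)
            if code == "O2" and "(no name)" in parts[0]:
                findings.append((code, "BHO with no class name", path))
    shared = sorted(p for p, codes in users.items() if codes == {"O2", "O18"})
    return findings, shared

if __name__ == "__main__":
    findings, shared = triage(SAMPLE_LOG)
    for code, reason, detail in findings:
        print(f"{code}: {reason}: {detail}")
    for path in shared:
        print(f"Same module is both a BHO (O2) and a MIME filter (O18): {path}")
```
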

#7 aphexpusher



  • New Member
  • 4 posts

Posted 06 July 2004 - 01:30 AM

So how do I get rid of Searchx? Just run CWShredder?

#8 MavZZ



  • New Member
  • 4 posts

Posted 06 July 2004 - 01:39 AM

To get rid of CWS.Searchx you FIRST have to get rid of CWS.realyellowpage, following the instructions at the link I've already posted.

CWS.realyellowpage is not visible in the HijackThis log, so you don't know you have it, but if you can't uninstall CWS.Searchx you probably have it too.

Please read the webpage above specifically CWS.Searchx and CWS.realyellowpage.

#9 NsaneRAZ



  • Full Member
  • 7 posts

Posted 06 July 2004 - 03:34 AM

lemi make this simple

boot in safemode with network press F6 on a windows 98 rappidly when restartn computer...for safemodes on other versions of windows google it or search forums

go 2 c\windows

and the folder calld "system" in ur windows folder

delete all the files as of and after date of infection...unless u r SURE the file is related to a new spyware/adaware program u installed in attempts 2 kill the virus

clean ur temp folder in windows and documents(if u have one there)
clear history
clear cookies
clear temporary internet files

download hijack this and fix all bad chekd items...like SP.exe and other stuff mainly at top of list tht loox bad, take chances 2.

download ad aware 6 (by lavasoft) and download the updated reference file as well (and copy and paste the unzipped ref file to the lavasoft ad aware 6 folder under program files)

:run the program:

download spybot search and destroy

:run the program:

[i realise u probably cant get online...so u gota download all of this from another computer]

go to start>>>run>>>regedit

go to hkey local users/software/microsoft/windows/internet explorer/main
now look on ur right side and rt click and modify/edit ANY site listed tht isnt ur regular homepage..for the sake of this tutorial im guna say change ANY websites(or res things) to http://www.google.com

now exit registry...and open it again..and go to

hkeylocalmachine/software/microsoft/windows/internet explorer/internet settings
and do the same as listed for previous thing..

now exit registry

NOW, go 2 start>>run>>>msconfig and ONLY click the tab tht says startup..
and uncheck ANY suspicious programs.(and hit apply/ok) dont worry worst tht can happen is u uncheck a good file and windows doesnt work so u go into safemode and check it bak..and windowsll work again..or windows will autofix it without need of safemode.
-the reason ur doing this is to disable the bad files from starting up when windows does...for xample, AIM, a valid file, probably auto pops up for u when ur computer is turned on but if u unchek it in msconfig..it wont pop up on startup.

exit msconfig

okay you want 2 be safe rt?

scan your computer with ALL the programs again, yeah dont cry about it cuz itll take time...do it otherwise all the steps mita been worthless

***ALSO, if u want 2 be XTRA careful...restart computer in MS-DOS mode and delete all your temporary internet files, cookies etc..thru DOS...so it actually deletes it...not jus pretends 2 like in regular windows***
NOTE:the above applies 2 mainly win 98SE and below because i thnk tht problem is fixed in later versions.....but i'd do it despite what OS u have....
(h t t p:// w w w.f u c k m i c r o s o f t . c o m/c o n t e n t/m s - h i d d e n - f i l e s. s h t m l)<<<<without the spaces


if you have zonealarm (firewall)(any version) a file can get corrupted in it calld VSCONFIG.XML
-yes this is a VALID zonealarm file however it can get corrupted by this virus.
-its found in c\windows\system if ur file is over 1MB delete it. if when u click it and hit open...n it says error sumwhere n the code..delete it...infact delete it anyway...zonealarm will create a new CLEAN file on reboot.

if u do all tht u shud be clear
