Jump to content


Need Help Plz Possible CWS not sure

  • Please log in to reply
2 replies to this topic

#1 Syn3rgy



  • New Member
  • Pip
  • 2 posts

Posted 08 July 2004 - 02:20 PM

I have run hijack, adaware, spybot s&d, CWShredder and buster. CWShredder says everything is clean as does spybot. Adaware says it found CWS and says it removes it but it doesnt really. Everytime i run the buster it finds files, so something is still on the system. It changes my start page and delivers popups. I cant seem to get rid of it no matter what i do. logs below. Any help would be great.

Logfile of HijackThis v1.97.7
Scan saved at 2:15:38 PM, on 7/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jeri\Desktop\AboutBuster.exe
C:\Documents and Settings\Jeri\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hatvg.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://hatvg.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://hatvg.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hatvg.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://hatvg.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\hatvg.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {F84CD05B-7AC6-704D-1455-2625BA680123} - C:\WINDOWS\system32\iess.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [atlrw.exe] C:\WINDOWS\atlrw.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\RunOnce: [ntdv32.exe] C:\WINDOWS\ntdv32.exe
O4 - HKLM\..\RunOnce: [crpr32.exe] C:\WINDOWS\crpr32.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for ~: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for : C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll


About:Buster Version 1.25
Removed! : C:\WINDOWS\lfsmla.dat
Removed! : C:\WINDOWS\System32\atlns32.exe
Error Removing! : C:\WINDOWS\System32\iess.dll
Attempted Clean Of Temp folder.
Removed LEGACY___NS_Service_3 Key
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

#2 meeeeeee



  • Helper
  • Pip
  • 86 posts

Posted 08 July 2004 - 06:28 PM

Sometimes it needs a few runs of About:buster to kill the CWS. Please follow these directions:


Make sure you have the latest updates of Ad-aware before starting this process.


Hello, Please download this tool called About:Buster from:


Unzip it to your desktop but don't run it yet.


Now start Hijackthis and tick the boxes next to these items:

O2 - BHO: (no name) - {F84CD05B-7AC6-704D-1455-2625BA680123} - C:\WINDOWS\system32\iess.dll
O4 - HKLM\..\Run: [atlrw.exe] C:\WINDOWS\atlrw.exe
4 - HKLM\..\RunOnce: [ntdv32.exe] C:\WINDOWS\ntdv32.exe
O4 - HKLM\..\RunOnce: [crpr32.exe] C:\WINDOWS\crpr32.exe

Now close ALL windows and hit fix checked.


Make sure you have printed this page and close ALL Internet Explorer windows. This is a very important step!!


Run AboutBuster.exe, click ok, then start, then OK. Make a copy of the log once it finishes. Then run aboutbuster.exe again. Make a copy of that log.


Boot into safe mode and run Ad-aware. Let it fix all that it finds.


Reboot and post a new HijackThis log along with the two reports from About:Buster.

#3 Syn3rgy



  • New Member
  • Pip
  • 2 posts

Posted 09 July 2004 - 09:08 AM

ok ill will try this today. thanks for the help.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of

Support SpywareInfo Forum - click the button
PayPal - The safer, easier way to pay online!