CWS_NS3 problems


#1 mmcjawa
Member, New Member, 2 posts

Posted 27 July 2004 - 02:22 PM

Hello... first-time post, and the first really bad problem I haven't been able to figure out myself.

According to Spysweeper, I have the above-mentioned program on my computer, but of course it reappears each time I try to remove it. On top of that, it seems to be "letting in" other programs, as I keep tracking stuff down with either Adaware or AVG anti-virus, only for new or different trojans/virii to pop up later in the day (for instance, I have removed Downloader BJ a few times, and Proxy 5.AS is currently showing on my computer). In total, I have been using Spysweeper, AVG anti-virus, Spybot, Adaware, and HijackThis, but still can't get to the source of the problem.

CWShredder can't find anything wrong, and I can't even get it to update.

here's my HJ Log

Logfile of HijackThis v1.97.3
Scan saved at 2:56:11 PM, on 7/27/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\mscf.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\WINDOWS\System32\internst32.exe
C:\WINDOWS\iphn.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlgn.exe
C:\WINDOWS\System32\x0r\svnhost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Notepad.exe
C:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://quick-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bftna.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.selfsearch.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bftna.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://bftna.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\bftna.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://quick-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://quick-searcher.com/index.htm
O2 - BHO: (no name) - {CC086A15-62A9-AB60-EE8B-D823FC826E91} - C:\WINDOWS\addxi.dll
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [SSRunScript] "C:\Program Files\Support.com\Charter\bin\SSRunScript.exe" /script "C:\Program Files\Support.com\Charter\vbs\verifyconnection.vbs" /args //b startupdelay
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\internst32.exe internet.dll,LoadNetworkProfile
O4 - HKLM\..\Run: [iphn.exe] C:\WINDOWS\iphn.exe
O4 - HKLM\..\Run: [x0r] C:\WINDOWS\System32\x0r\svnhost.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Zero Knowledge Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: winlgn.exe
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windup...022384e480b9c0d
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7883.8337962963
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab

Help me before I commit computercide please!!!!!! :gasp:

#2 Racktracker
Hunter of Malware, Retired Staff, 1,306 posts

Posted 27 July 2004 - 08:43 PM

Your hijackthis is out of date. Go here and download the most recent version.
http://www.majorgeek...wnload3155.html

Download About:Buster from Here (but don't run it yet)

http://www.downloads...AboutBuster.zip

Unzip it to your desktop.

Then boot into safe mode.

Run another hijackthis scan. Place a check next to the following entries, then close all other windows and click the fix button.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://quick-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bftna.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.selfsearch.biz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bftna.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://bftna.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\bftna.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://quick-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://quick-searcher.com/index.htm
O2 - BHO: (no name) - {CC086A15-62A9-AB60-EE8B-D823FC826E91} - C:\WINDOWS\addxi.dll
O4 - HKLM\..\Run: [iphn.exe] C:\WINDOWS\iphn.exe
O4 - HKLM\..\Run: [x0r] C:\WINDOWS\System32\x0r\svnhost.exe
O4 - Global Startup: winlgn.exe

Then locate and delete these files.
C:\WINDOWS\addxi.dll
C:\WINDOWS\iphn.exe
winlgn.exe (note the spelling)

And these folders.
C:\WINDOWS\System32\x0r

You may have to enable hidden files to find all the files.

Open About:buster and hit Ok, then Start, then Ok to start the scan. The scan should take a few seconds. Once it is done, save the report. Then reboot into normal mode and post the report and a new HijackThis log here.

#3 mmcjawa
Member, New Member, 2 posts

Posted 28 July 2004 - 11:49 AM

Ok... did what you said... CWS_NS3 seems to still be on, however, as Spysweeper popped a notice up that it was present... also more suspicious crap appeared in the HJ log.

Anyway... here's the About:Buster log and HijackThis report.

-- Scan 1 --------
About:Buster Version 1.32
Removed! : C:\WINDOWS\addxi.exe
Removed! : C:\WINDOWS\irvcfd.dat
Removed! : C:\WINDOWS\rwkha.dll
Removed! : C:\WINDOWS\sdkgx.exe
Removed! : C:\WINDOWS\System32\oqhoa.dat
Removed! : C:\WINDOWS\System32\qtzln.dat
Removed! : C:\WINDOWS\System32\rlffy.dat
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 --------
About:Buster Version 1.32
Attempted Clean Of Temp folder.
Pages Reset... Done!

Logfile of HijackThis v1.98.0
Scan saved at 12:41:53 PM, on 7/28/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\apioi.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\WINDOWS\System32\internst32.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\system32\atlly.exe
C:\Documents and Settings\Owner\Desktop\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://quick-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ktnhl.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ktnhl.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ktnhl.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ktnhl.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ktnhl.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://quick-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://quick-searcher.com/index.htm
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {CC086A15-62A9-AB60-EE8B-D823FC826E91} - C:\WINDOWS\addxi.dll
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [SSRunScript] "C:\Program Files\Support.com\Charter\bin\SSRunScript.exe" /script "C:\Program Files\Support.com\Charter\vbs\verifyconnection.vbs" /args //b startupdelay
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\internst32.exe internet.dll,LoadNetworkProfile
O4 - HKLM\..\Run: [atlly.exe] C:\WINDOWS\system32\atlly.exe
O4 - HKLM\..\RunOnce: [mscf.exe] C:\WINDOWS\system32\mscf.exe
O4 - HKLM\..\RunOnce: [sdkfw32.exe] C:\WINDOWS\sdkfw32.exe
O4 - HKLM\..\RunOnce: [ntrj32.exe] C:\WINDOWS\ntrj32.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Zero Knowledge Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windup...022384e480b9c0d


right now I am preparing my computer for a reformat if all doesn't go well...

#4 Racktracker
Hunter of Malware, Retired Staff, 1,306 posts

Posted 28 July 2004 - 07:49 PM

I wouldn't get too excited about formatting just yet. Sometimes it takes a couple of runs to get rid of this.

Download CoolWeb Shredder and unzip it to your desktop. (Don't run it yet; we will get to that shortly.)

Boot into safe mode and run a hijackthis scan. Have hijackthis fix the following entries.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://quick-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ktnhl.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ktnhl.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ktnhl.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ktnhl.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ktnhl.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://quick-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://quick-searcher.com/index.htm
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {CC086A15-62A9-AB60-EE8B-D823FC826E91} - C:\WINDOWS\addxi.dll
O4 - HKLM\..\Run: [atlly.exe] C:\WINDOWS\system32\atlly.exe
O4 - HKLM\..\RunOnce: [mscf.exe] C:\WINDOWS\system32\mscf.exe
O4 - HKLM\..\RunOnce: [sdkfw32.exe] C:\WINDOWS\sdkfw32.exe
O4 - HKLM\..\RunOnce: [ntrj32.exe] C:\WINDOWS\ntrj32.exe


While still in safe mode open coolweb shredder and click the fix button.
Then run an Adaware scan.
Then run About:buster repeatedly until it comes back clean.

Then reboot into normal mode and post a fresh hijackthis log.
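Racktracker builds the fix lists by reading the log by eye. As an added example (not code from this thread or from any of the tools named in it), the Python script below parses HijackThis output, flags the same patterns the helper acted on, and diffs the two scans posted above, which shows the payload file names rotating between posts (bftna.dll to ktnhl.dll, iphn.exe to atlly.exe) and explains why the infection looked like it survived cleanup. The sample lines are constructed from the two logs; the host list and the heuristics are assumptions drawn only from entries visible in this thread.

```python
import re
from collections import namedtuple
# Added example, not a tool from this thread: parse a HijackThis log, flag the
# patterns the helper acted on above, and diff two scans to show payload file names
# rotating. SCAN1/SCAN2 are constructed from the two logs posted in the thread.
Entry = namedtuple("Entry", "section key value")
HJT_LINE = re.compile(r"^(O\d+|R\d) - (.*?)(?: = (.*))?$")
BAD_HOSTS = ("quick-searcher.com", "selfsearch.biz")  # assumed: hosts seen in the logs
SCAN1 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bftna.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: (no name) - {CC086A15-62A9-AB60-EE8B-D823FC826E91} - C:\WINDOWS\addxi.dll
O4 - HKLM\..\Run: [iphn.exe] C:\WINDOWS\iphn.exe
O4 - Global Startup: winlgn.exe
"""
SCAN2 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ktnhl.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: (no name) - {CC086A15-62A9-AB60-EE8B-D823FC826E91} - C:\WINDOWS\addxi.dll
O4 - HKLM\..\Run: [atlly.exe] C:\WINDOWS\system32\atlly.exe
O4 - HKLM\..\RunOnce: [mscf.exe] C:\WINDOWS\system32\mscf.exe
"""

def parse_hjt(text):
    """Return the R*/O* lines of a HijackThis log as (section, key, value) tuples."""
    hits = (HJT_LINE.match(line.strip()) for line in text.splitlines())
    return [Entry(m.group(1), m.group(2), m.group(3) or "") for m in hits if m]

def flag(entry):
    """Reason string for a CWS-style entry (patterns visible in this thread), else None."""
    sec, key, val = entry
    if sec[0] == "R" and (val.startswith("res://") or any(h in val for h in BAD_HOSTS)):
        return "IE start/search page hijacked (res:// DLL or known host)"
    if sec == "O2" and "(no name)" in key:
        return "BHO with no name"
    if sec == "O4" and key.startswith("Global Startup:") and key.lower().endswith(".exe"):
        return "bare executable in Global Startup"
    if sec == "O4" and "RunOnce" in key:
        return "RunOnce entry (re-created on every reboot)"
    return None

def triage(text):
    """(entry key, reason) for every flagged line in a log, in log order."""
    return [(e.key, flag(e)) for e in parse_hjt(text) if flag(e)]

def changed_entries(old, new):
    """(added, removed) entries between two scans: exposes renamed payload files."""
    a, b = set(parse_hjt(old)), set(parse_hjt(new))
    return sorted(b - a), sorted(a - b)
```

Entries that reappear under a new random name between scans (the added/removed pairs) are the ones worth hunting for in the file system, not just in the registry keys HijackThis fixes.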
