• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
bfudeld

CWS_NS3 Highjacker Problem

2 posts in this topic

Hi There,

I to, like many others have been infected with CWS_NS3. I have read through many of your forum posts to get a feel for your instructions on getting rid of this persistant malware. I currently have Spy Sweeper 3.0, the newest version which recognizes CWS, quarantines and cleanes up the registery. My system stabalizes and is fine until I envoke IE again and once that happens.... everything is back and the problem persists. So Spy Sweeper is still missing something.

I have also tried some of the suggestions that you discussed on other postings with no luck. Cleaning up temp files etc. etc. So I am now forced to do my own post to get help

I have downloaded current versions of all the programs you have suggested and now have Spybot, Ad-aware, AboutBuster and HighjackThis available to me.

Here is my current HighjackThis log after running Ad-Aware and Spybot. Please help.

 

Logfile of HijackThis v1.98.0

Scan saved at 7:19:29 PM, on 7/29/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\csrss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\Explorer.EXE

C:\PROGRA~1\NORTON~1\navapw32.exe

C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE

C:\WINNT\System32\SK9910DM.EXE

C:\WINNT\GWMDMMSG.exe

C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\WINNT\System32\devldr32.exe

C:\Program Files\QuickTime\qttask.exe

C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Spy Sweeper\SpySweeper.exe

C:\Program Files\DIRECWAY\BIN\dpcstart.exe

C:\Program Files\EPSON\EPSON SMART PANEL for Scanner\ESPMAIN.EXE

C:\Clie\HOTSYNC.EXE

C:\Program Files\Nikon\NkView4\NkVwMon.exe

C:\QUICKENW\QWDLLS.EXE

C:\PROGRA~1\DIRECWAY\bin\dpcnav.exe

C:\WINNT\System32\PackethSvc.exe

C:\WINNT\System32\alg.exe

C:\WINNT\System32\drivers\CDAC11BA.EXE

C:\WINNT\System32\CTsvcCDA.exe

C:\PROGRA~1\DIRECWAY\bin\dpcproxy.exe

c:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINNT\System32\nvsvc32.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINNT\netit32.exe

C:\Program Files\Outlook Express\msimn.exe

C:\Utilities\Hijack This\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\iepgy.dll/sp.html#96676

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://iepgy.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://iepgy.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\iepgy.dll/sp.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\iepgy.dll/sp.html#96676

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://iepgy.dll/index.html#96676

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.net/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:83

R3 - Default URLSearchHook is missing

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {844B3206-C870-233B-78ED-338A80F0EE15} - C:\WINNT\system32\netku32.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"

O4 - HKLM\..\Run: [instantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h

O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE

O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe

O4 - HKLM\..\Run: [d3gc.exe] C:\WINNT\system32\d3gc.exe

O4 - HKLM\..\Run: [crno32.exe] C:\WINNT\system32\crno32.exe

O4 - HKLM\..\Run: [sysox.exe] C:\WINNT\system32\sysox.exe

O4 - HKLM\..\Run: [crpz.exe] C:\WINNT\system32\crpz.exe

O4 - HKLM\..\Run: [mshn.exe] C:\WINNT\system32\mshn.exe

O4 - HKLM\..\Run: [windq.exe] C:\WINNT\system32\windq.exe

O4 - HKLM\..\Run: [winvk32.exe] C:\WINNT\system32\winvk32.exe

O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - HKCU\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE

O4 - HKCU\..\Run: [spySweeper] "C:\Program Files\Spy Sweeper\SpySweeper.exe" /0

O4 - Global Startup: Adobe Gamma Loader.lnk = ?

O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE

O4 - Global Startup: CompuServe 2000 Tray Icon.lnk = C:\Program Files\CompuServe 2000\cstray.exe

O4 - Global Startup: Dpcstart.lnk = C:\Program Files\DIRECWAY\BIN\dpcstart.exe

O4 - Global Startup: EPSON SMART PANEL for Scanner.lnk = C:\Program Files\EPSON\EPSON SMART PANEL for Scanner\ESPMAIN.EXE

O4 - Global Startup: HotSync Manager.lnk = C:\Clie\HOTSYNC.EXE

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: NkVwMon.exe.lnk = C:\Program Files\Nikon\NkView4\NkVwMon.exe

O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200207...meInstaller.exe

O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB

O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://demo.spabiz.com/msrdp.cab

O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB

O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://www.gateway.com/support/serialharvest/gwCID.CAB

O16 - DPF: {CE37E095-ACFF-4380-A856-A560D389E5E1} (XPLControlProject.XPLControl) - hcp://system/XPLControl.CAB

O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?312

O17 - HKLM\System\CCS\Services\Tcpip\..\{4046EC4A-7624-40CD-90C6-8D369DDD7D9C}: Domain = direcway.com

O17 - HKLM\System\CCS\Services\Tcpip\..\{4046EC4A-7624-40CD-90C6-8D369DDD7D9C}: NameServer = 198.77.116.8

O17 - HKLM\System\CS1\Services\Tcpip\..\{4046EC4A-7624-40CD-90C6-8D369DDD7D9C}: Domain = direcway.com

O17 - HKLM\System\CS1\Services\Tcpip\..\{4046EC4A-7624-40CD-90C6-8D369DDD7D9C}: NameServer = 198.77.116.8

 

 

Thanks in advance.

Share this post


Link to post
Share on other sites

Hello please download About:Buster and unzip it to your desktop. Don´t run it yet.

 

How to use Ad-Aware to remove Spyware <= Please check this link for instructions on how to download, install and then use adaware. Don´t use it yet.

1 You already have Adaware installed. Make sure it's up to date. Just open Adaware and click on *Check for Updates Now* and then *Connect*. It will find a new reference-file. Click *ok* and let it download and install the updates by clicking on *Finish* .This will return you to the main screen. You should now see Reference File # : 01R333 18.07.2004 or higher listed.

 

2 Print out these instructions so you have them handy as most of the steps need to be done in safe mode and you may not be able to go online.

 

3. Next, go to Start->Run and type "Services.msc" (without quotes) then hit Ok

Scroll down and find the service called "Network Security Service". When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows. This service is installed by the malware. If this service is not listed go ahead with the next step.

 

4. Reboot to Safe Mode

How to start the computer in

Safe mode

 

5. Make sure your PC is configured to show hidden files

 

Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked.

Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"

Click "Apply" then "OK"

 

6.CLOSE ALL WINDOWS AND BROWSERS Scan with Hijack This and put checks next to all the following, then click "Fix Checked"

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\iepgy.dll/sp.html#96676

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://iepgy.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://iepgy.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\iepgy.dll/sp.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\iepgy.dll/sp.html#96676

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://iepgy.dll/index.html#96676

O2 - BHO: (no name) - {844B3206-C870-233B-78ED-338A80F0EE15} - C:\WINNT\system32\netku32.dll

O4 - HKLM\..\Run: [d3gc.exe] C:\WINNT\system32\d3gc.exe

O4 - HKLM\..\Run: [crno32.exe] C:\WINNT\system32\crno32.exe

O4 - HKLM\..\Run: [sysox.exe] C:\WINNT\system32\sysox.exe

O4 - HKLM\..\Run: [crpz.exe] C:\WINNT\system32\crpz.exe

O4 - HKLM\..\Run: [mshn.exe] C:\WINNT\system32\mshn.exe

O4 - HKLM\..\Run: [windq.exe] C:\WINNT\system32\windq.exe

O4 - HKLM\..\Run: [winvk32.exe] C:\WINNT\system32\winvk32.exe

 

7. Delete the following files if present.

C:\WINNT\iepgy.dll

C:\WINNT\netit32.exe

C:\WINNT\system32\netku32.dll

C:\WINNT\system32\d3gc.exe

C:\WINNT\system32\crno32.exe

C:\WINNT\system32\sysox.exe

C:\WINNT\system32\crpz.exe

C:\WINNT\system32\mshn.exe

C:\WINNT\system32\windq.exe

C:\WINNT\system32\winvk32.exe

 

8. Double click AboutBuster.exe that you downloaded earlier. Click OK, click Start, then click OK. This will scan your computer for the bad files and delete them. Save the report(copy and paste into notepad or wordpad and save as a .txt file) and post a copy back here when you are done with all the steps.

 

9. Scan with Adaware and let it remove any bad files found.

 

10. Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:

 

Temporary Files

Temporary Internet Files

Recycle Bin

 

11. Reboot to normal mode, scan again with Hijack This and post a new log here.

 

12. Finally, do an online scan HERE. Let it remove any infected files found.

 

Replace Deleted Files

It is also possible that the infection may have deleted up to three files from your system. If these files are present, to be safe I suggest you overwrite them with a new copy.

 

Go here and download the version of control.exe for your operating system. If you are running Windows 2000, copy it to c:\winnt\system32\. For Windows XP, copy it to c:\windows\system32\.

 

Download the Hoster from here Press 'Restore Original Hosts' and press 'OK'

Exit Program.

 

If you have Spybot S&D installed you may also need to replace one file.

Go here and download SDHelper.dll. Copy the file to the folder containing you Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)

 

Additionally, Please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your active x security settings in IE as recommended.

Go to Internet Options/Security/Internet, press 'default level', then OK.

Now press "Custom Level."

In the ActiveX section, set the first option, 'Download signed controls', to 'Prompt; set the

second option, 'Download unsigned controls', to 'Disable'; and finally, set 'Initialize and Script ActiveX controls not marked as safe" to 'Disable'.

Share this post


Link to post
Share on other sites
Sign in to follow this  
Followers 0