cws variant


3 replies to this topic

#1 ratai

ratai

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 15 June 2004 - 03:38 AM

Hi,

I have tried everything to remove a CWS redirection with SpywareBlaster, PestPatrol, Spybot, Ad-Aware, CWShredder and manual deletion in the registry, but at each boot I see my registry changed for the redirection, and the protection disabled for a lot of sites in Spybot and SpywareBlaster.
In PestPatrol it is a CWS.google.ms3, in Spybot a DSO exploit, and the name I found in the registry and in the disabled protection is often xxxtoolbar.

I have tried dllfix and afterwards, in Windows safe mode, three host redirections were found by Ad-Aware and CWShredder and removed from my system:
- CWS.Svchost32
- CWS.Smartsearch
- CWS.Jksearch

but they become...

Logfile of HijackThis v1.97.7
Scan saved at 10:36:41, on 15/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Sygate\SPF\smc.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Raxco\PerfectDisk\PDSched.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\essspk.exe
D:\PROGRA~1\Agnitum\TAUSCA~1.7\taumon.exe
D:\Program Files\SpyBlocker Software\spyblocker.exe
D:\WINDOWS\System32\ctfmon.exe
D:\WINDOWS\System32\tvicon.exe
D:\Program Files\dudez\protowall\ProtoWall.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\12Ghosts\12wash.exe
D:\Program Files\SpywareGuard\sgmain.exe
D:\Program Files\OpenOffice.org1.1.1\program\soffice.exe
D:\Program Files\SpywareGuard\sgbhp.exe
D:\Program Files\Avant Browser\iexplore.exe
C:\LOG\VIRUSETSPY\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://radiosplace.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft...B_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft...=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O1 - Hosts file is located at: D:\WINDOWS\System32\drivers\etc\hosts
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:\Program Files\SpywareGuard\dlprotect.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [KAVPersonal50] D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKLM\..\Run: [SmcService] D:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [Tau Monitor] D:\PROGRA~1\Agnitum\TAUSCA~1.7\taumon.exe
O4 - HKLM\..\Run: [SpyBlocker] D:\Program Files\SpyBlocker Software\spyblocker.exe
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [TridentTVIcon] tvicon.exe
O4 - HKCU\..\Run: [ProtoWall] D:\Program Files\dudez\protowall\ProtoWall.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: 12Ghosts Wash.lnk = D:\Program Files\12Ghosts\12wash.exe
O4 - Startup: OpenOffice.org 1.1.1.lnk = D:\Program Files\OpenOffice.org1.1.1\program\quickstart.exe
O4 - Startup: SpywareGuard.lnk = D:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: Bloquer ce serveur... - D:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Bloquer cette publicité... - D:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Ouvrir tous les liens de la page... - D:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Rechercher avec Google... - D:\Program Files\Avant Browser\Search.htm
O8 - Extra context menu item: Surligner - D:\Program Files\Avant Browser\Highlight.htm
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan....r/axscanner.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8147.5940740741
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab

What can I do?
Thanks

ratai

#2 ratai


Posted 15 June 2004 - 06:05 AM

Please help me.

#3 ratai


Posted 15 June 2004 - 06:45 AM

I should point out that in the beginning I had CWS.oslogo and CWS.google.ms3, which were removed, and now 3 different CWS... Is that normal?
I believe I have a system program that was replaced... but now I am starting to remove anything without good knowledge...
Here is my latest HijackThis log...

Logfile of HijackThis v1.97.7
Scan saved at 13:44:09, on 15/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Sygate\SPF\smc.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\essspk.exe
D:\PROGRA~1\Agnitum\TAUSCA~1.7\taumon.exe
D:\WINDOWS\System32\ctfmon.exe
D:\WINDOWS\System32\tvicon.exe
D:\Program Files\dudez\protowall\ProtoWall.exe
D:\Program Files\SpywareGuard\sgmain.exe
D:\Program Files\SpywareGuard\sgbhp.exe
D:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
D:\Program Files\Avant Browser\iexplore.exe
C:\LOG\VIRUSETSPY\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://radiosplace.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft...B_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft...=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsof...search.asp?p=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://windowsupdate.microsoft.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [KAVPersonal50] D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKLM\..\Run: [SmcService] D:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [Tau Monitor] D:\PROGRA~1\Agnitum\TAUSCA~1.7\taumon.exe
O4 - HKLM\..\Run: [SpyBlocker] D:\Program Files\SpyBlocker Software\spyblocker.exe
O4 - HKLM\..\Run: [THGuard] "D:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [TridentTVIcon] tvicon.exe
O4 - HKCU\..\Run: [ProtoWall] D:\Program Files\dudez\protowall\ProtoWall.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "D:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
O4 - Startup: SpywareGuard.lnk = D:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: Bloquer ce serveur... - D:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Bloquer cette publicité... - D:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Ouvrir tous les liens de la page... - D:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Rechercher avec Google... - D:\Program Files\Avant Browser\Search.htm
O8 - Extra context menu item: Surligner - D:\Program Files\Avant Browser\Highlight.htm
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8147.5940740741
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
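As an added example (not part of this thread, and not a tool the poster used): a small Python parser for HijackThis 1.97 entry lines that diffs the 10:36 and 13:44 scans posted above and flags O4 Run entries that give a bare file name rather than a full path, since those are the lines worth locating on disk before deciding anything. The log excerpts are copied from the two posts; the function names are assumptions of mine.

```python
import re

# Constructed excerpts of the two HijackThis logs in this thread (10:36 and 13:44 scans).
LOG_1036 = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://radiosplace.com/
O1 - Hosts file is located at: D:\WINDOWS\System32\drivers\etc\hosts
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:\Program Files\SpywareGuard\dlprotect.dll
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKCU\..\Run: [TridentTVIcon] tvicon.exe
O4 - HKCU\..\Run: [ProtoWall] D:\Program Files\dudez\protowall\ProtoWall.exe
""".strip()
LOG_1344 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://radiosplace.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [THGuard] "D:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKCU\..\Run: [TridentTVIcon] tvicon.exe
O4 - HKCU\..\Run: [ProtoWall] D:\Program Files\dudez\protowall\ProtoWall.exe
""".strip()

ENTRY = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
RUN = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")

def parse_hjt(text):
    """Return (kind, body) for every scan entry line, skipping header and process lines."""
    return [(m.group("kind"), m.group("body"))
            for m in (ENTRY.match(l.strip()) for l in text.splitlines()) if m]

def diff_logs(old_text, new_text):
    """Entries that appeared (added) or disappeared (removed) between two scans."""
    old, new = parse_hjt(old_text), parse_hjt(new_text)
    added = [e for e in new if e not in old]
    removed = [e for e in old if e not in new]
    return added, removed

def unqualified_run_entries(text):
    """O4 Run/RunOnce entries whose command names no directory: which file actually
    loads then depends on the search path, so these are worth locating by hand."""
    hits = []
    for kind, body in parse_hjt(text):
        m = RUN.match(body) if kind == "O4" else None
        if not m:
            continue
        cmd = m.group("cmd").strip()
        exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
        if "\\" not in exe:
            hits.append((m.group("name"), exe))
    return hits
```

Run `diff_logs(LOG_1036, LOG_1344)` against the full logs to see exactly which entries changed between boots, which is the question the poster is really asking.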

#4 ratai


Posted 15 June 2004 - 06:52 AM

Spybot found these keys:

Windows Explorer: Recent file global history (Clé du registre, fixed)
HKEY_USERS\S-1-5-21-839522115-1580436667-1060284298-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

Windows Explorer: Last visited history (6 files) (Clé du registre, fixed)
HKEY_USERS\S-1-5-21-839522115-1580436667-1060284298-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU

Windows Explorer: User Assistant history files (34 files) (Clé du registre, fixed)
HKEY_USERS\S-1-5-21-839522115-1580436667-1060284298-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count

Windows Explorer: User Assistant history IE (4 files) (Clé du registre, fixed)
HKEY_USERS\S-1-5-21-839522115-1580436667-1060284298-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count

Common Dialogs: History (23 files) (Clé du registre, fixed)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU

DSO Exploit: Data source object exploit (Modification du registre, fixed)
HKEY_USERS\S-1-5-21-839522115-1580436667-1060284298-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

Internet Explorer: Download directory (Modification du registre, fixed)
HKEY_USERS\S-1-5-21-839522115-1580436667-1060284298-1004\Software\Microsoft\Internet Explorer\Download Directory!=

Log: Shutdown: System32\wbem\logs\wmiprov.log (Sauver le fichier, fixed)
D:\WINDOWS\System32\wbem\logs\wmiprov.log

Log: Activity: imsins.log (Sauver le fichier, fixed)
D:\WINDOWS\imsins.log

Log: Activity: ntbtlog.txt (Sauver le fichier, fixed)
D:\WINDOWS\ntbtlog.txt

Log: Install: comsetup.log (Sauver le fichier, fixed)
D:\WINDOWS\comsetup.log

Log: Install: ocgen.log (Sauver le fichier, fixed)
D:\WINDOWS\ocgen.log

Log: Install: setupact.log (Sauver le fichier, fixed)
D:\WINDOWS\setupact.log

Log: Install: setupapi.log (Sauver le fichier, fixed)
D:\WINDOWS\setupapi.log

Log: Shutdown: System32\wbem\logs\wbemess.log (Sauver le fichier, fixed)
D:\WINDOWS\System32\wbem\logs\wbemess.log

Log: Shutdown: System32\wbem\logs\winmgmt.log (Sauver le fichier, fixed)
D:\WINDOWS\System32\wbem\logs\winmgmt.log

MS Direct3D: Most recent application (Modification du registre, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Direct3D\MostRecentApplication\Name!=

MS DirectDraw: Most recent application (Modification du registre, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication\Name!=

MS Media Player: Anonymous ID (Modification du registre, fixed)
HKEY_USERS\S-1-5-21-839522115-1580436667-1060284298-1004\Software\Microsoft\MediaPlayer\Preferences\SendUserGUID!=B=0

MS Regedit: Recent open key (Modification du registre, fixed)
HKEY_USERS\S-1-5-21-839522115-1580436667-1060284298-1004\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\LastKey!=

MS Wordpad: Recent file list (1 files) (Clé du registre, fixed)
HKEY_USERS\S-1-5-21-839522115-1580436667-1060284298-1004\Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Recent File List


--- Spybot - Search && Destroy version: 1.3 ---
2004-05-25 Includes\Cookies.sbi
2004-05-29 Includes\Dialer.sbi
2004-05-28 Includes\Hijackers.sbi
2004-05-28 Includes\Keyloggers.sbi
2004-05-12 Includes\LSP.sbi
2004-05-28 Includes\Malware.sbi
2004-05-04 Includes\Revision.sbi
2004-04-12 Includes\Security.sbi
2004-05-28 Includes\Spybots.sbi
2004-05-24 Includes\Tracks.uti
2004-05-28 Includes\Trojans.sbi
