ratai

cws variant

4 posts in this topic

Hi,

I have tried everything to remove a CWS redirection with SpywareBlaster, PestPatrol, Spybot, Ad-Aware, CWShredder and manual deletion in the registry, but at each boot I see my registry changed for the redirection, and the protection disabled for a lot of sites in Spybot and SpywareBlaster.

In PestPatrol it is cws.google.ms3, in Spybot a DSO Exploit, and the name I found in the registry and in the disabled protection is often xxxtoolbar.

I have tried dllfix and afterwards, in Windows safe mode, three host redirections were found by Ad-Aware and CWShredder and removed from my system:

- CWS.Svchost32

- CWS.Smartsearch

- CWS.Jksearch

but they come back...

 

Logfile of HijackThis v1.97.7

Scan saved at 10:36:41, on 15/06/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

D:\WINDOWS\System32\smss.exe

D:\WINDOWS\system32\winlogon.exe

D:\WINDOWS\system32\services.exe

D:\WINDOWS\system32\lsass.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\System32\svchost.exe

D:\Program Files\Sygate\SPF\smc.exe

D:\WINDOWS\system32\spoolsv.exe

D:\Program Files\Raxco\PerfectDisk\PDSched.exe

D:\WINDOWS\Explorer.EXE

D:\WINDOWS\essspk.exe

D:\PROGRA~1\Agnitum\TAUSCA~1.7\taumon.exe

D:\Program Files\SpyBlocker Software\spyblocker.exe

D:\WINDOWS\System32\ctfmon.exe

D:\WINDOWS\System32\tvicon.exe

D:\Program Files\dudez\protowall\ProtoWall.exe

D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

D:\Program Files\12Ghosts\12wash.exe

D:\Program Files\SpywareGuard\sgmain.exe

D:\Program Files\OpenOffice.org1.1.1\program\soffice.exe

D:\Program Files\SpywareGuard\sgbhp.exe

D:\Program Files\Avant Browser\iexplore.exe

C:\LOG\VIRUSETSPY\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://radiosplace.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens

O1 - Hosts file is located at: D:\WINDOWS\System32\drivers\etc\hosts

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:\Program Files\SpywareGuard\dlprotect.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [KAVPersonal50] D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize

O4 - HKLM\..\Run: [smcService] D:\PROGRA~1\Sygate\SPF\smc.exe -startgui

O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe

O4 - HKLM\..\Run: [Tau Monitor] D:\PROGRA~1\Agnitum\TAUSCA~1.7\taumon.exe

O4 - HKLM\..\Run: [spyBlocker] D:\Program Files\SpyBlocker Software\spyblocker.exe

O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [TridentTVIcon] tvicon.exe

O4 - HKCU\..\Run: [ProtoWall] D:\Program Files\dudez\protowall\ProtoWall.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - Startup: 12Ghosts Wash.lnk = D:\Program Files\12Ghosts\12wash.exe

O4 - Startup: OpenOffice.org 1.1.1.lnk = D:\Program Files\OpenOffice.org1.1.1\program\quickstart.exe

O4 - Startup: SpywareGuard.lnk = D:\Program Files\SpywareGuard\sgmain.exe

O8 - Extra context menu item: Bloquer ce serveur... - D:\Program Files\Avant Browser\AddAllToADBlackList.htm

O8 - Extra context menu item: Bloquer cette publicité... - D:\Program Files\Avant Browser\AddToADBlackList.htm

O8 - Extra context menu item: Ouvrir tous les liens de la page... - D:\Program Files\Avant Browser\OpenAllLinks.htm

O8 - Extra context menu item: Rechercher avec Google... - D:\Program Files\Avant Browser\Search.htm

O8 - Extra context menu item: Surligner - D:\Program Files\Avant Browser\Highlight.htm

O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8147.5940740741

O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab

O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

 

What can I do?

Thanks

 

ratai

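Reading a HijackThis log by hand is the usual triage step in threads like this one. As an added example (not part of the thread, and not HijackThis's own code), this Python script parses the log format and pulls out the two things a helper looks at first: R0/R1 browser pages whose host is outside a small trusted set, and O4 autoruns given as a bare file name rather than a full path. The sample log lines and the trusted-host set are constructed for the example from entries in the post above.

```python
import re
from urllib.parse import urlsplit

# Hosts a stock IE 6 start/search page legitimately points at (an assumption for
# this example; add any start page the user configured on purpose).
TRUSTED_HOSTS = {"www.microsoft.com", "home.microsoft.com",
                 "search.msn.com", "windowsupdate.microsoft.com"}

# Item lines are "<section> - <body>"; O4 Run/RunOnce bodies end "[Name] command".
ITEM_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
AUTORUN_RE = re.compile(r"\\Run(?:Once)?: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")

# Constructed sample modelled on the post's log (a handful of its lines, not all).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://radiosplace.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [smcService] D:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [THGuard] "D:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKCU\..\Run: [TridentTVIcon] tvicon.exe
"""

def parse_items(text):
    """Yield (section, body) for each HijackThis item line; other lines are skipped."""
    for line in text.splitlines():
        m = ITEM_RE.match(line.strip())
        if m:
            yield m.group("sec"), m.group("body")

def triage(text):
    """Return (kind, name, detail) findings that deserve a first look."""
    findings = []
    for sec, body in parse_items(text):
        if sec in ("R0", "R1"):
            key, _, value = body.partition(" =")
            host = urlsplit(value.strip()).hostname  # empty value -> None, ignored
            if host and host.lower() not in TRUSTED_HOSTS:
                findings.append(("hijacked-page", key, host))
        elif sec == "O4":
            m = AUTORUN_RE.search(body)
            if m:
                # A bare file name is resolved through the search path at logon, so
                # the log alone does not say which binary runs: locate and hash it.
                cmd = m.group("cmd").strip().strip('"')
                if not DRIVE_RE.match(cmd):
                    findings.append(("bare-autorun", m.group("name"), cmd))
    return findings
```

A flagged start page is not proof of infection on its own (the user may have set it), but a page that keeps reverting after cleaning, as described in the post, is the pattern worth chasing.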

I should add that in the beginning I had cws.oslogo and cws.google.ms3, which were removed, and now 3 different CWS... is that normal?

I believe I have a system program that was replaced... but now I am starting to remove anything without good knowledge...

Here is my latest HijackThis log...

 

Logfile of HijackThis v1.97.7

Scan saved at 13:44:09, on 15/06/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

D:\WINDOWS\System32\smss.exe

D:\WINDOWS\system32\csrss.exe

D:\WINDOWS\system32\winlogon.exe

D:\WINDOWS\system32\services.exe

D:\WINDOWS\system32\lsass.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\System32\svchost.exe

D:\Program Files\Sygate\SPF\smc.exe

D:\WINDOWS\System32\svchost.exe

D:\WINDOWS\system32\spoolsv.exe

D:\WINDOWS\Explorer.EXE

D:\WINDOWS\essspk.exe

D:\PROGRA~1\Agnitum\TAUSCA~1.7\taumon.exe

D:\WINDOWS\System32\ctfmon.exe

D:\WINDOWS\System32\tvicon.exe

D:\Program Files\dudez\protowall\ProtoWall.exe

D:\Program Files\SpywareGuard\sgmain.exe

D:\Program Files\SpywareGuard\sgbhp.exe

D:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

D:\Program Files\Avant Browser\iexplore.exe

C:\LOG\VIRUSETSPY\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://radiosplace.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://windowsupdate.microsoft.com/

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [KAVPersonal50] D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize

O4 - HKLM\..\Run: [smcService] D:\PROGRA~1\Sygate\SPF\smc.exe -startgui

O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe

O4 - HKLM\..\Run: [Tau Monitor] D:\PROGRA~1\Agnitum\TAUSCA~1.7\taumon.exe

O4 - HKLM\..\Run: [spyBlocker] D:\Program Files\SpyBlocker Software\spyblocker.exe

O4 - HKLM\..\Run: [THGuard] "D:\Program Files\TrojanHunter 3.9\THGuard.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [TridentTVIcon] tvicon.exe

O4 - HKCU\..\Run: [ProtoWall] D:\Program Files\dudez\protowall\ProtoWall.exe

O4 - HKLM\..\RunOnce: [spybotSnD] "D:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"

O4 - Startup: SpywareGuard.lnk = D:\Program Files\SpywareGuard\sgmain.exe

O8 - Extra context menu item: Bloquer ce serveur... - D:\Program Files\Avant Browser\AddAllToADBlackList.htm

O8 - Extra context menu item: Bloquer cette publicité... - D:\Program Files\Avant Browser\AddToADBlackList.htm

O8 - Extra context menu item: Ouvrir tous les liens de la page... - D:\Program Files\Avant Browser\OpenAllLinks.htm

O8 - Extra context menu item: Rechercher avec Google... - D:\Program Files\Avant Browser\Search.htm

O8 - Extra context menu item: Surligner - D:\Program Files\Avant Browser\Highlight.htm

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8147.5940740741

O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab

O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab


Spybot finds these keys:

 

Windows Explorer: Recent file global history (Clé du registre, fixed)

HKEY_USERS\S-1-5-21-839522115-1580436667-1060284298-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

 

Windows Explorer: Last visited history (6 files) (Clé du registre, fixed)

HKEY_USERS\S-1-5-21-839522115-1580436667-1060284298-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU

 

Windows Explorer: User Assistant history files (34 files) (Clé du registre, fixed)

HKEY_USERS\S-1-5-21-839522115-1580436667-1060284298-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count

 

Windows Explorer: User Assistant history IE (4 files) (Clé du registre, fixed)

HKEY_USERS\S-1-5-21-839522115-1580436667-1060284298-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count

 

Common Dialogs: History (23 files) (Clé du registre, fixed)

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU

DSO Exploit: Data source object exploit (Modification du registre, fixed)

HKEY_USERS\S-1-5-21-839522115-1580436667-1060284298-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

 

Internet Explorer: Download directory (Modification du registre, fixed)

HKEY_USERS\S-1-5-21-839522115-1580436667-1060284298-1004\Software\Microsoft\Internet Explorer\Download Directory!=

 

Log: Shutdown: System32\wbem\logs\wmiprov.log (Sauver le fichier, fixed)

D:\WINDOWS\System32\wbem\logs\wmiprov.log

 

Log: Activity: imsins.log (Sauver le fichier, fixed)

D:\WINDOWS\imsins.log

 

Log: Activity: ntbtlog.txt (Sauver le fichier, fixed)

D:\WINDOWS\ntbtlog.txt

 

Log: Install: comsetup.log (Sauver le fichier, fixed)

D:\WINDOWS\comsetup.log

 

Log: Install: ocgen.log (Sauver le fichier, fixed)

D:\WINDOWS\ocgen.log

 

Log: Install: setupact.log (Sauver le fichier, fixed)

D:\WINDOWS\setupact.log

 

Log: Install: setupapi.log (Sauver le fichier, fixed)

D:\WINDOWS\setupapi.log

 

Log: Shutdown: System32\wbem\logs\wbemess.log (Sauver le fichier, fixed)

D:\WINDOWS\System32\wbem\logs\wbemess.log

 

Log: Shutdown: System32\wbem\logs\winmgmt.log (Sauver le fichier, fixed)

D:\WINDOWS\System32\wbem\logs\winmgmt.log

 

MS Direct3D: Most recent application (Modification du registre, fixed)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Direct3D\MostRecentApplication\Name!=

 

MS DirectDraw: Most recent application (Modification du registre, fixed)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication\Name!=

 

MS Media Player: Anonymous ID (Modification du registre, fixed)

HKEY_USERS\S-1-5-21-839522115-1580436667-1060284298-1004\Software\Microsoft\MediaPlayer\Preferences\SendUserGUID!=B=0

 

MS Regedit: Recent open key (Modification du registre, fixed)

HKEY_USERS\S-1-5-21-839522115-1580436667-1060284298-1004\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\LastKey!=

 

MS Wordpad: Recent file list (1 files) (Clé du registre, fixed)

HKEY_USERS\S-1-5-21-839522115-1580436667-1060284298-1004\Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Recent File List

 

 

--- Spybot - Search && Destroy version: 1.3 ---

2004-05-25 Includes\Cookies.sbi

2004-05-29 Includes\Dialer.sbi

2004-05-28 Includes\Hijackers.sbi

2004-05-28 Includes\Keyloggers.sbi

2004-05-12 Includes\LSP.sbi

2004-05-28 Includes\Malware.sbi

2004-05-04 Includes\Revision.sbi

2004-04-12 Includes\Security.sbi

2004-05-28 Includes\Spybots.sbi

2004-05-24 Includes\Tracks.uti

2004-05-28 Includes\Trojans.sbi
