Cws.svchost32 Found By Cwshredder (every Run)


#1 ~whirled-peas~


  • Members
  • 1 posts
  • Local time:08:49 PM

Posted 27 August 2007 - 07:06 AM

Home network (2 PCs) w/ WiFi link to internet
WiFi link
D-link DI-624 Wireless Router on /27 subnet
Security currently disabled (no WEP/WPA at present)
MAC filtering
UPnP disabled
Static IPs by MAC - DHCP on for 1 IP only
Encore ENRXWI-G as Access Point Client
provides Ethernet connection to switch for home network

Notebook (focus of this post)
Acer Aspire 3000 - 3003WLMi w/Mobile Sempron 3000+
replaced (1) 128MB RAM board w/ 1GB board = 1.12GB RAM
Desktop (also having issues - will resolve later...)
ASUS A7N8X-E Deluxe w/Athlon XP 2500+
(2) 512MB RAM boards = 1GB RAM

DI-624 router has newest firmware from D-Link (v 2.76)
Both computers running WinXP Hm Ed w/SP2 and all current critical/security updates

I manually update (at least every 2-3 days) and scan using the following protection apps:
- Adaware SE Personal
- Spybot S&D
- SpywareBlaster <---- hard time remembering to update this one...
- avast!
- CleanUp!
- RegScrubXP
- RegCompact.NET

Recently added tools
- ATF Cleaner
- ComboFix
- a-squared Free
- AVG Anti-Spyware
- CCleaner
- HijackThis
- Sunbelt Personal Firewall <---- gets shut down and/or made inoperable

I understand CWS is supposed to only affect IE, but *something* is drastically affecting my notebook system. Online activity slows to a crawl, then very quickly stops altogether. Also, my router resets about every 10 minutes. At present, I had to login as Administrator (p/w protected) in Safe Mode (w/ntwkg) to access web at all.

Started about a week ago - click a link and ntwk icon in systray would flash 'outgoing' side but nothing 'incoming' and no display. Firefox will return "Server not found" "Request timed out" "Unable to connect" - or any number of other error msgs.

This has been a particular issue with accessing Yahoo Mail and tech-help support boards (such as this one). I d/l & ran CWShredder and at each run, see CWS.svchost32 is found and 'removed' but it reappears on the next run. I can even 'fix', watch it go by as 'removed' and then 'scan' on the next screen, and it shows up again.

I've also noticed TaskMgr/Processes will intermittently show blanks for User Name. At times I'll have an entry for svchost with a Mem Usage entry around 100K. When I End Process on that item, I can access web again - for a minute or two. This entry does not always appear when I'm having problems.

I also use IP Reset (netsh.exe int ip reset c:\ipreset.log), though I don't remember where I found this. I have to reset all my LAN adapter manual settings, but it usually works to restore connectivity, for a minute or two.

I'm attaching a HJT log for analysis. Thanks in advance!

Logfile of HijackThis v1.99.1
Scan saved at 6:54:59 AM, on 8/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://cwshredder.net/cwshredder/cwsredir....rget=chronicles
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ---------------------------------------
O1 - Hosts: google.com
O1 - Hosts: yahoo.com
O1 - Hosts: mail.yahoo.com
O1 - Hosts: time
O1 - Hosts: signin.ebay.com # - site has been hijacked 9:09 AM 8/18/2007 - Firefox cookies?
O1 - Hosts: 66.44.*.* dns1 (IPs manually edited for this post...)
O1 - Hosts: 66.44.*.* dns2
O1 - Hosts: ---------------------------------------
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Arcade\PCMService.exe"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [CleanUp!] C:\Program Files\CleanUp!\Cleanup.exe /WindowsRestart
O4 - HKCU\..\RunOnce: [Magnify] Magnify.exe (yes, my eyes are failing!)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{E29CA351-3F65-40CA-96A4-692199870301}: NameServer = 66.44.*.*,66.44.*.* (IPs manually edited for this post)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
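A first-pass triage of a log in the format posted above, added here as an example; it is not part of the original post and not HijackThis's own logic. The sample lines are constructed from the shape of that log, and the function names and flagging rules are assumptions chosen for illustration: they mark entries to review first, not verdicts.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines in the HijackThis 1.99.1 layout shown in the
# post above (IPs masked the same way the poster masked them).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\Program Files\Mozilla Firefox\firefox.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O1 - Hosts: mail.yahoo.com
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{E29CA351-3F65-40CA-96A4-692199870301}: NameServer = 66.44.*.*,66.44.*.*
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")  # e.g. "O23 - Service: ..."

# Review reasons per entry. These are triage heuristics picked for this
# example (assumptions), not a statement that an entry is malicious.
def reasons(code, body):
    found = []
    if code == "O1":
        found.append("hosts-file entry overrides DNS for this name")
    if code == "O17" and "NameServer" in body:
        found.append("statically configured DNS servers")
    if "(file missing)" in body:
        found.append("registered target no longer exists on disk")
    if code == "O23" and "Unknown owner" in body:
        found.append("no vendor name reported for the service binary")
    return found

def parse(log_text):
    """Group log entries by section code, skipping header and process lines."""
    sections = defaultdict(list)
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            sections[m.group(1)].append(m.group(2))
    return dict(sections)

def triage(log_text):
    """Return (code, entry, reasons) for every entry worth a second look."""
    hits = [(c, b, reasons(c, b)) for c, bs in parse(log_text).items() for b in bs]
    return [h for h in hits if h[2]]

if __name__ == "__main__":
    for code, body, why in triage(SAMPLE_LOG):
        print(f"{code}: {body}\n    -> " + "; ".join(why))
```
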



#2 Falu


  • Security Colleague
  • 3,001 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:07:49 PM

Posted 09 September 2007 - 04:14 PM

Hi ~whirled-peas~, :flowers:

If you still need help please post a fresh HijackThis log and I'll be happy to look at it for you.

A new version of HijackThis has now been released, so before you repost your log please download and install the new version by following the instructions in Step 9 of the Preparation Guide For Use Before Posting A Hijackthis Log.

Thanks for your patience! :thumbsup:
