Help Request : Removal of CWS_NS3


14 replies to this topic

#1 boardsailor (Members, 9 posts)

Posted 03 April 2005 - 08:52 AM

I have run Ad-Aware SE and Spy Sweeper and have not been successful in the removal of CWS_NS3. I have run the HijackThis tool and the log is below. However, I am not comfortable interpreting this as I am a novice at this. I need assistance.

LOG:

Logfile of HijackThis v1.99.1
Scan saved at 1:58:32 AM, on 3/31/2005
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\TEMP\ADAWARE\HIJACKTH.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
R3 - Default URLSearchHook is missing
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.tamu.edu"); (C:\apps\Netscape\Users\common\prefs.js)
O2 - BHO: Class - {A3F9FD31-3DFB-13C1-8E7D-BCEAF75A15DA} - C:\WINDOWS\APPSR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKLM\..\Run: [SYSYT.EXE] C:\WINDOWS\SYSYT.EXE
O4 - HKLM\..\RunServices: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe /RUNSERVICES
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\Network Associates\VirusScan\AVSYNMGR.EXE
O4 - HKLM\..\RunServices: [D3SF32.EXE] C:\WINDOWS\SYSTEM\D3SF32.EXE
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\hotsync.exe
O12 - Plugin for .swf: C:\APPS\NETSCAPE\NAVIGATOR\PROGRAM\PLUGINS\NPSWF32.dll
O12 - Plugin for .pdf: C:\APPS\NETSCAPE\NAVIGATOR\PROGRAM\PLUGINS\nppdf32.dll
O13 - WWW. Prefix: http://
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: Yahoo! Toki Toki Boom - http://download.games.yahoo.com/games/clients/y/vth_x.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = flash.net
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 209.30.0.9,209.30.0.100


#2 Grinler (Lawrence Abrams, Admin)

Posted 03 April 2005 - 04:18 PM

Print out these instructions and then close all windows including Internet Explorer.

Reboot your computer into Safe Mode

Then I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run HijackThis again, click Scan, and put a checkmark next to each of these. Then click the Fix button:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {A3F9FD31-3DFB-13C1-8E7D-BCEAF75A15DA} - C:\WINDOWS\APPSR.DLL
O4 - HKLM\..\Run: [SYSYT.EXE] C:\WINDOWS\SYSYT.EXE
O4 - HKLM\..\RunServices: [D3SF32.EXE] C:\WINDOWS\SYSTEM\D3SF32.EXE
O13 - WWW. Prefix: http://


Then delete these files or directories (do not be concerned if they do not exist):

C:\WINDOWS\APPSR.DLL
C:\WINDOWS\SYSYT.EXE
C:\WINDOWS\SYSTEM\D3SF32.EXE

Reboot your computer to go back to normal mode and post a new log.
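As an added illustration (not part of the thread, and not code from HijackThis or from the poster), the script below turns the triage applied in the post above into explicit heuristics and runs them over the entry lines of the first log in this thread. Its rules are this example's own reading of the clean-up: an R0/R1 value of about:blank or res:// and a missing default URLSearchHook are classic CoolWebSearch signs, a BHO or startup executable dropped directly into C:\WINDOWS or C:\WINDOWS\SYSTEM with a name nobody recognises is treated as hostile, and every O13 prefix entry is sent to the fix list because the thread fixes the one present. The allowlists of known-good startup items and components are assumptions for this one Windows 98 machine and would need re-checking elsewhere; the script is a reading aid for a log, not a substitute for a scanner or a human reviewer.

```python
# Heuristic triage of a HijackThis v1.99 log.  Added example, not code from
# the thread or from HijackThis; rules and allowlists are this example's own
# reading of the clean-up above and are assumptions for this Windows 98 box.
import re

# O4 startup items the thread leaves alone (assumption).
KNOWN_GOOD_STARTUP = {"systray.exe", "irmon.exe", "rundll32.exe", "spysweeper.exe",
                      "webscanx.exe", "avsynmgr.exe", "hotsync.exe"}
# O2/O3 components the thread leaves alone (assumption).
KNOWN_GOOD_BHO = {"msdxm.ocx"}

ENTRY_RE = re.compile(r"^(?P<code>[RNOF]\d+) - (?P<body>.+)$")
# A file sitting directly in C:\WINDOWS or C:\WINDOWS\SYSTEM.
WINDOWS_DIR_RE = re.compile(r"^c:\\windows(\\system)?\\[^\\]+$", re.IGNORECASE)
# Leading program path of a command line, quoted or not, arguments dropped.
EXE_RE = re.compile(r'^"?(.+?\.(?:exe|dll|ocx|com|scr))\b', re.IGNORECASE)

# Entry lines copied from the first log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {A3F9FD31-3DFB-13C1-8E7D-BCEAF75A15DA} - C:\WINDOWS\APPSR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKLM\..\Run: [SYSYT.EXE] C:\WINDOWS\SYSYT.EXE
O4 - HKLM\..\RunServices: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe /RUNSERVICES
O4 - HKLM\..\RunServices: [D3SF32.EXE] C:\WINDOWS\SYSTEM\D3SF32.EXE
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\hotsync.exe
O13 - WWW. Prefix: http://
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 209.30.0.9,209.30.0.100
"""

def parse_entries(log_text):
    """Yield (code, body, raw) for every 'Rn/Nn/On/Fn - ...' line."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("code"), m.group("body"), line.strip()

def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def _o4_program(body):
    # Body is 'HKLM\..\Run: [Name] cmd args' or 'Startup: Foo.lnk = cmd args'.
    cmd = body.split("] ", 1)[1] if "] " in body else body.split(" = ", 1)[-1]
    m = EXE_RE.match(cmd.strip())
    return m.group(1) if m else cmd.strip()

def classify(code, body):
    """Return why the entry should be fixed, or None if it looks benign."""
    if code in ("R0", "R1"):
        value = body.rsplit(" = ", 1)[-1].strip().lower()
        if value == "about:blank" or value.startswith("res://"):
            return "IE page hijacked to about:blank/res:// (a CWS hallmark)"
    elif code == "R3" and "is missing" in body:
        return "default URLSearchHook removed; CWS replaces or deletes it"
    elif code in ("O2", "O3"):
        path = body.rsplit(" - ", 1)[-1].strip()
        if path.lower() == "(no file)":
            return "orphaned BHO/toolbar registration"
        if _basename(path) not in KNOWN_GOOD_BHO and WINDOWS_DIR_RE.match(path):
            return "unknown BHO/toolbar dropped straight into the Windows directory"
    elif code == "O4":
        path = _o4_program(body)
        if _basename(path) in KNOWN_GOOD_STARTUP:
            return None
        if "\\" not in path or WINDOWS_DIR_RE.match(path):
            return "unknown program auto-started from the Windows directory"
    elif code == "O13":
        return "IE URL prefix entry; CWS tampers with these and the thread fixes it"
    return None

def triage(log_text):
    """Return [(raw_line, reason)] for entries the heuristics say to fix."""
    findings = []
    for code, body, raw in parse_entries(log_text):
        reason = classify(code, body)
        if reason:
            findings.append((raw, reason))
    return findings

def fix_list(log_text):
    """Only the log lines to tick in HijackThis, in log order."""
    return [raw for raw, _ in triage(log_text)]

if __name__ == "__main__":
    for raw, reason in triage(SAMPLE_LOG):
        print(f"FIX  {raw}\n     -> {reason}")
```

Run against the embedded log, the fix list comes out as exactly the six entries ticked in the post above, while the Netscape keyword search URL, the McAfee and Spy Sweeper startup items, the Radio toolbar and the flash.net name servers are left alone. The interesting design point is the O4 rule: rather than trying to recognise malware names, it treats "unknown file, living in the Windows directory, started from Run or RunServices" as the signal, which is what SYSYT.EXE and D3SF32.EXE have in common and what the legitimate entries in Program Files do not.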

#3 boardsailor (Topic Starter)

Posted 07 April 2005 - 08:35 AM

Thanks very much for the help/guidance. I am posting the result log that I ran after fixing things as you indicated. Note that I did not find C:\WINDOWS\APPSR.DLL, FYI.

My system seemed to work better; however, I have an application that hangs. Suggestions? The application is PC COMMUNICATION Assistant by COZMO. This is an application that is used to upload blood sugar and dosage readings from an insulin pump. The medium for communication is IR.

LOG RESULT:

Logfile of HijackThis v1.99.1
Scan saved at 9:36:11 PM, on 4/6/2005
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVSYNMGR.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSSTAT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVCONSOL.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSHWIN32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\PROGRAM FILES\PALM\HOTSYNC.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\TEMP\ADAWARE\HIJACKTH.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.tamu.edu"); (C:\apps\Netscape\Users\common\prefs.js)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKLM\..\RunServices: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe /RUNSERVICES
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\Network Associates\VirusScan\AVSYNMGR.EXE
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\hotsync.exe
O12 - Plugin for .swf: C:\APPS\NETSCAPE\NAVIGATOR\PROGRAM\PLUGINS\NPSWF32.dll
O12 - Plugin for .pdf: C:\APPS\NETSCAPE\NAVIGATOR\PROGRAM\PLUGINS\nppdf32.dll
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: Yahoo! Toki Toki Boom - http://download.games.yahoo.com/games/clients/y/vth_x.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = flash.net
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 209.30.0.9,209.30.0.100

#4 boardsailor (Topic Starter)

Posted 07 April 2005 - 08:38 AM

OOPS. Wanted to ask another question.

I am running WINDOWS 98 and use dial-up for internet. Is there something that I can do software and/or hardware wise to protect my system from future attacks?

#5 Grinler (Lawrence Abrams, Admin)

Posted 07 April 2005 - 11:48 AM

I will let you know about the prevention steps afterwards. Let's get your program working first, as your health comes first!

Let's restore files that may have been deleted by this infection:
Please download shell.dll from here: shell-dll98.zip. Once the file is downloaded, uncompress the zip file and copy shell.dll to the following location:

c:\windows\system

Then try your program and tell me if it works.

#6 boardsailor (Topic Starter)

Posted 11 April 2005 - 08:33 AM

I downloaded the shell.dll as suggested. When I attempted to copy it to the specified directory, the system would not allow it as the shell was in use. Checking the directory, the shell file was still there.

However, I still have issues with the IR port of the system.

I did do some additional testing to try and figure out what was going on. I was able to send a text file from my system to my PDA. However, I could not send a file from my PDA to the system. IRMON seems to recognize that something is there but is not executing the receive function. Suggestions? I am thinking that I might try uninstalling IRMON and then reinstalling it.

#7 Grinler (Lawrence Abrams, Admin)

Posted 11 April 2005 - 11:14 AM

Yeah, at this point I do not think we are dealing with a malware issue. Reinstalling the driver may do it.

#8 boardsailor (Topic Starter)

Posted 14 April 2005 - 06:56 AM

Well, I have spent some time over the last couple of days trying to uninstall IRMON to attempt to fix it by reinstalling. The first thing that I tried was to stop SPY SWEEPER from running in the background, thinking that it might have been inhibiting the upload through the IR port, a thought anyway. It still did not work. So I pressed on and found the EXTENDED SYSTEMS hardware and software and removed them. But when attempting to reinstall, I got a message stating that I needed to remove MICROSOFT IRMON V3.0 first and to see help online for instructions; a lot of help that was. Can you help with this?

#9 Grinler (Lawrence Abrams, Admin)

Posted 14 April 2005 - 02:29 PM

If you look under add/remove programs is that listed there?

#10 boardsailor (Topic Starter)

Posted 14 April 2005 - 02:41 PM

It is not listed under Add/Remove Programs. Note that I am using WINDOWS 98.

#11 Grinler (Lawrence Abrams, Admin)

Posted 14 April 2005 - 02:47 PM

Try fixing this:

O4 - HKLM\..\Run: [IrMon] IrMon.exe

and then reboot and try again.

#12 boardsailor (Topic Starter)

Posted 18 April 2005 - 11:11 AM

I executed the suggestion and it did remove it from that list, but there is still something there that the EXTENDED SYSTEMS install sees as MICROSOFT IRMON v3.0 running.

#13 Grinler (Lawrence Abrams, Admin)

Posted 18 April 2005 - 08:28 PM

If it's not in Device Manager and not starting up, I am not sure what else to have you try.

#14 boardsailor (Topic Starter)

Posted 19 April 2005 - 12:03 PM

I have thought about "format c:"!

Seriously, I have reinstalled WINDOWS 98 again but still have the same symptoms.

Some additional info that may be relevant:

The IR device is from EXTENDED SYSTEMS and connects to my PC via USB.

I found and removed the EXTENDED SYSTEMS application via ADD/REMOVE PROGRAMS. I found and removed the IR hardware via ADD/REMOVE HARDWARE. And I have removed the IR device from my PC and rebooted.

#15 Grinler (Lawrence Abrams, Admin)

Posted 19 April 2005 - 12:36 PM

I really wish I could give you further advice, but I don't know what else to have you try.



