
CWS_NS3/OnlyTheBest



#1 Sdrabor


Posted 26 May 2005 - 08:52 AM

I have a Win98 machine that appears to be running the above CWS. I've run through the entire cleaning process described at http://www.pchell.com/support/onlythebest.shtml but I haven't been able to find the root of the problem. I was able to get rid of quite a bit of the extra spyware and other junk, but the root still remains. :thumbsup: After finishing the clean, I could see that items I had removed had started to reappear. This log file was taken right after the above processes had been performed.

Thanks to everyone for any help...

Logfile of HijackThis v1.99.0
Scan saved at 11:49:35 AM, on 5/18/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\NORTON ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\D3CR.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\WINDOWS\IPIZ32.EXE
C:\WINDOWS\ADDXX32.EXE
C:\WINDOWS\ADDXX32.EXE
C:\WINDOWS\ADDXX32.EXE
C:\WINDOWS\DESKTOP\ADWARE\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\chsvx.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\chsvx.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\chsvx.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\chsvx.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\chsvx.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\chsvx.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\chsvx.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {B45FBA8B-32EC-569B-FC95-4D0D6A512D7B} - C:\WINDOWS\SYSTEM\JAVABN32.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [EPSON Stylus C82 Series] C:\WINDOWS\SYSTEM\E_S0HIC1.EXE /P23 "EPSON Stylus C82 Series" /O5 "LPT1:" /M "Stylus C82"
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NORTON~1\vptray.exe
O4 - HKLM\..\Run: [COMSMDEXE] comsmd.exe -off
O4 - HKLM\..\Run: [SDKFG.EXE] C:\WINDOWS\SYSTEM\SDKFG.EXE
O4 - HKLM\..\Run: [D3CR.EXE] C:\WINDOWS\D3CR.EXE
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\NORTON~1\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\NORTON~1\defwatch.exe
O4 - HKLM\..\RunServices: [IPIZ32.EXE] C:\WINDOWS\IPIZ32.EXE /s
O4 - HKLM\..\RunServices: [ADDXX32.EXE] C:\WINDOWS\ADDXX32.EXE /s
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {0FAA926E-2AF4-11D3-9995-00A0CC3A27A9} (Infragistics ComboBox Control) - http://www.timecentre2000.com/status/Common/pvcombo.cab
O16 - DPF: {E9C9692E-F93C-11D1-ABB0-0040054FC6FB} (Infragistics DataTable Control 8.0 (OLEDB)) - http://www.timecentre2000.com/status/Common/pvdt80.cab
O16 - DPF: {7823A620-9DD9-11CF-A662-00AA00C066D2} (PopupMenu Object) - http://www.timecentre2000.com/Status/Common/iemenu.cab
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://www.timecentre2000.com/viewer/activ...tivexviewer.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://epicorevents.webex.com/client/v_myw...ent/ieatgpc.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = thepark.net
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 66.195.138.18,207.250.158.66


#2 SirJon

Malware Response Team

Posted 26 May 2005 - 07:33 PM

Hello Sdrabor and Welcome! :thumbsup:
Sorry you're having malware trouble.

PLEASE PRINT OUT THESE INSTRUCTIONS BEFORE PROCEEDING.
FOLLOW ALL THE INSTRUCTIONS SLOWLY AND CAREFULLY.

STEP 1:
Please make sure that you can view all hidden files.
Instructions on how to do this can be found here.

STEP 2:
Please download CWShredder™ Version 2.1 here.
Save it to its own folder named CWShredder and place it at the root of your C:\drive along with HijackThis.
Don't run it yet, we will use it later.

STEP 3:
Download AboutBuster by RubbeR DuckY here.
Save it to its own folder named AboutBuster and place it at the root of your C:\drive along with HijackThis.
Don't run it yet, we will use it later.

STEP 4:
Download and install the latest version of Ad-Aware SE (Ad-Aware SE Build 1.05) here
NOTE: If you are still using the older Ad-Aware 6, go to Add/Remove Programs in the Control Panel and uninstall it now before installing Ad-Aware SE
Please configure the program by following these instructions here. Before scanning click on "Check for updates now" to make sure you have the latest reference file.
Don't run it yet, we will use it later.

STEP 5:
Download the eScan Antivirus Toolkit here.
Save it to the desktop. This program is 9.9MB in size.
Don't run it yet, we will use it later.

STEP 6:
From Safe Mode, copy the contents of the Quote Box below to Notepad. Name the file as cwsfix.reg. Change the Save as Type to All Files, Save this file on the desktop. Please DO NOT include the word QUOTE when saving the file.

REGEDIT4

; A leading "-" in a key name deletes that key when the file is merged.

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]


STEP 7:
Please reboot into Safe Mode. For instructions click here
Get into Safe Mode using the F8 Key on your keyboard:
1.) Locate the F8 key on your keyboard and then reboot your PC. (Start, Shutdown, Restart)
2.) As soon as the monitor screen goes black, immediately start tapping the F8 key repeatedly until you are presented with a Windows menu.
3.) Select the option for Safe Mode using the up down arrow keys.
4.) Then press Enter on your keyboard to boot into Safe Mode.
5.) Perform all the cleaning tasks here.

STEP 8:
From Safe Mode, double-click on CWShredder.exe to open it, click the 'Fix->' button (not 'Scan Only') and you'll be prompted that CWShredder will shutdown any Internet Explorer and Windows Media Player windows, click OK to continue and let it run completely to delete anything it finds. After its scan, click Next, then Exit.

STEP 9:
From Safe Mode, browse to C:\AboutBuster and double click on aboutbuster.exe. When the tool is open press the OK button, then the Start button, then the OK button, and then finally the Yes button. It will start scanning your computer for rogue files and automatically run a second time.

STEP 10:
From Safe Mode, run the eScan Antivirus Toolkit. Please follow these instructions:
1.) Double-click on the mwav.exe file saved to the desktop. A WinZip Self-Extractor will appear.
2.) Click Unzip, by default it will extract all the program files to a new folder called Kaspersky at the root of the C:\drive. (C:\Kaspersky).
3.) A dialog box stating "168 file(s) unzipped successfully" will appear, click OK. After clicking ok, the eScan AntiVirus Toolkit Utility interface will appear.
4.) With the eScan interface on your desktop, make sure that the boxes under Scan Option, Memory, Registry, Startup Folders, System Folders, Services, are all checked.
5.) Check the Drive box, this will create another Drive box below it, check this second Drive box as well, now a large window across from the second Drive box appears. In this window use the drop-down arrow and choose the drive letter of your hard drive, usually C:\.
6.) Below these boxes, make sure the box Scan All Files is checked, not Program Files.
7.) Click the Scan Clean button and let the utility run until it completes a thorough scan of your hard drive. eScan will delete any viruses or trojans it finds.
8.) When the scan has finished, the top window will read Scan Completed. To close the interface, click OK, click Exit, then click Exit again.

STEP 11:
From Safe Mode, run the Ad-Aware SE program you downloaded and configured earlier, make sure "Perform full system scan" is checked, let it scan the hard drive and delete all entries it finds. Run the program again a second time.

STEP 12:
Now double-click on the cwsfix.reg file, and when it prompts to merge say yes, and this will clear some registry entries left behind by the process.

STEP 13:
From Safe Mode, please delete the following files and/or folders:
Go to Start, Find, For Files or Folders, and type in each file or folder name.

C:\WINDOWS\D3CR.EXE <----Delete this file.
C:\WINDOWS\IPIZ32.EXE <----Delete this file.
C:\WINDOWS\ADDXX32.EXE <----Delete this file.
C:\WINDOWS\SYSTEM\SDKFG.EXE <----Delete this file.

STEP 14:
Now reboot the PC back into Normal Mode (Windows), open HijackThis, click "Do a system scan and save a logfile", copy and paste the contents of the new logfile here for review.

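As an added illustration (not part of this thread, of HijackThis, or of the tools SirJon lists), the Python script below applies the same checks the reply above makes by hand to log lines in the format posted in #1: R0/R1 entries whose IE start or search page points at a res:// DLL resource or at about:blank, the nameless "Class" BHO, O4 autostarts of the files listed for deletion in STEP 13, and O16 packages installed from a file:// path. The sample log is constructed from post #1; the KNOWN_BAD_FILES set and the other heuristics are this example's own assumptions, not rules from the page.

```python
import re

# Constructed sample in the HijackThis v1.99 line format seen in post #1.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\chsvx.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: Class - {B45FBA8B-32EC-569B-FC95-4D0D6A512D7B} - C:\WINDOWS\SYSTEM\JAVABN32.DLL
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NORTON~1\vptray.exe
O4 - HKLM\..\RunServices: [ADDXX32.EXE] C:\WINDOWS\ADDXX32.EXE /s
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
"""

# Files the reply in post #2 told the poster to delete (assumption: lower-cased for matching).
KNOWN_BAD_FILES = {"d3cr.exe", "ipiz32.exe", "addxx32.exe", "sdkfg.exe"}

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")   # "R1 - ..." / "O4 - ..."
EXE_RE = re.compile(r"\\([^\\\s]+\.exe)", re.IGNORECASE)       # last path element ending in .exe

def classify(line):
    """Return a reason string if the entry looks like a CWS indicator, else None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    value = body.rsplit(" = ", 1)[1].strip() if " = " in body else ""
    if sec in ("R0", "R1"):
        if value.lower().startswith("res://"):
            return "IE start/search page redirected into a local DLL resource"
        if value.lower() == "about:blank":
            return "IE default page hijacked to about:blank"
    elif sec == "O2" and body.startswith("BHO: Class -"):
        return "BHO with a generic 'Class' name, typical of randomly named CWS DLLs"
    elif sec == "O4":
        if any(exe.lower() in KNOWN_BAD_FILES for exe in EXE_RE.findall(body)):
            return "autostart of a file identified for deletion in this thread"
    elif sec == "O16" and "- file://" in body.lower():
        return "ActiveX package sourced from a local file:// path rather than a web site"
    return None

def triage(log_text):
    """Return [(entry, reason)] for every flagged entry, in log order."""
    pairs = ((l.strip(), classify(l)) for l in log_text.splitlines())
    return [(entry, reason) for entry, reason in pairs if reason]

if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {entry}")
```

Entries such as the Norton vptray autostart, the Yahoo cab from an http:// source and the O17 name servers are left unflagged, which mirrors the reply: only the res://, about:blank, BHO, listed-file and file:// items are acted on.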
#3 Sdrabor


Posted 31 May 2005 - 09:03 AM

Wow! Thanks so much for the quick reply! :thumbsup: I will post my new info as soon as I'm able to run all these steps.

#4 Sdrabor


Posted 06 June 2005 - 04:50 PM

Just wanted to let those of you that were helping me know. We ended up deciding to just buy a new computer, since the cost of a new computer is most likely going to be less than the cost of working on this computer for multiple more hours. Thanks to those of you with your input. Really appreciated. :thumbsup:

#5 SirJon

Malware Response Team

Posted 06 June 2005 - 10:32 PM

You are welcome. :thumbsup:

You can send me your old infected PC if you want, I'll take it.....just kidding. :flowers:
