Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

CWS_NS3 infection? HJT log


  • Please log in to reply
30 replies to this topic

#1 melbb

melbb

  • Members
  • 194 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:07:18 PM

Posted 19 January 2005 - 12:31 PM

Hi. I became suspicous that I had spyware but Ad-Aware and Spybot did not come up with anything except a DSO exploit from Spybot that shows up in every scan (does anyone know anything about this?). I wasn't satisfied and downloaded a bunch of free programs. Spy Sweeper said it found CWS_NS3, but it keeps showing up in new scans. I have not seen any evidence of this infection (hijacks, etc). I am only moderatly computer literate, so I would appreciate pretty detailed instructions if there is a problem. Here is my HJT log:

Logfile of HijackThis v1.97.7
Scan saved at 10:29:45 PM, on 1/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\NZSearch\hcm.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
c:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Melanie Beebe.CT18M51.000\Desktop\Spyware Detection\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://my.netzero.net/s/sp?r=al&cf=sp&mem=...=7.NQ4&N=PV&O=A
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DwlClient] c:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [BuildBU] c:\dell\bldbubg.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [hpfsched] C:\WINDOWS\hpfsched.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\hcm.exe" -w
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\MELANI~1.000\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher\Scheduler daemon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MUSICMATCH MX Web Player (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O15 - Trusted Zone: http://www.amazon.com
O15 - Trusted Zone: http://*.bankofamerica.com
O15 - Trusted Zone: http://*.naturallycurly2.com
O15 - Trusted Zone: http://*.netzero.net
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1095136692812
O16 - DPF: {C75BE5CC-7F80-458C-8B66-FAB86E3B13C3} (FotkiUploader Control) - http://images.fotki.com/activex/FotkiUploader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

Edited by melbb, 19 January 2005 - 12:39 PM.


BC AdBot (Login to Remove)

 


#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,718 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:06:18 PM

Posted 19 January 2005 - 11:23 PM

You are using an outdated version of hijackthis. Please download the newer version.

Download HijackThis from:

HijackThis Download Site

Then post a new log

#3 melbb

melbb
  • Topic Starter

  • Members
  • 194 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:07:18 PM

Posted 20 January 2005 - 01:48 AM

The new version crashed when I tried to run it. Here is the log for version 1.98.2:

Logfile of HijackThis v1.98.2
Scan saved at 10:46:05 PM, on 1/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
c:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\AdBlocking\NSMdtr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Messenger\msmsgs.exe
C:\DOCUME~1\MELANI~1.000\LOCALS~1\Temp\Temporary Directory 1 for HijackThis1982.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.net/s/sp?r=al&cf=sp&mem=...=7.NQ4&N=PV&O=A
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DwlClient] c:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [BuildBU] c:\dell\bldbubg.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [hpfsched] C:\WINDOWS\hpfsched.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\MELANI~1.000\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\hcm.exe" -w
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher\Scheduler daemon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {F2570A0D-001D-477D-93D1-D05EF5EB95CD} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.amazon.com
O15 - Trusted Zone: http://*.bankofamerica.com
O15 - Trusted Zone: http://*.naturallycurly2.com
O15 - Trusted Zone: http://*.netzero.net
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1095136692812
O16 - DPF: {C75BE5CC-7F80-458C-8B66-FAB86E3B13C3} (FotkiUploader Control) - http://images.fotki.com/activex/FotkiUploader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{35E4E0CE-6F62-4A69-AB78-69228B37B82F}: NameServer = 205.188.146.145
O17 - HKLM\System\CS1\Services\Tcpip\..\{35E4E0CE-6F62-4A69-AB78-69228B37B82F}: NameServer = 205.188.146.145

#4 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,718 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:06:18 PM

Posted 20 January 2005 - 05:24 PM

Nothing bad that I see here.

Try some online scans like:

Please run two online virus scans:

http://housecall.antivirus.com/
http://www.pandasoftware.com/activescan/

Then let us know if its working better and what the scans found.

#5 melbb

melbb
  • Topic Starter

  • Members
  • 194 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:07:18 PM

Posted 21 January 2005 - 02:19 AM

I ran both housecall and panda and they found nothing. So my questions are:

Why can I not run v1.99.0 of HJT if there is nothing "bad" on my computer?
Why does Spy Sweeper keep saying I have CWS_NS3?

Spy Sweeper will detect one spyware file and 3 traces. I tell it to remove and if I rescan, nothing shows up. But after a couple of reboots, it is supposedly back again.

To give a little more info on why I initially became suspicous I had spyware (or something), I was running Cyberscrub Prof to delete some files and my internet activity, and it would go through most of the process and then say that it couldn't delete some files without restarting the computer. So it restarts and then says it cannot delete the files because they are in use by some program. The files are always in the temp folder and have long names (random letters). The same thing happens if I use Cyberscrub to erase what is in the recycle bin. So I checked the temp folder. There is a program file called rtdrvmon, that I know nothing about. I can usually delete it in the temp folder of a user other than myself (my husband) who is not logged on, but not from the logged on users temp folder. But, the file always shows up again. When I first noticed this a couple of months ago, I could find no information on the internet about it. I just did a search now and came up with 3 hits from another computer forum, just posted this year. I can't really make sense of it from what I read. Here are the links.

http://forums.net-integration.net/index.ph...pic=26974&st=0&
http://forums.net-integration.net/index.ph...7150entry127150

Please help. I don't mean to be paranoid, but I think something is going on here. Thank you.

Edited by melbb, 21 January 2005 - 02:22 AM.


#6 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,718 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:06:18 PM

Posted 21 January 2005 - 09:25 AM

Where are these files located that keep being found?

Also version 1.99.0 has a known bug where certain clean machines crash when using it. You can read more from the author here:

http://www.merijn.org/

A new version is in the works

#7 melbb

melbb
  • Topic Starter

  • Members
  • 194 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:07:18 PM

Posted 21 January 2005 - 12:19 PM

Are you referring to the CWS files or rtdrvmon?

If you are referring to the CWS traces, I don't know. I have never looked into it, just let Spy Sweeper take care of it. How can I tell where those files are?

If you are referring to the rtdrvmon program, it is in C:\Windows\temp and C:\Documents and Settings\Melanie Beebe.CT18M51.000\Local Settings\Temp.

#8 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,718 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:06:18 PM

Posted 21 January 2005 - 12:34 PM

When spysweeper finds the files..what are the names and where are they located on your computer?

I want to take a look at the rtdrvmon file. See if you can find the file and copy it to your c:\ drive.

Then do the following:

I need to get samples of some of your files. Please create a folder called c:\submit. Now copy the following files into that directory:

c:\rtdrvmon.exe

To copy the files simply navigate to the directory they are in and right click on them and then click on copy. Then paste these files into the c:\submit directory. Once the files are all copied I need you to zip the folder. If you are using XP or ME right-click on the folder and click on the Send To option and then send it to a compressed folder. You will now see a file called submit.zip. If you are using another version of Windows, please download a program called Winzip and zip it using that. Then go to http://www.bleepingcomputer.com, fill in the required fields, and browse to the file. Then click on the Send File button.

#9 melbb

melbb
  • Topic Starter

  • Members
  • 194 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:07:18 PM

Posted 21 January 2005 - 09:49 PM

With regard to Spy Sweeper, I made an error in saying it finds a file. It lists the number of spywares found (in my case, one, being CWS-NS3), then lists the number of traces (in my case, three). The traces are in the registry. This is what it lists:

HKEY_LOCAL_MACHINE\software\policies\microsoft\internet explorer\infodelivery

HKEY_LOCAL_MACHINE\software\policies\microsoft\internet explorer\infodelivery\restrictions

HKEY_LOCAL_MACHINE\software\policies\microsoft\internet explorer\infodelivery\restrictions || nosplash


With regard to rtdrvmon, I was able to copy it and make a zip file and will submit it now.

Thanks.

#10 melbb

melbb
  • Topic Starter

  • Members
  • 194 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:07:18 PM

Posted 21 January 2005 - 09:52 PM

Grinler, I successfully submitted the rtdrvmon zip file.

#11 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,718 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:06:18 PM

Posted 22 January 2005 - 04:44 PM

rtdrvmon is part of your realtek audio....its ok so can be ignored.

As for those three registry entries, why does spysweeper say it cant fix them? If you want to remove them download the attached reg file to your desktop and double-click on it. When it asks if you would like to merge the information, please do so.

Attached Files



#12 melbb

melbb
  • Topic Starter

  • Members
  • 194 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:07:18 PM

Posted 23 January 2005 - 01:48 AM

Spy Sweeper does not say it can't fix them. It fixes them, and when I repeat the scan, they don't come up again. But after a few reboots, if I do a sweep, Spy Sweeper finds them again. I will try your file to remove them. So, is the identification of CWS_NS3 by Spy Sweeper a false positive or what? What are these registry entries from?

#13 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,718 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:06:18 PM

Posted 23 January 2005 - 05:32 PM

Not sure what they are from..looks like a policy restriction. Is this an office computer?

#14 melbb

melbb
  • Topic Starter

  • Members
  • 194 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:07:18 PM

Posted 23 January 2005 - 06:32 PM

No, it is a home computer.

#15 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,718 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:06:18 PM

Posted 23 January 2005 - 11:04 PM

Ok lets try the reg file I made, and then reboot a few times and lets see if its back




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users