fimoulia
Corporal
Joined: Apr 14, 2004
Posts: 50
Location: Belgium
Posted: Thu May 20, 2004 4:43 pm Post subject: CWShredder Enigma! Help! Take 2. 35 days with no response
Hello!
I just did a big spring cleaning and it took me a good while, because all this stuff is quite new to me. I clicked "Scan only" on CWShredder and it gave me a strange list of things. Spybot SD, Ad-aware, CWShredder (Fix says I'm perfectly free of CW) and HijackThis already did a good job. What is this list about? Do these things remain on my computer? Or is it something else? I don't understand this. I am new here and will appreciate it if someone could explain to me what it is about and how I can fix it if I have to. I put the report here.
Found Hosts file: C:\WINDOWS\system32\drivers\etc\hosts (135 bytes, R)
Shell Registry value: HKLM\..\WinLogon [Shell] Explorer.exe
UserInit Registry value: HKLM\..\WinLogon [UserInit] C:\WINDOWS\system32\userinit.exe,
CWS.Oslogo (if value is 2) Registry value: Domains: *.coolwebsearch.com [*] dword:4
CWS.Oslogo (if value is 2) Registry value: Domains: *.coolwwwsearch.com [*] dword:4
CWS.Googlems.2 (if value is 2) Registry value: Domains: *.xxxtoolbar.com [*] dword:4
CWS.Googlems.4 (if value is 2) Registry value: Domains: *.teensguru.com [*] dword:4
Registry value: DefaultPrefix (should be http://) [] http://
Registry value: WWW Prefix (should be http://) [www] http://
Registry value: Mosaic Prefix (should be http://) [mosaic] http://
Registry value: Home Prefix (should be http://) [home] http://
Found Win.ini file: C:\WINDOWS\win.ini (925 bytes, A)
Found System.ini file: C:\WINDOWS\system.ini (227 bytes, A)
- END OF REPORT -
Thank you for your time and help!
satchick
1st Responder
Joined: Apr 29, 2004
Posts: 825
Location: Canada
Posted: Thu May 20, 2004 7:24 pm
Hi fimoulia,
CWShredder is reporting the existence of 4 CoolWebSearch variants on your system (CWS....). These are malware programs that take control of your browser and force you to sites you don't want to go to.
All the other stuff is just CWShredder telling you that it has checked those vital areas of Windows (hosts file, WinLogon, web registry entries, and both major system files win.ini & system.ini).
Run CWShredder again and click on the NEXT button and let it remove these hijackers from your system.
Run HijackThis again and copy and paste your log here. The tools you use don't always remove everything, and often manual removal is needed. The log will help us assist.
fimoulia
Corporal
Joined: Apr 14, 2004
Posts: 50
Location: Belgium
Posted: Thu May 20, 2004 9:09 pm
Hello satchick,
Thank you very much for taking time and trouble to be here with me!
I did as you said and here is my log. You can see that it's pretty clean. O17 - are my ISP's DNS servers. I ran CWShredder a few times already about that, in the past and now, and it doesn't stop saying that my system is clean from any sign of CWS, except for this scan report. That's why I call it "Enigma".
Logfile of HijackThis v1.97.7
Scan saved at 02:27:07, on 21/05/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\StartupMonitor.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\System32\hpoipm07.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN\MSNCoreFiles\MSN6.EXE
C:\Security Tools\HijackThis\HijackThis.exe
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: HPAiODevice(hp officejet v series) - 1.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = ?
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shoc.../swdir.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/Shar.../cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/sho...wflash.cab
O16 - DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} (CTAdjust Class) - http://download.microsoft.com/download/...earadj.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup144.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?319
O17 - HKLM\System\CCS\Services\Tcpip\..\{025B81E8-08A9-46E6-83B4-CC1E466FABFE}: NameServer = 193.74.208.65,194.119.228.67
O17 - HKLM\System\CS1\Services\Tcpip\..\{025B81E8-08A9-46E6-83B4-CC1E466FABFE}: NameServer = 193.74.208.65,194.119.228.67
O17 - HKLM\System\CS2\Services\Tcpip\..\{025B81E8-08A9-46E6-83B4-CC1E466FABFE}: NameServer = 193.74.208.65,194.119.228.67
satchick
1st Responder
Joined: Apr 29, 2004
Posts: 825
Location: Canada
Posted: Fri May 21, 2004 8:18 am
CWShredder will post this message at the top of its final screen when it's done (if your system is clean of what it detects):
Quote:
Done!
Your system was completely clean.
Below is a report for my system (which is clean of malware).
Quote:
Windows XP (5.01.2600 SP1)
Windows dir: C:\WINDOWS
Windows system dir: C:\WINDOWS\system32
Found Hosts file: C:\WINDOWS\system32\drivers\etc\hosts (3077 bytes, A)
Shell Registry value: HKLM\..\WinLogon [Shell] Explorer.exe
UserInit Registry value: HKLM\..\WinLogon [UserInit] C:\WINDOWS\system32\userinit.exe,
Registry value: DefaultPrefix (should be http://) [] http://
Registry value: WWW Prefix (should be http://) [www] http://
Registry value: Mosaic Prefix (should be http://) [mosaic] http://
Registry value: Home Prefix (should be http://) [home] http://
Found Win.ini file: C:\WINDOWS\win.ini (714 bytes, A)
Found System.ini file: C:\WINDOWS\system.ini (402 bytes, A)
- END OF REPORT -
If yours looks like this now and you get that message at the top, then you're OK. Otherwise, there is a problem!
As far as your HJT log, just have it fix this entry:
R3 - Default URLSearchHook is missing
and your HJT log is clean.
fimoulia
Corporal
Joined: Apr 14, 2004
Posts: 50
Location: Belgium
Posted: Fri May 21, 2004 11:08 am
Hello satchick,
This is how my CWShredder logs look now. They remain the same. There is some problem.
Quote:
Done!
Your system was completely clean.
Quote:
Windows XP (5.01.2600 SP1)
Windows dir: C:\WINDOWS
Windows system dir: C:\WINDOWS\system32
Found Hosts file: C:\WINDOWS\system32\drivers\etc\hosts (135 bytes, -)
Shell Registry value: HKLM\..\WinLogon [Shell] Explorer.exe
UserInit Registry value: HKLM\..\WinLogon [UserInit] C:\WINDOWS\system32\userinit.exe,
CWS.Oslogo (if value is 2) Registry value: Domains: *.coolwebsearch.com [*] dword:4
CWS.Oslogo (if value is 2) Registry value: Domains: *.coolwwwsearch.com [*] dword:4
CWS.Googlems.2 (if value is 2) Registry value: Domains: *.xxxtoolbar.com [*] dword:4
CWS.Googlems.4 (if value is 2) Registry value: Domains: *.teensguru.com [*] dword:4
Registry value: DefaultPrefix (should be http://) [] http://
Registry value: WWW Prefix (should be http://) [www] http://
Registry value: Mosaic Prefix (should be http://) [mosaic] http://
Registry value: Home Prefix (should be http://) [home] http://
Found Win.ini file: C:\WINDOWS\win.ini (925 bytes, A)
Found System.ini file: C:\WINDOWS\system.ini (227 bytes, A)
- END OF REPORT -
Thanks again!
satchick
1st Responder
Joined: Apr 29, 2004
Posts: 825
Location: Canada
Posted: Fri May 21, 2004 11:14 am
If it's detecting these:
CWS.Oslogo (if value is 2) Registry value: Domains: *.coolwebsearch.com [*] dword:4
CWS.Oslogo (if value is 2) Registry value: Domains: *.coolwwwsearch.com [*] dword:4
CWS.Googlems.2 (if value is 2) Registry value: Domains: *.xxxtoolbar.com [*] dword:4
CWS.Googlems.4 (if value is 2) Registry value: Domains: *.teensguru.com [*] dword:4
Then hitting the FIX button instead of the SCAN ONLY button should fix them. Did you do this? And if so, did they come back?
Go to Windows Update and make sure you have all the latest critical updates. Please let me know the answers to the above.
fimoulia
Corporal
Joined: Apr 14, 2004
Posts: 50
Location: Belgium
Posted: Fri May 21, 2004 11:54 am
satchick...
I have all the latest critical updates from Microsoft.
I open CWShredder (it's in a special folder for small security programs on C:/). Then I look for updates. It says I have the latest version, 1.57.0. I hit "Fix". It runs and then says: Done! Your system was completely clean. I exit, reboot, open it again and hit "Scan only". And then I have this log which I've posted. And it's like that all the time. These 4 bad entries are always there.
Thanks.
satchick
1st Responder
Joined: Apr 29, 2004
Posts: 825
Location: Canada
Posted: Fri May 21, 2004 12:10 pm
OK, I will seek counsel about this with the experts here.
satchick
1st Responder
Joined: Apr 29, 2004
Posts: 825
Location: Canada
Posted: Fri May 21, 2004 3:02 pm
fimoulia, a security expert here says that that is a normal scan log for CWShredder. I even saw their own log and it's just like yours!
As long as you got the 'Done! Your system was completely clean.' message as you did, then you're good to go.
Mariner
Site Moderator
Premium Member
Joined: Aug 25, 2003
Posts: 1904
Posted: Fri May 21, 2004 3:30 pm
Can confirm this is so. Had the same problem myself... clean machine, 'dirty' CWS log report. All A-OK, though. No harm in asking as you did, better safe than sorry.
fimoulia
Corporal
Joined: Apr 14, 2004
Posts: 50
Location: Belgium
Posted: Fri May 21, 2004 5:39 pm
satchick!!! Perfect job! Thanks A LOT! Feels much better.
Mariner! What can I say? Thanks again!
satchick
1st Responder
Joined: Apr 29, 2004
Posts: 825
Location: Canada
Posted: Fri May 21, 2004 6:01 pm
We're happy to have helped.
satchick
1st Responder
Joined: Apr 29, 2004
Posts: 825
Location: Canada
Posted: Fri May 21, 2004 7:55 pm
--
Mosaic1
Site Moderator
Joined: Jan 15, 2004
Posts: 4947
Location: USA
Posted: Sat May 22, 2004 3:15 am
To explain, those entries mean that those sites have been placed on your Restricted sites list, probably by a security program you installed.
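satchick's reply about the "(if value is 2)" lines and Mosaic1's explanation above describe how to read them: CWShredder only treats a Domains: line as a hit when the zone value equals the trigger value, and dword:4 is a Restricted sites entry. The Python below is an added example, not part of the thread and not CWShredder's code: it parses the Domains: lines of a report and separates real hits from immunization entries. The zone id meanings (2 = Trusted sites, 4 = Restricted sites) are the Windows ZoneMap constants and are assumed here, and the CWS.Example / *.example.invalid line is constructed to show what a real hit would look like.

```python
import re
# IE ZoneMap zone ids (Windows constants, assumed here, not stated in the thread):
# 1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted sites
RESTRICTED_SITES = 4

# Shape of a CWShredder "Domains:" line as quoted in the thread, e.g.
#   CWS.Oslogo (if value is 2) Registry value: Domains: *.coolwebsearch.com [*] dword:4
LINE_RE = re.compile(
    r"^(?P<variant>\S+) \(if value is (?P<trigger>\d+)\) Registry value: "
    r"Domains: (?P<domain>\S+) \[(?P<scheme>[^\]]*)\] dword:(?P<zone>\d+)$"
)

def parse_domain_line(line):
    """Return the fields of one Domains: line, or None for any other report line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["trigger"] = int(entry["trigger"])
    entry["zone"] = int(entry["zone"])
    return entry

def classify(entry):
    """CWShredder's own rule: the line is a real hit only when zone == trigger value."""
    if entry["zone"] == entry["trigger"]:
        return "HIJACK"      # domain sits in the zone the variant abuses (Trusted sites)
    if entry["zone"] == RESTRICTED_SITES:
        return "IMMUNIZED"   # domain blocked by a Restricted-sites list: benign
    return "REVIEW"          # any other zone: inspect by hand

def triage(report_text):
    """Map every Domains: line of a report to (variant, domain, zone, verdict)."""
    entries = (parse_domain_line(l) for l in report_text.splitlines())
    return [(e["variant"], e["domain"], e["zone"], classify(e)) for e in entries if e]

# Constructed sample: the four lines from the thread plus one invented dword:2 line
# (the Trusted-sites case a live CWS hijack would produce; the domain is made up).
SAMPLE_REPORT = """\
CWS.Oslogo (if value is 2) Registry value: Domains: *.coolwebsearch.com [*] dword:4
CWS.Oslogo (if value is 2) Registry value: Domains: *.coolwwwsearch.com [*] dword:4
CWS.Googlems.2 (if value is 2) Registry value: Domains: *.xxxtoolbar.com [*] dword:4
CWS.Googlems.4 (if value is 2) Registry value: Domains: *.teensguru.com [*] dword:4
CWS.Example (if value is 2) Registry value: Domains: *.example.invalid [*] dword:2
- END OF REPORT -
"""

if __name__ == "__main__":
    for variant, domain, zone, verdict in triage(SAMPLE_REPORT):
        print(f"{verdict:9} {variant:14} {domain} (zone {zone})")
```

Run against fimoulia's report as posted, every Domains: line comes back IMMUNIZED, which is the thread's conclusion; only a dword:2 line would be a hijack hit.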
fimoulia
Corporal
Joined: Apr 14, 2004
Posts: 50
Location: Belgium
Posted: Sat May 22, 2004 7:10 am
The Restricted sites lists of Spybot S&D or SpywareBlaster are veeeeeeeeeery long. Why only these 4 in the report? And satchick's "clean" log? Doesn't he run Spybot S&D and SpywareBlaster with their RS lists?
...sorry to bother.