
Need Help with CWS variant removal/removal verification

Discussion in 'Virus & Other Malware Removal' started by MostAdroit, Jul 3, 2004.

Thread Status:
Not open for further replies.
  1. MostAdroit

    MostAdroit Thread Starter

    Joined:
    Jul 3, 2004
    Messages:
    2
    My computer, running Windows 2000 with all the latest patches, is infected with some sort of CWS variant. I am running SpywareGuard, Norton AntiVirus 2004 (useless), ZoneAlarm. I have run Ad-Aware, Spybot Search & Destroy, CWShredder, and HijackThis. CWShredder now seems to run much slower than it used to a few days ago on my system. It claims to have removed CWS.Searchx and CWS.jkSearch (I don't remember the exact name, but it had jk in it), but adware/trojan/browser hijacking symptoms and components seem to keep re-appearing -- even if not connected to the internet! I am also using a HOSTS file. I also switched to the Mozilla Firefox browser from IE and installed the Sun Java VM (but can't seem to find directions for deleting MS Java -- do I just delete the msjava.dll from C:\WINNT\system32?)

    Am I still infected with something? If so, how do I get rid of it for good? The last two entries look suspicious to me, but I get an error if I try to let H/T fix them. Advice would be most appreciated. Thanks in advance.

    H/T error message:
    -------
    An unexpected error has occurred at procedure: cmdFix_Click()
    Error #75 - Path/File access error (30 items in results list)

    Please email me at [email protected], reporting the following:
    * What you were doing when the error occurred
    * How you can reproduce the error
    * A complete HijackThis scan log, if possible

    Windows version: Windows NT 5.00.2195
    MSIE version: 6.0.2800.1106
    HijackThis version: 1.98.0

    This message has been copied to your clipboard.
    ----------
    H/T logfile:
    Logfile of HijackThis v1.98.0
    Scan saved at 12:15:33 PM, on 7/3/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINNT\system32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Mixer.exe
    C:\Program Files\ahead\InCD\InCD.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\Program Files\Quicken\QWDLLS.EXE
    C:\WINNT\system32\ZoneLabs\vsmon.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\WINNT\system32\taskmgr.exe
    C:\Program Files\Accessories\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
    O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
    O15 - Trusted Zone: http://*.windowsupdate.com
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe
    O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security1.norton.com/SSC/SharedContent/sc/bin/cabsa.cab
    O18 - Filter: text/html - {B61CA349-B71C-42C6-B6DC-E7918AFD4CD4} - c:\recycler\s-1-5-21-1275210071-1993962763-854245398-1000\dc82.dll
    O18 - Filter: text/plain - {B61CA349-B71C-42C6-B6DC-E7918AFD4CD4} - c:\recycler\s-1-5-21-1275210071-1993962763-854245398-1000\dc82.dll
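    The two O18 lines at the end of the log are what a reader should look at first. In HijackThis, O18 lists the handlers registered under HKEY_CLASSES_ROOT\PROTOCOLS\Filter; a DLL registered for text/html and text/plain is handed every page before Internet Explorer renders it, and a filter DLL living in C:\RECYCLER under a user SID is not where any legitimate product installs. The script below is an added example for this thread, not code from the post or from HijackThis: it parses the log lines quoted from the post and flags entries whose loaded file sits outside the normal program directories or inside a directory no browser helper should load from. The trusted and suspicious directory lists, the Finding type, and the section handling are this example's own assumptions.

```python
"""Triage HijackThis log entries by where the named file lives.

Added example for this thread, not code from the post or from HijackThis.
HJT_LOG is copied from the log posted above; the directory lists below are
this example's own assumptions.
"""
import re
from dataclasses import dataclass

# A subset of the HijackThis 1.98 log posted above (copied, not constructed).
HJT_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
O18 - Filter: text/html - {B61CA349-B71C-42C6-B6DC-E7918AFD4CD4} - c:\recycler\s-1-5-21-1275210071-1993962763-854245398-1000\dc82.dll
O18 - Filter: text/plain - {B61CA349-B71C-42C6-B6DC-E7918AFD4CD4} - c:\recycler\s-1-5-21-1275210071-1993962763-854245398-1000\dc82.dll
"""

# Where legitimate BHOs, toolbars, filters and startup binaries live on the
# Windows 2000 box in the post (assumption; extend for other drives/locales).
TRUSTED_DIRS = ("c:\\winnt\\", "c:\\program files\\", "c:\\progra~1\\")

# Directories nothing should be loading into the browser from (assumption).
SUSPICIOUS_DIRS = ("\\recycler\\", "\\temp\\", "\\documents and settings\\")

# Sections whose last " - " field is the loaded file. O18 entries mirror
# HKCR\PROTOCOLS\Filter\<mime type>, so a hijacker there sees every page.
PATH_SECTIONS = {"O2", "O3", "O9", "O18"}

ENTRY_RE = re.compile(r"^(O\d+) - (.+)$")


@dataclass
class Finding:
    section: str
    path: str
    reason: str


def extract_path(section: str, body: str):
    """Return the file named by one log entry, or None if the section has none."""
    if section in PATH_SECTIONS:
        # "<description> - {CLSID} - <file>": the file is the last field.
        return body.rsplit(" - ", 1)[-1].strip()
    if section == "O4":
        # "HKLM\..\Run: [Name] <command>" or "Startup: x.lnk = <command>".
        cmd = re.sub(r"^[^:]*:\s*", "", body, count=1)
        cmd = cmd.split("]", 1)[-1] if "]" in cmd else cmd.split("=", 1)[-1]
        # First token ending in .exe/.dll, with or without surrounding quotes.
        m = re.search(r'"?([^"]*?\.(?:exe|dll))', cmd, re.I)
        return m.group(1).strip() if m else cmd.strip()
    return None


def classify(path: str):
    """Explain why a path is suspicious, or return None if it looks normal."""
    p = path.lower().strip('"')
    for marker in SUSPICIOUS_DIRS:
        if marker in p:
            return f"path contains {marker}"
    if "\\" not in p:
        # Bare name such as Mixer.exe is resolved via PATH; cannot judge here.
        return None
    if not p.startswith(TRUSTED_DIRS):
        return "outside trusted program directories"
    return None


def triage(log: str):
    """Parse a HijackThis log and return the entries worth a closer look."""
    findings = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        section, body = m.groups()
        path = extract_path(section, body)
        if path is None:
            continue
        reason = classify(path)
        if reason:
            findings.append(Finding(section, path, reason))
    return findings


if __name__ == "__main__":
    for f in triage(HJT_LOG):
        print(f"{f.section}: {f.path}  <-- {f.reason}")
```

    Run against the quoted log, only the two O18 filter entries come back, both pointing at dc82.dll under the RECYCLER SID folder. The script only reads a log; it does not touch the registry, and a bare startup name like Mixer.exe is deliberately left unjudged because the log alone does not say which directory it resolves to.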
     
  2. John Burns

    John Burns

    Joined:
    Jul 29, 1999
    Messages:
    1,150
    I WISH I could help you - believe me. I got CWS_NS3 on one of my computers last week and tried EVERYTHING. Nothing worked that I tried. You might look for something on AboutBuster - one of the forums I was in indicated there was a fix there in conjunction with HJT. I don't really know - I just gave up and did a clean re-install of XP - but that is drastic. My System Restore was going through the motions but wouldn't set restore to any point that was there. CWS kept adding "exe" files at bootup. It seems this is becoming more and more prevalent. Hope you find something that will work. I got disturbed when my System Restore quit working and gave up. Let me know if you find something to fix this - just in case I get it again. Good Luck.
     
  3. MostAdroit

    MostAdroit Thread Starter

    Joined:
    Jul 3, 2004
    Messages:
    2
    John & others infected with this nasty pest,
    I followed Floorman's "3 step" process posted today at

    http://forums.techguy.org/t246140.html

    discovered that I indeed had (I hope it is gone) the LOGK.DLL variant of CWS, but it was hidden and I could not find it.

    If it stays gone for a couple of days, I will make a small donation and send him a thanks note.

    If a moderator is reading this, please close this thread. thanks.
     
Short URL to this thread: https://techguy.org/246036