
CWS

Discussion in 'All other topics' started by p4_tt, Jan 25, 2005.

  1. p4_tt

    p4_tt Active member

    Joined:
    Feb 3, 2004
    Messages:
    2,207
    Likes Received:
    0
    Trophy Points:
    66
    Can any1 tell me how the hell to get these to f**k, or how to uninstall IE

    CoolWebSearch Object Recognized!
    Type : RegValue
    Data :
    Category : Malware
    Comment : "HOMEOldSP"
    Rootkey : HKEY_USERS
    Object : .DEFAULT\software\microsoft\internet explorer\main
    Value : HOMEOldSP

    CoolWebSearch Object Recognized!
    Type : RegValue
    Data :
    Category : Malware
    Comment : "HOMEOldSP"
    Rootkey : HKEY_USERS
    Object : S-1-5-18\software\microsoft\internet explorer\main
    Value : HOMEOldSP

    CoolWebSearch Object Recognized!
    Type : RegValue
    Data :
    Category : Malware
    Comment : "HOMEOldSP"
    Rootkey : HKEY_USERS
    Object : S-1-5-21-299502267-839522115-725345543-1003\software\microsoft\internet explorer\main
    Value : HOMEOldSP

    CoolWebSearch Object Recognized!
    Type : RegValue
    Data :
    Category : Malware
    Comment : "HOMEOldSP"
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\microsoft\internet explorer\main
    Value : HOMEOldSP


    I have tried Ad-Aware, Xoftspy, Spybot, Spy Sweeper, CWShredder and McAfee VirusScan. I have also tried running them in Safe Mode, no luck.
     
    Last edited: Jan 25, 2005
  2. ddp

    ddp Moderator Staff Member

    Joined:
    Oct 15, 2004
    Messages:
    39,071
    Likes Received:
    79
    Trophy Points:
    128
  3. p4_tt

    p4_tt Active member

    Logfile of HijackThis v1.99.0
    Scan saved at 20:56:25, on 25/01/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\McAfee\McAfee Internet Security\GUARDDOG.EXE
    C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\wdfmgr.exe
    C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
    C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
    C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
    C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
    C:\Program Files\MSI\Live Update 3\LMonitor.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\MSI\Core Center\CoreCenter.exe
    C:\Program Files\MSI\SecureDoc\Logon.exe
    C:\Program Files\McAfee\McAfee Internet Security\GUARDDOG.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Documents and Settings\JT\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\JT\LOCALS~1\Temp\sp.dll/sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\JT\LOCALS~1\Temp\sp.dll/sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {517E01A7-4DFC-4AE0-AA49-C4F7B6DA880E} - C:\WINDOWS\System32\babcfc.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
    O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.1\THGuard.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
    O4 - Global Startup: CoreCenter.lnk = C:\Program Files\MSI\Core Center\CoreCenter.exe
    O4 - Global Startup: SecureDoc.lnk = C:\Program Files\MSI\SecureDoc\Logon.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O17 -
    O18 - Filter: text/html - {D32C97CB-ECE0-4F56-9B5F-CBB54741FD66} - C:\WINDOWS\System32\babcfc.dll
    O18 - Filter: text/plain - {D32C97CB-ECE0-4F56-9B5F-CBB54741FD66} - C:\WINDOWS\System32\babcfc.dll
    O23 - Service: AVSync Manager - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
    O23 - Service: McAfee Internet Security - Network Associates, Inc. - C:\Program Files\McAfee\McAfee Internet Security\GUARDDOG.EXE
    O23 - Service: McAfee Firewall - Network Associates, Inc. - C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
    O23 - Service: McShield - Unknown - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
    O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

     
    Last edited: Jan 25, 2005
  4. ddp

    ddp Moderator Staff Member

    clean out your windows cookies, temp & temporary internet folders & check your msconfig/startup for things that shouldn't be there.
    put a check on these in hijackthis
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\JT\LOCALS~1\Temp\sp.dll/sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\JT\LOCALS~1\Temp\sp.dll/sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    & edit this out of your post if it's your ip address
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2168C251-B576-4439-B682-AB8173F7919C}: NameServer =
    O17 - HKLM\System\CS1\Services\Tcpip\..\{2168C251-B576-4439-B682-AB8173F7919C}: NameServer =
     
    Last edited: Jan 25, 2005
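
Added example (not part of any post in this thread, and not HijackThis's own code): a small Python triage of the log format posted above. It flags IE page values of the kind ddp listed, and, as a heuristic that is an assumption of this example, reports any file that backs an unnamed BHO and is also registered in another hook section; `triage` is a hypothetical name.

```python
import re
from collections import defaultdict

# Subset of the HijackThis log posted in this thread, embedded as sample input.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\JT\LOCALS~1\Temp\sp.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: (no name) - {517E01A7-4DFC-4AE0-AA49-C4F7B6DA880E} - C:\WINDOWS\System32\babcfc.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O18 - Filter: text/html - {D32C97CB-ECE0-4F56-9B5F-CBB54741FD66} - C:\WINDOWS\System32\babcfc.dll
"""

R_LINE = re.compile(r"^(R[0-3]) - ([^,]+),(.+?) = (.*)$")
O_LINE = re.compile(r"^(O\d+) - (.+?) - (\{[0-9A-Fa-f-]+\}) - (.+)$")

def triage(log_text):
    """Return (ie_settings, shared_files) worth a closer look."""
    ie_settings, hooks = [], defaultdict(list)
    for line in log_text.splitlines():
        line = line.strip()
        m = R_LINE.match(line)
        if m:
            _, key, name, data = m.groups()
            # From the thread: IE page/search values set to a res:// URL or about:blank.
            if data.lower().startswith("res://") or data.lower() == "about:blank":
                ie_settings.append((key, name, data))
            continue
        m = O_LINE.match(line)
        if m:
            section, desc, clsid, path = m.groups()
            hooks[path.lower()].append((section, desc, clsid))
    # Added heuristic (assumption): unnamed BHO whose file is also hooked in another section.
    shared_files = {}
    for path, entries in hooks.items():
        sections = {s for s, _, _ in entries}
        unnamed_bho = any(s == "O2" and "(no name)" in d for s, d, _ in entries)
        if unnamed_bho and len(sections) > 1:
            shared_files[path] = sorted(sections)
    return ie_settings, shared_files

if __name__ == "__main__":
    settings, files = triage(SAMPLE_LOG)
    print(*settings, sep="\n")
    print(files)
```

A file reported by the second check is a candidate for inspection, since a named DLL shared across sections (the Yahoo toolbar here) and an unnamed BHO seen only once (Spybot's helper) are both left out.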
  5. p4_tt

    p4_tt Active member

    All them locations are clean with nothing out of place. I delete them files that I checked with HijackThis but when I run it again they are back. Should I run it in safe mode?
     
    Last edited: Jan 25, 2005
  6. ddp

    ddp Moderator Staff Member

    try in safe mode. i can't edit your post as i'm not authorized to do that. go to the icon at right of your post, then you can edit that post
     
  7. p4_tt

    p4_tt Active member

    I will try it in safe mode. I meant can you edit the IP out of ur post
     
  8. ddp

    ddp Moderator Staff Member

    done
     
    Last edited: Jan 25, 2005
  9. p4_tt

    p4_tt Active member

    Cheers. Nope, still not working in safe mode. It removes them and they just keep coming back, nothing I have tried works :-( How about if I uninstall IE and then just reinstall it, would that work?

    According to Spy Sweeper it's these

    CWS-AboutBlank
    CWS_NS3
    CWS_NS3 Hijacker


     
    Last edited: Jan 25, 2005
  10. ddp

    ddp Moderator Staff Member

  11. p4_tt

    p4_tt Active member

    I have read it, I have tried all of them and they're not doing much good, looks like I'm gonna have to format my hdd, again :-(

    This is not the 1st time I have had problems with CWS, only b4 I have got rid of them, but this one is new to me
     
    Last edited: Jan 25, 2005
  12. ddp

    ddp Moderator Staff Member

    try this ccleaner from this link http://www.ccleaner.com/update/?v=1.16.084&l=1033. i use that, ad-aware se, occasionally spybot s&d, clean out my cookies, temp & temporary internet folders & use avg7 free version & the odd time antivirus.com free housecall to check for viruses
     
  13. p4_tt

    p4_tt Active member

    CCleaner is my best friend, I use it all the time, I love it. If I remember right it used to come with another bit of software called CWShredder that was made just for getting rid of CWS spyware but I don't think it's been updated in donkeys.
     
  14. p4_tt

    p4_tt Active member

    It seems it's gone now. I don't have a clue why, I did nothing different. Thanks for the help, much appreciated
     
    Last edited: Jan 26, 2005
  15. Jerry746

    Jerry746 Senior member

    Joined:
    Oct 23, 2003
    Messages:
    4,456
    Likes Received:
    0
    Trophy Points:
    116
    CWShredder was updated not too long ago. I still have it on my desktop and run it to make sure about once a week.

    Jerry
     
  16. ddp

    ddp Moderator Staff Member

    so ccleaner worked, teach & learn
     
  17. p4_tt

    p4_tt Active member

    Yes it's gone but to where I don't know. Hey Jerry, I downloaded the latest version of CWShredder, it covers lots of CWS spyware but it can't find CWS.homepage which I think is newish so it may not be covered yet. ddp ur a star cheers ;-)
     
    Last edited: Jan 26, 2005
  18. ddp

    ddp Moderator Staff Member

    no problem, as long as it is gone, it saved you from formatting & reloading your hd
     
